February 2011
Schedule
09:00 - 09:30  Coffee, tea & network setup
11:00 - 11:15  Break
13:00 - 14:00  Lunch
15:00 - 15:15  Break
17:30          End
Introductions
Number on the list
Name
Experience with the RIPE DB & BGP
Goals
Goals
Learn the benefits of using the Routing Registry (RR)
Practice using the RIPE Database
Practice describing your routing policy in RPSL
Practice creating router configuration from the RR
Distributed databases with public routing policy information, mirroring each other: irr.net
RIPE NCC operates the RIPE Routing Registry
Big operators make use of it:
AS286 (KPN), AS5400 (BT), AS1299 (Telia), AS8918 (Carrier1), AS2764 (Connect), AS3561 (Savvis), AS3356 (Level 3)...
What prexes do you accept? Who from? What are your preferences?
They use it for prefix-based filtering and router configuration commands, based on the RR. Prefix-based filtering prevents accidental leaks and route hijacking.
RIPE Database
Public Internet resources database. All your objects are already there:
Address space: inetnum & inet6num
AS Number: aut-num
Contact details: person, role, organisation
Strong protection: maintainer (key-cert, irt)
org:        ORG-Bb2-RIPE
mnt-by:     RIPE-NCC-HM-MNT

route:      85.118.184.0/21
origin:     AS12345
mnt-by:     LIR-MNT

mntner:     LIR-MNT
admin-c:    LA789-RIPE
tech-c:     LA789-RIPE
auth:       MD5-PW $nje^6G

role:
nic-hdl:    LA789-RIPE
tech-c:
tech-c:
e-mail:
mnt-by:

person:     Jane Doe
nic-hdl:    JD1-RIPE
mnt-by:     LIR-MNT
address:    somewhere
phone:      +31122345678

person:     John Malkovich
nic-hdl:    JM1-RIPE
mnt-by:     LIR-MNT
address:    under the bridge
phone:      +312458765432
Every time you receive a new allocation, create a route or route6 object: address space being announced by an AS number.
Only the holder of both the address space and the AS number can authorise creation of a route[6] object.
Time: 15 minutes
By creating route objects in the RR, ISPs enable automated generation of prefix lists; BGP configuration is made easier.
Tool (e.g. RtConfig)
RtConfig
RtConfig reads information from the IRR
Generates parts of the router configuration file
http://irrtoolset.isc.org/wiki/CruftCleanout
rpsltool
A BGP filters generator based on Template::Toolkit: http://www.linux.it/~md/software/
A collection of tools for the purpose of maintaining customer and peer BGP prefix-lists, PHP based: http://sourceforge.net/projects/irrpt/
Task: Use a tool that creates a filter, based on the registered route objects, which allows prefixes of your neighbor
Time: 15 minutes
http://lab.db.ripe.net/portal/free-text/search.htm
Protection

person:     John Smith
password:   Clear_Text
Strong authentication
Protection

inetnum:    85.118.184.0/24
status:     ASSIGNED PA
mnt-by:     LIR-MNT

person:     John Smith
Multiple protection

nic-hdl:    JS1-RIPE
mnt-by:     ONE-MNT
mnt-by:     TWO-MNT

mntner:     ONE-MNT
auth:       MD5-PW $1$o93UxR

mntner:     TWO-MNT
auth:       PGPKEY-AE6FBBF7

key-cert:   PGPKEY-AE6FBBF7
Hierarchical authorisation

inetnum:    85.118.184.0/21
status:     ALLOCATED PA
mnt-routes: LIR-MNT
mnt-lower:  LIR-MNT
mnt-by:     RIPE-NCC-HM-MNT

(diagram: /21 allocation, /21 routed prefix)
Task 1: Create a mntner object for the End User
Task 2: Add the End User maintainer to the PI object
Task 3: Create a route object for the PI End User
Time: 30 minutes
RPSL
Abstract
Tools available:
for translating from RPSL into router configuration
for automated generation of router configuration files
Policy expressions
Aut-num:
Lists neighbours (in import / export lines)
Defines filter rules for each neighbour
Defines route parameter modifications per prefix
Route object:
Represents an address range originated by an ASN
Set objects:
Grouping objects with similar policy / usage
import:     from AS3 action pref=20; accept ANY
import:     from AS4 action pref=30; accept ANY
export:     to AS3 announce AS1
export:     to AS4 action aspath.prepend(AS1, AS1, AS1); announce AS1
Topology: AS2, AS1, AS3

aut-num:    AS2
import:     from AS1 accept AS1
export:     to AS1 announce AS2

aut-num:    AS1
export:     to AS2 announce AS1
import:     from AS3 accept ANY
import:     from AS2 accept AS2
export:     to AS3 announce AS1

aut-num:    AS3
export:     to AS1 announce ANY
import:     from AS1 accept AS1
Topology: AS4, AS1, AS3

aut-num:    AS4
import:     from AS1 accept AS1
export:     to AS1 announce ANY

aut-num:    AS1
export:     to AS4 action aspath.prepend(AS1, AS1); announce AS1
import:     from AS3 action pref=80; accept ANY
export:     to AS3 announce AS1
import:     from AS4 action pref=90; accept ANY

aut-num:    AS3
export:     to AS1 announce ANY
import:     from AS1 accept AS1
Aut-num object:

aut-num:    AS65550
mp-import:  afi ipv6.unicast from AS64496 accept ANY
mp-export:  afi ipv6.unicast to AS64496 announce AS65550
Task:
Create RPSL policy reflecting one scenario
Put this policy in your aut-num object (ASnn)
Time: 30 mins
Multihoming scenarios
Scenario A (IPv4): AS101 is your upstream provider; AS202 is a private peer
Scenario B (IPv6): AS505 is your upstream provider; AS606 is your PI customer
Scenario C (IPv4): AS303 is your preferred upstream provider; AS404 is your backup upstream provider
Scenario D (IPv6): AS707 is your upstream provider; AS808 is your PI customer
Describing routing policy in aut-num enables generation of route-maps for policy routing. Tools can read your policy towards peers:
translation from RPSL to router configuration commands
if their data changes, you only have to periodically run your scripts to collect updates
RtConfig

pl100:
  accept 10.0.0.0/23
  accept 10.0.20.0/20
  deny   0.0.0.0/0
routeMap:
  import pl100 in

with OTHERCOMPANY
set cisco_map_name = "AS%d-IMPORT-%d"
import AS100 10.0.0.1 AS909 10.0.0.9
set cisco_map_name = "AS%d-EXPORT-%d"
export AS100 10.0.0.1 AS909 10.0.0.9
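As an added example (not code from the course or from RtConfig itself), a small Python translator that turns import lines like the ones in the aut-num objects above into prefix-list and route-map lines in the style RtConfig emits; it generalises to the ANY, PeerAS and origin-AS filter forms. The ROUTES table stands in for IRR route-object lookups, and the mapping of RPSL pref to local-preference is an assumption.

```python
import re

# Constructed stand-in for Routing Registry lookups (origin AS -> its route objects);
# a real generator such as RtConfig fetches these from the IRR over whois.
ROUTES = {"AS3": ["10.0.0.0/23", "10.0.20.0/20"], "AS4": ["192.0.2.0/24"]}
# Assumption: RPSL pref (lower is better) maps to local-preference MAX_PREF - pref.
MAX_PREF = 1000

IMPORT_RE = re.compile(
    r"from\s+(AS\d+)(?:\s+action\s+(.+?);)?\s+accept\s+(\S+)\s*$", re.I)

def parse_import(line):
    """Split 'import: from ASx [action k=v; ...] accept FILTER' into its parts.
    Only single-term filters (ANY, PeerAS, ASn) are handled here."""
    m = IMPORT_RE.search(line)
    if not m:
        raise ValueError("not a supported RPSL import line: " + line)
    peer, actions, flt = m.groups()
    acts = {}
    for a in (actions or "").split(";"):
        if "=" in a:
            k, v = a.split("=", 1)
            acts[k.strip()] = v.strip()
    return peer, acts, flt

def expand_filter(flt, peer):
    """Resolve a filter to prefixes: ANY -> None (unrestricted), PeerAS -> the
    peer's own route objects, ASn -> that AS's route objects. An AS with no
    registered route objects yields an empty list, so nothing is accepted."""
    if flt.upper() == "ANY":
        return None
    origin = peer if flt.upper() == "PEERAS" else flt
    return ROUTES.get(origin, [])

def rtconfig_like(line, seq=10):
    """Emit Cisco-style prefix-list and route-map lines for one import line."""
    peer, acts, flt = parse_import(line)
    name = f"{peer}-IMPORT"
    prefixes = expand_filter(flt, peer)
    out = []
    if prefixes is None:
        out.append(f"ip prefix-list {name} permit 0.0.0.0/0 le 32")
    else:
        out += [f"ip prefix-list {name} permit {p}" for p in prefixes]
        out.append(f"ip prefix-list {name} deny 0.0.0.0/0 le 32")  # explicit final deny
    out.append(f"route-map {name} permit {seq}")
    out.append(f" match ip address prefix-list {name}")
    if "pref" in acts:
        out.append(f" set local-preference {MAX_PREF - int(acts['pref'])}")
    return out
```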
Tasks:
Create an RtConfig template file
Run RtConfig with this template file
Time: 15 minutes
To create AS-path filters, use regular expressions in the filter rules in aut-num. Examples:
Paths starting with AS4:
import:     from AS4 accept <^AS4>
Prefixes that are originated in AS4 and have paths composed of only AS4's:
import:     from AS4 accept <^AS4+$>
PeerAS means:
from AS5 accept AS5
from AS7 accept AS7
from AS8 accept AS8
aut-num:    AS3
import:     from AS4 accept AS4
import:     from AS4 accept <^AS4+ AS4:AS-CUSTOMERS*$>
export:     to AS4 announce AS3
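As an added example (not from the course), a Python matcher for the AS-path filters in this section: it translates the RPSL <...> syntax into a regular expression over the AS_PATH and expands an as-set into its members. The AS4:AS-CUSTOMERS membership is constructed; a real tool resolves it from the IRR.

```python
import re

# Constructed as-set membership; in practice resolved from the IRR.
AS_SETS = {"AS4:AS-CUSTOMERS": ["AS64500", "AS64501"]}

# Supported subset of RPSL AS-path syntax: anchors, AS numbers, as-set names,
# the + * ? repetition operators, grouping and alternation.
TOKEN = re.compile(r"\^|\$|AS\d+:AS-[A-Z0-9-]+|AS\d+|[+*?()|]")

def rpsl_aspath_to_regex(rpsl_filter, as_sets=AS_SETS):
    """Translate an RPSL <...> AS-path filter into a compiled regex over a path
    written as 'AS1 AS2 ... ' (each AS followed by one space, so AS4 cannot
    accidentally match AS40)."""
    body = rpsl_filter.strip()
    if not (body.startswith("<") and body.endswith(">")):
        raise ValueError("expected an <...> AS-path filter")
    inner = body[1:-1]
    leftover = TOKEN.sub("", inner).strip()
    if leftover:  # refuse silently ignoring syntax we do not translate
        raise ValueError("unsupported AS-path syntax: " + leftover)
    out = []
    for m in TOKEN.finditer(inner):
        tok = m.group(0)
        if ":" in tok:  # as-set name -> alternation of its members
            if tok not in as_sets:
                raise ValueError("unknown as-set " + tok)
            out.append("(?:" + "|".join(a + " " for a in as_sets[tok]) + ")")
        elif tok.startswith("AS"):
            out.append("(?:" + tok + " )")
        else:  # ^ $ + * ? ( ) | keep their regex meaning
            out.append(tok)
    return re.compile("".join(out))

def path_matches(rpsl_filter, as_path, as_sets=AS_SETS):
    """as_path is the BGP AS_PATH as a list of 'ASn' strings, origin last."""
    text = "".join(a + " " for a in as_path)
    return rpsl_aspath_to_regex(rpsl_filter, as_sets).search(text) is not None
```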
Communities
Communities let you influence traffic engineering of ISPs two hops away from you.
Example: information communities:
Action communities:
Prepend 5400 to Google - 5400:2054
Set the local pref to 50 - 1299:50
Do not announce to KPN - 1299:2869
Don't announce outside the local POP - 2764:2
Prepend 3 times to Ams-IX peers - 8918:3068
Applied communities (diagram: Google, KPN, Ams-IX, Telia AS1299, BT AS5400, AS9, AS3, AS4, AS5, AS6, AS7)
Actions: Communities
To set/append a community:
import:     from AS6 action community = { 1:111 }; accept AS6
import:     from AS2 action community.append(1:75); accept AS2
Filtering:
import:     from AS2 accept AS2 AND community.contains(2:1)
export:     to AS3 announce AS3:AS-CUST AND community == {1:111};
Remote-triggered black-hole
If your network is under DDoS attack, advertise the host or prefix with a special community value.
6. Resource Certification
Based on open IETF standards (sidr). Issued by the RIRs. The certificate states that an Internet number resource has been registered by the RIPE NCC. The certificate does not give any indication of the identity of the holder; all further information on the resource can be found in the registry.
Resource transfers
The system
http://www.ripe.net/certification/enable.html
Proof of holdership
http://ripe.net/certification/validation
Validated cache

route-map validity-0
  match rpki-invalid
  drop
route-map validity-1
  match rpki-not-found
  set localpref 50     // valid defaults to 100
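As an added example (not from the course or from any router vendor), Python that applies the validity policy of the route-map above to a constructed validated cache: invalid routes are dropped, not-found routes get local preference 50, and valid routes keep the default of 100. The ROA entries use documentation prefixes and ASNs and are constructed for this example.

```python
from ipaddress import ip_network

# Constructed validated cache, as a router would receive it from an RPKI
# validator: (prefix, maxLength, origin ASN). Documentation values only.
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("2001:db8::/32", 48, 64496),
]
# Local-preference policy from the route-map above; 100 is the assumed router default.
LOCALPREF_VALID, LOCALPREF_NOT_FOUND = 100, 50

def validate(prefix, origin_as, roas=ROAS):
    """Route origin validation (RFC 6811): a route is valid when some ROA covers
    the prefix, names its origin AS and allows its length; invalid when ROAs
    cover the prefix but none matches; not-found when no ROA covers it."""
    net = ip_network(prefix)
    covering = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ip_network(roa_prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covering = True
        if roa_as == origin_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covering else "not-found"

def apply_policy(prefix, origin_as, roas=ROAS):
    """Return the local preference to set, or None when the route is dropped."""
    state = validate(prefix, origin_as, roas)
    if state == "invalid":
        return None
    return LOCALPREF_NOT_FOUND if state == "not-found" else LOCALPREF_VALID
```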
Certificates do not create additional powers for the Regional Internet Registries. Certificates reflect the resource registration status:
no registration, no certificate; the reverse is not true!
RPKI-IRR
http://labs.ripe.net/Members/Paul_P_/content-serving-roasrpsl-route-objects
Getting an AS number
Multihoming criteria
Contractual agreement
RIS Tools
Includes the MyASN alarm type for notifications on rogue announcements of your address space
Last appearance of an ASN / prefix in the global routing table: ASInUse / PrefixInUse
Looking Glass (also for IPv6)
whois -h riswhois.ripe.net <prefix>
NetSense.ripe.net (beta)
or BGP routing
New method of mirroring other RRs: fully synchronised with the authoritative sources. Objects are translated and adjusted:
Adding missing mandatory attributes
Wrapping unrecognised attributes in "remarks"
Creating dummy objects for missing data to keep referential integrity
Converting attribute values
All these transformations are marked by "End Of Line" comments in the objects.
RADb, APNIC and ARIN are available in the new format: whois -h whois.ripe.net -q sources
Now with a new API: http://lab.db.ripe.net/portal/search.htm
Project REX
Has your new address space ever been:
used
announced by another AS
put in a blacklist
delegated for reverse DNS
Have your current resources been used by others? We'll tell you with REX, the Resource Explainer: http://rex.ripe.net
Homework
Subscribe to the RIPE routing-wg mailing list
Subscribe to the irrtools@isc.org list
Try out REX & RIS
Practice all this at home in the Test Database
Download, install and use RtConfig
Check your RR consistency
Create certificates & ROAs for your prefixes
The End!