NATO Advanced Networking Workshop . Ljubljana, 19 September 2001 . http://www.ripe.net
RIPE whois Database
RIPE Network Coordination Centre
Schedule
• intro
• basic DB queries
• creating person/role object
• creating network object
• advanced DB queries
• protecting objects
• updating objects
• exercises / examples
RIPE Database Intro
• Public Network Management Database
• Software Management
  – RIPE NCC
  – requirements by RIPE community ([email protected])
  – download from ftp://ftp.ripe.net/
• Data Management
  – LIRs, other users
  – RIPE NCC
• Information content not responsibility of RIPE NCC
• Exchange of knowledge
• Transition to RPSL
Object Types
• Information about:        objects:
  IP address space          inetnum, inet6num
  reverse domains           domain
  routing policies          route, aut-num, etc.
  contact details           person, role, mntner
• Server whois.ripe.net
• UNIX client (command line queries)
• http://www.ripe.net/db/
• The most important documents
  – Representation of IP Routing Policies in a Routing Registry (ripe-181)
  – RIPE NCC Database Reference Manual (ripe-223) New!
Basic Queries
• Whois (client, web interface)
  – searches only look-up keys
  – returns exact match
• Look-up keys - usually the object name
  – person, role: name, email, nic-hdl
  – inetnum: address (or range), netname
• Glimpse - full text search
  – e.g. searching for address space based on the postal address or the name of the organisation
• Examples
Creating person Object
• Check if person object exists in RIPE DB
  – only one object per person
• Obtain and complete a template: whois -t person
  – whois -v person (verbose)
• Send to <[email protected]>
• Each person and role object has a unique nic-hdl
whois -t person
person: [mandatory] [single] [lookup key]
address: [mandatory] [multiple] [ ]
phone: [mandatory] [multiple] [ ]
fax-no: [optional] [multiple] [ ]
e-mail: [optional] [multiple] [lookup key]
nic-hdl: [mandatory] [single] [primary/look-up key]
remarks: [optional] [multiple] [ ]
notify: [optional] [multiple] [inverse key]
mnt-by: [optional] [multiple] [inverse key]
changed: [mandatory] [multiple] [ ]
source: [mandatory] [single] [ ]
whois -t role
role: [mandatory] [single] [lookup key]
address: [mandatory] [multiple] [ ]
phone: [optional] [multiple] [ ]
fax-no: [optional] [multiple] [ ]
e-mail: [mandatory] [multiple] [lookup key]
trouble: [optional] [multiple] [ ]
admin-c: [mandatory] [multiple] [inverse key]
tech-c: [mandatory] [multiple] [inverse key]
nic-hdl: [mandatory] [single] [primary/look-up key]
remarks: [optional] [multiple] [ ]
notify: [optional] [multiple] [inverse key]
mnt-by: [optional] [multiple] [inverse key]
changed: [mandatory] [multiple] [ ]
source: [mandatory] [single] [ ]
nic-hdl
• Unique identifier for person and role objects
  – primary key for person and role objects
• Format: <initials>[number]-<database>
  – e.g. CD567-RIPE, JFK11-RIPE
• Used in all attributes where contact info is needed
• Use “AUTO-#” placeholders (AUTO-#initials) when creating new objects
  – slide diagram: person: Piet Bakker ... nic-hdl: AUTO-1PB -> assigned PB1234-RIPE
  – slide diagram: role: Technical BlueLight Staff ... nic-hdl: AUTO-2BL -> assigned BL112-RIPE
Database Robot Responses <[email protected]>
• Successful update
  – acknowledgement
• Warnings
  – object accepted but might be ambiguous
  – object corrected and accepted
• Errors
  – object NOT corrected and NOT accepted
  – diagnostics in acknowledgement
• If not clear send questions to <[email protected]>
  – include error report and the original message
Creating Network Objects
• AW (assignment window) = 0 or AW < request_size
  – take the “network template” from the approved request
• otherwise
  – whois -t inetnum
• Send to <[email protected]>
  – with (only) the keyword NEW in the subject line
    • to avoid over-writing the existing objects (address range is the primary key for inetnum)
whois -t inetnum
inetnum: [mandatory] [single] [primary/look-up key]
netname: [mandatory] [single] [lookup key]
descr: [mandatory] [multiple] [ ]
country: [mandatory] [multiple] [ ]
admin-c: [mandatory] [multiple] [inverse key]
tech-c: [mandatory] [multiple] [inverse key]
rev-srv: [optional] [multiple] [inverse key]
status: [mandatory] [single] [ ]
remarks: [optional] [multiple] [ ]
notify: [optional] [multiple] [inverse key]
mnt-by: [mandatory] [multiple] [inverse key]
mnt-lower: [optional] [multiple] [inverse key]
mnt-routes: [optional] [multiple] [inverse key]
changed: [mandatory] [multiple] [ ]
source: [mandatory] [single] [ ]
Pay Attention to...
• Insert the address range
  – in the ‘network template’ from the approved request form
• Keep the same netname attribute as approved
• Create person or role objects in advance
  – admin-c: on site; client’s MD
  – tech-c: LIR or consultant
• Status: ASSIGNED PA
• In the changed attribute leave out the date
  – DB will add the current date
• Protection is mandatory – recommended: include mnt-lower and mnt-routes
Changes with RPSL
• Objects format - stricter syntax checks!!!
  – line continuation (white space or “+” sign)
  – attribute order is relevant and preserved
  – support for end of line comments (after “#”)
  – no empty attributes allowed
• inetnum value can not be in prefix notation!
  – correct: a.b.c.d<space>-<space>w.x.y.z
• Submission to the DB supports:
  – MIME
  – PGP (GnuPG)
New in RPSL!
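An added example, not from the slides or the RIPE NCC software: a small Python parser that applies the RPSL rules above (continuation lines, "#" comments, no empty attributes, inetnum not in prefix notation) and checks an object against the whois -t inetnum template. The sample object and its e-mail address are constructed for the demonstration.

```python
import re

# Attribute rules from the 'whois -t inetnum' template: name -> (mandatory, single)
INETNUM_TEMPLATE = {
    "inetnum": (True, True), "netname": (True, True), "descr": (True, False), "country": (True, False),
    "admin-c": (True, False), "tech-c": (True, False), "rev-srv": (False, False), "status": (True, True),
    "remarks": (False, False), "notify": (False, False), "mnt-by": (True, False), "mnt-lower": (False, False),
    "mnt-routes": (False, False), "changed": (True, False), "source": (True, True)}

def parse_rpsl(text):  # -> ordered list of (name, value) pairs, order preserved as RPSL requires
    attrs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # '#' starts an end-of-line comment
        if not line.strip():
            continue
        if line[0] in " \t+":                      # blank or '+' continues the previous attribute
            name, value = attrs[-1]                # IndexError if nothing precedes it
            attrs[-1] = (name, (value + " " + line[1:].strip()).strip())
        else:
            name, _, value = line.partition(":")
            attrs.append((name.strip().lower(), value.strip()))
    return attrs

def check_object(attrs, template=INETNUM_TEMPLATE):  # -> list of error strings (empty = accepted)
    errors, counts = [], {}
    for name, value in attrs:
        counts[name] = counts.get(name, 0) + 1
        if name not in template:
            errors.append(f"unknown attribute {name!r}")
        elif not value:
            errors.append(f"empty attribute {name!r}")      # no empty attributes allowed
        if name == "inetnum" and value and not re.fullmatch(r"[\d.]+ - [\d.]+", value):
            errors.append("inetnum must be 'a.b.c.d - w.x.y.z', not prefix notation")
    for name, (mandatory, single) in template.items():
        if mandatory and name not in counts:
            errors.append(f"missing mandatory attribute {name!r}")
        if single and counts.get(name, 0) > 1:
            errors.append(f"attribute {name!r} must be single")
    return errors

# Constructed sample (not from the slides) with a '+' continuation and an end-of-line comment
SAMPLE_OK = """inetnum: 195.35.64.0 - 195.35.65.191
netname: BLUELIGHT-1
descr:   Blue Light Internet
+        Amsterdam office   # continuation line
country: NL
admin-c: JJ231-RIPE
tech-c:  BL112-RIPE
status:  ASSIGNED PA
mnt-by:  BLUELIGHT-MNT
changed: hostmaster@bluelight.nl 20010505
source:  RIPE"""
```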
Querying Address Ranges
• whois [customer’s IP range, customer’s netname]
  – netname not unique search key
• whois -m [LIR allocated IP range]
  – list of biggest sub-ranges (first level more specific)
• whois -M [LIR allocated IP range]
  – all sub-ranges
• whois -L [customer’s IP range]
  – exact match & bigger encompassing ranges
  – LIR’s own allocation object & RIPE NCC’s /8
• whois -l [customer’s IP range]
  – not the exact match, but the smallest bigger object
• whois -x [IP range]
  – if no matching object is found nothing is returned
New in RPSL!
Example DB Queries
(slide diagram: the allocation 195.35.64.0 - 195.35.95.255 containing the assignments 195.35.64.0 - 195.35.65.191, 195.35.80/25, 195.35.88/26 and ENGOS with 195.35.92/29 (ENGO-7) and 195.35.92.8/29 (ENGO-8); netnames shown: BLUELIGHT, GOODY2SHOES, ENGOS)
whois -M 195.35.64.0/19
whois -m 195.35.64.0/19
whois -L 195.35.92.10
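An added example (not code from the slides or from the RIPE whois server) that emulates the range flags -x, -l, -L, -m and -M from the previous slide over a constructed in-memory registry shaped like the diagram, and then uses -l to find which mntner must authorise creating a new more specific inetnum (the mnt-lower one level up, as on the hierarchical authorisation slides). The netnames, maintainers and exact ranges in SAMPLE_DB are assumptions, as is falling back to the parent's mnt-by when it has no mnt-lower.

```python
import ipaddress

def parse_range(text):
    """(first, last) ints for 'a.b.c.d - w.x.y.z', a prefix, or a single address."""
    if "-" in text:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-"))
    else:
        net = ipaddress.IPv4Network(text, strict=False)
        lo, hi = net[0], net[-1]
    return int(lo), int(hi)

# Constructed registry mirroring the slide diagram; netnames and maintainers are assumptions
SAMPLE_DB = [
    {"inetnum": "195.35.64.0 - 195.35.95.255", "netname": "NL-BLUELIGHT-ALLOC",
     "mnt-by": "RIPE-NCC-HM-MNT", "mnt-lower": "BLUELIGHT-MNT"},
    {"inetnum": "195.35.64.0 - 195.35.65.191", "netname": "BLUELIGHT-1", "mnt-by": "BLUELIGHT-MNT"},
    {"inetnum": "195.35.80.0 - 195.35.80.127", "netname": "GOODY2SHOES", "mnt-by": "BLUELIGHT-MNT"},
    {"inetnum": "195.35.92.0 - 195.35.92.15", "netname": "ENGOS", "mnt-by": "BLUELIGHT-MNT"},
    {"inetnum": "195.35.92.0 - 195.35.92.7", "netname": "ENGO-7", "mnt-by": "ENGOS-MNT"},
    {"inetnum": "195.35.92.8 - 195.35.92.15", "netname": "ENGO-8", "mnt-by": "ENGOS-MNT"},
]

def query(db, target, flag=None):
    """Netnames a whois query would return for the given range flag, most specific first."""
    lo, hi = parse_range(target)
    pairs = sorted(((parse_range(o["inetnum"]), o) for o in db), key=lambda p: p[0][1] - p[0][0])
    exact = [(r, o) for r, o in pairs if r == (lo, hi)]
    less = [(r, o) for r, o in pairs if r[0] <= lo and hi <= r[1] and r != (lo, hi)]
    more = [(r, o) for r, o in pairs if lo <= r[0] and r[1] <= hi and r != (lo, hi)]
    if flag == "-x":            # exact match only, nothing otherwise
        hits = exact
    elif flag == "-l":          # smallest encompassing object, never the exact match
        hits = less[:1]
    elif flag == "-L":          # exact match plus every encompassing object
        hits = exact + less
    elif flag == "-M":          # every sub-range
        hits = more
    elif flag == "-m":          # first-level sub-ranges: not inside another sub-range
        hits = [(r, o) for r, o in more
                if not any(c <= r[0] and r[1] <= d and (c, d) != r for (c, d), _ in more)]
    else:                       # plain query: exact match, else the smallest encompassing
        hits = exact or less[:1]
    return [o["netname"] for _, o in hits]

def mntner_for_create(db, new_inetnum):
    """mntner that must authorise creating new_inetnum: mnt-lower of the object one level up."""
    parent = query(db, new_inetnum, "-l")
    if not parent:
        return None
    obj = next(o for o in db if o["netname"] == parent[0])
    return obj.get("mnt-lower", obj["mnt-by"])   # fallback to mnt-by is an assumption
```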
Inverse Lookups in RIPE DB
• whois -i {attribute} {value}
• Inverse keys
  – notify, mnt-by, mnt-lower, admin-c, tech-c, zone-c, ...
• whois -i tech-c JJ125-RIPE
  – whois -i admin-c,tech-c,zone-c -T domain JJ125-RIPE
  – whois -ipn JJ125-RIPE
• whois -i mnt-by BLUELIGHT-MNT
• whois -i notify [email protected]
New in RPSL!
Non-Recursive Lookups: “-r”
• whois 193.35.64.82 => inetnum, route, person(s)
  – whois -r 193.35.64.82 => inetnum, route
  – whois -T inetnum 193.35.64.82 => inetnum, persons
  – whois -r -T inetnum 193.35.64.82 => inetnum
  – whois -T route 193.35.64.82 => route
• Summary -- DB flags:
  – -i, -r, -T, -m, -M, -l, -L, -x
Questions?
(link back to the Assignment Process)
Advanced Database Issues
• Protection
• DB administration
  – updating objects
  – deleting objects
• Test whois Database
Notification / Authorisation
• notify attribute (optional)
  – sends notification of change to the email address specified
• mnt-by attribute & mntner object
  – mnt-by mandatory (except dn, pn, ro: domain, person and role objects)
• Hierarchical authorisation for inetnum, domain, route, aut-num objects
  – mnt-lower attribute
  – mnt-routes attribute
New in RPSL!
Creating Maintainer Object
• Mandatory protection of objects
  – except for person, role and domain
  – updates of objects that contain mnt-by attribute must pass the authentication rules in the mntner object
• Decide on the authentication method
  – ripe-223
  – ripe-157, ripe-189 documents obsolete
• Manual registration necessary
  – send the mntner object to <[email protected]>
  – requester needs to be contact person from the LIR
See also: Protection of RIPE DB objects
New!
Authorisation Mechanism
inetnum: 195.35.64.0 - 195.35.65.191
netname: BLUELIGHT-1
descr: Blue Light Internet
...
mnt-by: BLUELIGHT-MNT

mntner: BLUELIGHT-MNT
descr: Maintainer for all Bluelight objects
admin-c: JJ231-RIPE
tech-c: BL112-RIPE
auth: CRYPT-PW q5nd!~sfhk0#
upd-to: [email protected]
mnt-nfy: [email protected]
referral-by: RIPE-DBM-MNT
mnt-by: BLUELIGHT-MNT
changed: [email protected] 19991112
source: RIPE
Maintainer Object Attributes
• auth (mandatory, multiple)
• upd-to (mandatory)
  – notification for failed updates
• mnt-nfy (optional, encouraged)
  – works like notify but for all objects that refer to this mntner
• mnt-by (mandatory)
  – can reference the object itself
• referral-by (mandatory)
  – references mntner object that created this object
• Manual registration of object necessary
• Send object to <[email protected]>
New in RPSL!
Authentication Methods
1. auth: NONE
   • could be used with mnt-nfy attribute
2. auth: MAIL-FROM {e-mail, reg-exp}
   – e.g. MAIL-FROM .*@bluelight\.nl
   • protection from typos only (the sender address is not verified)
3. auth: CRYPT-PW {encrypted password}
   • include password attribute in your updates
   – value is clear text password
4. auth: PGPKEY-<argument>
   • key-cert object
   – see: ripe-223
   • http://www.gnupg.org/
Hierarchical Authorisation
inetnum: 195.35.64.0 - 195.35.79.255
netname: NL-BLUELIGHT-20000909
...
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: BLUELIGHT-MNT
mnt-routes: BLUELIGHT-MNT
changed: [email protected] 20000909
changed: [email protected] 20001111
source: TEST
• Ask <[email protected]> to add mnt-lower and mnt-routes attributes into your allocation inetnum objects
Hierarchical Authorisation (cont’d)
• mnt-lower and mnt-routes attributes
  – authenticate only creation of more specific objects
  – only one level below
• mandatory in allocation inetnum objects
• mandatory in PI assignment inetnum objects
• recommended in PA inetnum objects, and route objects
• mnt-routes in aut-num object e.g. AS42
  – authenticates creation of route objects with origin: AS42
New in RPSL!
DB Update Procedure
Send to: <[email protected]>
• Modifying an object
  – obtain object from RIPE DB
  – make needed changes
  – keep the same primary key
  – add the changed line to the new version of object
    changed: [email protected] 20010505
    • keep the old changed lines in to show history
  – include authentication (password, PGP signature)
• Deleting an object
  – add delete line to the exact copy of current object
    delete: [email protected] overlapping inetnum 20010606
  – include authentication (password, PGP signature)
When to Update Your Objects
• Fixing overlapping assignments
• Merging two inetnum (domain, route) objects
• Splitting one assignment into smaller ones
• Changing the netname
• Protecting unprotected objects
  – including mnt-by attribute
• Updating peering agreements in aut-num
• Updating references to new contact persons/roles
  – admin-c, tech-c, zone-c
• Updating contact info
  – phone/address change in person/role/mntner
Case Study 1 -- Contact Person Left
(slide diagram: inetnum objects 195.35.64.80 and 195.35.64.130 with tech-c JAJA1-RIPE; after the change both reference the new person object CD2-RIPE)
1. whois -i tech-c JAJA1-RIPE
2. Create new person object (for Carl Dickens, new guy)
3. Change the tech-c reference in all inetnum objects
4. Delete old person object
Case Study 2 -- Replacing tech-c Using role Object
(slide diagram: inetnum objects 195.35.64.80 and 195.35.64.130 with tech-c CD2-RIPE; after the change both reference the role object BL112-RIPE, which in turn lists the person objects CD2-RIPE and JJ231-RIPE)
1. Create person object for each tech-c
2. Create role object for all tech-c:s
3. Change the tech-c reference in all inetnum objects to reference role object
4. Keep role object up-to-date with staff changes
Case Study 3 -- Replacing Assignment Objects
• Splitting any approved assignment
  – e.g. moving first assignment registered as one block, at the beginning of allocated range
  – delete the original object
  – create two or more new objects
  – keep the same netname
• or let RIPE NCC know of the change
  – using the same ticket number
Test whois Database
• Non-production whois Database
• Similar interface as “real” RIPE whois Database
  – whois & email
    • whois -h test-whois.ripe.net ; <[email protected]>
  – syntax checking
  – error reports
• Possible to automatically create mntner
• Ideal for testing
  – various authorisation schemes
  – self-made scripts that update RIPE whois DB
• Source: TEST
Questions?
Questions, bug reports: <[email protected]>