Route Management Guide v3 - APNIC · 2017-12-17

Route Management Guide to manage your routes and (RPKI) ROAs
1 Introduction
2 Activating RPKI engine
  2.1 Permissions required for Resource Certification
  2.2 RPKI Engine activation (enabling resource certification)
  2.3 Hosting your own Certificate Authority
3 Route and ROA management
  3.1 How MyAPNIC routes and WHOIS route objects are different
  3.2 Synchronizing MyAPNIC routes and WHOIS route objects
  3.3 Conflicts between MyAPNIC routes and WHOIS route objects
4 Import routes
5 Create Routes
  5.1 Using ROA option
  5.2 'Whois Route Attributes' option
  5.3 'Notify additional contacts' option
  5.4 Sub-route selection
  5.5 Route Requests – Action log
  5.6 Route Task Details
6 Edit Routes
7 User permission
  7.1 Checking user permission
8 FAQ
  8.1 What is ROA and RPKI
  8.2 Why do I get "authorization failed"
  8.3 How does authorization work?
  8.4 How do I enable Two factor authentication (2FA)
    8.4.1 Time-based One Time Password (TOTP)
    8.4.2 Digital Certificates
1 Introduction
This document provides detailed instructions for using the Route Management feature in MyAPNIC to create route objects and ROAs. The next section explains how to activate the RPKI engine, which is required for Resource Certification; Route Management follows.
2 Activating RPKI engine
The RPKI engine needs to be activated in order to certify the resources under a particular account. The RPKI page is accessible as follows:
1) Log in to MyAPNIC
2) Go to: Resources → Resource Certification (see image below)
2.1 Permissions required for Resource Certification
All users should have Two-Factor Authentication enabled in MyAPNIC to use the Resource Certification feature.
- Corporate Contacts by default have "update" privilege.
- Other contacts by default only have "view" privilege.
The Corporate Contact can manage user privileges from the Manage Contact menu in MyAPNIC.
2.2 RPKI Engine activation (enabling resource certification)
To start using the Resource Certification feature, click on the Certification menu under Resources. Select whether you want to operate in the MyAPNIC RPKI portal or host your own certificate authority.
After selecting the first option, you will be taken to the terms and conditions. Please read them carefully and, if you agree to the conditions, accept by clicking the following button at the bottom of the page.
With that your RPKI engine will be activated. This is required to request/receive your Resource Certificate from APNIC and create your ROA (Route Origin Authorization) objects in MyAPNIC. Once this service is activated, it is available to all MyAPNIC users from that account with the Resource Certification privilege.
2.3 Hosting your own Certificate Authority
Select the second option and click "Next".
Read the terms and conditions and click on "I accept. Enable provisioning protocol to my own Certification Authority". Click on "Upload XML" and attach your identity.xml file.
After you attach your identity.xml file, click on "Submit".
Click on "Download parent XML" to download the XML file which is needed to configure the parent of your RPKI engine. Should your RPKI engine's business PKI (BPKI) certificate change in the future, you need to upload your new identity XML file by clicking on "Upload new XML".
3 Route and ROA management
The route management tool is an interactive feature in MyAPNIC where users can manage routes and ROAs at once. To access the Route/ROA management feature:
1) Log in to MyAPNIC
2) Go to: Resources → Route Management (see image below)
3.1 How MyAPNIC routes and WHOIS route objects are different
Through this tool, users can create/manage MyAPNIC routes, which are referred to as "routes" throughout this document. These 'routes' act as a template for creating actual routes in the whois database, which are referred to as "route objects" in this document. Routes and route objects can exist separately; that is, a route in MyAPNIC can exist without an actual route object in the whois database, and route objects in the whois database can exist without a route entry in MyAPNIC.
3.2 Synchronizing MyAPNIC routes and WHOIS route objects
Users can decide to import routes from the whois database through the Route Management tool. This will ensure a route entry in MyAPNIC is created for every route object associated with that account (routes with the account's IP prefixes and ASNs). Once a route entry is created in MyAPNIC, users can manage whois route objects through the tool's interface. When a user creates/updates/deletes a route through this tool, the tool will attempt to create the corresponding whois route object as soon as possible. If you are updating multiple objects at the same time, the tool may show "pending" status against the routes which are not yet synchronized.
3.3 Conflicts between MyAPNIC routes and WHOIS route objects
The Route Management tool is not the only way that a whois route object can be managed. If a whois route object is changed elsewhere, the MyAPNIC route entry will not change; instead it will indicate that there is a conflict. This ensures that the user is made aware of changes done outside the Route Management tool. The user can then take action to resolve the conflict: either accept the changes, or revert the route object back to the MyAPNIC route template.
4 Import routes
When a user opens or refreshes the Route Management page, the tool checks for any route objects in the APNIC whois database which are not managed by the route management tool in MyAPNIC. If any such route objects exist, the user can select and import them and start managing them through the tool.
If the user clicks on "Review & Import", the following screen will appear.
From this page, the user can view and select route objects to be managed by the tool. When the user finishes selecting and clicks on "Import", the following message will appear on the screen to confirm that the import task is being handled in the background.
To see more details about the task, the user can either click on the above message while it is being displayed, or click on the "Requests" link at the top of the Route Management page. By clicking either of the links, the user can see the following detailed information about the task.
By clicking on the "View" button of a particular request in the Route task request window, the tool will show any changes that were made in the APNIC whois database regarding this request. In the case of importing, the route object will not be changed, hence the message "Object already exists" is displayed.
Once the routes are imported, any further changes to the route will change the route object in the APNIC whois database. See section 6, Edit Routes, for more information about making changes to an existing route.
5 Create Routes
To create a new route object, please select 'create route object'.
The following template shows the minimum information that a user needs to input to create a route.

Prefix                         The IPv4 or IPv6 prefix in CIDR notation.
Origin AS                      The AS Number which is used to announce the IP prefix.
Most Specific Announcement     By default, this will be prefilled with the IP prefix's size. However, the user can choose to announce more specific IP prefixes if he wishes to. If a more specific announcement is chosen, the tool will create all the route objects from the least specific announcement up to the most specific announcement, including any prefixes in between.
ROA                            See 'ROA option' (section 5.1).
Define whois route attributes  See 'Whois Route Attributes' option (section 5.2).
Notify Additional Contacts     See 'Notify additional contacts' option (section 5.3).
5.1 Using ROA option
If the member who logs in to MyAPNIC has:
- RPKI update permission – AND –
- Two Factor Authentication enabled
the ROA option will be ticked by default. If you proceed with the option, matching ROAs will be created for the prefix and also for the most specific announcement. The option can be un-ticked if the user does not require ROAs to be created.
If the member who logs in to MyAPNIC has:
- RPKI update permission revoked – OR –
- Two Factor Authentication disabled
the ROA option will be un-ticked by default. The user cannot tick this option. If the user wants to create ROAs, he can click "here" to go to the Two Factor Authentication configuration page.
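The sub-route expansion described under 'Most Specific Announcement' in the template above, and the "matching ROAs" that this section says are created for the prefix and the most specific announcement, as an added example in Python. This is not APNIC's or the MyAPNIC tool's code. It assumes the expansion is every prefix length from the requested prefix up to the most specific announcement, models a ROA as (prefix, maxLength, origin AS) as in RFC 6482, and classifies an announcement as Valid, Invalid or NotFound as in RFC 6811; all prefixes and AS numbers are constructed documentation values.

```python
# Added example, not code from APNIC or the MyAPNIC tool.
# Assumptions: the tool's sub-route expansion is every prefix length from the
# requested prefix up to the Most Specific Announcement; a ROA is modelled as
# (prefix, maxLength, origin AS) per RFC 6482 and routes are classified
# Valid / Invalid / NotFound per RFC 6811. All prefixes are constructed samples.
import ipaddress
from dataclasses import dataclass
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Roa:
    prefix: Network
    max_length: int
    asn: int


def expand_sub_routes(prefix: str, most_specific: int) -> List[str]:
    """List every route the tool would create for `prefix` when the
    Most Specific Announcement is `most_specific`: the prefix itself and all
    more-specifics down to that length, least specific first."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= most_specific <= net.max_prefixlen:
        raise ValueError(f"most specific announcement /{most_specific} is "
                         f"outside /{net.prefixlen}../{net.max_prefixlen}")
    routes: List[str] = []
    for length in range(net.prefixlen, most_specific + 1):
        # new_prefix == net.prefixlen yields the network itself
        routes.extend(str(sub) for sub in net.subnets(new_prefix=length))
    return routes


def roa_for_request(prefix: str, most_specific: int, asn: int) -> Roa:
    """One ROA whose maxLength equals the Most Specific Announcement covers
    the whole set returned by expand_sub_routes() for the same origin AS."""
    return Roa(ipaddress.ip_network(prefix, strict=True), most_specific, asn)


def validation_state(roas: List[Roa], route_prefix: str, origin_asn: int) -> str:
    """RFC 6811 route origin validation of one announcement against the ROAs.
    Covered by no ROA -> NotFound; covered and (length <= maxLength, AS
    matches) for some ROA -> Valid; covered but no match -> Invalid."""
    net = ipaddress.ip_network(route_prefix, strict=True)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"
    for roa in covering:
        if net.prefixlen <= roa.max_length and origin_asn == roa.asn:
            return "Valid"
    return "Invalid"


if __name__ == "__main__":
    request = ("198.51.100.0/24", 26, 64511)   # constructed request
    for r in expand_sub_routes(request[0], request[1]):
        print("route:", r)
    roa = roa_for_request(*request)
    for announced, asn in [("198.51.100.64/26", 64511),   # within maxLength
                           ("198.51.100.64/27", 64511),   # too specific
                           ("198.51.100.0/24", 64512),    # wrong origin
                           ("203.0.113.0/24", 64511)]:    # no ROA at all
        print(announced, "AS%d" % asn, "->", validation_state([roa], announced, asn))
```

The "Invalid" outcome for the /27 is why the Most Specific Announcement matters when the ROA option is ticked: anything announced more specifically than the value chosen here falls outside the ROA's maxLength and will fail origin validation at RPKI-aware routers.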
5.2 'Whois Route Attributes' option
The user can add a number of attributes through this option, from the dropdown menu, one by one. To see a detailed explanation about all these attributes please visit the following URL: https://www.apnic.net/apnic-info/whois_search/using-whois/guide/route
If this option is not selected, a route will be created with the mandatory attributes filled with information from your.
Routeobjecttemplatefor‘route’(IPv4routes)
Routeobjecttemplatefor‘route6’(IPv6routes)
5.3 'Notify additional contacts' option
By default, if a route is created, automatic notifications will be sent to the ASN custodian. Notifications will be sent to APNIC account contacts. If the ASN is from a different RIR, 'whois' database contacts associated with that ASN will be notified. If neither of the above contacts is found, the APNIC helpdesk will be notified. With the 'Notify additional contacts' option, the user is able to send route creation notices to any other party that he wishes to inform. Multiple e-mail contacts can be included by separating them with commas or spaces.
5.4 Sub-route selection
Once all the information is filled in, and the user clicks "NEXT", the Confirmation window appears, where further adjustments can be made.
The confirmation screen above shows all the routes that are going to be created. The mandatory attributes the user entered are displayed at the top of the screen. It is followed by a list of routes that will be created. The list will have more than one route if the 'most specific announcement' is higher than the 'prefix size'. All routes in the list are selected by default. The user has the option to unselect any route if required.

Select all        Ticks all the sub-routes in the list.
Deselect all      Un-ticks all the sub-routes in the list.
Show 'X' entries  Determines the number of sub-routes to be displayed per page. Options are 10, 25, 50 and 100.
Previous          Goes to the previous page of the list if the sub-routes do not fit on one page.
Next              Goes to the next page of the list if the sub-routes do not fit on one page.
Cancel            Aborts the route creation.
Go back           Goes to the previous page, where route attributes can be updated.
Submit            All selected sub-routes will be created. Route objects will be injected into the whois database. If the ROA option is enabled, matching ROAs will be created.

Once the 'Submit' button is clicked, the tool will start processing the route creation. A dialog box appearing as below will indicate this.
This dialog box will disappear automatically once the routes are created in MyAPNIC. As shown in the dialog box, to see details click the 'Route requests' link shown below.
5.5 Route Requests – Action log
The 'Route requests' link (see section 5.4, Sub-route selection) will take the user to a log of all activities associated with the Route Management page. The action log will look similar to the screen below.

ID       Action log ID.
Created  Date and timestamp of the submission.
User     MyAPNIC user ID.
Type     Type of action request: Create Route, Modify Route or Delete Route.
Route    The IP prefix which will be announced. Sub-route prefixes can be viewed by clicking 'View'.
Status   A green tick mark indicates all sub-routes were created successfully. A red cross icon indicates that at least one sub-route creation has failed.
View     Shows more details about a specific action item.
5.6 Route Task Details
The screen below shows how route task details will appear if the 'view' button is clicked in the route requests page (see section 5.5, Route Requests – Action log).
If the task selected is either "Create Route" or "Edit Route", the user can view the actual whois route object by clicking the "View Whois Object" button in the above screen.
6 Edit Routes
The routes created through MyAPNIC, or through other methods such as e-mail updates, can be modified through this interface.
Clicking on the edit button in front of a route entry allows that specific route to be modified.
Most Specific Announcement  The user can change this attribute. By changing this, the number of sub-route entries will automatically change.
ROA                         The user can toggle between ROA enabled and ROA disabled. The user needs to have permission to enable ROA (see section 7, User permission).
Enable/Disable              If Managed is set to 'Enabled', a whois route object exists. If Managed is set to 'Disabled', the whois route object does not exist. By toggling between the two states, the user can create and delete whois route objects. If the user disables a sub-route for which ROA is enabled, the ROA will automatically be deleted as well.
Submit                      Changes will be processed, and whois route objects will be updated accordingly.
Update Whois                This button will open the whois update page for that particular whois route object.
7 User permission
To be able to create ROAs together with routes, users require:
1) Resource Certification permission enabled – AND –
2) Two Factor Authentication (2FA) enabled, using either:
   a. Time based One Time Passwords (TOTP) – OR –
   b. Digital Certificates
To learn more about:
Resource Certification: www.apnic.net/ROA
Two Factor Authentication: www.apnic.net/2FA
By default, Corporate Contacts have Resource Certification permission enabled. Technical Contacts and Billing (Admin) Contacts do not have access by default. The Corporate Contact can grant them access through MyAPNIC. None of the contacts have 2FA enabled by default. Therefore, all contact persons must select one of the above 2FA methods and configure it before they can create ROAs.
7.1 Checking user permission
Users can check what permissions are enabled for them by going to: Home → My Profile → Account Permission
To be able to create ROAs, both "View" and "Update" permissions should be enabled.
8 FAQ
8.1 What is ROA and RPKI
Please visit the APNIC website for more information: www.apnic.net/ROA
8.2 Why do I get "authorization failed"
It could be due to one or more of the following reasons.
1) The IP prefix is not in the APNIC account. Route objects can be created by IP prefix custodians only. Please go to: Home → Resources → IPv4/IPv6 and check if the IP prefix is available.
2) The account maintainer has not been added to your MyAPNIC. You can request the password if there are other users who already have the maintainer added. Please go to: Home → Resources → Maintainers and check if the maintainer is registered.
3) Another route object exists which is the same as or larger than the route object you are trying to create, and it has a different "mnt-lower" or "mnt-routes". In that case, please register that maintainer in your MyAPNIC and use it for more specific route announcements.
8.3 How does authorization work?
Whois objects are protected by maintainers. In the case of route objects, it is a little more complicated. To be consistent with the objects which already exist, there are different levels of checks which need to be validated before a route can be injected into the whois database. If you are creating a route object (e.g. 198.51.100.0/24 with AS64511), maintainer authorization will be checked in the following order.
1) Is there a route object with the same IP prefix?
   a. If yes: Go to 5
   b. If no: Go to 2
2) Is there a route object with a less specific IP prefix (overlapping the route you want to create)?
   a. If yes: Go to 5
   b. If no: Go to 3
3) Is there an inetnum object with the same IP prefix?
   a. If yes: Go to 5
   b. If no: Go to 4
4) Is there an inetnum object with a less specific IP prefix (overlapping the route you want to create)?
   a. If yes: Go to 5
   b. If no: route creation fails, error given
5) Is there a mnt-routes defined in the existing object?
   a. If yes: Go to 8
   b. If no: Go to 6
6) Is there a mnt-lower defined in the existing object?
   a. If yes: Go to 8
   b. If no: Go to 7
7) Is there a mntner defined in the existing object?
   a. If yes: Go to 8
   b. If no: route creation fails, error given
8) Does the mnt-routes/mnt-lower/mntner of the existing object match the mntner of the route you wish to create?
   a. If yes: Create Route
   b. If no: route creation fails, error given
If you still cannot find the reason why it fails, please contact the APNIC helpdesk ([email protected]).
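The eight steps above as an added example in Python, written for this guide and not taken from APNIC or the whois software: it runs the decision procedure over a constructed snapshot of whois objects so that the "authorization failed" cases from 8.2 can be reproduced and explained. Assumptions: objects are plain dicts with RPSL attribute names; the guide's "mntner" is read as the mnt-by attribute; a "less specific" object is one with a shorter prefix that contains the requested one, and the most specific such object is used if several exist; route6/inet6num are treated like route/inetnum.

```python
# Added example, not code from APNIC or the whois software. It replays the
# eight-step maintainer authorization check from FAQ 8.3 over a constructed
# in-memory snapshot of whois objects. Assumptions: objects are dicts with
# RPSL-style attribute names; the guide's "mntner" is read as the mnt-by
# attribute; a "less specific" object is one with a shorter prefix that
# contains the requested prefix, and the most specific such object is used
# when several exist; route6/inet6num are treated like route/inetnum.
import ipaddress
from typing import Dict, List, Optional, Tuple

WhoisObject = Dict[str, object]

ROUTE_TYPES = ("route", "route6")
INETNUM_TYPES = ("inetnum", "inet6num")

# Constructed sample registry snapshot (documentation prefixes, private ASNs).
# The 192.0.2.0/24 entry deliberately has no maintainer so step 7 can be shown.
SAMPLE_WHOIS: List[WhoisObject] = [
    {"type": "inetnum", "prefix": "198.51.100.0/24",
     "mnt-by": ["MAINT-EXAMPLE"], "mnt-lower": ["MAINT-EXAMPLE-LOWER"]},
    {"type": "route", "prefix": "203.0.113.0/24", "origin": "AS64496",
     "mnt-by": ["MAINT-OTHER"], "mnt-routes": ["MAINT-OTHER-ROUTES"]},
    {"type": "inetnum", "prefix": "192.0.2.0/24", "mnt-by": []},
]


def _net(prefix: str):
    return ipaddress.ip_network(prefix, strict=True)


def find_existing(objects: List[WhoisObject], prefix: str) -> Optional[WhoisObject]:
    """Steps 1-4: a route object with the same prefix, else a less specific
    route object, else an inetnum with the same prefix, else a less specific
    inetnum. Returns None when nothing covers the prefix."""
    net = _net(prefix)
    for kinds in (ROUTE_TYPES, INETNUM_TYPES):
        same, covering = [], []
        for obj in objects:
            if obj["type"] not in kinds:
                continue
            other = _net(obj["prefix"])
            if other.version != net.version:      # subnet_of() needs same family
                continue
            if other == net:
                same.append(obj)
            elif other.prefixlen < net.prefixlen and net.subnet_of(other):
                covering.append(obj)
        if same:
            return same[0]
        if covering:
            # assumption: the most specific covering object decides
            return max(covering, key=lambda o: _net(o["prefix"]).prefixlen)
    return None


def authorizing_attribute(existing: WhoisObject) -> Tuple[Optional[str], List[str]]:
    """Steps 5-7: the first populated attribute in the order mnt-routes,
    mnt-lower, mnt-by decides which maintainers may create the route."""
    for attr in ("mnt-routes", "mnt-lower", "mnt-by"):
        if existing.get(attr):
            return attr, list(existing[attr])
    return None, []


def authorize_route(objects: List[WhoisObject], prefix: str,
                    mnt_by: List[str]) -> Tuple[bool, str]:
    """Full check: returns (authorized, reason) for a new route object whose
    own mnt-by is `mnt_by`."""
    existing = find_existing(objects, prefix)
    if existing is None:
        return False, "no route or inetnum object covers the prefix (steps 1-4)"
    where = f"{existing['type']} {existing['prefix']}"
    attr, allowed = authorizing_attribute(existing)
    if attr is None:
        return False, f"{where} has no maintainer attributes (step 7)"
    if set(mnt_by) & set(allowed):             # step 8
        return True, f"authorized by {attr} of {where}"
    return False, f"mnt-by does not match {attr} of {where} (step 8)"


if __name__ == "__main__":
    cases = [
        ("198.51.100.0/25", ["MAINT-EXAMPLE-LOWER"]),  # covered by inetnum, mnt-lower matches
        ("198.51.100.0/24", ["MAINT-EXAMPLE"]),        # mnt-lower present but differs: FAQ 8.2 case 3
        ("203.0.113.0/25", ["MAINT-OTHER-ROUTES"]),    # covered by route, mnt-routes matches
        ("192.0.2.0/24", ["MAINT-EXAMPLE"]),           # inetnum without any maintainer
        ("2001:db8::/32", ["MAINT-EXAMPLE"]),          # nothing covers it
    ]
    for prefix, maintainers in cases:
        ok, reason = authorize_route(SAMPLE_WHOIS, prefix, maintainers)
        print(f"{prefix:18} {'OK    ' if ok else 'FAILED'} {reason}")
```

The second case is the situation described in 8.2 item 3: the covering inetnum carries a mnt-lower, so the mnt-by of the object alone does not authorize a more specific route and the user has to register the mnt-lower maintainer in MyAPNIC instead.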
8.4 How do I enable Two factor authentication (2FA)
There are two options to enable 2FA. For more information about 2FA, please visit www.apnic.net/2FA
8.4.1 Time-based One Time Password (TOTP)
To configure, please see the following guide: www.apnic.net/2fa
8.4.2 Digital Certificates
To configure, please see the following guide: https://www.apnic.net/manage-ip/myapnic/digital-certificates