Routing RegistryTraining CourseFebruary 2011

Schedule

• 09:00 - 09:30 Coffee, Tea & Network setup

• 11:00 - 11:15 Break

• 13:00 - 14:00 Lunch

• 15:00 - 15:15 Break

• 17:30 End

• Ask questions at any time!

• All the material on ripe.net/training/

2

Introductions

• Number on the list

• Name

• Experience with the RIPE DB & BGP

• Goals

3

Goals

• Learn the benefits of using Routing Registry (RR)

• Practice using the RIPE Database- create, modify & protect your objects

• Practice describing your routing policy in RPSL

• Practice creating router configuration from RR

4

Today’s topics: theory and practice

1. Benefits of using Routing Registry (RR)- Exercise: Creating a route6 object

2. Configuring routers based on RR- Exercise: Generating prefix list filter

3. Advanced RIPE DB usage- Exercise: Creating maintainer for PI End User

4. Routing Policy Specification Language (RPSL)- Exercise: Creating multihoming policy in aut-num- Exercise: Generating router configuration

5. Advanced RPSL policy options

6. Resource Certification & other services

5

1. Benefits of using Routing Registry

What is “Internet Routing Registry”

• Distributed databases with public routing policy information, mirroring each other: irr.net

- APNIC, RADB, Level3, SAVVIS...

• RIPE NCC operates “RIPE Routing Registry”

• Big operators make use of it- AS286 (KPN), AS5400 (BT), AS1299 (Telia), AS8918

(Carrier1), AS2764 (Connect), AS3561 (Savvis), AS3356 (Level 3)...

7

What is your routing policy?

• What prefixes do you announce?

• Who are your neighbours?- upstreams, customers, peers

• What prefixes do you accept? Who from?

• What are your preferences?

8

Why publish your policy in IRR?

• Required by some Transit Providers & IXPs- they use it for prefix-based filtering

• Allows for automated generation of prefix filters - and router configuration commands, based on RR

• Contributes to routing security- prefix based filtering prevents accidental leaks and

route hijacking

• Consistent information between neighbors

• Good housekeeping

9

85% match between BGP/RIS & RR

• According to the RIPE Labs article

10

RIPE Database

• Public Internet resources database

• All your objects are already there:- Address space: inetnum & inet6num - AS Number: aut-num- Contact details: person, role, organisation- Strong protection: maintainer (key-cert, irt)

11

Connection between objectsinetnum: 85.118.184.0/21

status: ALLOCATED PAtech-c: LA789-RIPEmnt-lower: LIR-MNTorg: ORG-Bb2-RIPE

mnt-by: LIR-MNTorigin: AS12345route: 85.118.184.0/21

aut-num: AS12345

tech-c: LA789-RIPEmnt-by: LIR-MNTmnt-routes: USER-MNTorg: ORG-Bb2-RIPE

org: ORG-Bb2-RIPE

mnt-by: RIPE-NCC-HM-MNTmnt-ref: RIPE-NCC-HM-MNTmnt-ref: LIR-MNTadmin-c: LA789-RIPE

role: LIR ADMIN

nic-hdl: LA789-RIPEmnt-by: LIR-MNTtech-c: JD1-RIPEtech-c: JM1-RIPEe-mail: noc@provider

person: Jane Doe

nic-hdl: JD1-RIPEmnt-by: LIR-MNTaddress: somewherephone: +31122345678

person: John Malkovich

nic-hdl: JM1-RIPEmnt-by: LIR-MNTaddress: under the bridgephone: +312458765432

mntner: LIR-MNTadmin-c: LA789-RIPEtech-c: LA789-RIPEauth: MD5-PW $nje^6G

RIPE RR is part of the RIPE Database

• route[6] object creation is responsibility of LIR- every time you receive a new allocation, do create a

route or route6 object

• route and route6 objects represent routed prefix- address space being announced by an AS number

- those are two primary keys

• Only the holder of both address space and AS number can authorize creation of route[6] object

13

Exercise 1: Creating a route6 object for your LIR

Authenticating a route6 object for an LIR

status: ALLOCATED-BY-RIRmnt-by: RIPE-NCC-HM-MNTmnt-routes: LIR-MNT

15

inet6num: 2001:db8::/32

origin: AS2mnt-by: LIR-MNT

route6: 2001:db8::/32

aut-num: AS2

mnt-by: LIR-MNT

aut-num: AS2

Exercise: Creating a route6 object

• Task: Create a route6 object - for your allocation prefix- originating from your AS number

- hint: use a password of your LIR’s “maintainer”

• Time: 15 minutes

16

2. Configuring routers based on RR

Benefit of RR: automation of router config

• By creating route objects in RR ISPs enable automated generation of prefix lists

• BGP configuration made easier- with the help of tools

18

Tools for integration of RR & routers

19

Tool (e.g. RtConfig)

Commands in theTemplate/Input File

DB Objects (route[6] &

routing policy)

(partial)router configuration

RtConfig

• RtConfig reads information from the IRR

• Generates parts of the router configuration file- Creates prefix list, route-map and AS path filters

• One of the tools in the IRRToolSet- http://irrtoolset.isc.org/wiki/CruftCleanout

20

More router configuration tools

• rpsltool- a BGP filters generator based on Template::Toolkit- http://www.linux.it/~md/software/

• IRR Power Tool - A collection of tools for the purpose of maintaining

customer and peer BGP prefix-lists - PHP based- http://sourceforge.net/projects/irrpt/

• whois -h filtergen.level3.net RIPE::AS-DEMON

21

Exercise 2: Generate prefix list filter

Exercise: generating prefix list filter

• Task: Use a tool that creates a filter, based on the registered route objects, which allows prefixes of your neighbor

• Time: 15 minutes

23

3. Advanced RIPE DB usage

Finding and changing your objects

• Querying the RIPE Database- Command-line client- Web interface- Free text search (Glimpse)

- & http://lab.db.ripe.net/portal/free-text/search.htm

• Updating = creating, modifying, deleting- Web, sync, email

25

Protection

26

auth: MD5-PW $1$o93Ux nic-hdl: JS1-RIPE

mnt-by: LIR-MNT

person: John Smithmntner: LIR-MNT

password: Clear_Text

Strong authentication

• Password (MD5-PW)

• Private key / public key- PGPKEY-<id> and key-cert object- X.509-<id> and key-cert object

27

Protection

28

auth: MD5-PW $1$o93Ux nic-hdl: JS1-RIPE

mnt-by: LIR-MNT

person: John Smithmntner: LIR-MNT

status: ASSIGNED PAmnt-by: LIR-MNT

mnt-by: LIR-MNT

aut-num: AS2

inetnum: 85.118.184.0/24

Multiple protection

29

auth: MD5-PW $1$o93UxRauth: PGPKEY-AE6FBBF7

nic-hdl: JS1-RIPE

mnt-by: ONE-MNTmnt-by: TWO-MNT

person: John Smith

auth: MD5-PW $1$3SG9WP

mntner: ONE-MNT

mntner: TWO-MNT

key-cert: PGPKEY-AE6FBBF7

Hierarchical authorisation

30

status: ALLOCATED PAmnt-routes: LIR-MNTmnt-lower: LIR-MNTmnt-by: RIPE-NCC-HM-MNT

inetnum: 85.118.184.0/21

origin: AS2mnt-by: LIR-MNT

route: 85.118.184.0/21

/21 Allocation

/21 Routed prefix

mnt-routes: LIR-MNTmnt-lower: LIR-MNTmnt-by: LIR-MNTmnt-by: RIPE-NCC-HM-MNT

aut-num: AS1

Route object creation authentication inetnum: 85.118.184.0/23

status: ASSIGNED PImnt-by: ISP-MNT

mnt-by: USER-MNTorigin: AS12345route: 85.118.184.0/23

aut-num: AS12345mnt-by: LIR1-MNTmnt-by: RIPE-NCC-HM-MNT

21

3

• In the worst case - 3 passwords or signatures needed

Exercise 3: Creating maintainer for PI End User

Route object for an PI End User

inetnum: 85.118.184.0/25

status: ASSIGNED PImnt-by: LIR-MNTmnt-by: USER-MNT

mnt-by: USER-MNTmnt-by: LIR-MNT

origin: AS12345route: 85.118.184.0/25

aut-num: AS12345mnt-by: LIR-MNTmnt-by: RIPE-NCC-HM-MNTmnt-routes: USER-MNT

21

3

Exercise: Hierarchical DB protection

• You have an End User that uses PI space- They want to announce it with your (LIR’s) AS number

• Task 1: Create a mntner object for End-User

• Task 2: Add End User maintaner to PI object

• Task 3: Create route object for PI End User

• Time: 30 minutes

34

4. Routing Policy Specification Language

RPSL

• Abstract- Not vendor specific

• Global view, not router specific

• Well known: described in RFCs- RFC2622, RFC2725, RFC4012, RFC5943- Using RPSL in Practice (RFC2650)

• Tools available- for translating from RPSL into router configuration - for automated generation of router configuration files

36

Policy expressions

• Aut-num- Lists neighbors (in import / export lines)- Defines filter rules for each neighbour- Defines route parameters modifications per prefix

• Route object- Represents address range originating by ASN

• Set objects- Grouping objects with similar policy / usage

37

Controlling outbound traffic

• import line determines outbound traffic- you decide which routes to accept (filter)

• RPSL pref different from local pref- lower “pref” = more preferred- higher “local pref” = more preferred

import: from AS3

action pref=20;

accept ANY

import: from AS4

action pref=30;

accept ANY

38

• export line determines inbound traffic- you have less control- you can make certain paths less interesting- choose, then put filters in AS path prepending

aut-num: AS1

export: to AS3

announce AS1

export: to AS4

action aspath.prepend (AS1, AS1, AS1);

announce AS1

Controlling inbound traffic

39

Building an aut-num object - one example

40

aut-num: AS2 aut-num: AS1 aut-num: AS3

AS1

AS2 AS3

Internet

import: from AS1 accept AS1 export: to AS2

import: from AS3

accept ANY

import: from AS2

accept AS2

export: to AS3 announce AS1

export: to AS1 announce ANY

import: from AS1 accept AS1

announce AS1

export: to AS1 announce AS2

An aut-num object - second example

41

aut-num: AS4 aut-num: AS1 aut-num: AS3

AS1

AS4 AS3

Internet

import: from AS1 accept AS1 export: to AS4

action aspath.prepend (AS1, AS1);

announce AS1

import: from AS3

accept ANY

export: to AS3 announce AS1

import: from AS4

accept ANY

export: to AS1 announce ANY

import: from AS1 accept AS1

announce AS1

export: to AS1 announce ANY

action pref=80;

action pref=90;

Filtering rules (AS1)

• Direct peering, without route objects

• Accepting prefixes that originate from customer

• No filtering - from upstream - full routing table

• Symmetrical policy of your peer: AS2

42

import: from AS2 accept {10.2.3.0/24}

export: to AS2 announce {172.0.0.0/24}

import: from AS5 accept AS5

import: from AS3 accept ANY

aut-num: AS2

import: from AS1 accept {172.0.0.0/24}

export: to AS1 announce {10.2.3.0/24}

Prefix:

Aut-num object:

RPSLng: IPv6 in the Routing Registry

43

aut-num: AS65550mp-import: afi ipv6.unicast from AS64496 accept ANY

mp-export: afi ipv6.unicast to AS64496 announce AS65550

route6: 2001:db8::/32origin: AS65550

Exercise 4: Creating multihomed policy in aut-num

Exercise: Adding policy to aut-num object

45

ASy0y

ASnn

ASx0x

• Task:- Create RPSL policy reflecting one scenario- Put this policy in your aut-num object

• Time: 30 mins

Multihoming scenarios

• Scenario A (IPv4)- AS101 is your

upstream provider- AS202 is private peer

• Scenario B (IPv6)- AS303 is your

preferred upstream provider

- AS404 is your backup upstream provider

• Scenario C (IPv4)- AS505 is your

upstream provider- AS606 is your PI

customer

• Scenario D (IPv6) - AS707 is your

upstream provider- AS808 is your PI

customer

46

Exercise 5: Generating router configuration

Automation of router config

• Describing routing policy in aut-num enables generation of route-maps for policy routing

• Tools can read your policy towards peers- translation from RPSL to router configuration

commands

• Tools collect the data your peers have in RR- if their data changes, you only have to periodically run

your scripts to collect updates

48

Example of dynamic automated updates

49

RtConfig

@Rtconfig: import AS1 10.0.0.1 AS2 10.0.0.2

aut-num: AS2 import: from AS1 accept AS1

pl100: accept 10.0.0.0/23

deny 0.0.0.0/0routeMap: import pl100 in

route: 10.0.0.0/23origin: AS1

route: 10.0.20.0/20origin: AS1

accept: 10.0.20.0/20

Example RtConfig commands template file

syntax: @RtConfig export MyAS MyRouterIP PeerAS PeerRouterIPFirst %d replaced by peer’s ASN, Second %d incremented

!

! Peering with OTHERCOMPANY

@RtConfig set cisco_map_name = "AS%d-IMPORT-%d"

@RtConfig import AS100 10.0.0.1 AS909 10.0.0.9

!

@RtConfig set cisco_map_name = "AS%d-EXPORT-%d"

@RtConfig export AS100 10.0.0.1 AS909 10.0.0.9

50

Example Route Map (output)no ip prefix-list pl100ip prefix-list pl100 permit 193.99.0.0/16ip prefix-list pl100 deny 0.0.0.0/0 le 32!no route-map AS909-IMPORT-1!route-map AS909-IMPORT-1 permit 1 match ip address prefix-list pl100exit!router bgp 100! neighbor 10.0.0.9 remote-as 909 neighbor 10.0.0.9 route-map AS909-IMPORT-1 in!exit

51

Exercise: Generating router configuration

• Tasks:- Create RtConfig template file- Run RtConfig with this template file

• Time: 15 minutes

52

5. Advanced RPSL policy options

AS-path filters AS-setsMEDsRoute-setsCommunities

Using AS-path filters

• To create AS-path filters, use regular expressions in the filter rules in aut-num

• Examples:- paths starting with AS4import: from AS4 accept <^AS4>

- prefixes are originated in AS4; and- have paths composed of only AS4'simport: from AS4 accept <^AS4+$>

54

Using AS-set to group your customersas-set: AS4:AS-CUSTOMERS

members: AS7, AS5, AS8

aut-num: AS4

export: to AS3 announce AS4 AS4:AS-customers

export: to AS4:AS-CUSTOMERS announce ANY

import: from AS4:AS-CUSTOMERS accept PeerAS

• PeerAS means: - from AS5 accept AS5- from AS7 accept AS7- from AS8 accept AS8

55

Using other’s as-set (& with AS-path filters)as-set: AS4:AS-CUSTOMERSmembers: AS7, AS5, AS8

aut-num: AS3import: from AS4 accept AS4 import: from AS4 accept <^AS4+ AS4:AS-CUSTOMERS*$> export: to AS4 announce AS3

56

AS4AS3AS7

AS5

AS8

Example of MED & route-sets

export: to AS4

10.0.0.4 at 10.0.0.1

action med=1000; announce AS1:rs-france

export: to AS4

10.0.0.5 at 10.0.0.2

action med=2000; announce AS1:rs-spain

57

Communities

• Communities let you influence traffic engineering of ISPs two hops away from you

• Example: information communities:- Europe - 3356:2 ; Dublin - 3356:2080; 3356:123 - Customer

• Action communities:- Prepend 5400 to Google - 5400:2054 - Set the local pref to 50 - 1299:50- Do not announce to KPN - 1299:2869- Don't announce outside local POP - 2764:2- Prepend 3 times to Ams-IX peers - 8918:3068

58

Applied communities

AS9

Telia

AS1299

AS3

AS4

AS6

AS5

AS7

Google

BT

AS5400

Ams-IX

KPN

• To set/append a community:import: from AS6 action community = { 1:111 };

accept AS6

import: from AS2 action community.append(1:75);

accept AS2

• Filtering:import: from AS2

accept AS2 AND community.contains (2:1)

export: to AS3

announce AS3:AS-CUST AND

community == {1:111};

Actions: Communities

60

Remote-triggered black-hole

• If your network is under DDoS attack• Advertise the host or prefix with special

community value - (CW: 3561:666, MCI: 701:999, 3356:9999, etc)

• All the traffic for that prefix will be NULL routed

export: to AS3561

action community = {3561:666};

announce {10.10.10.10/32} # host prefix

61

6. Resource Certification

Digital Resource Certificates

• Based on open IETF standards (sidr)

• Issued by the RIRs

• The certificate states that an Internet number resource has been registered by the RIPE NCC

• The certificate does not give any indication of the identity of the holder

• All further information on the resource can be found in the registry

63

• Proof of holdership

• Secure Inter-Domain Routing- Route Origin Authorisation

• Resource transfers

• Validation is the added value!

What Certification offers

64

The system

• Accessible through the LIR Portal

• Administrator grants access to users

http://www.ripe.net/certification/enable.html

65

Proof of holdership

66

• Public Key

• Resources

• Signature

• IP Prefixes

• AS Number

• Signature

Route Origin Authorisation (ROA)

67

ROA creation demo

Software Validation of certificates and ROAs

• Validators access publically accessible repository

• Three software tools available1. RIPE NCC Validator

- Easy to set-up and use, limited feature set2. rcynic3. BBN Relying Party Software

- Complex set-up, but more options and felixibility

http://ripe.net/certification/validation

69

Hardware Validation: RPKI-RTR protocol

70

validatedcache

RPKI RTR PROTOCOL

BGPDecisionProcess

route-map validity-0

match rpki-invalid

drop

route-map validity-1

match rpki-not-found

set localpref 50

// valid defaults to 100

Who Controls Routing?

71

• Certificates do not create additional powers for the Regional Internet Registries

• Certificates reflect the resource registration status- no registration → no certificate- the reverse is not true!

• Routing decisions are made by network operators!

The road ahead

• Web-based validator

• Up / Down protocol- Run your own Certificate Authority- Allow PI holders to manage ROAs- Transfers between RIRs: ERX space

• ROA import tool- Use combination of IRR + BGP + Human

• More information: http://ripe.net/certification

• Mailing list: certtest@ripe.net

72

Serving ROAs as route[6] objects

73

RPKI-IRR• whois –h whois-rpki-irr.db.ripe.net –T route 85.118.184.0/21

• route: 85.118.184.0/21descr: rsync://certrepo.ripe.net/[..]bNak.roaorigin: AS33764remarks: 85.118.184.0/21-24mnt-by: RPKI-MNTsource: RPKI # ripe

http://labs.ripe.net/Members/Paul_P_/content-serving-roas-rpsl-route-objects

74

7. Other routing-related services

Getting an AS number

• Multihoming criteria- checked after 3 monhts

• Contractual agreement- optional: transfer from one LIR to another

• Payment for independent resource

76

RIS: Looking-glass with History

• Database with information about prefixes

• With history- 3 months online- more is available

• Route Collectors at several IXPs- more then 600 peers

• Similar to routeviews.org

http://www.ripe.net/ris/

77

RIS Tools

• Visualization of routing updates seen by RIS

• IS Alarms- includes MyASN alarm type for notifications on rogue

announcements of your address space

• ASInUse / PrefixInUse- Last appearance of ASN / prefix in global routing table

• Looking Glass (also for IPv6)

• whois -h riswhois.ripe.net <prefix>

• NetSense.ripe.net (beta)

78

“Routing Registry Consistency Check”

http://www.ripe.net/rrcc/

• Compares RR & RIS

• Gives you the lists of - missing prefixes in RR - missing prefixes in RIS- missing peers in RR- missing peers in RIS

• Allows you to correct your policy- or BGP routing

79

RIPE Global Resource Service (GRS)

• New method of mirroring other RRs

• Fully synchronised with the authoritative sources

• Translated and adjusted:- Adding missing mandatory attributes- Wrapping unrecognised attributes with "remarks"- Creating dummy objects for missing data to keep referential integrity- Converting attribute values- All these transformations are marked by "End Of Line" comments in the objects

• RADb, APNIC and ARIN available in the new format- whois -h whois.ripe.net -q sources

• Now with new API: http://lab.db.ripe.net/portal/search.htm

80

- Project REX

Has your new address space ever been:- used- announced by another AS- put in a blacklist- delegated for reverse DNS

Have your current resources been used by others?

We'll tell you with REX, the Resource Explainer

http://rex.ripe.net81

IPv6 Ripeness - rating of ISPs (LIRs)

★ Address space

★ Routing security(route6 object in

RIPE Database)

★ Reverse DNS

★ Routed on Internet(visible in RIS)

82

http://ipv6ripeness.ripe.net

Homework

• Create route & route6 objects for your allocations- if you have all 4 “ripeness” stars you get a T-shirt :)

• Subscribe to RIPE routing-wg mailing list• Subscribe to irrtools@isc.org list • Try out REX & RIS • Practice all this at home in the “Test Database”

- all RRTEST objects also in there!! (source TEST)

• Download, install, use RtConfig• Check your RR Consistency • Create certificates & ROA for your prefixes

83

Fin

Ende

KpajKonec

Son

Fine

Pabaiga

Einde

Fim

Finis

Koniec

Lõpp

Kрай

SfârşitКонeц

KrajVége

Kiнець

Slutt

Loppu

Τέλος

Y Diwedd

Amaia Tmiem

Соңы

Endir

Slut

Liðugt

An Críoch

Fund

הסוף

Fí

ËnnFinvezh

The End!

Beigas