welcome! apnic members training course internet resource management ii 28 april 2004, melbourne
Post on 19-Dec-2015
218 views
TRANSCRIPT
Welcome!APNIC Members Training Course
Internet Resource Management II
28 April 2004, Melbourne
Introduction
• Presenters
– Champika Wijayatunga• Senior Training Specialist
– Nurani Nimpuno• Training Development Officer
– Tim Jones• Internet Resources Analyst
Assumptions & Objectives
Assumptions• Are current or prospective
APNIC member
• Have a good understanding of networking fundamentals
• Have attended the IRM-1 course
Objectives• Provide additional guidance
to resource holders
• Keep membership up-to-date with latest policies
• Discuss advanced aspects of Internet Resource Management
• Liaise with members Faces behind the e-
mails
Schedule
• Policy guidelines – Additional tips & recommendations
• Adv db queries & role object– Advanced queries in the whois– Using role objects to manage
contacts• Adv DB protection
– How to use secure auth methodsTEA BREAK 10.30-11.00
• IRR– Introduction to the Internet Routing
Registry• Spam & Hacking
– Best Current Practices
LUNCH 12.30-13.30
• DNS– Introduction DNS
• IPv6– Overview of the “next generation”
protocol
TEA BREAK 15.00 - 15.30
• IPv6 DNS– IPv6 representation in the DNS
• Summary and discussion
Policy guidelines
Additional guidelines and tips recommendations
RIR policy objectives – Recap!
Conservation• Efficient use of resources
• Based on demonstrated need
Aggregation• Limit routing table growth
• Support provider-based routing
Registration• Ensure uniqueness
• Facilitate trouble shooting
General assignment guidelines
• Static & Dynamic– Transient connections (dial-up)
• dynamic recommended
– Permanent connections • static assignments ok (1:1 contention ratio)
– (dynamic encouraged)
• IP unnumbered– Encouraged when possible
• Helps conserving IP addresses– statically routed, single-homed customer connections
(no BGP)
http://www.apnic.net/info/faq/ip_unnumb.html
RFC1814
Private address space & NAT
• Private address space– Not necessary to request from the RIRs
• Strongly recommended when no Internet connectivity
– 10/8, 172.16/12, 192.168/16
• Network Address Translation (NAT)– Use entirely up to individual organisation
• Considerations: – breaks end-to-end model, increases
complexity, makes troubleshooting more difficult, introduces single point of failure
RFC2993
RFC1631
RFC1918
Sub-allocations
• No max or min size– Max 1 year requirement
• Assignment Window & 2nd Opinion applies – to both sub-allocation & assignments
• Sub-allocation holders don’t need to send in 2nd opinions
Sub-allocation
/22
/24
/20Member Allocation
Customer Assignments
/25/26/27 /26Customer Assignments
Sub-allocation guidelines
• Sub-allocate cautiously– Seek APNIC advice if in doubt– If customer requirements meet min allocation criteria:
• Customers should approach APNIC for portable allocation
• Efficient assignments– LIRs responsible for overall utilisation
• Sub-allocation holders need to make efficient assignments
• Database registration– Sub-allocations & assignments to be registered in the db
GPRS guidelines
• Infrastructure• Agreed to use public addresses to support roaming
and use private addresses where possible• Business as usual for RIRs
• Mobile phones• Draft document prepared by GSM Association• Recommends using private addresses where
possible
http://www.gsmworld.com/technology/gprs/guidelines.shtml
Portable critical infrastructure assignments
• What is Critical Internet Infrastructure?– Domain registry infrastructure
• Root DNS operators, gTLD & ccTLD operators
– Address Registry Infrastructure • RIRs & NIRs, IANA
• Why a specific policy ? • Protect stability of core Internet function
• Assignment sizes:– IPv4: /24 – IPv6: /32
Renumbering & return policy
• Renumbering?• one-for-one exchange to assist renumbering• needs confirmation from upstream ISP to confirm
renumbering will take place
• ‘No Questions Asked’ return prefix policy• swap 3 or more discontiguous prefixes (ISP or
customers) for single prefix, no charge
– ftp://ftp.apnic.net/apnic/docs/no-questions-policy
– Form for returning addresses– ftp://ftp.apnic.net/apnic/docs/address-return-request
APNIC17 policy update
• 17th APNIC Open Policy meeting took place the 25th – 27nd February 2004, Kuala Lumpur, Malaysia
• IPv4 minimum allocation size – Consensus to lower the minimum
allocation to /21 with lower eligibility criteria:
– immediate need of /23 and – a detailed plan for /22 in a year
consensus
APNIC17 policy update
• IPv6 allocation to closed network – To allow IPv6 allocations to closed networks, if
the other eligibility criteria are met
• IPv6 allocations to v4 networks – To allow IPv4 infrastructure to be explicitly
considered during IPv6 request process – The proposal was amended slightly to add a
requirement for LIRs to have plan to move some of their customers from IPv4 to within two years
consensus
consensus
APNIC17 policy update
• Recovery of address space – To recover unused historical IPv4
addresses in the AP region.
• IPv6 Guidelines document – An informational document to assist with
understanding the IPv6 request process. The APNIC Secretariat will edit the document and publish it on the sig-policy mailing list for comments
consensus
consensus
APNIC17 policy update
• Protecting historical resource records in the APNIC Whois Database – To protect historical resource objects
(inetnum and aut-num) in the APNIC Whois Database, in order to prevent unverified transfer of resources.
– Existing custodians that wish to maintain records should sign a formal agreement with APNIC and pay service fees (capped at US$100)
consensus
Questions ?
Material available at: www.apnic.net/training/recent/
Advanced Database
Advanced queries & role objects
Basic database query – Recap!
• Unix – whois –h whois.apnic.net <lookup key>
• Example:
whois –h whois.apnic.net HM20-AP
whois –h whois.apnic.net 202.12.29/24
• Web interface– http://www.apnic.net/apnic-bin/whois2.pl
• Also capable of performing advanced queries
Advanced database queries
– Flags used for inetnum queries
None find exact match
- l find one level less specific matches
- L find all less specific matches
- m find first level more specific matches
- M find all More specific matches
- x find exact match (if no match, nothing)
- d enables use of flags for reverse domains
- r turn off recursive lookups
inetnum: 202.64.0.0 – 202.64.15.255
202.64.0.0/20
inetnum:
202.0.0.0 – 202.255.255.255
202.0.0.0/8
Database query - inetnum
202.64.12.128/25
inetnum:
whois -L 202.64.0.0 /20
whois 202.64.0.0 /20
whois –m 202.64.0.0 /20 inetnum:
202.64.15.192/26
inetnum:
202.64.10.0/24More specific (= smaller blocks)
Less specific (= bigger block)
inetnum: 202.64.0.0/20
inetnum:
202.0.0.0 – 202.255.255.255
202.0.0.0/8
Database query - inetnum
whois -L 202.64.0.0 /20(all less specific)
whois 202.64.0.0 /20
whois –m 202.64.0.0 /20(1 level more specific)
inetnum:202.64.10.0/24
inetnum:
202.64.10.192/26
inetnum:whois -l 202.64.0.0 /20(1 level less specific)
whois –M 202.64.0.0 /20(all more specific)
202.64.0.0/16
‘-M’ will find all assignments in a range in the database
inetnum: 202.64.10.0 - 202.64.10.255netname: SILNET-APdescr: Satyam Infoway Pvt.Ltd.,.....inetnum: 202.64.12.128 - 202.64.12.255netname: SOFTCOMNETdescr: SOFTCOM LAN (Internet)IP......inetnum: 202.64.15.192 – 202.64.15.255descr: SILNETdescr: Satyam Infoway's Chennai LAN.....
% whois -M 202.64.0.0/20
Database query - inetnum
IP address queries
• -x<ip-lookup>– Only an exact match on a prefix
• If no exact match is found, no objects are returned
• whois -x [IP range]
• -d <ip-lookup>– Enables use of the "-m", "-M", "-l" and “-
L" flags for lookups on reverse delegation domains.
Recursive lookups
• whois 202.12.29.0
– whois -r 202.12.29.0
– whois -T inetnum 202.12.29.0
– whois -r -T inetnum 202.12.29.0
personinetnum route
inetnum route person
personinetnum
inetnum
recursion enabled by default
recursion turned off
‘type’ of object specified
‘type’ of object specified & recursion turned off
, &
&
&
DB query
Recursion is enabled by default
% whois 203.113.0.0/19 inetnum: 203.113.0.0 - 203.113.31.255netname: TOTNET-APdescr: Telephone Organization of THAILAND(TOT)descr: Telephone and IP Network Service Providerdescr: State Enterprise Thailand Governmentcountry: THadmin-c: NM18-APtech-c: RC80-AP…….person: Nopparat Maythaveekulchaiaddress: YTEL-1234 Office address: Telephone Organization of THAILAND(TOT)
person: Rungsun Channarukuladdress: YTEL-1234 OfficePaddress: Telephone Organization of THAILAND(TOT)
…….
Database query - recursion
Turn off recursion ‘-r’ no nic-handle lookup
% whois -r 203.113.0.0/19
inetnum: 203.113.0.0 - 203.113.31.255netname: TOTNET-APdescr: Telephone Organization of THAILAND(TOT)descr: Telephone and IP Network Service Providerdescr: State Enterprise Thailand Governmentcountry: THadmin-c: NM18-APtech-c: RC80-APmnt-by: APNIC-HMmnt-lower: MAINT-TH-SS163-APchanged: [email protected] 19990922source: APNIC
Database query – no recursion
Inverse queries
• Inverse queries are performed on inverse keys
• See object template (whois –t)
• Returns all objects that reference the object with the key specified as a query argument
• Practical when searching for objects in which a particular value is referenced, such as your nic-hdl
• Syntax: whois -i <attribute> <value>
Inverse queries - examples
• What objects are referencing my nic-hdl?– whois -ipn KX17-AP
• In what objects am I registered as tech-c?– whois –i tech-c KX17-AP
• Return all domain objects where I am registered as admin-c, tech-c or zone-c– whois -i admin-c,tech-c,zone-c -T domain KX17-AP
• What objects are protected by my maintainer?– whois -i mnt-by MAINT-WF-EX
no space!
DB query
Database query - inverse
inetnum: 202.101.128.0 - 202.101.159.255netname: CHINANET-FJdescr: chinanet fujian province networkcountry: CNadmin-c: DK26-AP……domain: 128.103.202.in-addr.arpadescr: in-addr.arpa zone for 128.103.202.in-addr.arpaadmin-c: DK26-AP…….aut-num: AS4811as-name: CHINANET-CORE-WAN-EASTdescr: CHINANET core WAN EASTdescr: connect to AT&T,OPTUScountry: CNadmin-c: DK26-AP……person: Dongmei Kouaddress: A12,Xin-Jie-Kou-Wai Street,address: Beijing,100088country: CNphone: +86-10-62370437nic-hdl: DK26-AP
% whois -i person DK26-AP
Inverse lookup with ‘-i ‘
DB query
Role object
• Represents a group of contact persons for an organisation– Eases administration– Can be referenced in other objects instead of
the person objects for individuals
• Also has a nic-hdl• Eg. HM20-AP
http://www.apnic.net/db/role.html
Role object - example
– Contains contact info for several contacts
role: address:country:phone:phone:fax-no:fax-no:e-mail:admin-c:tech-c:tech-c:nic-hdl:mnt-by:source:
OPTUS IP ADMINISTRATORS 101 Miller Street North SydneyAU+61-2-93427681+61-2-93420813+61-2-9342-0998+61-2-9342-6122noc@optus.net.auNC8-APNC8-APSC120-APOA3-APMAINT-OPTUSCOM-AP APNIC
ValuesAttributes
Creating a role object
• Email– Whois –t role
• Gives role object template
– Complete all fields• With the nic-hdls of all contacts in your
organisation
– Send to
Replacing contacts in the db- using person objects
inetnum:202.0.10.0…
KX17-AP
person:…
KX17-AP
inetnum:202.0.15.192…
KX17-AP
inetnum:202.0.12.127…
KX17-AP
person:…
ZU3-AP
K. Xander is leaving my organisation. Z. Ulrich is replacing him.
ZU3-AP
ZU3-AP
ZU3-AP1. Create a person object for new contact (Z. Ulrich).
2. Find all objects containing old contact (K. Xander).
3. Update all objects, replacing old contact (KX17-AP) with new contact (ZU3-AP).
4. Delete old contact’s (KX17-AP) person object.
Replacing contacts in the db– using a role object
inetnum:202.0.10.0…EIPA91-AP
person:…KX17-AP
inetnum:202.0.15.192…EIPA91-AP
inetnum:202.0.12.127…EIPA91-AP
K. Xander is leaving my organisation. Z. Ulrich is replacing him.
I am using a role object containing all contact persons, which is referenced in all my objects.
1. Create a person object for new contact (Z. Ulrich).
2. Replace old contact (KX17-AP) with new contact (ZU3-AP) in role object
3. Delete old contact’s person object.
role:
…
EIPA-91-AP
KX17-APAB1-APCD2-AP
ZU3-AP
person:…ZU3-AP
No need to update any other objects!
role: SparkyNet Staff ...nic-hdl: AUTO-#initials
AUTO-1SN
Tip – Choosing your nic-hdl
• Automatic generation of nic-hdls
• Specifying initials in your nic-hdl
person: Ky Xander...nic-hdl: AUTO-1
KX17-AP
SN123-AP
Summary
• Use role objects for all your contacts• Easier to administer your contacts • Keep the role object up-to-date
• Use –M on your allocation – to check all assignments
• Check consistency• Check utilisation
• Use the query reference card!
DB admin
Questions ?
Material available at: www.apnic.net/training/recent/
Database authentication
PGP, CRYPT-PW and MD5
Authentication methods
• CRYPT-PW– Can be cracked, simple to use
• PGP– Considered secure
• MD5 – Considered secure and very simple to
use
CRYPT-PW
• Use webform
APNIC Maintainer Object Request
Maintainer using CRYPT-PW
mntner: MAINT-WF-SPARKYNETdescr: Sparkynet ISPauth: CRYPT-PW aptHONzHrLHzQadmin-c: KX17-aptech-c: ZU3-APcountry: WFmnt-nfy: [email protected]: [email protected] 20030701mnt-by: MAINT-WF-SPARKYNETreferral-by: APNIC-HMsource: APNIC
Using PGP in the APNIC DB
1. Create a PGP key
2. Register public key in Database• Create key-cert object
3. Insert name of PGP key object in mntner ‘auth’ attribute
Outlook GnuPG plugin
• Download from – http://www3.gdata.de/gpg/download.html
• Install and follow the instructions
1. Public key created
-----BEGIN PGP PUBLIC KEY BLOCK-----Version: GnuPG v1.0.4e (MingW32)Comment: For info see http://www.gnupg.org
mQGiBD5BwbgRBACxLMukZVrtyLrso3EZ1nPWSUPilfn9aVWoJqDjRUoLaJ0gZ1tkk+DjEvuBE3tSmoCDhypvBQl886dRwtpCm45e90iwYfyalJ51e5ymmUfTa7w4OqSgD9YYO7/TDurQA3ezksBsyV5HWBoliamjLtT+mPFNYZTz+fZIii3JMD69nwCg+IzIUhTDj5lh8SKJLo3yaeU5yPMD/1H9dP3bicXq53FSuOCQhRDkgFZaf86k0UQImWnqpJIh4tKhecAvCaomU3zmTtpMECBIR3bJOvMQl2BsStNE/nt7A/2HYX9ek4ztBJj0F2/NPyyf0I2dmiVhdJaZilM7qS4hWEsjPxFJd1IV61eVJch14gWb61cp0yALlFtz30UjA/4tevEOBnf/cvvENb+veRGOSKjEj08Ohfxnd7KKA1D1nlqCHGWHFQLnCD0nA/3dYQHcxJypL09MFrKgVtjDun6QD9B4pO54LU9VyjKspBW/uFH18PYu7Ie0nuUoms2M7gvSdkIH5OiE26tLpSvwmi/U/GSOfG6YtJqn7RbHWrO/pbQkQXJ0aCBQYXVsaXRlIChAcnRoKSA8YXJ0aEBhcG5pYy5uZXQ+iFcEExECABcFAj5Bw5kFCwcKAwQDFQMCAxYCAQIXgAAKCRBFfeEvVCI2Iq7RAKCijMpB8eMcGB6b51kDaM8Cz7iBewCgyRNLMcERSSLoyB49mfKxlm0g4xS5AQ0EPkHBuxAEALTT6YLX8x86ZwTQx+aSwqbvQHPlqfPqzrZp9u82OPH/PnHUvDsmyS/TEzVzmAPF4LbJxSFYH/Rt4XVwZCSpAbDua661fLUuTiBN5fcwPIDSQYr3Lwh8YRkK23wEyxYpyoqjZQyJJaWaOMPnDpM3BeONdMmRSlWtHdfDjTIwdaCnAAMFA/0c59wwF9FuVSs6oARYbdyE6Aum1ITXG12UsDUv1r5TniR1y/xOmOZ6CQk5eNPHvIwi0Ohnqm9Sgl2o4mHq32vikVOvrhZq5IfLGMhGUQMO9nDeA3DjLVtS1laStUkC6UoizbQxsdrUQDgm3Oha6FhfGCYZ9cxPkIU+ZLXopifMEohGBBgRAgAGBQI+QcG7AAoJEEV94S9UIjYiyl8AoKSLnWlwZhXjWtgJlX4IGpurqs3tAKDLH27XqiFdnswcd4HILPCr4eTb4g===rUbp-----END PGP PUBLIC KEY BLOCK-----
2. Register public key
key-cert: [mandatory] - 8 digit PGP key ID without "0x" prefixmethod: [generated] - System generatedowner: [generated] - System generatedfingerpr: [generated] - System generated certif: [mandatory] - exported public key in armored ASCIIremarks: [optional] - same meaning with other objectnotify: [optional] - same meaning with other objectmnt-by: [mandatory] - same meaning with other objectchanged: [mandatory] - same meaning with other objectsource: [mandatory] - same meaning with other object
Putting it all together
Key-cert: PGPKEY-54223622certif: -----BEGIN PGP PUBLIC KEY BLOCK-----certif: Version: GnuPG v1.0.4e (MingW32)certif: Comment: For info see http://www.gnupg.orgcertif: certif: mQGiBD5BwbgRBACxLMukZVrtyLrso3EZ1nPWSUPilfn9aVWoJqDjRUoLaJ0gZ1tkcertif: k+DjEvuBE3tSmoCDhypvBQl886dRwtpCm45e90iwYfyalJ51e5ymmUfTa7w4OqSgcertif: D9YYO7/TDurQA3ezksBsyV5HWBoliamjLtT+mPFNYZTz+fZIii3JMD69nwCg+IzIcertif: UhTDj5lh8SKJLo3yaeU5yPMD/1H9dP3bicXq53FSuOCQhRDkgFZaf86k0UQImWnqcertif: pJIh4tKhecAvCaomU3zmTtpMECBIR3bJOvMQl2BsStNE/nt7A/2HYX9ek4ztBJj0certif: F2/NPyyf0I2dmiVhdJaZilM7qS4hWEsjPxFJd1IV61eVJch14gWb61cp0yALlFtzcertif: QHPlqfPqzrZp9u82OPH/PnHUvDsmyS/TEzVzmAPF4LbJxSFYH/Rt4XVwZCSpAbDucertif: a661fLUuTiBN5fcwPIDSQYr3Lwh8YRkK23wEyxYpyoqjZQyJJaWaOMPnDpM3BeONcertif: dMmRSlWtHdfDjTIwdaCnAAMFA/0c59wwF9FuVSs6oARYbdyE6Aum1ITXG12UsDUvcertif: Gpurqs3tAKDLH27XqiFdnswcd4HILPCr4eTb4g==certif: =rUbp
certif: -----END PGP PUBLIC KEY BLOCK-----remarks: Mydigital IDnotify: [email protected]: MAINT-AU-BLUETOOTHchanged: [email protected] 20030206source: APNICPassword: my-crypt-password
Send template to <[email protected]>
Key-cert object in APNIC DB
key-cert: PGPKEY-FEB0C9EDMethod: PGPowner: Ky Xander <[email protected]>fingerpr: A0C2 4EFC 5983 8606 A8AC 0C39 CC44 BEDB FEB0
C9EDcertif: -----BEGIN PGP PUBLIC KEY BLOCK-----certif: PGPfreeware 7.0.3 <http://www.pgp.com>certif: …certif: kRBADZ32LpvNQenzoNdttqJyrVOcA1qYjr/2/inm1Cp2DEFcertif: dsZ/pLA23lqGSgsi5dfbvF5ktZSWUmTxcNqTeaushAHNtIkcertif: …certif: -----END PGP PUBLIC KEY BLOCK-----remarks: Mydigital IDnotify: [email protected]: MAINT-WF-SPARKYNETchanged: [email protected] 20030701source: APNIC
3. Updating the maintainer object
mntner: MAINT-WF-SPARKYNETdescr: Sparkynet ISPauth: CRYPT-PW aptHONzHrLHzQadmin-c: KX17-aptech-c: ZU3-APcountry: WFmnt-nfy: [email protected]: [email protected] 20030701mnt-by: MAINT-WF-SPARKYNETreferral-by: APNIC-HMsource: APNIC
PGPKEY-54223622
Send template to <[email protected]>
MD5 (Available soon)
• Will be the recommended auth method
• Based on the MD5 hash algorithm
• Stronger protection than CRYPT-PW– But just as easy to use!
MD5 – Maintainer Example
mntner: MAINT-AU-BLUETOOTHdescr: Bluetooth Research & Developmentdescr: 22 Gordon St. Milton Queenslanddescr: 4064upd-to: [email protected]: MD5-PW $1$bukxm6Uw$KdvHpHYFqZPzCQsjW/admin-c: ap16-aptech-c: ap16-apcountry: AUmnt-by: MAINT-AU-BLUETOOTHreferral-by: APNIC-HMchanged: [email protected] 20040414source: APNIC
APNIC Internet Routing Registry
• Global Internet Routing Registry database– http://www.irr.net/– Established in 1995 by Merit
• Community driven
– Originally only 5 databases– Now more than 50 worldwide
The Internet Routing Registry
IRR
What is an IRR?
• Both public and private databases– These databases are independent
• but some exchange data• only register your data in one database
• Network operators share information– Provides stability and consistency of
routing– Data may be used by anyone worldwide
to help debug, configure, and engineer Internet routing and addressing
IRR
Internet Routing Registries
RIPE
RADB CW
APNIC Connect
ARIN, ArcStar, FGC, Verio, Bconnex,
Optus, Telstra, ...
IRR = APNIC RR + RIPE DB + RADB + C&W + ARIN + …
IRR
Why use an IRR?
• Globally distributed DB – provides a map of global routing policy
(ASExplorer)
– shows routing policy between any two ASes (prpath)
– allows simulation of routing policy effects – enables creation of aut-num based on
router configuration (aoe)
– enables router configuration (rtconfig)
– provides contact information (whois)
IRR
Overview of IRR functions
• Route filtering– Peering networks– A provider and its customer
• Network troubleshooting– Easier to locate routing problems outside your
network
• Router configuration– By using IRRToolSet
• Global view of routing– A global view of routing policy improves the
integrity of Internet’s routing as a whole.
IRR
APNIC Database & the IRR
• APNIC whois Database– Two databases in one
• Public Network Management Database– “whois” info about networks & contact persons
• IP addresses, AS numbers etc
• Routing Registry – contains routing information
• routing policy, routes, filters, peers etc.
– APNIC RR is part of the global IRR
IRR
Integration of whois and IRR
• Integrated APNIC Whois Database & Internet Routing Registry
APNIC Whois
IRR
IP, ASNs,reverse domains,
contacts,maintainers
etc routes, routingpolicy, filters,
peers etcinetnum, aut-num, domain, person, role, maintainer
route, aut-num, as-set, int-rtr, peering-set etc.Internet resources &
routing information
IRR
RPSL
• Routing Policy Specification Language– Object oriented language
• Based on RIPE-181
– Structured whois objects– Higher level of abstraction than access lists– Developed to describe things interesting to
routing policy
• Relevant RFCs– Routing Policy Specification Language– Routing Policy System Security – Using RPSL in Practice RFC
2650
RFC2725
RFC2622
IRR
The route object
route: 202.0.16/20descr: Sparkynetorigin: AS1mnt-by: MAINT-EXchanged: [email protected]: APNIC
• Represents a route on the Internet– Should be registered by the ISP– This route originates in AS1
IRR
IRR objects
• route – Specifies interAS routes
• aut-num – Represents an AS. Used
to describe external routing policy
• inet-rtr – Represents a router
• peering-set – Defines a set of peerings
• route-set – Defines a set of routes
• as-set – Defines a set of aut-num
objects
• rtr-set – Defines a set of routers
• filter-set – Defines a set of routes that
are matched by its filter
www.apnic.net/db/ref/db-objects.html
IRR
Inter-related IRR objects
inetnum: 202.0.16 - 202.0.31.255 … tech-c: KX17-AP mnt-by: MAINT-EX
aut-num: AS1 …tech-c: KX17-APmnt-by: MAINT-EX
…
route: origin:…mnt-by: MAINT-EX
person: …nic-hdl: KX17-AP…
mntner: MAINT-EX…
202.0.16/20AS1 202.0.16 - 202.0.31.255
AS1
IRR
Inter-related IRR objects
aut-num: AS2…
inetnum:202.0.16.0-202.0.31.255…
aut-num: AS10…
route: 202.0.16/20… origin: AS2…
as-set: AS1:AS-customersmembers: AS10, AS11
route-set: AS2:RS-routesmembers: 218.2/20, 202.0.16/20
route: 218.2/20 …origin: AS2 …
aut-num: AS2…
inetnum:218.2.0.0 - 218.2.15.255…
aut-num: AS11…
, AS2
IRR
‘Set-’ objects and their members
aut-num: AS10…
as-set: AS1:AS-CUSTSmembers: AS10, AS11
aut-num: AS11…
as-set: AS1:AS-PEERSmbrs-by-ref: MAINT-EX
aut-num: AS20member-of: AS1:AS-PEERSmnt-by: MAINT-EX
aut-num: AS21member-of: AS1:AS-PEERSmnt-by: MAINT-EX
members- members specified in the ‘set-’ object
mbrs-by-ref- ‘set’ specified in the member objects
• Two ways of referencing members
1. ‘mbrs-by-ref’ specifies the maintainer of the members.
2. Members reference the ‘set-’ object in the ‘member-of’ attribute
3. Members are maintained by the maintainer specified in the ‘set-’
1. ‘members’ specifies members of the set
2. Members added in the ‘set-’ object3. No need to modify the member
object when adding members
12
1
2
33
IRR
Hierarchical authorisation
• mnt-routes– authenticates creation of route objects
• creation of route objects must pass authentication of mntner referenced in the mnt-routes attribute
– Format:•mnt-routes: <mntner>
In: , and objects
routeaut-numinetnum
IRR
Authorisation mechanism
inetnum: 202.137.181.0 – 202.137.185.255netname: SPARKYNET-WFdescr: SparkyNet Service Provider…mnt-by: MAINT-APNIC-APmnt-lower: MAINT-SPARKYNETmnt-routes: MAINT-SPARKYNET-WF
This object can only be modified by APNIC
Creation of more specific objects (assignments) within this range has to pass the authentication of MAINT-SPARKYNET
Creation of route objects matching/within this range has to pass the authentication of MAINT-SPARKYNET-WF
IRR
Creating route objects
• Multiple authentication checks:– Originating ASN
• mntner in the mnt-routes is checked• If no mnt-routes, mnt-lower is checked• If no mnt-lower, mnt-by is checked
– AND the address space• Exact match & less specific route
– mnt-routes etc
• Exact match & less specific inetnum– mnt-routes etc
– AND the route object mntner itself• The mntner in the mnt-by attribute
aut-num
inetnum
route
(encompassing)
route
IRR
Using the Routing Registry
Routing policy, the IRRToolSet & APNIC RR Benefits
IRR
IRRToolSet
• Set of tools developed for using the Internet Routing Registry– Started as RAToolSet
• Now maintained by RIPE NCC: – http://www.ripe.net/db/irrtoolset/– Download:
ftp://ftp.ripe.net/tools/IRRToolSet/• Installation needs: lex, yacc and C++
compiler
IRR
Use of RPSL - RtConfig
• RtConfig v4 • part of IRRToolSet
• Reads policy from IRR (aut-num, route & -set objects) and generates router configuration– vendor specific:
• Cisco, Bay's BCC, Juniper's Junos and Gated/RSd
– Creates route-map and AS path filters– Can also create ingress / egress filters
• (documentation says Cisco only)
IRR
Why use IRR and RtConfig?
• Benefits of RTConfig– Avoid filter errors (typos)– Expertise encoded in the tools that
generate the policy rather than engineer configuring peering session
– Filters consistent with documented policy• (need to get policy correct though)
– Engineers don't need to understand filter rules
• it just works :-)
IRR
AS3000
10.20.0.0/24
Using RtConfig - case scenario
10.187.65.0/24
Not fully multi-homing
Full BGP routing received fromAS3000
Local routes received from AS4000
AS4000
AS2000
(range received from upstream)(portable address range)
IRR
Using RtConfig – IRR objects
aut-num: AS2000import: from AS3000 accept ANYexport: to AS3000 announce AS2000import: from AS4000 accept AS4000export: to AS4000 announce AS2000[…]
route: 10.20.0.0/24origin: AS2000[…]
RtConfig commands@RtConfig set cisco_map_name = "AS%d-IMPORT"@RtConfig import AS2000 10.20.0.1 AS3000 10.20.0.2!@RtConfig set cisco_map_name = "AS%d-IMPORT"@RtConfig import AS2000 10.20.0.4 AS4000 10.20.0.5!
route: 10.187.65.0/24origin: AS2000[…]
full BGP routing
local routes
IRR
RtConfig output (import)
route-map AS3000-IMPORT permit 1 match ip address prefix-list pl100!router bgp 2000neighbor 10.20.0.2 route-map AS3000-IMPORT in!!no route-map AS4000-IMPORT!route-map AS4000-IMPORT permit 1 match ip address prefix-list pl101!router bgp 2000neighbor 10.4.192.2 route-map AS4000-IMPORT in
RtConfig – web prototype
http://www.ripe.net/cgi-bin/RtConfig.cgi
Source AS & Router
Peer AS & Router
Export / Import
Config format
Cisco prefix-lists
IRR
RtConfig – web output
RTConfigOutput (Bay)
IRR
Using the Routing Registry & RtConfig
Define your routing policy
Enter policy in IRR
Run rtconfig Apply config to routers
routingpolicyIRR
AS1 peer
cust cust
cust
UpstreamUpstream
peer
cust
routingpolicy
router config
no access-list 101access-list 101 permit ip 10.4.200.0 0.0.4.0 255.255.252.0 0.0.0.0access-list 101 permit ip 10.4.208.0 0.0.0.0 255.255.252.0 0.0.0.0access-list 101 permit ip 10.20.0.0 0.0.0.0 255.255.255.0 0.0.0.0access-list 101 permit ip 10.187.65.0 0.0.0.0 255.255.255.0 0.0.0.0access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255!no route-map AS3001-EXPORT!route-map AS3001-EXPORT permit 1 match ip address 101!router bgp 4003neighbor 10.3.15.4 route-map AS3001-EXPORT out
IRRrtconfig
router config
no access-list 101access-list 101 permit ip 10.4.200.0 0.0.4.0 255.255.252.0 0.0.0.0access-list 101 permit ip 10.4.208.0 0.0.0.0 255.255.252.0 0.0.0.0access-list 101 permit ip 10.20.0.0 0.0.0.0 255.255.255.0 0.0.0.0access-list 101 permit ip 10.187.65.0 0.0.0.0 255.255.255.0 0.0.0.0access-list 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255!no route-map AS3001-EXPORT!route-map AS3001-EXPORT permit 1 match ip address 101!router bgp 4003neighbor 10.3.15.4 route-map AS3001-EXPORT out
Disadvantages• Requires some
initial planning• Takes some time to
define & register policy
• Need to maintain data in RR
Advantages• You have a clear
idea of your routing policy
• Consistent config over the whole network
• Less manual maintenance in the long run
IRR
The rest of the IRRToolSet
• peval– (Lightweight) policy evaluation tool
• prtraceroute– Prints the route packets take - including policy
information (as registered in RR)
• aoe (aut-num object editor)– Displays the aut-num object for the specified AS
• roe– Creates the “route” object (based on BGP dump
and routes in aut-num objects)
IRR
The rest of the IRRToolSet
• prpath– enumerates possible paths between two
ASes
• CIDRAdvisor– suggests safe aggregates per AS
• rpslcheck– syntax checks objects for IRR
IRR
Benefits of APNIC RR
• Single maintainer – Use same mntner to manage
• internet resources• reverse DNS• routing policy• contact info • etc
aut-num:…mnt-by: MAINT-EX
inetnum:…mnt-by: MAINT-EX
route:…mnt-by: MAINT-EX
domain:…mnt-by: MAINT-EXmntner:
MAINT-EX…
person:…mnt-by: MAINT-EX
(Single person object can also be used)
IRR
Benefits of APNIC RR
inetnum: 221.0.0.0 - 221.3.127.255netname: CNCGROUP-SDdescr: CNCGROUP Shandong province networkcountry: CNadmin-c: CH455-APtech-c: XZ14-APmnt-by: APNIC-HMmnt-lower: MAINT-CNCGROUP-SDchanged: [email protected] 20021224status: ALLOCATED PORTABLEsource: APNIC
Allocation objects maintained by APNIC
mntner: APNIC-HMdescr: APNIC Hostmaster – Maintainer...
– APNIC able to assert resources for a registered route within APNIC ranges.
IRR
APNIC RR service scope
• Routing Queries– Regular whois clients– APNIC whois web interface– Special purpose programs such as
IRRToolSet
• Routing Registration and Maintenance– Similar to registration of Internet
resources
IRR
APNIC RR service scope
• Support– APNIC Helpdesk support
• Training• IRR workshop under development
• Mirroring– APNIC mirrors IRRs within Asia Pacific
and major IRRs outside of the region.
IRR
Summary
• APNIC RR integrated in APNIC Whois DB• IRR benefits
– Facilitates network troubleshooting– Generation of router configuration– Provides global view of routing
• APNIC RR benefits– Single maintainer (& person obj) for all objects– APNIC asserts resources for a registered route– Part of the APNIC member service!
IRR
Questions ?
Material available at: www.apnic.net/training/recent/
Spam & Network Abuse
‘Best Current Practices’
Overview
• ‘Best Current Practice’
• Principles
• Customer Education
• Network Abuse
• Summary
‘Best Current Practice’
• ‘Best Current Practice’ (BCP)– Voluntary code of conduct for ISPs– Consensus on code– Many ISPs wish to be seen publicly
combating UCE– Need to work with all customers,
especially ISP customers so their customers adopt the BCP
Principles
• No email relaying– Historically SMTP systems ‘relayed’ email
from anyone to destination
• Requirement– Provide SMTP delivery for customers only
• As determined by domain and/or IP address
– ISPs should configure email systems to prevent relaying
– Check customers do not run open relays
Principles
• Must be able to trace email passing through a system– Add a ‘received’ header– Machine name can be forged
• ‘received’ line should contain name and IP address
• Identification of the sender of the email– Dial up connections with dynamic addressing
• Recommended– Time stamps based on NTP to identify sender– ISPs should keep logs for reasonable time
Principles
• AUP (Acceptable User Policy)– ISPs should publish
• Handle abuse reports– ISPs should accept and process reports of abuse by their
customers• Set up a specialist ‘[email protected]’ mailbox
– ISP should acknowledge receipt of abuse• Ticketing system to allow tracking of reports
– Identity of reporter should be kept confidential
– ISP may immediately terminate customers account• May also apply ‘warning’ then eventual termination• According to ISPs AUP
Principles
• Disseminate information to community– On action taken against customers– Publish overview statistical information– Ensure terminated accounts are not re-opened
• Dealing with UCE– Enhances an ISP’s standing in global
community– Avoid mass filtering of ISP emails– Avoid unwanted attention from legal authorities
Education
• Difficult, but important– Marketing departments don’t like it– Incorporate into ISP AUP (terms & contracts)
• ISP should provide documentation– Explaining nature of UBE– Why sending it is considered unacceptable – State what is required for a ‘spam abuse’ report– Where such reports can be sent
• Prevention is better than cure
Customer education – important facts
• Be careful about giving the email addresses to unknown sources (e.g. when filling in forms online etc.)
• Do not write back to the spammer– Confirm the validity of the e-mail id– Has a link for removal from their list
• normally doesn’t work
• Report the complaints to the spammer's ISP– Search spammers IP in the Whois database – Include the full header with the complain
Detecting network abuse
• Software to detect Network Abuse– Mostly designed to search the ARIN Whois
database– May refer to APNIC
• Many websites with whois lookup functions – has the same limitations
• However the IP addresses are registered by four RIRs on a regional basis
• If a standard search refers you to APNIC– It means only that the network in
question is registered in the Asia Pacific region
– Does not mean that APNIC is responsible or that the hacker/spammer is using APNIC network
Detecting network abuse
Investigation of network abuse complaints
• APNIC is not able to investigate these complaints
• Can use the APNIC Whois Database to find out where to take your complaint
• APNIC does not regulate the conduct of Internet activity (legally or practically)
Investigation of network abuse complaints
• Laws relating to network abuse vary from country to country
• Investigation possibilities– Cooperation of the network administrators– law enforcement agencies
• Local jurisdiction • jurisdiction where the problem originates
How can APNIC help you ?
• The APNIC Whois Database – Holds IP address records within the AP
region– Can use this database to track down the
source of the network abuse– Can find contact details of the relevant
network administrators • not the individual users• use administrators log files to contact the
individual involved
How can APNIC help you ?
• Education of network operators in the Asia Pacific community– Address policies and the importance of
registration of resources
• Community discussions can be raised in the APNIC open policy meetings / mailing lists etc.
Current status in Australia
• New legislation - Spam Bill 2003 – a balance between making spamming
unprofitable yet protecting legitimate business communications channels
– up to $1.1 million for each day for sending messages which break the law
– For more info:• http://www2.dcita.gov.au/ie/trust/improving/spam • http://scaleplus.law.gov.au/html/comact/11/6735/top.htm
Questions?
• Useful FAQ– http://www.apnic.net/info/faq/abuse/
Reverse DNS
Overview
• Principles – recap
• Creating reverse zones
• Setting up nameservers
• Reverse delegation procedures
• IPv6 reverse delegations
• Current status
Principles
• Mapping from names to addresses is common– Forward DNS
• Sometimes its necessary to know which name comes with a given address– Security, Spam detection, Diagnostics etc.– Reverse DNS
test.example.com A 193.0.0.4
Principles
• Delegate maintenance of the reverse DNS to the custodian of the address block
• Address allocation is hierarchical– LIRs/ISPs -> Customers -> End users
whois
Root DNSRoot DNS
Principles – DNS tree
net edu com au
whois
apnic
202 203 210 211..202
2222
in-addr
arpa
6464
22.64 .in-addr.202 .arpa
- Mapping numbers to names - ‘reverse DNS’
RIR
ISP
Customer
Creating reverse zones
• Same as creating a forward zone file– SOA and initial NS records are the same
as normal zone– Main difference
• need to create additional PTR records
• Can use BIND or other DNS software to create reverse zones– Details can be different
Start of Authority (SOA) record
<domain.name.> IN SOA <hostname.domain.name.>
<mailbox.domain.name> ( <serial-number> <refresh>
<retry> <expire>
<negative-caching> )
Start of Authority (SOA) record
• <domain.name>– Name of the domain where SOA belongs – Can use ‘@’ as well– e.g: 253.253.192.in-addr.arpa.
• IN– The class of the DNS record
• SOA– The type of DNS record – Indicates authority for this zone
Start of Authority (SOA) record
• <hostname.domain.name.>– 'master' field – hostname of the primary zone server
• <mailbox.domain.name.>– e-mail address of the person responsible for
maintaining the zone – '@' symbol is replaced by a '.', and any '.' before
the "@" was replaced by '\' • Ex: [email protected] written as dns-
admin.apnic.net• [email protected] written as dns\.admin.apnic.net
Start of Authority (SOA) record
• <serial-number>– To compare between the primary and
secondary servers
• <refresh>– How often a secondary should check the
primary
• <retry>– If a refresh attempt fails, a secondary
server will retry based on the time specified in the retry field
Start of Authority (SOA) record
• <expire>– If the refresh and retry attempts fail, the
secondary server will stop serving the zone after this period
• <negative caching>– How long a remote name server can
cache negative responses about a zone• Domain name or type of data doesn’t exists
Example SOA record
253.253.192.in-addr.arpa. IN SOA ns.test-domain.net. admin.test-
domain.net ( <2003033101>
<10800> <3600> <604800>
<10800> )
Nameserver (NS) records
• Declares the nameservers that serve a given zone
• <domain.name> – Domain which the NS belongs
• Ex: 253.253.192.in-addr.arpa or @ or <space>
• IN is the class of the DNS record• NS is the type
– Name Server in this case
• <hostname.domain.name>– Hostname of the authoritative server
<domain.name.> IN NS <hostname.domain.name.>
Example NS record
IN NS ns.apnic.net. IN NS svc00.apnic.net. IN NS ns.telstra.net. IN NS rs.arin.net.
Pointer (PTR) records
• Create pointer (PTR) records for each IP address
or
131.28.12.202.in-addr.arpa. IN PTR svc00.apnic.net.
131 IN PTR svc00.apnic.net.
A reverse zone example
Note trailing dots
$ORIGIN 1.168.192.in-addr.arpa.@ 3600 IN SOA test.company.org. (
sys\.admin.company.org. 2002021301 ; serial1h ; refresh30M ; retry1W ; expiry3600 ) ; neg. answ. ttl
NS ns.company.org.NS ns2.company.org.
1 PTR gw.company.org.router.company.org.
2 PTR ns.company.org.; BIND9 auto generate: 65 PTR host65.company.org$GENERATE 65-127 $ PTR host$.company.org.
Name server software
• ISC BIND (Berkeley Internet Name Domain)– Version 8
• In use, available, obsolete• Don't start to use it• Migrate to Version 9
– Version 9• Current version (9.2.3 as of Jan 2004)
– Release– Release Candidate (Betas)– Snapshots (Alphas)
» 9.3– Never Use Snapshots on production servers
• Other name server software– Microsoft DNS server– DJBDNS
Setting up the primary nameserver
• Add an entry specifying the primary server to the named.conf file
• <domain-name>– Ex: 28.12.202.in-addr.arpa.
• <type master>– Define the name server as the primary
• <path-name>– location of the file that contains the zone records
zone "<domain-name>" in { type master; file "<path-name>"; };
Setting up the secondary nameserver
• Add an entry specifying the primary server to the named.conf file
• <type slave>– Define the name server as the secondary
• <ip address>– IP address of the primary name server
• <domain-name>, <master>, <path-name> are same as before
zone "<domain-name>" in { type slave; file "<path-name>";Masters { <IP address> ; }; };
Reverse delegation requirements
• /24 Delegations• Address blocks should be assigned/allocated• At least two name servers
• /16 Delegations• Same as /24 delegations• APNIC delegates entire zone to member• Recommend APNIC secondary zone
• < /24 Delegations• Read “classless in-addr.arpa delegation”
RFC2317
Subdomains of in-addr.arpa domain
• Subnetting on an Octet Boundary– Similar to delegating subdomains of
forward-mapping domains
• Mapping problems– In IPv4 the mapping is done on 8 bit
boundaries (class full), address allocation is classless
– Zone administration does not always overlap address administration
Subdomains of in-addr.arpa domain
• Example: an organisation given a /16– 192.168.0.0/16 (one zone file and further
delegations to downstreams)– 168.192.in-addr.arpa zone file
should have:
0.168.192.in-addr.arpa. NS ns1.organisation0.com.0.168.192.in-addr.arpa. NS ns2.organisation0.com.1.168.192.in-addr.arpa. NS ns1.organisation1.com.1.168.192.in-addr.arpa. NS ns2.organisation1.com.2.168.192.in-addr.arpa. NS ns1.organisation2.com.2.168.192.in-addr.arpa. NS ns2.organisation2.com. : :
Subdomains of in-addr.arpa domain
• Example: an organisation given a /20– 192.168.0.0/20 (a lot of zone files!) –
have to do it per /24)– Zone files
0.168.192.in-addr.arpa.
1.168.192.in-addr.arpa.
2.168.192.in-addr.arpa.
:
:
15.168.192.in-addr.arpa.
Subdomains of in-addr.arpa domain
• Example: case of a /24 subnetted with the mask 255.255.255.192– In-addr zone – 254.253.192.in-addr.arpa– Subnets
• 192.253.254.0/26 • 192.253.254.64/26• 192.253.254.128/26• 192.253.254.192/26
– If different organisations has to manage the reverse-mapping for each subnet
• Solution to follow…
Classless in-addr for 192.253.254/24
• CNAME records for each of the domain names in the zone– Pointing to domain names in the new
subdomains $ORIGIN 254.253.192.in-addr.arpa.
0-63 NS ns1.organisation1.com.0-63 NS ns2.organisation1.com.
1 CNAME 1.0-632 CNAME 2.0-63
64-127 NS ns1.organisation2.com.64-127 NS ns2.organisation2.com.
65 CNAME 65.64-12766 CNAME 66.64-127
Classless in-addr for 192.253.254/24
• Using $GENERATE (db.192.253.254 file)
$ORIGIN 254.253.192.in-addr.arpa.
0-63 NS ns1.organisation1.com.0-63 NS ns2.organisation1.com.
$GENERATE 1-63$ CNAME $.0-63
64-127 NS ns1.organisation2.com.64-127 NS ns2.organisation2.com.
$GENERATE 65-127$ CNAME $.64-127
Classless in-addr for 192.253.254.0/26
• Now, the zone data file for 0-63.254.253.192.in-addr.arpa can contain just PTR records for IP addresses 192.253.254.1 through 192.253.154.63
$ORIGIN 0-63.254.253.192.in-addr.arpa.$TTL 1d@ SOA ns1.organisation1.com. Root.ns1.organisation1.com. (
1 ; Serial3h ; Refresh1h ; Retry1w ; Expire1h ) ; Negative caching TTL
NS ns1.organisation1.com.NS ns2.organisation1.com.
1 PTR org1-name1.organisation1.com. 2 PTR org1-name2.organisation1.com. 3 PTR org1-name3.organisation1.com.
Questions ?
Material available at: www.apnic.net/training/recent/
IPv6
Technical overview
Policies & Procedures
Overview
• Rationale
• IPv6 Addressing
• Features of IPv6
• Transition Techniques
• Current status
• IPv6 Policies & Procedures
• Statistics
Rationale
• Address depletion concerns– Squeeze on available addresses space
• Probably will never run out, but will be harder to obtain
– End to end connectivity no longer visible• Widespread use of NAT
IPv6 provides much larger IP address space than IPv4
Rationale (Cont.)
• Increase of backbone routing table size– Current backbone routing table size > 100K
• CIDR does not guarantee an efficient and scalable hierarchy
• The lack of uniformity of the current hierarchical system
• Routing aggregation is still a concern in IPv6
IPv6 address architecture is more hierarchical than IPv4
IPv6 address management hierarchy
IPv6
IANA
RIR RIR
NIR
Customer Site Customer Site
LIR/ISPLIR/ISP
/23
/32
/48/64
/128
Rationale (Cont.)
• Needs to improve the Internet environment– Encryption, authentication, and data integrity
safeguards needed• Necessity of IP level security
– Plug and Play function needed• Reduce network administrators work load• Reduce errors caused by individual users
More recent technologies (security, Plug and Play, multicast, etc.) available by default in IPv6
• Useful reading:– “The case for IPv6”: http://www.6bone.net/misc/case-for-ipv6.html
IPv6 addressing
• 128 bits of address space• Hexadecimal values of eight 16 bit fields
• X:X:X:X:X:X:X:X (X=16 bit number, ex: A2FE)• 16 bit number is converted to a 4 digit hexadecimal
number
• Example:• FE38:DCE3:124C:C1A2:BA03:6735:EF1C:683D
– Abbreviated form of address• 4EED:0023:0000:0000:0000:036E:1250:2B00
→4EED:23:0:0:0:36E:1250:2B00
→4EED:23::36E:1250:2B00
(Null value can be used only once)
IPv6 addressing model• IPv6 Address type
– Unicast• An identifier for a single
interface
– Anycast• An identifier for a set of
interfaces
– Multicast• An identifier for a group of
nodes
RFC3513
Unicast address
• Address given to interface for communication between host and router– Aggregatable global unicast address
– Local use unicast address• Link-local address (starting with FE80::)
• Site-local address (starting with FEC0::)
001 FP subnet prefix Interface ID 3bits 64 bits
1111111010 000…….0000 Interface ID 10 bits 54 bits 64 bits
1111111011 Subnet-ID Interface ID 10 bits 54 bits 64 bits
IPv6 header• Comparison between IPv4 header and IPv6 header
IHL
IHL=IP Header LengthTTL=Time to Live
Version IHL Type of Service Total Length 4 bits 4bits 8bits 16bits
Identification Flags Fragment Offset 16 bits 4 bits 12 bits
TTL Protocol Header Header Checksum 8 bits 8 bits 16 bits
Source Address32 bits
Destination Address32 bits
IP options0 or more bits
IPv4 Header
= Eliminated in IPv6
Enhanced in IPv6
Enhanced in IPv6
Enhanced in IPv6
IPv6 Header
Source Address128 bits
Destination Address128 bits
Version Traffic Class Flow Label 4bits 8 bits 20 bits
Payload Length Next Header Hop Limit 16 bits 8 bits 8 bits
IPv6 security • Convey the authentication information via IPv6
extension header: Authentication header
• Method to transport encrypted data: Encapsulating Security Payload (ESP) header
Next Header Length Reserved
Security Parameters Index (SPI)
Authentication Data
Sequence Number
Payload Data
Padding Next HeaderPad Length
Authentication Data
Security Parameters Index (SPI)
IPv6 features – autoconfigutation (Cont.)
Tentative address (link-local address)Well-known link local prefix +Interface ID (EUI -64)Ex: FE80::310:BAFF:FE64:1D
Is this address unique?
1. A new host is turned on.2. Tentative address will be assigned to the new host.3. Duplicate Address Detection (DAD) is performed on all unicast address.4. If no ND message comes back then the address is unique.5. FE80::310:BAFF:FE64:1D will be assigned to the new host.
AssignFE80::310:BAFF:FE64:1D
3FFE:0:0:1/64 network
IPv6 feature: autoconfiguration (Cont.)
FE80::310:BAFF:FE64:1D
Send meRouter Advertisement
1. The new host will send “router solicitation” request via multicasting to obtain the network prefix.
2. The router will reply “routing advertisement”.3. The new host will learn the network prefix. Ex: 3FFE:0:0:14. The new host will assigned a new address Network prefix+Interface ID
Ex: 3FFE:0:0:1:310:BAFF:FE64:1D
RouterAdvertisement
Assign3FFE:0:0:1:310:BAFF:FE64:1D
3FFE:0:0:1/64 network
IPv4 to IPv6 transition
• Implementation rather than transition• The key to successful IPv6 transition
– Maintaining compatibility with IPv4 hosts and routers while deploying IPv6
• Millions of IPv4 nodes already exist• Upgrading every IPv4 nodes to IPv6 is not feasible• Transition process will be gradual
• Commonly utilised transition techniques– Dual Stack Transition– Tunneling
Dual stack transition
• Dual stack = TCP/IP protocol stack running both IPv4 and IPv6 protocol stacks simultaneously
• Useful at the early phase of transition
DRIVER
IPv4 IPv6
APPLICATION
TCP/UDP
Dual Stack Host
IPv4 IPv6
Tunneling
• Commonly utilised transition method• IP v6 packet encapsulated in an IPv4 header• Destination routers will decapsulate the packets
and send IPv6 packets to destination IPv6 host
Add IPv4 Header
Encapsulation
IPv6 network
IPv4 network
IPv6 network
Decapsulation
Eliminate IPv4 Header
IPv6 Host X IPv6 Host YRouter α Router β
IPv6
IPv6 dataIPv6 header IPv4 header IPv4 header IPv6 dataIPv6 headerIPv6 dataIPv6 header
IPv6 address policy goals
• Efficient address usage• Avoid wasteful practices
• Aggregation• Hierarchical distribution• Aggregation of routing information• Limiting number of routing entries advertised
• Minimise overhead• Associated with obtaining address space
• Registration, Uniqueness, Fairness & consistency
• Same as IPv4
IPv6
IPv6 addressing structure
0 127
LIR/32
32
128 bits
Customer Site /48
16
Subnet /64
16 64
Device /128
IPv6 initial allocation
• Initial allocation criteria– Plan to connect 200 end sites within 2 years
• Default allocation (“slow start”)
• Initial allocation size is /32– Provides 16 bits of site address space
– Larger initial allocations can be made if justified according to:
• IPv6 network infrastructure plan• Existing IPv4 infrastructure and customer base
128 bits32 bits
48 bits48 bits32 bits
IPv6 assignments
• Default assignment /48 for all end sites• POP also defined as end site
– Providing 16 bits of space for subnets
• Other assignment sizes– /64 only one subnet – /128 only one device connecting
• Larger assignments - Multiple /48s – Should be reviewed by RIR/NIR
• Follow second opinion procedure
48 bits
128 bits64 bits64 bits48 bits
IPv6 utilisation
• Utilisation determined from end site assignments– LIR responsible for registration of all /48
assignments– Intermediate allocation hierarchy not
considered
• Utilisation of IPv6 address space is measured differently from IPv4
IPv6 utilisation requirement
• IPv6 utilisation measured according to HD-Ratio (RFC 3194):
• IPv6 utilisation requirement is HD=0.80– Measured according to assignments only
• E.g. ISP has assigned 10000 (/48s) addresses of /32
Utilisation HD = log (Assigned address space)
log (Available address space)
log (Assigned address space)
log (Available address space)=
log (10,000)
log (65,536)= 0.83
IPv6 utilisation requirement (Cont.)• HD Ratio utilisation requirement of 0.80
IPv6
Prefix
Site Address
Bits
Total site address in /48s
Threshold
(HD ratio 0.8)
Utilisation %
42 6 64 28
36 12 4096 776
35 13 8192 1351
32 16 65536 7132
29 19 524288 37641
24 24 16777216 602249
16 32 4294967296 50859008
8 40 1099511627776 4294967296
3 45 35184372088832 68719476736
10.9%
43.5%
18.9%16.5%
7.2%
3.6%
1.2%0.4%
0.2%
• RFC 3194
• “In a hierarchical address plan, as the size of the allocation increases, the density of assignments will decrease.”
Subsequent allocation
• Must meet HD = 0.8 utilisation requirement of previous allocation
• (7132 /48s assignments in a /32)
• Other criteria to be met– Correct registrations (all /48s registered)– Correct assignment practices etc
• Subsequent allocation results in a doubling of the address space allocated to it– Resulting in total IPv6 prefix is 1 bit shorter– Or sufficient for 2 years requirement
IXP IPv6 assignment policy
• Criteria– Demonstrate ‘open peering policy’– 3 or more peers
• Portable assignment size: /48 – All other needs should be met through
normal processes– /64 holders can “upgrade” to /48
• Through NIRs/ APNIC• Need to return /64
IPv6
Current Status - Implementations
• Most vendors are shipping supported products today
• eg. 3Com, Apple, Bay Networks, BSDI, Bull, Cisco, Dassault, Digital, Epilogue, Ericsson/Telebit, FreeBSD, IBM, Hitachi, HP, KAME, Linux, Mentat, Microsoft, Nokia, Novell, Nortel, OpenBSD, SCO, Siemens Nixdorf, Silicon Graphics, Sun, Trumpet
IPv6
IPv6 deployment current experiments
IPv6-washing machine IPv6-refrigerator IPv6-microwave
Mobile viewer Access point
PC
IPv6 network
Home hub
Home hub
Home router
Light
Air conditioner
Ethernet
Wireless
Current issues: Multihoming
• Assigned portable address is not available
• Multiple unicast addresses per node – How to determine the source address?
• Multiple interfaces per host– Possible defeat ICMP redirect– How to achieve “load-sharing” across
multiple interfaces?
• Other issues too– IETF is working for possible solutions
Current issues: DNS
• Need for a root name server, TLDs name server accessible via IPv6
• Human error easily made in IPv6 reverse DNS record– Dynamic update may provide a solution– Security system while update required
• Ex: DNSSEC
IPv6 Address Allocation Procedures
• IPv6 Allocations to RIRs from IANA– APNIC 2001:0200::/23
2001:0C00::/232001:0E00::/23
– ARIN 2001:0400::/23 2001:1800::/23
– LACNIC 2001:1200::/23– RIPE NCC 2001:0600::/23
2001:0800::/232001:0A00::/23
2001:1400::/23 2001:1600::/232001:1A00::/23
• IPv6 Address Request form http://ftp.apnic.net/apnic/docs/ipv6-alloc-request
• IPv6 FAQ http://www.apnic.net/faq/IPv6-FAQ.html
IPv6
IPv6 distribution per RIR
APNIC139
ARIN90
LACNIC11
RIPE-NCC304
Source: APNIC statistic data - Last update March 2004
IPv6 allocations from RIRs to LIRs/ISPs yearly comparison
Source: RIR reports and joint statistics presented at APNIC 17
IPv6 allocations in Asia Pacific
JP68
KR19
ID3 NZ
1
TW13
CN9
AU7
TH3
PG1
MY4
IN3
HK2
SG5
PH1
Source: APNIC statistic data - Last update March 2004
APNIC allocation by year
9
139
37
7
45
26
15
0
20
40
60
80
100
120
140
160
1999 2000 2001 2002 2003 2004 Total
Source: APNIC statistic data - Last update March 2004
IPv6 routing table
Source: http://bgp.potaroo.net/v6/as1221/index.html - Last updated 09/03/2004
0
50
100
150
200
250
300
350
/24 /27 /28 /32 /33 /35 /37 /40 /41 /42 /44 /45 /48 /60 /64 /120
No. of /32s announced, 76
No. of /35 announced, 15
Not announced yet , 48
IPv6 allocation announcements
Data obtained from RIPE RIS Looking Glass as of 11/03/2004
Questions ?
Material available at: www.apnic.net/training/recent/
IPv6 Reverse delegations
IPv6 representation in the DNS
• Forward lookup support: Multiple RR records for name to number– AAAA (Similar to A RR for IPv4 )– A6 without chaining (prefix length set to 0 )
• Reverse lookup support: – Reverse nibble format for zone ip6.int – Reverse nibble format for zone ip6.arpa
IPv6 forward and reverse mappings
• Existing A record will not accommodate IPv6’s 128 bit addresses
• BIND expects an A record’s record-specific data to be a 32-bit address (in dotted-octet format)
• An address record– AAAA (RFC 1886)
• A reverse-mapping domain– Ip6.int (now replaced by ip6.arpa)
whois
Root DNSRoot DNS
The reverse DNS tree – with IPv6
net edu com int
whois
apnic
arpa
202 203 210202
2222
in-addr
6464
RIR
ISP
Customer
IP6IP6
IPv6 Addresses
64 H1
H10
H8
H12
H32
ISP
/32Downstream
ISP/40
Customer/48
Devices /128
intarpa
IP6IP6
Root DNSb.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa.
IPv6 forward lookups
• Multiple addresses possible for any given name– Ex: in a multi-homed situation
• Can assign A records and AAAA records to a given name/domain
• Can also assign separate domains for IPv6 and IPv4
Sample forward lookup file
;; domain.edu $TTL 86400@ IN SOA ns1.domain.edu. root.domain.edu. (
2002093000 ; serial - YYYYMMDDXX21600 ; refresh - 6 hours1200 ; retry - 20 minutes3600000 ; expire - long time86400) ; minimum TTL - 24 hours
;; NameserversIN NS ns1.domain.edu.IN NS ns2.domain.edu.
;; Hosts with just A recordshost1 IN A 1.0.0.1
;; Hosts with both A and AAAA recordshost2 IN A 1.0.0.2
IN AAAA 2001:468:100::2
IPv6 reverse lookups
• IETF decided to restandardize IPv6 PTR RRs – They will be found in the IP6.ARPA namespace
rather than under the IP6.INT namespace
• The ip6.int domains has been deprecated, but some hosts still use them– Supported for backwards compatiblity
• Now using ip6.arpa for reverse
IPv6 reverse lookups - AAAA and ip6.arpa
• Address record four times longer than A– Quad A ( AAAA )
• AAAA record is a parallel to the IPv4 A record
• It specifies the entire address in a single record
IPv6 reverse lookups - AAAA and ip6.arpa
• Example
–Each level of subdomain• Represents 4 bits
4.3.2.1.0.0.0.0.0.0.0.1.0.0.0.2.0.0.0.3.0.0.0.4.0.5.6.7.8.9.a.b
b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa.
Ipv6-host IN AAAA 4321:0:1:2:3:4:567:89ab
IPv6 reverse lookups - PTR records
• Similar to the in-addr.arpa
• Example: reverse name lookup for a host with address 3ffe:8050:201:1860:42::1
b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa. IN PTR test.ip6.example.com.
$ORIGIN 0.6.8.1.1.0.2.0.0.5.0.8.e.f.f.3.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.2.4.0.0 14400 IN PTR host.example.com.
Sample reverse lookup file
;; 0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.rev;; These are reverses for 2001:468:100::/64);; File can be used for both ip6.arpa and ip6.int.$TTL 86400@ IN SOA ns1.domain.edu. root.domain.edu. (
2002093000 ; serial - YYYYMMDDXX21600 ; refresh - 6 hours1200 ; retry - 20 minutes3600000 ; expire - long time86400) ; minimum TTL - 24 hours
;; NameserversIN NS ns1.domain.edu.IN NS ns2.domain.edu.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR host1.ip6.domain.edu2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR host2.domain.edu;;;; Can delegate to other nameservers in the usual way;;
Sample configuration file
// named.conf
zone “domain.edu” {type master;file “master/domain.edu”;
}zone “0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.ip6.int" {
type master;file "master/0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.rev";
};zone “0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.ip6.arpa" {
type master;file "master/0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.rev";
};
• Reverse tree has 4bit ‘boundary’– /35 allocation needs two /36 delegations
• Delegation for two /360.8.3.2.0.1.0.0.2.ip6.arpa 1.8.3.2.0.1.0.0.2.ip6.arpa
Reverse delegation for existing /35 holders
Can be 1 or 0
FP | /35 allocations||3 | /32 | |--|----------------------------|--|----……00100000000000010000001000111000000?------------ 35 bits -------------- 2 0 0 1: 0 2 3 8 0/35
Current Status – IPv6 in DNS
• A6 and Bit label specifications has been made experimental– RFC3363
• IETF standardized 2 different formats– AAAA and A6– Confusions on which format to deploy– More than one choice will lead to delays
in the deployment of IPv6
What we covered so far in IPv6 reverse DNS
• IPv6 representation in the DNS
• IPv6 forward and reverse mappings
• AAAA and A6 records
• Current status
Questions ?
Material available at: www.apnic.net/training/recent/
Summary
ooo
Topics covered today
• Policy guidelines • Adv db queries, protection and
role objects• IRR• Spam & Hacking• DNS• IPv6• IPv6 DNS
Summary
• Use proper authentication to protect your objects in the whois Database– Use role objects to facilitate management of contacts
• The IRR can help you manage your router configs
• Prevent email relaying to reduce spam– Follow Best Current Practices
• Register your reverse delegations!
• Start thinking about IPv6 now
Supplementary reading
Policy guidelines
Policy guidelines• IPv4 guideline document
http://www.apnic.net/docs/policy/ipv4-guidelines.html
• IP unnumberedhttp://www.apnic.net/info/faq/ip_unnumb.html
Renumbering• Network Renumbering Overview: Why Would I
Want It and What Is It Anyway?http://ftp.apnic.net/ietf/rfc/rfc2000/rfc2071.txt
• Procedures for Enterprise Renumberinghttp://www.isi.edu/div7/pier/papers.html
Policy guidelines
NAT• The IP Network Address Translator
http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1631.txt
• Architectural Implications of NAT http://www.ietf.org/rfc/rfc2993.txt
• Unique Addresses are Good http://www.ietf.org/rfc/rfc1814.txt
APNIC Database
APNIC Database Documentation• Updating information in the APNIC Database
http://ftp.apnic.net/apnic/docs/database-update-info
• Creating role objects http://www.apnic.net/db/role.html
• APNIC Maintainer Object Request http://www.apnic.net/apnic-bin/maintainer.pl
• APNIC Whois Database objects resource guide http://www.apnic.net/services/whois_guide.html
Internet Routing Registry
• APNIC Routing Registry Guidehttp://www.apnic.net/services/apnic-rr-guide.html
• Routing Policy Specification Language (RPSL)
http://nori.apnic.net/ietf/rfc/rfc2280.txt
• Using RPSL in Practicehttp://nori.apnic.net/ietf/rfc/rfc2650.txt
• Routing Policy System Securityhttp://nori.apnic.net/ietf/rfc/rfc2725.txt
• IRRToolSethttp://www.ripe.net/db/irrtoolset/
Spam and Hacking
• APNIC spam and hacking FAQhttp://www.apnic.net/info/faq/abuse/
• Using the APNIC Whois Database to investigate security incidents
http://www.apnic.net/info/faq/abuse/using_whois.html
Reverse DNS
Request Forms• Guide to reverse zones
http://www.apnic.net/db/revdel.html
• Registering your Rev Delegations with APNIC http://www.apnic.net/db/domain.html
Relevant RFCs• Classless Delegations
http://ftp.apnic.net/ietf/rfc/rfc2000/rfc2317.txt
• Common DNS configuration errorshttp://ftp.apnic.net/ietf/rfc/rfc1000/rfc1537.txt
Reverse DNS
Documentation• Domain name structure and delegation
http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1591.txt
• Domain administrators operations guidehttp://ftp.apnic.net/ietf/rfc/rfc1000/rfc1033.txt
• Taking care of your domainftp://ftp.ripe.net/ripe/docs/ripe-114.txt
• Tools for DNS debugginghttp://ftp.apnic.net/ietf/rfc/rfc2000/rfc2317.txt
IPv6
• IPv6 Address Allocation & Assignment Policy
• http://ftp.apnic.net/apnic/docs/ipv6-address-policy
• IPv6 Address request form• http://ftp.apnic.net/apnic/docs/ipv6-alloc-
request
• FAQ• http://www.apnic.net/info/faq/IPv6-FAQ.html
IPv6
• The case for IPv6– draft-ietf-iab-case-for-ipv6-06.txt
• http://www.6bone.net/misc/case-for-ipv6.html
• Internet Protocol Version 6 (IPv6) Addressing Architecture
• http://nori.apnic.net/ietf/rfc/rfc3513.txt
• IPv6 Stateless Address Autoconfiguration • http://nori.apnic.net/ietf/rfc/rfc2462.txt
IPv6
• The H Ratio for Address Assignment Efficiency
• http://www.ietf.org/rfc1715.txt
• The Host-Density Ratio for Address Assignment Efficiency: An update on the H ratio
• http://www.ietf.org/rfc3194.txt
IPv6: HD ratio 0.8
IPv6 prefix Site addr bits
Total site addrs in /48s Threshold Util%
42 6 64 28 43.5%36 12 4096 776 18.9%35 13 8192 1351 16.5%32 16 65536 7132 10.9%29 19 524288 37641 7.2%24 24 16777216 602249 3.6%16 32 4294967296 50859008 1.2%
8 40 1099511627776 4294967296 0.4%3 45 35184372088832 68719476736 0.2%
RFC3194 “The Host-Density Ratio for Address Assignment Efficiency”
IPv6 DNS
• Representing Internet Protocol version 6 (IPv6) Addresses in the Domain Name System (DNS)
http://www.ietf.org/rfc/rfc3363.txt
• DNS Extensions to support IP version 6http://www.ietf.org/rfc/rfc1886.txt
• Delegation of IP6.ARPA http://www.ietf.org/rfc/rfc3152.txt