route roa management guide - apnic · 2017. 6. 18. · routes and route objects can exist...
Route Management Guide to manage your routes and (RPKI) ROA

Contents

Route/ROA management
1 MyAPNIC routes and Whois route objects
  1.1 How MyAPNIC routes and WHOIS route objects are different
  1.2 Synchronizing MyAPNIC routes and WHOIS route objects
  1.3 Conflicts between MyAPNIC routes and WHOIS route objects
2 Import routes
3 Create Routes
  3.1 ROA option
  3.2 ‘Whois Route Attributes’ option
  3.3 ‘Notify additional contacts’ option
  3.4 Sub-route selection
  3.5 Route Requests – Action log
  3.6 Route Task Details
4 Edit Routes
5 User permission
  5.1 Checking user permission
6 FAQ
  6.1 What is ROA and RPKI
  6.2 Why do I get “authorization failed”
  6.3 How does authorization work?
  6.4 How do I enable Two factor authentication (2FA)
    6.4.1 Time-based One Time Password (TOTP)
    6.4.2 Digital Certificates

Route/ROA management
To access the Route/ROA management feature:
1) Log in to MyAPNIC
2) Go to: Resources → Route Management (see image below)

1 MyAPNIC routes and Whois route objects
The route management tool is an interactive feature in MyAPNIC where users can manage routes and ROAs at once.

1.1 How MyAPNIC routes and WHOIS route objects are different
Through this tool, users can create and manage MyAPNIC routes, which are referred to as “routes” throughout this document. These ‘routes’ act as a template for creating actual routes in the whois database, which are referred to as “route objects” in this document. Routes and route objects can exist separately; that is, a route in MyAPNIC can exist without an actual route object in the whois database, and route objects in the whois database can exist without a route entry in MyAPNIC.

1.2 Synchronizing MyAPNIC routes and WHOIS route objects
Users can decide to import routes in the whois database through the Route Management tool. This will ensure a route entry in MyAPNIC is created for every route object associated with that account (routes with the account's IP prefixes and ASNs). Once a route entry is created in MyAPNIC, users can manage whois route objects through the tool's interface. When a user creates, updates or deletes a route through this tool, the tool will attempt to create a whois route object as soon as possible. If you are updating multiple objects at the same time, the tool may show “pending” status against the routes which are not yet synchronized.

1.3 Conflicts between MyAPNIC routes and WHOIS route objects
The Route Management tool is not the only way that a whois route object can be managed. If a whois route object is changed, the MyAPNIC route entry will not change. It will indicate that there is a conflict. This ensures that the user is made aware of changes made outside the Route Management tool. The user can then take action to resolve the conflict: either accept the changes, or revert the route object back to the MyAPNIC route template.

2 Import routes
When a user opens or refreshes the Route Management page, the tool checks for any route objects in the APNIC whois database which are not managed by the route management tool in MyAPNIC. If any such route objects exist, the user can select and import them and start managing them through the tool.

If the user clicks on “Review & Import”, the following screen will appear.

From this page, the user can view and select route objects to be managed by the tool. When the user finishes selecting and clicks on “Import”, the following message will appear on the screen to confirm that the import task is being handled in the background.

To see more details about the task, the user can either click on the above message while it is being displayed, or click on the “Requests” link at the top of the Route Management page. By clicking either of the links, the user can see the following detailed information about the task.

When the user clicks the “View” button for a particular request in the Route task request window, the tool will show any changes that were made in the APNIC whois database regarding this request. In the case of importing, the route object will not be changed, hence the message “Object already exists” is displayed.

Once the routes are imported, any further changes to the route object will change the route object in the APNIC whois database. See section 3, Edit routes for more information about making changes to an existing route.

3 Create Routes
To create a new route object, please select the ‘create route object’

The following template shows the minimum information that a user needs to input to create a route.

Prefix: The IPv4 or IPv6 prefix in CIDR notation
Origin AS: The AS Number which is used to announce the IP prefix
Most Specific Announcement: By default, this will be prefilled with the IP prefix's size. However, the user can choose to announce more specific IP prefixes if he wishes to. If a more specific announcement is chosen, the tool will create all the route objects from the least specific announcement up to the most specific announcement, including any prefixes in between.
ROA: See ROA option
Define whois route attributes: See ‘Whois Route Attributes’ option
Notify Additional Contacts: See Notify Additional Contacts
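
The effect of the Most Specific Announcement field can be worked out before submitting. The following is an added example, not code from APNIC or MyAPNIC: it lists every route that falls between the prefix size and the most specific announcement, and picks the ‘route’ or ‘route6’ object class. The function name and the `limit` safety cap are assumptions of this example.

```python
import ipaddress


def planned_routes(prefix, origin_as, most_specific=None, limit=1024):
    """Return (object class, prefix, origin) for every route from the prefix
    size up to the most specific announcement, including those in between."""
    net = ipaddress.ip_network(prefix)  # strict parsing: rejects host bits
    if most_specific is None:
        most_specific = net.prefixlen   # default: prefilled with prefix size
    if not net.prefixlen <= most_specific <= net.max_prefixlen:
        raise ValueError(
            f"most specific announcement must be between /{net.prefixlen} "
            f"and /{net.max_prefixlen}")
    # One route at the prefix size, two at the next length, four after that...
    total = 2 ** (most_specific - net.prefixlen + 1) - 1
    if total > limit:  # hypothetical cap of this example, not the tool's
        raise ValueError(f"{total} route objects would be created")
    obj_class = "route" if net.version == 4 else "route6"
    routes = []
    for length in range(net.prefixlen, most_specific + 1):
        for sub in net.subnets(new_prefix=length):
            routes.append((obj_class, str(sub), f"AS{origin_as}"))
    return routes


if __name__ == "__main__":
    # Constructed input: documentation prefix and a private-use AS number.
    for obj_class, sub, origin in planned_routes("198.51.100.0/24", 64511, 26):
        print(f"{obj_class:7} {sub:20} origin {origin}")
```

A /24 with a most specific announcement of /26 yields seven routes, and each extra bit roughly doubles the total, which is why the list is worth reviewing before submitting.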

3.1 ROA option
If the member who logs into MyAPNIC has:
- RPKI update permission -AND-
- Two Factor Authentication enabled
The ROA option will be ticked by default. If the user proceeds with the option ticked, matching ROAs will be created for the prefix and also for the most specific announcement. The option can be un-ticked if the user does not require ROAs to be created.

If the member who logs into MyAPNIC has:
- RPKI update permission revoked -OR-
- Two Factor Authentication disabled
The ROA option will be un-ticked by default. The user cannot tick this option. If the user wants to create ROAs, he can click “here” to go to the Two Factor Authentication configuration page.

3.2 ‘Whois Route Attributes’ option
The user can add a number of attributes through this option, from the drop-down menu, one by one. To see a detailed explanation of all these attributes, please visit the following URL.
https://www.apnic.net/apnic-info/whois_search/using-whois/guide/route
If this option is not selected, a route will be created with the mandatory attributes filled with information from your.

Route object template for ‘route’ (IPv4 routes)
Route object template for ‘route6’ (IPv6 routes)

3.3 ‘Notify additional contacts’ option
By default, if a route is created, automatic notifications will be sent to the ASN custodian. Notifications will be sent to APNIC account contacts. If the ASN is from a different RIR, the ‘whois’ database contacts associated with that ASN will be notified. If neither of the above contacts is found, the APNIC helpdesk will be notified. With the ‘Notify additional contacts’ option, the user is able to send route creation notices to any other party that he wishes to inform. Multiple e-mail contacts can be included by separating them with commas or spaces.

3.4 Sub-route selection
Once all the information is filled in and the user clicks “NEXT”, the Confirmation window appears, where further adjustments can be made.

The confirmation screen above shows all the routes that are going to be created. The mandatory attributes the user entered are displayed at the top of the screen, followed by a list of routes that will be created. The list will have more than one route if the ‘most specific announcement’ is higher than the ‘prefix size’. All routes in the list are selected by default. The user has the option to unselect any route if required.

Select all: Ticks all the sub-routes in the list
Deselect all: Un-ticks all the sub-routes in the list
Show ‘X’ entries: Determines the number of sub-routes to be displayed per page. Options are 10, 25, 50 and 100
Previous: Goes to the previous page of the list if the number of sub-routes does not fit on a single page
Next: Goes to the next page of the list if the number of sub-routes does not fit on a single page
Cancel: Aborts the route creation
Go back: Goes to the previous page where route attributes can be updated
Submit: All selected sub-routes will be created. Route objects will be injected into the whois database. If the ROA option is enabled, matching ROAs will be created

Once the ‘Submit’ button is clicked, the tool will start processing the route creation. A dialog box like the one below will indicate this.

This dialog box will disappear automatically once the routes are created in MyAPNIC. As shown in the dialog box, to see details click the ‘Route requests’ link shown below.

3.5 Route Requests – Action log
The ‘Route requests’ link (please see 1.1.4 Confirm and Submit) will take the user to a log of all activities associated with the Route Management page. The action log will look similar to the screen below.

ID: Action log ID
Created: Date and timestamp of the submission
User: MyAPNIC user ID
Type: Type of action requested: Create Route, Modify Route or Delete Route
Route: The IP prefix which will be announced. Sub-route prefixes can be viewed by clicking ‘View’
Status: A green tick mark indicates all sub-routes were created successfully. A red cross icon indicates that at least one sub-route creation has failed.
View: Shows more details about a specific action item

3.6 Route Task Details
The screen below shows how route task details will appear if the ‘view’ button is clicked on the route requests page (see 1.1.6 Route Requests)

If the task selected is either “Create Route” or “Edit Route”, the user can view the actual whois route object by clicking the “View Whois Object” button in the above screen.

4 Edit Routes
Routes created through MyAPNIC or through other methods such as e-mail updates can be modified through this interface.

A specific route can be modified by clicking on the edit button in front of its route entry.

Most Specific Announcement: The user can change this attribute. Changing it will automatically change the number of sub-route entries.
ROA: The user can toggle between ROA enable and ROA disable. The user needs to have permission to enable ROA (see: User Permission)
Enable/Disable: If Managed is set to ‘Enabled’, it means a whois route object exists. If Managed is set to ‘Disabled’, it means the whois route object does not exist. By toggling between the two states, the user can create and delete whois route objects. If the user disables a sub-route for which ROA is enabled, the ROA will automatically be deleted as well.
Submit: Changes will be processed, and whois route objects will be updated accordingly.
Update Whois: This button will open the whois update page for that particular whois route object.

5 User permission
To be able to create ROAs together with routes, users require:
1) Resource Certification permission enabled -AND-
2) Two Factor Authentication (2FA) enabled
   a. Time-based One Time Passwords (TOTP) -OR-
   b. Digital Certificates

To learn more about:
Resource Certification: www.apnic.net/ROA
Two Factor Authentication: www.apnic.net/2FA

By default, Corporate Contacts have Resource Certification permission enabled. Technical Contacts and Billing (Admin) Contacts do not have access by default. The Corporate Contact can grant them access through MyAPNIC. None of the contacts have 2FA enabled. Therefore, all contact persons must select one of the above 2FA methods and configure it before they can create ROAs.

5.1 Checking user permission
Users can check what permissions are enabled for them by going to: Home → My Profile → Account Permission

To be able to create ROAs, both “View” and “Update” permissions should be enabled.

6 FAQ

6.1 What is ROA and RPKI
Please visit the APNIC website for more information. www.apnic.net/ROA

6.2 Why do I get “authorization failed”
It could be due to one or more of the following reasons.
1) The IP prefix is not in the APNIC account. Route objects can be created by IP prefix custodians only. Please go to: Home → Resources → IPv4/IPv6 and check if the IP prefix is available.
2) The account maintainer has not been added to your MyAPNIC. You can request the password if there are other users who already have the maintainer added. Please go to: Home → Resources → maintainers and check if the maintainer is registered.
3) Another route object exists which is the same as or larger than the route object you are trying to create, and it has a different “mnt-lower” or “mnt-routes”. In that case, please register that maintainer in your MyAPNIC and use it for more specific route announcements.

6.3 How does authorization work?
Whois objects are protected by maintainers. In the case of route objects, it’s a little bit more complicated. To be consistent with the objects which already exist, there are different levels of checks which need to be validated before a route can be injected into the whois database.
If you are creating a route object (e.g. 198.51.100.0/24 with AS64511), maintainer authorization will be checked in the following order.

1) Is there a route object with the same IP prefix?
   a. If yes: Go to 5
   b. If no: Go to 2
2) Is there a route object with a less specific IP prefix? (overlapping the route you want to create)
   a. If yes: Go to 5
   b. If no: Go to 3
3) Is there an inetnum object with the same IP prefix?
   a. If yes: Go to 5
   b. If no: Go to 4
4) Is there an inetnum object with a less specific IP prefix? (overlapping the route you want to create)
   a. If yes: Go to 5
   b. If no: route creation fails and an error is given
5) Is there a mnt-routes defined in the existing object?
   a. If yes: Go to 8
   b. If no: Go to 6
6) Is there a mnt-lower defined in the existing object?
   a. If yes: Go to 8
   b. If no: Go to 7
7) Is there a mntner defined in the existing object?
   a. If yes: Go to 8
   b. If no: route creation fails and an error is given
8) Does the mnt-routes/mnt-lower/mntner of the existing object match the mntner of the route you wish to create?
   a. If yes: Create Route
   b. If no: route creation fails and an error is given

If you still cannot find the reason why it fails, please contact the APNIC helpdesk. ([email protected])
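
The eight-step order above can be traced against your own objects before submitting a route. The following is an added example, not APNIC's implementation: it walks the same steps over a small constructed set of whois objects. It assumes inetnum ranges are written as CIDR prefixes, that the guide's "mntner" in steps 7 and 8 is the object's mnt-by attribute, and that the closest less specific object is the one checked; all maintainer names are placeholders.

```python
import ipaddress

# Constructed whois objects for illustration (not real registry data).
# Assumptions: inetnum ranges are written as CIDR prefixes, and the guide's
# "mntner" in steps 7 and 8 is taken to be the object's mnt-by attribute.
WHOIS = [
    {"type": "inetnum", "prefix": "198.51.100.0/24",
     "mnt-by": ["MAINT-EXAMPLE-A"], "mnt-lower": ["MAINT-EXAMPLE-LOWER"]},
    {"type": "route", "prefix": "203.0.113.0/24",
     "mnt-by": ["MAINT-EXAMPLE-B"], "mnt-routes": ["MAINT-EXAMPLE-ROUTES"]},
    {"type": "inetnum", "prefix": "203.0.113.0/24", "mnt-by": ["MAINT-EXAMPLE-A"]},
    {"type": "inetnum", "prefix": "192.0.2.0/24"},  # no maintainer at all
]


def find_reference(prefix, db):
    """Steps 1-4: same-prefix route, covering route, same-prefix inetnum,
    covering inetnum. Returns the first object found, or None."""
    want = ipaddress.ip_network(prefix)
    for obj_type in ("route", "inetnum"):
        nets = [(ipaddress.ip_network(o["prefix"]), o)
                for o in db if o["type"] == obj_type]
        nets = [(n, o) for n, o in nets if n.version == want.version]
        for n, o in nets:
            if n == want:                      # step 1 or 3
                return o
        covering = [(n, o) for n, o in nets if want.subnet_of(n)]
        if covering:                           # step 2 or 4
            # Assumption: with several less specific objects, use the closest.
            return max(covering, key=lambda item: item[0].prefixlen)[1]
    return None


def authorize(prefix, maintainer, db=WHOIS):
    """Return (allowed, reason) for creating a route under `maintainer`."""
    ref = find_reference(prefix, db)
    if ref is None:
        return False, "no route or inetnum covers the prefix"   # step 4: No
    for attr in ("mnt-routes", "mnt-lower", "mnt-by"):           # steps 5-7
        if ref.get(attr):
            allowed = maintainer in ref[attr]                    # step 8
            return allowed, f"{attr} on {ref['type']} {ref['prefix']}"
    return False, "existing object has no maintainer"           # step 7: No
```

With this data, MAINT-EXAMPLE-A is refused for 203.0.113.0/24 even though it maintains the matching inetnum, because the existing route object is found first and its mnt-routes is the attribute compared.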

6.4 How do I enable Two factor authentication (2FA)
There are two options to enable 2FA. For more information about 2FA, please visit www.apnic.net/2FA

6.4.1 Time-based One Time Password (TOTP)
To configure, please see the following guide: www.apnic.net/2fa

6.4.2 Digital Certificates
To configure, please see the following guide: https://www.apnic.net/manage-ip/myapnic/digital-certificates