Routing Registry Training Slides (transcript)
Routing Registry Training Course, February 2011
Schedule
• 09:00 - 09:30 Coffee, Tea & Network setup
• 11:00 - 11:15 Break
• 13:00 - 14:00 Lunch
• 15:00 - 15:15 Break
• 17:30 End
• Ask questions at any time!
• All the material on ripe.net/training/
Introductions
• Number on the list
• Name
• Experience with the RIPE DB & BGP
• Goals
Goals
• Learn the benefits of using Routing Registry (RR)
• Practice using the RIPE Database - create, modify & protect your objects
• Practice describing your routing policy in RPSL
• Practice creating router configuration from RR
Today's topics: theory and practice
1. Benefits of using Routing Registry (RR)
   - Exercise: Creating a route6 object
2. Configuring routers based on RR
   - Exercise: Generating prefix list filter
3. Advanced RIPE DB usage
   - Exercise: Creating maintainer for PI End User
4. Routing Policy Specification Language (RPSL)
   - Exercise: Creating multihoming policy in aut-num
   - Exercise: Generating router configuration
5. Advanced RPSL policy options
6. Resource Certification & other services
1. Benefits of using Routing Registry
What is “Internet Routing Registry”
• Distributed databases with public routing policy information, mirroring each other: irr.net
- APNIC, RADB, Level3, SAVVIS...
• RIPE NCC operates “RIPE Routing Registry”
• Big operators make use of it
  - AS286 (KPN), AS5400 (BT), AS1299 (Telia), AS8918 (Carrier1), AS2764 (Connect), AS3561 (Savvis), AS3356 (Level 3)...
What is your routing policy?
• What prefixes do you announce?
• Who are your neighbours?
  - upstreams, customers, peers
• What prefixes do you accept? Who from?
• What are your preferences?
Why publish your policy in IRR?
• Required by some Transit Providers & IXPs
  - they use it for prefix-based filtering
• Allows for automated generation of prefix filters
  - and router configuration commands, based on RR
• Contributes to routing security
  - prefix-based filtering prevents accidental leaks and route hijacking
• Consistent information between neighbours
• Good housekeeping
85% match between BGP/RIS & RR
• According to the RIPE Labs article
RIPE Database
• Public Internet resources database
• All your objects are already there:
  - Address space: inetnum & inet6num
  - AS Number: aut-num
  - Contact details: person, role, organisation
  - Strong protection: maintainer (key-cert, irt)
Connection between objects

inetnum: 85.118.184.0/21
status: ALLOCATED PA
tech-c: LA789-RIPE
mnt-lower: LIR-MNT
org: ORG-Bb2-RIPE

route: 85.118.184.0/21
origin: AS12345
mnt-by: LIR-MNT

aut-num: AS12345
tech-c: LA789-RIPE
mnt-by: LIR-MNT
mnt-routes: USER-MNT
org: ORG-Bb2-RIPE

org: ORG-Bb2-RIPE
mnt-by: RIPE-NCC-HM-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: LIR-MNT
admin-c: LA789-RIPE

role: LIR ADMIN
nic-hdl: LA789-RIPE
mnt-by: LIR-MNT
tech-c: JD1-RIPE
tech-c: JM1-RIPE
e-mail: noc@provider

person: Jane Doe
nic-hdl: JD1-RIPE
mnt-by: LIR-MNT
address: somewhere
phone: +31122345678

person: John Malkovich
nic-hdl: JM1-RIPE
mnt-by: LIR-MNT
address: under the bridge
phone: +312458765432

mntner: LIR-MNT
admin-c: LA789-RIPE
tech-c: LA789-RIPE
auth: MD5-PW $nje^6G
RIPE RR is part of the RIPE Database
• route[6] object creation is the responsibility of the LIR
  - every time you receive a new allocation, create a route or route6 object
• route and route6 objects represent a routed prefix
  - address space being announced by an AS number
  - these two (prefix and origin) are the primary keys
• Only the holder of both the address space and the AS number can authorise creation of a route[6] object
Exercise 1: Creating a route6 object for your LIR
Authenticating a route6 object for an LIR

inet6num: 2001:db8::/32
status: ALLOCATED-BY-RIR
mnt-by: RIPE-NCC-HM-MNT
mnt-routes: LIR-MNT

route6: 2001:db8::/32
origin: AS2
mnt-by: LIR-MNT

aut-num: AS2
mnt-by: LIR-MNT

Exercise: Creating a route6 object
• Task: Create a route6 object
  - for your allocation prefix
  - originating from your AS number
  - hint: use the password of your LIR's "maintainer"
• Time: 15 minutes
2. Configuring routers based on RR
Benefit of RR: automation of router config
• By creating route objects in the RR, ISPs enable automated generation of prefix lists
• BGP configuration made easier
  - with the help of tools
Tools for integration of RR & routers
(diagram: DB Objects (route[6] & routing policy) + Commands in the Template/Input File -> Tool (e.g. RtConfig) -> (partial) router configuration)
RtConfig
• RtConfig reads information from the IRR
• Generates parts of the router configuration file
  - Creates prefix lists, route-maps and AS path filters
• One of the tools in the IRRToolSet
  - http://irrtoolset.isc.org/wiki/CruftCleanout
More router configuration tools
• rpsltool
  - a BGP filter generator based on Template::Toolkit
  - http://www.linux.it/~md/software/
• IRR Power Tool
  - A collection of tools for maintaining customer and peer BGP prefix-lists
  - PHP based
  - http://sourceforge.net/projects/irrpt/
• whois -h filtergen.level3.net RIPE::AS-DEMON
Exercise 2: Generate prefix list filter
Exercise: generating prefix list filter
• Task: Use a tool that creates a filter, based on the registered route objects, which allows the prefixes of your neighbor
• Time: 15 minutes
3. Advanced RIPE DB usage
Finding and changing your objects
• Querying the RIPE Database
  - Command-line client
  - Web interface
  - Free text search (Glimpse) & http://lab.db.ripe.net/portal/free-text/search.htm
• Updating = creating, modifying, deleting
  - Web, sync, email
Protection

person: John Smith
nic-hdl: JS1-RIPE
mnt-by: LIR-MNT

mntner: LIR-MNT
auth: MD5-PW $1$o93Ux

password: Clear_Text (supplied with the update)

Strong authentication
• Password (MD5-PW)
• Private key / public key
  - PGPKEY-<id> and key-cert object
  - X.509-<id> and key-cert object
Protection

person: John Smith
nic-hdl: JS1-RIPE
mnt-by: LIR-MNT

mntner: LIR-MNT
auth: MD5-PW $1$o93Ux

inetnum: 85.118.184.0/24
status: ASSIGNED PA
mnt-by: LIR-MNT

aut-num: AS2
mnt-by: LIR-MNT
Multiple protection

person: John Smith
nic-hdl: JS1-RIPE
mnt-by: ONE-MNT
mnt-by: TWO-MNT

mntner: ONE-MNT
auth: MD5-PW $1$o93UxR
auth: PGPKEY-AE6FBBF7

mntner: TWO-MNT
auth: MD5-PW $1$3SG9WP

key-cert: PGPKEY-AE6FBBF7
Hierarchical authorisation

inetnum: 85.118.184.0/21      (/21 Allocation)
status: ALLOCATED PA
mnt-routes: LIR-MNT
mnt-lower: LIR-MNT
mnt-by: RIPE-NCC-HM-MNT

route: 85.118.184.0/21        (/21 Routed prefix)
origin: AS2
mnt-by: LIR-MNT

aut-num: AS1
mnt-routes: LIR-MNT
mnt-lower: LIR-MNT
mnt-by: LIR-MNT
mnt-by: RIPE-NCC-HM-MNT
Route object creation authentication

inetnum: 85.118.184.0/23
status: ASSIGNED PI
mnt-by: ISP-MNT

route: 85.118.184.0/23
origin: AS12345
mnt-by: USER-MNT

aut-num: AS12345
mnt-by: LIR1-MNT
mnt-by: RIPE-NCC-HM-MNT

• In the worst case, 3 passwords or signatures are needed (one for each of the three objects)
Exercise 3: Creating maintainer for PI End User
Route object for a PI End User

inetnum: 85.118.184.0/25
status: ASSIGNED PI
mnt-by: LIR-MNT
mnt-by: USER-MNT

route: 85.118.184.0/25
origin: AS12345
mnt-by: USER-MNT
mnt-by: LIR-MNT

aut-num: AS12345
mnt-by: LIR-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-routes: USER-MNT
Exercise: Hierarchical DB protection
• You have an End User that uses PI space
  - They want to announce it with your (LIR's) AS number
• Task 1: Create a mntner object for the End User
• Task 2: Add the End User maintainer to the PI object
• Task 3: Create a route object for the PI End User
• Time: 30 minutes
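As an added example (not RIPE NCC code), the following Python works out which maintainers must authenticate a route object creation for the two cases above, the "worst case" with three different maintainers and the PI End User set-up of this exercise. It assumes the fallback order shown in the slides' objects (mnt-routes, else mnt-lower, else mnt-by) for both the inetnum and the aut-num, and ignores prefix qualifiers on mnt-routes.

```python
from itertools import combinations

# Constructed after the training slides: the "worst case" objects (three
# different maintainers) and the PI End User objects from Exercise 3.
WORST_CASE = {
    "inetnum": "inetnum: 85.118.184.0/23\nstatus: ASSIGNED PI\nmnt-by: ISP-MNT",
    "aut-num": "aut-num: AS12345\nmnt-by: LIR1-MNT\nmnt-by: RIPE-NCC-HM-MNT",
    "route": "route: 85.118.184.0/23\norigin: AS12345\nmnt-by: USER-MNT",
}
END_USER = {
    "inetnum": "inetnum: 85.118.184.0/25\nstatus: ASSIGNED PI\nmnt-by: LIR-MNT\nmnt-by: USER-MNT",
    "aut-num": "aut-num: AS12345\nmnt-by: LIR-MNT\nmnt-by: RIPE-NCC-HM-MNT\nmnt-routes: USER-MNT",
    "route": "route: 85.118.184.0/25\norigin: AS12345\nmnt-by: USER-MNT\nmnt-by: LIR-MNT",
}

def parse_rpsl(text):
    """Parse 'attribute: value' lines into an ordered list of pairs."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "%")):
            attr, _, value = line.partition(":")
            pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def values(obj, attr):
    return [v for a, v in obj if a == attr]

def authorising_mntners(obj):
    """Assumed hierarchical rule: mnt-routes, else mnt-lower, else mnt-by.
    A 'mnt-routes: X {prefix-list}' qualifier is ignored for simplicity."""
    for attr in ("mnt-routes", "mnt-lower", "mnt-by"):
        found = [v.split()[0] for v in values(obj, attr)]
        if found:
            return set(found)
    return set()

def required_checks(objs):
    """One set per check; any ONE maintainer in a set passes that check."""
    p = {k: parse_rpsl(v) for k, v in objs.items()}
    return [set(values(p["route"], "mnt-by")),      # the route object itself
            authorising_mntners(p["inetnum"]),      # address space holder
            authorising_mntners(p["aut-num"])]      # AS number holder

def minimal_credentials(objs):
    """Smallest set of maintainer passwords/signatures passing all checks."""
    checks = required_checks(objs)
    universe = sorted(set().union(*checks))
    for size in range(1, len(universe) + 1):
        for combo in combinations(universe, size):
            if all(check & set(combo) for check in checks):
                return set(combo)
    return set()   # only reached if some object has no maintainer at all

if __name__ == "__main__":
    for name, objs in (("worst case", WORST_CASE), ("PI End User", END_USER)):
        print(name, "->", sorted(minimal_credentials(objs)))
```

With the End User's maintainer added to the PI inetnum and as mnt-routes on the aut-num, USER-MNT alone satisfies all three checks, which is the point of Tasks 1 to 3.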
4. Routing Policy Specification Language
RPSL
• Abstract
  - Not vendor specific
• Global view, not router specific
• Well known: described in RFCs
  - RFC2622, RFC2725, RFC4012, RFC5943
  - Using RPSL in Practice (RFC2650)
• Tools available
  - for translating from RPSL into router configuration
  - for automated generation of router configuration files
Policy expressions
• aut-num
  - Lists neighbours (in import / export lines)
  - Defines filter rules for each neighbour
  - Defines modifications of route parameters per prefix
• route object
  - Represents an address range originated by an ASN
• Set objects
  - Group objects with similar policy / usage
Controlling outbound traffic
• import line determines outbound traffic
  - you decide which routes to accept (filter)
• RPSL pref is different from local pref
  - lower "pref" = more preferred
  - higher "local pref" = more preferred

import: from AS3
        action pref=20;
        accept ANY
import: from AS4
        action pref=30;
        accept ANY
Controlling inbound traffic
• export line determines inbound traffic
  - you have less control
  - you can make certain paths less attractive, e.g. with AS path prepending

aut-num: AS1
export: to AS3
        announce AS1
export: to AS4
        action aspath.prepend(AS1, AS1, AS1);
        announce AS1
Building an aut-num object - one example
(diagram: AS1 is connected to AS2 and to AS3; AS3 announces ANY, i.e. the Internet)

aut-num: AS2
import: from AS1 accept AS1
export: to AS1 announce AS2

aut-num: AS1
import: from AS2 accept AS2
export: to AS2 announce AS1
import: from AS3 accept ANY
export: to AS3 announce AS1

aut-num: AS3
import: from AS1 accept AS1
export: to AS1 announce ANY
An aut-num object - second example
(diagram: AS1 is connected to AS4 and to AS3; both announce ANY, i.e. the Internet)

aut-num: AS4
import: from AS1 accept AS1
export: to AS1 announce ANY

aut-num: AS1
import: from AS3
        action pref=80;
        accept ANY
import: from AS4
        action pref=90;
        accept ANY
export: to AS3 announce AS1
export: to AS4
        action aspath.prepend(AS1, AS1);
        announce AS1

aut-num: AS3
import: from AS1 accept AS1
export: to AS1 announce ANY
Filtering rules (AS1)
• Direct peering, without route objects (explicit prefix sets)
• Accepting prefixes that originate from a customer (AS5)
• No filtering from the upstream (AS3) - full routing table
• Symmetrical policy of your peer: AS2

aut-num: AS1
import: from AS2 accept {10.2.3.0/24}
export: to AS2 announce {172.0.0.0/24}
import: from AS5 accept AS5
import: from AS3 accept ANY

aut-num: AS2
import: from AS1 accept {172.0.0.0/24}
export: to AS1 announce {10.2.3.0/24}
RPSLng: IPv6 in the Routing Registry

aut-num: AS65550
mp-import: afi ipv6.unicast from AS64496 accept ANY
mp-export: afi ipv6.unicast to AS64496 announce AS65550

route6: 2001:db8::/32
origin: AS65550
Exercise 4: Creating multihomed policy in aut-num
Exercise: Adding policy to aut-num object
(diagram: your AS, ASnn, connected to ASx0x and ASy0y)
• Task:
  - Create an RPSL policy reflecting one scenario
  - Put this policy in your aut-num object
• Time: 30 mins

Multihoming scenarios
• Scenario A (IPv4)
  - AS101 is your upstream provider
  - AS202 is a private peer
• Scenario B (IPv6)
  - AS303 is your preferred upstream provider
  - AS404 is your backup upstream provider
• Scenario C (IPv4)
  - AS505 is your upstream provider
  - AS606 is your PI customer
• Scenario D (IPv6)
  - AS707 is your upstream provider
  - AS808 is your PI customer
Exercise 5: Generating router configuration
Automation of router config
• Describing routing policy in aut-num enables generation of route-maps for policy routing
• Tools can read your policy towards peers
  - translation from RPSL to router configuration commands
• Tools collect the data your peers have in the RR
  - if their data changes, you only have to periodically run your scripts to collect the updates
Example of dynamic automated updates

RtConfig template command:
@RtConfig import AS1 10.0.0.1 AS2 10.0.0.2

Objects read from the RR:
aut-num: AS2
import: from AS1 accept AS1

route: 10.0.0.0/23
origin: AS1

Generated configuration:
pl100: accept 10.0.0.0/23
       deny 0.0.0.0/0
routeMap: import pl100 in

After AS1 registers a new route object:
route: 10.0.20.0/20
origin: AS1
the next run adds:
accept: 10.0.20.0/20
Example RtConfig commands template file
syntax: @RtConfig export MyAS MyRouterIP PeerAS PeerRouterIP
(in cisco_map_name the first %d is replaced by the peer's ASN, the second %d is incremented)

!
! Peering with OTHERCOMPANY
@RtConfig set cisco_map_name = "AS%d-IMPORT-%d"
@RtConfig import AS100 10.0.0.1 AS909 10.0.0.9
!
@RtConfig set cisco_map_name = "AS%d-EXPORT-%d"
@RtConfig export AS100 10.0.0.1 AS909 10.0.0.9
Example Route Map (output)
no ip prefix-list pl100
ip prefix-list pl100 permit 193.99.0.0/16
ip prefix-list pl100 deny 0.0.0.0/0 le 32
!
no route-map AS909-IMPORT-1
!
route-map AS909-IMPORT-1 permit 1
 match ip address prefix-list pl100
exit
!
router bgp 100
!
 neighbor 10.0.0.9 remote-as 909
 neighbor 10.0.0.9 route-map AS909-IMPORT-1 in
!
exit
Exercise: Generating router configuration
• Tasks:
  - Create an RtConfig template file
  - Run RtConfig with this template file
• Time: 15 minutes
5. Advanced RPSL policy options
• AS-path filters
• AS-sets
• MEDs
• Route-sets
• Communities

Using AS-path filters
• To create AS-path filters, use regular expressions in the filter rules in aut-num
• Examples:
  - paths starting with AS4:
    import: from AS4 accept <^AS4>
  - prefixes originated in AS4 whose paths are composed only of AS4's:
    import: from AS4 accept <^AS4+$>
Using an AS-set to group your customers

as-set: AS4:AS-CUSTOMERS
members: AS7, AS5, AS8

aut-num: AS4
export: to AS3 announce AS4 AS4:AS-customers
export: to AS4:AS-CUSTOMERS announce ANY
import: from AS4:AS-CUSTOMERS accept PeerAS

• PeerAS means:
  - from AS5 accept AS5
  - from AS7 accept AS7
  - from AS8 accept AS8
Using others' as-sets (& with AS-path filters)

as-set: AS4:AS-CUSTOMERS
members: AS7, AS5, AS8

aut-num: AS3
import: from AS4 accept AS4
import: from AS4 accept <^AS4+ AS4:AS-CUSTOMERS*$>
export: to AS4 announce AS3

(diagram: AS3 peers with AS4; AS7, AS5 and AS8 are AS4's customers)
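Added example, not from the slides or IRRToolSet: Python that expands PeerAS over the as-set of the previous slide and evaluates the RPSL AS-path filters above (<^AS4>, <^AS4+$> and <^AS4+ AS4:AS-CUSTOMERS*$>) against received AS paths. The as-set is the flat one on the slide; nested as-sets are not handled.

```python
import re

# Constructed after the slides: one flat as-set (real as-sets may nest).
AS_SETS = {"AS4:AS-CUSTOMERS": ["AS7", "AS5", "AS8"]}

def members(term):
    """ASNs an RPSL term stands for: an as-set's members or the ASN itself."""
    return list(AS_SETS.get(term, [term]))

def expand_peeras(as_set):
    """'import: from <as-set> accept PeerAS' -> one import line per member,
    each accepting only routes originated by that peer."""
    return ["import: from %s accept %s" % (asn, asn) for asn in members(as_set)]

def aspath_regex(rpsl_filter):
    """Translate an RPSL AS-path filter such as <^AS4+ AS4:AS-CUSTOMERS*$>
    into a Python regex over a path written as ' 4 7 9' (space before each ASN).
    Supports ^, $, ASn, as-set names and the + * ? operators."""
    body = rpsl_filter.strip()[1:-1]          # strip the enclosing < >
    out = []
    for tok in re.findall(r"\^|\$|[A-Za-z0-9:_-]+[+*?]?", body):
        if tok in ("^", "$"):
            out.append(tok)
            continue
        op = tok[-1] if tok[-1] in "+*?" else ""
        term = tok[:-1] if op else tok
        # ASn -> ' n'; an as-set becomes an alternation of its members
        alts = "|".join(" " + asn[2:] for asn in members(term))
        out.append("(?:%s)%s" % (alts, op))
    return "".join(out)

def path_matches(rpsl_filter, as_path):
    """as_path is the received path, nearest neighbour first, e.g. [4, 4, 7]."""
    text = "".join(" %d" % asn for asn in as_path)
    return re.search(aspath_regex(rpsl_filter), text) is not None

if __name__ == "__main__":
    print("\n".join(expand_peeras("AS4:AS-CUSTOMERS")))
    print(path_matches("<^AS4+ AS4:AS-CUSTOMERS*$>", [4, 4, 7]))
```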
Example of MED & route-sets

export: to AS4 10.0.0.4 at 10.0.0.1
        action med=1000;
        announce AS1:rs-france
export: to AS4 10.0.0.5 at 10.0.0.2
        action med=2000;
        announce AS1:rs-spain
Communities
• Communities let you influence the traffic engineering of ISPs two hops away from you
• Example: information communities:
  - Europe - 3356:2
  - Dublin - 3356:2080
  - Customer - 3356:123
• Action communities:
  - Prepend 5400 to Google - 5400:2054
  - Set the local pref to 50 - 1299:50
  - Do not announce to KPN - 1299:2869
  - Don't announce outside local POP - 2764:2
  - Prepend 3 times to Ams-IX peers - 8918:3068
Applied communities
(diagram: AS3, AS4, AS5, AS6, AS7, AS9, Telia AS1299, BT AS5400, KPN and Ams-IX)

Actions: Communities
• To set/append a community:
import: from AS6 action community = { 1:111 };
        accept AS6
import: from AS2 action community.append(1:75);
        accept AS2
• Filtering:
import: from AS2
        accept AS2 AND community.contains(2:1)
export: to AS3
        announce AS3:AS-CUST AND community == {1:111};
Remote-triggered black-hole
• If your network is under DDoS attack
• Advertise the host or prefix with a special community value
  - (CW: 3561:666, MCI: 701:999, 3356:9999, etc)
• All the traffic for that prefix will be NULL routed

export: to AS3561
        action community = {3561:666};
        announce {10.10.10.10/32} # host prefix
6. Resource Certification
Digital Resource Certificates
• Based on open IETF standards (sidr)
• Issued by the RIRs
• The certificate states that an Internet number resource has been registered by the RIPE NCC
• The certificate does not give any indication of the identity of the holder
• All further information on the resource can be found in the registry
What Certification offers
• Proof of holdership
• Secure Inter-Domain Routing
  - Route Origin Authorisation
• Resource transfers
• Validation is the added value!
The system
• Accessible through the LIR Portal
• Administrator grants access to users
http://www.ripe.net/certification/enable.html
Proof of holdership
(certificate contents: Public Key, Resources, Signature)

Route Origin Authorisation (ROA)
(ROA contents: IP Prefixes, AS Number, Signature)
ROA creation demo
Software Validation of certificates and ROAs
• Validators access the publicly accessible repository
• Three software tools available
  1. RIPE NCC Validator
     - Easy to set up and use, limited feature set
  2. rcynic
  3. BBN Relying Party Software
     - Complex set-up, but more options and flexibility
http://ripe.net/certification/validation
Hardware Validation: RPKI-RTR protocol
(diagram: validated cache -> RPKI-RTR protocol -> router BGP decision process)

route-map validity-0
 match rpki-invalid
 drop
route-map validity-1
 match rpki-not-found
 set localpref 50
// valid defaults to 100
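Added example, not RIPE NCC or router vendor code: Python that derives the RPKI validity state of an announcement from a ROA and applies the route-map logic above (invalid dropped, not-found at local-pref 50, valid at the default 100). The ROA is constructed from the one shown on the RPKI-IRR slide (85.118.184.0/21-24 for AS33764); the covering-prefix and maxLength rules follow RFC 6483 and are implemented here for illustration only.

```python
import ipaddress

# Constructed ROA after the slide's RPKI-IRR object: 85.118.184.0/21-24, AS33764.
ROAS = [{"prefix": "85.118.184.0/21", "maxlen": 24, "asn": 33764}]

def roa_validate(prefix, origin_asn, roas=ROAS):
    """Route origin validation (RFC 6483 logic): 'not-found' if no ROA covers
    the prefix, 'valid' if a covering ROA has the same origin ASN and the
    prefix length is within maxLength, otherwise 'invalid'."""
    net = ipaddress.ip_network(prefix)
    covering = []
    for r in roas:
        roa_net = ipaddress.ip_network(r["prefix"])
        # subnet_of() only compares within one address family
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covering.append(r)
    if not covering:
        return "not-found"
    for r in covering:
        if r["asn"] == origin_asn and net.prefixlen <= r["maxlen"]:
            return "valid"
    return "invalid"     # covered, but wrong origin or too specific

def apply_validity_policy(prefix, origin_asn, roas=ROAS):
    """The slide's route-maps: invalid -> drop, not-found -> local-pref 50,
    valid keeps the default local-pref of 100. Returns (accepted, local_pref)."""
    state = roa_validate(prefix, origin_asn, roas)
    if state == "invalid":
        return (False, None)            # route-map validity-0: drop
    if state == "not-found":
        return (True, 50)               # route-map validity-1: set localpref 50
    return (True, 100)

if __name__ == "__main__":
    for p, asn in (("85.118.184.0/22", 33764), ("85.118.184.0/25", 33764),
                   ("85.118.184.0/21", 12345), ("10.0.0.0/8", 33764)):
        print(p, "AS%d" % asn, roa_validate(p, asn), apply_validity_policy(p, asn))
```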
Who Controls Routing?
• Certificates do not create additional powers for the Regional Internet Registries
• Certificates reflect the resource registration status
  - no registration → no certificate
  - the reverse is not true!
• Routing decisions are made by network operators!
The road ahead
• Web-based validator
• Up / Down protocol
  - Run your own Certificate Authority
  - Allow PI holders to manage ROAs
  - Transfers between RIRs: ERX space
• ROA import tool
  - Use a combination of IRR + BGP + Human
• More information: http://ripe.net/certification
• Mailing list: [email protected]
Serving ROAs as route[6] objects
RPKI-IRR
• whois -h whois-rpki-irr.db.ripe.net -T route 85.118.184.0/21

route: 85.118.184.0/21
descr: rsync://certrepo.ripe.net/[..]bNak.roa
origin: AS33764
remarks: 85.118.184.0/21-24
mnt-by: RPKI-MNT
source: RPKI # ripe

http://labs.ripe.net/Members/Paul_P_/content-serving-roas-rpsl-route-objects
7. Other routing-related services
Getting an AS number
• Multihoming criteria
  - checked after 3 months
• Contractual agreement
  - optional: transfer from one LIR to another
• Payment for independent resource
RIS: Looking-glass with History
• Database with information about prefixes
• With history
  - 3 months online
  - more is available
• Route Collectors at several IXPs
  - more than 600 peers
• Similar to routeviews.org
http://www.ripe.net/ris/
RIS Tools
• Visualization of routing updates seen by RIS
• RIS Alarms
  - includes the MyASN alarm type for notifications on rogue announcements of your address space
• ASInUse / PrefixInUse
  - Last appearance of an ASN / prefix in the global routing table
• Looking Glass (also for IPv6)
• whois -h riswhois.ripe.net <prefix>
• NetSense.ripe.net (beta)
"Routing Registry Consistency Check"
http://www.ripe.net/rrcc/
• Compares RR & RIS
• Gives you the lists of
  - missing prefixes in RR
  - missing prefixes in RIS
  - missing peers in RR
  - missing peers in RIS
• Allows you to correct your policy
  - or BGP routing
RIPE Global Resource Service (GRS)
• New method of mirroring other RRs
• Fully synchronised with the authoritative sources
• Translated and adjusted:
  - Adding missing mandatory attributes
  - Wrapping unrecognised attributes in "remarks"
  - Creating dummy objects for missing data to keep referential integrity
  - Converting attribute values
  - All these transformations are marked by "End Of Line" comments in the objects
• RADb, APNIC and ARIN available in the new format
  - whois -h whois.ripe.net -q sources
• Now with a new API: http://lab.db.ripe.net/portal/search.htm
Project REX
Has your new address space ever been:
- used
- announced by another AS
- put in a blacklist
- delegated for reverse DNS
Have your current resources been used by others?
We'll tell you with REX, the Resource Explainer
http://rex.ripe.net
IPv6 Ripeness - rating of ISPs (LIRs)
★ Address space
★ Routing security (route6 object in RIPE Database)
★ Reverse DNS
★ Routed on Internet (visible in RIS)
http://ipv6ripeness.ripe.net
Homework
• Create route & route6 objects for your allocations
  - if you have all 4 "ripeness" stars you get a T-shirt :)
• Subscribe to the RIPE routing-wg mailing list
• Subscribe to the [email protected] list
• Try out REX & RIS
• Practice all this at home in the "Test Database"
  - all RRTEST objects are also in there!! (source TEST)
• Download, install, use RtConfig
• Check your RR Consistency
• Create certificates & ROAs for your prefixes
The End!
(the closing slide repeats "The End" in many languages)