The problem with routing registries

Anyone who has followed me or I have done IP work for knows I am a fan of Internet Routing Registries (IRR).  However, there is a glaring issue with these registries.  I will use the example I ran into today.

A downstream client of a WISP client bought 67.158.57.0/24 off the open market about a year ago.  They finally have things in place where they are looking to announce this IP space to the world.  I helped them set up BGP to my client ISP and sent out the normal LOAs to the upstream providers.  I received this back from Hurricane Electric.

The IRR entry for this prefix does not list 14333.
https://www.radb.net/query?keywords=67.158.57.0%2F24
Please update IRR and let me know. I can add this to your prefix filter.

And a Subsequent followup message

I can add this prefix to your filter, based on the LOA. However the reason we require IRR entries for prefixes is because our peers only accept our re-announcements if there are correct IRR entries authorizing the announcement. 

Can you confirm what the source ASN will be for this announcement?
If a customer of yours is going to re-announce this to you, and that ASN is listed on:
https://www.radb.net/query?keywords=67.158.57.0%2F24
Then this will work. However if you plan to announce this sourced from your ASN 14333, this will not be picked up past our network.

This highlights one of the glaring issues with registries.  There are no checks and balances when it comes to stale data in registries. The same is true with access lists in provider routers.

What I am guessing happened is when the /20 block was carved up and sold it’s information was never removed from the routing registry.  Since this is RADb and it does not talk directly with ARIN we have some inconsistencies going on.

The following RFC illustrates many of the issues folks run into.
https://tools.ietf.org/html/rfc7682
From the summary of the document

As discussed above, many of the problems that have traditionally stifled IRR deployment have, themselves, become historical. However, there are still real operational considerations that limit IRR usage from realizing its full effectiveness.

To further complicate this Hurricane Electric is referencing data in RADb, which is a paid registry.

So what are am I going to have to do? In order to make this right, I will have to reach out to RADB and have them edit the registry to start with. Since this customer, nor the ISP, are members of RADb it will take time.

Quick home VPN using Mikrotik and an existing router

I had a situation today where we had an office worker needing to work from home.  This user had a Housefull of devices and a router managed by the Fiber to the home provider. This user had devices attached to the wifi on the provider router and such.  Normally I would want to replace this router, but it would be an undertaking.

For this setup, we used a Mikrotik MAP lite.
https://www.ispsupplies.com/MikroTik-RBmAPL-2nD

My quick solution was to have the user install the Mikrotik mAP as an ethernet device off of the provider’s router.  We then established a VPN tunnel from this device to the ISP’s network they work for.

 

We then added routes in the Mikrotik to the 3 networks they needed to access across the L2tp tunnel.  This user runs the Dude and Winbox. Once the tunnel was established we had two issues to overcome.

1. You have to add a nat rule in order for traffic behind the Mikrotik to reach the devices on the other side of the tunnel.  I simply added a nat rule that looks like this:

add action=masquerade chain=srcnat out-interface=all-ppp src-address=\
192.168.88.0/24

We could have done this in a few different ways, but remember this was a quick setup.

2. I needed the laptop they were working on the be able to route the three prefixes to the Mikrotik, thus going out the VPN.  In our setup, the laptop only has 2 default gateways.  It does not know any other routing info.

I created a bash script with the following in it. In short, you add the text below into a notepad file and save it with the extension of .bat.

route ADD 10.2.0.0 MASK 255.255.0.0 192.168.88.1
route ADD 10.3.0.0 MASK 255.255.0.0 192.168.88.1
route ADD 10.4.0.0 MASK 255.255.0.0 192.168.88.1

If you need help on creating a bash script
https://www.howtogeek.com/263177/how-to-write-a-batch-script-on-windows/

Once I had the file, which I simply saved into the Dude folder on the desktop, I created a shortcut on the desktop.  You will want to right-click on the shortcut and do the following.

It is important to note you are only able to do this on a shortcut in Windows, not the actual file itself.  No idea why. The script is important because this user brings the laptop back and forth.  I did not want to create persistent routes on the computer because the office network is different.  If you do not do persistent routes they will be after a reboot.  This way the user double clicks on the script shortcut when they login to the computer and before firing up the dude.

There are many other ways to accomplish this.  This was one of the quickest and less-impacting to the user and fewer things to support. One of the downsides to this setup is the user maintains two physical connections to two physical routers.  In this instance, the user could hardwire into the Mikrotik and maintain a wireless connection to the FIOS router.

If given more time you could have the laptop wired into the Mikoritk as your desk and have the wireless on the Mikrotik become a wireless client back to the FIOS router. This would make the setup a little more mobile.

#teleworker @packetsdownrange #j2 #vpn

Ultimate DD-WRT router guide

An interesting post about DD-WRT crossed my inbox awhile back.  Like most interesting things I saved it to look at later.

Custom firmware, such as DD-WRT makes the process easier, and provides you with a lot of additional options as well; thereby turning a standard $100 router into a super router that is suitable for any home or office.

With this DD-WRT router guide you’ll be increasing your wireless range, data transfer rates, creating NAS solutions, setting up a VPN Service, and so much more in no time at all. Some of these, you can even implement without having DD-WRT.

Don’t have the time to read all of this today? I’d recommend at least reading the introduction so you can find out what this “DD-WRT” business is all about.

https://proprivacy.com/vpn/guides/dd-wrt

VXLAN and why you should care as a service provider

As some of you may have heard Mikrotik has added in some VXLAN support in the latest RouterOS7 beta.  What is VXLAN and how would service providers use it? Let’s start out with some broad information about VXLAN

Where does TRILL and VXLAN fit in to your network strategy?

The always interesting RFC read
https://tools.ietf.org/html/rfc7348

This document describes Virtual eXtensible Local Area Network
   (VXLAN), which is used to address the need for overlay networks
   within virtualized data centers accommodating multiple tenants.  The
   scheme and the related protocols can be used in networks for cloud
   service providers and enterprise data centers

Boil it down for me. What is vxlan?
In short, VXLAN allows you to create a layer2 network on top of a layer3 network. It allows you to bind separate layer2 domains and make them look like one. If you are thinking this looks like a GRE tunnel, you are correct except the layer2 domains are still separate with tunnels. VXLAN is mainly touted as a way to interconnect data centers. If you are having to use spanning-tree then VLXLAN is an answer.

Okay, but why not use tunnels or MPLS?
VXLAN allows you to accomplish what GRE does without having to change the network design. By using VXLAN you are also able to have standalone layer2 domains that talk to each other. With the tunnel approach, you have to do a lot of manual configuration.

Is this just a data center thing?
VXLAN was designed to solve many of the edge computing and hyper-scale computing issues. Imagine having compute nodes in different parts of a data center or even in different data centers.  You want all of those nodes on the same VLAN.  With GRE you could extend that VLAN, but with VXLAN you can have two standalone layer2 VLANs that are merged together. VXLAN also solves the 4096 VLAN issue.  This is important in hyper-scale cloud computing.

VXLAN benefits in a nutshell

  • increases layer2 segments to 16 million
  • Centralize control
  • Standards-based
  • Scalable

VXLAN downsides in a nutshell

  • Multicast must be available
  • more overhead to layer2 packet
  • no built-in encryption
  • Slow adoption of ipv6 support by open source

What about the service provider? How can I use this?
In a service-provider network, you have things like broadcast issues. Basically, bridging is bad. Your layer2 networks need to be contained. Imagine you are a service provider who is providing LTE services. You may have an LTE VLAN on your network.  Historically you would have to extend your VLAN across the network in order to do management and access your LTE core. Now you have this large broadcast domain across your entire network.  Or worse yet, you have tunnels to other cities or locations you don’t have physically connected to your network.  Now you have tunnels a part of your LTE VLAN.  MTU issues and other things are now a part of your life.

With VXLAN each LTE node can have its own layer2 VLAN but still talk to the others. This prevents the broadcast storms which can occur.

Another use for VXLAN is a way to allow managed service providers to deploy large scale networks over the 4000 limits of VLANs.  You could literally deploy thousands of layer2 segments to tenants

Why I should or should not care about VXLAN as a service provider?
If you just have a couple of layer2 networks to extend across your network VXLAN is not for you. However, VXLAN does allow for multipath routing and other protocols to be extended to remote networks.

VXLAN adds 50+ bytes of overhead to the layer2 frame. In many service provider networks, this is not an issue due to MTU being raised for MPLS, etc.   IP multicast must be extended across the entire network. Mac addresses are used in creating a distribution network across all of the routed layer2 domains.

Large service providers have started looking at segment routing to solve many of the issues I talk about. This causing them to gravitate toward EVPN. EVPN allows for BGP for the control plane and MPLS for the data plane. More on this coming soon.

In closing, VXLAN is an ultra-cool technology and has use cases for service providers.  Other methods also exist to solve these issues in the service provider world. For those of you looking to learn all you can, I will be posting a list of links for my Patreon folks.

Routing Registries

I had routing registries on the brain so I wanted to knock some of the rust of recording and did 10 minutes on routing registries and what they are.

if you want to look at some of my older posts on routing registries

Routing Registries and you

Transit, peer, upstream. What do they all mean?

 

Routing Registries and you

This was originally published at https://www.mtin.net/blog/internet-routing-registries/ 

It has been updated form grammar, but I am working on an updated version of this,

Routing Registries are a mysterious underpinning of the peering and BGP world. To many, they are arcane and complicated. If you have found this article you are at least investigating the use of a registry. Either that or you have run out of fluffy kittens to watch on YouTube. Either way, one of the first questions is “Why use a routing registry”.

As many of us know BGP is a very fragile ecosystem. Many providers edit access lists in order to only announce prefixes they have manually verified someone has the authority to advertise. This is a manual process for many opportunities for error. Any time a config file is edited errors can occur. Either typos, misconfiguration, or software bugs.

Routing registries attempt to solve two major issues. The first is automating the process of knowing who has the authority to advertise what. The second is allowing a central repository of this data.

So what is a routing Registry?
From Wikipedia: An Internet Routing Registry (IRR) is a database of Internet route objects for determining, and sharing route and related information used for configuring routers, with a view to avoiding problematic issues between Internet service providers.

The Internet routing registry works by providing an interlinked hierarchy of objects designed to facilitate the organization of IP routing between organizations, and also to provide data in an appropriate format for automatic programming of routers. Network engineers from participating organizations are authorized to modify the Routing Policy Specification Language (RPSL) objects, in the registry, for their own networks. Then, any network engineer, or member of the public, is able to query the route registry for particular information of interest.

What are the downsides of a RR?
Not everyone uses routing registries. So if you only allowed routes from RR’s you would get a very incomplete view of the Internet and not be able to reach a good amount of it.

Okay, so if everyone doesn’t use it why should i go to the trouble?
If you are at a formal Internet Exchange (IX) you are most likely required to use one. Some large upstream providers highly encourage you to use one to automate their process.

What are these objects and attributes?
In order to participate you have to define objects. The first one you create is the maintainer object. This is what the rest of the objects are referenced to and based on. Think of this as setting up your details in the registry.

From this point you setup “object types”. Object types include:
as-set
aut-num
inet6num
inetnum
inet-rtr
key-cert
mntner
route
route6
route-set
If you want to learn more about each of these as well as templates visit this ARIN site.

So what do I need to do to get started?
The first thing you need to do is set up your mntner object in the registry. I will use ARIN as our example. You can read all about it here:https://www.arin.net/resources/routing/.

You will need a couple of things before setting this up
1.Your ARIN ORGID
2.Your ADMIN POC for that ORGID
3.Your TECH POC for that ORGID

Once you have these you can fill out a basic template and submit to ARIN.

mntner: MNT-YOURORGID
descr: Example, Inc.
admin-c: EXAMPLE123-ARIN
tech-c: EXAMPLE456-ARIN
upd-to: hostmaster@example.net
mnt-nfy: hostmaster@example.net
auth: MD5-PW $1$ucVwrzQH$zyamFnmJ3XsWEnrKn2eQS/
mnt-by: MNT-YOURORGID
referral-by: MNT-YOURORGID
changed: hostmaster@example.net 20150202
source: ARIN

The templates is very specific on what to fill out. The mnt-by and referral-by are key to following instructions. MD5 is another sticking point. The process is documented just in a couple of places. In order to generate your MD5-PW follow these instructions.

1. Go to https://apps.db.ripe.net/crypt/ Enter in a password. Make sure you keep this cleartext password as you will need it when sending future requests to ARIN’s Routing Registry.
2. Submit the password to get the md5 crypt password. Keep this password for your records, as you may need it when interacting with ARIN’s IRR in the future.
3. Add the following line to your mntner object template in the text editor.
auth: MD5-PW
Our example above has a MD5 password already generated.
Once this is done and created you can add objects. The most commonly added objects are your ASN and IP space.

Create your ASN object using the as-num template

aut-num: AS65534
as-name: EXAMPLE-AS
descr: Example, Inc.
descr: 114 Pine Circle
descr: ANYWHERE, IN 12345
descr: US
import: from AS65535 accept ANY
import: from AS65533 accept AS65534
export: to AS65533 announce ANY
export: to AS65535 announce AS2 AS65533
admin-c: EXAMPLE456-ARIN
tech-c: EXAMPLE123-ARIN
mnt-by: MNT-YOURORGID
changed: user@example.com 20150202
source: ARIN
password:

The things to know about the above template are the import and export attributes.

Now on to adding IP space
Suppose you have IP space of 192.0.2.0/24 Your template would look like:

inetnum: 192.0.2.0 – 192.0.2.255
netname: EXAMPLE-NET
descr: Example, Inc.
descr: 115 Oak Circle
descr: ANYWHERE, IN 12345
country: US
admin-c: EXAMPLE123-ARIN
tech-c: EXAMPLE456-ARIN
notify: user@example.com
mnt-by: MNT-YOURORGID
changed: user@example.com 20150202
source: ARIN
password:

The password attribute is the cleartext password for your MD5 key.

Further Reading:
Using RPSL in practice

NANOG IRR