Internet Routing Registry Resources by j2sw

What is a routing registry?
From Wikipedia https://en.wikipedia.org/wiki/Internet_Routing_Registry
The Internet routing registry works by providing an interlinked hierarchy of objects designed to facilitate the organization of IP routing between organizations, and also to provide data in an appropriate format for automatic programming of routers. Network engineers from participating organizations are authorized to modify the Routing Policy Specification Language (RPSL) objects, in the registry, for their own networks. Then, any network engineer, or member of the public, is able to query the route registry for particular information of interest.

RFC2622 Routing Policy Specification Language (RPSL)

RFC2650 Using RPSL in Practice

RFC7682 Considerations for Internet Routing Registries (IRRs) and routing Policy Configuration

General IRR Information

http://www.irr.net/
Includes links to various registries, FAQs, and other info

https://www.gin.ntt.net/support-center/policies-procedures/routing-registry/ntt-route-registry-frequently-asked-questions/
NTT route registry FAQ

https://www.seattleix.net/irr-tutorial
Seattle Internet Exchange IRR Tutorial

https://archive.nanog.org/meetings/nanog51/presentations/Sunday/NANOG51.Talk34.NANOG51%20IRR%20Tutorial.pdf
NANOG Routing registry tutorial

General How-Tos

https://fcix.net/whitepaper/2018/07/14/intro-to-irr-rpsl.html
A Quickstart Guide to Documenting Your Prefixes with IRR. This mainly uses the older ARIN e-mail templates.


ARIN Specific

https://www.arin.net/resources/manage/irr/userguide/
ARIN’s user guide for working with their IRR

https://www.arin.net/resources/manage/irr/irr-online-implementation
Notes on working with ARIN’s web-based


Other Regional Registries

African Network Coordination Centre (AFRINIC)
https://afrinic.net/internet-routing-registry

Asian-Pacific Network Coordination Centre (APNIC)
https://www.apnic.net/manage-ip/apnic-services/routing-registry/

American Registry for Internet Numbers (ARIN)
https://www.apnic.net/manage-ip/apnic-services/routing-registry/

Latin American and Caribbean Internet Addresses Registry (LACNIC)
https://www.lacnic.net/innovaportal/file/3512/1/internet-routing-registries.pdf

Réseaux IP Européens Network Coordination Centre (RIPE NCC)
https://www.ripe.net/manage-ips-and-asns/db/support/managing-route-objects-in-the-irr

Tools

https://github.com/6connect/irrpt
A collection of tools which allow ISPs to easily track, manage, and utilize IPv4 and IPv6 BGP routing information stored in Internet Routing Registry (IRR) databases. Some of these tools include automated IRR data retrieval, update tracking via CVS, e-mail notifications, e-mail based notification for ISPs who still do human processing of routing information, and hooks for automatically deploying prefix-lists on routers.

https://www.radb.net/query
The RADB whois server provides information collected from all the registries that form part of the Internet Routing Registry. 

https://github.com/irrdnet/irrd
Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format.

ARIN resources and the Service Provider

Internet Service Providers (ISPs) can be intimidated by all of the facets of working with the American Registry for Internet Numbers (ARIN). I have put together a guide that outlines common things you, as a service provider, need to do.

This guide is not an end-all how-to. Throughout, I am posting videos and links taken from the ARIN site to help. This article is more of an outline of what a service provider needs to do.

The majority of the steps below will be done through ARIN’s online ticketing system.

This is broken down into the following Sections
1. Create a Point of Contact (POC) record
2. Creating an Organization (ORG-ID)
3. Requesting an Autonomous System Number (ASN)
4. Requesting IPv6 space
5. Requesting IPV4 space
6. Source Validation
7. Reverse DNS
8. Routing Registry
9. RPKI
10. Notes and tips

Creating a Point of Contact (POC)
Point of Contact (POC) records are the foundation of your ARIN account. This record is the way you manage your resources. There are different types of POC accounts. https://www.arin.net/resources/guide/account/records/poc/ will tell you everything you need to know about POC records. Creating this record takes mere minutes.

Creating an Organization
Once you have a POC record created, you will create an Organization and associate your POC with that ORG-ID. ARIN will attach your resources to your ORG-ID. You will need your federal EIN and your registered business address for this stage. This stage takes a few days because ARIN needs to verify you are who you say you are.

Requesting an ASN
An Autonomous System Number (ASN) will be the first resource an ISP will request. The ASN allows you to participate in BGP by advertising your IP blocks to peers. The ASN request will require you to state your routing policy, usually BGP, and at least two peers with which you will be establishing BGP. If you don’t have two peers, state your plans in this section.

Once you have met the criteria, you will be asked to fill out an officer attest paper. This statement is a paper stating the information you have submitted is correct and truthful. Once you fill out this form and submit it, you will receive an invoice. Once this invoice is paid, you will receive your ASN. This stage can take several days, depending on how much back and forth goes on, asking to clarify information.

Request IPv6 space
I put this as the next stage for a few reasons. The first is you should be moving toward IPv6. At the very least, dual-stack your network. Second, requesting IPV6 space will get you familiar with how ARIN looks at requests.

You are required to state how your network is laid out, what type of network, and how you plan to deploy addresses. Be prepared to give a diagram of your system. You may have to go back and forth a few times, depending on how much detail you provided on your first request.

Just like your ASN, you will be required to sign another officer attest, pay the bill, and then the IP space will be allocated.

Requesting IPV4 space
Requesting IPV4 space is pretty close to requesting V6 space, but ARIN is more strict on their criteria these days due to the shortage of space. If you are looking to transition, you can get a /24 of v4 for your v6 transition.

If you choose to request IPV4 space you will be put on a waiting list with others who have also requested space. Details on the waiting list can be found at https://www.arin.net/resources/guide/ipv4/waiting_list/ . ARIN is currently doing quarterly distributions to folks on the waitlist*. I put an asterisk on the previous statement because there are several variables listed at the waitlist site linked above. Some include:

  • Only organizations holding an aggregate of a /20 or less of IPv4 address space may apply and be approved.
  • The maximum-size aggregate that an organization may qualify for at any one time is a /22.

The site says they do quarterly distributions. I believe this gives ARIN time to reclaim IP space and do a cleanup on it. Depending on when you submit you may have to wait several months or longer for an allocation.

As with V6 space and ASN, you have to do another officer attest, pay your invoice, and then it is allocated.

Origin AS
Origin AS validation is a check and balance. From ARIN’s https://www.arin.net/resources/registry/originas/
The Origin Autonomous System (AS) field is an optional field collected by ARIN during all IPv4 and IPv6 block transactions (allocation and assignment requests, reallocation and reassignment actions, transfer and experimental requests). This additional field is used by IP address block holders (including legacy address holders) to record a list of the Autonomous System Numbers (ASNs), separated by commas or whitespace, from which the addresses in the address block(s) may originate.

This is simply a field you fill in on your ARIN account. When you get IP space from ARIN this is *usually* automatic.

Reverse DNS
You will need to point your IP blocks to your own or hosted DNS servers for the reverse entries. Many different entities pay attention to reverse DNS entries. If you have clients who run mail servers or similar services, you will need a reverse DNS entry. More information at https://www.arin.net/resources/manage/reverse/

Routing Registry
More and more companies, such as Hurricane Electric, are requiring routing registry entries. I did a pretty in-depth article on routing registries. https://blog.j2sw.com/networking/routing-registries-and-you/
ARIN now has a web-based system for setting up route objects. This web method takes some of the learning curve out of adding things into the ARIN registry. Many exchanges, including FD-IX, are moving toward routing registry support.

RPKI
RPKI is another validation method for verifying you are the proper owner of resources, especially IP blocks. https://www.arin.net/resources/manage/rpki/ . Hosted RPKI is the easiest way to get started with RPKI.

I did an article related to RPKI at https://blog.j2sw.com/networking/bgp/hurricane-electric-now-requires-irr-and-rpki/

Notes
Working with ARIN is pretty straightforward, but sometimes confusing for the newbie. I offer a package for $799 (plus ARIN fees) where I do all the above for you. I have done this so much over the years we have templates and other shortcuts for the various things done.

If you choose to do this on your own, here are some tips.
1. Don’t be afraid to provide more detail than asked.
2. The ARIN helpdesk is actually helpful. If you get stuck call or e-mail them. They have probably answered your question before and are willing to help.
3. Be prepared to provide information about your network, especially with IPv4 requests. ARIN wants to know if you are/will be using resources efficiently.

If you get IPv4 space I would recommend adding the new IP block to your advertisements. Allow it to be learned by the various reverse Geolocation folks. After a week check your blocks using the links on this page: http://thebrotherswisp.com/index.php/geo-and-vpn/. This applies to space allocated from ARIN or purchased from a broker.

If you are looking to purchase blocks from a broker, you need to get pre-approval from ARIN. Learn more at https://www.arin.net/resources/registry/transfers/preapproval/

Routing Registries

I had routing registries on the brain, so I wanted to knock some of the rust off recording and did 10 minutes on routing registries and what they are.

If you want to look at some of my older posts on routing registries:

Routing Registries and you

Transit, peer, upstream. What do they all mean?

 

Routing Registries and you

This was originally published at https://www.mtin.net/blog/internet-routing-registries/ 

It has been updated for grammar, but I am working on an updated version of this.

Routing Registries are a mysterious underpinning of the peering and BGP world. To many, they are arcane and complicated. If you have found this article you are at least investigating the use of a registry. Either that or you have run out of fluffy kittens to watch on YouTube. Either way, one of the first questions is “Why use a routing registry”.

As many of us know, BGP is a very fragile ecosystem. Many providers edit access lists in order to only announce prefixes they have manually verified someone has the authority to advertise. This is a manual process with many opportunities for error. Any time a config file is edited, errors can occur: typos, misconfiguration, or software bugs.

Routing registries attempt to solve two major issues. The first is automating the process of knowing who has the authority to advertise what. The second is allowing a central repository of this data.

So what is a routing Registry?
From Wikipedia: An Internet Routing Registry (IRR) is a database of Internet route objects for determining, and sharing route and related information used for configuring routers, with a view to avoiding problematic issues between Internet service providers.

The Internet routing registry works by providing an interlinked hierarchy of objects designed to facilitate the organization of IP routing between organizations, and also to provide data in an appropriate format for automatic programming of routers. Network engineers from participating organizations are authorized to modify the Routing Policy Specification Language (RPSL) objects, in the registry, for their own networks. Then, any network engineer, or member of the public, is able to query the route registry for particular information of interest.

What are the downsides of a RR?
Not everyone uses routing registries. So if you only allowed routes from RR’s you would get a very incomplete view of the Internet and not be able to reach a good amount of it.

Okay, so if everyone doesn’t use it why should I go to the trouble?
If you are at a formal Internet Exchange (IX) you are most likely required to use one. Some large upstream providers highly encourage you to use one to automate their process.

What are these objects and attributes?
In order to participate you have to define objects. The first one you create is the maintainer object. This is what the rest of the objects are referenced to and based on. Think of this as setting up your details in the registry.

From this point you set up “object types”. Object types include:
as-set
aut-num
inet6num
inetnum
inet-rtr
key-cert
mntner
route
route6
route-set
If you want to learn more about each of these as well as templates visit this ARIN site.

So what do I need to do to get started?
The first thing you need to do is set up your mntner object in the registry. I will use ARIN as our example. You can read all about it here: https://www.arin.net/resources/routing/.

You will need a couple of things before setting this up
1. Your ARIN ORGID
2. Your ADMIN POC for that ORGID
3. Your TECH POC for that ORGID

Once you have these you can fill out a basic template and submit to ARIN.

mntner: MNT-YOURORGID
descr: Example, Inc.
admin-c: EXAMPLE123-ARIN
tech-c: EXAMPLE456-ARIN
upd-to: hostmaster@example.net
mnt-nfy: hostmaster@example.net
auth: MD5-PW $1$ucVwrzQH$zyamFnmJ3XsWEnrKn2eQS/
mnt-by: MNT-YOURORGID
referral-by: MNT-YOURORGID
changed: hostmaster@example.net 20150202
source: ARIN

The template is very specific about what to fill out. The mnt-by and referral-by attributes are key to following the instructions. MD5 is another sticking point. The process is documented in just a couple of places. To generate your MD5-PW, follow these instructions.

1. Go to https://apps.db.ripe.net/crypt/ and enter a password. Make sure you keep this cleartext password as you will need it when sending future requests to ARIN’s Routing Registry.
2. Submit the password to get the md5 crypt password. Keep this password for your records, as you may need it when interacting with ARIN’s IRR in the future.
3. Add the following line to your mntner object template in the text editor.
auth: MD5-PW
Our example above has an MD5 password already generated.
Once this is done and created you can add objects. The most commonly added objects are your ASN and IP space.

Create your ASN object using the aut-num template

aut-num: AS65534
as-name: EXAMPLE-AS
descr: Example, Inc.
descr: 114 Pine Circle
descr: ANYWHERE, IN 12345
descr: US
import: from AS65535 accept ANY
import: from AS65533 accept AS65534
export: to AS65533 announce ANY
export: to AS65535 announce AS2 AS65533
admin-c: EXAMPLE456-ARIN
tech-c: EXAMPLE123-ARIN
mnt-by: MNT-YOURORGID
changed: user@example.com 20150202
source: ARIN
password:

The things to know about the above template are the import and export attributes.

Now on to adding IP space
Suppose you have IP space of 192.0.2.0/24. Your template would look like:

inetnum: 192.0.2.0 - 192.0.2.255
netname: EXAMPLE-NET
descr: Example, Inc.
descr: 115 Oak Circle
descr: ANYWHERE, IN 12345
country: US
admin-c: EXAMPLE123-ARIN
tech-c: EXAMPLE456-ARIN
notify: user@example.com
mnt-by: MNT-YOURORGID
changed: user@example.com 20150202
source: ARIN
password:

The password attribute is the cleartext password for your MD5 key.
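
The check below is an added example, not code from the original post or from ARIN. It lints filled-in templates like the ones above before they are submitted or stored: a typographic dash pasted into the inetnum range, an auth line left as the bare "MD5-PW" from step 3, an mnt-by that names no maintainer in the submission, and a cleartext password left in the file. The required-attribute lists are an assumption read off this page's templates, and the sample input is constructed.

```python
import ipaddress
import re

# Required attributes per class. Assumption: read off the templates on this
# page, not taken from a registry's authoritative schema.
COMMON = {"descr", "admin-c", "tech-c", "mnt-by", "changed", "source"}
REQUIRED = {
    "mntner": COMMON | {"upd-to", "auth"},
    "aut-num": COMMON | {"as-name"},
    "inetnum": COMMON | {"netname", "country"},
}
MD5_AUTH = re.compile(r"^MD5-PW\s+\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")

# Constructed sample: the page's templates with mistakes planted in the inetnum.
SAMPLE = """\
mntner: MNT-YOURORGID
descr: Example, Inc.
admin-c: EXAMPLE123-ARIN
tech-c: EXAMPLE456-ARIN
upd-to: hostmaster@example.net
auth: MD5-PW $1$ucVwrzQH$zyamFnmJ3XsWEnrKn2eQS/
mnt-by: MNT-YOURORGID
changed: hostmaster@example.net 20150202
source: ARIN

inetnum: 192.0.2.0 \u2013 192.0.2.255
netname: EXAMPLE-NET
descr: Example, Inc.
admin-c: EXAMPLE123-ARIN
tech-c: EXAMPLE456-ARIN
mnt-by: MNT-YOURORG
changed: user@example.com 20150202
source: ARIN
password: example-cleartext
"""

def parse_objects(text):
    """Split a submission into objects: lists of (attribute, value) pairs."""
    objects, current = [], []
    for line in text.splitlines():
        if line.strip():
            attr, _, value = line.partition(":")
            current.append((attr.strip().lower(), value.strip()))
        elif current:
            objects.append(current)
            current = []
    if current:
        objects.append(current)
    return objects

def inetnum_to_cidrs(value):
    """Turn 'first - last' into CIDR blocks; raise ValueError if malformed."""
    first, sep, last = value.partition("-")
    if not sep:
        raise ValueError("range needs an ASCII hyphen between the addresses")
    start = ipaddress.IPv4Address(first.strip())
    end = ipaddress.IPv4Address(last.strip())
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]

def lint(obj, maintainers):
    """Return the list of problems found in one parsed object."""
    cls = obj[0][0]
    present = {attr for attr, _ in obj}
    problems = [f"missing {m}" for m in sorted(REQUIRED.get(cls, set()) - present)]
    for attr, value in obj:
        if not value.isascii():
            problems.append(f"{attr}: non-ASCII character in value")
        if attr == "mnt-by" and value not in maintainers:
            problems.append(f"mnt-by: unknown maintainer {value}")
        if attr == "auth" and value.startswith("MD5-PW") and not MD5_AUTH.match(value):
            problems.append("auth: MD5-PW is not followed by a $1$salt$hash string")
        if attr == "password" and value:
            problems.append("password: cleartext password stored in the file")
        if attr == "inetnum":
            try:
                inetnum_to_cidrs(value)
            except ValueError as exc:
                problems.append(f"inetnum: {exc}")
    return problems

def check_submission(text):
    """Lint every object; maintainers are the mntner objects in the same text."""
    objects = parse_objects(text)
    maintainers = {obj[0][1] for obj in objects if obj[0][0] == "mntner"}
    return {f"{obj[0][0]} {obj[0][1]}": lint(obj, maintainers) for obj in objects}
```

Calling check_submission(SAMPLE) returns an empty problem list for the mntner object and five findings for the inetnum object.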

Further Reading:
Using RPSL in practice

NANOG IRR

Hulu and Geolocation issues solved

Recently I received some IP space from ARIN and every geolocation provider I tried came back with proper information.  However, when we went live with these IPs Hulu and others had issues with them.

When you have these issues the first place to go to is:
http://thebrotherswisp.com/index.php/geo-and-vpn/

This link will answer many of the geolocation issues you may be experiencing.  By e-mailing ipadmin@hulu, as we suggest in the above link, I received the following back.

The IP location provider Hulu uses is Digital Envoy. Can you reach out to them and provide them with the correct geological information for that IP block. You can submit a request using the link below. https://www.digitalelement.com/contact-us/

Digital Element does not happen to have an easy contact form or information on their website.  I posted a message on the NANOG mailing list asking for help. I received a direct contact at Digital Element, which was from a digitalenvoy.net e-mail.  I am awaiting a response back about how to handle these issues in the future.  The Digital Element website does not give much information on how to contact them for GeoIP issues.

If you want to read ARIN’s response to GeoIP issues:
https://teamarin.net/2018/06/11/ip-geolocation-the-good-the-bad-the-frustrating/

Need an ASN, IP space? I have a package for you.

Are you intimidated by getting an ASN to participate in BGP? Do you not have the time to learn all the ins and out of dealing with ARIN to get IP space or routing registries? Let me help you.

The ARIN starter package
-Organization ID and POC IDs setup
-Paperwork to get your own ASN
-Paperwork for your own IPV6 allocation
-Paperwork for an IPV4 /24
-ASN validation
-Documentation and maintenance documents
Cost $899 plus ARIN fees

Add Ons
-RPKI Setup $199
-Routing Registry setup $199

Add-ons are priced to add-on to the starter package.  Please let me know if you need just the add-ons for a proper quote.

ARIN suspends Cogent’s access to ARIN whois

From the ARIN mailing list

ARIN has repeatedly informed Cogent that their use of the ARIN Whois for solicitation is contrary to the terms of use and that they must stop.  Despite ARIN’s multiple written demands to Cogent to cease these prohibited activities, ARIN has continued to receive complaints from registrants that Cogent continues to engage in these prohibited solicitation activities.  
For this reason, ARIN has suspended Cogent Communications’ use of ARIN’s Whois database effective today and continuing for a period of six months.  For additional details please refer to https://www.arin.net/vault/about_us/corp_docs/20200106_whois_tos_violation.pdf    ARIN will restore Cogent’s access to the Whois database at an earlier time if Cogent meets certain conditions, including instructing its sales personnel not to engage in the prohibited solicitation activities. 
Given the otherwise general availability of ARIN Whois, it is quite possible that Cogent personnel may evade the suspension via various means and continue their solicitation.  If that does occur, please inform us (via compliance@arin.net), as ARIN is prepared to extend the suspension and/or bring appropriate legal action.

IPV6 Planning and Implementation resources for the xISP

This post is designed to give you a lot of information on implementing IPV6 into your network.  Much of this is aimed at the service provider market, but there are resources for the enterprise market.

One of the mindsets of this article is that you are treating your customers in one of two ways.  The first is a typical ISP end user.  This can be John Smith on your wireless network or the small branch office down the street. These can vary in size and I will talk about how you can deal with these.  The second type is the Enterprise or BGP peer.  These are folks who should have their own IPV6 allocations and ASN.

Anyone who has followed me for a while knows I talk a lot of network philosophy. This article has bits of philosophy mixed in.  Some of it is my own while others are the debates on certain aspects of IPV6 implementation. This is not a comprehensive guide to IPV6.  Rather, this is designed to fill in some blanks.

Implementing IPV6
Packet Pushers has an excellent IPV6 planning podcast
https://packetpushers.net/podcast/ipv6-buzz-011-an-ipv6-address-planning-guide/

Kevin Myers over at Stubarea51 has a great article on implementing IPV6 in a service provider market using Mikrotik
https://www.stubarea51.net/2018/09/14/wisp-design-an-overview-of-adding-ipv6-to-your-wisp/

Typical service providers are assigned a /36 or a /32 from their Regional Internet Registry (RIR).  Don’t think in terms of IP addresses, but think in terms of subnets.  I will emphasize this throughout the article.  Also, another rule of thumb is that when you are subnetting, everything has to be done in multiples of 4 when it comes to the subnet mask. As with anything, there are exceptions but they might not be best practices.

IPV6 and Point-to-Point links
There is much debate on whether you should use a /64, a /124, a /126, or a /127 for point-to-point links.  These would be the equivalent of /30’s in the IPV4 world.  One of my favorite articles on this topic is https://tools.ietf.org/id/draft-palet-v6ops-p2p-links-00.html

I typically use a /124 or /126, which seems to be what most of the larger upstream providers and content networks are using for point-to-point links. If you are using a /64 you have to contend with neighbor exhaustion attacks as well as ping pong attacks.  One of the hybrid approaches is to use a /124, /126, or a /127 pulled from a single /64. I have yet to have a major upstream or content network hand me a /127.

Point-to-point links are one of the most highly talked about IPV6 methodologies.  There are many right answers in this debate, as you can tell by the IETF article above. My advice is to pick one and go with it.  The majority of the BGP peers I work with use either a /124 or a /126.  I pull these out of a single /64.  Some ISPs will allocate a /56 or /60, which we will talk about next, and use the first /64 and pull their point-to-point from that.

IPV6 and customer allocations
For years the standard allocation to a customer was a /56.  In recent years this has been shrunk to a /60 with most of the major providers, such as Comcast.  When we break down allocations in a service provider network, we have the standard accepted school of thought.

  • Individual pops are assigned a /48 prefix.
  • Enterprise customers are assigned a /56 prefix. That gives them 256 /64 subnets.
  • Small customers are assigned a /60 prefix, allowing 16 /64 subnets.

One of the critical errors I see network engineers and architects make in IPV6 thinking is concentrating too much on IP addresses and not on the subnets.  Just like in IPV4 subnetting it is all about the math.  Assigning a customer a /64 directly is bad practice. The biggest reason is it does not allow the customer the ability to subnet the block into smaller chunks.

Some engineers think a customer will never use 18,446,744,073,709,551,616 addresses and they would be correct. That is 18 quintillion IP addresses.  99.99 percent of us have never dealt with numbers that high.  Many of us have only heard about numbers that high in science fiction such as Star Trek.  However, a /64 is the smallest subnet assigned without breaking core functionality of IPV6. Remember earlier when we talked about point-to-point links? When we subnet out the /64 we are taking some of that functionality away. Using a subnet prefix length other than a /64 will break many features of IPv6, amongst other things Neighbor Discovery (ND), Secure Neighborship Discovery (SEND) [RFC3971], privacy extensions [RFC4941], parts of Mobile IPv6 [RFC4866], PIM-SM with Embedded-RP [RFC3956], and SHIM6 [RFC5533].  Many new IPV6 developments also are relying on /64s being in place.

Back to our point-to-point addressing, we do not need neighbor discovery because we are only talking to one host.  We don’t need privacy because we know the one host we are talking with, and so on.

But 18 quintillion IP addresses is still too much.  Yes, but all the features relying on at least a /64 are worth the tradeoff.  The key is to think in terms of subnets, not IP addresses.

So why not assign the customer a /62 to save on space..err..I mean subnets? Remember, when subnetting the math has to be in multiples of 4. So you can assign a /48, a /52, a /56, or a /60 to the customer and be safe. We talked about why assigning a /64 is bad practice even though it fits the multiple of 4.
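
The plan below is an added example, not code from the original post. It carries the rules from the point-to-point and customer-allocation sections through with Python's ipaddress module: one POP /48, customer prefixes only on multiples of 4 and no longer than /60, and /126 links pulled from the first /64 of an infrastructure /56. The documentation prefix 2001:db8::/32, the customer names and the allocation order are constructed.

```python
import ipaddress
from itertools import islice


class PopPlan:
    """Hands out prefixes from one POP block, lowest address first."""

    def __init__(self, pop_prefix):
        self.pop = ipaddress.IPv6Network(pop_prefix)
        self.cursor = int(self.pop.network_address)
        self.assigned = {}

    def allocate(self, name, prefixlen):
        # Rule from the text: prefix lengths in multiples of 4, and never a
        # bare /64 to a customer, so /60 is the longest prefix handed out.
        if prefixlen % 4 != 0 or prefixlen > 60:
            raise ValueError(f"/{prefixlen} is not a multiple-of-4 prefix of /60 or shorter")
        size = 1 << (128 - prefixlen)
        start = -(-self.cursor // size) * size  # round up to the block boundary
        net = ipaddress.IPv6Network((start, prefixlen))
        if not net.subnet_of(self.pop):
            raise ValueError(f"no room left in {self.pop} for a /{prefixlen}")
        self.cursor = start + size
        self.assigned[name] = net
        return net


def subnets_64(net):
    """Number of /64 subnets inside a prefix."""
    return 2 ** (64 - net.prefixlen)


def p2p_links(parent64, count, prefixlen=126):
    """Pull `count` point-to-point links out of a single /64."""
    parent = ipaddress.IPv6Network(parent64)
    if parent.prefixlen != 64 or prefixlen not in (124, 126, 127):
        raise ValueError("links are /124, /126 or /127 cut from one /64")
    first = 0 if prefixlen == 127 else 1  # a /127 uses both of its addresses
    return [(str(net), str(net[first]), str(net[first + 1]))
            for net in islice(parent.subnets(new_prefix=prefixlen), count)]


def example_plan():
    """Constructed plan inside the documentation prefix 2001:db8::/32."""
    pop = PopPlan("2001:db8::/48")               # one POP, one /48
    infra = pop.allocate("infrastructure", 56)   # its first /64 feeds the links
    pop.allocate("small-a", 60)
    pop.allocate("enterprise-a", 56)             # skips ahead to a /56 boundary
    pop.allocate("small-b", 60)
    first64 = next(infra.subnets(new_prefix=64))
    return pop.assigned, p2p_links(str(first64), 3)


if __name__ == "__main__":
    assigned, links = example_plan()
    for name, net in assigned.items():
        print(f"{name:15} {net}  ({subnets_64(net)} x /64)")
    for net, a, b in links:
        print(f"p2p {net}: {a} <-> {b}")
```

Because enterprise-a has to start on a /56 boundary, the fifteen /60s after small-a are skipped, which is why plans usually group customers of one size into their own pool.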

Provider assigned IP (PI) space
There are very few cases for assigning Provider space to a customer who has an ASN.  If the customer has an ASN they should be going to their Regional Internet Registry (RIR) and getting an allocation.  In my case, most of the requests I do go through ARIN.  ARIN has a very good document on getting your first IPV6 allocation. https://www.arin.net/resources/guide/ipv6/first_request/

For anyone else, I want to assign them a /56 or /60 as stated above.  These are customers not participating in BGP. One of the lessons learned in the IPV4 world is how many started with provider assigned IP space and then went through the pain of renumbering when they received allocations from the RIR. In IPV6 we would have to re-subnet, but it is still the same pain.

What gets assigned IPV6 space?
One of my philosophies is I treat IPV6 like public IP addresses in the IPV4 world.  I am not assigning Internet routable IP addresses to my switches and APs unless they are doing routing.  I can still use private IP addresses for my infrastructure such as 10.x.x.x/8.

Philosophies rounded up
-Point-to-point links.  Should you use a /64, /124, /126, /127, or even something else?  I have seen Cogent hand me a /112 in several places.

-Customer Allocations. Should you assign the customer a /56 or bigger?  I believe any customer that needs more than a /56 should have their own ASN and their own IPV6 allocation. If necessary a large customer could have a /52 and still be within the bounds.

Closing notes
IPv6 is very much in flux with some conflicting methods of doing things.  However, a good solid plan you stick to and follow can save you lots of headaches and allow your network to scale. Implementing IPV6 to some degree on your network should be a priority.  There are many benefits to IPV6 which are not IP space-related, which I will talk about in a later article.

Further Reading
https://www.infoblox.com/wp-content/uploads/infoblox-infographic-ipv6-best-practice.pdf

https://www.cisco.com/web/SG/learning/ipv6_seminar/files/02Eric_Vyncke_Security_Best_Practices.pdf

Other articles I have done on V6
http://www.mtin.net/blog/ipv6-point-to-point-subnets/

Basic IPV6 Mikrotik Firewall

Netflix, IPv6, and queuing

IPv6 Security tidbits

IPv6 Test Sites

 

About the Author Justin Wilson
