arin

The Mess we call BGP

Ever wonder why BGP seems to be such a complicated protocol to administer? It seems pretty straightforward to set up. Some commands, and you have a BGP session. Easy huh? BGP is one of those things where the more BGP feeds you bring in, the more complex traffic management becomes. Why? Take a look at the following graphic.

https://thyme.apnic.net/BGP/ARIN/#

What you are looking at is a small visualization of some of the AS connections to Hurricane Electric (AS6939) in North America. This is not all of them, just what I could fit on the screen for this article. Some of these are “transit ASes,” which means they sit between Hurricane Electric and another network or networks. This is important to understand because, if they are between you and Hurricane Electric, they can influence how your traffic reaches customers or resources there. The same thing goes for Hurricane Electric. They are a transit AS between companies and resources. Their policies in terms of BGP traffic can influence your traffic. This is just one AS. There are thousands and thousands of others.

Now imagine you have 4 upstream providers with various peerings and upstream peers. Each one of them can do various manipulations to the same destination. Your routers will pick the best path, but that path may have congestion or a host of other influences on your traffic.

For myself, as a network engineer, being able to diagnose and troubleshoot path issues is an art, just as it is a science.

ARIN consulting package end-of-the-year special

From now until the end of the year, I am running the following consulting package, including the following ARIN services.

-Helping you set up your organization within ARIN
-Helping you set up your Point of Contact (POC) records
-Getting your own ASN
-Getting an IPv6 allocation
-Generating RPKI and ROA for up to 10 IP blocks (V4 and V6)
-Creating route registry entries for 1 ASN and up to 10 IP blocks
-Creating a PeeringDB entry and linking that to your route registry
-Setting up your IP blocks to point to a reverse DNS server
-Updating your whois information (if needed)
-Signing you up for ShadowServer reports
-Signing you up for monitoring of your blocks (up to 5 for free)
-Tutorial on using Looking Glasses to view your IP blocks and how they relate to other networks

All of this for $1200. This is a savings of over $800 with this promotion. Don’t wait. I only have limited slots available. I can put you on a payment plan (10% fee) or take a 20% deposit to secure the promotion for 60 days.

Optional Add ons
-Hosting a reverse DNS server for your IPs
-IPv6 Deployment plan
-Justification for getting on the waiting list for an IPv4 block
-BGP setup for Team CYMRU

You can e-mail me here for more details.

Packets Down Range #6: OpenWifi, IoT, RDOF, CBRS

Welcome to issue #6 of Packets Down Range. The thing I am excited about lately is the 100 Gig passive mux by Solid Optics. One of the hats I wear is running an IX. We are always looking for ways to best utilize our dark fiber assets to increase data rates. Keep those tips and articles coming. I am working on the Patreon edition, and it will be released shortly.

Data Center News

•Are Data Centers pricing themselves out of the market? Rising energy costs, increases in cross-connect fees, and just general price raising are causing more folks to look at moving more things into the cloud.

Building an IoT backbone


Interconnection & Peering

•Hurricane Electric expands to DataBank DFW1.


ISP News
•According to Leichtman Research Group, Verizon and T-Mobile added 15x more subscribers in Q3 2022 than the top 7 cable providers in the US combined.

101 most innovative Texas wireless companies according to beststartuptexas.com.

•Crosstown Fiber extends its footprint in the greater Chicago area.
Crosstown’s underground network is designed for customers who need access to resilient fiber pathways. The company will target school systems, large corporations, hyperscalers and data center operators, small cell wireless carriers, content providers, and municipal and other government agencies.

California Internet (GeoLinks) and Shenandoah Cable Television are the latest to be authorized by the FCC for their RDOF-winning bids. People’s communications in Texas is the latest to default on their bids. The full article can be read here.


Podcasts & Events
Inside Towers Podcast

•Willie Howe has a video on routers vs. firewalls.

Ohio Linux Professionals conference December 2nd and 3rd.


Other Industry News
•ARIN releases a new version of its RSA.

•FCC to release updated broadband map on November 18th

NTIA releases plans for all that BEAD money

•Netflix is still winning the streaming wars…for now.

•Does CBRS fall short? This article claims it does.

•What does your office do for fun or unique awards for employees?

•META moves away from connectivity. Will OpenWiFi suffer because of it?


Advertise with Packets Down Range

Notable Equipment

•Solid Optics releases a new 8 Channel OWDM mux. What does this mean for you? You can run 8 100 gig waves over a passive mux system up to 20km. Each channel is 400 GHz.

•Juniper announces ACX7024 Metro Router.

WIFI 7 routers are on the way.


Please consider becoming a sponsor by advertising or becoming a Patreon or donating any amount via Paypal for additional content. #packetsdownrange packetsdownrange.com

New ARIN Membership structure

On 1 January 2022, the American Registry for Internet Numbers (ARIN) implemented a new fee schedule and membership structure. There are now two customer membership categories: Service and General. Both categories are entities that have a valid ARIN Registration Services Agreement (RSA or LRSA) for IPv4 and/or IPv6 address space. However, General Members are able to nominate candidates and vote in ARIN elections for both the Board of Trustees and Advisory Council. They also must express a commitment to participating in ARIN elections when requesting to be a General Member.

https://www.arin.net/resources/fees/fee_schedule/

Internet Routing Registry Resources by j2sw

What is a routing registry?
From Wikipedia https://en.wikipedia.org/wiki/Internet_Routing_Registry
The Internet routing registry works by providing an interlinked hierarchy of objects designed to facilitate the organization of IP routing between organizations, and also to provide data in an appropriate format for automatic programming of routers. Network engineers from participating organizations are authorized to modify the Routing Policy Specification Language (RPSL) objects, in the registry, for their own networks. Then, any network engineer, or member of the public, is able to query the route registry for particular information of interest.

RFC2622 Routing Policy Specification Language (RPSL)

RFC2650 Using RPSL in Practice

RFC7682 Considerations for Internet Routing Registries (IRRs) and routing Policy Configuration

General IRR Information

http://www.irr.net/
Includes links to various registries, FAQs, and other info

https://www.gin.ntt.net/support-center/policies-procedures/routing-registry/ntt-route-registry-frequently-asked-questions/
NTT route registry FAQ

https://www.seattleix.net/irr-tutorial
Seattle Internet Exchange IRR Tutorial

https://www.manrs.org/resources/tutorials/irrs-rpki-peeringdb/

https://archive.nanog.org/meetings/nanog51/presentations/Sunday/NANOG51.Talk34.NANOG51%20IRR%20Tutorial.pdf
NANOG Routing registry tutorial

General How-Tos

https://fcix.net/whitepaper/2018/07/14/intro-to-irr-rpsl.html
A Quickstart Guide to Documenting Your Prefixes with IRR. This mainly uses the older ARIN e-mail templates.


ARIN Specific

https://www.arin.net/resources/manage/irr/userguide/
ARIN’s user guide for working with their IRR

https://www.arin.net/resources/manage/irr/irr-online-implementation
Notes on working with ARINs web-based


Other Regional Registries

African Network Coordination Centre (AFRINIC)
https://afrinic.net/internet-routing-registry

Asian-Pacific Network Coordination Centre (APNIC)
https://www.apnic.net/manage-ip/apnic-services/routing-registry/

American Registry for Internet Numbers (ARIN)
https://www.apnic.net/manage-ip/apnic-services/routing-registry/

Latin American and Caribbean Internet Addresses Registry (LACNIC)
https://www.lacnic.net/innovaportal/file/3512/1/internet-routing-registries.pdf

Réseaux IP Européens Network Coordination Centre (RIPE NCC)
https://www.ripe.net/manage-ips-and-asns/db/support/managing-route-objects-in-the-irr

Tools

https://github.com/6connect/irrpt
A collection of tools which allow ISPs to easily track, manage, and utilize IPv4 and IPv6 BGP routing information stored in Internet Routing Registry (IRR) databases. Some of these tools include automated IRR data retrieval, update tracking via CVS, e-mail notifications, e-mail based notification for ISPs who still do human processing of routing information, and hooks for automatically deploying prefix-lists on routers.

https://www.radb.net/query
The RADB whois server provides information collected from all the registries that form part of the Internet Routing Registry. 

https://github.com/irrdnet/irrd
Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format.

ARIN resources and the Service Provider

Internet Service Providers (ISPs) can be intimidated by all of the facets of working with the American Registry for Internet Numbers (ARIN). I have put together a guide that outlines common things you, as a service provider, need to do.

This guide is not an end-all how-to. Throughout, I am posting videos and links taken from the ARIN site to help. This article is more of an outline of what a service provider needs to do.

The majority of the steps below will be done through ARIN’s online ticketing system.

This is broken down into the following Sections
1. Create a Point of Contact (POC) record
2. Creating an Organization (ORG-ID)
3. Requesting an Autonomous System Number (ASN)
4. Requesting IPv6 space
5. Requesting IPv4 space
6. Source Validation
7. Reverse DNS
8. Routing Registry
9. RPKI
10. Notes and tips

Creating a Point of Contact (POC)
Point of Contact (POC) records are the foundation of your ARIN account. This record is the way you manage your resources. There are different types of POC accounts. https://www.arin.net/resources/guide/account/records/poc/ will tell you everything you need to know about POC records. Creating this record takes mere minutes.

Creating an Organization
Once you have a POC record created, you will create an Organization and associate your POC with that ORG-ID. ARIN will attach your resources to your ORG-ID. You will need your federal EIN and your registered business address for this stage. This stage takes a few days because ARIN needs to verify you are who you say you are.

Requesting an ASN
An Autonomous System Number (ASN) will be the first resource an ISP will request. The ASN allows you to participate in BGP by advertising your IP blocks to peers. The ASN request requires you to state your routing policy, usually BGP, and at least two peers with which you will be establishing BGP. If you don’t have two peers, state your plans in this section.

Once you have met the criteria, you will be asked to fill out an officer attest paper. This is a statement that the information you have submitted is correct and truthful. Once you fill out this form and submit it, you will receive an invoice. Once this invoice is paid, you will receive your ASN. This stage can take several days, depending on how much back and forth goes on, asking to clarify information.

Request IPv6 space
I put this as the next stage for a few reasons. The first is you should be moving toward IPv6. At the very least, dual-stack your network. Second, requesting IPv6 space will get you familiar with how ARIN looks at requests.

You are required to state how your network is laid out, what type of network, and how you plan to deploy addresses. Be prepared to give a diagram of your system. You may have to go back and forth a few times, depending on how much detail you provided on your first request.

Just like your ASN, you will be required to sign another officer attest, pay the bill, and then the IP space will be allocated.

Requesting IPv4 space
Requesting IPv4 space is pretty close to requesting V6 space, but ARIN is more strict on their criteria these days due to the shortage of space. If you are looking to transition, you can get a /24 of v4 for your v6 transition.

If you choose to request IPV4 space you will be put on a waiting list with others who have also requested space. Details on the waiting list can be found at https://www.arin.net/resources/guide/ipv4/waiting_list/ . ARIN is currently doing quarterly distributions to folks on the waitlist*. I put an asterisk on the previous statement because there are several variables listed at the waitlist site linked above. Some include:

  • Only organizations holding an aggregate of a /20 or less of IPv4 address space may apply and be approved.
  • The maximum-size aggregate that an organization may qualify for at any one time is a /22.

The site says they do quarterly distributions. I believe this gives ARIN time to reclaim IP space and do a cleanup on it. Depending on when you submit you may have to wait several months or longer for an allocation.

As with V6 space and ASN, you have to do another officer attest, pay your invoice, and then it is allocated.

Origin AS
Origin AS validation is a check and balance. From ARIN’s page at https://www.arin.net/resources/registry/originas/
The Origin Autonomous System (AS) field is an optional field collected by ARIN during all IPv4 and IPv6 block transactions (allocation and assignment requests, reallocation and reassignment actions, transfer and experimental requests). This additional field is used by IP address block holders (including legacy address holders) to record a list of the Autonomous System Numbers (ASNs), separated by commas or whitespace, from which the addresses in the address block(s) may originate.

This is simply a field you fill in on your ARIN account. When you get IP space from ARIN this is *usually* automatic.

Reverse DNS
You will need to point your IP blocks to your own or hosted DNS servers for the reverse entries. Many different entities pay attention to reverse DNS entries. If you have clients who run mail servers or similar services, you will need a reverse DNS entry. More information at https://www.arin.net/resources/manage/reverse/

Routing Registry
More and more companies, such as Hurricane Electric, are requiring routing registry entries. I did a pretty in-depth article on routing registries. https://blog.j2sw.com/networking/routing-registries-and-you/
ARIN now has a web-based system for setting up route objects. This web method takes some of the learning curve out of adding things into the ARIN registry. Many exchanges, including FD-IX, are moving toward routing registry support.

RPKI
RPKI is another validation method for verifying you are the proper owner of resources, especially IP blocks. https://www.arin.net/resources/manage/rpki/ . Hosted RPKI is the easiest way to get started with RPKI.

I did an article related to RPKI at https://blog.j2sw.com/networking/bgp/hurricane-electric-now-requires-irr-and-rpki/
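Added example, not from the original article or from ARIN: how a router or validator uses ROAs once they exist, following the route origin validation rules of RFC 6811. The ROA list and the announcements are constructed, using documentation prefixes and a private-use ASN in place of real resources.

```python
import ipaddress

# Constructed ROAs as (prefix, maxLength, origin ASN). Documentation prefixes
# and a private-use ASN stand in for real resources.
ROAS = [
    ("192.0.2.0/24", 24, 65534),
    ("2001:db8::/32", 48, 65534),
    ("203.0.113.0/24", 24, 0),      # AS0 ROA: "do not route this prefix"
]

def validate(prefix, origin, roas=ROAS):
    """Return (state, reasons); state is 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    reasons = []
    for roa_prefix, max_len, asn in roas:
        roa = ipaddress.ip_network(roa_prefix)
        if roa.version != route.version or not route.subnet_of(roa):
            continue                              # ROA does not cover the route
        if asn == 0 or asn != origin:
            reasons.append(f"{roa_prefix}: ROA authorises AS{asn}, not AS{origin}")
        elif route.prefixlen > max_len:
            reasons.append(f"{roa_prefix}: /{route.prefixlen} exceeds maxLength {max_len}")
        else:
            return "valid", [f"{roa_prefix} maxLength {max_len} AS{asn}"]
    # Covered by at least one ROA but matched by none: invalid, not unknown.
    return ("invalid", reasons) if reasons else ("not-found", [])

# Constructed announcements: (prefix, origin ASN seen in the AS path).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 65534),       # matches the ROA
    ("192.0.2.0/24", 65533),       # right prefix, wrong origin
    ("192.0.2.128/25", 65534),     # more specific than maxLength allows
    ("2001:db8:1::/48", 65534),    # allowed by maxLength 48
    ("203.0.113.0/24", 65534),     # covered only by an AS0 ROA
    ("198.51.100.0/24", 65534),    # no covering ROA at all
]

def classify(announcements=ANNOUNCEMENTS):
    """Return the validation state of each announcement, in order."""
    return [validate(prefix, origin)[0] for prefix, origin in announcements]

if __name__ == "__main__":
    for (prefix, origin), state in zip(ANNOUNCEMENTS, classify()):
        print(f"{prefix:18} AS{origin}  {state}")
```

The third case is the one that catches operators out: a ROA with maxLength equal to the prefix length makes your own more-specific announcements invalid, so deaggregated prefixes need their own ROAs or a larger maxLength.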

Notes
Working with ARIN is pretty straightforward, but sometimes confusing for the newbie. I offer a package for $799 (plus ARIN fees) where I do all the above for you. I have done this so much over the years we have templates and other shortcuts for the various things done.

If you choose to do this on your own, here are some tips.
1. Don’t be afraid to provide more detail than asked.
2. The ARIN helpdesk is actually helpful. If you get stuck call or e-mail them. They have probably answered your question before and are willing to help.
3. Be prepared to provide information about your network, especially with IPv4 requests. ARIN wants to know if you are/will be using resources efficiently.

If you get IPv4 space I would recommend adding the new IP block to your advertisements. Allow it to be learned by the various reverse Geolocation folks. After a week check your blocks using the links on this page: http://thebrotherswisp.com/index.php/geo-and-vpn/. This applies to space allocated from ARIN or purchased from a broker.

If you are looking to purchase blocks from a broker, you need to get pre-approval from ARIN. Learn more at https://www.arin.net/resources/registry/transfers/preapproval/

Routing Registries

I had routing registries on the brain so I wanted to knock some of the rust off recording and did 10 minutes on routing registries and what they are.

If you want to look at some of my older posts on routing registries

 

Routing Registries and you

This was originally published at https://www.mtin.net/blog/internet-routing-registries/ 

It has been updated for grammar, but I am working on an updated version of this.

Routing Registries are a mysterious underpinning of the peering and BGP world. To many, they are arcane and complicated. If you have found this article you are at least investigating the use of a registry. Either that or you have run out of fluffy kittens to watch on YouTube. Either way, one of the first questions is “Why use a routing registry”.

As many of us know, BGP is a very fragile ecosystem. Many providers edit access lists in order to only announce prefixes they have manually verified someone has the authority to advertise. This is a manual process with many opportunities for error. Any time a config file is edited, errors can occur: typos, misconfiguration, or software bugs.

Routing registries attempt to solve two major issues. The first is automating the process of knowing who has the authority to advertise what. The second is allowing a central repository of this data.

So what is a routing Registry?
From Wikipedia: An Internet Routing Registry (IRR) is a database of Internet route objects for determining, and sharing route and related information used for configuring routers, with a view to avoiding problematic issues between Internet service providers.

The Internet routing registry works by providing an interlinked hierarchy of objects designed to facilitate the organization of IP routing between organizations, and also to provide data in an appropriate format for automatic programming of routers. Network engineers from participating organizations are authorized to modify the Routing Policy Specification Language (RPSL) objects, in the registry, for their own networks. Then, any network engineer, or member of the public, is able to query the route registry for particular information of interest.

What are the downsides of an RR?
Not everyone uses routing registries. So if you only allowed routes from RRs, you would get a very incomplete view of the Internet and not be able to reach a good amount of it.

Okay, so if everyone doesn’t use it, why should I go to the trouble?
If you are at a formal Internet Exchange (IX) you are most likely required to use one. Some large upstream providers highly encourage you to use one to automate their process.

What are these objects and attributes?
In order to participate you have to define objects. The first one you create is the maintainer object. This is what the rest of the objects are referenced to and based on. Think of this as setting up your details in the registry.

From this point you set up “object types”. Object types include:
as-set
aut-num
inet6num
inetnum
inet-rtr
key-cert
mntner
route
route6
route-set
If you want to learn more about each of these as well as templates visit this ARIN site.

So what do I need to do to get started?
The first thing you need to do is set up your mntner object in the registry. I will use ARIN as our example. You can read all about it here: https://www.arin.net/resources/routing/.

You will need a couple of things before setting this up:
1. Your ARIN ORGID
2. Your ADMIN POC for that ORGID
3. Your TECH POC for that ORGID

Once you have these you can fill out a basic template and submit to ARIN.

mntner: MNT-YOURORGID
descr: Example, Inc.
admin-c: EXAMPLE123-ARIN
tech-c: EXAMPLE456-ARIN
upd-to: hostmaster@example.net
mnt-nfy: hostmaster@example.net
auth: MD5-PW $1$ucVwrzQH$zyamFnmJ3XsWEnrKn2eQS/
mnt-by: MNT-YOURORGID
referral-by: MNT-YOURORGID
changed: hostmaster@example.net 20150202
source: ARIN

The template is very specific about what to fill out. The mnt-by and referral-by attributes are key to following the instructions. MD5 is another sticking point. The process is documented in just a couple of places. To generate your MD5-PW, follow these instructions.

1. Go to https://apps.db.ripe.net/crypt/ Enter in a password. Make sure you keep this cleartext password as you will need it when sending future requests to ARIN’s Routing Registry.
2. Submit the password to get the md5 crypt password. Keep this password for your records, as you may need it when interacting with ARIN’s IRR in the future.
3. Add the following line to your mntner object template in the text editor.
auth: MD5-PW
Our example above has an MD5 password already generated.
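Added example, not part of the original article or of ARIN's tooling: the same `$1$` md5-crypt string can be computed locally, so the cleartext maintainer password never has to be typed into a web form, and a stored auth value can be checked against a password before a template is sent. The function names and the random salt handling are choices made for this sketch.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, length):
    """Encode `length` 6-bit groups of value, least significant group first."""
    out = ""
    for _ in range(length):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password, salt=None):
    """Return the '$1$salt$hash' string that follows 'auth: MD5-PW'."""
    pw = password.encode()
    if salt is None:                           # fresh random 8-character salt
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    s = salt[:8].encode()
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + s)
    for remaining in range(len(pw), 0, -16):   # mix in alt, 16 bytes at a time
        ctx.update(alt[:min(16, remaining)])
    n = len(pw)
    while n:                                   # one byte per bit of len(pw)
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                      # fixed 1000-round stretch
        step = hashlib.md5()
        step.update(pw if i & 1 else final)
        if i % 3:
            step.update(s)
        if i % 7:
            step.update(pw)
        step.update(final if i & 1 else pw)
        final = step.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    digest = "".join(
        _to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in order)
    return f"$1${salt[:8]}${digest}{_to64(final[11], 2)}"


def check_password(password, auth_value):
    """True if password matches an 'MD5-PW $1$...' or bare '$1$...' value."""
    crypt = auth_value.split()[-1]
    _, magic, salt, _ = crypt.split("$")
    if magic != "1":
        raise ValueError("not an md5-crypt string")
    return hmac.compare_digest(md5_crypt(password, salt), crypt)


if __name__ == "__main__":
    import getpass
    print("auth: MD5-PW", md5_crypt(getpass.getpass("Maintainer password: ")))
```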
Once this is done and created you can add objects. The most commonly added objects are your ASN and IP space.

Create your ASN object using the aut-num template

aut-num: AS65534
as-name: EXAMPLE-AS
descr: Example, Inc.
descr: 114 Pine Circle
descr: ANYWHERE, IN 12345
descr: US
import: from AS65535 accept ANY
import: from AS65533 accept AS65534
export: to AS65533 announce ANY
export: to AS65535 announce AS2 AS65533
admin-c: EXAMPLE456-ARIN
tech-c: EXAMPLE123-ARIN
mnt-by: MNT-YOURORGID
changed: user@example.com 20150202
source: ARIN
password:

The things to know about the above template are the import and export attributes.

Now on to adding IP space
Suppose you have IP space of 192.0.2.0/24. Your template would look like:

inetnum: 192.0.2.0 - 192.0.2.255
netname: EXAMPLE-NET
descr: Example, Inc.
descr: 115 Oak Circle
descr: ANYWHERE, IN 12345
country: US
admin-c: EXAMPLE123-ARIN
tech-c: EXAMPLE456-ARIN
notify: user@example.com
mnt-by: MNT-YOURORGID
changed: user@example.com 20150202
source: ARIN
password:

The password attribute is the cleartext password for your MD5 key.
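Added example, not from the original article: a small Python parser for RPSL text like the templates above. It splits objects, reads the import/export policy per peer AS, and converts an inetnum range to CIDR while rejecting a typographic dash pasted in from a word processor. The sample text is constructed from the templates above, and the function names are this sketch's own.

```python
import ipaddress
import re

# Constructed input modelled on the templates above (descr/contact lines cut).
SAMPLE = """\
aut-num: AS65534
import: from AS65535 accept ANY
import: from AS65533 accept AS65534
export: to AS65533 announce ANY
export: to AS65535 announce AS2
+ AS65533
mnt-by: MNT-YOURORGID

inetnum: 192.0.2.0 - 192.0.2.255
mnt-by: MNT-YOURORGID
"""
POLICY = re.compile(r"(from|to)\s+(AS\d+)\s+(accept|announce)\s+(.+)", re.I)
KEYWORDS = {"import": ("from", "accept"), "export": ("to", "announce")}

def parse_rpsl(text):
    """Return a list of objects, each a list of (attribute, value) pairs."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():                    # blank line ends an object
            if current:
                objects.append(current)
            current = []
        elif line[0] in " \t+" and current:     # continuation of previous value
            attr, value = current[-1]
            current[-1] = (attr, f"{value} {line[1:].strip()}".strip())
        else:
            attr, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"not an attribute line: {line!r}")
            current.append((attr.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects

def policies(obj):
    """Map peer AS -> filter terms for the import/export lines of an aut-num."""
    out = {"import": {}, "export": {}}
    for attr, value in obj:
        if attr in out:
            m = POLICY.fullmatch(value)
            if not m or (m[1].lower(), m[3].lower()) != KEYWORDS[attr]:
                raise ValueError(f"malformed {attr} policy: {value!r}")
            out[attr][m[2].upper()] = m[4].split()
    return out

def inetnum_to_cidrs(value):
    """Convert 'first - last' to CIDR blocks; reject typographic dashes."""
    if re.search("[\u2012-\u2015]", value):
        raise ValueError("range uses a typographic dash, not ASCII '-'")
    first, _, last = (p.strip() for p in value.partition("-"))
    span = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(*span)]

def review(text):
    """Parse RPSL text; return {'class key': findings} for each object."""
    report = {}
    for obj in parse_rpsl(text):
        cls, key = obj[0]
        if cls == "aut-num":
            report[f"{cls} {key}"] = policies(obj)
        elif cls == "inetnum":
            report[f"{cls} {key}"] = {"cidrs": inetnum_to_cidrs(key)}
    return report
```

Running `review()` over a template before submitting it shows at a glance which peers you accept routes from and announce to, and whether the inetnum range is the block you meant to register.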

Further Reading:
Using RPSL in practice

NANOG IRR

Hulu and Geolocation issues solved

Recently I received some IP space from ARIN and every geolocation provider I tried came back with proper information. However, when we went live with these IPs, Hulu and others had issues with them.

When you have these issues the first place to go to is:
http://thebrotherswisp.com/index.php/geo-and-vpn/

This link will answer many of the geolocation issues you may be experiencing. By e-mailing ipadmin@hulu, as we suggest in the above link, I received the following back.

The IP location provider Hulu uses is Digital Envoy. Can you reach out to them and provide them with the correct geological information for that IP block. You can submit a request using the link below. https://www.digitalelement.com/contact-us/

Digital Element does not happen to have an easy contact form or information on their website. I posted a message on the NANOG mailing list asking for help. I received direct contact at Digital Element, which was from a digitalenvoy.net e-mail. I am awaiting a response back about how to handle these issues in the future. The Digital Element website does not give much information on how to contact them for GeoIP issues.

If you want to read ARIN’s response to GeoIP issues:
https://teamarin.net/2018/06/11/ip-geolocation-the-good-the-bad-the-frustrating/