peering

The Brothers WISP #169

The state of Iowa announces “Dig Once” program

OFFICIAL NOTICE. December 30, 2021. The Office of the Chief Information Officer (“OCIO”) has released the first version of the State of Iowa’s Fiber Optic Network Conduit Installation (“Dig Once”) program. More information regarding this program can be found on the website at https://ocio.iowa.gov/dig-once

The OCIO is leading and coordinating a program to provide for the installation of fiber optic network conduit where such conduit does not exist. To further the program, the OCIO has developed a website to help identify where opportunities may exist to lay or install fiber optic network conduit alongside state-funded construction projects involving trenching, boring, a bridge, a roadway, or opening of the ground, or alongside any state-owned infrastructure.

The Dig Once website provides access to information concerning the Iowa Department of Transportation (“DOT”) five-year state-funded infrastructure projects. The website provides a map of locations where anticipated projects will occur and a form to sign up to receive updates when new projects are identified within locations of interest. Please visit https://ocio.iowa.gov/dig-once to view this information. Questions may be submitted by e-mail to ociogrants@iowa.gov.

FD-IX: Local-pref and default routes

I just finished up an article over on the FD-IX blog about local-prefs, default routes, and Internet exchanges.

https://www.fd-ix.com/uncategorized/local-pref-and-default-routes/

Not everyone on the Internet needs full feeds from their provider. In this case, how does learning routes from an Internet Exchange such as FD-IX benefit you if all you are doing is default routes?

So let’s take a scenario. You are a local hosting company. You don’t provide Internet to customers, you just do hosting of websites and data. You have a couple of providers you are buying Internet from, mainly for redundancy. One of these is primary and the other is a backup. You are doing BGP just because. All you are receiving from these providers is a default route and that is it. Why would you want to receive all these routes from an IX?

Routing Registries and you

This was originally published at https://www.mtin.net/blog/internet-routing-registries/ 

It has been updated form grammar, but I am working on an updated version of this,

Routing Registries are a mysterious underpinning of the peering and BGP world. To many, they are arcane and complicated. If you have found this article you are at least investigating the use of a registry. Either that or you have run out of fluffy kittens to watch on YouTube. Either way, one of the first questions is “Why use a routing registry”.

As many of us know BGP is a very fragile ecosystem. Many providers edit access lists in order to only announce prefixes they have manually verified someone has the authority to advertise. This is a manual process for many opportunities for error. Any time a config file is edited errors can occur. Either typos, misconfiguration, or software bugs.

Routing registries attempt to solve two major issues. The first is automating the process of knowing who has the authority to advertise what. The second is allowing a central repository of this data.

So what is a routing Registry?
From Wikipedia: An Internet Routing Registry (IRR) is a database of Internet route objects for determining, and sharing route and related information used for configuring routers, with a view to avoiding problematic issues between Internet service providers.

The Internet routing registry works by providing an interlinked hierarchy of objects designed to facilitate the organization of IP routing between organizations, and also to provide data in an appropriate format for automatic programming of routers. Network engineers from participating organizations are authorized to modify the Routing Policy Specification Language (RPSL) objects, in the registry, for their own networks. Then, any network engineer, or member of the public, is able to query the route registry for particular information of interest.

What are the downsides of a RR?
Not everyone uses routing registries. So if you only allowed routes from RR’s you would get a very incomplete view of the Internet and not be able to reach a good amount of it.

Okay, so if everyone doesn’t use it why should i go to the trouble?
If you are at a formal Internet Exchange (IX) you are most likely required to use one. Some large upstream providers highly encourage you to use one to automate their process.

What are these objects and attributes?
In order to participate you have to define objects. The first one you create is the maintainer object. This is what the rest of the objects are referenced to and based on. Think of this as setting up your details in the registry.

From this point you setup “object types”. Object types include:
as-set
aut-num
inet6num
inetnum
inet-rtr
key-cert
mntner
route
route6
route-set
If you want to learn more about each of these as well as templates visit this ARIN site.

So what do I need to do to get started?
The first thing you need to do is set up your mntner object in the registry. I will use ARIN as our example. You can read all about it here:https://www.arin.net/resources/routing/.

You will need a couple of things before setting this up
1.Your ARIN ORGID
2.Your ADMIN POC for that ORGID
3.Your TECH POC for that ORGID

Once you have these you can fill out a basic template and submit to ARIN.

mntner: MNT-YOURORGID
descr: Example, Inc.
admin-c: EXAMPLE123-ARIN
tech-c: EXAMPLE456-ARIN
upd-to: hostmaster@example.net
mnt-nfy: hostmaster@example.net
auth: MD5-PW $1$ucVwrzQH$zyamFnmJ3XsWEnrKn2eQS/
mnt-by: MNT-YOURORGID
referral-by: MNT-YOURORGID
changed: hostmaster@example.net 20150202
source: ARIN

The templates is very specific on what to fill out. The mnt-by and referral-by are key to following instructions. MD5 is another sticking point. The process is documented just in a couple of places. In order to generate your MD5-PW follow these instructions.

1. Go to https://apps.db.ripe.net/crypt/ Enter in a password. Make sure you keep this cleartext password as you will need it when sending future requests to ARIN’s Routing Registry.
2. Submit the password to get the md5 crypt password. Keep this password for your records, as you may need it when interacting with ARIN’s IRR in the future.
3. Add the following line to your mntner object template in the text editor.
auth: MD5-PW
Our example above has a MD5 password already generated.
Once this is done and created you can add objects. The most commonly added objects are your ASN and IP space.

Create your ASN object using the as-num template

aut-num: AS65534
as-name: EXAMPLE-AS
descr: Example, Inc.
descr: 114 Pine Circle
descr: ANYWHERE, IN 12345
descr: US
import: from AS65535 accept ANY
import: from AS65533 accept AS65534
export: to AS65533 announce ANY
export: to AS65535 announce AS2 AS65533
admin-c: EXAMPLE456-ARIN
tech-c: EXAMPLE123-ARIN
mnt-by: MNT-YOURORGID
changed: user@example.com 20150202
source: ARIN
password:

The things to know about the above template are the import and export attributes.

Now on to adding IP space
Suppose you have IP space of 192.0.2.0/24 Your template would look like:

inetnum: 192.0.2.0 – 192.0.2.255
netname: EXAMPLE-NET
descr: Example, Inc.
descr: 115 Oak Circle
descr: ANYWHERE, IN 12345
country: US
admin-c: EXAMPLE123-ARIN
tech-c: EXAMPLE456-ARIN
notify: user@example.com
mnt-by: MNT-YOURORGID
changed: user@example.com 20150202
source: ARIN
password:

The password attribute is the cleartext password for your MD5 key.

Further Reading:
Using RPSL in practice

NANOG IRR

Free peering has a cost

Lately, there has been some discussion about the pricing of Internet Exchanges (IXes) and the reasons behind free peering ports and paid peering ports. In this article, I want to go over some of the benefits and pitfalls of both. 

Free peering
Everyone loves free. Sure, we all do. While most free peering has costs associated, those costs are usually in the form of cross-connect charges. In some data centers, this can be a one-time fee to many hundreds of dollars a month for a typical cross-connect. Herein lies the rub. Any entity providing services to others needs to have money for equipment upgrades, labor, accounting expenses, and costs of operation. This money can come in the form of donations from members or outside sources. A non-profit can be the vehicle for this, but you still need funding to support the entity. If the labor is volunteer, what happens if the most active volunteers get pulled away due to personal or business-related obligations? Do things still run? Is there a plan in place to fix any issues? I am not saying it can’t be done, but life happens. When it comes down to it, most people will choose their family’s welfare over a volunteer gig.

Paid Peering
On the flip side, we have IXes, which charge port fees and other fees for peering. These fees go equipment and operational costs and sometimes salaries. Paid peering costs….well money.

The biggest question to ask yourself is how stable the company is. It does not matter if they are giving away ports or charging. What matters is are they going to be able to provide you service when things get busy, outages happen, or things get busy. When peering becomes more and more critical to a health network and your company’s bottom line, these questions also become essential. It does not matter if it is free or paid if the IX isn’t able to provide service. This scenario can happen on an IX, which charges no money or charges money for a port.

Route Server Diagram for an IX

Normally on a peering exchange, all connected parties will establish bilateral peering relationships with each other customer connected to the exchange. As the number of connected parties increases, it becomes increasingly more difficult to manage peering relationships with customers of the exchange.

However, by using route servers for peering relationships, the number of BGP sessions per router stays at two, if the IX has deployed redundant servers.