
nanog mailing list archives

NANOG36-NOTES 2006.02.14 talk 1 IRR power tools
From: Matthew Petach <mpetach () netflight com>
Date: Tue, 14 Feb 2006 11:56:34 -0800

Apologies in advance, notes from this morning will be a bit
more scattered, as I was working on an issue in parallel
to taking notes.

Matt



2006.02.14 talk 1 IRR Power Tools


12:10 to 12:25, extra talk added, not on
printed agenda.
Thanks to those who submitted lightning
talks.

PC committee members are doing moderation,
Todd Underwood will be handling the first
session this morning.

There will be 3 talks about tools for operators
1 IRR and 2 Netflow tools.  Be thinking of
interesting questions to ask.

Todd has to introduce RAS at 9am, 7am west
coast time which is normally his bedtime.

IRR power tools, Dec 2004 first generation
re-write.

IRR--a quick review
People have been asking him "why do we need
the IRR?"  Any time you have a protocol like
BGP that can propagate information, you need
some form of filtering in place to limit
damage.

IRRs are databases for storing lists of
customer information.  Written to speak RPSL
some speak RPSLng.
RADB
ALTDB
VERIO, LEVEL3, SAVVIS
RIR-run databases: ARIN, RIPE, APNIC, etc.

IRRs better than manual filtering.
huge list on the slides.
Filtering is needed, and hard to keep updated by
hand.

Why doesn't everyone use IRR?
Many people do
In Europe, pretty much total support in Europe; it's
required by RIPE, providers won't deal with you if
you don't keep your entries up, large exchanges likewise
check.

Few major networks in US use IRR too:
NTT/Verio
Level3
Savvis
Most people don't.

Why doesn't everyone use it?
In US, it's too complex for customers.
support costs go up if you have to teach customers.
Networks don't like to list their customers in a public
database that can be mined by competitors

RAS figured he could fix at least one piece
Wrote a tool to help with:
automatic retrieval of prefixes behind an IRR object
automatic filtering of bogon or other undesirable routes
Automatic aggregation of prefixes to reduce config size
Tracking and long-term recording of prefix changes
Emails the customer and ISP with prefix changes
Exports the change data to plain-text format for easy
interaction with non-IRR enabled networks
Generates router configs for easy deployments.

Doesn't do import/export policies,
doesn't do filter-sets, rtr-set, peering-set, etc.
Just focuses on essential portions.

Tool was written around IRRToolSet initially, but
the C++ code didn't compile nicely.
This isn't a complete replacement for IRRToolSet,
but provides the basic functionality

A few conf files:
IRRDB.CONF
EXCLUSIONS.CONF
NAG.CONF

./irrpt_fetch grabs the current database info

It also speaks clear English on add/remove of
prefixes for access lists; default format is
English, but you can change it to diff format.

./irrpt_pfxgen ASNUM
generates a prefix list suitable for the customer
interface.
Can use -f juniper to create Juniper filters.

http://irrpt.sourceforge.net/
Always looking for more feedback; it's been deployed
by a few people in the peering community; this will
be its first widescale announcement.

Future plans:
Add support for IPv6/RPSLng
 needs IPv6 aggregation tools
RADB tool uses a faster protocol, RIPE just breaks down
  one level; you have to do multiple iterations to get
  the full expansion.  Servers tend to time out before
  you can get all the answer; RIPE servers have hard
  3 minute timeout that closes the socket.
 Add SQL database support for a backend
 Convert from a script to a real application
 IRRWeb -- http://www.irrweb.com/

He'll talk about irrweb at next nanog.
Allow end users to register routes without needing to
know ANYTHING about RPSL

You can play with it, register routes, but it
doesn't publish anywhere.

That's it--happy valentine's day!
Richard A Steenbergen ras at nlayer.net

Susan notes that
RADB is developed by Merit, the two primary
developers are here today
Chris Fraiser, main cust interface now
Larry Blunk is RPSLng person, also here today.

Right now, no mirroring between IRRs, you have
to mesh with everyone else when a new IRR comes
up.  RADB at least does pick up from the others,
so right now RADB is the best spot to do your
queries against.

Todd asks about filters; does it do prefix list
only, or prefix list plus as-path?
It builds off as's behind other as's, which might
not be the best model; latest code is starting
to understand as-sets.  To do it properly, you
might need import/export policy support.

Randy Bush, IIJ.  Like IPv6, this meeting marks
the tenth anniversary of Randy pushing for IRR
adoption.  And like IPv6, adoption rate has not
been going well.  What's wrong?
Pretty much too complex, which is why this effort
is to make it much simpler, to try to get more
uptake in the US.

Todd notes 2 things; 1, tools are too difficult;
this addresses that.  second piece is that in US,
allocations aren't tied to registry entry creation;
this won't solve that part at all.

For the second part, the benefits are seen mostly
the closer you are to the registration process.
Anyone can register any block; and if you don't
use AS123:, people can register anything in your
block, whether you want them to or not.

Randy notes that they're trying to tweak allocation
policy on something that nobody wants; he thinks
this might be approaching the issue at the wrong end.
There's no push for it, so better tools don't
necessarily help; and the data in the database
are poor, so what of the data can really be
trusted?
Randy feels that certification path for allocation
is more needed to formally track and make the
data correct and verifiable, so no stale/bogus
data can enter the database.

Richard will talk at tools BOF this afternoon, and

Andrew Dole, Boeing.  ARIN region policy, modify
ORG template, add ASN entry into registry entry
to link AS to prefix in the registry.  Could be a
useful database that could be used to cross-verify
the RADB data.  Discuss on ppml list, if you think
it needs more, or should be mandatory, etc.
RAS notes it would take a communication protocol
between RIRs to make it widespread.

Sandy Murphy, Sparta.  She submitted the policy
to the ppml list.  There is a security language
for RPSLng--with the tools being submitted, are
there plans to support those security specifications?
You have to have authorization of prefix holder
and AS holder before you can create the route
entry in RIPE, for example.
RAS's goal is to just try to bring US up to level
of rest of the world.
Need to tie registration of prefix to authority to
put entries in routing registry.
IRRs are chock full of old stale data, and no way
to remove it.
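
The filter, aggregate, track and generate steps listed in the notes, as an added example that is not part of the original message and is not irrpt's own code. The exclusion list, sample prefixes, prefix-list name and all function names are constructed for illustration.

```python
import ipaddress

# Constructed exclusion list: a small subset of commonly filtered space,
# not a complete bogon list.
EXCLUSIONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def clean(registered):
    """Split registered IPv4 prefixes into (kept networks, rejected strings)."""
    kept, rejected = [], []
    for text in registered:
        try:
            net = ipaddress.IPv4Network(text)  # strict: host bits set is an error
        except ValueError:
            rejected.append(text)              # malformed registry entry
            continue
        # overlaps() also catches covering routes such as 0.0.0.0/0
        (rejected.append(text) if any(net.overlaps(b) for b in EXCLUSIONS)
         else kept.append(net))
    return kept, rejected

def aggregate(kept):
    """Collapse adjacent/covered prefixes; remember the longest original length."""
    return [(agg, max(k.prefixlen for k in kept if k.subnet_of(agg)))
            for agg in ipaddress.collapse_addresses(kept)]

def cisco_prefix_list(name, aggregates):
    """One entry per aggregate; 'le' keeps the registered more-specifics permitted.
    Note that aggregation widens the filter to the covering prefix."""
    lines = []
    for i, (net, longest) in enumerate(aggregates, start=1):
        le = f" le {longest}" if longest > net.prefixlen else ""
        lines.append(f"ip prefix-list {name} seq {i * 5} permit {net}{le}")
    return lines

def describe_changes(old_kept, new_kept):
    """Plain-English add/remove report between two fetches."""
    old, new = set(old_kept), set(new_kept)
    return ([f"Added {n}" for n in sorted(new - old)] +
            [f"Removed {n}" for n in sorted(old - new)])

# Constructed sample data: documentation prefixes stand in for customer routes.
YESTERDAY = ["198.51.100.0/25", "203.0.113.0/24"]
TODAY = ["198.51.100.0/25", "198.51.100.128/25", "192.168.1.0/24",
         "0.0.0.0/0", "192.0.2.1/24"]

if __name__ == "__main__":
    kept, bad = clean(TODAY)
    print("\n".join(cisco_prefix_list("CUSTOMER-AS64500", aggregate(kept))))
    print("\n".join(describe_changes(clean(YESTERDAY)[0], kept)))
    print("rejected:", bad)
```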
