Dear Lee,

*ring ring* - "IRR/RPKI helpdesk how may I help you today?" :-)

On Fri, Oct 22, 2021 at 08:25:10AM -0500, Lee Fawkes wrote:
I have a couple of questions about best practices for Internet Routing Registries. I'm able to find lots of documentation about *how* to do things, but not a lot of documentation about when I *should* do things. I work for a medium-sized ISP in the US, and we are currently using both RADb and the ARIN IRR. We peer all over the place, but my main concern is how Cogent and Hurricane Electric build prefix filters from our IRRs.
1. Netflix is asking us to add the AS of a downstream customer of one of our customers to our customer AS-SET. We have a direct relationship with this organization's provider, but not with this organization itself. Is this appropriate?
Another way to satisfy this request is to ask the organization's provider to create an AS-SET (preferably RIR-operated IRR such as ARIN, RIPE, etc), and then reference their AS-SET on your own AS-SET. IRR AS-SETs permit both referencing AS Numbers and AS-SETs as 'members:'.
2. On the ARIN side, when ARIN-NONAUTH goes away next year, does that do away with our ability to do proxy route objects? Do we need to require all of our BGP customers to set up their own IRRs?
The industry trend (very noticeable the last 3 years) is that the ability to create proxy route object registrations is slowly fading away. At first glance proxy registrations seem better than 'no registration', the downside is that anyone can create proxy registrations for any prefix: proxies are not very safe! The recommendation is that each and every IP resource holder creates IRR and/or RPKI objects themselves, or delegates the authority to do so to their service provider. These days everyone wants to see firm cryptographic proof!
3. On the RADb side, if we're turning up a new customer that doesn't have an IRR, and another ISP already has a proxy registration for that customer, is it sufficient for us to add that customer's AS to our customer AS-SET?
Technically this is likely to work, but the downside is that you end up with a hard dependency on another ISP's proxy registration. If for whatever reason that registration lapses (failure to pay bills, M&A, who knows) ... you might end up with a hard to troubleshoot situation where it is not immediately clear "it was working yesterday, but not today?!". The best course of action is to ensure that objects are either managed by yourself, or by the customer, so the responsibilities and object ownership are clear to everyone involved.
I've been getting around the fact that RADb doesn't allow multiple proxy registrations by registering proxy route objects in ARIN-NONAUTH, but that won't be an option much longer, and I can't really experiment with our customers' route objects to see what works.
A great tool to gain some insight into various IRR/BGP/RPKI data sources and what the registration status of various objects might mean can be found at this awesome tool: https://irrexplorer.nlnog.net/

Follow up questions welcome!

Kind regards,

Job
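The nested 'members:' referencing and the proxy-registration dependency discussed in this reply can be checked offline before a peer rebuilds its filters. The following is an added example, not part of the original message and not the code of any IRR tool: a simplified resolver that expands an AS-SET recursively and lists the prefixes whose route object is held by a maintainer outside your control. All object names, maintainers, ASNs and prefixes are constructed, and `own_mntners` is a hypothetical parameter.

```python
import re

# Constructed RPSL objects: documentation ASNs/prefixes, hypothetical names.
SAMPLE = """\
as-set: AS-EXAMPLE-ISP-CUSTOMERS
members: AS64496, AS-EXAMPLE-CUST1

as-set: AS-EXAMPLE-CUST1
members: AS64497, AS64498, AS-EXAMPLE-ISP-CUSTOMERS

route: 192.0.2.0/24
origin: AS64497
mnt-by: MAINT-EXAMPLE-CUST1

route: 198.51.100.0/24
origin: AS64498
mnt-by: MAINT-OTHER-ISP
"""

def parse(text):
    """Return ({as-set name: [members]}, [(prefix, origin, maintainer)])."""
    as_sets, routes = {}, []
    for block in text.strip().split("\n\n"):
        attrs = [tuple(p.strip() for p in ln.split(":", 1)) for ln in block.splitlines()]
        (cls, key), d = attrs[0], dict(attrs)
        if cls == "as-set":  # 'members:' may repeat and may name ASNs or AS-SETs
            as_sets[key.upper()] = [m.strip().upper() for a, v in attrs
                                    if a == "members" for m in v.split(",") if m.strip()]
        elif cls == "route":
            routes.append((key, d["origin"].upper(), d["mnt-by"]))
    return as_sets, routes

def audit(root, text, own_mntners):
    """Resolve root recursively; own_mntners is a hypothetical set of
    maintainers controlled by you or the customer."""
    as_sets, routes = parse(text)
    asns, missing, seen, todo = set(), set(), set(), [root.upper()]
    while todo:
        name = todo.pop()
        if re.fullmatch(r"AS\d+", name):
            asns.add(name)
        elif name not in as_sets:
            missing.add(name)            # referenced set that does not resolve
        elif name not in seen:           # expand each set once (handles cycles)
            seen.add(name)
            todo.extend(as_sets[name])
    hits = [(p, m) for p, o, m in routes if o in asns]
    return {"asns": sorted(asns), "prefixes": sorted(p for p, _ in hits),
            "third_party": sorted(p for p, m in hits if m not in own_mntners),
            "missing_sets": sorted(missing)}
```

An entry under `third_party` is a prefix that drops out of the generated filter if the other maintainer's object lapses; an entry under `missing_sets` is a referenced AS-SET that no longer resolves.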