NANOG36-NOTES 2006.02.14 talk 1 IRR power tools
Apologies in advance, notes from this morning will be a bit more scattered, as I was working on an issue in parallel to taking notes.

Matt

2006.02.14 talk 1 IRR Power Tools

12:10 to 12:25, extra talk added, not on printed agenda. Thanks to those who submitted lightning talks.

PC committee members are doing moderation; Todd Underwood will be handling the first session this morning. There will be 3 talks about tools for operators: 1 IRR and 2 Netflow tools. Be thinking of interesting questions to ask.

Todd has to introduce RAS at 9am, 7am west coast time, which is normally his bedtime.

IRR power tools, Dec 2004, first generation re-write.

IRR--a quick review

People have been asking him "why do we need the IRR?" Any time you have a protocol like BGP that can propagate information, you need some form of filtering in place to limit damage.

IRRs are databases for storing lists of customer information. Written to speak RPSL; some speak RPSLng.
  - RADB
  - ALTDB
  - VERIO, LEVEL3, SAVVIS
  - RIR-run databases: ARIN, RIPE, APNIC, etc.

IRRs better than manual filtering; huge list on the slides. Filtering is needed, and hard to keep updated by hand.

Why doesn't everyone use IRR?

Many people do.
  - In Europe, pretty much total support; it's required by RIPE, providers won't deal with you if you don't keep your entries up, large exchanges likewise check.
  - Few major networks in US use IRR too: NTT/Verio, Level3, Savvis

Most people don't.

Why doesn't everyone use it?
  - In US, it's too complex for customers.
  - Support costs go up if you have to teach customers.
  - Networks don't like to list their customers in a public database that can be mined by competitors.

RAS figured he could fix at least one piece. Wrote a tool to help with:
  - Automatic retrieval of prefixes behind an IRR object
  - Automatic filtering of bogon or other undesirable routes
  - Automatic aggregation of prefixes to reduce config size
  - Tracking and long-term recording of prefix changes
  - Emails the customer and ISP with prefix changes
  - Exports the change data to plain-text format for easy interaction with non-IRR enabled networks
  - Generates router configs for easy deployments.

Doesn't do import/export policies, doesn't do filter-sets, rtr-set, peering-set, etc. Just focuses on essential portions.

Tool was written around IRRToolSet initially, but the C++ code didn't compile nicely. This isn't a complete replacement for IRRToolSet, but provides the basic functionality.

A few conf files:
  - IRRDB.CONF
  - EXCLUSIONS.CONF
  - NAG.CONF

./irrpt_fetch grabs the current database info. It also speaks clear English on add/remove of prefixes for access lists; default format is English, but you can change it to diff format.

./irrpt_pfxgen ASNUM generates a prefix list suitable for the customer interface. Can use -f juniper to create Juniper filters.

http://irrpt.sourceforge.net/

Always looking for more feedback; it's been deployed by a few people in the peering community; this will be its first widescale announcement.

Future plans:
  - Add support for IPv6/RPSLng; needs IPv6 aggregation tools
  - RADB tool uses a faster protocol, RIPE just breaks down one level; you have to do multiple iterations to get the full expansion. Servers tend to time out before you can get all the answer; RIPE servers have hard 3 minute timeout that closes the socket.
  - Add SQL database support for a backend
  - Convert from a script to a real application

IRRWeb -- http://www.irrweb.com/
He'll talk about irrweb at next NANOG.
Allow end users to register routes without needing to know ANYTHING about RPSL. You can play with it, register routes, but it doesn't publish anywhere.

That's it--happy Valentine's Day!

Richard A Steenbergen
ras at nlayer.net

Susan notes that RADB is developed by Merit; the two primary developers are here today. Chris Fraiser, main cust interface now; Larry Blunk is RPSLng person, also here today. Right now, no mirroring between IRRs; you have to mesh with everyone else when a new IRR comes up. RADB at least does pick up from the others, so right now RADB is the best spot to do your queries against.

Todd asks about filters; does it do prefix list only, or prefix list plus as-path?
It builds off AS's behind other AS's, which might not be the best model; latest code is starting to understand as-sets. To do it properly, you might need import/export policy support.

Randy Bush, IIJ. Like IPv6, this meeting marks the tenth anniversary of Randy pushing for IRR adoption. And like IPv6, adoption rate has not been going well. What's wrong?
Pretty much too complex, which is why this effort is to make it much simpler, to try to get more uptake in the US.

Todd notes 2 things: 1, tools are too difficult; this addresses that. Second piece is that in US, allocations aren't tied to registry entry creation; this won't solve that part at all. For the second part, the benefits are seen mostly the closer you are to the registration process. Anyone can register any block; and if you don't use AS123:, people can register anything in your block, whether you want them to or not.

Randy notes that they're trying to tweak allocation policy on something that nobody wants; he thinks this might be approaching the issue at the wrong end. There's no push for it, so better tools don't necessarily help; and the data in the database are poor, so what of the data can really be trusted?
Randy feels that certification path for allocation is more needed to formally track and make the data correct and verifiable, so no stale/bogus data can enter the database.

Richard will talk at tools BOF this afternoon, and Andrew Dole, Boeing. ARIN region policy, modify ORG template, add ASN entry into registry entry to link AS to prefix in the registry. Could be a useful database that could be used to cross-verify the RADB data. Discuss on ppml list, if you think it needs more, or should be mandatory, etc.
RAS notes it would take a communication protocol between RIRs to make it widespread.

Sandy Murphy, Sparta. She submitted the policy to the ppml list. There is a security language for RPSLng--with the tools being submitted, are there plans to support those security specifications? You have to have authorization of prefix holder and AS holder before you can create the route entry in RIPE, for example.
RAS's goal is to just try to bring US up to level of rest of the world.

Need to tie registration of prefix to authority to put entries in routing registry. IRRs are chock full of old stale data, and no way to remove it.
Matthew Petach
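
The filtering steps listed in the talk (exclude bogons, track prefix changes between fetches, aggregate, generate a router prefix list) can be sketched as follows. This is an added example, not code from irrpt or from the talk. The exclusion list, the sample prefixes, the customer name CUST-AS64496, the /24 length limit and the IOS-style output with "le" are all assumptions made for illustration, and it handles IPv4 only.

```python
import ipaddress

# Constructed exclusion list (assumption): a few special-use IPv4 blocks.
EXCLUSIONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def accept(prefixes, max_len=24):
    """Parse registered prefixes; drop excluded space and over-long routes."""
    kept = set()
    for text in prefixes:
        net = ipaddress.ip_network(text)  # raises ValueError if host bits are set
        if net.prefixlen > max_len:
            continue
        if any(net.overlaps(block) for block in EXCLUSIONS):
            continue
        kept.add(net)
    return sorted(kept)

def changes(old, new):
    """Added and removed prefixes between two fetches, for the change report."""
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))

def aggregate(nets):
    """Merge adjacent and covered prefixes to shrink the generated config."""
    return list(ipaddress.collapse_addresses(nets))

def prefix_list(name, nets, max_len=24):
    """Emit IOS-style lines; prefixes shorter than max_len get 'le' so that
    the registered more-specifics inside an aggregate still match."""
    lines = []
    for i, net in enumerate(nets, start=1):
        le = f" le {max_len}" if net.prefixlen < max_len else ""
        lines.append(f"ip prefix-list {name} seq {i * 5} permit {net}{le}")
    return lines

# Constructed sample data: two successive fetches for a hypothetical customer.
PREVIOUS = ["192.0.2.0/24", "198.18.0.0/24"]
CURRENT = ["192.0.2.0/24", "198.18.0.0/24", "198.18.1.0/24",
           "10.1.0.0/16", "192.0.2.128/25"]

if __name__ == "__main__":
    added, removed = changes(accept(PREVIOUS), accept(CURRENT))
    print("added:", [str(n) for n in added], "removed:", [str(n) for n in removed])
    print("\n".join(prefix_list("CUST-AS64496", aggregate(accept(CURRENT)))))
```

Aggregation with "le" reduces config size but also accepts routes that were never registered (here the /23 itself), so a stricter filter would emit the unaggregated list with exact matches.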