APNIC eLearning:
Internet Routing Registry
Issue Date: 02 July 2016
Revision: 1.0
Overview
• What is Routing Policy
• IRR Database & Objects
• Routing Policy Documentation in IRR Database
• RPSL (Routing Policy Specification Language)
• IRRToolSet to Generate Router Configuration
What is Routing Policy
• Public description of the relationship between external BGP
peers
• Can also describe internal BGP peer relationship
• Usually registered at an IRR (Internet Routing Registry)
such as RADB or APNIC
Benefit of Routing Policy
• Who are my BGP peers
• What routes are
– Originated by a peer
– Imported from each peer
– Exported to each peer
– Preferred when multiple routes exist
• What to do if no route exists
Why Define a Routing Policy
• Documentation
• Provides routing security
– Can peer originate the route?
– Can peer act as transit for the route?
• Allows automatic generation of router configurations
• Provides a debugging aid
– Compare policy versus reality
Internet Routing Registry (IRR)
• Number of public databases that contain routing policy
information which mirror each other:
– APNIC, RIPE, RADB, JPIRR, Level3
– http://www.irr.net/
• Stability and consistency of routing – network operators
share information
• Both public and private databases
• These databases are independent – but some exchange
data
– only register your data in one database
• List of Routing Registries
– http://www.irr.net/docs/list.html
Internet Routing Registry (IRR)
• IRRs are used in at least three distinct ways
– To publish your own routing intentions
– To construct and maintain routing filters and router configurations
– Diagnostic and information service for more general network
management
IRR Objects Query
• whois query from CLI
whois -h whois.apnic.net 2406:6400::/32
• You can also search from the APNIC website
IRR Objects Query Flags
• IRR supports a number of flag options
– ! RADB Query Flags
– - RIPE/BIRD Query Flags
• -i flag for inverse queries
– whois -h whois.apnic.net -i mnt-by MAINT-AU-APNICTRAINING
[All the objects with a matching mnt-by attribute]
– whois -h whois.apnic.net -i origin as17821
[route and route6 objects with a matching origin attribute]
• -q flag for informational queries
– whois -h whois.apnic.net -q sources
[list of sources]
IRR Objects Query Flags
• -K flag returns only the primary keys of an object
– whois -h whois.apnic.net -K 2406:6400::/32
• IRRd (IRR Daemon) supports server-side set expansion (as-set and route-set)
– whois -h whois.radb.net '!iAS-APNICTRAINING'
[returns members of AS-APNICTRAINING as-set object]
• For details please check
– https://www.apnic.net/apnic-info/whois_search/using-whois/searching/query-options
– http://www.radb.net/support/query2.php
Whois & IRR Database
• APNIC whois database also works as IRR database
• Integrated APNIC whois database & Internet Routing Registry
[Figure: Internet Resources & Routing Information]
– APNIC whois: IP, ASNs, reverse domains, contacts, maintainers etc
– IRR: routers, routing policy, filters, peers etc
RPSL
• Routing Policy Specification Language
• RPSL is object oriented
– These objects are registered in the Internet Routing Registry (IRR)
– route, autonomous system, router, contact and set objects
• RIPE-81 was the first language deployed in the Internet for
specifying routing policies
– It was later replaced by RIPE-181
– RPSL is a replacement for the RIPE-181 or RFC-1786
– RPSL addresses RIPE-181's limitations
What is RPSL
• Describes things interesting to routing policy
– Prefixes
– AS Numbers
– Relationships between BGP peers
– Management responsibility
• For more about RPSL
– RFC-1786: RIPE-181
– RFC-2622: Routing Policy Specification Language
– RFC-2650: Using RPSL in Practice
– RFC-2726: PGP Authentication for RIPE Database Updates
– RFC-2725: Routing Policy System Security
– RFC-2769: Routing Policy System Replication
– RFC-4012: Routing Policy System Replication next generation
RPSL Objects
• RPSL objects are similar to RIPE-181 objects
• Objects
– set of attributes
• Attributes
– mandatory or optional
– values: single, list, multiple
• Class “key”
– set of attributes
– usually one attribute has the same name as the object’s class
– uniquely identify each object
• Class “key” = primary key
– must be specified first
RPSL Attributes
• Case insensitive
• Value of an attribute has a type
– <object-name>
– <as-number>
– <ipv4-address>
– <ipv6-address>
– <address-prefix>
– etc
• Complete list of attributes and types in RFC 2622
– https://www.rfc-editor.org/rfc/rfc2622.txt
APNIC Database Objects and Routing Registry Objects
OBJECT               PURPOSE
person               Technical or administrative contacts responsible for an object
role                 Technical or administrative contacts represented by a role, performed by one or more people
inetnum / inet6num   Allocation or assignment of IPv4 / IPv6 address space
aut-num              Registered holder of an AS number and corresponding routing policy
route / route6       Single IPv4/IPv6 route injected into the Internet routing mesh
mntner               Authorized agent to make changes to an object
as-set               Collects together Autonomous Systems with shared properties
route-set            Defines a set of route prefixes
filter-set           Defines a set of routes that are matched by a filter expression
Import and Export Attributes
• You can document your routing policy in your aut-num
object in the APNIC Database:
– Import lines describe what routes you accept from a neighbor and
what you do with them
– Export lines describe which routes you announce to your neighbor
Routing Policy Scenarios
[Figure: AS17821 (You) connects upstream to Transit Provider AS4608 (towards the Internet), to Peer AS65543, and downstream to Customer AS131107]
aut-num: AS17821
import: from AS4608 accept ANY
export: to AS4608 announce AS17821 AS131107
import: from AS131107 accept AS131107
export: to AS131107 announce ANY
import: from AS65543 accept AS65543
export: to AS65543 announce AS17821 AS131107
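The "compare policy versus reality" check, applied to the AS17821 aut-num from the scenario above. This is an added example, not part of the original slides or of IRRToolSet. It assumes only the simple "from <AS> accept ANY | <AS list>" import form, treats the last AS in the path as the origin instead of looking up route objects, and uses constructed sample routes; the function names are hypothetical.

```python
import re

AUT_NUM = """\
aut-num: AS17821
import:  from AS4608 accept ANY
export:  to AS4608 announce AS17821 AS131107
import:  from AS131107 accept AS131107
export:  to AS131107 announce ANY
import:  from AS65543 accept AS65543
export:  to AS65543 announce AS17821 AS131107
"""  # aut-num object from the scenario slide, retyped as RPSL text

def parse_object(text):
    """Return (class, primary key, [(attribute, value), ...]) for one RPSL object."""
    attrs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t+" and attrs:      # continuation line (RFC 2622)
            attrs[-1] = (attrs[-1][0], attrs[-1][1] + " " + line[1:].strip())
            continue
        name, _, value = line.partition(":")
        attrs.append((name.strip().lower(), value.strip()))  # names: case insensitive
    return attrs[0][0], attrs[0][1].upper(), attrs        # class key comes first

def import_policy(attrs):
    """Map neighbour AS -> set of accepted origin ASes, or "ANY" (simplified form only)."""
    policy = {}
    for name, value in attrs:
        m = re.fullmatch(r"from\s+(AS\d+)\s+accept\s+(.+)", value, re.I)
        if name == "import" and m:
            terms = m.group(2).upper().split()
            policy[m.group(1).upper()] = "ANY" if terms == ["ANY"] else set(terms)
    return policy

def audit(policy, observed):
    """Return (neighbour, origin) for each observed route the documented policy rejects."""
    rejected = []
    for neighbour, as_path in observed:
        accepted, origin = policy.get(neighbour), as_path[-1]
        if accepted is None or (accepted != "ANY" and origin not in accepted):
            rejected.append((neighbour, origin))
    return rejected

# Constructed sample of received routes; AS64500-AS64502 are documentation ASNs.
OBSERVED = [("AS4608", ["AS4608", "AS64500"]), ("AS131107", ["AS131107"]),
            ("AS65543", ["AS65543", "AS64501"]),  # peer offering another AS's route
            ("AS64502", ["AS64502"])]             # neighbour with no import line
print(audit(import_policy(parse_object(AUT_NUM)[2]), OBSERVED))
```

The two flagged routes are the ones an import filter generated from this policy would drop: a peer acting as transit for a route it does not originate, and a session with no documented policy at all.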
RPSL Tools
• IRRToolSet (written in C++)
– https://github.com/irrtoolset/irrtoolset
• Rpsltool (perl, using Template::Toolkit)
– http://www.linux.it/~md/software
• IRR Power Tools (PHP)
– http://sourceforge.net/projects/irrpt/
• BGPQ3 (C)
– http://snar.spb.ru/prog/bgpq3/
Use of IRRToolSet
• Use IRRToolSet to generate filters based on information
stored in our routing registry
– Avoid filter errors (typos)
– Filters consistent with documented policy (need to get policy correct
though)
– Engineers don’t need to understand filter rules (it just works :-)
• Some providers have their own tools.
IRRToolSet : Installation
• Dependencies (Debian / Ubuntu)
# apt-get install build-essential libtool subversion bison flex libreadline-dev autoconf automake
• Installation
# wget ftp://ftp.isc.org/isc/IRRToolSet/IRRToolSet-5.0.1/irrtoolset-5.0.1.tar.gz
# tar -zxvf irrtoolset-5.0.1.tar.gz
# cd irrtoolset-5.0.1
# ./configure
# make
# make install
For details : https://github.com/irrtoolset/irrtoolset
RtConfig CLI Options
• Defaults to using RADB
– -h whois.ra.net / whois.radb.net
– -p 43
– Default protocol irrd
• For other RIR use protocol bird
– -protocol bird/ripe
• Defaults to “cisco” style output
– -config cisco / -config junos
• -s <list of IRR sources>
– -s APNIC,RADB,RIPE
RtConfig Syntax
• import / export pair for each link; syntax
@RtConfig [import/export] <yourASN> <yourRouterIP> <neighbourASN> <neighbourRouterIP>
• Also takes other commands
@RtConfig configureRouter <inet-rtr-name>
@RtConfig static2bgp <ASN-1> <rtr-1>
@RtConfig access_list filter <filter>
• And many more; the best reference is man rtconfig
IRRToolSet Cisco Example
bash-3.2$ rtconfig -protocol bird -config cisco -h whois.apnic.net
rtconfig> @RtConfig import AS17821 2406:6400:10::1 AS65001 2406:6400:10::2
!
no ipv6 access-list ipv6-500
ipv6 access-list ipv6-500 permit 2406:6400:8000::/48 any
ipv6 access-list ipv6-500 deny any any
!
no ip as-path access-list 500
ip as-path access-list 500 permit ^(_65001)+$
<output truncated>
router bgp 17821
!
neighbor 2406:6400:10::2 remote-as 65001
address-family ipv4
no neighbor 2406:6400:10::2 activate
address-family ipv6 unicast
neighbor 2406:6400:10::2 activate
neighbor 2406:6400:10::2 route-map AS65001-IN in
exit
IRRToolSet JunOS Example
bash-3.2$ rtconfig -protocol bird -config junos -h whois.apnic.net
rtconfig> @RtConfig import AS17821 2406:6400:10::1 AS65001 2406:6400:10::2
policy-options {
community community-1 members [17821:65001];
as-path as-path-1 "( 65001)+";
<output truncated>
protocols {
bgp {
group peer-2406:6400:10::2 {
type external;
peer-as 65001;
neighbor 2406:6400:10::2 {
import policy_65001_1 ;
family inet6 {
unicast;
}
}
}
}
}
Getting the Complete Picture
• Automation relies on the IRR being complete
– Not all resources are registered in an IRR
– Not all information is correct
• Small mistakes can have a big impact
– Check your output before using it
• Be prepared to make manual overrides
– Help others by documenting your policy
RPSL in Summary
1. Define Routing Policy
2. Create IRR Object/Objects
3. Run RtConfig to generate config
4. Push config to router/routers