RPSL with IRRToolSet
Muhammad Moinur Rahman
IRR Toolset, RPSL: Introduction
● Tutorial
○ Do not think of bypassing the RFC
● Target audience
○ Knowledge of Internet routing (especially BGP)
○ Familiar with any IRR database
○ No prior knowledge of the Internet Routing Registry needed
● Layout
○ Theory
○ Hands-on lab using IRR Power Tools, Net::IRR, rpsltool and IRRToolSet
Historical Context
● The basic concept of routing registries dates back to the 1980s and NSFNet
● A high-level policy-based routing database (PRDB) was used to generate configs
● NSFNet regional networks were required to submit Network Announcement Change Requests (NACR) to update the PRDB
● NACRs documented connected networks and their Autonomous System numbers
Historical Context (Early European Work)
● RIPE – Réseaux IP Européens
● Formed in 1989 to coordinate and promote IP networking in Europe
● Developed a registry for the allocation of IP addresses and Autonomous System numbers in Europe (the first RIR)
● No routing policy support initially
Historical Context (RIPE-81)
● RIPE-81 was published in February 1993 and extended the RIPE address registry to include basic routing policy information
● Added the ability to specify an Autonomous System number for an IP address allocation
● Also allowed the expression of Autonomous System relationships
Historical Context (RIPE-181)
● RIPE-181 (RIPE-81++) was published in October 1994
● Introduced the concept of object classes
● Separated routing policy information from IP address allocation information with the introduction of the "route" object
● Extended Autonomous System policy expression functionality
● Also adopted a mechanism for grouping Autonomous Systems, the "as-macro"
Historical Context (RPSL)
● In March 1995 the RIPE-181 standard was accepted as an IETF informational document, RFC 1786
● The IETF created the Routing Policy System Working Group to revise and standardize the language under IETF auspices
● The result was the Routing Policy Specification Language (RPSL)
Historical Context (RFC 2622)
● RFC 2622 was released in June 1999 and formally defined the RPSL standard
● Based on the RIPE-181 standard
○ Significantly extended the functionality of the aut-num object
○ route object also extended
○ as-macro became the as-set object
○ Added a number of new object types
○ Included a dictionary-based extension mechanism
Historical Context (RFC 2622 New Objects)
● as-set
● route-set
● filter-set
● rtr-set
● peering-set
● inet-rtr
● mntner, role and person objects for authentication and contact information
Historical Context (RFC 4012, RPSLng)
● IPv6 and multicast support
● Address Family Identifier (afi, e.g. ipv4.unicast, ipv6.unicast)
● MPBGP added to the protocol dictionary
● RPSL types ipv6-address, ipv6-address-prefix and ipv6-address-prefix-range added
● Policy attributes mp-import, mp-export and mp-default added
● Class route6 added
● route-set class now supports both IPv4 and IPv6 via mp-members
● peering-set supports the mp-peering attribute
Routing Policy Specification Language (RPSL)
● Object-based language
○ route, autonomous system, router, contact and set objects
● Defines the syntax, semantics and format of data in the IRR
● Vendor independent
● Extensible
● IETF Proposed Standard (RFC 2622), updated by RPSLng (RFC 4012)
● Based on RIPE-181 (RFC 1786)
RPSL Basics
● Each object type (class) contains mandatory and optional attributes
● All objects must have these attributes
○ mnt-by: identifies the mntner object that controls the object
○ changed: lists the email address and date of the change (newer registry software has since replaced it with server-generated created:/last-modified: timestamps)
○ source: identifies the registry in which the object is located
mntner Object
● mntner is an abbreviation of maintainer
● Identifies accounts in the registry
● Maintainer objects are used for authentication: an update to an object is accepted only if it passes one of the auth methods of a mntner listed in the object's mnt-by
● Specifies the authentication mechanism in the "auth" attribute
○ CRYPT-PW or MD5-PW: password auth (CRYPT-PW is obsolete; the hashes are visible to anyone who can read the object unless the registry filters them out of query output)
○ PGP-KEY: PGP/GPG based auth
○ MAIL-FROM: email based auth (the From: header is trivially forged, so this is not real authentication)
○ NONE: no authentication at all
● The weak methods (NONE, MAIL-FROM, CRYPT-PW) have since been retired by the major registries
mntner Object
mntner: [mandatory] [single] [primary/look-up key]
descr: [mandatory] [multiple]
admin-c: [mandatory] [multiple] [inverse key]
tech-c: [optional] [multiple] [inverse key]
upd-to: [mandatory] [multiple] [inverse key]
mnt-nfy: [optional] [multiple] [inverse key]
auth: [mandatory] [multiple]
remarks: [optional] [multiple]
notify: [optional] [multiple] [inverse key]
mnt-by: [mandatory] [multiple] [inverse key]
changed: [mandatory] [multiple]
source: [mandatory] [single]
mntner Object Example
mntner: MAINT-BD-1ASIAAHL
descr: 1Asia Alliance Communication Ltd
country: BD
admin-c: MMR13-AP
upd-to: hostmaster@1asia-ahl.com
mnt-by: MAINT-BD-1ASIAAHL
auth: # Filtered
referral-by: APNIC-HM
changed: moin@1asia-ahl.com 20121127
source: APNIC
route/route6 Object
● Defines a CIDR prefix and its origin AS
● Most common type of object found in routing registries
● Used by a number of ISPs to generate filters on their customer BGP sessions
○ Customers must register all routes in order for their ISP to route them
○ Allows automation of adding new prefixes
route/route6 object and keys
● Every RPSL class has a primary "key"
● For most classes, it is simply the main class attribute value
● For example, the mntner class uses the mntner attribute value as the key
● However, route objects use both the route and origin fields as the primary key
● There can be multiple objects for the same prefix with different origins
● This is by design
○ Multi-origin multi-homing
○ When changing to a new origin AS, you want routes for both until the switch is complete
● However, there are also many cases of multiples due to stale routes not being cleaned up; a filter built from the registry accepts the prefix from every registered origin, so stale origins widen what a customer may announce
route/route6 Object Format
route: [mandatory] [single] [primary/look-up key]
descr: [mandatory] [multiple]
origin: [mandatory] [single] [primary/inverse key]
withdrawn: [optional] [single]
member-of: [optional] [single] [inverse key]
inject: [optional] [multiple]
components: [optional] [single]
aggr-bndry: [optional] [single] [inverse key]
aggr-mtd: [optional] [single]
export-comps: [optional] [single]
holes: [optional] [single]
remarks: [optional] [multiple]
cross-nfy: [optional] [multiple] [inverse key]
cross-mnt: [optional] [multiple] [inverse key]
notify: [optional] [multiple] [inverse key]
mnt-by: [mandatory] [multiple] [inverse key]
changed: [mandatory] [multiple]
source: [mandatory] [single]
route/route6 Object Example
route: 182.16.140.0/22
descr: 1Asia Communication Pte Ltd
origin: AS10102
mnt-lower: MAINT-BD-1ASIAAHL
mnt-routes: MAINT-BD-1ASIAAHL
mnt-by: MAINT-BD-1ASIAAHL
changed: moin@1asia-ahl.com 20121209
source: APNIC
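As an added example (not code from the slides or from IRRToolSet), here is a small RPSL object parser that checks mandatory attributes against the class templates shown on this page and indexes objects by primary key, so the route+origin composite key and the multi-origin case are visible in code. The sample registry text is constructed for the example (documentation prefixes, private ASNs, an invented maintainer), not real registry data.

```python
"""Parse RPSL objects, validate mandatory attributes, index by primary key.
Added example; the class templates are the ones listed on this page."""
import re

# Mandatory attributes per class, taken from the object templates on this page.
MANDATORY = {
    "mntner": {"mntner", "descr", "admin-c", "upd-to", "auth", "mnt-by", "changed", "source"},
    "route": {"route", "descr", "origin", "mnt-by", "changed", "source"},
    "route6": {"route6", "descr", "origin", "mnt-by", "changed", "source"},
    "aut-num": {"aut-num", "as-name", "descr", "admin-c", "tech-c", "mnt-by", "changed", "source"},
    "route-set": {"route-set", "descr", "tech-c", "admin-c", "mnt-by", "changed", "source"},
}
# Classes with a composite primary key; every other class is keyed by its first attribute.
PRIMARY_KEY = {"route": ("route", "origin"), "route6": ("route6", "origin")}
ATTR_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


def parse_rpsl(text):
    """Return a list of objects, each a list of (attribute, value) pairs.

    Objects are separated by blank lines; a line beginning with a space, tab
    or '+' continues the previous attribute's value (RFC 2622 section 2)."""
    objects, current = [], []
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                objects.append(current)
                current = []
        elif raw[0] in " \t+" and current:
            name, value = current[-1]
            current[-1] = (name, (value + " " + raw[1:].strip()).strip())
        else:
            m = ATTR_RE.match(raw)
            if not m:
                raise ValueError("malformed RPSL line: %r" % raw)
            current.append((m.group(1).lower(), m.group(2).strip()))
    if current:
        objects.append(current)
    return objects


def class_of(obj):
    """The class of an object is the name of its first attribute."""
    return obj[0][0]


def missing_mandatory(obj):
    present = {name for name, _ in obj}
    return sorted(MANDATORY.get(class_of(obj), set()) - present)


def primary_key(obj):
    """(class, key values...) using the first occurrence of each key attribute."""
    first = {}
    for name, value in obj:
        first.setdefault(name, value)
    cls = class_of(obj)
    return (cls,) + tuple(first[f].upper() for f in PRIMARY_KEY.get(cls, (cls,)))


def index_objects(text):
    """Return ({primary_key: object}, [(primary_key, [missing attrs]), ...])."""
    index, problems = {}, []
    for obj in parse_rpsl(text):
        key = primary_key(obj)
        missing = missing_mandatory(obj)
        if missing:
            problems.append((key, missing))
        index[key] = obj
    return index, problems


def origins_for_prefix(index, prefix):
    """Every origin AS registered for exactly this prefix (more than one = multi-origin)."""
    return sorted(k[2] for k in index if k[0] in ("route", "route6") and k[1] == prefix.upper())


# Constructed sample registry text, not real registry data.
SAMPLE = """\
route:      192.0.2.0/24
descr:      Example customer, current origin
origin:     AS64500
mnt-by:     MAINT-EXAMPLE
changed:    noc@example.net 20140101
source:     EXAMPLE

route:      192.0.2.0/24
descr:      Same prefix, second origin left over
            from a migration and never cleaned up
origin:     AS64501
mnt-by:     MAINT-EXAMPLE
changed:    noc@example.net 20120101
source:     EXAMPLE

mntner:     MAINT-EXAMPLE
descr:      Example maintainer with no auth attribute
admin-c:    EX1-EXAMPLE
upd-to:     noc@example.net
mnt-by:     MAINT-EXAMPLE
changed:    noc@example.net 20140101
source:     EXAMPLE
"""

if __name__ == "__main__":
    idx, probs = index_objects(SAMPLE)
    print("objects:", len(idx))
    print("origins for 192.0.2.0/24:", origins_for_prefix(idx, "192.0.2.0/24"))
    print("problems:", probs)
```

Run as a script it reports three objects, two origins for 192.0.2.0/24 (the stale one would be accepted by any filter built from this data) and one problem: the maintainer has no auth attribute.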
aut-num Object
● Defines the routing policy for an AS
● Uses the import: and export: attributes (mp-import: and mp-export: in RPSLng) to specify policy
● Can be used for highly detailed policy descriptions and automated config generation
● Can reference other registry objects such as
○ as-sets
○ route-sets
○ filter-sets
aut-num Object Format
aut-num: [mandatory] [single] [primary/look-up key]
as-name: [mandatory] [single]
descr: [mandatory] [multiple]
member-of: [optional] [single] [inverse key]
import: [optional] [multiple] [inverse key]
export: [optional] [multiple] [inverse key]
default: [optional] [multiple] [inverse key]
admin-c: [mandatory] [multiple] [inverse key]
tech-c: [mandatory] [multiple] [inverse key]
remarks: [optional] [multiple]
cross-nfy: [optional] [multiple] [inverse key]
cross-mnt: [optional] [multiple] [inverse key]
notify: [optional] [multiple] [inverse key]
mnt-by: [mandatory] [multiple] [inverse key]
changed: [mandatory] [multiple]
source: [mandatory] [single]
aut-num Object Example
aut-num: AS10102
as-name: SG-1ASIACOM-AS-AP
descr: 1Asia Communication Pte Ltd
descr: 151 Chin Swee Road
descr: 14-01 Manhattan House
country: SG
admin-c: SHC12-AP
tech-c: MMR13-AP
mnt-by: MAINT-SG-1ASIACOM-SG
mnt-routes: MAINT-SG-1ASIACOM-SG
mnt-irt: IRT-SG-1ASIACOM-SG
changed: hm-changed@apnic.net 20100428
changed: hm-changed@apnic.net 20121116
source: APNIC
as-set Object
● Provides a way of grouping ASes
● Name must begin with the prefix "AS-" or be hierarchical, in the format
○ AS<NUM>:AS-CUSTOMERS
○ AS<NUM>:AS-PEERS
● Frequently used to list downstream/customer AS numbers
● May be referenced in aut-num import/export policy expressions
● Can reference other as-sets (expansion must therefore follow references recursively, and loops between sets are possible)
route-set Object
● Defines a set of route prefixes
● Name must begin with the prefix "RS-" or be hierarchical, in the format AS<NUM>:RS-<ORGANIZATION>
● Can reference other route-sets
● Can also reference ASes or as-sets
○ In this case the route-set includes all route object prefixes whose origin matches one of the AS numbers
route-set Object Format
route-set: [mandatory] [single] [primary/look-up key]
descr: [mandatory] [multiple]
members: [optional] [single]
mbrs-by-ref: [optional] [single]
remarks: [optional] [multiple]
tech-c: [mandatory] [multiple] [inverse key]
admin-c: [mandatory] [multiple] [inverse key]
notify: [optional] [multiple] [inverse key]
mnt-by: [mandatory] [multiple] [inverse key]
changed: [mandatory] [multiple]
source: [mandatory] [single]
route-set Object Example
route-set: AS10102:RS-1ASIA
descr: Routes announced across Peers
members: 103.4.108.0/22,182.16.140.0/22
tech-c: MMR13-AP
admin-c: MMR13-AP
mnt-by: MAINT-BD-1ASIAAHL
changed: moin@1asia-ahl.com 20140129
source: APNIC
filter-set Object
● Defines a set of routes that are matched by a filter expression
● Similar in concept to route-sets
● Name must begin with the prefix "fltr-"
The IRR (Internet Routing Registry)
● The concept of "the" Internet Routing Registry system was established in 1995
● Shares information regarding production Internet Routing Registries
● Web site at http://www.irr.net
● Initially RIPE-181 format, later shifted to RPSL
● Mirrors routing registry data in a common repository for simplified queries
● The IRR currently consists of roughly 35 operational registries
● Registry operators
○ Regional Internet Registries (RIRs), such as ARIN, RIPE and APNIC
○ ISPs: SAVVIS, NTT, Level3
○ Non-affiliated public registries: RADB and ALTDB
RADB Routing Registry
● The RADB launched in 1995 as part of the NSFNet-funded Routing Arbiter project
● The Routing Arbiter project was intended to ease the transition from the NSFNet to the commercial Internet
● The registry was used to configure route servers located at the designated Network Access Points (NAPs) in Chicago, Washington, New York and San Francisco
● RADB transitioned from public NSFNet funding to a fee-based model in 1999
● Re-branded Routing Assets Database in 2002 – http://www.radb.net
● The registry can be queried at the website and via whois at whois.radb.net
● This server also mirrors the other registries in the IRR, as documented at www.irr.net
Why Register?
● Document routing policy
● In particular, register route objects to associate network prefixes with their origin AS
● A number of transit providers require their customers to register routes and filter customer route announcements based on registry contents
● Filters out unauthorized announcements to prevent route hijacking and denial of service
● The filter is only as trustworthy as the registry: a route object proves that someone passed the registry's authentication, not that they hold the prefix, which is the gap RPKI (later in this deck) addresses
Incidents
● BGP->RIP->BGP injection
● 128/7 leak
● Bogon 0/0 and 10/8 leaks
● Daily, someone is leaking someone else's prefix
Common IRR query flags
● IRRs support a number of flag options
● The -i flag performs an inverse query
○ "-i origin AS10102" returns all route objects with an origin of AS10102
○ "-i mnt-by MAINT-AS10102" returns all objects (route objects included) maintained by MAINT-AS10102
● The -M flag returns more-specific route objects for a prefix
○ "-M 27.0.8.0/22" returns all more-specific route objects within 27.0.8.0/22
● The -s flag limits the sources queried
○ You may not want to query all 30+ IRR databases (each source has its own authentication regime, so the set you trust for filter generation should be a deliberate choice)
○ Example: "-s RADB,RIPE"
● The -K flag returns primary keys only
○ Useful for route object queries: excludes extraneous fields not needed for policy
○ Often used by tools
Advanced IRR queries
● IRRd provides the ability to perform server-side set expansions (as-set and route-set)
● This is done with the "!i" query
○ "!iAS-ESNETUS" returns the members of the AS-ESNETUS as-set object
● Add ",1" for a recursive expansion
○ "!iAS-ESNETUS,1" recurses into any as-set members and returns the individual AS members
○ Reduces the number of queries to the server
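As an added example (not from the slides and not IRRd's own code), the following shows the IRRd "!" query language counterparts of the flags above together with a decoder for the reply framing an IRRd server uses on them: a reply carrying data is "A<len>" on a line of its own followed by exactly <len> bytes (the data plus its trailing newline) and then a "C" line; a bare "C" means success without data, "D" no entries, "E" a duplicate key and "F <message>" an error. The "server" here is a constructed stub answering from a fixed table with documentation ASNs and prefixes, so the exchange runs offline; the table contents are invented.

```python
"""IRRd '!' query builders and reply-frame decoder.  Added example; the stub
registry is constructed, not captured from a live IRRd."""


# IRRd '!' queries corresponding to the whois flags discussed above.
def q_set_sources(*sources):
    """!s<list>: restrict the sources answered from (same role as the -s flag)."""
    return "!s" + ",".join(sources)


def q_expand_set(name, recursive=False):
    """!i<set>[,1]: expand an as-set or route-set, optionally recursively."""
    return "!i" + name + (",1" if recursive else "")


def q_routes_by_origin(asn, ipv6=False):
    """!g<AS> (IPv4) / !6<AS> (IPv6): prefixes originated by an AS (-i origin)."""
    return ("!6" if ipv6 else "!g") + asn


def q_more_specifics(prefix):
    """!r<prefix>,M: more-specific route objects (-M)."""
    return "!r" + prefix + ",M"


def encode_reply(status, data=""):
    """Frame one reply as IRRd does (assumed framing, see lead-in)."""
    if status == "A":
        payload = data + "\n"
        return "A%d\n%sC\n" % (len(payload.encode()), payload)
    if status == "F":
        return "F %s\n" % data
    return status + "\n"


def decode_reply(buf):
    """Consume one framed reply from bytes; return (status, data, remaining_bytes).

    The byte count in the 'A' header is trusted only after checking that the
    buffer really holds that many bytes and that a 'C' line follows."""
    nl = buf.index(b"\n")
    header, rest = buf[:nl].decode(), buf[nl + 1:]
    code = header[:1]
    if code == "A":
        n = int(header[1:])
        data, rest = rest[:n], rest[n:]
        if len(data) != n or not rest.startswith(b"C\n"):
            raise ValueError("truncated or unterminated A reply")
        return "A", data.decode().rstrip("\n"), rest[2:]
    if code in ("C", "D", "E"):
        return code, "", rest
    if code == "F":
        return "F", header[2:], rest
    raise ValueError("unknown reply code %r" % header)


# Constructed stub registry (documentation ASNs/prefixes, invented set contents).
STUB = {
    "!sRADB,EXAMPLE":     ("C", ""),
    "!iAS-EXAMPLE":       ("A", "AS64500 AS64501 AS-EXAMPLE-DOWNSTREAM"),
    "!iAS-EXAMPLE,1":     ("A", "AS64500 AS64501 AS64502"),
    "!gAS64500":          ("A", "192.0.2.0/24 198.51.100.0/24"),
    "!6AS64500":          ("A", "2001:db8::/32"),
    "!r192.0.2.0/24,M":   ("A", "192.0.2.0/25 192.0.2.128/25"),
    "!gAS64599":          ("D", ""),
}


def stub_server(query):
    """What a server would put on the wire for one query."""
    status, data = STUB.get(query, ("F", "unknown query"))
    return encode_reply(status, data).encode()


def ask(query):
    """Send one query to the stub and return its data as a list of tokens."""
    status, data, rest = decode_reply(stub_server(query))
    assert rest == b"", "stub replies are one frame each"
    if status == "F":
        raise RuntimeError("server error: " + data)
    return data.split() if status == "A" else []


if __name__ == "__main__":
    print(ask(q_set_sources("RADB", "EXAMPLE")))            # [] : 'C', nothing to return
    print(ask(q_expand_set("AS-EXAMPLE")))                   # one level, nested set name included
    print(ask(q_expand_set("AS-EXAMPLE", recursive=True)))   # ',1': only ASNs come back
    print(ask(q_routes_by_origin("AS64500", ipv6=True)))
    print(ask(q_routes_by_origin("AS64599")))                # 'D': nothing registered
```

Against a real server the same decoder reads from a socket after sending "!!" to keep the connection open; the length check matters there because a partial read of an "A" frame otherwise silently yields a shorter prefix list than the registry holds.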
Advanced RPSL – aut-num
● The aut-num object can be used to express an Autonomous System's routing policy and peering information
● A powerful structured syntax allows for complex policy expressions
● Some operators drive their network configuration off their RPSL data
● Others simply use it to document AS relationships in a public manner
RPSL Tools
● Several tools have been developed to facilitate the use of RPSL registry data in the configuration of networks
● Tools range from sophisticated and powerful to simple and limited
● They use the IRR by querying over the whois protocol
● Some ISPs use in-house developed tools which process RPSL database files directly
Tools of the trade for RPSL
● IRRToolSet
● Net::IRR
○ Perl module supporting basic IRR queries
● IRR Power Tools
○ IRR-based router configuration – PHP + CVS
● rpsltool – generates Cisco configs – Perl
IRRToolSet
● Based on the original RAToolSet used in the NSF Routing Arbiter project
● Written in C++ and later maintained by ISC
● The rtconfig tool uses templates to generate router configs from IRR data
● Other provided tools include
○ peval – low-level policy evaluation tool
○ rpslcheck – verifies the RPSL syntax of objects
● Death of IRRToolSet?
● Revamped by ISC, yet complex to configure
Net::IRR
● Perl CPAN module
● Provides several useful Perl functions
○ get_routes_by_origin
○ get_ipv6_routes_by_origin
○ get_as_set
○ get_route_set
○ route_search
IRR Power Tools
● PHP-based toolset
○ http://sourceforge.net/projects/irrpt
● Allows an ISP to easily track, manage and utilize IRR data
● Performs tracking with CVS
● Can email notifications of updates
● The irrpt_pfxgen script can generate router configs in Cisco/Foundry, Juniper, Extreme and Force10 formats
Routing Registry Futures
● RPKI (Resource Public Key Infrastructure) work will likely have an impact on routing registry usage
● APNIC, along with RIPE, has already built a portal for RPKI usage
● Recent IRRToolSet releases have added support for integrating RPKI with RPSL
• Feeling sorry for being here .. ☹
• Don't be ..
• The configuration part will make you think life is really easy .. ☺
Let's go for a tea break
IRR Toolset, RPSL: Installation
● Available on most Unix/Linux-like OSes
● Basic requirements for IRRToolSet are as follows
○ GNU Make
○ GCC
○ flex
○ bison
○ libtool
● Additional tools for auto-configuration are as follows:
○ expect
○ cron
IRR Toolset, RPSL: Installation – Get Source
root@bofh:~ # wget ftp://ftp.isc.org/isc/IRRToolSet/IRRToolSet-5.0.1/irrtoolset-5.0.1.tar.gz
root@bofh:~ # tar -zxvf irrtoolset-5.0.1.tar.gz
root@bofh:~ # cd irrtoolset-5.0.1
Plain FTP authenticates nothing: check the tarball against whatever checksum or signature ISC publishes for the release before building it, since this code will be generating your router configuration.
IRR Toolset, RPSL: Installation – Build and Install
root@bofh:~/irrtoolset-5.0.1 # ./configure
root@bofh:~/irrtoolset-5.0.1 # make
root@bofh:~/irrtoolset-5.0.1 # make install
IRR Toolset, RPSL: RPSL Primer
root@bofh:~ # whois -h whois.apnic.net AS131208
#####snipped######
mp-import:  afi any.unicast {
              from AS-ANY accept ANY AND NOT RS-MARTIANS;
            } refine {
              from AS-ANY action pref = 50; accept community.contains(131208:50);
              from AS-ANY action pref = 30; accept community.contains(131208:70);
              from AS-ANY action pref = 10; accept community.contains(131208:90);
              from AS-ANY action pref = 0;  accept ANY;
            } refine afi ipv4.unicast {
              from AS6453 66.110.0.126 at 103.4.109.254 action pref=10; community.append(131208:11000,131208:11010,131208:11011); accept ANY AND NOT RS-MARTIANS;
              from AS58715 103.4.108.62 at 103.4.108.61 action community.append(131208:41000,131208:41010,131208:41011); accept AS-58715^24 AND <^AS58715+ AS-58715*$>;
              from AS58656 103.4.108.94 at 103.4.108.93 action community.append(131208:41000,131208:41010,131208:41011); accept AS-BDHUB^24 AND <^AS58656+ AS-BDHUB*$>;
              from AS58657 103.4.108.178 at 103.4.108.177 action community.append(131208:41000,131208:41010,131208:41011); accept AS58657^24 AND <^AS58657+$>;
              from AS15169 27.0.9.10 at 27.0.9.9 action pref=5; community.append(131208:31000,131208:31020,131208:31021); accept AS15169^24 AND <^AS15169+ AS-GOOGLE*$>;
            } refine afi ipv6.unicast {
              from AS6453 2001:5a0:2300:100::55 at 2001:5a0:2300:100::56 action pref=10; community.append(131208:11000,131208:11010,131208:11011); accept ANY AND NOT RS-MARTIANS;
              from AS15169 2404:a100:2000::11 at 2404:a100:2000::12 action pref=5; community.append(131208:31000,131208:31020,131208:31021); accept AS15169 AND <^AS15169+ AS-GOOGLE*$>;
            }
Reading the policy: each refine clause narrows the clause enclosing it, so an announcement is accepted only if it passes every level. The outer clause drops martians from every peer, the second level assigns pref (lower is preferred) from communities, and the per-neighbour entries add the real constraints: customers are accepted only for the /24 specifics of their as-set (^24) and only with an AS path that starts with their own AS and continues within the set (<^ASn+ AS-SET*$>), while the transit (AS6453) and peering (AS15169) sessions are accepted much more widely.
IRR Toolset, RPSL: rtconfig Caveats
● Hard to debug: the error messages give no clue to the original error
● By default speaks the IRRd whois protocol, which none of the RIRs' whois servers use (Merit's RADB does)
● To use the whois servers of APNIC, RIPE and other RIRs, the protocol must be changed to "bird" (the original RIPE whois daemon protocol)
IRR Toolset, RPSL: rtconfig
● Command-driven tool: reads @RtConfig directives mixed with router configuration from standard input and writes the expanded configuration to standard output
● root@bofh:~ # rtconfig -h whois.apnic.net -protocol bird < rtconfig
Takes any of the following commands:
@RtConfig import <ASN-1> <rtr-1> <ASN-2> <rtr-2>
@RtConfig export <ASN-1> <rtr-1> <ASN-2> <rtr-2>
@RtConfig configureRouter <inet-rtr-name>
@RtConfig importGroup <ASN-1> <peering-set-name>
@RtConfig exportGroup <ASN-1> <peering-set-name>
@RtConfig static2bgp <ASN-1> <rtr-1>
@RtConfig set sources = <source-list>
@RtConfig access_list filter <filter>
@RtConfig aspath_access_list filter <filter>
@RtConfig printPrefixes <format> filter <filter>
@RtConfig printPrefixRanges <format> filter <filter>
@RtConfig printSuperPrefixRanges <format> filter <filter>

Cisco specific
@RtConfig set cisco_map_name = <map-name>
@RtConfig set cisco_map_first_no = <no>
@RtConfig set cisco_map_increment_by = <no>
@RtConfig set cisco_prefix_acl_no = <no>
@RtConfig set cisco_aspath_acl_no = <no>
@RtConfig set cisco_pktfilter_acl_no = <no>
@RtConfig set cisco_community_acl_no = <no>
@RtConfig set cisco_access_list_no = <no>
@RtConfig set cisco_max_preference = <no>
@RtConfig networks <ASN-1>
@RtConfig inbound_pkt_filter <if-name> <ASN-1> <rtr-1> <ASN-2> <rtr-2>
@RtConfig pkt_filter <if-name> <ASN-1> <rtr-1> <ASN-2> <rtr-2>
@RtConfig outbound_pkt_filter <if-name> <ASN-1> <rtr-1> <ASN-2> <rtr-2>

Junos specific
@RtConfig set junos_policy_name = <policy-name>
@RtConfig networks <ASN-1>
IRR Toolset, RPSL: rtconfig Input File (Provision)
router bgp 131208
neighbor 103.4.108.54 remote-as 58682
neighbor 103.4.108.54 version 4
!
# Earth Communication Ltd
@RtConfig set cisco_access_list_no = 500
@RtConfig set cisco_map_name = "AS58715-IN"
@RtConfig import AS131208 103.4.108.62 AS58715 103.4.108.61
@RtConfig set cisco_access_list_no = 599
@RtConfig set cisco_map_name = "ANY"
@RtConfig export AS131208 103.4.108.62 AS58715 103.4.108.61
!
# BDHub Ltd
@RtConfig set cisco_access_list_no = 501
@RtConfig set cisco_map_name = "AS58656-IN"
@RtConfig import AS131208 103.4.108.94 AS58656 103.4.108.93
@RtConfig set cisco_access_list_no = 599
@RtConfig set cisco_map_name = "ANY"
@RtConfig export AS131208 103.4.108.94 AS58656 103.4.108.93
!
end
IRR Toolset, RPSL: rtconfig Output (Provision)
Live demonstration. Output is attached as Provision1.txt
IRR Toolset, RPSL: Daily Changes
● For automated processing we concentrate on:
○ AS-SET membership
● Changes in an AS-SET require the following configuration changes:
○ Prefix-list
○ AS-PATH access list
IRR Toolset, RPSL: rtconfig Input File (Changes)
# Earth Communication Ltd
@RtConfig set cisco_access_list_no = 500
@RtConfig aspath_access_list filter <^AS58715+ AS-58715*$>
@RtConfig access_list filter AS-58715
# BDHub Ltd
@RtConfig set cisco_access_list_no = 501
@RtConfig aspath_access_list filter <^AS58656+ AS-BDHUB*$>
@RtConfig access_list filter AS-BDHUB
!
end
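As an added example (neither IRRToolSet code nor the slides' rtconfig output), here is what the two @RtConfig directives in the changes file above have to compute for a customer as-set, done locally against a constructed registry snapshot. It covers the recursive expansion that the ",1" form of the !i query discussed under Advanced IRR queries performs server-side, with a cycle guard (nested as-sets can reference each other, and a loop must not hang the nightly run); the exact meaning of the RPSL range operators, where ^24 as used in the primer selects only the /24 specifics of a registered prefix, not the prefix itself, while ^+ includes it; and one conventional translation of the as-path expression <^ASn+ AS-SET*$> into Cisco regex syntax. The ASNs, prefixes and set names are invented (documentation ranges and private ASNs), and the output is illustrative rather than a byte-for-byte reproduction of rtconfig's.

```python
"""Expand an as-set, apply an RPSL range operator, emit Cisco prefix-list and
as-path access-list lines.  Added example; registry data is constructed."""
import ipaddress
import re

AS_SETS = {   # constructed as-set membership; the second set loops back on purpose
    "AS-CUSTOMER": ["AS64500", "AS-CUSTOMER-DOWNSTREAM"],
    "AS-CUSTOMER-DOWNSTREAM": ["AS64501", "AS-CUSTOMER"],
}
ROUTES = {    # constructed route objects: origin -> registered prefixes
    "AS64500": ["192.0.2.0/24", "198.51.100.0/25"],
    "AS64501": ["203.0.113.0/24", "192.0.2.0/24"],   # same prefix under two origins
}
ASN_RE = re.compile(r"^AS(\d+)$")
RANGE_RE = re.compile(r"^\^(\+|-|(\d+)(?:-(\d+))?)$")


def expand_as_set(name, sets=AS_SETS, _seen=None):
    """ASNs an as-set resolves to; each nested set is visited once, so loops end."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        return set()
    _seen.add(name)
    asns = set()
    for member in sets.get(name, []):
        if ASN_RE.match(member):
            asns.add(member)
        else:
            asns |= expand_as_set(member, sets, _seen)
    return asns


def prefixes_for(asns, routes=ROUTES):
    """Distinct prefixes registered under any of the origins, in address order."""
    nets = {ipaddress.ip_network(p) for a in asns for p in routes.get(a, [])}
    return sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))


def length_range(net, op):
    """(ge, le) selected on net by an RPSL range operator (RFC 2622 section 2):
    None = the prefix itself, ^+ = prefix and more-specifics, ^- = more-specifics
    only, ^n = the /n specifics only, ^n-m = specifics of length n to m.
    Returns None when nothing is selected (e.g. ^24 applied to a /25)."""
    lo = hi = net.prefixlen
    if op:
        m = RANGE_RE.match(op)
        if not m:
            raise ValueError("bad range operator %r" % op)
        if m.group(1) == "+":
            hi = net.max_prefixlen
        elif m.group(1) == "-":
            lo, hi = net.prefixlen + 1, net.max_prefixlen
        else:
            lo, hi = int(m.group(2)), int(m.group(3) or m.group(2))
    lo, hi = max(lo, net.prefixlen), min(hi, net.max_prefixlen)
    return (lo, hi) if lo <= hi else None


def cisco_prefix_list(name, asns, op=None):
    """Prefix-list lines for the registered routes of asns under range operator op."""
    lines = []
    for net in prefixes_for(asns):
        rng = length_range(net, op)
        if rng is None:
            continue
        lo, hi = rng
        entry = "ip prefix-list %s permit %s" % (name, net)
        if lo > net.prefixlen:
            entry += " ge %d" % lo
        if hi > net.prefixlen:
            entry += " le %d" % hi
        lines.append(entry)
    lines.append("ip prefix-list %s deny 0.0.0.0/0 le 32" % name)
    return lines


def cisco_aspath_acl(number, neighbor_asn, asns):
    """<^ASn+ AS-SET*$>: neighbour ASN first (possibly prepended), then members only."""
    n = neighbor_asn[2:]
    members = "|".join(sorted((a[2:] for a in asns), key=int))
    return ["ip as-path access-list %d permit ^%s(_%s)*(_(%s))*$" % (number, n, n, members)]


def render(neighbor_asn, set_name, acl_no, op="^24"):
    """Everything the access_list + aspath_access_list directives produce for one customer."""
    asns = expand_as_set(set_name)
    return cisco_prefix_list(set_name, asns, op) + cisco_aspath_acl(acl_no, neighbor_asn, asns)


if __name__ == "__main__":
    print("\n".join(render("AS64500", "AS-CUSTOMER", 500)))
```

Note what the default ^24 does to 198.51.100.0/25 in the sample: it is dropped, because a /25 has no /24 specifics. A policy written as AS-SET^24 therefore silently refuses any customer prefix longer than /24 and, less obviously, also refuses the registered aggregates themselves when they are shorter; AS-SET^+ or AS-SET^24-24 style operators need to be chosen deliberately rather than copied.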
IRR Toolset, RPSL: rtconfig Output (Changes)
Live demonstration. Output is attached as changes1.txt.
IRR Toolset, RPSL: Uploading Configuration
Various ways to upload the configuration:
● SNMP write
● NETCONF (XML based)
● Automated script using expect
IRR Toolset, RPSL: SNMP Write
Cons
● Secure only when SNMPv3 is used (v1/v2c community strings travel in clear text)
● Uses UDP
● Long-running process
● Non-standard MIB
● Tough to integrate with rtconfig
IRR Toolset, RPSL: NETCONF
Cons
● Designed for managing a large number of routers
● Overkill for a small number of routers
● Needs a detailed understanding of XML and how it works
● Not for the faint hearted
● Needs a detailed understanding of YANG too
IRR Toolset, RPSL: Expect
Expect is a tool for automating interactive applications such as telnet, ftp, passwd, fsck, rlogin, tip, etc.
Pros
● Good for automating tasks that prompt for information
● Easy to understand
● Used for automated testing
Cons
● Keeps login credentials inside the script
● Wrong file permissions can be fatal: anyone who can read the script has the router login
IRR Toolset, RPSL: Script for Configuration
#!/usr/local/bin/expect
# Push the rtconfig-generated change set (changes1.txt) to the router over SSH.
# The credentials live in this file: keep it mode 0600, owned by the account that runs it.
set timeout 500
set hostname "dhk-agg-rtr01.1asiacom.net"
set username "rtconfig"
set password "yovHyWer@lijZashexyuefs7"

# Read the whole change set into memory, then release the file handle
set file [open changes1.txt r]
set buffer [read $file]
close $file

spawn ssh -2 -l $username $hostname
expect "assword:" {
    send "$password\n"
}
expect "DHK-AGG-RTR01#" {
    send "conf t\n"
    expect "(config)#" {
        # Send the change set one line at a time, waiting for the prompt after each
        foreach line [split $buffer "\n"] {
            if {$line eq ""} continue
            send "$line\n"
            expect "(config)#"
        }
        send "commit\n"
        expect "(config)#" {
            send "exit\n"
        }
    }
}
expect "DHK-AGG-RTR01#" {
    send "exit\n"
}
close $spawn_id
IRR Toolset, RPSL: Further Reading
● RFC 2622: Routing Policy Specification Language
● RFC 2725: Routing Policy System Security
● RFC 2650: Using RPSL in Practice
● RFC 4012: Routing Policy Specification Language next generation (RPSLng)
● RFC 2726: PGP Authentication for RIPE Database Updates
● RFC 2769: Routing Policy System Replication
IRR Toolset, RPSL: Questions
Contact
person: Muhammad Moinur Rahman
address: The Alliance Building. (6th Floor),
address: 63 Pragati Sharani, Baridhara,
country: BD
phone: +8801977881132
e-mail: moin@1asia-ahl.com
nic-hdl: MMR13-AP
notify: moin@1asia-ahl.com
mnt-by: MAINT-BD-1ASIAAHL
changed: moin@1asia-ahl.com 20121128
source: APNIC

More Related Content

PDF
IRR Toolset, RPSL
Bangladesh Network Operators Group
 
PDF
Routing Security Workshop
RIPE NCC
 
PPTX
IRR Tutorial and RPKI Demo
APNIC
 
PPTX
Internet Routing Registry Tutorial, by Nurul Islam Roman [APRICOT 2015]
APNIC
 
PPTX
Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]
APNIC
 
PDF
RPSL and rpsltool
Marco d'Itri
 
PDF
Local Internet Registry-LIR-Training-Slides.pdf
akram583300
 
PDF
BGP Bugs, Hiccups and weird stuff: Issues seen by RT-BGP Toolkit
APNIC
 
Routing Security Workshop
RIPE NCC
 
IRR Tutorial and RPKI Demo
APNIC
 
Internet Routing Registry Tutorial, by Nurul Islam Roman [APRICOT 2015]
APNIC
 
Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]
APNIC
 
RPSL and rpsltool
Marco d'Itri
 
Local Internet Registry-LIR-Training-Slides.pdf
akram583300
 
BGP Bugs, Hiccups and weird stuff: Issues seen by RT-BGP Toolkit
APNIC
 

Similar to IRR toolset with rpsl (20)

PPT
16 bgp
TCT
 
PPTX
Implementing Internet and MPLS BGP
Private
 
PDF
VNIXNOG 2019: Securing Internet Routing
APNIC
 
PDF
The current state of anonymous filesharing
Marc Seeger
 
PDF
Finding the path, by Yoshinobu Matsuzaki [APNIC 38 / APOPS 1]
APNIC
 
PDF
MMIX Peering Forum: Securing Internet Routing
APNIC
 
PDF
Securing Internet Routing: RPSL & RPKI
APNIC
 
PDF
btNOG 6: Securing Internet Routing
APNIC
 
PDF
mnNOG 1: Securing internet Routing
APNIC
 
PDF
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Bangladesh Network Operators Group
 
PDF
2 4routing
Rupesh Basnet
 
PDF
BKNIX Peering Forum 2019: Securing Internet Routing
APNIC
 
DOC
Juniper policy based filter based forwarding
Mars Chen
 
PDF
PCTA e-Tech Show 2021: Securing Internet Routing
APNIC
 
PDF
Initial Experiences Route Filtering at the Edge AS15169 by Arturo L. Servin
MyNOG
 
PDF
The Next Generation Internet Number Registry Services
MyNOG
 
PDF
MyNOG 8: Next Generation Internet Number Registry Services
APNIC
 
PDF
AS-STATS
Thomas Mangin
 
PDF
Routing Registry Function Automation using RPKI & RPSL
APNIC
 
PDF
BSides: BGP Hijacking and Secure Internet Routing
APNIC
 
16 bgp
TCT
 
Implementing Internet and MPLS BGP
Private
 
VNIXNOG 2019: Securing Internet Routing
APNIC
 
The current state of anonymous filesharing
Marc Seeger
 
Finding the path, by Yoshinobu Matsuzaki [APNIC 38 / APOPS 1]
APNIC
 
MMIX Peering Forum: Securing Internet Routing
APNIC
 
Securing Internet Routing: RPSL & RPKI
APNIC
 
btNOG 6: Securing Internet Routing
APNIC
 
mnNOG 1: Securing internet Routing
APNIC
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Bangladesh Network Operators Group
 
2 4routing
Rupesh Basnet
 
BKNIX Peering Forum 2019: Securing Internet Routing
APNIC
 
Juniper policy based filter based forwarding
Mars Chen
 
PCTA e-Tech Show 2021: Securing Internet Routing
APNIC
 
Initial Experiences Route Filtering at the Edge AS15169 by Arturo L. Servin
MyNOG
 
The Next Generation Internet Number Registry Services
MyNOG
 
MyNOG 8: Next Generation Internet Number Registry Services
APNIC
 
AS-STATS
Thomas Mangin
 
Routing Registry Function Automation using RPKI & RPSL
APNIC
 
BSides: BGP Hijacking and Secure Internet Routing
APNIC
 
Ad

More from Muhammad Moinur Rahman (14)

PDF
FreeBSD is not Linux
Muhammad Moinur Rahman
 
PDF
Introduction to Blockchain
Muhammad Moinur Rahman
 
PDF
Network tips tricks
Muhammad Moinur Rahman
 
PDF
Practical Implementation of Large BGP communities with Geotags and Traffic En...
Muhammad Moinur Rahman
 
PDF
Importance of sshfp and configuring sshfp for network devices
Muhammad Moinur Rahman
 
PDF
BGP communities and geotags
Muhammad Moinur Rahman
 
PDF
The FreeBSD - PRIMER
Muhammad Moinur Rahman
 
PDF
FreeBSD Portscamp, Kuala Lumpur 2016
Muhammad Moinur Rahman
 
PDF
Software defined networking: Primer
Muhammad Moinur Rahman
 
PDF
Introduction to SDN
Muhammad Moinur Rahman
 
PDF
Rpki with rpki.net tools
Muhammad Moinur Rahman
 
PDF
FreeBSD and Hardening Web Server
Muhammad Moinur Rahman
 
PDF
Blockchain - The future of internet
Muhammad Moinur Rahman
 
PDF
Practical Implementation of BGP Community with Geotags
Muhammad Moinur Rahman
 
FreeBSD is not Linux
Muhammad Moinur Rahman
 
Introduction to Blockchain
Muhammad Moinur Rahman
 
Network tips tricks
Muhammad Moinur Rahman
 
Practical Implementation of Large BGP communities with Geotags and Traffic En...
Muhammad Moinur Rahman
 
Importance of sshfp and configuring sshfp for network devices
Muhammad Moinur Rahman
 
BGP communities and geotags
Muhammad Moinur Rahman
 
The FreeBSD - PRIMER
Muhammad Moinur Rahman
 
FreeBSD Portscamp, Kuala Lumpur 2016
Muhammad Moinur Rahman
 
Software defined networking: Primer
Muhammad Moinur Rahman
 
Introduction to SDN
Muhammad Moinur Rahman
 
Rpki with rpki.net tools
Muhammad Moinur Rahman
 
FreeBSD and Hardening Web Server
Muhammad Moinur Rahman
 
Blockchain - The future of internet
Muhammad Moinur Rahman
 
Practical Implementation of BGP Community with Geotags
Muhammad Moinur Rahman
 
Ad

Recently uploaded (20)

PDF
Software Development Methodologies in 2025
KodekX
 
PDF
Software Development Company | KodekX
KodekX
 
PPTX
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
PDF
Beyond Automation: The Role of IoT Sensor Integration in Next-Gen Industries
Rejig Digital
 
PDF
BLW VOCATIONAL TRAINING SUMMER INTERNSHIP REPORT
codernjn73
 
PDF
Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...
Sandesh Rao
 
PPTX
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
PDF
SparkLabs Primer on Artificial Intelligence 2025
SparkLabs Group
 
PDF
The Evolution of KM Roles (Presented at Knowledge Summit Dublin 2025)
Enterprise Knowledge
 
PDF
This slide provides an overview Technology
mineshkharadi333
 
PDF
REPORT: Heating appliances market in Poland 2024
SPIUG
 
PPTX
cloud computing vai.pptx for the project
vaibhavdobariyal79
 
PDF
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
PPTX
Coupa-Overview _Assumptions presentation
annapureddyn
 
PDF
Event Presentation Google Cloud Next Extended 2025
minhtrietgect
 
PDF
Architecture of the Future (09152021)
EdwardMeyman
 
PDF
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
PDF
Brief History of Internet - Early Days of Internet
sutharharshit158
 
PDF
Automating ArcGIS Content Discovery with FME: A Real World Use Case
Safe Software
 
PDF
MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdf
Neo4j
 
Software Development Methodologies in 2025
KodekX
 
Software Development Company | KodekX
KodekX
 
OA presentation.pptx OA presentation.pptx
pateldhruv002338
 
Beyond Automation: The Role of IoT Sensor Integration in Next-Gen Industries
Rejig Digital
 
BLW VOCATIONAL TRAINING SUMMER INTERNSHIP REPORT
codernjn73
 
Oracle AI Vector Search- Getting Started and what's new in 2025- AIOUG Yatra ...
Sandesh Rao
 
New ThousandEyes Product Innovations: Cisco Live June 2025
ThousandEyes
 
SparkLabs Primer on Artificial Intelligence 2025
SparkLabs Group
 
The Evolution of KM Roles (Presented at Knowledge Summit Dublin 2025)
Enterprise Knowledge
 
This slide provides an overview Technology
mineshkharadi333
 
REPORT: Heating appliances market in Poland 2024
SPIUG
 
cloud computing vai.pptx for the project
vaibhavdobariyal79
 
A Strategic Analysis of the MVNO Wave in Emerging Markets.pdf
IPLOOK Networks
 
Coupa-Overview _Assumptions presentation
annapureddyn
 
Event Presentation Google Cloud Next Extended 2025
minhtrietgect
 
Architecture of the Future (09152021)
EdwardMeyman
 
Accelerating Oracle Database 23ai Troubleshooting with Oracle AHF Fleet Insig...
Sandesh Rao
 
Brief History of Internet - Early Days of Internet
sutharharshit158
 
Automating ArcGIS Content Discovery with FME: A Real World Use Case
Safe Software
 
MASTERDECK GRAPHSUMMIT SYDNEY (Public).pdf
Neo4j
 

IRR toolset with rpsl

  • 2. 2 IRR Toolset, RPSL: Introducton ● Tutorial ○ Do not think of bypassing the RFC ● Target audience ○ Knowledge of Internet Routng(specially BGP) ○ Familiar with any IRR Database ○ No need to know Internet Routng Registry ● Layout ○ Theory ○ Handson Lab using IRR Power Tools, Net:IRR, rpsltools and IRRToolSet
  • 3. Page 3 Historical Context ● The basic concept of routng registries dates back to the 1980's and NSFNet ● A high-level policy based routng database (PRDB) was used to generate confgs ● NSFNet regional networks were required to submit Network Announcement Change Requests (NACR) to update the PRDB ● NACR’s documented connected networks and their Autonomous System numbers
  • 4. Page 4 Historical Context (Early European Works) ● RIPE – Reseaux IP Europeens ● Formed in 1989 to coordinate and promote IP networking in Europe ● Developed a registry for allocaton of IP addresses and Autonomous System numbers in Europe (frst RIR) ● No routng policy support initally
  • 5. Page 5 Historical Context (RIPE) ● RIPE-81 document was published in Feb, 1993 - extended the RIPE address registry to include basic routng policy informaton ● Added ability to specify an Autonomous System number for an IP address allocaton ● Also allowed the expression of Autonomous System relatonships
  • 6. Page 6 Historical Context (RIPE-181) ● RIPE-181 (RIPE-81++) document was published in Oct, 1994 ● Introduced concept of object classes ● Separated routng policy informaton from IP address allocaton informaton with introducton of the “route” object ● Extended Autonomous System policy expression functonality ● Also adopted a mechanism for grouping Autonomous Systems with the “as-macro”
Page 7
Historical Context (RPSL)
● In March 1995, the RIPE-181 standard was accepted as an IETF informational document – RFC 1786
● IETF created the Routing Policy System Working Group to revise and standardize the language under the auspices of the IETF
● Result was known as the Routing Policy Specification Language (RPSL)
Page 8
Historical Context (RFC 2622)
● RFC 2622 was released in June 1999 and formally defined the RPSL standard
● Based on the RIPE-181 standard
○ Significantly extended the functionality of the aut-num object
○ route object also extended
○ as-macro became the as-set object
○ Added a number of new object types
○ Included a dictionary-based extension mechanism
Page 9
Historical Context (RFC 2622 New Objects)
● as-set
● route-set
● filter-set
● rtr-set
● peering-set
● inet-rtr
● mntner, role, and person objects for authentication and contact information
Page 10
Historical Context (RFC 4012 RPSLng)
● IPv6 and multicast support
● Address Family Identifier (afi), e.g. ipv4.unicast, ipv6.unicast, any.unicast
● MPBGP added to the protocol dictionary
● RPSL types ipv6-address, ipv6-address-prefix and ipv6-address-prefix-range added
● Policy attributes mp-import, mp-export and mp-default added
● Class route6 added
● route-set class now supports both IPv4 and IPv6 via mp-members
● peering-set supports the mp-peering attribute
Page 11
Routing Policy Specification Language (RPSL)
● Object-based language
○ route, autonomous system, router, contact and set objects
● Defines the syntax, semantics and format of data in the IRR
● Vendor independent
● Extensible
● IETF Proposed Standard (RFC 2622), later extended with IPv6 and multicast support by RPSLng (RFC 4012); RFC 4012 builds on RFC 2622 rather than replacing it
● Based on RIPE-181 (RFC 1786)
Page 12
RPSL Basics
● Each object type (class) contains mandatory and optional attributes
● All objects must have these attributes
○ mnt-by: identifies the mntner object that controls the object
○ changed: lists the email address and time of the change
○ source: identifies the registry where the object is located
● Caveat: the RIPE Database has since retired the changed attribute in favour of server-generated created and last-modified attributes, so scripts that parse registry output should not assume it is present
Page 13
mntner Object
● mntner is an abbreviation of maintainer
● Identifies accounts in the registry
● Maintainer objects are used for authentication: whoever can satisfy the auth attribute can update every object that names the mntner in mnt-by, route objects included
● Specifies the authentication mechanism in the "auth" attribute
○ CRYPT-PW or MD5-PW – password auth
○ PGPKEY – PGP/GPG based auth
○ MAIL-FROM – email based auth
○ NONE
● MAIL-FROM is trivially spoofable and NONE is no authentication at all; the RIPE Database has retired CRYPT-PW and MAIL-FROM. Use PGPKEY, or the strongest password scheme the registry offers, on any mntner that protects route objects
Page 14
mntner Object Format
mntner:   [mandatory] [single]   [primary/look-up key]
descr:    [mandatory] [multiple]
admin-c:  [mandatory] [multiple] [inverse key]
tech-c:   [optional]  [multiple] [inverse key]
upd-to:   [mandatory] [multiple] [inverse key]
mnt-nfy:  [optional]  [multiple] [inverse key]
auth:     [mandatory] [multiple]
remarks:  [optional]  [multiple]
notify:   [optional]  [multiple] [inverse key]
mnt-by:   [mandatory] [multiple] [inverse key]
changed:  [mandatory] [multiple]
source:   [mandatory] [single]
Page 15
mntner Object Example
mntner:      MAINT-BD-1ASIAAHL
descr:       1Asia Alliance Communication Ltd
country:     BD
admin-c:     MMR13-AP
upd-to:      [email protected]
mnt-by:      MAINT-BD-1ASIAAHL
auth:        # Filtered
referral-by: APNIC-HM
changed:     [email protected] 20121127
source:      APNIC
(auth values are filtered from whois output; the registry never shows the password hash or key id)
Page 16
route/route6 Object
● Defines a CIDR prefix and its origin AS
● Most common type of object found in routing registries
● Used by a number of ISPs to generate filters on their customer BGP sessions
○ Customers must register all routes in order for their ISP to route them
○ Allows automation of adding new prefixes
Page 17
route/route6 object and keys
● Every RPSL class has a primary "key"
● For most classes, it is simply the main class attribute value
● For example, the mntner class uses the mntner attribute value as the key
● However, route objects use both the route and origin fields as the primary key
● There can be multiple objects for the same prefix with different origins
● This is by design
○ Multi-origin multi-homing
○ When changing to a new origin AS, you want routes for both until switched
● However, there are also many cases of multiples due to stale routes not being cleaned up
○ Stale objects are a security problem as well: a leftover route object with an old origin keeps that AS authorized in every IRR-based filter, so delete it when the relationship ends
Page 18
route/route6 Object Format
route:        [mandatory] [single]   [primary/look-up key]
descr:        [mandatory] [multiple]
origin:       [mandatory] [single]   [primary/inverse key]
withdrawn:    [optional]  [single]
member-of:    [optional]  [single]   [inverse key]
inject:       [optional]  [multiple]
components:   [optional]  [single]
aggr-bndry:   [optional]  [single]   [inverse key]
aggr-mtd:     [optional]  [single]
export-comps: [optional]  [single]
holes:        [optional]  [single]
remarks:      [optional]  [multiple]
cross-nfy:    [optional]  [multiple] [inverse key]
cross-mnt:    [optional]  [multiple] [inverse key]
notify:       [optional]  [multiple] [inverse key]
mnt-by:       [mandatory] [multiple] [inverse key]
changed:      [mandatory] [multiple]
source:       [mandatory] [single]
Page 19
route/route6 Object Example
route:       182.16.140.0/22
descr:       1Asia Communication Pte Ltd
origin:      AS10102
mnt-lower:   MAINT-BD-1ASIAAHL
mnt-routes:  MAINT-BD-1ASIAAHL
mnt-by:      MAINT-BD-1ASIAAHL
changed:     [email protected] 20121209
source:      APNIC
Page 20
aut-num Object
● Defines routing policy for an AS
● Uses mp-import: and mp-export: attributes to specify policy
● Can be used for highly detailed policy descriptions and automated config generation
● Can reference other registry objects such as
○ as-sets
○ route-sets
○ filter-sets
Page 21
aut-num Object Format
aut-num:    [mandatory] [single]   [primary/look-up key]
as-name:    [mandatory] [single]
descr:      [mandatory] [multiple]
member-of:  [optional]  [single]   [inverse key]
import:     [optional]  [multiple] [inverse key]
export:     [optional]  [multiple] [inverse key]
default:    [optional]  [multiple] [inverse key]
admin-c:    [mandatory] [multiple] [inverse key]
tech-c:     [mandatory] [multiple] [inverse key]
remarks:    [optional]  [multiple]
cross-nfy:  [optional]  [multiple] [inverse key]
cross-mnt:  [optional]  [multiple] [inverse key]
notify:     [optional]  [multiple] [inverse key]
mnt-by:     [mandatory] [multiple] [inverse key]
changed:    [mandatory] [multiple]
source:     [mandatory] [single]
Page 22
aut-num Object Example
aut-num:     AS10102
as-name:     SG-1ASIACOM-AS-AP
descr:       1Asia Communication Pte Ltd
descr:       151 Chin Swee Road
descr:       14-01 Manhattan House
country:     SG
admin-c:     SHC12-AP
tech-c:      MMR13-AP
mnt-by:      MAINT-SG-1ASIACOM-SG
mnt-routes:  MAINT-SG-1ASIACOM-SG
mnt-irt:     IRT-SG-1ASIACOM-SG
changed:     [email protected] 20100428
changed:     [email protected] 20121116
source:      APNIC
Page 23
as-set Object
● Provides a way of grouping ASes
● Name must begin with the prefix "AS-" or be hierarchical, in the format
○ AS<NUM>:AS-CUSTOMERS
○ AS<NUM>:AS-PEERS
● Frequently used to list downstream/customer AS numbers
● May be referenced in aut-num import/export policy expressions
● Can reference other as-sets
○ Caveat: a nested as-set is expanded under whoever maintains it, so referencing a set you do not control lets its maintainer put new ASes, and their prefixes, into your filters
Page 24
route-set Object
● Defines a set of route prefixes
● Name must begin with the prefix "RS-" or be hierarchical, in the format AS<NUM>:RS-<ORGANIZATION>
● Can reference other route-sets
● Can also reference ASes or as-sets
○ In this case, the route-set will include all route object prefixes whose origin matches one of the AS numbers
Page 25
route-set Object Format
route-set:   [mandatory] [single]   [primary/look-up key]
descr:       [mandatory] [multiple]
members:     [optional]  [single]
mbrs-by-ref: [optional]  [single]
remarks:     [optional]  [multiple]
tech-c:      [mandatory] [multiple] [inverse key]
admin-c:     [mandatory] [multiple] [inverse key]
notify:      [optional]  [multiple] [inverse key]
mnt-by:      [mandatory] [multiple] [inverse key]
changed:     [mandatory] [multiple]
source:      [mandatory] [single]
Page 26
route-set Object Example
route-set:   AS10102:RS-1ASIA
descr:       Routes announced across Peers
members:     103.4.108.0/22, 182.16.140.0/22
tech-c:      MMR13-AP
admin-c:     MMR13-AP
mnt-by:      MAINT-BD-1ASIAAHL
changed:     [email protected] 20140129
source:      APNIC
Page 27
filter-set Object
● Defines a set of routes that are matched by a filter expression
● Similar in concept to route-sets
● Name must begin with the prefix "fltr-"
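The attribute tables on pages 14, 18, 21 and 25 are exactly what a registry (or rpslcheck) enforces before accepting an object. The following is an added example, not code from the slides or from IRRToolSet: a small parser for the whois text form of RPSL objects plus a check of each object against its class template. The two clean objects are re-typed from the mntner and route examples on pages 15 and 19 (the e-mail addresses are placeholders, since the slides redact them); the third object is constructed to be broken. The templates are the mandatory/single/multiple columns of pages 14 and 18, and attributes outside a template are passed through unchecked.

```python
"""Parse RPSL objects from whois output and check them against class templates.

Added example, not code from the slides, from IRRToolSet or from rpslcheck.
"""

# class -> {attribute: (mandatory, multiple)}; subset of the tables on pages 14 and 18
TEMPLATES = {
    "mntner": {
        "mntner": (True, False), "descr": (True, True), "admin-c": (True, True),
        "tech-c": (False, True), "upd-to": (True, True), "mnt-nfy": (False, True),
        "auth": (True, True), "remarks": (False, True), "notify": (False, True),
        "mnt-by": (True, True), "changed": (True, True), "source": (True, False),
    },
    "route": {
        "route": (True, False), "descr": (True, True), "origin": (True, False),
        "member-of": (False, False), "holes": (False, False), "remarks": (False, True),
        "notify": (False, True), "mnt-by": (True, True), "changed": (True, True),
        "source": (True, False),
    },
}
# route/route6 are keyed by (prefix, origin) as page 17 explains; other classes by their class attribute
PRIMARY_KEYS = {"route": ("route", "origin"), "route6": ("route6", "origin")}


def parse_rpsl(text):
    """Split whois output into objects, each a list of (attribute, value) pairs.

    Objects end at a blank line, '#' starts a comment, '%' lines are server
    chatter, and a line starting with whitespace or '+' continues the previous
    attribute (RFC 2622 section 2).
    """
    objects, current = [], []
    for raw in text.splitlines():
        if raw.startswith("%"):
            continue
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in " \t+" and current:
            attr, value = current[-1]
            current[-1] = (attr, (value + " " + line.lstrip(" \t+")).strip())
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def primary_key(obj):
    """Primary key of a parsed object; the first occurrence wins for repeated attributes."""
    first = {}
    for attr, value in obj:
        first.setdefault(attr, value)
    cls = obj[0][0]
    return tuple(first.get(a, "") for a in PRIMARY_KEYS.get(cls, (cls,)))


def check_object(obj, templates=TEMPLATES):
    """Return the template violations of one parsed object ([] when it is clean)."""
    cls = obj[0][0]
    if cls not in templates:
        return [f"no template for class '{cls}'"]
    counts = {}
    for attr, _ in obj:
        counts[attr] = counts.get(attr, 0) + 1
    problems = []
    for attr, (mandatory, multiple) in templates[cls].items():
        n = counts.get(attr, 0)
        if mandatory and n == 0:
            problems.append(f"missing mandatory attribute '{attr}'")
        if not multiple and n > 1:
            problems.append(f"single-valued attribute '{attr}' given {n} times")
    return problems


def lint(text):
    """Map each object's primary key to its list of problems."""
    return {primary_key(o): check_object(o) for o in parse_rpsl(text)}


# Constructed sample: pages 15 and 19 re-typed (e-mail addresses are placeholders), plus a broken route.
SAMPLE = """\
% constructed sample; server comment lines like this one are skipped
mntner:      MAINT-BD-1ASIAAHL
descr:       1Asia Alliance Communication Ltd
country:     BD
admin-c:     MMR13-AP
upd-to:      noc@example.net
mnt-by:      MAINT-BD-1ASIAAHL
auth:        # Filtered
referral-by: APNIC-HM
changed:     noc@example.net 20121127
source:      APNIC

route:       182.16.140.0/22
descr:       1Asia Communication Pte Ltd
origin:      AS10102
mnt-lower:   MAINT-BD-1ASIAAHL
mnt-routes:  MAINT-BD-1ASIAAHL
mnt-by:      MAINT-BD-1ASIAAHL
changed:     noc@example.net 20121209
source:      APNIC

route:       192.0.2.0/24
descr:       deliberately incomplete object (constructed)
origin:      AS64496
origin:      AS64497
source:      TEST
"""

if __name__ == "__main__":
    for key, problems in lint(SAMPLE).items():
        print(key, problems or "ok")
```

Note what happens to the filtered auth line: after comment stripping the attribute is present with an empty value, which is the correct reading of registry output (the hash is hidden, not missing); an object you are about to submit, by contrast, must carry a real auth value.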
Page 28
The IRR (Internet Routing Registry)
● Concept of "the" Internet Routing Registry system established in 1995
● Shares information regarding production Internet Routing Registries
● Web site at http://www.irr.net
● Initially RIPE-181 format, shifted to RPSL
● Mirrors Routing Registry data in a common repository for simplified queries
● The IRR currently consists of roughly 35 operational registries
● Registry operators
○ Regional Internet Registries (RIRs), such as ARIN, RIPE, and APNIC
○ ISPs – SAVVIS, NTT, Level3
○ Non-affiliated public registries – RADB and ALTDB
Page 29
RADB Routing Registry
● The RADB launched in 1995 as part of the NSFNet-funded Routing Arbiter project
● The Routing Arbiter project was intended to ease the transition from the NSFNet to the commercial Internet
● The registry was used to configure Route Servers located at the designated Network Access Points (NAPs) in Chicago, Washington, New York, and San Francisco
● RADB transitioned from public NSFNet funding to a fee-based model in 1999
● Re-branded Routing Assets Database in 2002 – http://www.radb.net
● The registry can be queried at the website and via whois at whois.radb.net
● This server also mirrors the other registries in the IRR, as documented at www.irr.net
Page 30
Why Register?
● Document routing policy
● In particular, register route objects to associate network prefixes with an origin AS
● A number of transit providers require their customers to register routes and filter customer route announcements based on registry contents
● Filters unauthorized announcements to prevent route hijacking and denial of service
○ Caveat: the filter is only as good as the registry data; an attacker who can register a route object for your prefix in a weakly authenticated database passes such a filter
Page 31
Incidents
● BGP->RIP->BGP injection
● 128/7 leak
● bogon 0/0, 10/8 leaks
● Daily, someone is leaking someone else's prefix
Page 32
Common IRR query flags
● IRRs support a number of flag options
● -i flag performs an inverse query
○ "-i origin AS10102" returns all route objects with an origin of AS10102
○ "-i mnt-by MAINT-AS10102" returns all routes maintained by MAINT-AS10102
● -M flag returns more-specific route objects for a prefix
○ "-M 27.0.8.0/22" returns all more-specific route objects within the 27.0.8.0/22 prefix
● -s flag limits the number of sources queried
○ May not want to query all 30+ IRR databases
○ Example: "-s RADB,RIPE"
○ Also a trust decision: non-RIR registries do not verify that the registrant holds the address space, so prefer the RIR that allocated the prefix when sources disagree
● -K flag – return primary keys only
○ Useful for route object queries, excludes extraneous fields not needed for policy
○ Often used by tools
Page 33
Advanced IRR queries
● IRRd provides the ability to perform server-side set expansions (as-set and route-set)
● This is done with the "!i" query
○ "!iAS-ESNETUS" returns the members of the AS-ESNETUS as-set object
● Add a ",1" for a recursive expansion
○ "!iAS-ESNETUS,1" will recurse into any as-set members and return the individual AS members
○ Reduces the number of queries to the server
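To make the query semantics on pages 32 and 33 concrete, here is an added example (not code from the slides or from IRRd) that re-implements three of them over a constructed in-memory registry: "-i origin ASn", "-M prefix", and "!iSET" versus "!iSET,1". It also shows the one thing a client doing its own recursion must get right: as-sets may reference each other, by accident or on purpose, so the expansion has to remember what it has already visited. The registry uses documentation ASNs (RFC 5398) and prefixes (RFC 5737, RFC 3849), and set names follow the AS<NUM>:AS-CUSTOMERS convention of page 23; none of these objects exist in a real IRR.

```python
"""Re-implement three IRR query semantics over a constructed in-memory registry.

Added example, not code from the slides or from IRRd.
  -i origin ASn      -> routes_by_origin   (page 32)
  -M prefix          -> more_specifics     (page 32)
  !iSET and !iSET,1  -> expand_as_set      (page 33, non-recursive / recursive)
"""
import ipaddress

# as-set name -> members exactly as written in the object (constructed data)
AS_SETS = {
    "AS64496:AS-CUSTOMERS": ["AS64497", "AS64498:AS-CUSTOMERS"],
    "AS64498:AS-CUSTOMERS": ["AS64498", "AS64499", "AS64496:AS-CUSTOMERS"],  # points back: a cycle
}

# (prefix, origin): the primary key of each route/route6 object (constructed data)
ROUTES = [
    ("192.0.2.0/24", "AS64497"),
    ("198.51.100.0/24", "AS64498"),
    ("198.51.100.0/25", "AS64498"),
    ("198.51.100.128/25", "AS64500"),   # more specific with a different origin
    ("203.0.113.0/24", "AS64499"),
    ("2001:db8::/32", "AS64497"),
]


def routes_by_origin(asn, routes=ROUTES):
    """'-i origin ASn': prefixes of every route/route6 object whose origin is asn."""
    return [prefix for prefix, origin in routes if origin == asn]


def more_specifics(prefix, routes=ROUTES):
    """'-M prefix': route objects strictly inside prefix, same address family only."""
    net = ipaddress.ip_network(prefix)
    found = []
    for cand_prefix, origin in routes:
        cand = ipaddress.ip_network(cand_prefix)
        if cand.version == net.version and cand != net and cand.subnet_of(net):
            found.append((cand_prefix, origin))
    return found


def _is_asn(member):
    return member.upper().startswith("AS") and member[2:].isdigit()


def expand_as_set(name, recursive, as_sets=AS_SETS):
    """'!iNAME' (recursive=False) returns members as written, nested set names included.
    '!iNAME,1' (recursive=True) flattens nested sets into AS numbers.
    Returns None for an unknown set, as IRRd answers 'D' (key not found)."""
    if name not in as_sets:
        return None
    if not recursive:
        return sorted(as_sets[name])
    asns, seen, todo = set(), set(), [name]
    while todo:
        current = todo.pop()
        if current in seen:          # already expanded: this is what breaks reference cycles
            continue
        seen.add(current)
        for member in as_sets.get(current, []):   # a dangling set reference expands to nothing
            if _is_asn(member):
                asns.add(member)
            else:
                todo.append(member)
    return sorted(asns)


def prefixes_for_set(name, as_sets=AS_SETS, routes=ROUTES):
    """What 'access_list filter <as-set>' (page 58) needs: every prefix originated by
    any AS in the recursively expanded set."""
    members = expand_as_set(name, recursive=True, as_sets=as_sets) or []
    return sorted({p for asn in members for p in routes_by_origin(asn, routes)})


if __name__ == "__main__":
    print(expand_as_set("AS64496:AS-CUSTOMERS", recursive=False))
    print(expand_as_set("AS64496:AS-CUSTOMERS", recursive=True))
    print(prefixes_for_set("AS64496:AS-CUSTOMERS"))
```

The cycle in AS_SETS is deliberate: without the seen set the recursive expansion never terminates, and a real registry can contain such loops because each set is edited by a different maintainer. Note also that "198.51.100.128/25" surfaces under "-M 198.51.100.0/24" with an origin that is not in the customer set at all; that is the case an origin-based filter exists to catch.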
Page 34
Advanced RPSL – aut-num
● The aut-num object can be used to express an Autonomous System's routing policy and peering information
● Powerful structured syntax allows for complex policy expressions
● Some operators drive their network configuration off their RPSL data
● Others simply use it to document AS relationships in a public manner
Page 35
RPSL Tools
● Several tools have been developed to facilitate the use of RPSL registry data in the configuration of networks
● Tools range from sophisticated and powerful to simple and limited
● Use the IRR by querying over the whois protocol
● Some ISPs use in-house developed tools which process RPSL database files directly
Page 36
Tools of the trade for RPSL
● IRRToolSet
● Net::IRR
○ Perl module supporting basic IRR queries
● IRR Power Tools
○ IRR-based router configuration – PHP + CVS
● rpsltool – generates Cisco configs – Perl
Page 38
IRRToolSet
● Based on the original RAToolSet used in the NSF Routing Arbiter project
● Written in C++ and now maintained by ISC
● The rtconfig tool uses templates to generate router configs from IRR data
● Other provided tools include
○ peval – low-level policy evaluation tool
○ rpslcheck – verifies the RPSL syntax of objects
● Death of IRRToolSet??
● Revamped by ISC, yet complex to configure
Page 39
Net::IRR
● Perl CPAN module
● Provides several useful Perl functions
○ get_routes_by_origin
○ get_ipv6_routes_by_origin
○ get_as_set
○ get_route_set
○ route_search
Page 40
IRR Power Tools
● PHP-based toolset
○ http://sourceforge.net/projects/irrpt
● Allows an ISP to easily track, manage and utilize IRR data
● Performs tracking with CVS
● Can email notifications of updates
● The irrpt_pfxgen script can generate router configs in Cisco/Foundry, Juniper, Extreme, and Force10 formats
Page 41
Routing Registry Futures
● RPKI (Resource Public Key Infrastructure) work will likely have an impact on routing registry usage
● APNIC along with RIPE has already designed the portal for RPKI usage
● The latest subset of IRRToolSet has added support for integrating RPKI along with RPSL
● Unlike an IRR route object, an RPKI ROA is signed by the holder of the address space, which is why it is the stronger statement of who may originate a prefix
Page 42
• Feeling sorry for being here .. ☚
• Don't be ..
• Configuration part will make you think life is really easy .. ☺
Let's go for a Tea Break
Page 43
IRR Toolset, RPSL: Installation
● Available in most Unix/Linux-like OSes
● Basic requirements for IRRToolSet are as follows
○ GNU Make
○ GCC
○ flex
○ bison
○ libtool
● Additional tools for auto-configuration are as follows:
○ expect
○ cron
Page 44
IRR Toolset, RPSL: Installation – Get Source
root@bofh:~ # wget ftp://ftp.isc.org/isc/IRRToolSet/IRRToolSet-5.0.1/irrtoolset-5.0.1.tar.gz
root@bofh:~ # tar -zxvf irrtoolset-5.0.1.tar.gz
root@bofh:~ # cd irrtoolset-5.0.1
(plain FTP gives no integrity guarantee; compare the tarball against the checksum or signature published for the release before building it; current releases live at https://github.com/irrtoolset/irrtoolset)
Page 45
IRR Toolset, RPSL: Installation – Build and Install
root@bofh:~/irrtoolset-5.0.1 # ./configure
root@bofh:~/irrtoolset-5.0.1 # make
root@bofh:~/irrtoolset-5.0.1 # make install
Page 46
IRR Toolset, RPSL: RPSL Primer
root@bofh:~ # whois -h whois.apnic.net AS131208
#####snipped######
mp-import:   afi any.unicast {
               from AS-ANY accept ANY AND NOT RS-MARTIANS;
             } refine {
               from AS-ANY action pref = 50; accept community.contains(131208:50);
               from AS-ANY action pref = 30; accept community.contains(131208:70);
               from AS-ANY action pref = 10; accept community.contains(131208:90);
               from AS-ANY action pref = 0;  accept ANY;
             } refine afi ipv4.unicast {
Page 47
IRR Toolset, RPSL: RPSL Primer (Contd)
               from AS6453 66.110.0.126 at 103.4.109.254
                 action pref=10; community.append(131208:11000,131208:11010,131208:11011);
                 accept ANY AND NOT RS-MARTIANS;
               from AS58715 103.4.108.62 at 103.4.108.61
                 action community.append(131208:41000,131208:41010,131208:41011);
                 accept AS-58715^24 AND <^AS58715+ AS-58715*$>;
               from AS58656 103.4.108.94 at 103.4.108.93
                 action community.append(131208:41000,131208:41010,131208:41011);
                 accept AS-BDHUB^24 AND <^AS58656+ AS-BDHUB*$>;
               from AS58657 103.4.108.178 at 103.4.108.177
                 action community.append(131208:41000,131208:41010,131208:41011);
                 accept AS58657^24 AND <^AS58657+$>;
               from AS15169 27.0.9.10 at 27.0.9.9
                 action pref=5; community.append(131208:31000,131208:31020,131208:31021);
                 accept AS15169^24 AND <^AS15169+ AS-GOOGLE*$>;
             } refine afi ipv6.unicast {
Page 48
IRR Toolset, RPSL: RPSL Primer (Contd)
               from AS6453 2001:5a0:2300:100::55 at 2001:5a0:2300:100::56
                 action pref=10; community.append(131208:11000,131208:11010,131208:11011);
                 accept ANY AND NOT RS-MARTIANS;
               from AS15169 2404:a100:2000::11 at 2404:a100:2000::12
                 action pref=5; community.append(131208:31000,131208:31020,131208:31021);
                 accept AS15169 AND <^AS15169+ AS-GOOGLE*$>;
             }
● Reading note: in RPSL the smallest pref value is the most preferred (RFC 2622), the opposite of BGP local-preference, so pref=0 above is the strongest preference, not the weakest
Page 49
IRR Toolset, RPSL: rtconfig Caveats
● Hard to debug, as the debug messages give no clue to the original error
● By default uses the irrd whois protocol, which none of the RIRs use except Merit RADB
● For use with the APNIC, RIPE etc. RIR whois servers we must change the protocol to bird (the original RIPE whois daemon)
Page 50
IRR Toolset, RPSL: rtconfig
● Prompt-based shell application
● root@bofh:~ # rtconfig -h whois.apnic.net -protocol bird
<rtconfig> takes any of the following commands:
@rtconfig import <ASN-1> <rtr-1> <ASN-2> <rtr-2>
@rtconfig export <ASN-1> <rtr-1> <ASN-2> <rtr-2>
@rtconfig configureRouter <inet-rtr-name>
@rtconfig importGroup <ASN-1> <peering-set-name>
@rtconfig exportGroup <ASN-1> <peering-set-name>
@rtconfig static2bgp <ASN-1> <rtr-1>
@rtconfig set sources = <source-list>
@rtconfig access_list filter <filter>
@rtconfig aspath_access_list filter <filter>
@rtconfig printPrefixes <format> filter <filter>
Page 51
IRR Toolset, RPSL: rtconfig (Contd)
@rtconfig printPrefixRanges <format> filter <filter>
@rtconfig printSuperPrefixRanges <format> filter <filter>
Page 52
IRR Toolset, RPSL: rtconfig (Contd)
Cisco specific
@rtconfig set cisco_map_name = <map-name>
@rtconfig set cisco_map_first_no = <no>
@rtconfig set cisco_map_increment_by = <no>
@rtconfig set cisco_prefix_acl_no = <no>
@rtconfig set cisco_aspath_acl_no = <no>
@rtconfig set cisco_pktfilter_acl_no = <no>
@rtconfig set cisco_community_acl_no = <no>
@rtconfig set cisco_access_list_no = <no>
@rtconfig set cisco_max_preference = <no>
@rtconfig networks <ASN-1>
@rtconfig inbound_pkt_filter <if-name> <ASN-1> <rtr-1> <ASN-2> <rtr-2>
Page 53
IRR Toolset, RPSL: rtconfig (Contd)
@rtconfig pkt_filter <if-name> <ASN-1> <rtr-1> <ASN-2> <rtr-2>
@rtconfig outbound_pkt_filter <if-name> <ASN-1> <rtr-1> <ASN-2> <rtr-2>
Page 54
IRR Toolset, RPSL: rtconfig (Contd)
Junos specific
@rtconfig set junos_policy_name = <policy-name>
@rtconfig networks <ASN-1>
Page 55
IRR Toolset, RPSL: rtconfig Input File (Provision)
router bgp 131208
 neighbor 103.4.108.54 remote-as 58682
 neighbor 103.4.108.54 version 4
!
# Earth Communication Ltd
@RtConfig set cisco_access_list_no = 500
@RtConfig set cisco_map_name = "AS58715-IN"
@RtConfig import AS131208 103.4.108.62 AS58715 103.4.108.61
@RtConfig set cisco_access_list_no = 599
@RtConfig set cisco_map_name = "ANY"
@RtConfig export AS131208 103.4.108.62 AS58715 103.4.108.61
!
# BDHub Ltd
@RtConfig set cisco_access_list_no = 501
@RtConfig set cisco_map_name = "AS58656-IN"
@RtConfig import AS131208 103.4.108.94 AS58656 103.4.108.93
@RtConfig set cisco_access_list_no = 599
@RtConfig set cisco_map_name = "ANY"
@RtConfig export AS131208 103.4.108.94 AS58656 103.4.108.93
!
end
Page 56
IRR Toolset, RPSL: rtconfig Input File (Output)
Live demonstration. Output is attached as Provision1.txt
Page 57
IRR Toolset, RPSL: Daily Changes
● For automated processing we concentrate on:
○ AS-SET
● Changes in an AS-SET require the following configuration changes:
○ Prefix-list
○ AS-PATH access list
○ Caveat: whatever a customer adds to its as-set lands in your filters on the next run, so diff the generated lists against the previous run and hold unexpectedly large additions for review before pushing them
Page 58
IRR Toolset, RPSL: rtconfig Input File (Changes)
# Earth Communication Ltd
@RtConfig set cisco_access_list_no = 500
@RtConfig aspath_access_list filter <^AS58715+ AS-58715*$>
@RtConfig access_list filter AS-58715
# BDHub Ltd
@RtConfig set cisco_access_list_no = 501
@RtConfig aspath_access_list filter <^AS58656+ AS-BDHUB*$>
@RtConfig access_list filter AS-BDHUB
!
end
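The two directives above, access_list filter and aspath_access_list filter, are where the policy of page 47 (accept AS-58715^24 AND <^AS58715+ AS-58715*$>) is turned into router configuration. The following is an added example, not rtconfig's own template code (rtconfig numbers and formats its lists differently): it takes the two things rtconfig fetches from the registry, the recursively expanded members of a customer as-set and the route objects those members originate, and renders the RFC 2622 range operators as Cisco prefix-list entries and the RPSL as-path regexp as a Cisco as-path access-list. All inputs are constructed with documentation ASNs (RFC 5398) and prefixes (RFC 5737); the as-set name, prefix-list name and ACL number are invented for the example.

```python
"""Render RPSL range operators and an as-path regexp into Cisco filter lines.

Added example, not rtconfig's template output. Covers, for one customer session:
  access_list filter AS-SET^24              -> ip prefix-list   (page 58)
  aspath_access_list filter <^ASn+ AS-SET*$> -> ip as-path access-list
"""
import re

_RANGE_OP = re.compile(r"^\^(\+|-|(\d+)(?:-(\d+))?)$")


def prefix_range(prefix, op=""):
    """Map an RFC 2622 range operator onto (prefix, ge, le) for a prefix-list entry.

    ''     the prefix itself           '^+'   it and all more specifics
    '^-'   more specifics only         '^n'   exactly length n
    '^n-m' lengths n..m
    A range that does not fit inside the prefix is rejected rather than
    silently widened; a widened filter is the failure mode to avoid."""
    plen = int(prefix.split("/")[1])
    maxlen = 128 if ":" in prefix else 32
    if op == "":
        return prefix, plen, plen
    m = _RANGE_OP.match(op)
    if not m:
        raise ValueError(f"bad range operator {op!r}")
    if m.group(1) == "+":
        return prefix, plen, maxlen
    if m.group(1) == "-":
        if plen == maxlen:
            raise ValueError(f"{prefix} has no more specifics")
        return prefix, plen + 1, maxlen
    ge = int(m.group(2))
    le = int(m.group(3)) if m.group(3) else ge
    if not plen <= ge <= le <= maxlen:
        raise ValueError(f"{op} is outside /{plen}../{maxlen} for {prefix}")
    return prefix, ge, le


def cisco_prefix_list(name, prefixes, op="", step=5):
    """One permit entry per route object after applying op. Anything not listed
    is dropped by the implicit deny at the end of a Cisco prefix-list."""
    lines = []
    for i, prefix in enumerate(prefixes, start=1):
        p, ge, le = prefix_range(prefix, op)
        plen = int(p.split("/")[1])
        family = "ipv6" if ":" in p else "ip"
        entry = f"{family} prefix-list {name} seq {i * step} permit {p}"
        if (ge, le) != (plen, plen):
            if ge > plen:
                entry += f" ge {ge}"
            entry += f" le {le}"
        lines.append(entry)
    return lines


def _digits(asn):
    s = str(asn)
    return s[2:] if s.upper().startswith("AS") else s


def cisco_aspath_regex(neighbor_as, member_asns):
    """Render <^ASn+ AS-SET*$>: the neighbour AS one or more times, then any
    sequence of the set's members. Cisco's '_' stands for start, end, space or
    comma, so an AS number cannot match as a substring of a longer one."""
    n = _digits(neighbor_as)
    members = "|".join(str(a) for a in sorted({int(_digits(a)) for a in member_asns}))
    return f"^(_{n})+(_({members}))*$"


def customer_session_filters(neighbor_as, as_set, member_asns, prefixes, op, aspath_acl):
    """Everything the page 58 'Changes' run regenerates for one customer session."""
    pl_name = as_set.replace(":", "_")
    lines = cisco_prefix_list(pl_name, prefixes, op)
    regex = cisco_aspath_regex(neighbor_as, member_asns)
    lines.append(f"ip as-path access-list {aspath_acl} permit {regex}")
    return lines


# Constructed inputs: what a recursive !i expansion and '-i origin' lookups would have returned.
MEMBERS = ["AS64496", "AS64497", "AS64498"]
PREFIXES = ["192.0.2.0/24", "198.51.100.0/22", "203.0.113.0/24"]

if __name__ == "__main__":
    for line in customer_session_filters("AS64496", "AS64496:AS-CUSTOMERS", MEMBERS, PREFIXES, "^24", 100):
        print(line)
```

Run against the constructed inputs, the /22 route object becomes "198.51.100.0/22 ge 24 le 24": the ^24 operator of the page 47 policy admits only the /24 pieces, not the registered /22 itself, which is easy to miss when a customer complains that their aggregate is being dropped.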
Page 59
IRR Toolset, RPSL: rtconfig Input File (Output)
Live demonstration. Output is attached as changes1.txt.
Page 60
IRR Toolset, RPSL: Uploading Configuration
Various ways to upload configuration:
● SNMP Write
● NETCONF, XML based
● Automated script using expect
Page 61
IRR Toolset, RPSL: SNMP Write Cons
● Secure only when SNMPv3 is used
● Uses UDP
● Long-running process
● Non-standard MIB
● Tough to integrate with rtconfig
Page 62
IRR Toolset, RPSL: NETCONF Cons
● Works well with a large number of routers
● Overkill for a small number of routers
● Needs a detailed understanding of XML and how it works
● Not for the faint-hearted
● Needs a detailed understanding of YANG too
Page 63
IRR Toolset, RPSL: Expect
Expect is a tool for automating interactive applications such as telnet, ftp, passwd, fsck, rlogin, tip, etc.
Pros
● Good for automating tasks that prompt for information
● Easy to understand
● Used for automated testing
Cons
● Keeps login credentials inside the script
● Wrong file permissions can be fatal
○ Mitigations: give the script its own router account limited to the commands it needs, prefer SSH key authentication over a password in the file, and keep the script mode 0600 and owned by the user that runs it
Page 64
IRR Toolset, RPSL: Script for Configuration
#!/usr/local/bin/expect
# The password lives in this file (the con listed on page 63): keep it mode 0600.
set timeout 500
set hostname "dhk-agg-rtr01.1asiacom.net"
set username "rtconfig"
set password "yovHyWer@lijZashexyuefs7"
# Read the whole rtconfig output (changes1.txt) in one go.
set file [open changes1.txt r]
set buffer [read $file]
close $file
spawn ssh -2 -l $username $hostname
expect "assword:" { send "$password\n" }
Page 65
IRR Toolset, RPSL: Script for Configuration (Contd)
expect "DHK-AGG-RTR01#" { send "conf t\n" }
expect "(config)#"
# Send one line at a time and wait for the prompt so no line is lost.
foreach line [split $buffer "\n"] {
    if {$line eq ""} { continue }
    send "$line\n"
    expect "(config)#"
}
send "commit\n"
expect "(config)#"
send "exit\n"
expect "DHK-AGG-RTR01#" { send "exit\n" }
close $spawn_id
Page 66
IRR Toolset, RPSL: Further Reading
● RFC 2622: Routing Policy Specification Language
● RFC 2725: Routing Policy System Security
● RFC 2650: Using RPSL in Practice
● RFC 4012: Routing Policy Specification Language next generation (RPSLng)
● RFC 2726: PGP Authentication for RIPE Database Updates
● RFC 2769: Routing Policy System Replication
Page 67
IRR Toolset, RPSL: Questions
Contact
person:   Muhammad Moinur Rahman
address:  The Alliance Building (6th Floor),
address:  63 Pragati Sharani, Baridhara,
country:  BD
phone:    +8801977881132
e-mail:   [email protected]
nic-hdl:  MMR13-AP
notify:   [email protected]
m
mnt-by:   MAINT-BD-1ASIAAHL
changed:  [email protected] 20121128
source:   APNIC