By Keessun Fokeerah Member Services(MS) Team

Presentation transcript:

Routing Security: AFRINIC Internet Routing Registry (IRR) Tutorial
By Keessun Fokeerah, Member Services (MS) Team
irr@afrinic.net

Target Audience
- Network engineers (registered technical contacts of AFRINIC members)
- Prior AFRINIC INRM training, including WHOIS-101, is recommended
- Conversant with the AFRINIC whois database & RPSL (RFC 2622)
- Have appropriate rights to create/migrate route objects (hold the organisation's maintainer password)

Objectives
- Create awareness of the AFRINIC IRR
- Increase adoption of the AFRINIC IRR
- Aid with migration of existing route objects & routing information from other routing registries
- How to create your route objects
- Sensitise on impacts of the "AFRINIC IRR homing project" at RIPE NCC

Introduction
- AFRINIC deployed and showcased an Internet Routing Registry (IRR) during its AFRINIC-18 meeting (17th June 2013).
- Up till last year, AFRINIC members were asked by AFRINIC to add route objects on the RIPE IRR.
- Some members also had routing policy information hidden in 'remarks' fields in the AFRINIC WHOIS itself.

Why do we need a routing registry?
- Each RIR database is independent from the other RIRs' databases.
- Routing registries are queried by upstream/transit providers for:
  - Updating filter lists, ensuring stability and consistency of routing information shared via BGP.
  - Better control of BGP traffic, for example to avoid bogons.
- If you don't have objects in the RIPE NCC database, then you need to create new objects to avoid being filtered by upstream providers.
- Based on the routing policy, other objects may need to be created (AS-SET & ROUTE-SET).
- For routing purposes not all objects are needed. It depends on the situation and routing policy.

AFRINIC IRR Features
- Open to AFRINIC Resource members and Legacy Resource Holders in the AFRINIC service region
- AFRINIC IRR is mirrored by the other IRRs such as APNIC, RIPE NCC, NTTCOM, AMS-IX, Work Online (SA) and even RADB.
- Network operators will be able to point to our routing registry and enjoy a one-stop-shop kind of service for routing related information.
- Stable & secure source of routing information
- AFRINIC IRR service is now part of the WHOIS service.

Benefits of the AFRINIC IRR
Cost
- Free service provided to the community.
Easy maintenance
- Integrated into the AFRINIC whois, so the same set of objects is used (aut-num, maintainer etc.)
Security
- Route objects are tied to aut-num; created only by AFRINIC Hostmasters.
- Only the "holder" of prefixes can create route objects for a given inetnum.
- Considerably reduced risk of hijacking.
- No publicly available password such as RIPE-NCC-RPSL-MNT at RIPE NCC

AFRINIC Routing Registry Overview

WHOIS DB Objects List
- Mntner: maintainer, used to protect objects and associated with an authentication method: password, X.509 or PGP key.
- Aut-num: information about the Autonomous System Number (ASN).
- Route: describes routing information about a specific IPv4 range intended to be advertised to the Internet.
- Route6: describes routing information about a specific IPv6 range intended to be advertised to the Internet.
- AS-Set: describes a set of aut-nums, which usually identifies the origin of all the prefixes that will be advertised by the organisation. Applicable to a member using multiple ASNs to announce the same prefix(es).
- ROUTE-Set: the simple method to maintain a list of routes is to use a route-set object. A customer using a route-set object to maintain their list of advertised routes would simply ask their upstream to use an import policy to build their filter.

Route/route6 object creation workflow
- Route/Route6: the workflow does not differentiate between route and route6 objects.
- The resources AFRINIC manages are considered "in region" and will be called "IN".
- The resources AFRINIC does not manage are called "OUT".

Route/route6 object creation workflow(old)

Route/route6 object creation new workflow

Route/route6 object creation workflow (cont)
Scenario 1: Prefix OUT & ASN (IN or OUT)
If the prefix is OUT, the request to create the route object will be rejected irrespective of the ASN being administered by AFRINIC or not.

Route/route6 object creation – Prefix OUT


Route/route6 object creation workflow (cont)
Scenario 2: Prefix IN & ASN IN
Both the prefix and the aut-num are administered by AFRINIC. Creation shall be allowed if the 3 "phases" of authentication succeed:
1. Inetnum authentication by the first of the following maintainers:
   - mnt-routes
   - mnt-lower
   - mnt-by
2. Autnum authentication by the first of the following maintainers:
3. Route object authentication using mnt-by (of the route object)
Note: If different maintainers are used, all the authentications must be concluded no later than 7 days after the first submission.
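The rejection in Scenario 1 and the three-phase check in Scenario 2, sketched in Python as an added example (not AFRINIC's code). The maintainer names and sample objects are constructed, and the maintainer order for the aut-num phase is an assumption because the slide does not list it.

```python
from datetime import datetime, timedelta

INETNUM_ORDER = ("mnt-routes", "mnt-lower", "mnt-by")  # order given on the slide
# ASSUMPTION: the slide's list for the aut-num phase is missing; the same order is assumed.
AUTNUM_ORDER = ("mnt-routes", "mnt-lower", "mnt-by")
WINDOW = timedelta(days=7)  # all authentications must land within 7 days of submission

def first_maintainers(obj, order):
    """Maintainers of the first attribute in `order` that the object carries."""
    for attr in order:
        if obj.get(attr):
            return set(obj[attr])
    return set()

def decide(route, inetnum, autnum, approvals, submitted, now):
    """Return (status, phases still missing).

    inetnum / autnum are None when the resource is OUT (not managed by AFRINIC).
    approvals maps a maintainer name to the time it authenticated the request.
    """
    if inetnum is None:
        return ("REJECTED", [])      # Scenario 1: prefix OUT, ASN irrelevant
    if autnum is None:
        return ("NOT_COVERED", [])   # prefix IN with ASN OUT is not detailed on the page
    phases = [
        ("inetnum", first_maintainers(inetnum, INETNUM_ORDER)),
        ("aut-num", first_maintainers(autnum, AUTNUM_ORDER)),
        ("route", set(route.get("mnt-by", []))),
    ]
    deadline = submitted + WINDOW
    missing = [name for name, mnts in phases
               if not any(m in approvals and submitted <= approvals[m] <= deadline for m in mnts)]
    if not missing:
        return ("CREATED", [])
    return ("EXPIRED" if now > deadline else "PENDING", missing)

# Constructed sample objects (documentation prefix/ASN, hypothetical maintainer names).
T0 = datetime(2019, 1, 1)
INETNUM = {"inetnum": "192.0.2.0/24", "mnt-lower": ["PREFIX-LIR-MNT"], "mnt-by": ["REGISTRY-MNT"]}
AUTNUM = {"aut-num": "AS64500", "mnt-by": ["ASN-HOLDER-MNT"]}
ROUTE = {"route": "192.0.2.0/24", "origin": "AS64500", "mnt-by": ["PREFIX-LIR-MNT"]}

if __name__ == "__main__":
    partial = {"PREFIX-LIR-MNT": T0}
    print(decide(ROUTE, INETNUM, AUTNUM, partial, T0, T0 + timedelta(days=3)))
    full = dict(partial, **{"ASN-HOLDER-MNT": T0 + timedelta(days=2)})
    print(decide(ROUTE, INETNUM, AUTNUM, full, T0, T0 + timedelta(days=3)))
```

Because the inetnum carries `mnt-lower`, its `mnt-by` maintainer alone cannot satisfy the first phase: only the first attribute present in the order is consulted.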

Route(6) creation – Prefix & ASN OUT/IN

Route(6) object creation – Prefix & ASN IN


RIPE: AFRINIC IRR homing project
Proposed Implementation
Step 1: Communicate
- Operators are encouraged to add the AFRINIC IRR to their tool chains
- AFRINIC continues aiding migration of objects into the AFRINIC IRR
Step 2: Freeze in RIPE IRR
- 3 months after step 1
- No new route(6) objects allowed for AFRINIC ASN and prefix
- Modify or delete for existing objects by maintainers
Step 3: Clean-up objects
- 3 months after step 2
- Remaining route(6) objects are deleted in the RIPE IRR and imported as locked objects in the AFRINIC IRR.
- AFRINIC resource holders can delete objects
On 26th May 2016 during RIPE-72

RIPE: AFRINIC IRR homing project
Proposed Implementation
Step 1: Communicate
- Operators are encouraged to add the AFRINIC IRR to their tool chains
- AFRINIC continues aiding migration of objects into the AFRINIC IRR
Step 2: Freeze/lock in RIPE IRR
- Implemented as part of NWI-5

NWI-5 Changes on RIPE IRR
Effective: 4th Sept 2018
- The RIPE-NCC-RPSL-MNT maintainer was deleted
- Creation of out-of-region aut-num (ASN) objects is no longer possible
- The RIPE IRR no longer supports the creation of out-of-region route(6) objects
- Existing non-RIPE-managed route(6) objects have been moved under the source "RIPE-NONAUTH"
- The existing out-of-region objects may eventually be deleted after further discussion by the RIPE Database Working Group

NWI-5 impacts
Impact
- Operators who still had their objects in RIPE-NONAUTH have been impacted during the change
- Operators who still have not migrated are liable to future deletion, and thus their traffic will be affected

AFRINIC IRR adoption
AFRINIC encourages adoption of the IRR through:
1. BoFs at AFRINIC meetings and outreach at regional events
2. During boot camps.
Purpose:
● Inform the community that the AFRINIC IRR is ready & invite members to use it
● Promote use of the migration tool to simplify migration of existing objects from other IRRs
● Encourage participants to use AFRINIC tools (MyAFRINIC, webupdate) to manage their route objects & routing policy
● Encourage them to clean up the various registries to avoid inconsistencies, using tools such as http://irrexplorer.nlnog.net
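A migration check for the NWI-5 situation described above, as an added Python example (not an AFRINIC or RIPE NCC tool): it sorts route(6) objects left under the "RIPE-NONAUTH" source by whether the AFRINIC source holds the same prefix and origin. The RPSL text is a constructed sample using documentation prefixes and ASNs.

```python
import ipaddress
# Constructed sample of RPSL route(6) objects (documentation prefixes and ASNs).
SAMPLE = """\
route:   192.0.2.0/24
origin:  AS64500
source:  RIPE-NONAUTH

route:   192.0.2.0/24
origin:  AS64500
source:  AFRINIC

route:   198.51.100.0/24
origin:  as64501
source:  RIPE-NONAUTH

route6:  2001:db8::/32
origin:  AS64500
source:  RIPE-NONAUTH

route6:  2001:DB8::/32
origin:  AS64502
source:  AFRINIC
"""

def parse_routes(text):
    """Yield (network, origin, source) for every route/route6 object in the text."""
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith(("%", " ", "+")):  # skip comments/continuations
                attrs.setdefault(key.strip().lower(), value.strip())
        prefix = attrs.get("route") or attrs.get("route6")
        if prefix and "origin" in attrs and "source" in attrs:
            net = ipaddress.ip_network(prefix, strict=False)  # normalises case and host bits
            yield (net, attrs["origin"].upper(), attrs["source"].upper())

def audit(text):
    """Sort RIPE-NONAUTH route objects by whether AFRINIC holds a matching one."""
    routes = list(parse_routes(text))
    afrinic = {(net, origin) for net, origin, source in routes if source == "AFRINIC"}
    afrinic_nets = {net for net, _ in afrinic}
    report = {"migrated": [], "not_migrated": [], "origin_mismatch": []}
    for net, origin, source in routes:
        if source == "RIPE-NONAUTH":
            key = ("migrated" if (net, origin) in afrinic else
                   "origin_mismatch" if net in afrinic_nets else "not_migrated")
            report[key].append((str(net), origin))
    return report
```

Entries under `not_migrated` would disappear if the out-of-region objects are deleted; entries under `origin_mismatch` are the cross-registry inconsistencies the clean-up bullet refers to.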

AFRINIC IRR adoption


Recommendations
AFRINIC recommends that:
1. Contact details are updated when staff join or leave your company
2. Maintainer passwords are kept up to date
3. If you hold resources from AFRINIC, have your route objects registered
4. To avoid negative impacts on your business, migrate your route objects to the AFRINIC IRR from RIPE NCC's IRR

Contact us at: irr@afrinic.net, hostmaster@afrinic.net
Refer to the how-to manuals: www.afrinic.net/en/library/membership-documents
Meet us at the AFRINIC booth for support

Want more Security on your Routing?

Let’s talk about RPKI!

Thank you for your attention. Questions?
8/12/16