LIR and RIPE Database Training Course January 2017

Schedule
09:00 - 09:30 Coffee, Tea
11:00 - 11:15 Break
13:00 - 14:00 Lunch
15:30 - 15:45 Break
17:30 End

Introductions: Name, Number on the list, Experience with the RIPE


  1. Updates: Not Using a role Object inetnum: 85.11.184.0/25 tech-c: JS123-RIPE tech-c: SB436-RIPE admin-c: SB436-RIPE admin-c: JS123-RIPE person: John Smith status: ASSIGNED PA status: ASSIGNED PA inetnum: 85.11.184.128/25 nic-hdl: JS123-RIPE mnt-by: LIR-MNT mnt-by: LIR-MNT tech-c: SB436-RIPE tech-c: JS123-RIPE address: Sesame Street 1 admin-c: JS123-RIPE admin-c: SB436-RIPE phone: +1 555 0101 status: ASSIGNED PA status: ASSIGNED PA e-mail: john@example.org inetnum: 85.11.186.0/27 mnt-by: LIR-MNT mnt-by: LIR-MNT mnt-by: RED1-MNT tech-c: JS123-RIPE tech-c: SB436-RIPE admin-c: JS123-RIPE admin-c: SB436-RIPE status: ASSIGNED PA status: ASSIGNED PA inetnum: 85.11.186.32/25 person: Sue Baker mnt-by: LIR-MNT mnt-by: LIR-MNT tech-c: SB436-RIPE tech-c: JS123-RIPE nic-hdl: SB436-RIPE admin-c: JS123-RIPE admin-c: SB436-RIPE address: Sesame Street 1 status: ASSIGNED PA status: ASSIGNED PA inetnum: 85.11.186.64/26 phone: +1 555 0202 mnt-by: LIR-MNT mnt-by: LIR-MNT e-mail: sue@example.org tech-c: JS123-RIPE tech-c: SB436-RIPE mnt-by: RED1-MNT admin-c: JS123-RIPE admin-c: SB436-RIPE status: ASSIGNED PA status: ASSIGNED PA mnt-by: RED1-MNT mnt-by: LIR-MNT 52

  2. Updates: Using a role Object

     person: John Smith
     nic-hdl: JS123-RIPE
     address: Sesame Street 1
     phone: +1 555 0101
     e-mail: john@example.org
     mnt-by: LIR-MNT

     role: LIR Admin
     nic-hdl: LA789-RIPE
     tech-c: JS123-RIPE
     admin-c: JS123-RIPE
     tech-c: SB436-RIPE
     admin-c: SB436-RIPE
     mnt-by: LIR-MNT

     person: Sue Baker
     nic-hdl: SB436-RIPE
     address: Sesame Street 1
     phone: +1 555 0202
     e-mail: sue@example.org
     mnt-by: LIR-MNT

     inetnum: 85.11.184.0/25
     tech-c: LA789-RIPE
     admin-c: LA789-RIPE

     inetnum: 85.11.184.128/25
     tech-c: LA789-RIPE
     admin-c: LA789-RIPE

     inetnum: 85.11.185.0/24
     tech-c: LA789-RIPE
     admin-c: LA789-RIPE

     inetnum: 85.11.186.0/27
     tech-c: LA789-RIPE
     admin-c: LA789-RIPE

     inetnum: 85.11.186.32/27
     tech-c: LA789-RIPE
     admin-c: LA789-RIPE
     status: ASSIGNED PA
     mnt-by: LIR-MNT

  3. Add Abuse Contact for Your Allocation

     Create “Abuse Role object” with “abuse mailbox”:

     role: Abuse Role Acme
     nic-hdl: AR789-RIPE
     admin-c: SB436-RIPE
     tech-c: JS123-RIPE
     tech-c: XL451-RIPE
     abuse-mailbox: abuse@example.org
     mnt-by: RED1-MNT

     Point the abuse-c in the org object to the “Abuse Role object”:

     organisation: ORG-BB2-RIPE
     admin-c: JD1-RIPE
     tech-c: LA789-RIPE
     abuse-c: AR789-RIPE
     mnt-by: RIPE-NCC-HM-MNT
     mnt-by: RIPE-NCC-HM-MNT

     The allocation points to your organisation object:

     inetnum: 85.11.184.0/21
     netname: NL-EXAMPLE
     status: ALLOCATED PA
     org: ORG-BB2-RIPE
     mnt-by: RIPE-NCC-HM-MNT
     mnt-by: LIR-MNT
     mnt-lower: RED1-MNT
     admin-c: LA789-RIPE
     tech-c: LA789-RIPE

  4. Updating the RIPE Database Exercise 3

  5. Exercise: Updating the RIPE Database
     • Time
       - 10 minutes
     • Goal
       - Learn how to update existing objects in the RIPE Database
     • Tasks
       - Update a maintainer object adding an authentication attribute

  6. Creating Objects in RIPE Database

  7. Create maintainer and person pair (1)
     • Creation of first person - mntner object pair

     person: John Smith
     nic-hdl: JS123-RIPE
     address: Sesame Street 1
     phone: +1 555 0101
     e-mail: john@example.org
     mnt-by: RED-MNT

     mntner: RED-MNT
     admin-c: JS123-RIPE
     descr: Startup maintainer
     mnt-by: RED-MNT
     upd-to: john@example.org
     auth: SSO john@example.org

  8. Create maintainer and person pair (2) John Smith

  9. Create maintainer and person pair (3)

  10. Creating an object (1)
      • Email updates
      • Webupdates
      • Restful API (XML/JSON)
      • Syncupdates

  11. Creating an object (2)
      • Choose a mntner to protect the new object
      • Or choose a person object for admin-c (only mntners)

  12. Creating an object (3)

  13. Creating an inetnum object - IPv4

  14. Hierarchical Authorisation (1)
      • Giving someone else some rights to create new objects for you
      • But not too many rights; you don’t want them to delete or edit your objects
        - mnt-lower - create inetnum or inet6num objects
        - mnt-routes - create route or route6 objects
        - mnt-domains - create (reverse) domain objects

  15. Hierarchical Authorisation (2)
      • mntner in mnt-by has two functions:
        1. Protects the object
        2. Guards the address range

      inetnum: 85.118.184.0/23
      mnt-by: RED1-MNT

  16. Hierarchical Authorisation (3)
      • If your SSO account is associated with…
        - associated with RED1-MNT
        - not associated with GOLD-MNT
      • …can you create a more specific object?

      inetnum: 85.118.184.0/23
      mnt-by: RED1-MNT
      mnt-lower: GOLD-MNT

      • NO!

  17. Hierarchical Authorisation (4)

      inetnum: 85.118.184.0/23
      mnt-by: RED1-MNT
      mnt-lower: GOLD-MNT
      mnt-lower: RED1-MNT

      • Who can update this object? John
      • Who can create more specific inetnums now? Abe, John

  18. Hierarchical Authorisation (5) • • Route and Domain objects inetnum : 85.118.184.0/21 descr: My Allocation status: ALLOCATED PA org: ORG-BB2-RIPE admin-c: LA789-RIPE tech-c: LA789-RIPE mnt-by: RIPE-NCC-HM-MNT mnt-by: LIR-MNT mnt-lower: LIR2-MNT mnt-routes: LIR2-MNT mnt-domains: LIR2-MNT domain: 184.11.85.in-addr.arpa route: 85.11.184.0/21 mnt-by: STRANGE-MNT origin: AS2 ‘FORCE DELETE’ mnt-by: END-USER-MNT tech-c: LA789-RIPE nserver: ns1.example.com admin-c: JD1-RIPE nserver: ns2.example.com mnt-by: SOME-MNT 69
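
The rule from the Hierarchical Authorisation slides, as an added example that is not part of the course material and not RIPE NCC code. Assumptions: John's account holds RED1-MNT and Abe's holds GOLD-MNT; the fall-back order (type-specific attribute, then mnt-lower, then mnt-by) goes beyond what the slides state; the aut-num side of route creation is not modelled.

```python
# Added example: simplified model of mnt-by / mnt-lower / mnt-routes / mnt-domains.

# Attribute on the covering object that is consulted first per new object type.
CREATE_ATTR = {
    "inetnum": "mnt-lower", "inet6num": "mnt-lower",
    "route": "mnt-routes", "route6": "mnt-routes",
    "domain": "mnt-domains",
}

def parse_rpsl(text):
    """Parse one RPSL object into {attribute: [values, ...]}."""
    obj = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")  # first colon only (IPv6 values)
        obj.setdefault(key.strip(), []).append(value.strip())
    return obj

def may_update(obj, user_mntners):
    """Editing or deleting needs one of the object's own mnt-by maintainers."""
    return bool(set(obj.get("mnt-by", [])) & set(user_mntners))

def may_create_under(parent, child_type, user_mntners):
    """The first attribute present on the parent decides who may create."""
    for attr in (CREATE_ATTR[child_type], "mnt-lower", "mnt-by"):
        if parent.get(attr):
            return bool(set(parent[attr]) & set(user_mntners))
    return False

# Objects as shown on Hierarchical Authorisation (3) and (4).
AUTH_3 = parse_rpsl("""
inetnum: 85.118.184.0/23
mnt-by: RED1-MNT
mnt-lower: GOLD-MNT
""")
AUTH_4 = parse_rpsl("""
inetnum: 85.118.184.0/23
mnt-by: RED1-MNT
mnt-lower: GOLD-MNT
mnt-lower: RED1-MNT
""")

# Assumption: which maintainer each person's SSO account is linked to.
JOHN, ABE = {"RED1-MNT"}, {"GOLD-MNT"}

if __name__ == "__main__":
    for name, who in (("John", JOHN), ("Abe", ABE)):
        print(name, "update:", may_update(AUTH_4, who),
              "create under (3):", may_create_under(AUTH_3, "inetnum", who),
              "create under (4):", may_create_under(AUTH_4, "inetnum", who))
```

Running an audit like this over your own allocations shows where a mnt-lower line has locked out the mnt-by maintainer, as on slide (3), or handed creation rights to a maintainer you no longer control.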

  19. route and route6 Object (1st Scenario)

      inet6num: 2001:db8::/32
      tech-c: LA789-RIPE
      admin-c: JD1-RIPE
      mnt-by: RIPE-NCC-HM-MNT
      mnt-by: LIR-MNT
      mnt-routes: LIR2-MNT

      aut-num: AS2
      tech-c: LA789-RIPE
      admin-c: JD1-RIPE
      mnt-by: RIPE-NCC-END-MNT
      mnt-by: LIR2-MNT

      route6: 2001:db8::/32
      tech-c: LA789-RIPE
      admin-c: JD1-RIPE
      origin: AS2
      mnt-by: LIR2-MNT

      Jim Davis

  20. route and route6 Object (2nd Scenario) inet6num: 2001:db8::/32 aut-num: AS2 tech-c: LA789-RIPE tech-c: LA789-RIPE admin-c: JD1-RIPE admin-c: JD1-RIPE mnt-by: RIPE-NCC-HM-MNT mnt-by: RIPE-NCC-END-MNT mnt-by: LIR-MNT mnt-by: AS-MNT mnt-routes: LIR2-MNT mnt-routes: AS-MNT route6: 2001:db8::/32 tech-c: LA789-RIPE admin-c: JD1-RIPE origin: AS2 mnt-by: AS-MNT Ann Snow 71

  21. Domain Objects
      • Domain object creation = request for reverse delegation
        - Asking RIPE NCC to enter NS records pointing to your name servers in RIPE NCC’s parent zone
      • Valid for IPv4 and IPv6
      • Robot checks before successful creation
        - Authentication check
        - RIPE Database syntax check
        - Zone delegation check

  22. Setting up Reverse Delegation: Preparation
      • Modify the covering inetnum or inet6num
        - add “mnt-domains: your_mntner”
      • Reverse delegation needs specific prefix lengths
        - /24 or /16 chunks for IPv4
        - multiples of 4 bit chunks (/32, /36, /48, etc.) for IPv6
      • Domain names:
        - c.b.a.in-addr.arpa. (for IPv4 a.b.c.0/24)
        - 8.b.d.0.1.0.0.2.ip6.arpa. (for IPv6 2001:db8::/32)

  23. Setting up Reverse Delegation: Setup
      • Configure your DNS servers
        - at least two name servers in different subnets
        - create a zone file on each for each chunk
      • Delegation checker
        - http://dnscheck.ripe.net

  24. Setting up Reverse Delegation: domain Object domain: 16 .155.10.in-addr.arpa domain: 17 .155.10.in-addr.arpa mnt-by: EXAMPLE-MNT nserver: tinny.arin.net mnt-by: EXAMPLE-MNT domain: 18 .155.10.in-addr.arpa nserver: sec3.apnic.net nserver: tinny.arin.net mnt-by: EXAMPLE-MNT domain: 19 .155.10.in-addr.arpa nserver: sec3.apnic.net nserver: tinny.arin.net mnt-by: EXAMPLE-MNT nserver: sec3.apnic.net nserver: tinnie.arin.net nserver: sec3.apnic.net 75
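
The naming rule from the reverse delegation slides, as an added example that is not part of the course material. The function name `reverse_zones` is hypothetical; splitting a prefix that does not sit on a /16, /24 or nibble boundary into several zones generalises the slide's "chunks" rule.

```python
import ipaddress

def reverse_zones(prefix):
    """Return the domain object names needed to cover `prefix`."""
    net = ipaddress.ip_network(prefix)  # raises ValueError if host bits are set
    if net.version == 4:
        if net.prefixlen > 24:
            raise ValueError(f"{net}: smaller than a /24, no whole zone to delegate")
        # IPv4 zones exist on octet boundaries: /16 or /24 chunks
        step, width, suffix = (16 if net.prefixlen <= 16 else 24), 8, "in-addr.arpa"
    else:
        # IPv6 zones exist on 4-bit boundaries: round the length up
        step, width, suffix = max(4, -(-net.prefixlen // 4) * 4), 4, "ip6.arpa"
    zones = []
    for chunk in net.subnets(new_prefix=step):
        if net.version == 4:
            labels = str(chunk.network_address).split(".")
        else:
            labels = list(chunk.network_address.exploded.replace(":", ""))
        labels = labels[: step // width]  # keep only the delegated part
        zones.append(".".join(reversed(labels)) + "." + suffix)
    return zones

if __name__ == "__main__":
    # Prefixes taken from the address ranges used on the slides.
    for p in ("10.155.16.0/22", "2001:db8::/32", "2001:db8::/29"):
        print(p, "->", reverse_zones(p))
```

Comparing this list with the domain objects that actually exist under an allocation shows which chunks still lack a delegation and which objects fall outside the range you hold.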

  25. Creating Objects in RIPE Database Exercise 4

  26. Exercise: Creating Objects in the RIPE Database
      • Time
        - 15 minutes
      • Goal
        - Learn how to create new objects in the RIPE Database
      • Tasks
        - Create a person and a maintainer object pair
        - Create a role object

  27. Questions

  28. Getting Resources Section 5

  29. Terminology
      • Allocation
        - Block of IP addresses reserved for future use
      • Assignment
        - A chunk of addresses from an allocation that is used:
          - in your own infrastructure
          - in an End User network

  30. Types of Address Space
      • PA = Provider Aggregatable
        - Blocks given to LIRs
        - Distributed further to other users
        - When customers change ISP, the IPs go back to LIR
      • PI = Provider Independent
        - Blocks given directly to a user for their own network
        - User takes IPs with them if they change ISP

  31. PA versus PI
      Diagram labels: Provider Aggregatable, Provider Independent, Internet, ISP 1, ISP 2, PA1 Alloc., PA2 Alloc., PA1 Assig., PA2 Assig., PI Assig.

  32. IPv4 Address Distribution - Current
      Diagram labels: IANA /0 RIR /8 /22 LIR /23 /25 /24 End User; legend: Allocation, PA Assignment, PI Assignment

  33. IPv6 Address Distribution
      Diagram labels: IANA /3 RIR /12 /32 LIR /56 /48 /48 End User; legend: Allocation, PA Assignment, PI Assignment

  34. Sub-allocations
      Diagram labels: LIR, Downstream Customer, End User; PA Allocation, PA Sub-allocation, PA Assignment

  35. First IPv6 Allocation
      • Have mntner, person and role objects ready
      • Submit the First IPv6 Allocation Request form
        - Have a plan for making assignments within two years
      • Minimum allocation size is /32
        - Up to a /29 without additional justification
        - More if justified by customer numbers and the extent of the infrastructure
        - Additional bits based on hierarchical and geographical structure, planned longevity and security levels

  36. Requesting an IPv6 PI Assignment
      • Every PI Assignment must have a Sponsoring LIR
      • Needs organisation, person and mntner objects
      • Minimum size = /48
      • Send us:
        - PI Assignment Request Form
        - End User Assignment Agreement
        - Company registration document or picture ID (for a private individual)

  37. IPv6 PI Assignments
      • PI space cannot be used for sub-assignments!
        - Not even a single address for the connection
        - If you have customers, you cannot use PI for them

      inet6num: 2001:db8::/48
      inet6num: 2001:db8:1234::/48
      descr: Some PI Assignment
      status: ASSIGNED PI
      mnt-by: RIPE-NCC-END-MNT
      mnt-by: ENDUSER-MNT
      mnt-routes: ENDUSER-MNT
      mnt-domains: ENDUSER-MNT

      • Yearly charges for PI Assignments
        - See the RIPE NCC Charging Scheme

  38. IPv4 Allocation from the Last /8
      • Submit the IPv4 Allocation Request form
        - Use the same mntner, person and role objects from the IPv6 allocation
      • Each LIR can get one /22 block
        - = 1024 IPv4 addresses
      • Cannot be transferred within 24 months after receiving it

  39. IPv4 PI Assignments
      • Since IPv4 exhaustion, no new PI assignments
      • No sub-assigning allowed
      • Yearly charges for PI Assignments
        - See the RIPE NCC Charging Scheme
      • Convert LIR PI assignments into PA allocations

  40. Autonomous System Numbers
      • Assignment requirements
        - Address space
        - Multihoming
        - One AS Number per network
      • For LIR itself
      • For End User
        - Sponsoring LIR requests it for End User
      • 32-bit is the default
        - 16-bit available on request

  41. PI / ASN and Sponsoring LIR
      • Options for End Users holding PI / ASN:
        - Sign End User Agreement with an LIR
        - Become an LIR themselves
        - Return the resources
      • Sponsoring LIR is published in the RIPE Database
        - “sponsoring-org:” attribute

  42. Getting IPs and ASNs Demonstration

  43. Transfers Section 6

  44. Types of Transfers PA allocations Merger or Acquisition between RIPE NCC members PI assignments From Legacy Space between End Users AS numbers Inter-RIR between End Users

  45. IPv4 Allocation Transfers

  46. IPv4 PI Assignment Transfers

  47. IPv4 Transfers: Where to Look
      • IPv4 Listing Service
        - Accessible from LIR Portal account
      • Brokers
        - Listed on RIPE NCC website
        - NOT endorsed by RIPE NCC
        - Signed an agreement to conform to RIPE Policies

  48. IPv6 Allocation Transfers

  49. IPv6 PI Assignment Transfers
