[135972] in North American Network Operators' Group
Re: Level 3's IRR Database
daemon@ATHENA.MIT.EDU (Joe Abley)
Mon Jan 31 09:19:09 2011
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <4D459C96.3080306@foobar.org>
Date: Mon, 31 Jan 2011 09:16:38 -0500
To: Nick Hilliard <nick@foobar.org>
X-SA-Exim-Mail-From: jabley@hopcount.ca
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 2011-01-30, at 12:15, Nick Hilliard wrote:
> On 30/01/2011 09:08, Jeff Wheeler wrote:
>> This brings me to my point, which is that IRR is very good for
>> preventing accidents and automating some common tasks. It should be
>> "secure" to a point, but just because a route: object exists does not
>> mean that mntner: really has authority over that address space.
>
> Depends on which IRR you use. The IRRDBs run by RIPE, APNIC and
> AfriNIC implement hierarchical object ownership, which means that if
> you're registering their address space, you can only do so if that
> address space legitimately belongs to you.
Note that in the case of the RIPE db (and perhaps the others, I don't know) this is only the case for resources that can be traced back to a RIPE NCC-assigned netblock.

I routinely register objects in the RIPE db which were assigned from other regions (e.g. ARIN). Since many European networks have procedures and automation that requires things to be in the RIPE db, using that db as your primary publication mechanism avoids the need to duplicate later.
The parent object in the RIPE db for such foreign resources is
inetnum: 0.0.0.0 - 255.255.255.255
netname: IANA-BLK
descr: The whole IPv4 address space
country: EU # Country is really world wide
org: ORG-IANA1-RIPE
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
status: ALLOCATED UNSPECIFIED
remarks: The country is really worldwide.
remarks: This address space is assigned at various other places in
remarks: the world and might therefore not be in the RIPE database.
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: RIPE-NCC-HM-MNT
mnt-routes: RIPE-NCC-RPSL-MNT
source: RIPE # Filtered
and the maintainer object for routes is
mntner: RIPE-NCC-RPSL-MNT
descr: This maintainer may be used to create objects to represent
descr: routing policy in the RIPE Database for number resources not
descr: allocated or assigned from the RIPE NCC.
admin-c: RD132-RIPE
auth: MD5-PW $1$ScJSM7nN$Xw3aAduCRZx4QUEq8QjR5/
remarks: *******************************************************
remarks: * The password for this object is 'RPSL', without the *
remarks: * quotes. Do NOT use this maintainer as 'mnt-by'. *
remarks: *******************************************************
mnt-by: RIPE-DBM-MNT
referral-by: RIPE-DBM-MNT
source: RIPE # Filtered
This means that anybody can assert pretty much anything they like, so long as the resources are not NCC-assigned.

Joe
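
The consequence described in the message above, from the point of view of someone building prefix filters from IRR data, as an added example that is not part of the original post. It flags route: objects whose most specific covering inetnum: delegates mnt-routes to RIPE-NCC-RPSL-MNT, so that they can be treated as unverified. The sample objects are constructed, the function names are hypothetical, and the model is simplified to the mnt-routes attribute of the covering inetnum only.

```python
import ipaddress

OPEN_MNT = "RIPE-NCC-RPSL-MNT"  # the maintainer whose password is published

# Constructed sample objects (not registry data); documentation prefixes only.
SAMPLE = """\
inetnum: 0.0.0.0 - 255.255.255.255
mnt-routes: RIPE-NCC-RPSL-MNT

inetnum: 192.0.2.0 - 192.0.2.255
mnt-routes: EXAMPLE-MNT

route: 192.0.2.0/24
origin: AS64500
mnt-by: EXAMPLE-MNT

route: 198.51.100.0/24
origin: AS64501
mnt-by: OTHER-MNT
"""

def parse_objects(text):
    """Split RPSL text into objects, each a list of (attribute, value) pairs."""
    objects = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines())
        objects.append([(k.strip(), v.split("#")[0].strip()) for k, _, v in pairs])
    return objects

def classify_routes(text):
    """Map each route: prefix to 'hierarchical' or 'unverified'."""
    objects = parse_objects(text)
    parents = []  # (first address, last address, mnt-routes set) per inetnum
    for obj in objects:
        if obj[0][0] == "inetnum":
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in obj[0][1].split("-"))
            parents.append((lo, hi, {v for k, v in obj if k == "mnt-routes"}))
    verdicts = {}
    for obj in objects:
        if obj[0][0] != "route":
            continue
        net = ipaddress.IPv4Network(obj[0][1])
        covering = [p for p in parents if p[0] <= net[0] and net[-1] <= p[1]]
        # The most specific covering inetnum is the one with the smallest range.
        best = min(covering, key=lambda p: int(p[1]) - int(p[0]), default=None)
        open_parent = best is None or OPEN_MNT in best[2]
        verdicts[str(net)] = "unverified" if open_parent else "hierarchical"
    return verdicts
```

A route marked unverified here is one whose registration shows only that somebody submitted it, so a filter generator would need another source to confirm who holds the address space.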