
RIPE NCC database guide (English original)

Objects covered: mntner, as-set, aut-num, route, inetnum, person, domain, role.

Once you get to configuring BGP, you will have to "communicate" with the RIPE database (simply "DB" from here on).

Many people ask: "What is an as-set?" or "How do I find out which AS a route belongs to?"

In this article I will try to explain which objects in this database you need to create and how they are used.

So, you have gone through the process of obtaining LIR status, your own block of IP addresses and an autonomous system number (ASN).

Reference:

The Local Internet Registry (LIR) is a term used to describe the members of the RIPE NCC.

They are called local Internet registries (LIRs) because they allocate and register address space at the local level and apply the mandatory policies and procedures there. Organizations that become LIRs are mainly Internet Service Providers (ISPs) that allocate and assign address space to their customers, telecommunications companies and commercial enterprises, together with academic institutions, which need blocks of address space too large to obtain from a higher-level provider.

What next? There is an endless amount of documentation on the RIPE website, Google stays silent, and you still need to understand it all. I will try to describe it in my own words, as I understood and did it myself.

ALLOCATION vs ASSIGNMENT

To begin with, let's look at two concepts:

  1. ALLOCATION: the address space allocated to the provider; it is recorded for the provider in the database.

  2. ASSIGNMENT: address space whose actual use by the provider has been approved by RIPE; this is also recorded in the database.

Everything seems clear with the first one: RIPE has allocated you a block for further use. The second is not so simple.

After RIPE has made an ALLOCATION of a block, you need to agree with them how much of the address space you will use and for what. You will have to fill out a form describing your ADDRESS PLAN in order to move part of the address space from ALLOCATED status to ASSIGNED status. ASSIGNED status means that RIPE has approved your use of that address space for your needs.

Tips for completing the ADDRESS PLAN:

  1. do not give an end user a network larger than /30; otherwise RIPE will write to you that a network larger than /30 counts as the End User's own infrastructure and will make your users fill out an address space request form as well.

  2. you can ask for at least a /24 for P2P links (networks of /30), which will cover your channels.

  3. you can also ask for two /24 networks for active equipment: routers, servers, VoIP hardware, etc.; the main thing is not to overdo it.

  4. RIPE likes it when you write about NAT (IPv4 address space is running out fast), so do not disappoint them and ask, again, for no less than a /24 for the NAT server.

  5. As equipment, list everything: servers, Cisco boxes (even Catalysts), VoIP gateways, hardware firewalls, whatever you have :) , everything for which you can justify the need for a public address (if asked ;))

You have filled out the ADDRESS PLAN and sent it to RIPE... you wait for an answer... there are two options:

  1. they approve your request and set the status ASSIGNED PA on the network they approved.

  2. they say it does not suit them and you will have to argue with them further.

Why all this? Can you use address space in ALLOCATED status?

You can, but if your address space runs out and you go to get another block, RIPE will refuse, citing the fact that you are not using your first ALLOCATED block. You can see how RIPE views your current use of the allocated address space with the Web Asused utility: specify your Regid (for example ru.myisp) and you will receive an e-mail with a report on your address space usage.

Objects in the database

The database consists of many objects; we will look at some of them, using a good backbone provider, Transtelecom, as the example.

Person object [object field description]

This object describes a person. Example:

    person:  Yaroslav V Kapsalov
    address: JSC TransTeleCom
    address: 7, Dolgorukovskaya st.
    address: 127006 Moscow Russia
    e-mail:  [email protected]
    phone:   +7 495 7846670
    nic-hdl: YARK-RIPE
    source:  RIPE # Filtered

The person object is used to specify the administrative (admin-c) and technical (tech-c) contacts, where you have to give the NIC-HDL, the unique identifier assigned to the person in the database. In this example the nic-hdl is YARK-RIPE.

Video example of creating an object: watch

Video example of checking an object: watch

Object role [object field description]

It is similar to the "person" object, but describes not just a contact person but the role that person performs. In addition, the "role" object lets you group several people who perform a common function (for example a technical support department or the system administrators). For administrative and technical contacts it is recommended to use a "role" object whenever possible. Example:

    role:    TTC NOC
    address: Company TransTeleCom Network Operation Center
    address: 7, Dolgorukovskaya st.
    address: 127006 Moscow Russia
    remarks: phone: +7 095 7846677
    phone:   +7 495 7846677
    remarks: phone: +7 095 7846670
    phone:   +7 495 7846670
    remarks: fax-no: +7 095 7846671
    fax-no:  +7 495 7846671
    ............ [skipped] ............
    mnt-by:  TRANSTELECOM-MNT
    source:  RIPE # Filtered
    ............ [skipped] ............

Fields with the same names are filled in the same way as in the "person" object. Note that unlike the "person" object, the "e-mail" field is mandatory here.

The "role" field gives the name of the service (team) the object describes.

The "admin-c" and "tech-c" fields contain the nic-handles of the persons responsible for administrative and technical issues. There may be several such fields.

Inetnum object [object field description]

This object describes an ASSIGNMENT: a block (blocks, subnets) of addresses. Example:

    inetnum: 217.150.32.0 - 217.150.32.255
    netname: TTK-OFFICE-NET
    descr:   Transtelecom Office Network
    descr:   Moscow, Russia
    country: RU
    admin-c: KTTK-RIPE
    tech-c:  KTTK-RIPE
    status:  ASSIGNED PA
    remarks: INFRA-AW
    mnt-by:  TRANSTELECOM-MNT
    source:  RIPE # Filtered

Status (status) is an attribute of inetnum objects that carries information on the allocation and assignment of IP address space (for details see ripe-387). The following table explains the status values of IP address blocks.

ALLOCATED PA
    This address space is allocated to a local registry (LIR). No assignment or sub-allocation made from it is portable: an end user who received addresses from this space cannot keep them when moving to another provider.

ALLOCATED PI
    This address space was allocated to a local or regional registry, and all assignments made from it are portable. An assignment can be kept (after moving to another provider) as long as the criteria of the original assignment are still met. No sub-allocations can be made from this address space.

ASSIGNED PA
    This address space has been assigned to an end user for use with the services of the corresponding local registry. It cannot be kept if the end user gives up the services of that registry.

ASSIGNED PI
    This address space has been assigned to an end user and can be kept as long as the criteria of the original assignment are met.

EARLY-REGISTRATION
    Address space with this status is used by the RIPE database administration when moving pre-RIR registrations from the ARIN database. The value can be changed by RIPE database users (except for the value ALLOCATED PA). Only RIPE database administrators can create objects with this status.

NOT-SET
    This value indicates that the corresponding address space (more precisely, the corresponding inetnum object) was registered before the "status" attribute became mandatory for inetnum objects and has not been updated since. Objects with this status are no longer created. The value can be changed by database users.

SUB-ALLOCATED PA
    This address space was allocated by a local registry to a downstream network operator, which will itself assign addresses from it to end users. All assignments from this space are PA: they cannot be kept when switching to the services of another provider.

ALLOCATED UNSPECIFIED
    This address space is allocated to a local or regional registry. Assignments from it may be PI or PA. The status is intended for address space allocated under policy documents that are now outdated, when both types of assignment existed at the same time; it is not given to newly allocated address space. Sub-allocations cannot be made from this address space.

LIR-PARTITIONED PA
    This status lets a local registry document the distribution of allocated space and delegate its management within its own organization. Address space with this status is not considered used; when addresses from it are actually used, a more specific inetnum object must be registered for them.

0
    Not a status approved by the RIPE NCC. The value 0 ("zero") only indicates that the status of this address block is unknown; it is used only by this release of the geo-referenced database.


Route object [object field description]

This object indicates which autonomous system the network belongs to. Example:

    route:   217.150.32.0/19
    descr:   RU-TRANS-TELECOM-20010213
    origin:  AS20485
    mnt-by:  TRANSTELECOM-MNT
    source:  RIPE # Filtered

From this it follows that the network 217.150.32.0/19 is announced by autonomous system number 20485. The key of a route object is the pair of fields route and origin: the route field gives the address range, and the origin field the autonomous system that is responsible for routing it to the Internet.

Aut-num object [object field description]

This object describes an autonomous system. Example:

    aut-num: AS20485
    as-name: TRANSTELECOM
    descr:   JSC Company TransTeleCom
    descr:   Moscow, Russia
    ............ [skipped] ............

It describes not only who owns this number and its administrative and technical contacts, but also the peers of the autonomous system and the communities that can be used.

Peers:

    ............ [skipped] ............
    import: from AS174 action pref=120; accept AS174:AS-COGENT;
    import: from AS786 action pref=120; accept AS-JANETPLUS;
    import: from AS1290 action pref=120; accept AS-PSINETUK;
    import: from AS2110 action pref=120; accept AS-IEUNET;
    import: from AS2119 action pref=120; accept AS-TELENOR;
    import: from AS2529 action pref=120; accept AS-DEMON;
    ............ [skipped] ............

This shows the import of routes into Transtelecom's autonomous system (AS20485): which autonomous systems' prefixes are accepted from each of the listed peers. The accepted set can be given as a single AS or as an as-set.

    ............ [skipped] ............
    export: to AS174 announce AS-TTK;
    export: to AS786 announce AS-TTK;
    export: to AS1290 announce AS-TTK;
    export: to AS2110 announce AS-TTK;
    export: to AS2119 announce AS-TTK;
    export: to AS2529 announce AS-TTK;
    ............ [skipped] ............

This shows which routes the Transtelecom autonomous system (AS20485) announces to its peers. Here too a single AS or an as-set can be given (in this example it is an as-set).

Communities:

    ............ [skipped] ............
    remarks: +--------------------------------------------------------+
    remarks: |                    BGP COMMUNITIES                     |
    remarks: +--------------------------------------------------------+
    remarks: |         Communities for prefix classification          |
    remarks: +--------------------------------------------------------+
    remarks: | All inbound prefixes are marked with BGP communities   |
    remarks: | describe your source and geographical region.          |
    remarks: | For the second component of the community              |
remarks: | (number after 20485 :) is set at five digits. 
remarks: | This format is 20485: SNNRR where the fields are: | 
remarks: | 
remarks: | S - source of the prefix: | 
remarks: | 
remarks: | 1 - Customer | 
remarks: | 2 - Upstream | 
remarks: | 3 - International peer | 
remarks: | 4 - Russian peer | 
remarks: | 
remarks: | NN - Upstream, peer or customer number: | 
remarks: | 
remarks: | Customers: | 
remarks: | 11 - BGP with Internal Internet Access | 
remarks: | 13 - BGP with Partial Internet Access | 
remarks: | 17 - BGP with Global Internet Access | 
remarks: | Static routes from CTTC allocations: 20485: 61RR |
remarks: | Upstreams: | 
remarks: | 01 - Cable & Wireless (AS1273) | 
remarks: | 02 - Telia (AS1299) | 
remarks: | 03 - NTT (AS2914) | 
remarks: | 05 - PCCW (AS3491) | 
remarks: | 07 - UUNET (AS702) | 
remarks: | International peers: | 
remarks: | 01 - SONG (AS3246) | 
remarks: | 03 - GOOGLE (AS15169) | 
remarks: | 04 - LINX | 
remarks: | 05 - RETN (AS9002, International peers) | 
    ............ [skipped] ............

This describes how communities are used with this autonomous system.

A community can be set on all routes or only on some. A community consists of ASNUM:COMMNUM, the autonomous system number of the owner of the community scheme followed by the community value, for example 20485:20100.
From a community you can tell where a route came from and use that in your filters (route-map). With their help you can also "ask" the neighbouring autonomous system to do something with the routes (prefixes) announced by your AS.
    ............ [skipped] ............
    remarks: +--------------------------------------------------------+
    remarks: |             Communities for prefix control             |
    remarks: +--------------------------------------------------------+
    remarks: | !!! ATENTION !!!                                       |
    remarks: | May cause connectivity                                 |
    remarks: | problems and you must clearly understand what you      |
    remarks: | are doing. TransTeleCom does not bear any responsibility |
    remarks: | if there will be such troubles.                        |
    remarks: +--------------------------------------------------------+
remarks: | There are two predetermined eBGP session types which | 
remarks: | customers may use: | 
remarks: | 1 - Global Internet Access. CTTC announce | 
remarks: | customer's prefixes to all customers | 
remarks: | upstreams and peers. 
remarks: | BGP communities are available. 
remarks: | 
remarks: | 2 - Access to customers and Russian peers. 
    ............ [skipped] ............
remarks: | - To prepand or deny prefix use 20485: 5DNNA, where: | 
remarks: | 
remarks: | D - destination of prepend or deny action: | 
remarks: | 2 - Upstreams | 
remarks: | 3 - International peers | 
remarks: | 4 - Russian peers | 
remarks: | 9 - Upstreams and Peers |
    ............ [skipped] ............
remarks: | A - action: | 
remarks: | 
remarks: | 0 - don't announce prefix | 
remarks: | 1 - announce with one prepend | 
remarks: | 2 - announce with two times prepend | 
remarks: | 3 - announce with three times prepend | 
    ............ [skipped] ............

By composing a community according to this description and attaching it to the route(s) you announce, the peer's autonomous system (in this example AS20485) will perform the corresponding action: a prepend (the AS number is inserted into the as-path N times, which lengthens the as-path and correspondingly makes the route less attractive) or a complete "prohibition" (it will not announce this route/prefix to its neighbours at all).
This lets you balance incoming traffic across your external links.
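To make the SNNRR and 5DNNA schemes above concrete, here is an added example (my code, not from the original article or TransTeleCom) that decodes a classification community such as the page's 20485:20100 and composes a validated prefix-control community; the RR region codes are not listed on the page, so it keeps RR as a plain number.

```python
# Added example, not code from the original article: encode and decode the
# BGP communities laid out in the AS20485 aut-num remarks quoted above.
#   classification  20485:SNNRR  (S source class, NN neighbour number, RR region)
#   prefix control  20485:5DNNA  (D destination class, NN neighbour, A action)
from dataclasses import dataclass

PARENT_ASN = 20485
SOURCES = {1: "Customer", 2: "Upstream", 3: "International peer", 4: "Russian peer"}
DESTINATIONS = {2: "Upstreams", 3: "International peers", 4: "Russian peers",
                9: "Upstreams and Peers"}
ACTIONS = {0: "don't announce prefix", 1: "announce with one prepend",
           2: "announce with two times prepend", 3: "announce with three times prepend"}
# NN is scoped by source class: 01 means Cable & Wireless for an upstream but
# SONG for an international peer. Values as listed in the remarks on the page.
NEIGHBOURS = {
    1: {11: "BGP with Internal Internet Access", 13: "BGP with Partial Internet Access",
        17: "BGP with Global Internet Access"},
    2: {1: "Cable & Wireless (AS1273)", 2: "Telia (AS1299)", 3: "NTT (AS2914)",
        5: "PCCW (AS3491)", 7: "UUNET (AS702)"},
    3: {1: "SONG (AS3246)", 3: "GOOGLE (AS15169)", 4: "LINX", 5: "RETN (AS9002)"},
}


@dataclass
class Classification:
    source: str
    neighbour: str
    region: int


def _value_part(community: str) -> str:
    """Return the five-digit value of a 20485:NNNNN community, or raise."""
    asn, _, value = community.partition(":")
    if not asn.isdigit() or int(asn) != PARENT_ASN or len(value) != 5 or not value.isdigit():
        raise ValueError(f"not a {PARENT_ASN}:NNNNN community: {community!r}")
    return value


def decode_classification(community: str) -> Classification:
    """Decode 20485:SNNRR, e.g. 20485:20100 -> Upstream, Cable & Wireless, region 0."""
    value = _value_part(community)
    s, nn, rr = int(value[0]), int(value[1:3]), int(value[3:5])
    if s not in SOURCES:                      # 5DNNA control communities land here
        raise ValueError(f"unknown source class {s} in {community}")
    neighbour = NEIGHBOURS.get(s, {}).get(nn, f"neighbour #{nn:02d}")
    return Classification(SOURCES[s], neighbour, rr)


def control_community(destination: int, neighbour: int, action: int) -> str:
    """Compose 20485:5DNNA. Inputs are validated because the remarks warn that a
    wrong control community can break connectivity: a typo must fail here
    instead of silently turning into a different action."""
    if destination not in DESTINATIONS:
        raise ValueError(f"unknown destination class {destination}")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action}")
    if not 0 <= neighbour <= 99:
        raise ValueError("neighbour number must fit in two digits")
    return f"{PARENT_ASN}:5{destination}{neighbour:02d}{action}"


def describe_control(community: str) -> str:
    """Human-readable meaning of a 20485:5DNNA community."""
    value = _value_part(community)
    if value[0] != "5":
        raise ValueError(f"not a prefix-control community: {community}")
    d, nn, a = int(value[1]), int(value[2:4]), int(value[4])
    if d not in DESTINATIONS or a not in ACTIONS:
        raise ValueError(f"unknown destination or action in {community}")
    return f"{ACTIONS[a]} towards {DESTINATIONS[d]} (neighbour {nn:02d})"
```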

As-set object [object field description]

This object describes (groups) several autonomous systems or other as-sets.

It is used to build inbound BGP filters, either by prefix or by as-path. Example:

    as-set:  AS-TTK
    descr:   Customers of TransTelecom with Global Access
    members: AS20485
    members: AS-CTTC
    members: AS-KTTK
    members: AS-SETTC
    members: AS-SIBTTK
    members: AS-STTK
    members: AS-SUTTK
    members: AS-TTKNN
    members: AS-TTKNN-IZHEVSK
    members: AS-UMN
    members: AS-UMN-TMN
    members: AS-VTT
    members: AS-ZSTTK-SET
    members: AS33989
    ............ [skipped] ............
    mnt-by:  TRANSTELECOM-MNT
    source:  RIPE # Filtered

A member of an as-set can be a single AS (for example AS33989) or another as-set (for example AS-CTTC). With the utility on our website you can build filters from an as-set (attention! the as-set object must exist in the RIPE database).

In this example the as-set name is AS-TTK.
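As an added example of the filter-building step (my code, not the utility from the original site), the following parses RPSL objects the way the database prints them and expands an as-set to AS numbers, stopping on cycles and refusing a set that does not exist. SAMPLE_DB is constructed: AS-TTK is trimmed from the page, while AS-CTTC's members and customer AS64496 are assumed.

```python
# Added example, not code from the original article: parse RPSL objects and
# expand an as-set into ASNs, which is the first step of building a prefix or
# as-path filter. SAMPLE_DB is constructed; AS-CTTC's membership is assumed.
from typing import Dict, List, Set

SAMPLE_DB = """\
as-set:  AS-TTK
members: AS20485, AS-CTTC
members: AS33989
mnt-by:  TRANSTELECOM-MNT
source:  RIPE # Filtered

as-set:  AS-CTTC
descr:   constructed for this example; refers back to its parent set
members: AS-TTK
members: AS64496
mnt-by:  TRANSTELECOM-MNT
source:  RIPE # Filtered

route:   217.150.32.0/19
origin:  AS20485
mnt-by:  TRANSTELECOM-MNT
source:  RIPE # Filtered
"""


def parse_rpsl(text: str) -> List[Dict[str, List[str]]]:
    """Split RPSL text into objects (separated by blank lines). Each object maps
    attribute name -> list of values, since members: or address: may repeat;
    a line starting with whitespace or '+' continues the previous value."""
    objects, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
            current, last_key = {}, None
        elif line[0] in " \t+" and last_key:
            current[last_key][-1] += " " + line[1:].strip()
        else:
            key, _, value = line.partition(":")
            last_key = key.strip().lower()
            current.setdefault(last_key, []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def expand_as_set(name: str, db: List[Dict[str, List[str]]], _seen=None) -> Set[str]:
    """Resolve an as-set to the AS numbers it contains. Members may be other
    as-sets, and real sets do form cycles (here AS-CTTC lists AS-TTK), so visited
    names are tracked. A missing set is an error: the object must exist in the DB."""
    seen = set() if _seen is None else _seen
    name = name.upper()
    if name in seen:
        return set()
    seen.add(name)
    by_name = {o["as-set"][0].upper(): o for o in db if "as-set" in o}
    if name not in by_name:
        raise KeyError(f"as-set {name} does not exist in the database")
    asns: Set[str] = set()
    members = [m.strip().upper() for v in by_name[name].get("members", []) for m in v.split(",")]
    for member in members:
        if "AS-" in member:                 # another as-set (also AS20485:AS-X style names)
            asns |= expand_as_set(member, db, seen)
        elif member.startswith("AS") and member[2:].isdigit():
            asns.add(member)
    return asns


def prefix_filter(name: str, db: List[Dict[str, List[str]]]) -> List[str]:
    """Prefix filter for an as-set: every route object whose origin is in the set."""
    asns = expand_as_set(name, db)
    return sorted(o["route"][0] for o in db if "route" in o and o["origin"][0].upper() in asns)
```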

Domain object [object field description]

This object is responsible for DNS: with it you specify the DNS servers responsible for reverse resolution (PTR records) of your address block. Example:

    domain:  32.150.217.in-addr.arpa
    descr:   Reverse delegation for TRANS-TELECOM-NET
    remarks: INFRA AW
    admin-c: KTTK-RIPE
    tech-c:  KTTK-RIPE
    zone-c:  KTTK-RIPE
    nserver: dns-prim.transtk.ru
    nserver: dns-sec.transtk.ru
    nserver: ns.transtelecom.net
    nserver: ns1.transtelecom.net
    mnt-by:  TRANSTELECOM-MNT
    source:  RIPE # Filtered

This is needed if you want an nslookup of YOUR IP address, by you and by the rest of the world, to return a name.

Example: nslookup 217.150.32.1 
1.32.150.217.in-addr.arpa name = ttk-eth1.transtk.ru.
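An added example (not from the original article) showing which in-addr.arpa zones a domain object has to cover for a block and which name nslookup actually looks up; it assumes octet-aligned blocks, as in the TTK objects above, and sends no DNS queries.

```python
# Added example, not code from the original article: which in-addr.arpa zones a
# domain object has to name for an IPv4 block, and the PTR owner name that
# nslookup queries. Pure computation on the TTK ranges from the page; no DNS.
import ipaddress
from typing import List


def reverse_zones(network: str) -> List[str]:
    """Return the in-addr.arpa zone names covering a block given in CIDR form.

    Reverse delegation works on octet boundaries: a /24 is one zone, a /16 is
    one zone, and a block in between (TTK's 217.150.32.0/19) needs one /24
    zone per /24 it contains. Blocks smaller than /24 are rejected rather than
    guessed at: they cannot be their own zone and need classless (RFC 2317)
    delegation from whoever holds the covering /24."""
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen <= 8:
        zone_prefix = 8
    elif net.prefixlen <= 16:
        zone_prefix = 16
    elif net.prefixlen <= 24:
        zone_prefix = 24
    else:
        raise ValueError(f"{network}: smaller than /24, no octet-aligned reverse zone")
    zones = []
    for sub in net.subnets(new_prefix=zone_prefix):
        kept = str(sub.network_address).split(".")[: zone_prefix // 8]
        zones.append(".".join(reversed(kept)) + ".in-addr.arpa")
    return zones


def ptr_name(address: str) -> str:
    """Owner name of the PTR record: 217.150.32.1 -> 1.32.150.217.in-addr.arpa."""
    return ipaddress.IPv4Address(address).reverse_pointer


def zone_for_ptr(address: str, zones: List[str]) -> str:
    """Which of the delegated zones holds the PTR record for this address."""
    name = ptr_name(address)
    for zone in zones:
        if name.endswith("." + zone):
            return zone
    raise LookupError(f"{address} is not covered by any delegated zone")
```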

Mntner object [object field description]

Pronounced "maintainer".

This object exists to protect objects in the database; its main feature is the authentication scheme. When any database object (including a mntner itself) references a mntner, that object is considered protected from unauthorized modification or deletion, and the strength of the protection is determined by the authentication scheme. People like to say a mntner "signs" other objects, like a certificate confirming the authenticity of the data. Unlike other objects, the mntner object has a password, and to change any object that refers to the mntner (the "mnt-by" field) you need to know it. Who "signed" an object can be seen in its mnt-by field. Example:

    mntner:  TRANSTELECOM-MNT
    descr:   JSC TransTeleCom Maintainer
    admin-c: KTTK-RIPE
    tech-c:  KTTK-RIPE
    auth:    MD5-PW $1$dkAwA6S5$tP8KkASb5xG7atyTYxpDo/
    mnt-by:  TRANSTELECOM-MNT
    source:  RIPE # Filtered

The auth line contains the encrypted (hashed) password. It is hashed the same way as in FreeBSD (/etc/master.passwd), so when creating your mntner object you can copy the hash of your password from /etc/master.passwd or use the Crypted password generation utility on the RIPE website.

Video example of creating an object: watch

Be sure to protect your objects with a mntner (the "mnt-by" field). Watch the video example of how to do it: watch

I hope it has at least become a little clearer, because I know from my own experience how hard it is to get into this business from scratch.

So what next?

If you already have your autonomous system number and your address block, it is time to add the missing parts to the database. There are two ways to make changes:

  1. send a letter with the complete description of the object to [email protected]; in reply you will receive a letter saying either "SUCCESS: changes" or "FAILED: changes" with a description of the mistakes you made.

  2. use the Webupdates online utility

In your place I would use the 2nd way first, because it has hints for creating objects.

First create a person object. Go to Webupdates, in the "Create a new object" section select the object person and click "Add object". Fill in all the required fields, click "Submit update" and read whether the object was created or an error occurred. If you are unsure about any field, click "?" and read the hint. The "nic-hdl" field can be set to AUTO-1; then the database itself will generate the handle for this object.

Now create the mntner. Again go to "ADD" in Webupdates and select the mntner object.

In the "mntner:" field write MNT-YOUR-PROVIDER-NAME or YOUR-PROVIDER-NAME-MNT.
In the "admin-c:" field write the nic-hdl we received after creating the person; it will be used for administrative contact.
In the "auth:" field write MD5-PW YOUR-PASSWORD-IN-MD5
In the "referral-by:" field write RIPE-DBM-MNT

After creating the mntner object, go back to the person object, this time to edit it: in the "Modify or delete an existing object" section enter your nic-hdl. While editing, add the "mnt-by" field (using the "Add New Field" form at the bottom of the page) and put in it the name you gave when creating the mntner object, for example MNT-YOUR-PROVIDER-NAME. Now you also need to add the "password" field and enter the unencrypted password to confirm ownership of the mntner object. "Signing" the person object with your mntner prevents anyone from changing your person object without your knowledge, because from now on any change will require the mntner password.

Next, you need to create an inetnum object .

In the "inetnum:" field enter the network you agreed with RIPE when you wrote the Address Plan. Example: 217.150.32.0 - 217.150.32.255

In the “ netname :” field , enter the name for your network as specified in the Address Plan.

In the field " status :" we write ASSIGNED PA

What to write in the "mnt-by:" field you already know.

All other objects are created / edited on the same principle.

Create route , domain , as-set objects .

In the domain object add as many "nserver:" fields as you need; they name the DNS servers that will be responsible for the reverse delegation (reverse lookup) of your addresses. In "zone-c:" give the nic-hdl of the person in your organization who will be responsible for the reverse zones.

In the as-set object add the "members:" field. If your AS is not a transit one yet, write in it AS YOUR_AS_NUMBER. The "as-set:" field is the name of your future as-set; usually the name looks like AS-PROVIDER_NAME, for example AS-TTK.

You need to create it so that when you are asked "Which object should we build filters from?" you can say it is an as-set and give its name. This is for your convenience.

Important: if you have edited your as-set (added or removed something), you need to tell your peers (neighbours), because not everyone updates their filters automatically.

Edit your aut-num object if necessary, for example by adding "remarks:" or "descr:" field(s) with a more detailed description of your network or of the legal entity it belongs to, and possibly by updating your "import:" and "export:" list.

With that, we have done everything needed to launch our AS with our own block of addresses.

Remember that a full description of an object's fields can be obtained by querying the database with the -v option and the name of the object type that interests you: an example.

Fields marked [mandatory] are required and must be present in the request.

Fields marked [single] may appear in the request only once.

Fields marked as [multiple] may be present in multiple instances (for example, to indicate multiple phone numbers).

The " changed " field must contain the e-mail address of the person who sends this application (or makes changes) and the date of the changes in the format YYYYMMDD .

The “ source ” field must contain the value “RIPE”.

The “ mnt-by ” field is used to select the method for authorizing further changes to the created object (see the “ mntner ” object ).

Deletion from the database is done in the same way as creation. The only difference is that a "delete:" field is added at the end, in which you give the reason for deleting the object.

To make WebUpdates easier to use, so that you do not have to enter the mntner password each time, you can authenticate once before making the changes you need: look


Excerpted from: http://subnets.ru/blog/?p=24
Author: Fish  Category: Network excerpts  Views: 132  Comments: 0