Thank you for your efforts in making routing more secure for the entire MICE community.
Could you please clarify which IRR source will be included for filter generation? We currently rely on RADb instead of ARIN for our IRR records, and it would be helpful to confirm if this will be used with the new route servers.
On 2023-05-09 6:19 a.m., Richard Laager wrote:
[I plan to send this to MICE-ANNOUNCE too, but I want to see if anyone has corrections.]
MICE will soon be deploying new route servers which will require IRR (Internet Routing Registry) records, as is a best practice at IXPs.
What
- You MUST have an as-set object listing your AS and your downstream ASes (if any).
- You MUST either list that as-set in PeeringDB or email the name of your as-set to me (off-list to rlaager@wiktel.com please).
- A route/route6 object MUST exist for each prefix you announce to the route servers (whether originated by you or transited through you) and it must list an Origin AS that is in your as-set.
When
- If you are a transit AS (i.e. have ASes behind you) and don't have an as-set object, fix this now. Without an as-set object, your downstream ASes' announcements will be blocked (filtered) immediately when the first new route server is cut in. (Granted, they will still work through the second route server until it is upgraded.) Figure you have 1-2 weeks at most.
- Enforcement of the route/route6 objects (for both transit and non-transit ASes) will come later, but not a lot later. So please, start on this now.
Where
If you are not sure where to create IRR records, use ARIN (assuming you are in the ARIN region).
How (with ARIN)
- Log in to ARIN Online. (Go to arin.net and click Login in the top right.)
- On the left side, expand "Routing Security" and click "IRR".
- Click "as-set" at the top.
- Click "Create an Object".
- Fill in the fields:
  The "AS Set Name" is what you will list in PeeringDB (or email to me).
  "Description" is unparsed, but they suggest the location and have a button to "Copy the Address from My Org ID".
  "Members" is where you list your ASN and downstream ASes (if any).
- Click "Review". Once ready, click "Submit".
- Click "route/route6" at the top.
- Click "Create an Object".
- Fill in the fields:
  "Prefix" is the prefix, e.g. 192.0.2.0/24.
  "Origin" is your ASN.
- Click "Review". Once ready, click "Submit".
- Repeat to create additional route objects until all of your announcements are covered. Don't forget IPv6!
Examples
Here is my as-set: https://www.radb.net/query?keywords=AS-WIKTEL
Here is one example route: https://www.radb.net/query?keywords=69.89.192.0%2F20
(I created the AS33362 one. The AS19905 one is because another AS can originate this route for DDoS scrubbing reasons.)
-- Richard
To unsubscribe from the MICE-DISCUSS list, click the following link:
http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
--
Best regards
August Yang
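
The two rules from the quoted announcement (a route/route6 object must exist for each announced prefix, and its origin must be in the member's as-set), as an added example that is not part of this thread or of MICE's route-server configuration. The as-set name `AS-EXAMPLE`, the sample records and the function names are constructed; exact prefix matching and a flat as-set (nested as-sets are not expanded) are assumptions.

```python
import ipaddress

# Constructed sample IRR data (documentation ASNs/prefixes); flat as-set assumed.
SAMPLE_IRR = """\
as-set:   AS-EXAMPLE
members:  AS64500, AS64501

route:    192.0.2.0/24
origin:   AS64500

route:    198.51.100.0/24
origin:   AS64510

route6:   2001:db8::/32
origin:   AS64501
"""

def parse_rpsl(text):
    """Split RPSL text into objects, each a list of (attribute, value) pairs."""
    objects = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines())
        objects.append([(k.strip().lower(), v.strip()) for k, _, v in pairs])
    return objects

def build_filter(objects, as_set_name):
    """Return (member ASNs, {(prefix, origin)}) for one as-set plus all routes."""
    members, routes = set(), set()
    for attrs in objects:
        cls, name = attrs[0]
        if cls == "as-set" and name.upper() == as_set_name.upper():
            for key, value in attrs:
                if key == "members":
                    members.update(m.strip().upper() for m in value.split(",") if m.strip())
        elif cls in ("route", "route6"):
            origin = dict(attrs).get("origin", "").upper()
            routes.add((ipaddress.ip_network(name), origin))
    return members, routes

def check_announcement(prefix, origin_as, members, routes):
    """Apply both rules to one announced prefix (exact-match assumption)."""
    net = ipaddress.ip_network(prefix)
    origins = {o for p, o in routes if p == net}
    if not origins:
        return "reject: no route/route6 object"
    if origin_as.upper() not in origins:
        return "reject: origin not in any route object for this prefix"
    if origin_as.upper() not in members:
        return "reject: origin AS not in as-set"
    return "accept"
```

Several route objects may exist for one prefix with different origins, as in the 69.89.192.0/20 example above; the check accepts any announced origin that has a matching object and is in the as-set.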