dokucama

User Tools

Site Tools

Trace: sonic irr netapp evpnvxlan palo_alto
network_stuff:irr

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
network_stuff:irr [2017/07/06 16:44] – created jotasandokunetwork_stuff:irr [2023/11/02 14:38] (current) – external edit 127.0.0.1
Line 1: Line 1:
 +__**IRR SANITATION**__ SEE THIS ABOUT[[https://www.manrs.org/isps/guide/global-validation/|MANRS]]\\
 +\\https://panda314159.duckdns.org/doku.php?id=network_stuff:irr&do=edit
 +This is a [[http://example.com|hands-on guide]] and this is the HE algorithm explained step by step [[https://routing.he.net/algorithm.html|Link]]
 +  * IRR fields (from ripe): 
 +    * THESE ARE OBJECTS (big blocks) AND HAVE FIELDS:  as-block, as-set, aut-num, domain, filter-set, inet6num, inetnum, inet-rtr, irt, key-cert, mntner, organisation, peering-set, person, poem, poetic-form, role, route, route6, route-set, rtr-set
 +
 +For new acquisitions, remember to:
 +  * Add field 
 +    * Fix the ROE so our ASN is authorized to send those prefixes (this is needed any time we start announcing new subnets (more specific ones))
 +  * We don't want ISPs to filter our PI  between them due to strict IRR prefix filters on their BGP sessions
 +    * from HE: 'A route object for the /24 should suffice as AS200981 is already a member of our AS-SET, AS-HURRICANE.'
 +    * [[http://fcix.net/whitepaper/2018/07/14/intro-to-irr-rpsl.html]]
 +  * Issues with the IRR record  (RPKI):
 +    * "RPKI status INVALID_ASN strongly indicate a serious problem."
 +      * [[https://fcix.net/whitepaper/2018/07/14/intro-to-irr-rpsl.html]]
 +    * Be sure the IRR "aut-num **contain** a valid AS-SET
 +\\ 
 +
 +RPKI NOTES ( RFC6481 )
 +  * ROA is the set  of : prefixes,  ASN and digital certificates.
 +  * The 'resource certificate' is linked to RIPE NCC registration. [[https://www.ripe.net/manage-ips-and-asns/resource-management/certification/using-the-rpki-system|External Link]]
 +    * we can have hosted solution: the private key of your resource certificate resides on a server hosted by the RIPE NCC and is not retrievable from the secured system.
 +    * or non-hosted solution: open source implementations that allow operators to run Certificate Authority (CA) software that securely interfaces with the RIPE NCC parent system.
 +  * Each  association prefix-ASN is  linked  to  a  Digital  Certificate  which  allows  anyone  consulting  the repositoryto  check  that  this  association  is  correct.
 +  * Records of the organisations act as Certification Authorities (CAs) in this PKI.
 +
 +----
 +
 +
 +
 In RIPE In RIPE
   * RIPE=RIPE NCC   * RIPE=RIPE NCC
Line 5: Line 35:
       * Uses Routing Policy Specification Language (RPSL)       * Uses Routing Policy Specification Language (RPSL)
       * route objects: When creating a route object you must authenticate against multiple //maintainers//        * route objects: When creating a route object you must authenticate against multiple //maintainers// 
 +
 +----
 +__DOCUMENTING IRR__:\\
 +  * Be sure each different site subnet (eg: /24) has a route object in IRR, otherwise it might be filtered between ISPs 
 +  * Also ASN needs to have its RR ( eg; AS200981 is already a member of our AS-SET, AS-HURRICANE. )
 +  * And the export/advcertise policy
 +  * More info here: [[http://fcix.net/whitepaper/2018/07/14/intro-to-irr-rpsl.html]]
 +
 +
 +----
 +
 +      * If you cannot update your autnum with an export statement for AS6939 , update peeringdb.com with  your AS-SET: Record  your AS-SET in the IRR as-set/route-set field.
 +
 + 
 +
 +https://www.peeringdb.com/
 +
network_stuff/irr.1499359495.txt.gz · Last modified: (external edit)

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki