Differences

This shows you the differences between two versions of the page.

--- network_stuff:irr [2020/07/03 12:06] – jotasandoku
+++ network_stuff:irr [2023/11/02 14:38] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
+__**IRR SANITATION**__ SEE THIS ABOUT[[https://www.manrs.org/isps/guide/global-validation/|MANRS]]\\
+\\https://panda314159.duckdns.org/doku.php?id=network_stuff:irr&do=edit
+This is a [[http://example.com|hands-on guide]] and this is the HE algorithm explained step by step [[https://routing.he.net/algorithm.html|Link]]
+  * IRR fields (from ripe):
+    * THESE ARE OBJECTS (big blocks) AND HAVE FIELDS:  as-block, as-set, aut-num, domain, filter-set, inet6num, inetnum, inet-rtr, irt, key-cert, mntner, organisation, peering-set, person, poem, poetic-form, role, route, route6, route-set, rtr-set
+For new acquisitions, remember to:
+  * Add field
+    * Fix the ROE so our ASN is authorized to send those prefixes (this is needed any time we start announcing new subnets (more specific ones))
+  * We don't want ISPs to filter our PI  between them due to strict IRR prefix filters on their BGP sessions
+    * from HE: 'A route object for the /24 should suffice as AS200981 is already a member of our AS-SET, AS-HURRICANE.'
+    * [[http://fcix.net/whitepaper/2018/07/14/intro-to-irr-rpsl.html]]
+  * Issues with the IRR record  (RPKI):
+    * "RPKI status INVALID_ASN strongly indicate a serious problem."
+      * [[https://fcix.net/whitepaper/2018/07/14/intro-to-irr-rpsl.html]]
+    * Be sure the IRR "aut-num **contain** a valid AS-SET
+\\
+RPKI NOTES ( RFC6481 )
+  * ROA is the set  of : prefixes,  ASN and digital certificates.
+  * The 'resource certificate' is linked to RIPE NCC registration. [[https://www.ripe.net/manage-ips-and-asns/resource-management/certification/using-the-rpki-system|External Link]]
+    * we can have hosted solution: the private key of your resource certificate resides on a server hosted by the RIPE NCC and is not retrievable from the secured system.
+    * or non-hosted solution: open source implementations that allow operators to run Certificate Authority (CA) software that securely interfaces with the RIPE NCC parent system.
+  * Each  association prefix-ASN is  linked  to  a  Digital  Certificate  which  allows  anyone  consulting  the repositoryto  check  that  this  association  is  correct.
+  * Records of the organisations act as Certification Authorities (CAs) in this PKI.
+----
 In RIPE
   * RIPE=RIPE NCC
@@ Line 16: / Line 46: @@
 ----
-__**IRR SANITATION**__ SEE THIS ABOUT[[https://www.manrs.org/isps/guide/global-validation/|MANRS]]\\
-RIR (Regional Internet Registry) runs IRR databese SEE [[https://panda314159.duckdns.org/doku.php?id=network_stuff:irr]]\\
-IRR fields (from ripe): as-block, as-set, aut-num, domain, filter-set, inet6num, inetnum, inet-rtr, irt, key-cert, mntner, organisation, peering-set, person, poem, poetic-form, role, route, route6, route-set, rtr-set
-For new acquisitions, remember to:
-  * Add field
-    * Fix the ROE so our ASN is authorized to send those prefixes (this is needed any time we start announcing new subnets (more specific ones))
-  * We don't want ISPs to filter our PI  between them due to strict IRR prefix filters on their BGP sessions
-    * from HE: 'A route object for the /24 should suffice as AS200981 is already a member of our AS-SET, AS-HURRICANE.'
-    * [[http://fcix.net/whitepaper/2018/07/14/intro-to-irr-rpsl.html]]
-  * Issues with the IRR record  (RPKI):
-    * "RPKI status INVALID_ASN strongly indicate a serious problem."
-      * [[https://fcix.net/whitepaper/2018/07/14/intro-to-irr-rpsl.html]]
-    * Be sure the IRR "aut-num **contain** a valid AS-SET
       * If you cannot update your autnum with an export statement for AS6939 , update peeringdb.com with  your AS-SET: Record  your AS-SET in the IRR as-set/route-set field.

dokucama

User Tools

Site Tools

Differences

Page Tools