__**IRR SANITATION**__ SEE THIS ABOUT [[https://www.manrs.org/isps/guide/global-validation/|MANRS]]\\
\\
This is a [[http://example.com|hands-on guide]] and this is the HE algorithm explained step by step: [[https://routing.he.net/algorithm.html|Link]]

  * IRR fields (from RIPE):
    * THESE ARE OBJECTS (big blocks) AND HAVE FIELDS: as-block, as-set, aut-num, domain, filter-set, inet6num, inetnum, inet-rtr, irt, key-cert, mntner, organisation, peering-set, person, poem, poetic-form, role, route, route6, route-set, rtr-set

For new acquisitions, remember to:
  * Add field
  * Fix the ROA so our ASN is authorized to send those prefixes (this is needed any time we start announcing new subnets (more specific ones))
  * We don't want ISPs to filter our PI between them due to strict IRR prefix filters on their BGP sessions
  * From HE: 'A route object for the /24 should suffice as AS200981 is already a member of our AS-SET, AS-HURRICANE.'
  * [[http://fcix.net/whitepaper/2018/07/14/intro-to-irr-rpsl.html]]
  * Issues with the IRR record (RPKI):
    * "RPKI status INVALID_ASN strongly indicate a serious problem."
    * [[https://fcix.net/whitepaper/2018/07/14/intro-to-irr-rpsl.html]]
    * Be sure the IRR "aut-num" **contains** a valid AS-SET
\\
RPKI NOTES (RFC6481)
  * ROA is the set of: prefixes, ASN and digital certificates.
  * The 'resource certificate' is linked to RIPE NCC registration. [[https://www.ripe.net/manage-ips-and-asns/resource-management/certification/using-the-rpki-system|External Link]]
  * We can have a hosted solution: the private key of your resource certificate resides on a server hosted by the RIPE NCC and is not retrievable from the secured system.
  * Or a non-hosted solution: open source implementations that allow operators to run Certificate Authority (CA) software that securely interfaces with the RIPE NCC parent system.
  * Each prefix-ASN association is linked to a digital certificate, which allows anyone consulting the repository to check that this association is correct.
  * Records of the organisations act as Certification Authorities (CAs) in this PKI.

----

In RIPE
  * RIPE = RIPE NCC
  * LIR: members of the RIPE NCC.
  * RIPE database (one of the several IRRs in the world)
  * Uses Routing Policy Specification Language (RPSL)
  * route objects: when creating a route object you must authenticate against multiple //maintainers//

----

__DOCUMENTING IRR__:\\
  * Be sure each different site subnet (e.g. /24) has a route object in the IRR, otherwise it might be filtered between ISPs
  * The ASN also needs to have its RR (e.g. AS200981 is already a member of our AS-SET, AS-HURRICANE.)
  * And the export/advertise policy
  * More info here: [[http://fcix.net/whitepaper/2018/07/14/intro-to-irr-rpsl.html]]

----

  * If you cannot update your aut-num with an export statement for AS6939, update peeringdb.com with your AS-SET: record your AS-SET in the IRR as-set/route-set field. https://www.peeringdb.com/
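
As an added example (not from this page or from any tool it links to), the Python below audits a list of announced prefixes against IRR route objects and ROAs, the two checks the notes above ask for: a route object per announced subnet, and no RPKI INVALID_ASN. All prefixes, ASNs and the maintainer name are constructed documentation values; exact-match IRR filtering and the INVALID_LENGTH / NOT_FOUND labels are assumptions of the example.

```python
import ipaddress

# Constructed sample data: documentation prefixes/ASNs, hypothetical maintainer.
IRR_DUMP = """\
route:   192.0.2.0/24
origin:  AS64500
mnt-by:  EXAMPLE-MNT

route:   198.51.100.0/24
origin:  AS64501
mnt-by:  EXAMPLE-MNT
"""
# ROAs as (prefix, max length, authorised origin ASN), also constructed.
ROAS = [("192.0.2.0/24", 24, 64500), ("198.51.100.0/24", 24, 64500),
        ("203.0.113.0/24", 24, 64511)]
ANNOUNCED = [("192.0.2.0/24", 64500), ("192.0.2.128/25", 64500),
             ("198.51.100.0/24", 64500), ("203.0.113.0/24", 64500)]

def parse_route_objects(text):
    """Return {(network, origin ASN)} from RPSL route/route6 objects."""
    routes = set()
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), value.strip())
        prefix = attrs.get("route") or attrs.get("route6")
        if prefix and "origin" in attrs:
            asn = int(attrs["origin"].upper().removeprefix("AS"))
            routes.add((ipaddress.ip_network(prefix), asn))
    return routes

def rpki_state(prefix, origin, roas):
    """Origin validation in the style of RFC 6811, invalids split by cause."""
    net = ipaddress.ip_network(prefix)
    covering = [(m, a) for p, m, a in roas
                if (r := ipaddress.ip_network(p)).version == net.version and net.subnet_of(r)]
    if not covering:
        return "NOT_FOUND"
    if any(a == origin and net.prefixlen <= m for m, a in covering):
        return "VALID"
    if any(a == origin for _, a in covering):
        return "INVALID_LENGTH"   # right ASN, announcement more specific than maxLength
    return "INVALID_ASN"          # covered by ROAs, none authorises this origin

def audit(announced, irr_text, roas):
    """Map prefix -> (exact IRR route object with our origin?, RPKI state)."""
    routes = parse_route_objects(irr_text)
    return {p: ((ipaddress.ip_network(p), o) in routes, rpki_state(p, o, roas))
            for p, o in announced}
```

Any prefix whose result is not `(True, "VALID")` needs a route object created or corrected, or its ROA fixed, before the announcement goes live.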