network_stuff:irr


IRR SANITATION: see this about MANRS.
This is a hands-on guide, and this is the HE algorithm explained step by step.

  • IRR fields (from RIPE):
    • These are objects (big blocks), and each has fields: as-block, as-set, aut-num, domain, filter-set, inet6num, inetnum, inet-rtr, irt, key-cert, mntner, organisation, peering-set, person, poem, poetic-form, role, route, route6, route-set, rtr-set

For new acquisitions, remember to:

  • Add field
    • Fix the ROA so our ASN is authorized to send those prefixes (this is needed any time we start announcing new, more specific subnets)
  • We don't want ISPs to filter our PI between them due to strict IRR prefix filters on their BGP sessions
  • Issues with the IRR record (RPKI):


RPKI NOTES (RFC 6481)

  • The 'resource certificate' is linked to RIPE NCC registration.
    • We can use the hosted solution: the private key of your resource certificate resides on a server hosted by the RIPE NCC and is not retrievable from the secured system.
    • Or the non-hosted solution: open source implementations that allow operators to run Certificate Authority (CA) software that securely interfaces with the RIPE NCC parent system.
  • Each prefix-ASN association is linked to a digital certificate, which allows anyone consulting the repository to check that the association is correct.
  • Records of the organisations act as Certification Authorities (CAs) in this PKI.

In RIPE

  • RIPE=RIPE NCC
    • LIR: members of the RIPE NCC.
    • RIPE database (one of several IRRs in the world)
      • Uses Routing Policy Specification Language (RPSL)
      • route objects: When creating a route object you must authenticate against multiple maintainers

DOCUMENTING IRR:

  • Be sure each different site subnet (e.g. a /24) has a route object in the IRR, otherwise it might be filtered between ISPs
  • The ASN also needs to have its RR (e.g. AS200981 is already a member of our AS-SET, AS-HURRICANE)
  • And the export/advertise policy

  • If you cannot update your aut-num with an export statement for AS6939, update peeringdb.com with your AS-SET: record your AS-SET in the IRR as-set/route-set field.

https://www.peeringdb.com/
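
A pre-announcement check for the two points above (a route object per subnet and a ROA that authorizes our ASN), as an added example that is not part of the original notes. The prefixes and ASNs are constructed documentation values, the RPKI check follows RFC 6811 origin validation, and requiring an exact-match route object is an assumption about how strict the upstream IRR filters are.

```python
import ipaddress

# Constructed sample data (documentation prefixes and ASNs, not real records).
OUR_ASN = "AS64500"
RPSL = """\
route:   192.0.2.0/24
origin:  AS64500

route:   198.51.100.0/24
origin:  AS64501

route6:  2001:db8::/32
origin:  AS64500
"""
ROAS = [("192.0.2.0/24", 24, "AS64500"), ("2001:db8::/32", 32, "AS64500")]  # prefix, maxLength, ASN
ANNOUNCED = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8:1::/48"]

def parse_route_objects(text):  # prefix -> set of origin ASNs registered for it
    routes = {}
    for block in text.strip().split("\n\n"):
        attrs = {k.strip(): v.strip() for k, v in
                 (line.split(":", 1) for line in block.splitlines() if ":" in line)}
        prefix = attrs.get("route") or attrs.get("route6")
        if prefix and "origin" in attrs:
            routes.setdefault(ipaddress.ip_network(prefix), set()).add(attrs["origin"].upper())
    return routes

def rov_state(prefix, asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net, covered = ipaddress.ip_network(prefix), False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covered = True  # a ROA covers this prefix, so it can no longer be 'not-found'
            if net.prefixlen <= max_len and roa_asn == asn:
                return "valid"
    return "invalid" if covered else "not-found"

def audit(announced, rpsl, roas, asn):
    """Per announced prefix: (IRR status, RPKI state). Exact-match route object assumed."""
    routes, report = parse_route_objects(rpsl), {}
    for prefix in announced:
        origins = routes.get(ipaddress.ip_network(prefix), set())
        irr = "ok" if asn in origins else ("wrong-origin" if origins else "missing")
        report[prefix] = (irr, rov_state(prefix, asn, roas))
    return report

if __name__ == "__main__":
    print(*audit(ANNOUNCED, RPSL, ROAS, OUR_ASN).items(), sep="\n")
```

The 2001:db8:1::/48 result is the more-specific case from the acquisition checklist: the covering ROA has maxLength 32, so the /48 is RPKI-invalid until the ROA is fixed, and it also has no route object of its own.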

network_stuff/irr.1598361961.txt.gz · Last modified: (external edit)