Dealing With Recent Routing Registry Changes

Presented at SAFNOG 4, Dar es Salaam, Tanzania.

1.  Introduction

I will give you an AFRINIC perspective on routing registries, paying particular attention to some recent changes made by the RIPE NCC, how they affect AFRINIC members, and some forthcoming changes to be made by AFRINIC.

2.  What is a routing registry?

A routing registry is a database where network operators can register information about their routing policies, and the routes that they plan to announce in BGP.  There are tools that can use the registered routes and policies to create filters that can be used in configuring routers.

Several organisations maintain routing registries, which collectively form the Internet Routing Registry, or “IRR” system.  Each of the five Regional Internet Registries maintains a routing registry, several large network operators maintain their own routing registries, and there are a few provider-independent routing registries.  Many of the routing registries mirror each other’s databases.

Different routing registries have different usage restrictions.  The AFRINIC routing registry is open for use by holders of AFRINIC address space.

3.  What’s in the routing registry

In AFRINIC’s case, the same underlying database is used for both WHOIS and the IRR, so there’s a mixture of information related to routing, and information related to address space allocation.

This is not an IRR tutorial, so I won’t go into detail about the objects in the registry, but I will list a few of the object types.  If you want a tutorial, then AFRINIC is running one here at SAFNOG this afternoon.

3.1.  “route” and “route6” objects

Each “route” or “route6” object describes the linkage between an IPv4 or IPv6 prefix, and the autonomous system that plans to announce the prefix as a BGP route.  Essentially, each route or route6 object says “This IPv4 or IPv6 prefix may be announced in BGP by this ASN.”  There is also information about the organisation, contact persons or role accounts, and maintainers who are allowed to edit the object.

These are possibly the most critical objects for most operators.  If you don’t register a route or route6 object, then your peers or upstream providers may configure their routers with filters that do not accept your prefix in BGP announcements.

3.2.  “aut-num” objects

Each “aut-num” object describes an autonomous system or ASN.  The objects include information about the organisation that the ASN has been assigned to, contact persons, and information about the ASN’s routing policy, such as which other ASNs they peer with, and how they filter routing announcements.

3.3.  “inetnum” and “inet6num” objects

The inetnum and inet6num objects describe IPv4 or IPv6 prefixes.  They may be prefixes that were allocated or assigned directly by an RIR, or more-specifics that were sub-allocated or assigned by a network operator.

3.4.  “mntner” objects

The “mntner” objects specify maintainers, who may create or make changes to other objects.  Every object is linked to one or more maintainers, and every maintainer has one or more passwords or cryptographic keys that are used to authenticate updates.

The authentication rules are somewhat complex, but a simplified version is that:

  • “mnt-by” refers to a maintainer who may edit THIS object.  In the case of resources allocated or assigned by AFRINIC, “mnt-by” refers to a privileged maintainer controlled by AFRINIC hostmaster staff.
  • In objects that have an “mnt-lower” attribute, it refers to a maintainer who may create or edit information relating to more-specific address blocks.
  • In objects that have an “mnt-routes” attribute, it refers to a maintainer who may create or edit routes or routing policies associated with the address block or ASN.

4.  About AFRINIC’s IRR

The AFRINIC routing registry is a free service, open to AFRINIC members, and to legacy resource holders in the AFRINIC region.  It is mirrored by several other IRR operators, and it has never experienced any down time.

The AFRINIC routing registry was launched in 2013.  Prior to that, AFRINIC members were encouraged to use the RIPE routing registry, and more than 1000 AFRINIC members have created more than 48000 route and route6 objects in the RIPE IRR.

Since the AFRINIC routing registry was launched, we have encouraged AFRINIC members to use the AFRINIC IRR.  We also help members to register or change their objects.  We do this through initiatives such as tutorials, face-to-face consultations, one-on-one “bootcamps” conducted remotely, and assistance via email.

As of a few days ago, 32% of AFRINIC members are using AFRINIC’s IRR.  That’s a big increase from 23% a month ago, and we’d like to increase it to 50% over the next 12 months.

Over the past month, 61 AFRINIC members have started using the AFRINIC IRR, and they have created more than 8000 routes.  You can see a gradual increase beginning around June 2018, and a big jump in September, following very little growth over the preceding year.  This rapid increase is due to AFRINIC members preparing for and reacting to changes in the RIPE IRR.

5.  What has changed in the RIPE IRR

In the past, the RIPE IRR was open to anybody, and it was possible for AFRINIC members to register route and route6 objects in the RIPE IRR.  This was even encouraged, before AFRINIC’s IRR was created in 2013.

In 2017, the RIPE membership decided to close access to the RIPE database, and the change was implemented about a month ago, on 4 September 2018.

This means that it is no longer possible to register non-RIPE ASNs in the RIPE IRR, and it is no longer possible to register route or route6 objects for non-RIPE address space in the RIPE IRR.  Any existing out of region objects will not be deleted, but the “source” attribute will be changed from “RIPE” to “RIPE-NONAUTH”, and it will not be possible to edit the objects.

6.  How many AFRINIC members are affected?

More than 1000 AFRINIC members have registered more than 48000 route and route6 objects in the RIPE routing registry.  All of these AFRINIC members will be affected eventually.

7.  What is the impact on AFRINIC members?

If you had routes with AFRINIC address space, registered in the RIPE IRR, then the change from “source: RIPE” to “source: RIPE-NONAUTH” may have affected you.  Some operators create filters for their routers using information from the IRR, and the tools that they use to generate the filters might not recognise “source: RIPE-NONAUTH”.

I know that this caused a problem for some AFRINIC members the day after the change was made.  If you were affected, you’d know about it, because the change took place three weeks ago.  I am embarrassed to say that AFRINIC had a technical problem on that day, which made it impossible to register routes with non-AFRINIC ASNs in the AFRINIC IRR, until we fixed it several hours later. 

8.  What should you do?

If you still have route or route6 objects in the RIPE IRR, for AFRINIC address space, then you may be OK in the short term, but you will not be able to edit those objects, so you really should migrate them to another routing registry.  Of course we encourage you to use the AFRINIC IRR, but you may choose one of the paid routing registries.

If your peers or upstream providers don’t accept objects from the AFRINIC IRR, then please ask them to start using it.  The AFRINIC IRR supports the same query mechanism as other routing registries, and it’s mirrored by several other routing registries, so it is a simple configuration change for organisations to query the AFRINIC IRR in addition to any other sources that they already use.  You may ask the AFRINIC team for help by email.

If you are an upstream provider that uses the IRR to create filters, then please ensure that you are using the AFRINIC IRR along with any other IRR sources that you also use.  To make things easier for your customers who might still have objects in the RIPE IRR with non-RIPE address space, you can configure your tools to accept “source: RIPE-NONAUTH”.  We’d also like you to encourage your customers to use the AFRINIC IRR.
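The effect of the accepted source list on a generated filter can be seen in the following added example, which is not part of the original talk or any AFRINIC tooling.  The objects are constructed samples using documentation prefixes and ASNs, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample objects (documentation prefixes and ASNs, made-up maintainers).
SAMPLE_IRR_DUMP = """\
route:   192.0.2.0/24
origin:  AS64500
mnt-by:  EXAMPLE-MNT
source:  AFRINIC

route:   198.51.100.0/24
origin:  AS64500
mnt-by:  EXAMPLE-MNT
source:  RIPE-NONAUTH

route6:  2001:db8::/32
origin:  AS64500
mnt-by:  EXAMPLE-MNT
source:  AFRINIC

route:   203.0.113.0/24
origin:  AS64501
mnt-by:  OTHER-MNT
source:  RIPE
"""

def parse_objects(text):
    """Split a dump into objects; each object is a list of (attribute, value)."""
    objects = []
    for block in text.strip().split("\n\n"):
        # Split on the first colon only, so IPv6 prefixes stay intact.
        pairs = (line.partition(":") for line in block.splitlines())
        objects.append([(k.strip().lower(), v.strip()) for k, _, v in pairs])
    return objects

def build_prefix_list(objects, origin, accepted_sources):
    """Return (accepted, skipped) prefixes registered for one origin ASN."""
    accepted, skipped = [], []
    for attrs in objects:
        obj_class, prefix = attrs[0]          # first attribute names the class
        fields = dict(attrs)
        if obj_class not in ("route", "route6"):
            continue
        if fields.get("origin", "").upper() != origin.upper():
            continue
        net = str(ipaddress.ip_network(prefix))
        if fields.get("source", "").upper() in accepted_sources:
            accepted.append(net)
        else:
            # Keep a record of what was dropped and why, for troubleshooting.
            skipped.append((net, fields.get("source")))
    return accepted, skipped
```

Reporting the skipped prefixes together with their source makes it easy to spot a customer route that disappeared from the filter only because its source was relabelled.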

9.  How to register in the AFRINIC IRR

The AFRINIC IRR is a free service for AFRINIC members, and also for holders of legacy address space in the AFRINIC region.  Essentially, if you have IPv4 or IPv6 space that’s registered through AFRINIC, then you may use the AFRINIC IRR.

You can send updates to the database through a form linked to the WHOIS web client, or through an email robot.  We have documentation on a web page, and we can help via email.

9.1.  Current process

As of today, 24 September 2018, route and route6 objects in the AFRINIC IRR must be authorised by both the holder of the address space, and the holder of the ASN.  We will remove the need for ASN authentication later this week, and I’ll discuss that a little later, but now I’ll describe the process as it is today.

In the simplest case, where the ASN and the address space are both associated with the same organisation — actually, with the same maintainer — then you simply send the route or route6 object to AFRINIC’s database frontend, via email or web service, using a password or cryptographic key that is specified in the maintainer object.

If the ASN and the address space are associated with different organisations, then it’s more complicated.  This can easily happen when the address space is associated with a downstream customer of the ASN.  Here, there’s a dual authentication scheme, where the same objects have to be sent to AFRINIC twice, with different passwords associated with the two different maintainers.  You send the objects with the first password, and they get kept in a holding space for a week waiting for the same objects to be sent again with the second password, and then the objects are moved from the holding space to the live database.

If the ASN is registered through an RIR other than AFRINIC, then almost the same dual authentication scheme can be used, but this time the second authentication is from AFRINIC hostmaster staff, and they will do so only after verifying that the ASN is registered under the same organisation in the other RIR.  If the organisations don’t match, then staff will not create the route object.

9.2.  New process

New authorisation rules will be implemented on Thursday 27 September 2018.  Based on discussion in AFRINIC’s database working group, we have decided to remove the need for route or route6 objects to be authorised by the ASN holder.   This matches common practice in other IRRs.

The route or route6 objects must still be authorised by the IPv4 or IPv6 address space holder.  If you are the ASN, and the address space is allocated to your customer, then you may have to ask your customer to submit the route or route6 objects using their maintainer password.  Alternatively, the address space holder may authorise the upstream provider to manage any route or route6 objects associated with their address space; they can do this by adding “mnt-routes” attributes to the inetnum or inet6num objects.

9.3.  More difficult cases

When we say that route or route6 objects must be authorised by the holder of the address space, the underlying technical meaning is that the IPv4 or IPv6 prefix that is mentioned in the route or route6 object must exactly correspond to a prefix that is mentioned in an inetnum or inet6num object in the AFRINIC database, or must be a more-specific, and the relevant maintainer must use their password or cryptographic key to add or edit the route object. 

That’s easily workable if the route is the same as the address block, or if the route is more-specific than the address block, but there’s a problem when the route is an aggregate that’s less-specific than the address blocks inside the aggregate.  We do not yet have a plan to deal with this. 
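The rule in sections 9.2 and 9.3 can be modelled as follows; this is an added example, not AFRINIC's implementation.  It assumes that any maintainer listed in “mnt-routes”, “mnt-lower” or “mnt-by” on the covering inetnum is acceptable, which simplifies the real authentication rules, and the records, maintainer names and function names are constructed.

```python
import ipaddress

# Constructed inetnum records: two adjacent blocks held by different customers.
INETNUMS = [
    {"range": ("198.51.100.0", "198.51.100.127"),
     "mnt-by": ["EXAMPLE-HM-MNT"], "mnt-lower": ["CUSTOMER-A-MNT"],
     "mnt-routes": ["UPSTREAM-MNT"]},
    {"range": ("198.51.100.128", "198.51.100.255"),
     "mnt-by": ["EXAMPLE-HM-MNT"], "mnt-lower": ["CUSTOMER-B-MNT"],
     "mnt-routes": []},
]

def covering_inetnum(prefix, inetnums):
    """Return the smallest inetnum that fully contains the prefix, or None."""
    net = ipaddress.ip_network(prefix)
    best = None
    for obj in inetnums:
        lo, hi = (ipaddress.ip_address(a) for a in obj["range"])
        if lo.version != net.version:
            continue
        # Exact match or more-specific: both ends of the route fall in the block.
        if lo <= net.network_address and net.broadcast_address <= hi:
            size = int(hi) - int(lo)
            if best is None or size < best[0]:
                best = (size, obj)
    return best[1] if best else None

def may_register_route(prefix, authenticated_mntner, inetnums):
    """New process: only the address space side is checked, never the ASN."""
    obj = covering_inetnum(prefix, inetnums)
    if obj is None:
        # An aggregate spanning several blocks lands here, as does
        # address space that is not in the database at all.
        return False, "no single inetnum covers this prefix"
    # Assumed simplification: any of these maintainers may authorise the route.
    allowed = set(obj["mnt-routes"]) | set(obj["mnt-lower"]) | set(obj["mnt-by"])
    if authenticated_mntner in allowed:
        return True, "authorised by maintainer of covering inetnum"
    return False, "maintainer not listed on covering inetnum"
```

The 198.51.100.0/24 aggregate is rejected even for a maintainer of one of the two halves, which is the unsolved case described above.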

10.  How to get help

AFRINIC is ready to help you use the IRR, whether it’s migrating objects from the RIPE IRR, updating existing objects, resetting a forgotten password, or any other issue.

IRR changes are discussed in our Database Working Group; you can subscribe through https://lists.afrinic.net/

Please also see our IRR information page at https://afrinic.net/en/services/afrinic-irr, and the comprehensive guide linked from that page.

We will also be running an IRR tutorial here at SAFNOG this afternoon.

Thank you for your interest.
