AFRINIC Internet Routing Registry (IRR) Tutorial

Increase awareness and adoption of the AFRINIC IRR and aid with migration of existing route objects and routing information. Learn how to create your route objects and understand the impacts of the AFRINIC IRR homing project at RIPE NCC.

Presentation Transcript


  1. Routing Security: AFRINIC Internet Routing Registry (IRR) Tutorial
     By Keessun Fokeerah, Member Services (MS) Team, irr@afrinic.net

  2. Target Audience
     - Network engineers (registered technical contacts of AFRINIC members)
     - Prior AFRINIC INRM training, including WHOIS-101, is recommended
     - Conversant with the AFRINIC whois database & RPSL (RFC 2622)
     - Have appropriate rights to create/migrate route objects (hold organisation's maintainer password)

  3. Objectives
     - Create awareness of the AFRINIC IRR
     - Increase adoption of the AFRINIC IRR
     - Aid with migration of existing route objects & routing information from other routing registries
     - How to create your route objects
     - Sensitise on impacts of the "AFRINIC IRR homing project" at RIPE NCC

  4. Introduction
     - AFRINIC deployed and showcased an Internet Routing Registry (IRR) during its AFRINIC-18 meeting (17th June 2013).
     - Up till last year, AFRINIC members were asked by AFRINIC to add route objects on the RIPE IRR.
     - Some members also had routing policy information hidden in 'remarks' fields in the AFRINIC WHOIS itself.

  5. Why do we need a routing registry?
     - Each RIR database is independent from the other RIRs' databases.
     - Routing registries are queried by upstream/transit providers for:
       - Updating filter lists, ensuring stability and consistency of routing information shared via BGP.
       - Better control of BGP traffic, for example to avoid bogons.
     - If you don't have objects in the RIPE NCC database then you need to create new objects to avoid being filtered by upstream providers.
     - Based on the routing policy, other objects may need to be created (AS-SET & ROUTE-SET).
     - For routing purposes not all objects are needed. It depends on the situation and routing policy.

  6. AFRINIC IRR Features
     - Open to AFRINIC Resource members and Legacy Resource Holders in the AFRINIC service region
     - AFRINIC IRR is mirrored by the other IRRs such as APNIC, RIPE NCC, NTTCOM, AMS-IX, Work Online (SA) and even RADB
     - Network operators will be able to point to our routing registry and enjoy a one-stop-shop kind of service for routing-related information
     - Stable & secure source of routing information
     - AFRINIC IRR service is now part of the WHOIS service

  7. Benefits of the AFRINIC IRR
     - Cost
       - Free service provided to the community.
     - Easy maintenance
       - Integrated into the AFRINIC whois, so the same set of objects is used (aut-num, maintainer etc.)
     - Security
       - Route objects are tied to aut-num; created only by AFRINIC Hostmasters.
       - Only the "holder" of prefixes can create route objects for a given inetnum.
       - Considerably reduced risk of hijacking.
       - No publicly available password such as RIPE-NCC-RPSL-MNT at RIPE NCC

  8. AFRINIC Routing Registry Overview

  9. WHOIS DB Objects List
     - Mntner: maintainer used to protect objects, associated with an authentication method: either password, X.509 or PGP key.
     - Aut-num: information about the Autonomous System Number (ASN).
     - Route: describes routing information about a specific IPv4 range intended to be advertised to the Internet.
     - Route6: describes routing information about a specific IPv6 range intended to be advertised to the Internet.
     - AS-Set: describes a set of aut-nums, which usually identifies the origin of all the prefixes that will be advertised by the organisation. Applicable to a member using multiple ASNs to announce the same prefix(es).
     - Route-Set: the simple method to maintain a list of routes is to use a route-set object. A customer using a route-set object to maintain their list of advertised routes would simply ask their upstream to use an import policy to build their filter.

  10. Route/route6 object creation workflow
     - Route/route6: the workflow does not differentiate between route and route6 objects.
     - The resources AFRINIC manages are considered "in region" and will be called "IN".
     - The resources AFRINIC does not manage are called "OUT".

  11. Route/route6 object creation workflow(old)

  12. Route/route6 object creation new workflow

  13. Route/route6 object creation workflow (cont)
     - Scenario 1: Prefix OUT & ASN (IN or OUT)
     - If the prefix is OUT, the request to create the route object will be rejected irrespective of whether the ASN is administered by AFRINIC or not.

  14. Route/route6 object creation – Prefix OUT

  15. Route/route6 object creation – Prefix OUT

  16. Route/route6 object creation workflow (cont)
     - Scenario 2: Prefix IN & ASN IN
     - Both the prefix and the aut-num are administered by AFRINIC. Creation shall be allowed if the 3 "phases" of authentication succeed:
       1. Inetnum authentication by the first of the following maintainers:
          - mnt-routes
          - mnt-lower
          - mnt-by
       2. Aut-num authentication by the first of the following maintainers:
          - mnt-routes
          - mnt-by
       3. Route object authentication using mnt-by (of the route object)
     - Note: If different maintainers are used, all the authentications must be concluded no later than 7 days after the first submission.

  17. Route(6) creation – Prefix & ASN OUT/IN

  18. Route(6) object creation – Prefix & ASN IN

  19. Route(6) object creation – Prefix & ASN IN

  20. RIPE: AFRINIC IRR homing project
     Proposed Implementation (on 26th May 2016 during RIPE-72)
     - Step 1: Communicate
       - Operators are encouraged to add the AFRINIC IRR to their tool chains
       - AFRINIC continues aiding migration of objects into the AFRINIC IRR
     - Step 2: Freeze in RIPE IRR (3 months after step 1)
       - No new route(6) objects allowed for AFRINIC ASN and prefix
       - Modify or delete for existing objects by maintainers
     - Step 3: Clean-up objects (3 months after step 2)
       - Remaining route(6) objects are deleted in the RIPE IRR and imported as locked objects in the AFRINIC IRR
       - AFRINIC resource holders can delete objects

  21. RIPE: AFRINIC IRR homing project
     Proposed Implementation
     - Step 1: Communicate
       - Operators are encouraged to add the AFRINIC IRR to their tool chains
       - AFRINIC continues aiding migration of objects into the AFRINIC IRR
     - Step 2: Freeze/lock in RIPE IRR, implemented as part of NWI-5

  22. NWI-5 Changes on RIPE IRR
     Effective: 4th Sept 2018
     - The RIPE-NCC-RPSL-MNT maintainer was deleted
     - Creation of out-of-region aut-num (ASN) is no longer possible
     - The RIPE IRR no longer supports the creation of out-of-region route(6) objects
     - Existing non-RIPE-managed route(6) objects have been moved under the source: "RIPE-NONAUTH"
     - The existing out-of-region objects may eventually be deleted after further discussion by the RIPE Database Working Group

  23. NWI-5 impacts
     - Operators still having their objects in RIPE-NONAUTH have been impacted during the change
     - Operators who have still not migrated are liable to future deletion of their objects, and thus their traffic will be affected

  24. AFRINIC IRR adoption
     AFRINIC encourages adoption of the IRR through:
       1. BoFs at AFRINIC meetings and outreach at regional events
       2. Boot camps
     Purpose:
     - Inform the community that the AFRINIC IRR is ready & invite members to use it
     - Promote use of the migration tool to simplify migration of existing objects from other IRRs
     - Encourage participants to use AFRINIC tools (MyAFRINIC, webupdate) to manage their route objects & routing policy
     - Encourage them to clean up the various registries to avoid inconsistencies, using tools such as http://irrexplorer.nlnog.net

  25. AFRINIC IRR adoption

  26. AFRINIC IRR adoption

  27. Recommendations
     AFRINIC recommends that:
       1. Contact details are updated after staff join or leave your company
       2. Maintainer passwords are kept up to date
       3. If you hold resources from AFRINIC, have your route object registered
       4. To avoid negative impacts on your business, migrate your route objects to AFRINIC IRR from RIPE NCC's IRR

  28. Contact us at:
     - irr@afrinic.net
     - hostmaster@afrinic.net
     Refer to the how-to manuals: www.afrinic.net/en/library/membership-documents
     Meet us at the AFRINIC booth for support

  29. Want more Security on your Routing?

  30. Let’s talk about RPKI!

  31. Thank you for your Attention. Questions?
     twitter.com/afrinic, flickr.com/afrinic, facebook.com/afrinic, linkedin.com/company/afrinic, youtube.com/afrinicmedia, www.afrinic.net
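
The Scenario 1 and Scenario 2 checks from slides 13 and 16, sketched in Python as an added example (not AFRINIC's code and not part of the original slides). It reads "the first of the following maintainers" as "the first listed attribute present on the object"; the dict layout, status strings and EXAMPLE-* maintainer names are assumptions, and the prefix-IN/ASN-OUT case, which the transcript text does not describe, is left undecided.

```python
from datetime import datetime, timedelta

PENDING_WINDOW = timedelta(days=7)  # slide 16: all authentications within 7 days

def first_present(obj, attrs):
    """Maintainers named by the first listed attribute that the object carries."""
    for attr in attrs:
        if obj.get(attr):
            return set(obj[attr])
    return set()

def evaluate(route, inetnum, autnum, approvals, now):
    """Decide a route(6) creation request.

    inetnum/autnum are the covering registry objects as dicts, or None when the
    resource is OUT. approvals maps maintainer name -> time it authenticated.
    """
    if inetnum is None:                  # Scenario 1: prefix OUT
        return "REJECTED: prefix OUT"
    if autnum is None:                   # prefix IN, ASN OUT: not described in the text
        return "UNDECIDED: prefix IN, ASN OUT"
    phases = {                           # Scenario 2: three authentication phases
        "inetnum": first_present(inetnum, ("mnt-routes", "mnt-lower", "mnt-by")),
        "aut-num": first_present(autnum, ("mnt-routes", "mnt-by")),
        "route": set(route["mnt-by"]),
    }
    # The 7-day window starts at the first authenticated submission.
    deadline = min(approvals.values(), default=now) + PENDING_WINDOW
    in_time = {m for m, t in approvals.items() if t <= deadline}
    missing = sorted(p for p, mnts in phases.items() if not mnts & in_time)
    if not missing:
        return "CREATED"
    state = "REJECTED" if now > deadline else "PENDING"
    return f"{state}: missing {', '.join(missing)}"

# Constructed sample objects: documentation prefix/ASN, hypothetical maintainers.
INETNUM = {"mnt-by": ["EXAMPLE-LIR-MNT"], "mnt-lower": ["EXAMPLE-NET-MNT"]}
AUTNUM = {"mnt-by": ["EXAMPLE-AS-MNT"]}
ROUTE = {"route": "192.0.2.0/24", "origin": "AS64496", "mnt-by": ["EXAMPLE-NET-MNT"]}
T0 = datetime(2024, 1, 1)

if __name__ == "__main__":
    one = {"EXAMPLE-NET-MNT": T0}
    print(evaluate(ROUTE, INETNUM, AUTNUM, one, T0 + timedelta(days=1)))
    both = {**one, "EXAMPLE-AS-MNT": T0 + timedelta(days=3)}
    print(evaluate(ROUTE, INETNUM, AUTNUM, both, T0 + timedelta(days=3)))
```

Because the inetnum here carries `mnt-lower`, its `mnt-by` maintainer alone does not satisfy phase 1 under this reading; that precedence is what keeps a less specific maintainer from authorising routes for a delegated block.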
