Welcome apnic members training course
This presentation is the property of its rightful owner.
Sponsored Links
1 / 241

Welcome! APNIC Members Training Course PowerPoint PPT Presentation


  • 83 Views
  • Uploaded on
  • Presentation posted in: General

Welcome! APNIC Members Training Course. Internet Resource Management Essentials 09 June 2004, Nha Trang, Vietnam Sponsored by VNPT. Introduction. Presenters Son Tran Resource Services Manager [email protected] Champika Wijayatunga Senior Training Specialist [email protected]

Download Presentation

Welcome! APNIC Members Training Course

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Welcome apnic members training course

Welcome!APNIC Members Training Course

Internet Resource Management Essentials

09 June 2004, Nha Trang, Vietnam

Sponsored by VNPT


Introduction

Introduction

  • Presenters

    • Son Tran

      Resource Services Manager [email protected]

    • Champika Wijayatunga

      Senior Training Specialist [email protected]

      <[email protected]>


Assumptions objectives

Assumptions

Are current APNIC/NIR or prospective member

Not familiar with registry function

Are not familiar / up-to-date with policies

Objectives

Teach how to request resources from registry

Keep the community up-to-date with latest policies

Liaise with the community

 Faces behind the e-mails

Assumptions & Objectives


Schedule

APNIC’s role in the Asia Pacific

Internet Registry Policies

TEA BREAK (10:30 – 11:00)

Addressing Plan

Requesting an IP allocation

APNIC database

LUNCH (12:30 – 13:30)

SPAM & Network Abuse

Reverse DNS

ASN

TEA BREAK (15:30 – 16:00)

IRR

IPv6

Summary

Schedule


Apnic s role in the asia pacific

APNIC’s role in the Asia Pacific

Asia Pacific Network Information Centre


Overview

Intro

Overview

  • What is APNIC?

    • Regional Internet Registry

    • APNIC structure

  • What Does APNIC do ?

    • APNIC Membership services

  • Why APNIC ?

    • APNIC resources

    • APNIC environment

    • APNIC responsibilities


  • What is apnic

    Intro

    What is APNIC?

    • RIR for the Asia Pacific

      • Regional Internet Registry

    • Regional authority for Internet Resource distribution

    • IPv4 & IPv6 addresses, ASNs, reverse dns delegation

  • Industry self-regulatory body

    • Non-profit, neutral and independent

  • Open membership-based structure


  • Apnic is not

    Intro

    APNIC is not…

    • Not a network operator

      • Does not provide networking services

        • Works closely with APRICOT forum

    • Not a standards body

      • Does not develop technical standards

        • Works within IETF in relevant areas (IPv6 etc)

    • Not a domain name registry or registrar

      • Will refer queries to relevant parties


    Apnic structure

    Intro

    APNIC structure

    • Industry self-regulatory structure

      • Participation by those who use Internet resources

      • Consensus-based decision making

        • Eg. Policy changes, db requirements etc

      • Open and transparent

    • Meetings and mailing lists

      • Open to anyone


    Apnic region

    Intro

    APNIC region


    Apnic membership

    Intro

    APNIC Membership

    Last Update – May 2004

    Total Members 913


    Apnic services activities

    Resources Services

    IPv4, IPv6, ASN, reverse DNS

    Policy development

    Approved and implemented by membership

    APNIC whois db

    whois.apnic.net

    Registration of resources

    Information dissemination

    APNIC meetings

    Web and ftp site

    Mailing lists

    Open for anyone!

    Training Courses

    DNS Workshops, IRR Tutorial

    Subsidised for members

    Co-ordination & liaison

    With membership, other RIRs & other Internet Orgs.

    Intro

    APNIC Services & Activities


    Welcome apnic members training course

    Questions ?


    Policy development in the asia pacific

    Policy Development in the Asia Pacific

    The APNIC Community

    &

    the Policy Development Process


    What is the apnic community

    What is the APNIC community?

    • Open forum in the Asia Pacific

      • Open to any interested parties

    • Voluntary participation

    • Decisions made by consensus

    • Public meetings

    • Mailing lists

      • web archived

    • A voice in regional Internet operations through participation in APNIC activities


    Participation in policy development

    Participation in policy development

    • Why should I bother?

      • Responsibility as an APNIC member

        • To be aware of the current policies for managing address space allocated to you

      • Business reasons

        • Policies affect your business operating environment and are constantly changing

        • Ensure your ‘needs’ are met

      • Educational

        • Learn and share experiences

        • Stay abreast with ‘best practices’ in the Internet


    Policy development cycle

    Policy development cycle

    OPEN

    Need

    Anyone can participate

    Evaluate

    Discuss

    ‘BOTTOM UP’

    TRANSPARENT

    Consensus

    Implement

    Internet community proposes and approves policy

    All decisions & policies documented & freely available to anyone


    How to make your voice heard

    How to make your voice heard

    • Contribute on the public mailing lists

      • http://www.apnic.net/community/lists/index.html

  • Attend meetings

    • Or send a representative

    • Gather input at forums

  • Give feedback

    • Training or seminar events


  • Come to the apnic meeting

    Come to the APNIC meeting!

    • APNIC 18

    • Nadi, Fiji, 31 Aug- 3 Sep 2004

    • Participate in policy development

    • Attend workshops, tutorials & presentations

    • Exchange knowledge and information with peers

    • Stay abreast with developments in the Internet

    • View multicast online

    • Provide your input in matters important to you

    • Fellowships Available

    • http://www.apnic.net/meetings/18


    Welcome apnic members training course

    Questions ?

    • Policy making process description

      • http://www.apnic.net/docs/policy/dev/index.html

    Material available at: www.apnic.net/training/recent/


    Internet registry allocation and assignment

    Internet Registry Allocation and Assignment

    Policies


    Overview of apnic policies

    Policies

    Overview of APNIC policies

    • Definitions

    • Objectives

    • Environment

    • Allocation & Assignment Policies

    • Summary


    Allocation and assignment

    Policies

    Allocation and Assignment

    Allocation

    “A block of address space held by an IR (or downstream ISP) for subsequent allocation or assignment”

    • Not yet used to address any networks

      Assignment

      “A block of address space used to address an operational network”

    • May be provided to LIR customers, or used for an LIR’s infrastructure (‘self-assignment’)


    Allocation and assignment1

    Policies

    /8

    APNIC Allocation

    /20

    /22

    Member Allocation

    Sub-Allocation

    /27

    /26

    /26

    /25

    /24

    Allocation and Assignment

    APNICAllocatesto APNIC Member

    APNIC Member

    Assignsto end-user

    Allocatesto downstream

    DownstreamAssignsto end-user

    Customer / End User

    Customer Assignments


    Portable non portable

    Policies

    Portable & non-portable

    Portable Assignments

    • Customer addresses independent from ISP

      • Keeps addresses when changing ISP

    • Bad for size of routing tables

    • Bad for QoS: routes may be filtered, flap-dampened

      Non-portable Assignments

    • Customer uses ISP’s address space

      • Must renumber if changing ISP

    • Only way to effectively scale the Internet


    Address management objectives

    Address management objectives

    • Aggregation

    • Limit routing table growth

    • Support provider-based routing

    • Conservation

    • Efficient use of resources

    • Based on demonstrated need

    • Registration

    • Ensure uniqueness

    • Facilitate trouble shooting


    Why do we need policies global ipv4 delegations

    Policies

    Why do we need policies ?- Global IPv4 Delegations

    (Pre-RIR)


    Growth of global routing table

    Policies

    But they cannot be

    relied on forever

    Projected routing table growth without CIDR

    CIDR made it work for a while

    ISPs

    tend to

    filter

    longer

    prefixes

    DeploymentPeriod of CIDR

    Growth of global routing table

    http://bgp.potaroo.net/as1221/bgp-active.html

    • last updated 09 Mar 2004


    Routing table prefix distribution

    Policies

    Routing table prefix distribution

    Last updated Feb 2004


    Apnic policy environment

    Policies

    APNIC policy environment

    “IP addresses not freehold property”

    • Assignments & allocations on license basis

      • Addresses cannot be bought or sold

      • Internet resources are public resources

      • ‘Ownership’ is contrary to management goals

        “Confidentiality & security”

    • APNIC to observe and protect trust relationship

      • Non-disclosure agreement signed by staff


    Apnic allocation policies

    Policies

    APNIC allocation policies

    • Aggregation of allocation

      • Provider responsible for aggregation

      • Customer assignments /sub-allocations must be non-portable

    • Allocations based on demonstrated need

      • Detailed documentation required

        • All address space held to be declared

      • Address space to be obtained from one source

        • routing considerations may apply

      • Stockpiling not permitted


    Initial ipv4 allocation

    Policies

    /8

    APNIC

    Non-portable

    assignment

    Portable

    assignment

    Policy will change

    Based on the APNIC 17

    consensus

    Initial IPv4 allocation

    • Initial (portable) allocation: /20 (4096 addresses).

      • The allocation can be used for further assignments to customers or your own infrastructure.

    Criteria

    1a.Have used a /22 from upstream provider

    • Demonstrated efficient address usage

      OR

      1b.Show immediate need for /22

      • Can include customer projections &

        infrastructure equipment

        2.Detailed plan for use of /21 within 1 year

        3.Renumber to new space within 1 year

    /20

    Member allocation


    Initial ipv4 allocation criteria

    IPReq

    Initial IPv4 allocation criteria

    • Min allocation size may be lowered from /20 to /21

    • LIR have used a /23 from their upstream provider or demonstrate an immediate need for a

      /23; and

      2.Detailed plan for use of a /22 within a year

      3.Renumber to new space within 1 year

      • Meet all policy requirements

        • Applicants may be required to show purchase receipts

    APNIC 17

    Consensus


    Portable assignments

    Policies

    /8

    APNIC

    /20

    Member allocation

    Non-portable

    assignment

    Portable assignments

    • Small multihoming assignment policy

      • For (small) organisations who require a portable assignment for multi-homing purposes

    Criteria

    1a. Applicants currently multihomed

    OR

    1b. Demonstrate a plan to multihome within 1 month

    2. Agree to renumber out of previously assigned space

    • Demonstrate need to use 25% of requested space immediately and 50% within 1 year

    Portable

    assignment


    Portable assignments for ixps

    Portable assignments for IXPs

    Criteria

    • 3 or more peers

    • Demonstrate “open peering policy”

  • APNIC has a reserved block of space from which to make IXP assignments


  • Portable critical infrastructure assignments

    Portable critical infrastructure assignments

    • What is Critical Internet Infrastructure?

      • Domain registry infrastructure

        • Root DNS operators, gTLD & ccTLD operators

      • Address Registry Infrastructure

        • RIRs & NIRs, IANA

    • Why a specific policy ?

      • Protect stability of core Internet function

  • Assignment sizes:

    • IPv4: /24

    • IPv6: /32


  • Renumbering return policy

    Renumbering & return policy

    • Renumbering?

      • one-for-one exchange to assist renumbering

      • needs confirmation from upstream ISP to confirm renumbering will take place

  • ‘No Questions Asked’ return prefix policy

    • swap 3 or more discontiguous prefixes (ISP or customers) for single prefix, no charge

      • ftp://ftp.apnic.net/apnic/docs/no-questions-policy

  • Form for returning addresses

    • ftp://ftp.apnic.net/apnic/docs/address-return-request


  • Welcome apnic members training course

    Questions ?

    Material available at: www.apnic.net/training/recent/


    Internet registry procedures

    Internet Registry Procedures

    Addressing Plan


    Addressing plan

    AddressingPlan

    Addressing plan

    • To complete documentation

      • First need a technical PLAN

        • Documenting the architecture of the present and eventual goal

      • IP addressing is fundamental part of network design

      • IP addressing ‘planning’ example to follow..


    Some icons

    AddressingPlan

    Some icons

    Router

    (layer 3, IP datagram forwarding)

    Network Access Server

    (layer 3, IP datagram forwarding )

    Ethernet switch

    (layer 2, packet forwarding)


    Addressing plan1

    AddressingPlan

    Addressing plan

    • Identify components of network

      • Customer services

      • ISP internal infrastructure

    • Identify phases of deployment

      • Starting off, 6 months, 12 months

    • Identify equipment and topology changes

      • Need for redundancy

      • Need for increased scale


    Network plan

    AddressingPlan

    Interconnected resilience

    UpstreamISP

    10 hosts Internal DNS,Web Mail servers

    Dialup services 16 modems

    ISP Infrastructure

    15 hosts NOC operations

    Network plan

    • Starting off

    Leased line services 5-8 customers

    Customer services

    5 hosts

    Virtual web (name based)


    Network plan1

    AddressingPlan

    one loopback interface per assigned router /32

    ‘ip unnumbered’

    to upstream ISP

    5-8 leased line customers

    UpstreamISP

    ‘ip unnumbered’

    to customers

    10 hosts

    5 hosts

    WAN point to point /30

    16 dialup modems

    15 hosts

    Network plan


    Addressing plan2

    AddressingPlan

    • - numbers of host addresses (interfaces)

    network-plan:

    network-plan:

    network-plan:

    16

    5

    128

    • analogue dialup modems, vendor ‘x’

    • LAN -web hosting (Name-based hosting)

    • 5-8 leased line customers (/28)

    15

    10

    4

    2

    network-plan:

    network-plan:

    network-plan:

    network-plan:

    • LAN -NOC and Ops management

    • LAN -mail,DNS, web servers internal

    • loopback router interfaces

    • router WAN ports (x 5 lines)

    Addressing plan

    Initial addressing plan


    Network plan2

    AddressingPlan

    increased number of leased line customers

    replaced original

    modem

    added new router and LAN for redundancy

    Network plan

    • 6 months later

      • scale increased

      • redundancy

    5-8 →30 leased linecustomers

    UpstreamISP

    increased number of

    hosts on all LANs

    10 → 16 hosts- Servers

    5 →11 hosts name-based

    added new dial up

    equipment

    16 →60 dialupmodems (2PRI)

    60 dialupmodems (2PRI)

    15 →25 hosts- NOC

    8 hosts- 2ndary Servers


    Addressing plan3

    AddressingPlan

    • - increases in hosts (interfaces)

    Changed description

    network-plan:

    network-plan:

    network-plan:

    16/

    5/

    128/

    15/

    10/

    4/

    2/

    • 2 PRI dialup modems, vendor ‘y’

    • LAN -web hosting (Name-based hosting)

    • 30 leased line customers (pool)

    60

    11

    512

    25

    16

    6

    2

    network-plan:

    network-plan:

    network-plan:

    network-plan:

    • LAN -NOC and Ops management

    • LAN -mail,DNS, web servers internal

    • loopback router interfaces

    • router WAN ports (x 8 lines)

    • 2 PRI dialup modems

    • LAN-secondary servers

    60

    8

    0/

    0/

    network-plan:

    network-plan:

    New hardware

    Addressing plan

    Network plan at 6 months


    Network plan3

    AddressingPlan

    redundancy of WAN connections now numbered links for BGP4

    Network plan

    • 12 months total

      • site redundancy

      • greater complexity

      • efficiency

    added new customer router

    UpstreamISP A

    30 →60 leased linecustomersip unnumbered

    UpstreamISP B

    16 →35 host

    11 hosts

    60 →240 dialupmodems (8PRI)

    60 →240 dialupmodems (8PRI)

    40 hosts

    two pieces of

    essential equipment

    8 hosts


    Addressing plan4

    AddressingPlan

    • -increases in hosts (interfaces)

    • -one year total

    network-plan:

    network-plan:

    network-plan:

    network-plan:

    16/60/

    0/60/

    5/11/

    128/512/

    15/25/

    10/16/

    0/8/

    2/2/

    4/6

    240

    240

    11

    1020

    40

    35

    8

    2

    12

    • 8 PRI dialup modems, vendor x

    • 8 PRI dialup modems, vendor y

    • LAN -web hosting (Name-based hosting) 60 leased line customers (pool)

    network-plan:

    network-plan:

    network-plan:

    network-plan:

    network-plan:

    • LAN -NOC and Ops management

    • LAN -mail,DNS, web servers internal

    • LAN-secondary servers

    • router WAN ports (x 8 lines)

    • loopback router interfaces

    Addressing plan

    Network plan at 12 months


    Addressing plan5

    AddressingPlan

    Can now determine subnet sizes

    network-plan:

    network-plan:

    network-plan:

    network-plan:

    256

    256

    16

    1024

    64

    64

    8

    16

    16

    16/60/240

    0/60/240

    5/11/11

    128/512/1020

    15/25/40

    10/16/35

    0/8/8

    2/2/2

    4/6/12

    • 8 PRI dialup modems, vendor x

    • 8 PRI dialup modems, vendor y

    • LAN -web hosting (Name-based hosting)

    • 60 leased line customers (pool)

    network-plan:

    network-plan:

    network-plan:

    network-plan:

    network-plan:

    • LAN -NOC and Ops management

    • LAN -mail,DNS, web servers internal

    • LAN-secondary servers

    • router WAN ports (x 8 lines)

    • loopback router interfaces

    Addressing plan


    Addressing plan6

    AddressingPlan

    Addressing plan

    • Addressing plan for network-plan

      • re-ordered large to small according to relative subnet size

      • determination of relative subnet addresses

        network-plan: 0.0.0.01024128/512/1020 60 leased line customers (pool)

        network-plan:0.0.4.025616/60/240 8 PRI dial up modems, vendor x

        network-plan:0.0.5.02560/60/240 8 PRI dial up modems, vendor y

        network-plan:0.0.6.06410/16/35 LAN -mail,DNS, web internal

        network-plan:0.0.6.646415/25/40 LAN -NOC and Ops management

        network-plan:0.0.6.128165/11/11 LAN -web hosting (Name-based hosting)

        network-plan:0.0.6.144160/8/8 LAN -secondary servers

        network-plan:0.0.6.160164/6/12 loopback router interfaces

        network-plan:0.0.6.176162/2/2 router WAN ports (x8)

      • cumulative total 0.0.6.208


    Addressing plan7

    AddressingPlan

    Addressing plan

    • Addressing plan for network-plan

      • connect to the Internet (full-time, part-time)?

        network-plan: 0.0.0.0255.255.252.0 YES 1024 128/512/1020 60 leased customers

        network-plan:0.0.4.0255.255.255.0 PART 256 16/60/240 8 PRI dial up modems..

        network-plan:0.0.5.0255.255.255.0PART 256 0/60/240 8 PRI dial up modems..

        network-plan:0.0.6.0255.255.255.192YES 6410/16/35 LAN -mail,DNS, web internal

        network-plan:0.0.6.64255.255.255.192YES 6415/25/40 LAN -NOC & Ops mgmt

        network-plan:0.0.6.128255.255.255.240YES 165/11/11 LAN -web hosting (Name-based)

        network-plan:0.0.6.144255.255.255.240 YES 16 0/8/8 LAN -secondary servers

        network-plan:0.0.6.160255.255.255.240YES 16 4/6/12 loopback router interfaces

        network-plan:0.0.6.176255.255.255.252YES 162/2/2 router WAN ports (x 8 )


    Addressing plan8

    AddressingPlan

    Addressing plan

    • Addressing plan complete

      • total planned for customer assignments /22

      • total planned for ISP infrastructure /24 + /23

        network-plan: 0.0.0.0255.255.252.0 YES 1024 128/512/1020 60 leased line customers

        network-plan:0.0.4.0255.255.255.0 PART 256 16/60/2408 PRI dial up modems..

        network-plan:0.0.5.0255.255.255.0PART 256 0/60/2408 PRI dial up modems..

        network-plan:0.0.6.0255.255.255.192YES6410/16/35LAN -mail,DNS, web internal

        network-plan:0.0.6.64255.255.255.192YES6415/25/40 LAN -NOC & Ops mgmnt

        network-plan:0.0.6.128255.255.255.240YES165/11/11 LAN -web hosting (Name-based)

        network-plan:0.0.6.144255.255.255.240 YES 16 0/8/8LAN -secondary servers

        network-plan:0.0.6.160255.255.255.240YES 16 4/6/12loopback router interfaces

        network-plan:0.0.6.176255.255.255.252YES 162/2/2router WAN ports (x 8 lines )

  • detailed,efficient and accurate


  • Welcome apnic members training course

    Questions ?


    Internet registry polices procedures

    Internet Registry Polices & Procedures

    IP Request


    Ip growth in asia pacific

    IP Growth in Asia Pacific

    Last Update May 2004


    First allocation

    IPReq

    First allocation

    • Must meet criteria

      • (discussed in policy section)

  • Requires cleardetailed and accurate request

  • Implementation of ‘Best Current Practice’

  • Efficient assignments planned

  • Always a /20 ‘slow start’

    • Exceptions made for very large networks but not common

  • APNIC 17

    Consensus

    /21


    Subsequent allocations

    IPReq

    Subsequent allocations

    • 80% overall utilisation

      • Unless large assignment pending

  • Demonstrated conservative assignments

  • Correct customer registrations in db

    • Need to fix inconsistencies before next allocation

  • Allocation size to cover 1 year need

    • Based on previous utilisation rate

  • Contiguous allocation not guaranteed

    • But every effort made


  • Evaluation guidelines cable dsl

    IPReq

    Evaluation guidelines – Cable/DSL

    • Bootstrap criteria

      • Simplified, optional criteria

      • Assumption of /24 per CMTS

    • Subsequent allocation

      • CMTS devices per headend

      • 3 month subscriber projection

      • Average growth per month

        • option: MRTG to support growth rate evaluation

      • equipment purchase receipts


    Evaluation guidelines virtual web hosting

    IPReq

    Evaluation guidelines – Virtual web hosting

    • Name based hosting

      • ‘Strongly recommended’

        • Use ‘infrastructure’ field to describe web servers

    • IP based hosting

      • Permitted on technical grounds

        • SSL, virtual ftp..

        • Use ‘infrastructure’ field to describe web servers

    • Special verification for IP based

      • If more than /22 used for this purpose

      • Requestor must send list of URLs of virtual domain and corresponding IP address


    Sub allocations

    IPReq

    Sub-allocations

    • No max or min size

      • Max 1 year requirement

    • Assignment Window & 2nd Opinion applies

      • to both sub-allocation & assignments

        • Sub-allocation holders don’t need to send in 2nd opinions

    /20

    Member Allocation

    /22

    Sub-allocation

    /27

    /24

    /26

    /26

    /25

    Customer Assignments

    Customer Assignments


    Sub allocation guidelines

    IPReq

    Sub-allocation guidelines

    • Sub-allocate cautiously

      • Seek APNIC advice if in doubt

      • If customer requirements meet min allocation criteria:

        • Customers should approach APNIC for portable allocation

    • Efficient assignments

      • LIRs responsible for overall utilisation

        • Sub-allocation holders need to make efficient assignments

    • Database registration

      • Sub-allocations & assignments to be registered in the db


    Welcome apnic members training course

    Questions ?


    The apnic database

    The APNIC Database

    Usage


    What is the apnic database

    What is the APNIC database?

    • Public network management database

      • Operated by IRs

  • Tracks network resources

    • IP addresses, ASNs, Reverse Domains, Routing policies

  • Records administrative information

    • Contact information (persons/roles)

    • Authorisation


  • Object types

    Object types

    OBJECTPURPOSE

    personcontact persons

    rolecontact groups/roles

    inetnumIPv4 addresses

    inet6numIPv6 addresses

    aut-numAutonomous System number

    domainreverse domains

    routeprefixes being announced

    mntner(maintainer) data protection

    http://www.apnic.net/db/


    Object templates

    whois -t <object type>

    Object templates

    To obtain template structure*, use :

    % whois -h whois.apnic.net -t person

    person: [mandatory] [single] [primary/look-up key]

    address: [mandatory] [multiple] [ ]

    country: [optional] [single] [ ]

    phone: [mandatory] [multiple] [ ]

    fax-no: [optional] [multiple] [ ]

    e-mail: [mandatory] [multiple] [look-up key]

    nic-hdl: [mandatory] [single] [primary/look-up key]

    remarks: [optional] [multiple] [ ]

    notify: [optional] [multiple] [inverse key]

    mnt-by: [mandatory] [multiple] [inverse key]

    changed: [mandatory] [multiple] [ ]

    source: [mandatory] [single] [ ]

    *Recognised by the RIPE whois client/server


    Person object example

    Person object example

    • Person objects contain contact information

    Values

    Attributes

    • person:

    • address:

    • address:address:

    • country:

    • phone:

    • fax-no:

    • e-mail:

    • nic-hdl:

    • mnt-by:

    • changed:

    • source:

    Ajith SinghExampleNet Service Provider2 Main St, Mount courtWallis and Futuna [email protected][email protected] 20020731APNIC


    What is a nic hdl

    What is a nic-hdl?

    • Unique identifier for a person

    • Represents a person object

      • Referenced in objects for contact details

        • (inetnum, aut-num, domain…)

      • format: <XXXX-AP>

        • Eg: AS17-AP

    person: Ajith Singh

    address: ExampleNet Service Provider

    address: 2 Main St, Mount court

    address: Wallis and Futuna Islands

    country: WF

    phone: +680-368-0844

    fax-no: +680-367-1797

    e-mail: [email protected]

    nic-hdl: AS17-AP

    mnt-by: MAINT-WF-EX

    changed: [email protected] 20020731

    source: APNIC


    Inetnum object example

    Inetnum object example

    • Contain IP address allocations / assignments

    Attributes

    Values

    202.51.64.0 - 202.51.95.255CCNEP-NP-APCommunication & Communicate Nepal LtdVSAT Service Provider, KathmanduNPAS75-APAS75-AP

    ALLOCATED [email protected] 20010205APNIC

    inetnum:netname:

    descr:

    descr:

    country:

    admin-c:

    tech-c:

    status:

    mnt-by:

    mnt-lower:

    changed:

    source:


    Inter related objects

    inetnum:202.64.10.0 – 202.64.10.255…

    admin-c:KX17-AP

    tech-c:ZU3-AP…

    mnt-by:MAINT-WF-EX

    Contact info

    person:…

    nic-hdl: ZU3-AP

    person:…

    nic-hdl: KX17-AP

    mntner:MAINT-WF-EX

    ……

    IPv4 addresses

    Contact info

    Data protection

    Inter-related objects


    Database query clients

    Database query - clients

    • Standard whois client

      • Included with many Unix distributions

    • RIPE extended whois client

      • http://ftp.apnic.net/apnic/dbase/tools/ripe-dbase-client.tar.gz

  • Query via the APNIC website

    • http://www.apnic.net/apnic-bin/whois2.pl

  • Query clients - MS-Windows etc

    • Many available


  • Database query unix inetnum

    inetnum: 203.127.128.0 - 203.127.159.255netname: SINGNET-SG descr: Singapore Telecommunications Ltd

    descr: 31, Exeter Road, #02-00, Podium Blockdescr: Comcentre, 0923 country: SGadmin-c: CWL3-APtech-c: CWL3-APmnt-by: APNIC-HM changed: [email protected] 19990803source: APNIC

    Database query (unix)- inetnum

    % whois 203.127.128.0 - 203.127.159.255

    % whois 203.127.128.0/19

    % whois SINGNET-SG

    • Note

      • Incomplete addresses padded with “.0”

      • Address without prefix interpreted as “/32”


    Database query web role

    Database query (web) - role

    http://www.apnic.net/apnic-bin/whois2.pl

    Query the APNIC Whois Database

    1.Type in search key

    3. ‘Search Whois’

    2.Search options

    (flags)


    Advanced database queries

    Advanced database queries

    • Flags used for inetnum queries

      None find exact match

      - l find one level less specific matches

      - L find all less specific matches

      - m find first level more specific matches

      - M find all More specific matches

      - x find exact match (if no match, nothing)

      - d enables use of flags for reverse domains

      - r turn off recursive lookups


    Database query inetnum

    inetnum:202.0.0.0 – 202.255.255.255

    202.0.0.0/8

    inetnum:

    inetnum:

    Database query - inetnum

    whois -L 202.64.0.0 /20(all less specific)

    inetnum:

    whois -l 202.64.0.0 /20(1 level less specific)

    202.64.0.0/16

    whois 202.64.0.0 /20

    202.64.0.0/20

    whois –m 202.64.0.0 /20(1 level more specific)

    202.64.10.0/24

    whois –M 202.64.0.0 /20(all more specific)

    inetnum:

    202.64.10.192/26


    Recursive lookups

    person

    Recursive lookups

    • whois 202.12.29.0

      • whois -r 202.12.29.0

      • whois -T inetnum 202.12.29.0

      • whois -r -T inetnum 202.12.29.0

    recursion enabled by default

    person

    route

    inetnum

    ,

    &

    recursion turned off

    route

    inetnum

    &

    ‘type’ of object specified

    person

    inetnum

    &

    ‘type’ of object specified & recursion turned off

    inetnum


    Database query recursion

    inetnum: 203.113.0.0 - 203.113.31.255

    netname: TOTNET-AP

    descr: Telephone Organization of THAILAND(TOT)

    descr: Telephone and IP Network Service Provider

    descr: State Enterprise Thailand Government

    country: TH

    admin-c: NM18-AP

    tech-c: RC80-AP

    …….

    person: Nopparat Maythaveekulchai

    address: YTEL-1234 Office address: Telephone Organizationof THAILAND(TOT)

    …….

    person: Rungsun Channarukul

    address: YTEL-1234 OfficeP

    address: Telephone Organization of THAILAND(TOT)

    Database query - recursion

    Recursion is enabled by default

    %whois 203.113.0.0/19


    Database query no recursion

    inetnum: 203.113.0.0 - 203.113.31.255netname: TOTNET-APdescr: Telephone Organization of THAILAND(TOT)descr: Telephone and IP Network Service Providerdescr: State Enterprise Thailand Governmentcountry: THadmin-c: NM18-APtech-c: RC80-APmnt-by: APNIC-HMmnt-lower: MAINT-TH-SS163-APchanged: [email protected] 19990922source: APNIC

    Database query – no recursion

    Turn off recursion ‘-r’ no nic-handle lookup

    %whois -r 203.113.0.0/19


    Inverse queries

    Inverse queries

    • Inverse queries are performed on inverse keys

      • See object template (whois –t)

  • Returns all objects that reference the object with the key specified as a query argument

    • Practical when searching for objects in which a particular value is referenced, such as your nic-hdl

  • Syntax: whois -i <attribute> <value>


  • Database query inverse

    Database query - inverse

    Inverse lookup with ‘-i ‘

    % whois -i person DK26-AP

    inetnum: 202.101.128.0 - 202.101.159.255

    netname: CHINANET-FJ

    descr: chinanet fujian province network

    country: CN

    admin-c: DK26-AP……domain: 128.103.202.in-addr.arpa

    descr: in-addr.arpa zone for 128.103.202.in-addr.arpa

    admin-c: DK26-AP

    …….

    aut-num: AS4811

    as-name: CHINANET-CORE-WAN-EAST

    descr: CHINANET core WAN EAST

    descr: connect to AT&T,OPTUS

    country: CN

    admin-c: DK26-AP

    ……

    person: Dongmei Kou

    address: A12,Xin-Jie-Kou-Wai Street,

    address: Beijing,100088

    country: CN

    phone: +86-10-62370437

    nic-hdl: DK26-AP


    Welcome apnic members training course

    Questions ?


    Spam network abuse

    Spam & Network Abuse

    ‘Best Current Practices’


    Overview1

    Overview

    • ‘Best Current Practice’

    • Principles

    • Customer Education

    • Network Abuse

    • Summary


    Best current practice

    ‘Best Current Practice’

    • ‘Best Current Practice’ (BCP)

      • Voluntary code of conduct for ISPs

      • Consensus on code

      • Many ISPs wish to be seen publicly combating UCE

      • Need to work with all customers, especially ISP customers so their customers adopt the BCP


    Principles

    Principles

    • No email relaying

      • Historically SMTP systems ‘relayed’ email from anyone to destination

    • Requirement

      • Provide SMTP delivery for customers only

        • As determined by domain and/or IP address

      • ISPs should configure email systems to prevent relaying

      • Check customers do not run open relays


    Principles1

    Principles

    • Must be able to trace email passing through a system

      • Add a ‘received’ header

      • Machine name can be forged

        • ‘received’ line should contain name and IP address

    • Identification of the sender of the email

      • Dial up connections with dynamic addressing

    • Recommended

      • Time stamps based on NTP to identify sender

      • ISPs should keep logs for reasonable time


    Principles2

    Principles

    • AUP (Acceptable User Policy)

      • ISPs should publish

    • Handle abuse reports

      • ISPs should accept and process reports of abuse by their customers

        • Set up a specialist [email protected] mailbox

      • ISP should acknowledge receipt of abuse

        • Ticketing system to allow tracking of reports

      • Identity of reporter should be kept confidential

      • ISP may immediately terminate customers account

        • May also apply ‘warning’ then eventual termination

        • According to ISPs AUP


    Principles3

    Principles

    • Disseminate information to community

      • On action taken against customers

      • Publish overview statistical information

      • Ensure terminated accounts are not re-opened

    • Dealing with UCE

      • Enhances an ISP’s standing in global community

      • Avoid mass filtering of ISP emails

      • Avoid unwanted attention from legal authorities


    Education

    Education

    • Difficult, but important

      • Marketing departments don’t like it

      • Incorporate into ISP AUP (terms & contracts)

    • ISP should provide documentation

      • Explaining nature of UBE

      • Why sending it is considered unacceptable

      • State what is required for a ‘spam abuse’ report

      • Where such reports can be sent

    • Prevention is better than cure


    Customer education important facts

    Customer education – important facts

    • Be careful about giving the email addresses to unknown sources (e.g. when filling in forms online etc.)

    • Do not write back to the spammer

      • Confirm the validity of the e-mail id

      • Has a link for removal from their list

        • normally doesn’t work

    • Report the complaints to the spammer's ISP

      • Search spammers IP in the Whois database

      • Include the full header with the complain


    Detecting network abuse

    Detecting network abuse

    • Software to detect Network Abuse

      • Mostly designed to search the ARIN Whois database

      • May refer to APNIC

    • Many websites with whois lookup functions

      • has the same limitations

    • However the IP addresses are registered by four RIRs on a regional basis


    Detecting network abuse1

    Detecting network abuse

    • If a standard search refers you to APNIC

      • It means only that the network in question is registered in the Asia Pacific region

      • Does not mean that APNIC is responsible or that the hacker/spammer is using APNIC network


    Investigation of network abuse complaints

    Investigation of network abuse complaints

    • APNIC is not able to investigate these complaints

    • Can use the APNIC Whois Database to find out where to take your complaint

    • APNIC does not regulate the conduct of Internet activity (legally or practically)


    Investigation of network abuse complaints1

    Investigation of network abuse complaints

    • Laws relating to network abuse vary from country to country

    • Investigation possibilities

      • Cooperation of the network administrators

      • law enforcement agencies

        • Local jurisdiction

        • jurisdiction where the problem originates


    How can apnic help you

    How can APNIC help you ?

    • The APNIC Whois Database

      • Holds IP address records within the AP region

      • Can use this database to track down the source of the network abuse

      • Can find contact details of the relevant network administrators

        • not the individual users

        • use administrators log files to contact the individual involved


    How can apnic help you1

    How can APNIC help you ?

    • Education of network operators in the Asia Pacific community

      • Address policies and the importance of registration of resources

    • Community discussions can be raised in the APNIC open policy meetings / mailing lists etc.


    Questions

    Questions?

    • Useful FAQ

      • http://www.apnic.net/info/faq/abuse/


    Reverse dns

    Reverse DNS


    Overview2

    Overview

    • Principles – recap

    • Creating reverse zones

    • Setting up nameservers

    • Reverse delegation procedures

    • IPv6 reverse delegations

    • Current status


    Principles4

    Principles

    • Mapping from names to addresses is common

      • Forward DNS

    • Sometimes its necessary to know which name comes with a given address

      • Security, Spam detection, Diagnostics etc.

      • Reverse DNS

    test.example.com A 193.0.0.4


    Principles dns tree

    arpa

    in-addr

    202 203 210 211..

    202

    64

    64

    22

    22

    Principles – DNS tree

    - Mapping numbers to names - ‘reverse DNS’

    Root DNS

    net

    edu

    com

    au

    apnic

    whois

    RIR

    whois

    ISP

    .arpa

    .in-addr

    .202

    .64

    22

    Customer


    Start of authority soa record

    Start of Authority (SOA) record

    <domain.name.> IN SOA <hostname.domain.name.> <mailbox.domain.name> ( <serial-number> <refresh> <retry> <expire> <negative-caching> )


    Start of authority soa record1

    Start of Authority (SOA) record

    • <domain.name>

      • Name of the domain where SOA belongs

      • Can use [email protected] as well

      • e.g: 253.253.192.in-addr.arpa.

    • IN

      • The class of the DNS record

    • SOA

      • The type of DNS record

      • Indicates authority for this zone


    Start of authority soa record2

    Start of Authority (SOA) record

    • <hostname.domain.name.>

      • 'master' field

      • hostname of the primary zone server

    • <mailbox.domain.name.>

      • e-mail address of the person responsible for maintaining the zone

      • '@' symbol is replaced by a '.', and any '.' before the "@" was replaced by '\'

        • Ex: [email protected] written as dns-admin.apnic.net

        • [email protected] written as dns\.admin.apnic.net


    Start of authority soa record3

    Start of Authority (SOA) record

    • <serial-number>

      • To compare between the primary and secondary servers

    • <refresh>

      • How often a secondary should check the primary

    • <retry>

      • If a refresh attempt fails, a secondary server will retry based on the time specified in the retry field


    Start of authority soa record4

    Start of Authority (SOA) record

    • <expire>

      • If the refresh and retry attempts fail, the secondary server will stop serving the zone after this period

    • <negative caching>

      • How long a remote name server can cache negative responses about a zone

        • Domain name or type of data doesn’t exists


    Example soa record

    Example SOA record

    253.253.192.in-addr.arpa. IN SOA ns.test-domain.net. admin.test-domain.net ( <2003033101> <10800> <3600> <604800> <10800> )


    Nameserver ns records

    Nameserver (NS) records

    • Declares the nameservers that serve a given zone

    • <domain.name>

      • Domain which the NS belongs

        • Ex: 253.253.192.in-addr.arpa or @ or <space>

    • IN is the class of the DNS record

    • NS is the type

      • Name Server in this case

    • <hostname.domain.name>

      • Hostname of the authoritative server

    <domain.name.> IN NS <hostname.domain.name.>


    Example ns record

    Example NS record

    IN NS ns.apnic.net. IN NS svc00.apnic.net. IN NS ns.telstra.net. IN NS rs.arin.net.


    Pointer ptr records

    Pointer (PTR) records

    • Create pointer (PTR) records for each IP address

      or

    131.28.12.202.in-addr.arpa. IN PTR svc00.apnic.net.

    131 IN PTR svc00.apnic.net.


    A reverse zone example

    Note trailing dots

    A reverse zone example

    $ORIGIN 1.168.192.in-addr.arpa.

    @3600 IN SOA test.company.org. (

    sys\.admin.company.org.

    2002021301; serial

    1h; refresh

    30M; retry

    1W; expiry

    3600 ); neg. answ. ttl

    NSns.company.org.

    NSns2.company.org.

    1PTRgw.company.org.

    router.company.org.

    2PTRns.company.org.

    ; BIND9 auto generate: 65 PTR host65.company.org

    $GENERATE 65-127 $ PTR host$.company.org.


    Name server software

    Name server software

    • ISC BIND (Berkeley Internet Name Domain)

      • Version 8

        • In use, available, obsolete

        • Don't start to use it

        • Migrate to Version 9

      • Version 9

        • Current version (9.2.3 as of Jan 2004)

          • Release

          • Release Candidate (Betas)

          • Snapshots (Alphas)

            • 9.3

      • Never Use Snapshots on production servers

    • Other name server software

      • Microsoft DNS server

      • DJBDNS


    Setting up the primary nameserver

    Setting up the primary nameserver

    • Add an entry specifying the primary server to the named.conffile

    • <domain-name>

      • Ex: 28.12.202.in-addr.arpa.

    • <type master>

      • Define the name server as the primary

    • <path-name>

      • location of the file that contains the zone records

    zone "<domain-name>" in {

    type master;

    file "<path-name>"; };


    Setting up the secondary nameserver

    Setting up the secondary nameserver

    • Add an entry specifying the primary server to the named.conf file

    • <type slave>

      • Define the name server as the secondary

    • <ip address>

      • IP address of the primary name server

    • <domain-name>, <master>, <path-name> are same as before

    zone "<domain-name>" in {

    type slave;

    file "<path-name>";

    Masters { <IP address> ; };};


    Reverse delegation requirements

    Reverse delegation requirements

    • /24 Delegations

      • Address blocks should be assigned/allocated

      • At least two name servers

  • /16 Delegations

    • Same as /24 delegations

    • APNIC delegates entire zone to member

    • Recommend APNIC secondary zone

  • < /24 Delegations

    • Read “classless in-addr.arpa delegation”

  • RFC

    2317


    Subdomains of in addr arpa domain

    Subdomains of in-addr.arpa domain

    • Subnetting on an Octet Boundary

      • Similar to delegating subdomains of forward-mapping domains

    • Mapping problems

      • In IPv4 the mapping is done on 8 bit boundaries (classful), address allocation is classless

      • Zone administration does not always overlap address administration


    Subdomains of in addr arpa domain1

    Subdomains of in-addr.arpa domain

    • Example: an organisation given a /16

      • 192.168.0.0/16 (one zone file and further delegations to downstreams)

      • 168.192.in-addr.arpa zone file should have:

        0.168.192.in-addr.arpa. NS ns1.organisation0.com.

        0.168.192.in-addr.arpa. NS ns2.organisation0.com.

        1.168.192.in-addr.arpa. NS ns1.organisation1.com.

        1.168.192.in-addr.arpa. NS ns2.organisation1.com.

        2.168.192.in-addr.arpa. NS ns1.organisation2.com.

        2.168.192.in-addr.arpa. NS ns2.organisation2.com.

        :

        :


    Subdomains of in addr arpa domain2

    Subdomains of in-addr.arpa domain

    • Example: an organisation given a /20

      • 192.168.0.0/20 (a lot of zone files!) – have to do it per /24)

      • Zone files

        0.168.192.in-addr.arpa.

        1.168.192.in-addr.arpa.

        2.168.192.in-addr.arpa.

        :

        :

        15.168.192.in-addr.arpa.


    Subdomains of in addr arpa domain3

    Subdomains of in-addr.arpa domain

    • Example: case of a /24 subnetted with the mask 255.255.255.192

      • In-addr zone – 254.253.192.in-addr.arpa

      • Subnets

        • 192.253.254.0/26

        • 192.253.254.64/26

        • 192.253.254.128/26

        • 192.253.254.192/26

      • If different organisations has to manage the reverse-mapping for each subnet

        • Solution to follow…


    Classless in addr for 192 253 254 24

    Classless in-addr for 192.253.254/24

    • CNAME records for each of the domain names in the zone

      • Pointing to domain names in the new subdomains

    $ORIGIN 254.253.192.in-addr.arpa.

    0-63 NS ns1.organisation1.com.

    0-63 NS ns2.organisation1.com.

    1 CNAME 1.0-63

    2CNAME 2.0-63

    64-127 NS ns1.organisation2.com.

    64-127 NS ns2.organisation2.com.

    65 CNAME 65.64-127

    66CNAME 66.64-127


    Classless in addr for 192 253 254 241

    Classless in-addr for 192.253.254/24

    • Using $GENERATE (db.192.253.254 file)

    $ORIGIN 254.253.192.in-addr.arpa.

    0-63 NS ns1.organisation1.com.

    0-63 NS ns2.organisation1.com.

    $GENERATE 1-63$ CNAME $.0-63

    64-127 NS ns1.organisation2.com.

    64-127NS ns2.organisation2.com.

    $GENERATE 65-127$ CNAME $.64-127


    Classless in addr for 192 253 254 0 26

    Classless in-addr for 192.253.254.0/26

    • Now, the zone data file for 0-63.254.253.192.in-addr.arpa can contain just PTR records for IP addresses 192.253.254.1 through 192.253.154.63

    $ORIGIN0-63.254.253.192.in-addr.arpa.

    $TTL 1d

    @ SOA ns1.organisation1.com. Root.ns1.organisation1.com. (

    1; Serial

    3h; Refresh

    1h; Retry

    1w; Expire

    1h ); Negative caching TTL

    NS ns1.organisation1.com.

    NSns2.organisation1.com.

    1PTR org1-name1.organisation1.com.

    2PTR org1-name2.organisation1.com.

    3PTR org1-name3.organisation1.com.


    Apnic member responsibilities

    Rev. DNS

    APNIC & Member responsibilities

    • APNIC

      • Manage reverse delegations of address block distributed by APNIC

      • Process members requests for reverse delegations of network allocations

    • Members

      • Be familiar with APNIC procedures

      • Ensure that addresses are reverse-mapped

      • Maintain nameservers for allocations

        • Minimise pollution of DNS


    Example domain object

    domain: 124.54.202.in-addr.arpa

    descr:co-located server at mumbai

    country: IN

    admin-c: VT43-AP

    tech-c: IA15-AP

    zone-c: IA15-AP

    nserver: dns.vsnl.net.in

    nserver: giasbm01.vsnl.net.in

    mnt-by: MAINT-IN-VSNL

    changed: [email protected] 20010612

    source: APNIC

    Rev. DNS

    Example ‘domain’ object


    Questions1

    Questions?

    • Are all your zones, and your customer zones registered?

    Material available at: www.apnic.net/training/recent/


    Autonomous system numbers

    Autonomous System Numbers

    Procedures


    Overview3

    ASN

    Overview

    • What is an AS?

    • Guidelines and procedures

    • Application form (documentation)

    • Policy expression


    What is an autonomous system

    ASN

    AS 100

    What is an Autonomous System?

    • Collection of networks with same routing policy

    • Usually under single ownership, trust and administrative control


    When do i need an asn

    ASN

    When do I need an ASN?

    • When do I need an AS?

      • Multi-homed network to different providers and

      • Routing policy different to external peers

    • Recommended reading!

      • RFC1930: Guidelines for creation, selection and registration of an Autonomous System

    RFC

    1930


    When don t i need an asn

    ASN

    When don’t I need an ASN?

    • Factors that don’t count

      • Transition and ‘future proofing’

      • Multi-homing to the same upstream

        • RFC2270: A dedicated AS for sites

          homed to a single provider

      • Service differentiation

        • RFC1997: BGP Communities attribute

    RFC

    2270

    RFC

    1997


    Requesting an asn customers

    ASN

    Requesting an ASN - Customers

    • Requested directly from Registry

      • AS number is “portable”

  • Requested via member

    • ASN is “non-portable”

    • ASN returned if customer changes provider

  • Transfers of ASNs

    • Need legal documentation (mergers etc)

    • Should be returned if no longer required


  • Aut num object example

    ASN

    Aut-num object example

    aut-num:AS4777

    as-name: APNIC-NSPIXP2-AS

    descr:Asia Pacific Network Information Centre

    descr: AS for NSPIXP2, remote facilities site

    import:from AS2500 action pref=100; accept ANY

    import:rom AS2524 action pref=100; accept ANY

    import:from AS2514 action pref=100; accept ANY

    export: to AS2500 announce AS4777

    export:to AS2524 announce AS4777

    export:to AS2514 announce AS4777

    default:to AS2500 action pref=100; networks ANY

    admin-c:PW35-AP

    tech-c: NO4-AP

    remarks: Filtering prefixes longer than /24

    mnt-by: MAINT-APNIC-AP

    changed: [email protected] 19981028

    source:APNIC

    POLICY

    RPSL


    Representation of routing policy

    ASN

    Representation of routing policy

    • Routing and packet flows

    announces

    accepts

    packet flow

    routing flow

    AS 1

    AS 2

    packet flow

    announces

    accepts

    • For AS1 and AS2 networks to communicate

      • AS1 must announce to AS2

      • AS2 must accept from AS1

      • AS2 must announce to AS1

      • AS1 must accept from AS2


    Representation of routing policy1

    ASN

    Representation of routing policy

    Basic concept

    AS 1

    AS 2

    “action pref”- the lower the value, the preferred the route

    aut-num: AS1

    import:from AS2 action pref=100;accept AS2

    export:to AS2 announce AS1

    aut-num: AS2

    import: from AS1

    action pref=100;accept AS1

    export: to AS1 announce AS2


    Representation of routing policy2

    ASN

    Representation of routing policy

    AS4

    AS5

    AS5

    AS 123

    • More complex example

    • AS4 gives transit to AS5, AS10

    • AS4 gives local routes to AS123

    AS10


    Representation of routing policy3

    ASN

    Not a path

    Representation of routing policy

    AS4

    AS5

    AS 123

    AS5

    aut-num: AS4

    import: from AS123 action pref=100; accept AS123

    AS10

    import: from AS5 action pref=100; accept AS5

    import: from AS10 action pref=100; accept AS10

    export: to AS123 announce AS4

    export: to AS5 announce AS4 AS10

    export: to AS10 announce AS4 AS5


    Representation of routing policy4

    ASN

    Representation of routing policy

    transit traffic over link2

    AS4

    AS123

    link3

    private

    link1

    AS6

    • More complex example

      • AS4 and AS6 private link1

      • AS4 and AS123 main transit link2

      • backup all traffic over link1 and link3 in event of link2 failure


    Representation of routing policy5

    ASN

    full routing received

    higher cost for backup route

    Representation of routing policy

    transit traffic over link2

    AS4

    AS123

    link3

    private link1

    AS6

    AS representation

    aut-num: AS4

    import:from AS123 action pref=100; accept ANY

    import:from AS6 action pref=50; accept AS6

    import:from AS6 action pref=200; accept ANY

    export:to AS6 announce AS4

    export:to AS123 announce AS4


    Welcome apnic members training course

    Questions ?

    Material available at: www.apnic.net/training/recent/


    Apnic internet routing registry

    APNIC Internet Routing Registry


    Welcome apnic members training course

    What is an IRR?

    • Global Internet Routing Registry database

      • http://www.irr.net/

        • Uses RPSL

      • Established in 1995

    • Stability and consistency of routing

      • network operators share information

    • Both public and private databases

      • These databases are independent

        • but some exchange data

        • only register your data in one database


    Welcome apnic members training course

    Internet Routing Registries

    ARIN, ArcStar, FGC, Verio, Bconnex, Optus, Telstra, ...

    RIPE

    CW

    RADB

    Connect

    APNIC

    • IRR = APNIC RR + RIPE DB + RADB + C&W + ARIN + …


    Why use an irr

    Why use an IRR?

    • Route filtering

      • Peering networks

      • A provider and its customer

  • Network troubleshooting

    • Easier to locate routing problems outside your network

  • Router configuration

    • By using IRRToolSet

      • ftp.ripe.net/tools/IRRToolSet

  • Global view of routing

    • A global view of routing policy improves the integrity of Internet’s routing as a whole.


  • Apnic database the irr

    APNIC Database & the IRR

    • APNIC whois Database

      • Two databases in one

    • Public Network Management Database

      • “whois” info about networks & contact persons

        • IP addresses, AS numbers etc

    • Routing Registry

      • contains routing information

        • routing policy, routes, filters, peers etc.

      • APNIC RR is part of the global IRR


    Welcome apnic members training course

    IP, ASNs,reverse domains,contacts,maintainers etc

    APNIC Whois

    routes, routingpolicy, filters,

    peers etc

    IRR

    Integration of Whois and IRR

    • Integrated APNIC Whois Database & Internet Routing Registry

    inetnum, aut-num, domain, person, role, maintainer

    route, aut-num, as-set, int-rtr, peering-set etc.

    Internet resources & routing information


    Welcome apnic members training course

    RPSL

    • Routing Policy Specification Language

      • Object oriented language

        • Based on RIPE-181

      • Structured whois objects

    • Higher level of abstraction than access lists

    • Describes things interesting to routing policy:

      • Routes, AS Numbers …

      • Relationships between BGP peers

      • Management responsibility

    • Relevant RFCs

      • Routing Policy Specification Language

      • Routing Policy System Security

      • Using RPSL in Practice

    RFC

    2622

    RFC

    2725

    RFC

    2650


    Irr objects

    route

    Specifies interAS routes

    aut-num

    Represents an AS. Used to describe external routing policy

    inet-rtr

    Represents a router

    peering-set

    Defines a set of peerings

    route-set

    Defines a set of routes

    as-set

    Defines a set of aut-num objects

    rtr-set

    Defines a set of routers

    filter-set

    Defines a set of routes that are matched by its filter

    IRR objects

    www.apnic.net/db/ref/db-objects.html


    Inter related irr objects

    Inter-related IRR objects

    route: origin:

    …mnt-by:MAINT-EX

    inetnum:

    202.0.16 - 202.0.31.255

    tech-c: KX17-AP mnt-by: MAINT-EX

    aut-num: AS1 …tech-c:KX17-APmnt-by:MAINT-EX…

    AS1

    202.0.16/20

    AS1

    202.0.16 - 202.0.31.255

    person: …nic-hdl: KX17-AP

    mntner: MAINT-EX


    Inter related irr objects1

    Inter-related IRR objects

    route-set:AS2:RS-routes

    members: 218.2/20, 202.0.16/20

    as-set: AS1:AS-customers

    members: AS10, AS11

    , AS2

    route: 218.2/20…

    origin: AS2…

    route: 202.0.16/20

    …origin: AS2…

    aut-num: AS10

    inetnum:218.2.0.0 - 218.2.15.255

    inetnum:202.0.16.0-202.0.31.255

    aut-num: AS11

    aut-num: AS2

    aut-num: AS2


    Set objects and their members

    1

    1

    2

    2

    3

    3

    ‘Set-’ objects and their members

    • Two ways of referencing members

    members- members specified in the ‘set-’ object

    mbrs-by-ref- ‘set’ specified in the member objects

    as-set: AS1:AS-CUSTS

    members: AS10, AS11

    as-set: AS1:AS-PEERS

    mbrs-by-ref:MAINT-EX

    aut-num: AS10

    aut-num: AS11

    aut-num: AS20member-of:AS1:AS-PEERS

    mnt-by: MAINT-EX

    aut-num: AS21

    member-of:AS1:AS-PEERS

    mnt-by: MAINT-EX

    • ‘members’ specifies members of the set

    • Members added in the ‘set-’ object

    • No need to modify the member object when adding members

    • ‘mbrs-by-ref’ specifies the maintainer of the members.

    • Members reference the ‘set-’ object in the ‘member-of’ attribute

    • Members are maintained by the maintainer specified in the ‘set-’


    Hierarchical authorisation

    In:

    , and objects

    route

    inetnum

    aut-num

    Hierarchical authorisation

    • mnt-routes

      • authenticates creation of route objects

        • creation of route objects must pass authentication of mntner referenced in the mnt-routes attribute

      • Format:

        • mnt-routes: <mntner>


    Authorisation mechanism

    Authorisation mechanism

    inetnum: 202.137.181.0 – 202.137.185.255netname: SPARKYNET-WF

    descr: SparkyNet Service Provider

    mnt-by: MAINT-APNIC-AP

    mnt-lower: MAINT-SPARKYNET

    mnt-routes: MAINT-SPARKYNET-WF

    This object can only be modified by APNIC

    Creation of more specific objects (assignments) within this range has to pass the authentication of MAINT-SPARKYNET

    Creation of route objects matching/within this range has

    to pass the authentication of MAINT-SPARKYNET-WF


    Creating route objects

    Creating route objects

    • Multiple authentication checks:

      • Originating ASN

        • mntner in the mnt-routes is checked

        • If no mnt-routes, mnt-lower is checked

        • If no mnt-lower, mnt-by is checked

      • AND the address space

        • Exact match & less specific route

          • mnt-routes etc

        • Exact match & less specific inetnum

          • mnt-routes etc

      • AND the route object mntner itself

        • The mntner in the mnt-by attribute

    aut-num

    inetnum

    route

    (encompassing)

    route


    Creating route objects1

    route

    1

    2

    4

    route:202.137.240/20origin:AS1

    AS number

    IP address range

    aut-num: AS1mnt-routes: MAINT-WF-EXNET

    inetnum: 202.137.240.0 – 202.137.255.255mnt-routes: MAINT-WF-EXNET

    maintainer

    5

    3

    mntner: MAINT-WF-EXNET

    auth: CRYPT-PW klsdfji9234

    Creating route objects

    1. Create route object and submit to APNIC RR database

    2. Db checks inetnum obj matching/encompassing IP range in route obj

    3. Route obj creation must pass auth of mntner specified in inetnum mnt-routes attribute.

    4. Db checks aut-num obj corresponding to the ASN in route obj

    5. Route obj creation must pass auth of mntner specified in aut-num mnt-routes attribute.


    Apnic rr service scope

    APNIC RR service scope

    • Support

      • APNIC Helpdesk support

    • Training

      • IRR workshop under development

  • Mirroring

    • APNIC mirrors IRRs within Asia Pacific and major IRRs outside of the region.

  • <[email protected]>


    Summary

    Summary

    • APNIC RR integrated in APNIC Whois DB

      • whois.apnic.net

      • <[email protected]>

  • IRR benefits

    • Facilitates network troubleshooting

    • Generation of router configuration

    • Provides global view of routing

  • APNIC RR benefits

    • Single maintainer (& person obj) for all objects

    • APNIC asserts resources for a registered route

    • Part of the APNIC member service!


  • Welcome apnic members training course

    Questions ?


    Welcome apnic members training course

    IPv6

    Technical overview

    Policies & Procedures


    Welcome apnic members training course

    Overview

    • Rationale

    • IPv6 Addressing

    • Features of IPv6

    • Transition Techniques

    • Current status

    • IPv6 Policies & Procedures

    • Statistics


    Rationale

    Rationale

    • Address depletion concerns

      • Squeeze on available addresses space

        • Probably will never run out, but will be harder to obtain

      • End to end connectivity no longer visible

        • Widespread use of NAT

      • IPv6 provides much larger IP address space than IPv4


    Rationale cont

    Rationale (Cont.)

    • Increase of backbone routing table size

      • Current backbone routing table size > 100K

        • CIDR does not guarantee an efficient and scalable hierarchy

        • The lack of uniformity of the current hierarchical system

        • Routing aggregation is still a concern in IPv6

      • IPv6 address architecture is more hierarchical than IPv4


    Ipv6 a ddress m anagement h ierarchy

    IPv6

    IPv6 address management hierarchy

    IANA

    /23

    RIR

    RIR

    NIR

    LIR/ISP

    /32

    LIR/ISP

    /64

    /48

    Customer Site

    Customer Site

    /128


    Rationale cont1

    Rationale (Cont.)

    • Needs to improve the Internet environment

      • Encryption, authentication, and data integrity safeguards needed

        • Necessity of IP level security

      • Plug and Play function needed

        • Reduce network administrators work load

        • Reduce errors caused by individual users

      • More recent technologies (security, Plug and Play, multicast, etc.) available by default in IPv6

    • Useful reading:

      • “The case for IPv6”: http://www.6bone.net/misc/case-for-ipv6.html


    Ipv6 addressing

    IPv6 addressing

    • 128 bits of address space

    • Hexadecimal values of eight 16 bit fields

      • X:X:X:X:X:X:X:X (X=16 bit number, ex: A2FE)

      • 16 bit number is converted to a 4 digit hexadecimal number

  • Example:

    • FE38:DCE3:124C:C1A2:BA03:6735:EF1C:683D

  • Abbreviated form of address

    • 4EED:0023:0000:0000:0000:036E:1250:2B00

      →4EED:23:0:0:0:36E:1250:2B00

      →4EED:23::36E:1250:2B00

      (Null value can be used only once)


  • Ipv6 addressing model

    IPv6 addressing model

    RFC

    3513

    • IPv6 Address type

      • Unicast

        • An identifier for a single interface

      • Anycast

        • An identifier for a set of interfaces

      • Multicast

        • An identifier for a group of nodes


    Unicast address

    Unicast address

    • Address given to interface for communication between host and router

      • Aggregatable global unicast address

      • Local use unicast address

        • Link-local address (starting with FE80::)

        • Site-local address (starting with FEC0::)

    001

    FP subnet prefix Interface ID

    3bits 64 bits

    1111111010 000…….0000 Interface ID

    10 bits 54 bits 64 bits

    1111111011 Subnet-ID Interface ID

    10 bits 54 bits 64 bits


    Ipv6 header

    IPv6 Header

    Version Traffic Class Flow Label

    4bits 8 bits 20 bits

    Payload Length Next Header Hop Limit

    16 bits 8 bits 8 bits

    Version IHL Type of Service Total Length

    4 bits 4bits 8bits 16bits

    Source Address

    128 bits

    Identification Flags Fragment Offset

    16 bits 4 bits 12 bits

    TTL Protocol Header Header Checksum

    8 bits 8 bits 16 bits

    Source Address

    32 bits

    Destination Address

    32 bits

    Destination Address

    128 bits

    IP options

    0 or more bits

    Enhanced in IPv6

    Enhanced in IPv6

    Enhanced in IPv6

    IPv6 header

    IPv4 Header

    • Comparison between IPv4 header and IPv6 header

    IHL

    IHL=IP Header Length

    TTL=Time to Live

    = Eliminated in IPv6


    Ipv6 security

    IPv6 security

    • Convey the authentication information via IPv6 extension header: Authentication header

    • Method to transport encrypted data: Encapsulating Security Payload (ESP) header

    Next Header

    Length

    Reserved

    Security Parameters Index (SPI)

    Authentication Data

    Security Parameters Index (SPI)

    Sequence Number

    Payload Data

    Padding

    Pad Length

    Next Header

    Authentication Data


    Ipv6 features autoconfigutation cont

    Tentative address (link-local address)

    Well-known link local prefix +Interface ID (EUI -64)

    Ex: FE80::310:BAFF:FE64:1D

    IPv6 features – autoconfigutation (Cont.)

    Is this address unique?

    Assign

    FE80::310:BAFF:FE64:1D

    3FFE:0:0:1/64 network

    • A new host is turned on.

    • Tentative address will be assigned to the new host.

    • Duplicate Address Detection (DAD) is performed on all unicast address.

    • If no ND message comes back then the address is unique.

    • FE80::310:BAFF:FE64:1D will be assigned to the new host.


    Ipv6 feature autoconfiguration cont

    IPv6 feature: autoconfiguration (Cont.)

    Send me

    Router Advertisement

    FE80::310:BAFF:FE64:1D

    Router

    Advertisement

    3FFE:0:0:1/64 network

    Assign

    3FFE:0:0:1:310:BAFF:FE64:1D

    • The new host will send “router solicitation” request via multicasting to obtain the network prefix.

    • The router will reply “routing advertisement”.

    • The new host will learn the network prefix. Ex: 3FFE:0:0:1

    • The new host will assigned a new address Network prefix+Interface ID Ex: 3FFE:0:0:1:310:BAFF:FE64:1D


    Ipv4 to ipv6 transition

    IPv4 to IPv6 transition

    • Implementation rather than transition

    • The key to successful IPv6 transition

      • Maintaining compatibility with IPv4 hosts and routers while deploying IPv6

        • Millions of IPv4 nodes already exist

        • Upgrading every IPv4 nodes to IPv6 is not feasible

        • Transition process will be gradual

    • Commonly utilised transition techniques

      • Dual Stack Transition

      • Tunneling


    Dual stack transition

    APPLICATION

    TCP/UDP

    IPv4 IPv6

    DRIVER

    IPv6

    IPv4

    Dual Stack

    Host

    Dual stack transition

    • Dual stack = TCP/IP protocol stack running both IPv4 and IPv6 protocol stacks simultaneously

    • Useful at the early phase of transition


    Tunneling

    IPv6

    IPv6 network

    Tunneling

    • Commonly utilised transition method

    • IP v6 packet encapsulated in an IPv4 header

    • Destination routers will decapsulate the packets and send IPv6 packets to destination IPv6 host

    IPv6 Host Y

    IPv6 Host X

    Router α

    Router β

    Decapsulation

    Encapsulation

    IPv4 network

    IPv6 network

    Add IPv4 Header

    Eliminate IPv4 Header

    IPv4 header

    IPv6 data

    IPv6 header

    IPv6 header

    IPv6 data

    IPv6 header

    IPv4 header

    IPv6 data


    Ipv6 address policy g oals

    IPv6

    IPv6 address policy goals

    • Efficient address usage

      • Avoid wasteful practices

  • Aggregation

    • Hierarchical distribution

    • Aggregation of routing information

    • Limiting number of routing entries advertised

  • Minimise overhead

    • Associated with obtaining address space

  • Registration, Uniqueness, Fairness & consistency

    • Same as IPv4


  • Ipv6 a ddressing s tructure

    32

    16

    16

    64

    LIR

    /32

    Customer

    Site /48

    Device /128

    Subnet /64

    IPv6 addressing structure

    128 bits

    0

    127


    Ipv6 initial a llocation

    32 bits

    32 bits

    48 bits

    48 bits

    IPv6 initial allocation

    • Initial allocation criteria

      • Plan to connect 200 end sites within 2 years

        • Default allocation (“slow start”)

    • Initial allocation size is /32

      • Provides 16 bits of site address space

      • Larger initial allocations can be made if justified according to:

        • IPv6 network infrastructure plan

        • Existing IPv4 infrastructure and customer base

    128 bits


    Ipv6 a ssignments

    48 bits

    48 bits

    64 bits

    64 bits

    128 bits

    IPv6 assignments

    • Default assignment /48 for all end sites

      • POP also defined as end site

    • Providing 16 bits of space for subnets

  • Other assignment sizes

    • /64 only one subnet

    • /128 only one device connecting

  • Larger assignments - Multiple /48s

    • Should be reviewed by RIR/NIR

      • Follow second opinion procedure


  • Ipv6 utilisation

    IPv6 utilisation

    • Utilisation determined from end site assignments

      • LIR responsible for registration of all /48 assignments

      • Intermediate allocation hierarchy not considered

    • Utilisation of IPv6 address space is measured differently from IPv4


    Ipv6 u tilisation r equirement

    log (10,000)

    log (Assigned address space)

    log (Assigned address space)

    UtilisationHD =

    log (Available address space)

    log (Available address space)

    IPv6 utilisation requirement

    • IPv6 utilisation measured according to HD-Ratio (RFC 3194):

    • IPv6 utilisation requirement is HD=0.80

      • Measured according to assignments only

        • E.g. ISP has assigned 10000 (/48s) addresses of /32

    =

    =

    0.83

    log (65,536)


    Ipv6 u tilisation r equirement cont

    43.5%

    18.9%

    16.5%

    7.2%

    3.6%

    1.2%

    0.4%

    0.2%

    IPv6 utilisation requirement (Cont.)

    • HD Ratio utilisation requirement of 0.80

    10.9%

    • RFC 3194

    • “In a hierarchical address plan, as the size of the allocation increases, the density of assignments will decrease.”


    Subsequent a llocation

    Subsequent allocation

    • Must meet HD = 0.8 utilisation requirement of previous allocation

      • (7132 /48s assignments in a /32)

  • Other criteria to be met

    • Correct registrations (all /48s registered)

    • Correct assignment practices etc

  • Subsequent allocation results in a doubling of the address space allocated to it

    • Resulting in total IPv6 prefix is 1 bit shorter

    • Or sufficient for 2 years requirement


  • Ixp ipv6 assignment policy

    IPv6

    IXP IPv6 assignment policy

    • Criteria

      • Demonstrate ‘open peering policy’

      • 3 or more peers

    • Portable assignment size: /48

      • All other needs should be met through normal processes

      • /64 holders can “upgrade” to /48

        • Through NIRs/ APNIC

        • Need to return /64


    Current status implementations

    IPv6

    Current Status - Implementations

    • Most vendors are shipping supported products today

      • eg. 3Com, Apple, Bay Networks, BSDI, Bull, Cisco, Dassault, Digital, Epilogue, Ericsson/Telebit, FreeBSD, IBM, Hitachi, HP, KAME, Linux, Mentat, Microsoft, Nokia, Novell, Nortel, OpenBSD, SCO, Siemens Nixdorf, Silicon Graphics, Sun, Trumpet


    Ipv6 deployment current experiments

    Light

    Air conditioner

    IPv6 deployment current experiments

    PC

    Home hub

    Mobile viewer Access point

    IPv6 network

    Home router

    Home hub

    Ethernet

    IPv6-washing machine IPv6-refrigerator IPv6-microwave

    Wireless


    Current issues multihoming

    Current issues: Multihoming

    • Assigned portable address is not available

    • Multiple unicast addresses per node

      • How to determine the source address?

    • Multiple interfaces per host

      • Possible defeat ICMP redirect

      • How to achieve “load-sharing” across multiple interfaces?

    • Other issues too

      • IETF is working for possible solutions


    Current issues dns

    Current issues: DNS

    • Need for a root name server, TLDs name server accessible via IPv6

    • Human error easily made in IPv6 reverse DNS record

      • Dynamic update may provide a solution

      • Security system while update required

        • Ex: DNSSEC


    Ipv6 reverse delegations

    IPv6 Reverse delegations


    Ipv6 representation in the dns

    IPv6 representation in the DNS

    • Forward lookup support: Multiple RR records for name to number

      • AAAA (Similar to A RR for IPv4 )

      • A6 without chaining (prefix length set to 0 )

    • Reverse lookup support:

      • Reverse nibble format for zone ip6.int

      • Reverse nibble format for zone ip6.arpa


    Ipv6 forward and reverse mappings

    IPv6 forward and reverse mappings

    • Existing A record will not accommodate IPv6’s 128 bit addresses

    • BIND expects an A record’s record-specific data to be a 32-bit address (in dotted-octet format)

    • An address record

      • AAAA (RFC 1886)

    • A reverse-mapping domain

      • Ip6.int (now replaced by ip6.arpa)


    The reverse dns tree with ipv6

    arpa

    202 203 210

    202

    64

    64

    22

    22

    The reverse DNS tree – with IPv6

    Root DNS

    net

    edu

    com

    int

    in-addr

    apnic

    IP6

    whois

    RIR

    whois

    ISP

    IPv6 Addresses

    Customer


    Welcome apnic members training course

    Root DNS

    int

    IP6

    Downstream

    ISP

    ISP

    Customer

    Devices

    arpa

    /32

    H8

    /40

    H10

    H1

    64

    /48

    H12

    /128

    H32

    b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa.


    Ipv6 forward lookups

    IPv6 forward lookups

    • Multiple addresses possible for any given name

      • Ex: in a multi-homed situation

    • Can assign A records and AAAA records to a given name/domain

    • Can also assign separate domains for IPv6 and IPv4


    Sample forward lookup file

    Sample forward lookup file

    ;; domain.edu

    $TTL 86400

    @ IN SOA ns1.domain.edu. root.domain.edu. (

    2002093000; serial - YYYYMMDDXX

    21600; refresh - 6 hours

    1200; retry - 20 minutes

    3600000; expire - long time

    86400); minimum TTL - 24 hours

    ;; Nameservers

    INNSns1.domain.edu.

    INNSns2.domain.edu.

    ;; Hosts with just A records

    host1INA1.0.0.1

    ;; Hosts with both A and AAAA records

    host2INA1.0.0.2

    INAAAA2001:468:100::2


    Ipv6 reverse lookups

    IPv6 reverse lookups

    • IETF decided to restandardize IPv6 PTR RRs

      • They will be found in the IP6.ARPA namespace rather than under the IP6.INT namespace

    • The ip6.int domains has been deprecated, but some hosts still use them

      • Supported for backwards compatiblity

    • Now using ip6.arpa for reverse


    Ipv6 reverse lookups aaaa and ip6 arpa

    IPv6 reverse lookups - AAAA and ip6.arpa

    • Address record four times longer than A

      • Quad A ( AAAA )

    • AAAA record is a parallel to the IPv4 A record

    • It specifies the entire address in a single record


    Ipv6 reverse lookups aaaa and ip6 arpa1

    IPv6 reverse lookups - AAAA and ip6.arpa

    • Example

      • Each level of subdomain

        • Represents 4 bits

          4.3.2.1.0.0.0.0.0.0.0.1.0.0.0.2.0.0.0.3.0.0.0.4.0.5.6.7.8.9.a.b

          b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa.

    Ipv6-host IN AAAA 4321:0:1:2:3:4:567:89ab


    Ipv6 reverse lookups ptr records

    IPv6 reverse lookups - PTR records

    • Similar to the in-addr.arpa

    • Example: reverse name lookup for a host with address 3ffe:8050:201:1860:42::1

    b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa.

    IN PTRtest.ip6.example.com.

    $ORIGIN 0.6.8.1.1.0.2.0.0.5.0.8.e.f.f.3.ip6.arpa.

    1.0.0.0.0.0.0.0.0.0.0.0.2.4.0.0 14400 IN PTR host.example.com.


    Sample reverse lookup file

    Sample reverse lookup file

    ;; 0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.rev;; These are reverses for 2001:468:100::/64)

    ;; File can be used for both ip6.arpa and ip6.int.

    $TTL 86400

    @ IN SOA ns1.domain.edu. root.domain.edu. (

    2002093000; serial - YYYYMMDDXX

    21600; refresh - 6 hours

    1200; retry - 20 minutes

    3600000; expire - long time

    86400); minimum TTL - 24 hours

    ;; Nameservers

    INNSns1.domain.edu.

    INNSns2.domain.edu.

    1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0INPTRhost1.ip6.domain.edu

    2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0INPTRhost2.domain.edu

    ;;

    ;; Can delegate to other nameservers in the usual way

    ;;


    Sample configuration file

    Sample configuration file

    // named.conf

    zone “domain.edu” {

    type master;

    file “master/domain.edu”;

    }

    zone “0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.ip6.int" {

    type master;

    file "master/0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.rev";

    };

    zone “0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.ip6.arpa" {

    type master;

    file "master/0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.rev";

    };


    Reverse delegation for existing 35 holders

    Reverse delegation for existing /35 holders

    • Reverse tree has 4bit ‘boundary’

      • /35 allocation needs two /36 delegations

    • Delegation for two /36

      0.8.3.2.0.1.0.0.2.ip6.arpa

      1.8.3.2.0.1.0.0.2.ip6.arpa

    FP | /35 allocations|

    |3 | /32 |

    |--|----------------------------|--|----……

    00100000000000010000001000111000000?

    ------------ 35 bits --------------

    2 0 0 1: 0 2 3 8 0/35

    Can be 1 or 0


    Current status ipv6 in dns

    Current Status – IPv6 in DNS

    • A6 and Bit label specifications has been made experimental

      • RFC3363

    • IETF standardized 2 different formats

      • AAAA and A6

      • Confusions on which format to deploy

      • More than one choice will lead to delays in the deployment of IPv6


    Ipv6 address allocation procedures

    IPv6

    IPv6 Address Allocation Procedures

    • IPv6 Allocations to RIRs from IANA

      • APNIC2001:0200::/23

        2001:0C00::/23

        2001:0E00::/23

      • ARIN 2001:0400::/23

        2001:1800::/23

      • LACNIC2001:1200::/23

      • RIPE NCC 2001:0600::/23

        2001:0800::/23

        2001:0A00::/23

        2001:1400::/23

        2001:1600::/23

        2001:1A00::/23

    • IPv6 Address Request form

      http://ftp.apnic.net/apnic/docs/ipv6-alloc-request

    • IPv6 FAQhttp://www.apnic.net/faq/IPv6-FAQ.html


    Ipv6 distribution per rir

    IPv6 distribution per RIR

    Source: APNIC statistic data - Last update March 2004


    Welcome apnic members training course

    IPv6 allocations from RIRs to LIRs/ISPs yearly comparison

    Source: RIR reports and joint statistics presented at APNIC 17


    Welcome apnic members training course

    IPv6 allocations in Asia Pacific

    Source: APNIC statistic data - Last update May 2004


    Global ipv6 routing table

    Global IPv6 routing table

    Source: http://bgp.potaroo.net/v6/as1221/index.html - Last updated 06/05/2004


    Ipv6 allocation announcements

    IPv6 allocation announcements

    Data obtained from RIPE RIS Looking Glass as of 11/03/2004


    Welcome apnic members training course

    Questions ?

    Material available at: www.apnic.net/training/recent/


    Summary1

    Summary

    What we have covered today


    Summary2

    Summary

    • APNIC’s role in the Asia Pacific

    • Internet Registry Policies

    • IPv4 Allocation & Assignments

    • APNIC Database usage

    • Reverse DNS

    • SPAM and Network Abuse

    • ASN Assignment

    • Internet Routing Registry

    • IPv6 Overview and Policies


    Summary responsibilities

    Summary - Responsibilities

    • As an APNIC member and custodian of address space

      • Be aware of your responsibilities

      • Register customer assignments in APNIC database

        • Keep this data up-to-date & accurate

      • Educate your customers

      • Document your network in detail

        • Keep local records

      • Register reverse DNS delegations


    Welcome apnic members training course

    • MemberServices Helpdesk

    • - One point of contact for all member enquiries

    • [email protected]

    • www.apnic.net/helpdesk

    • Helpdesk hours

    • 9:00 am - 7:00 pm (AU EST, UTC + 10 hrs)

      • ph: +61 7 3858 3188fax: +61 7 3858 3199

    • More personalised service

      • Range of languages:

    • Faster response and resolution of queries

      • IP resource applications, status of requests, membership enquiries,billing issues & database enquiries

    • Filipino (Tagalog)

    • Mandarin

    • Vietnamese

    • Cantonese

    • Hindi

    • Sinhalese

    • English

    • Japanese

    • Telugu


    Summary3

    Summary

    • “Do the right thing”

      • Think about routing table size & scalability of Internet

      • Encourage renumbering

      • Announce aggregate prefixes

      • Think global not local


    Apnic 18 sponsorships

    APNIC 18 Sponsorships

    • Interested to be one of the Sponsors?

      • http://www.apnic.net/meetings/18/sponsors

    • Benefits include valuable opportunities to expose your

      • Organisation

      • Products

      • Services to an international audience of Internet leaders


    Thank you

    Thank you !!

    Your feedback is appreciated


    Supplementary reading

    Supplementary Reading


    Introduction1

    Introduction

    Regional Registry web sites

    • APNIC:

      http://www.apnic.net

    • ARIN:

      http://www.arin.net

    • LACNIC:

      http://www.lacnic.net

    • RIPE NCC:

      http://www.ripe.net

      APNIC past meetings

      http://www.apnic.net/meetings


    Introduction2

    Introduction

    APNIC members

    http://www.apnic.net/members.html

    Membership

    • Membership procedure

      http://www.apnic.net/membersteps.html

    • Membership application form http://www.apnic.net/apnic-bin/membership-application.pl

    • Membership fees http://www.apnic.net/docs/corpdocs/FeeSchedule.htm


    Introduction to apnic ip policy

    Introduction to APNIC & IP Policy

    Classless techniques

    • CIDR

      http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1517-19.txt

    • Network Addressing when using CIDR ftp://ftp.uninett.no/pub/misc/eidnes-cidr.ps.Z

    • Variable Length Subnet Table http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1878.txt

      Private Address Space

    • Address Allocation for Private Internets

      http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1918.txt

    • Counter argument: “Unique addresses are good”

      http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1814.txt


    Bit boundary chart

    Bit boundary chart

    +------------------------------------------------------+

    | addrs bits pref class mask |

    +------------------------------------------------------+

    | 1 0 /32 255.255.255.255 |

    | 2 1 /31 255.255.255.254 |

    | 4 2 /30 255.255.255.252 |

    | 8 3 /29 255.255.255.248 |

    | 16 4 /28 255.255.255.240 |

    | 32 5 /27 255.255.255.224 |

    | 64 6 /26 255.255.255.192 |

    | 128 7 /25 255.255.255.128 |

    | 256 8 /24 1C 255.255.255 |

    | 512 9 /23 2C 255.255.254 |

    | 1,024 10 /22 4C 255.255.252 |

    | 2,048 11 /21 8C 255.255.248 |

    | 4,096 12 /20 16C 255.255.240 |

    | 8,192 13 /19 32C 255.255.224 |

    | 16,384 14 /18 64C 255.255.192 |

    | 32,768 15 /17 128C 255.255.128 |

    | 65,536 16 /16 1B 255.255 |

    | 131,072 17 /15 2B 255.254 |

    | 262,144 18 /14 4B 255.252 |

    | 524,288 19 /13 8B 255.248 |

    | 1,048,576 20 /12 16B 255.240 |

    | 2,097,152 21 /11 32B 255.224 |

    | 4,194,204 22 /10 64B 255.192 |

    | 8,388,608 23 /9 128B 255.128 |

    | 16,777,216 24 /8 1A 255 |

    | 33,554,432 25 /7 2A 254 |

    | 67,108,864 26 /6 4A 252 |

    | 134,217,728 27 /5 8A 248 |

    | 268,435,456 28 /4 16A 240 |

    | 536,870,912 29 /3 32A 224 |

    |1,073,741,824 30 /2 64A 192 |

    +------------------------------------------------------+


    Apnic mailing lists

    APNIC Mailing Lists

    • apnic-talk

      • Open discussions relevant to APNIC community & members

    • apnic-announce

      • Announcements of interest to the AP community

    • sig-policy

      • IPv4 and IPv6 allocation and assignment policies

    • global-v6

      • Global IPv6 policy mailing list

    • subscribe via <[email protected]>

    • archives:

      http://ftp.apnic.net/apnic/mailing-lists

      http://www.apnic.net/net_comm/lists/


    The rir system

    The RIR System

    • “Development of the Regional Internet Registry System” Internet Protocol Journal

      • Short history of the Internet

        http://www.cisco.com/warp/public/759/ipj_4-4/ipj_4-4_regional.html


    Policies policy environment

    Policies & Policy Environment

    Policy Documentation

    • Policies for address space management in the Asia Pacific region

      http://www.apnic.net/docs/policy/add-manage-policy.html

    • RFC2050: Internet Registry IP allocation Guidelines

      http://ftp.apnic.net/ietf/rfc/rfc2000/rfc2050.txt


    Address request procedures

    Address Request Procedures

    Addressing Guidelines

    • “Designing Addressing Architectures for Routing & Switching”, Howard C. Berkowitz

      Address Request Forms

    • ISP Address Request Form http://www.apnic.net/services/ipv4/

    • Second-opinion Request Form

      http://www.apnic.net/services/second-opinion/

    • No Questions Asked http://ftp.apnic.net/apnic/docs/no-questions-policy


    Apnic database

    APNIC Database

    APNIC Database Documentation

    • Updating information in the APNIC Database

      http://ftp.apnic.net/apnic/docs/database-update-info

    • Maintainer & Person Object Request Form

      http://ftp.apnic.net/apnic/docs/mntner-person-request

    • APNIC Maintainer Object Request

      http://www.apnic.net/apnic-bin/maintainer.pl

    • APNIC Whois Database objects resource guide

      http://www.apnic.net/services/whois_guide.html


    Apnic database1

    APNIC Database

    RIPE Database Documentation

    • RIPE Database Reference Manual

      http://www.ripe.net/docs/databaseref-manual.html

      Database ‘whois’ Client

      http://ftp.apnic.net/apnic/dbase/tools/ripe-dbase-client.tar.gz

      Database web query

      http://www.apnic.net/apnic-bin/whois2.pl


    Person object template

    person: [mandatory] [single] [lookup key]

    address: [mandatory] [multiple] [ ]

    country: [optional] [single] [ ]

    phone: [mandatory] [multiple] [ ]

    fax-no: [optional] [multiple] [ ]

    e-mail: [mandatory] [multiple] [lookup key]

    nic-hdl: [mandatory] [single] [primary/look-up key]

    remarks: [optional] [multiple] [ ]

    notify: [optional] [multiple] [inverse key]

    mnt-by: [mandatory] [multiple] [inverse key]

    changed: [mandatory] [multiple] [ ]

    source: [mandatory] [single] [ ]

    Person object template


    Role object template

    Role object template

    role: [mandatory] [single] [lookup key]

    address: [mandatory] [multiple] [ ]

    country: [optional] [single] [ ]

    phone: [mandatory] [multiple] [ ]

    fax-no: [optional] [multiple] [ ]

    e-mail: [mandatory] [multiple] [lookup key]

    trouble: [optional] [multiple] [ ]

    admin-c: [mandatory] [multiple] [inverse key]

    tech-c: [mandatory] [multiple] [inverse key]

    nic-hdl: [mandatory] [single] [primary/look-up key]

    remarks: [optional] [multiple] [ ]

    notify: [optional] [multiple] [inverse key]

    mnt-by: [mandatory] [multiple] [inverse key]

    changed: [mandatory] [multiple] [ ]

    source: [mandatory] [single] [ ]


    Maintainer object template

    Maintainer Object Template

    mntner: [mandatory] [single] [primary/look-up key]

    descr: [mandatory] [multiple] [ ]

    country: [optional] [single] [ ]

    admin-c: [mandatory] [multiple] [inverse key]

    tech-c: [optional] [multiple] [inverse key]

    upd-to: [mandatory] [multiple] [inverse key]

    mnt-nfy: [optional] [multiple] [inverse key]

    auth: [mandatory] [multiple] [ ]

    remarks: [optional] [multiple] [ ]

    notify: [optional] [multiple] [inverse key]

    mnt-by: [mandatory] [multiple] [inverse key]

    referral-by: [mandatory] [single] [inverse key]

    changed: [mandatory] [multiple] [ ]

    source: [mandatory] [single] [ ]


    Inetnum object template

    Inetnum object template

    inetnum: [mandatory] [single] [primary/look-up key]

    netname: [mandatory] [single] [lookup key]

    descr: [mandatory] [multiple] [ ]

    country: [mandatory] [multiple] [ ]

    admin-c: [mandatory] [multiple] [inverse key]

    tech-c: [mandatory] [multiple] [inverse key]

    rev-srv: [optional] [multiple] [inverse key]

    status: [mandatory] [single] [ ]

    remarks: [optional] [multiple] [ ]

    notify: [optional] [multiple] [inverse key]

    mnt-by: [mandatory] [multiple] [inverse key]

    mnt-lower: [optional] [multiple] [inverse key]

    mnt-routes:[optional] [multiple] [inverse key]

    mnt-irt: [optional] [multiple] [inverse key]

    changed: [mandatory] [multiple] [ ]

    source: [mandatory] [single] [ ]


    Aut num object template

    Aut-num Object Template

    aut-num: [mandatory] [single] [primary/look-up key]

    as-name: [mandatory] [single] [ ]

    descr: [mandatory] [multiple] [ ]

    country: [optional] [single] [ ]

    member-of: [optional] [multiple] [ ]

    import: [optional] [multiple] [ ]

    export: [optional] [multiple] [ ]

    default: [optional] [multiple] [ ]

    remarks: [optional] [multiple] [ ]

    admin-c: [mandatory] [multiple] [inverse key]

    tech-c: [mandatory] [multiple] [inverse key]

    cross-mnt: [optional] [multiple] [inverse key]

    cross-nfy: [optional] [multiple] [inverse key]

    notify: [optional] [multiple] [inverse key]

    mnt-lower: [optional] [multiple] [inverse key]

    mnt-routes: [optional] [multiple] [inverse key]

    mnt-by: [mandatory] [multiple] [inverse key]

    changed: [mandatory] [multiple] [ ]

    source: [mandatory] [single] [ ]


    Domain object template

    Domain object template

    domain: [mandatory] [single] [primary/look-up key]

    descr: [mandatory] [multiple] [ ]

    country: [optional] [single] [ ]

    admin-c: [mandatory] [multiple] [inverse key]

    tech-c: [mandatory] [multiple] [inverse key]

    zone-c: [mandatory] [multiple] [inverse key]

    nserver: [mandatory] [multiple] [inverse key]

    sub-dom: [optional] [multiple] [inverse key]

    dom-net: [optional] [multiple] [ ]

    remarks: [optional] [multiple] [ ]

    notify: [optional] [multiple] [inverse key]

    mnt-by: [mandatory] [multiple] [inverse key]

    mnt-lower: [optional] [multiple] [inverse key]

    refer: [optional] [single] [ ]

    changed: [mandatory] [multiple] [ ]

    source: [mandatory] [single] [ ]


    Reverse dns1

    Reverse DNS

    Request Forms

    • Guide to reverse zones

      http://www.apnic.net/db/revdel.html

    • Registering your Rev Delegations with APNIC

      http://www.apnic.net/db/domain.html

      Relevant RFCs

    • Classless Delegations

      http://ftp.apnic.net/ietf/rfc/rfc2000/rfc2317.txt

    • Common DNS configuration errors

      http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1537.txt


    Reverse dns2

    Reverse DNS

    Documentation

    • Domain name structure and delegation

      http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1591.txt

    • Domain administrators operations guide

      http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1033.txt

    • Taking care of your domain

      ftp://ftp.ripe.net/ripe/docs/ripe-114.txt

    • Tools for DNS debugging

      http://ftp.apnic.net/ietf/rfc/rfc2000/rfc2317.txt


    As assignment procedures

    AS Assignment Procedures

    Policy

    • Guidelines for the creation, selection, and registration of an AS

      http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1930.txt

      RFCs

    • Routing Policy Specification Language (RPSL)

      http://ftp.apnic.net/ietf/rfc/rfc2000/rfc2280.txt

    • A dedicated AS for sites homed to a single provider

      http://ftp.apnic.net/ietf/rfc/rfc2000/rfc2270.txt

    • RFC1997: BGP Communities attribute

      http://ftp.apnic.net/ietf/rfc/rfc2000/rfc2270.txt


    Welcome apnic members training course

    IPv6

    Policy Documents

    • IPv6 Address Policy

      http://ftp.apnic.net/apnic/docs/ipv6-address-policy

    • IPv6 Address request form

      http://ftp.apnic.net/apnic/docs/ipv6-alloc-request

      Useful reading

    • The case for IPv6

      http://www.6bone.net/misc/case-for-ipv6.html

      FAQ

      http://www.apnic.net/info/faq/IPv6-FAQ.html


    Ipv6 hd ratio 0 8

    IPv6: HD Ratio 0.8

    • RFC3194 “The Host-Density Ratio for Address Assignment Efficiency”


    Other supplementary reading

    Other supplementary reading

    Operational Content Books

    • ISP Survival Guide, Geoff Huston

    • Cisco ISP Essentials, Philip Smith

      BGP Table

      http://www.telstra.net/ops/bgptable.html

      http://www.merit.edu/ipma/reports

      http://www.merit.edu/ipma/routing_table/mae-east/prefixlen.990212.html

      http://www.employees.org/~tbates/cidr.hist.plot.html

      Routing Instability

      http://zounds.merit.net/cgi-bin/do.pl


    Other supplementary reading1

    Other supplementary reading

    Routing & Mulithoming

    • Internet Routing Architectures - Bassam Halabi

    • BGP Communities Attribute

      http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1997.txt

      http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1998.txt

      Filtering

    • Egress Filtering

      http://www.cisco.com/public/cons/isp

    • Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing

      http://ftp.apnic.net/ietf/rfc/rfc2000/rfc2267.txt


    Other supplementary reading2

    Other Supplementary Reading

    • Dampening case studies at

      http://www.cisco.com/warp/public/459/16.html

    • Traceroute Server

      http://nitrous.digex.net

    • Network Renumbering Overview: Why Would I Want It and What Is It Anyway?

      http://ftp.apnic.net/ietf/rfc/rfc2000/rfc2071.txt

    • Procedures for Enterprise Renumbering

      http://www.isi.edu/div7/pier/papers.html

    • NAT

      • The IP Network Address Translator

        http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1631.txt


  • Login