Welcome! APNIC Members Training Course


Welcome! APNIC Members Training Course. Internet Resource Management Essentials 09 June 2004, Nha Trang, Vietnam Sponsored by VNPT. Introduction. Presenters Son Tran Resource Services Manager [email protected] Champika Wijayatunga Senior Training Specialist [email protected]

Presentation Transcript
Welcome! APNIC Members Training Course

Internet Resource Management Essentials

09 June 2004, Nha Trang, Vietnam

Sponsored by VNPT

Introduction
  • Presenters
    • Son Tran, Resource Services Manager [email protected]
    • Champika Wijayatunga, Senior Training Specialist [email protected]

Assumptions & Objectives
  • Assumptions
    • Are current APNIC/NIR or prospective member
    • Not familiar with registry function
    • Are not familiar / up-to-date with policies
  • Objectives
    • Teach how to request resources from registry
    • Keep the community up-to-date with latest policies
    • Liaise with the community
      • Faces behind the e-mails
Schedule
  • APNIC’s role in the Asia Pacific
  • Internet Registry Policies
  • TEA BREAK (10:30 – 11:00)
  • Addressing Plan
  • Requesting an IP allocation
  • APNIC database
  • LUNCH (12:30 – 13:30)
  • SPAM & Network Abuse
  • Reverse DNS
  • ASN
  • TEA BREAK (15:30 – 16:00)
  • IRR
  • IPv6
  • Summary

APNIC’s role in the Asia Pacific

Asia Pacific Network Information Centre

Intro: Overview
  • What is APNIC?
      • Regional Internet Registry
      • APNIC structure
  • What Does APNIC do ?
      • APNIC Membership services
  • Why APNIC ?
      • APNIC resources
      • APNIC environment
      • APNIC responsibilities
Intro: What is APNIC?
  • RIR for the Asia Pacific
      • Regional Internet Registry
    • Regional authority for Internet Resource distribution
    • IPv4 & IPv6 addresses, ASNs, reverse dns delegation
  • Industry self-regulatory body
    • Non-profit, neutral and independent
  • Open membership-based structure
Intro: APNIC is not…
  • Not a network operator
    • Does not provide networking services
      • Works closely with APRICOT forum
  • Not a standards body
    • Does not develop technical standards
      • Works within IETF in relevant areas (IPv6 etc)
  • Not a domain name registry or registrar
      • Will refer queries to relevant parties
Intro: APNIC structure
  • Industry self-regulatory structure
    • Participation by those who use Internet resources
    • Consensus-based decision making
      • Eg. Policy changes, db requirements etc
    • Open and transparent
  • Meetings and mailing lists
    • Open to anyone
Intro: APNIC Membership

Last Update – May 2004

Total Members 913

Intro: APNIC Services & Activities
  • Resources Services
    • IPv4, IPv6, ASN, reverse DNS
  • Policy development
    • Approved and implemented by membership
  • APNIC whois db
    • whois.apnic.net
    • Registration of resources
  • Information dissemination
    • APNIC meetings
    • Web and ftp site
    • Mailing lists
      • Open for anyone!
    • Training Courses
      • DNS Workshops, IRR Tutorial
      • Subsidised for members
  • Co-ordination & liaison
    • With membership, other RIRs & other Internet Orgs.
Policy Development in the Asia Pacific

The APNIC Community & the Policy Development Process

What is the APNIC community?
  • Open forum in the Asia Pacific
    • Open to any interested parties
  • Voluntary participation
  • Decisions made by consensus
  • Public meetings
  • Mailing lists
    • web archived
  • A voice in regional Internet operations through participation in APNIC activities
Participation in policy development
  • Why should I bother?
    • Responsibility as an APNIC member
      • To be aware of the current policies for managing address space allocated to you
    • Business reasons
      • Policies affect your business operating environment and are constantly changing
      • Ensure your ‘needs’ are met
    • Educational
      • Learn and share experiences
      • Stay abreast with ‘best practices’ in the Internet
Policy development cycle
  • OPEN: Anyone can participate
  • ‘BOTTOM UP’: Internet community proposes and approves policy
  • TRANSPARENT: All decisions & policies documented & freely available to anyone
  • [Cycle diagram; stages labelled: Need, Evaluate, Discuss, Consensus, Implement]

How to make your voice heard
  • Contribute on the public mailing lists
      • http://www.apnic.net/community/lists/index.html
  • Attend meetings
    • Or send a representative
    • Gather input at forums
  • Give feedback
    • Training or seminar events
Come to the APNIC meeting!
  • APNIC 18
  • Nadi, Fiji, 31 Aug- 3 Sep 2004
  • Participate in policy development
  • Attend workshops, tutorials & presentations
  • Exchange knowledge and information with peers
  • Stay abreast with developments in the Internet
  • View multicast online
  • Provide your input in matters important to you
  • Fellowships Available
  • http://www.apnic.net/meetings/18
Questions ?
  • Policy making process description
    • http://www.apnic.net/docs/policy/dev/index.html

Material available at: www.apnic.net/training/recent/

Policies: Overview of APNIC policies
  • Definitions
  • Objectives
  • Environment
  • Allocation & Assignment Policies
  • Summary
Policies: Allocation and Assignment

Allocation

“A block of address space held by an IR (or downstream ISP) for subsequent allocation or assignment”

  • Not yet used to address any networks

Assignment

“A block of address space used to address an operational network”

  • May be provided to LIR customers, or used for an LIR’s infrastructure (‘self-assignment’)
Policies: Allocation and Assignment

[Diagram: /8 APNIC Allocation; /20 Member Allocation; /22 Sub-Allocation; Customer Assignments /27, /26, /26, /25, /24]

  • APNIC allocates to APNIC Member
  • APNIC Member assigns to end-user, or allocates to downstream
  • Downstream assigns to end-user
  • Customer / End User

Policies: Portable & non-portable

Portable Assignments

  • Customer addresses independent from ISP
    • Keeps addresses when changing ISP
  • Bad for size of routing tables
  • Bad for QoS: routes may be filtered, flap-dampened

Non-portable Assignments

  • Customer uses ISP’s address space
    • Must renumber if changing ISP
  • Only way to effectively scale the Internet

Address management objectives
  • Aggregation
    • Limit routing table growth
    • Support provider-based routing
  • Conservation
    • Efficient use of resources
    • Based on demonstrated need
  • Registration
    • Ensure uniqueness
    • Facilitate trouble shooting
Policies: Growth of global routing table

[Figure: growth of the global routing table. Annotations: “Projected routing table growth without CIDR”; “Deployment Period of CIDR”; “CIDR made it work for a while”; “ISPs tend to filter longer prefixes”; “But they cannot be relied on forever”]

http://bgp.potaroo.net/as1221/bgp-active.html

  • last updated 09 Mar 2004
Policies: APNIC policy environment

“IP addresses not freehold property”

  • Assignments & allocations on license basis
    • Addresses cannot be bought or sold
    • Internet resources are public resources
    • ‘Ownership’ is contrary to management goals

“Confidentiality & security”

  • APNIC to observe and protect trust relationship
    • Non-disclosure agreement signed by staff
Policies: APNIC allocation policies
  • Aggregation of allocation
    • Provider responsible for aggregation
    • Customer assignments /sub-allocations must be non-portable
  • Allocations based on demonstrated need
    • Detailed documentation required
      • All address space held to be declared
    • Address space to be obtained from one source
      • routing considerations may apply
    • Stockpiling not permitted
Policies: Initial IPv4 allocation
  • Initial (portable) allocation: /20 (4096 addresses).
    • The allocation can be used for further assignments to customers or your own infrastructure.
  • Criteria
    • 1a. Have used a /22 from upstream provider
      • Demonstrated efficient address usage
    • OR
    • 1b. Show immediate need for /22
      • Can include customer projections & infrastructure equipment
    • 2. Detailed plan for use of /21 within 1 year
    • 3. Renumber to new space within 1 year
  • Policy will change, based on the APNIC 17 consensus

[Diagram: /8 APNIC; /20 Member allocation; Non-portable assignment; Portable assignment]


IPReq: Initial IPv4 allocation criteria (APNIC 17 Consensus)
  • Min allocation size may be lowered from /20 to /21
  • LIR have used a /23 from their upstream provider or demonstrate an immediate need for a /23; and
  • 2. Detailed plan for use of a /22 within a year
  • 3. Renumber to new space within 1 year
    • Meet all policy requirements
      • Applicants may be required to show purchase receipts


Policies: Portable assignments
  • Small multihoming assignment policy
    • For (small) organisations who require a portable assignment for multi-homing purposes
  • Criteria
    • 1a. Applicants currently multihomed
    • OR
    • 1b. Demonstrate a plan to multihome within 1 month
    • 2. Agree to renumber out of previously assigned space
    • Demonstrate need to use 25% of requested space immediately and 50% within 1 year

[Diagram: /8 APNIC; /20 Member allocation; Non-portable assignment; Portable assignment]


Portable assignments for IXPs

Criteria

    • 3 or more peers
    • Demonstrate “open peering policy”
  • APNIC has a reserved block of space from which to make IXP assignments
Portable critical infrastructure assignments
  • What is Critical Internet Infrastructure?
    • Domain registry infrastructure
      • Root DNS operators, gTLD & ccTLD operators
    • Address Registry Infrastructure
      • RIRs & NIRs, IANA
  • Why a specific policy ?
      • Protect stability of core Internet function
  • Assignment sizes:
    • IPv4: /24
    • IPv6: /32
Renumbering & return policy
  • Renumbering?
      • one-for-one exchange to assist renumbering
      • needs confirmation from upstream ISP to confirm renumbering will take place
  • ‘No Questions Asked’ return prefix policy
      • swap 3 or more discontiguous prefixes (ISP or customers) for single prefix, no charge
        • ftp://ftp.apnic.net/apnic/docs/no-questions-policy
    • Form for returning addresses
        • ftp://ftp.apnic.net/apnic/docs/address-return-request
Questions ?

Material available at: www.apnic.net/training/recent/

AddressingPlan: Addressing plan
  • To complete documentation
    • First need a technical PLAN
      • Documenting the architecture of the present and eventual goal
    • IP addressing is fundamental part of network design
    • IP addressing ‘planning’ example to follow..
AddressingPlan: Some icons
  • Router (layer 3, IP datagram forwarding)
  • Network Access Server (layer 3, IP datagram forwarding)
  • Ethernet switch (layer 2, packet forwarding)

AddressingPlan: Addressing plan
  • Identify components of network
    • Customer services
    • ISP internal infrastructure
  • Identify phases of deployment
    • Starting off, 6 months, 12 months
  • Identify equipment and topology changes
    • Need for redundancy
    • Need for increased scale
AddressingPlan: Network plan
  • Starting off

[Network diagram; labels:]
  • Upstream ISP
  • Interconnected resilience
  • ISP Infrastructure
  • Customer services
  • 10 hosts: Internal DNS, Web, Mail servers
  • 15 hosts: NOC operations
  • Dialup services: 16 modems
  • Leased line services: 5-8 customers
  • 5 hosts: Virtual web (name based)


AddressingPlan: Network plan

[Network diagram; labels:]
  • Upstream ISP
  • ‘ip unnumbered’ to upstream ISP
  • ‘ip unnumbered’ to customers
  • one loopback interface per assigned router /32
  • WAN point to point /30
  • 5-8 leased line customers
  • 16 dialup modems
  • 10 hosts
  • 5 hosts
  • 15 hosts
AddressingPlan: Addressing plan
  • Initial addressing plan
  • - numbers of host addresses (interfaces)

network-plan: 16 analogue dialup modems, vendor ‘x’
network-plan: 5 LAN -web hosting (Name-based hosting)
network-plan: 128 5-8 leased line customers (/28)
network-plan: 15 LAN -NOC and Ops management
network-plan: 10 LAN -mail,DNS, web servers internal
network-plan: 4 loopback router interfaces
network-plan: 2 router WAN ports (x 5 lines)

AddressingPlan: Network plan
  • 6 months later
    • scale increased
    • redundancy

[Network diagram; labels:]
  • Upstream ISP
  • increased number of leased line customers
  • increased number of hosts on all LANs
  • replaced original modem
  • added new dial up equipment
  • added new router and LAN for redundancy
  • 5-8 → 30 leased line customers
  • 10 → 16 hosts - Servers
  • 5 → 11 hosts name-based
  • 16 → 60 dialup modems (2PRI)
  • 60 dialup modems (2PRI)
  • 15 → 25 hosts - NOC
  • 8 hosts - 2ndary Servers

AddressingPlan: Addressing plan
  • Network plan at 6 months
  • - increases in hosts (interfaces)
  • Slide annotations: “Changed description”; “New hardware” (the two rows starting at 0)

network-plan: 16/60 2 PRI dialup modems, vendor ‘y’
network-plan: 5/11 LAN -web hosting (Name-based hosting)
network-plan: 128/512 30 leased line customers (pool)
network-plan: 15/25 LAN -NOC and Ops management
network-plan: 10/16 LAN -mail,DNS, web servers internal
network-plan: 4/6 loopback router interfaces
network-plan: 2/2 router WAN ports (x 8 lines)
network-plan: 0/60 2 PRI dialup modems
network-plan: 0/8 LAN-secondary servers

AddressingPlan: Network plan
  • 12 months total
    • site redundancy
    • greater complexity
    • efficiency

[Network diagram; labels:]
  • Upstream ISP A
  • Upstream ISP B
  • redundancy of WAN connections, now numbered links for BGP4
  • added new customer router
  • two pieces of essential equipment
  • 30 → 60 leased line customers, ip unnumbered
  • 16 → 35 host
  • 11 hosts
  • 60 → 240 dialup modems (8PRI)
  • 60 → 240 dialup modems (8PRI)
  • 40 hosts
  • 8 hosts
AddressingPlan: Addressing plan
  • Network plan at 12 months
  • -increases in hosts (interfaces)
  • -one year total

network-plan: 16/60/240 8 PRI dialup modems, vendor x
network-plan: 0/60/240 8 PRI dialup modems, vendor y
network-plan: 5/11/11 LAN -web hosting (Name-based hosting)
network-plan: 128/512/1020 60 leased line customers (pool)
network-plan: 15/25/40 LAN -NOC and Ops management
network-plan: 10/16/35 LAN -mail,DNS, web servers internal
network-plan: 0/8/8 LAN-secondary servers
network-plan: 2/2/2 router WAN ports (x 8 lines)
network-plan: 4/6/12 loopback router interfaces

AddressingPlan: Addressing plan
  • Can now determine subnet sizes

network-plan: 256 16/60/240 8 PRI dialup modems, vendor x
network-plan: 256 0/60/240 8 PRI dialup modems, vendor y
network-plan: 16 5/11/11 LAN -web hosting (Name-based hosting)
network-plan: 1024 128/512/1020 60 leased line customers (pool)
network-plan: 64 15/25/40 LAN -NOC and Ops management
network-plan: 64 10/16/35 LAN -mail,DNS, web servers internal
network-plan: 8 0/8/8 LAN-secondary servers
network-plan: 16 2/2/2 router WAN ports (x 8 lines)
network-plan: 16 4/6/12 loopback router interfaces
AddressingPlan: Addressing plan
  • Addressing plan for network-plan
      • re-ordered large to small according to relative subnet size
      • determination of relative subnet addresses

network-plan: 0.0.0.0 1024 128/512/1020 60 leased line customers (pool)

network-plan: 0.0.4.0 256 16/60/240 8 PRI dial up modems, vendor x

network-plan: 0.0.5.0 256 0/60/240 8 PRI dial up modems, vendor y

network-plan: 0.0.6.0 64 10/16/35 LAN -mail,DNS, web internal

network-plan: 0.0.6.64 64 15/25/40 LAN -NOC and Ops management

network-plan: 0.0.6.128 16 5/11/11 LAN -web hosting (Name-based hosting)

network-plan: 0.0.6.144 16 0/8/8 LAN -secondary servers

network-plan: 0.0.6.160 16 4/6/12 loopback router interfaces

network-plan: 0.0.6.176 16 2/2/2 router WAN ports (x8)

      • cumulative total 0.0.6.208
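
The re-ordering and relative-address step described on this slide, as an added example (not part of the original course material). Block sizes and descriptions are copied from the network-plan lines above; the function names are assumptions made for the illustration.

```python
import ipaddress

# (block size in addresses, description), taken from the network-plan lines,
# listed here in no particular size order.
PLAN = [
    (256, "8 PRI dial up modems, vendor x"),
    (256, "8 PRI dial up modems, vendor y"),
    (1024, "60 leased line customers (pool)"),
    (64, "LAN - mail, DNS, web internal"),
    (16, "LAN - web hosting (name-based hosting)"),
    (64, "LAN - NOC and Ops management"),
    (16, "LAN - secondary servers"),
    (16, "loopback router interfaces"),
    (16, "router WAN ports (x8)"),
]


def assign_relative(plan):
    """Order blocks large to small and give each a relative address and mask."""
    rows, offset = [], 0
    # sorted() is stable, so equal-sized blocks keep their input order.
    for size, descr in sorted(plan, key=lambda row: -row[0]):
        if size < 1 or size & (size - 1):
            raise ValueError(f"{descr}: {size} is not a power of two")
        prefixlen = 32 - (size.bit_length() - 1)
        # Largest-first placement puts every block on a multiple of its own
        # size; strict=True makes ipaddress reject any block that is not.
        net = ipaddress.IPv4Network((offset, prefixlen), strict=True)
        rows.append((str(net.network_address), str(net.netmask), size, descr))
        offset += size
    return rows


def misaligned_in_given_order(plan):
    """Blocks that would straddle a subnet boundary if placed without sorting."""
    bad, offset = [], 0
    for size, descr in plan:
        if offset % size:
            bad.append(descr)
        offset += size
    return bad


if __name__ == "__main__":
    # The mask printed is that of the whole block. The slide shows
    # 255.255.255.252 for the WAN ports row, the /30 of each link inside it.
    for addr, mask, size, descr in assign_relative(PLAN):
        print(f"network-plan: {addr:<10} {mask:<16} {size:>5} {descr}")
    print("misaligned without sorting:", misaligned_in_given_order(PLAN))
```
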
AddressingPlan: Addressing plan
  • Addressing plan for network-plan
      • connect to the Internet (full-time, part-time)?

network-plan: 0.0.0.0 255.255.252.0 YES 1024 128/512/1020 60 leased customers

network-plan: 0.0.4.0 255.255.255.0 PART 256 16/60/240 8 PRI dial up modems..

network-plan: 0.0.5.0 255.255.255.0 PART 256 0/60/240 8 PRI dial up modems..

network-plan: 0.0.6.0 255.255.255.192 YES 64 10/16/35 LAN -mail,DNS, web internal

network-plan: 0.0.6.64 255.255.255.192 YES 64 15/25/40 LAN -NOC & Ops mgmt

network-plan: 0.0.6.128 255.255.255.240 YES 16 5/11/11 LAN -web hosting (Name-based)

network-plan: 0.0.6.144 255.255.255.240 YES 16 0/8/8 LAN -secondary servers

network-plan: 0.0.6.160 255.255.255.240 YES 16 4/6/12 loopback router interfaces

network-plan: 0.0.6.176 255.255.255.252 YES 16 2/2/2 router WAN ports (x 8 )

AddressingPlan: Addressing plan
  • Addressing plan complete
      • total planned for customer assignments /22
      • total planned for ISP infrastructure /24 + /23

network-plan: 0.0.0.0 255.255.252.0 YES 1024 128/512/1020 60 leased line customers

network-plan: 0.0.4.0 255.255.255.0 PART 256 16/60/240 8 PRI dial up modems..

network-plan: 0.0.5.0 255.255.255.0 PART 256 0/60/240 8 PRI dial up modems..

network-plan: 0.0.6.0 255.255.255.192 YES 64 10/16/35 LAN -mail,DNS, web internal

network-plan: 0.0.6.64 255.255.255.192 YES 64 15/25/40 LAN -NOC & Ops mgmnt

network-plan: 0.0.6.128 255.255.255.240 YES 16 5/11/11 LAN -web hosting (Name-based)

network-plan: 0.0.6.144 255.255.255.240 YES 16 0/8/8 LAN -secondary servers

network-plan: 0.0.6.160 255.255.255.240 YES 16 4/6/12 loopback router interfaces

network-plan: 0.0.6.176 255.255.255.252 YES 16 2/2/2 router WAN ports (x 8 lines )

  • detailed,efficient and accurate
IP Growth in Asia Pacific

Last Update May 2004

IPReq: First allocation
  • Must meet criteria
      • (discussed in policy section)
  • Requires clear, detailed and accurate request
  • Implementation of ‘Best Current Practice’
  • Efficient assignments planned
  • Always a /20 ‘slow start’
      • Exceptions made for very large networks but not common
  • [Slide annotation: APNIC 17 Consensus, /21]


IPReq: Subsequent allocations
  • 80% overall utilisation
      • Unless large assignment pending
  • Demonstrated conservative assignments
  • Correct customer registrations in db
      • Need to fix inconsistencies before next allocation
  • Allocation size to cover 1 year need
      • Based on previous utilisation rate
  • Contiguous allocation not guaranteed
      • But every effort made
IPReq: Evaluation guidelines – Cable/DSL
  • Bootstrap criteria
    • Simplified, optional criteria
    • Assumption of /24 per CMTS
  • Subsequent allocation
      • CMTS devices per headend
      • 3 month subscriber projection
      • Average growth per month
        • option: MRTG to support growth rate evaluation
      • equipment purchase receipts
IPReq: Evaluation guidelines – Virtual web hosting
  • Name based hosting
    • ‘Strongly recommended’
      • Use ‘infrastructure’ field to describe web servers
  • IP based hosting
    • Permitted on technical grounds
        • SSL, virtual ftp..
        • Use ‘infrastructure’ field to describe web servers
    • Special verification for IP based
        • If more than /22 used for this purpose
        • Requestor must send list of URLs of virtual domain and corresponding IP address
IPReq: Sub-allocations
  • No max or min size
    • Max 1 year requirement
  • Assignment Window & 2nd Opinion applies
    • to both sub-allocation & assignments
      • Sub-allocation holders don’t need to send in 2nd opinions

[Diagram: /20 Member Allocation; /22 Sub-allocation; Customer Assignments /27, /24, /26, /26, /25]


IPReq: Sub-allocation guidelines
  • Sub-allocate cautiously
    • Seek APNIC advice if in doubt
    • If customer requirements meet min allocation criteria:
      • Customers should approach APNIC for portable allocation
  • Efficient assignments
    • LIRs responsible for overall utilisation
      • Sub-allocation holders need to make efficient assignments
  • Database registration
    • Sub-allocations & assignments to be registered in the db
What is the APNIC database?
  • Public network management database
      • Operated by IRs
  • Tracks network resources
      • IP addresses, ASNs, Reverse Domains, Routing policies
  • Records administrative information
      • Contact information (persons/roles)
      • Authorisation
Object types

OBJECT      PURPOSE
person      contact persons
role        contact groups/roles
inetnum     IPv4 addresses
inet6num    IPv6 addresses
aut-num     Autonomous System number
domain      reverse domains
route       prefixes being announced
mntner      (maintainer) data protection

http://www.apnic.net/db/


Object templates (whois -t)

To obtain template structure*, use :

% whois -h whois.apnic.net -t person

person: [mandatory] [single] [primary/look-up key]

address: [mandatory] [multiple] [ ]

country: [optional] [single] [ ]

phone: [mandatory] [multiple] [ ]

fax-no: [optional] [multiple] [ ]

e-mail: [mandatory] [multiple] [look-up key]

nic-hdl: [mandatory] [single] [primary/look-up key]

remarks: [optional] [multiple] [ ]

notify: [optional] [multiple] [inverse key]

mnt-by: [mandatory] [multiple] [inverse key]

changed: [mandatory] [multiple] [ ]

source: [mandatory] [single] [ ]

*Recognised by the RIPE whois client/server

Person object example
  • Person objects contain contact information
  • Attributes: person, address, address, address, country, phone, fax-no, e-mail, nic-hdl, mnt-by, changed, source
  • Values: Ajith Singh; ExampleNet Service Provider; 2 Main St, Mount court; Wallis and Futuna; [email protected]; [email protected] 20020731; APNIC

What is a nic-hdl?
  • Unique identifier for a person
  • Represents a person object
    • Referenced in objects for contact details
      • (inetnum, aut-num, domain…)
    • format:
      • Eg: AS17-AP

person: Ajith Singh

address: ExampleNet Service Provider

address: 2 Main St, Mount court

address: Wallis and Futuna Islands

country: WF

phone: +680-368-0844

fax-no: +680-367-1797

e-mail: [email protected]

nic-hdl: AS17-AP

mnt-by: MAINT-WF-EX

changed: [email protected] 20020731

source: APNIC

Inetnum object example
  • Contain IP address allocations / assignments

inetnum: 202.51.64.0 - 202.51.95.255
netname: CCNEP-NP-AP
descr: Communication & Communicate Nepal Ltd
descr: VSAT Service Provider, Kathmandu
country: NP
admin-c: AS75-AP
tech-c: AS75-AP
status: ALLOCATED
mnt-by:
mnt-lower:
changed: [email protected] 20010205
source: APNIC

Inter-related objects

IPv4 addresses:

inetnum: 202.64.10.0 – 202.64.10.255
…
admin-c: KX17-AP
tech-c: ZU3-AP
…
mnt-by: MAINT-WF-EX

Contact info:

person: …
nic-hdl: KX17-AP

Contact info:

person: …
nic-hdl: ZU3-AP

Data protection:

mntner: MAINT-WF-EX
……
Database query - clients
  • Standard whois client
      • Included with many Unix distributions
    • RIPE extended whois client
      • http://ftp.apnic.net/apnic/dbase/tools/ripe-dbase-client.tar.gz
  • Query via the APNIC website
      • http://www.apnic.net/apnic-bin/whois2.pl
  • Query clients - MS-Windows etc
    • Many available
Database query (unix) - inetnum

% whois 203.127.128.0 - 203.127.159.255

% whois 203.127.128.0/19

% whois SINGNET-SG

inetnum: 203.127.128.0 - 203.127.159.255
netname: SINGNET-SG
descr: Singapore Telecommunications Ltd
descr: 31, Exeter Road, #02-00, Podium Block
descr: Comcentre, 0923
country: SG
admin-c: CWL3-AP
tech-c: CWL3-AP
mnt-by: APNIC-HM
changed: [email protected] 19990803
source: APNIC

  • Note
    • Incomplete addresses padded with “.0”
    • Address without prefix interpreted as “/32”
Database query (web) - role

http://www.apnic.net/apnic-bin/whois2.pl

Query the APNIC Whois Database

1. Type in search key

2. Search options (flags)

3. ‘Search Whois’


Advanced database queries
  • Flags used for inetnum queries

None  find exact match
-l    find one level less specific matches
-L    find all less specific matches
-m    find first level more specific matches
-M    find all More specific matches
-x    find exact match (if no match, nothing)
-d    enables use of flags for reverse domains
-r    turn off recursive lookups


Database query - inetnum
  • Registered hierarchy shown in the diagram
    • inetnum: 202.0.0.0 – 202.255.255.255 (202.0.0.0/8)
    • inetnum: 202.64.0.0/16
    • inetnum: 202.64.0.0/20
    • inetnum: 202.64.10.0/24
    • inetnum: 202.64.10.192/26
  • Queries shown in the diagram
    • whois -L 202.64.0.0/20 (all less specific)
    • whois -l 202.64.0.0/20 (1 level less specific)
    • whois 202.64.0.0/20
    • whois -m 202.64.0.0/20 (1 level more specific)
    • whois -M 202.64.0.0/20 (all more specific)


Recursive lookups
  • whois 202.12.29.0
    • recursion enabled by default: inetnum, route & person
  • whois -r 202.12.29.0
    • recursion turned off: inetnum & route
  • whois -T inetnum 202.12.29.0
    • ‘type’ of object specified: inetnum & person
  • whois -r -T inetnum 202.12.29.0
    • ‘type’ of object specified & recursion turned off: inetnum


Database query - recursion

Recursion is enabled by default

% whois 203.113.0.0/19

inetnum: 203.113.0.0 - 203.113.31.255
netname: TOTNET-AP
descr: Telephone Organization of THAILAND(TOT)
descr: Telephone and IP Network Service Provider
descr: State Enterprise Thailand Government
country: TH
admin-c: NM18-AP
tech-c: RC80-AP
…….

person: Nopparat Maythaveekulchai
address: YTEL-1234 Office
address: Telephone Organization of THAILAND(TOT)
…….

person: Rungsun Channarukul
address: YTEL-1234 OfficeP
address: Telephone Organization of THAILAND(TOT)


Database query – no recursion

Turn off recursion ‘-r’: no nic-handle lookup

% whois -r 203.113.0.0/19

inetnum: 203.113.0.0 - 203.113.31.255
netname: TOTNET-AP
descr: Telephone Organization of THAILAND(TOT)
descr: Telephone and IP Network Service Provider
descr: State Enterprise Thailand Government
country: TH
admin-c: NM18-AP
tech-c: RC80-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-TH-SS163-AP
changed: [email protected] 19990922
source: APNIC

Inverse queries
  • Inverse queries are performed on inverse keys
      • See object template (whois -t)
  • Returns all objects that reference the object with the key specified as a query argument
      • Practical when searching for objects in which a particular value is referenced, such as your nic-hdl
  • Syntax: whois -i
Database query - inverse

Inverse lookup with ‘-i ‘

% whois -i person DK26-AP

inetnum: 202.101.128.0 - 202.101.159.255

netname: CHINANET-FJ

descr: chinanet fujian province network

country: CN

admin-c: DK26-AP

……

domain: 128.103.202.in-addr.arpa

descr: in-addr.arpa zone for 128.103.202.in-addr.arpa

admin-c: DK26-AP

…….

aut-num: AS4811

as-name: CHINANET-CORE-WAN-EAST

descr: CHINANET core WAN EAST

descr: connect to AT&T,OPTUS

country: CN

admin-c: DK26-AP

……

person: Dongmei Kou

address: A12,Xin-Jie-Kou-Wai Street,

address: Beijing,100088

country: CN

phone: +86-10-62370437

nic-hdl: DK26-AP


Spam & Network Abuse

‘Best Current Practices’

Overview
  • ‘Best Current Practice’
  • Principles
  • Customer Education
  • Network Abuse
  • Summary
‘Best Current Practice’
  • ‘Best Current Practice’ (BCP)
    • Voluntary code of conduct for ISPs
    • Consensus on code
    • Many ISPs wish to be seen publicly combating UCE
    • Need to work with all customers, especially ISP customers so their customers adopt the BCP
Principles
  • No email relaying
    • Historically SMTP systems ‘relayed’ email from anyone to destination
  • Requirement
    • Provide SMTP delivery for customers only
      • As determined by domain and/or IP address
    • ISPs should configure email systems to prevent relaying
    • Check customers do not run open relays
Principles
  • Must be able to trace email passing through a system
    • Add a ‘received’ header
    • Machine name can be forged
      • ‘received’ line should contain name and IP address
  • Identification of the sender of the email
    • Dial up connections with dynamic addressing
  • Recommended
    • Time stamps based on NTP to identify sender
    • ISPs should keep logs for reasonable time
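
The tracing principle above, as an added example (not part of the original course material): it walks the ‘received’ lines of a constructed message, ignores the forgeable machine name, and returns the IP address and UTC time stamp that an ISP would match against its dial-up logs. The host names, address ranges and function names are assumptions made for the illustration.

```python
import email
import email.utils
import ipaddress
import re
from datetime import timezone

# Constructed message for illustration; hosts, addresses and ids are made up.
RAW = """\
Received: from mx1.isp.example (mx1.isp.example [192.0.2.10])
\tby mbox.isp.example with ESMTP id A1; Wed, 9 Jun 2004 10:15:03 +0700
Received: from mail.trusted-bank.example (unknown [203.0.113.45])
\tby mx1.isp.example with ESMTP id B2; Wed, 9 Jun 2004 10:15:02 +0700
Received: from mail.trusted-bank.example ([198.51.100.7])
\tby relay.invalid with SMTP; Wed, 9 Jun 2004 03:14:59 +0000
From: offers@trusted-bank.example
Subject: constructed sample

body
"""

OUR_HOSTS = {"mbox.isp.example", "mx1.isp.example"}  # assumed: our mail servers
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]     # assumed: our server range

FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"\sby\s+(\S+)")
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def trace_hops(raw):
    """Return one dict per 'Received' header, newest first."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        line = " ".join(value.split())          # unfold the header
        by = BY_RE.search(line)
        from_part = line[: by.start()] if by else line
        claimed = FROM_RE.match(from_part)
        ip, when = None, None
        found = IP_RE.search(from_part)
        if found:
            try:
                ip = ipaddress.ip_address(found.group(1))
            except ValueError:
                ip = None
        if ";" in line:
            try:
                when = email.utils.parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                when = None
        hops.append({
            "by": by.group(1) if by else None,
            "claimed": claimed.group(1) if claimed else None,  # forgeable name
            "ip": ip,                                          # recorded by receiver
            "when": when,
        })
    return hops


def handoff(raw, our_hosts=OUR_HOSTS, our_nets=OUR_NETS):
    """IP and UTC time at which the message entered our servers, or None."""
    for hop in trace_hops(raw):
        # Only lines written by our own servers are trusted; anything below
        # the first foreign line was supplied by the sender.
        if hop["by"] not in our_hosts or hop["ip"] is None:
            return None
        if any(hop["ip"] in net for net in our_nets):
            continue                            # internal relay between our hosts
        when = hop["when"]
        utc = when.astimezone(timezone.utc).isoformat() if when and when.tzinfo else None
        return str(hop["ip"]), utc
    return None
```
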
Principles
  • AUP (Acceptable User Policy)
    • ISPs should publish
  • Handle abuse reports
    • ISPs should accept and process reports of abuse by their customers
    • ISP should acknowledge receipt of abuse
      • Ticketing system to allow tracking of reports
    • Identity of reporter should be kept confidential
    • ISP may immediately terminate customers account
      • May also apply ‘warning’ then eventual termination
      • According to ISPs AUP
Principles
  • Disseminate information to community
    • On action taken against customers
    • Publish overview statistical information
    • Ensure terminated accounts are not re-opened
  • Dealing with UCE
    • Enhances an ISP’s standing in global community
    • Avoid mass filtering of ISP emails
    • Avoid unwanted attention from legal authorities
Education
  • Difficult, but important
    • Marketing departments don’t like it
    • Incorporate into ISP AUP (terms & contracts)
  • ISP should provide documentation
    • Explaining nature of UBE
    • Why sending it is considered unacceptable
    • State what is required for a ‘spam abuse’ report
    • Where such reports can be sent
  • Prevention is better than cure
Customer education – important facts
  • Be careful about giving the email addresses to unknown sources (e.g. when filling in forms online etc.)
  • Do not write back to the spammer
    • Confirm the validity of the e-mail id
    • Has a link for removal from their list
      • normally doesn’t work
  • Report the complaints to the spammer's ISP
    • Search spammers IP in the Whois database
    • Include the full header with the complaint
Detecting network abuse
  • Software to detect Network Abuse
    • Mostly designed to search the ARIN Whois database
    • May refer to APNIC
  • Many websites with whois lookup functions
    • has the same limitations
  • However the IP addresses are registered by four RIRs on a regional basis
detecting network abuse1
Detecting network abuse
  • If a standard search refers you to APNIC
    • It means only that the network in question is registered in the Asia Pacific region
    • Does not mean that APNIC is responsible or that the hacker/spammer is using APNIC network
investigation of network abuse complaints
Investigation of network abuse complaints
  • APNIC is not able to investigate these complaints
  • Can use the APNIC Whois Database to find out where to take your complaint
  • APNIC does not regulate the conduct of Internet activity (legally or practically)
investigation of network abuse complaints1
Investigation of network abuse complaints
  • Laws relating to network abuse vary from country to country
  • Investigation possibilities
    • Cooperation of the network administrators
    • law enforcement agencies
      • Local jurisdiction
      • jurisdiction where the problem originates
how can apnic help you
How can APNIC help you ?
  • The APNIC Whois Database
    • Holds IP address records within the AP region
    • Can use this database to track down the source of the network abuse
    • Can find contact details of the relevant network administrators
      • not the individual users
      • use administrators log files to contact the individual involved
how can apnic help you1
How can APNIC help you ?
  • Education of network operators in the Asia Pacific community
    • Address policies and the importance of registration of resources
  • Community discussions can be raised in the APNIC open policy meetings / mailing lists etc.
questions
Questions?
  • Useful FAQ
    • http://www.apnic.net/info/faq/abuse/
overview2
Overview
  • Principles – recap
  • Creating reverse zones
  • Setting up nameservers
  • Reverse delegation procedures
  • IPv6 reverse delegations
  • Current status
principles4
Principles
  • Mapping from names to addresses is common
    • Forward DNS
  • Sometimes it’s necessary to know which name comes with a given address
    • Security, Spam detection, Diagnostics etc.
    • Reverse DNS

test.example.com A 193.0.0.4

principles dns tree
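Principles – DNS tree

- Mapping numbers to names - ‘reverse DNS’

[Figure: DNS tree from the Root DNS. Forward branches: net, edu, com, au, with apnic and whois below. Reverse branch: arpa → in-addr → 202 (alongside 203, 210, 211 ..) → 64 → 22, read as 22.64.202.in-addr.arpa; levels labelled RIR, ISP and Customer.]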

start of authority soa record1
Start of Authority (SOA) record
    • Name of the domain where SOA belongs
    • Can use ‘@’ as well
    • e.g: 253.253.192.in-addr.arpa.
  • IN
    • The class of the DNS record
  • SOA
    • The type of DNS record
    • Indicates authority for this zone
start of authority soa record2
Start of Authority (SOA) record
    • 'master' field
    • hostname of the primary zone server
    • e-mail address of the person responsible for maintaining the zone
    • '@' symbol is replaced by a '.', and any '.' before the "@" was replaced by '\'
start of authority soa record3
Start of Authority (SOA) record
    • To compare between the primary and secondary servers
    • How often a secondary should check the primary
    • If a refresh attempt fails, a secondary server will retry based on the time specified in the retry field
start of authority soa record4
Start of Authority (SOA) record
    • If the refresh and retry attempts fail, the secondary server will stop serving the zone after this period
    • How long a remote name server can cache negative responses about a zone
      • Domain name or type of data doesn’t exist
example soa record
Example SOA record

253.253.192.in-addr.arpa. IN SOA ns.test-domain.net. admin.test-domain.net. ( 2003033101 10800 3600 604800 10800 )

nameserver ns records
Nameserver (NS) records
  • Declares the nameservers that serve a given zone
    • Domain which the NS belongs
      • Ex: 253.253.192.in-addr.arpa or @ or
  • IN is the class of the DNS record
  • NS is the type
    • Name Server in this case
    • Hostname of the authoritative server

IN NS

example ns record
Example NS record

IN NS ns.apnic.net.
IN NS svc00.apnic.net.
IN NS ns.telstra.net.
IN NS rs.arin.net.

pointer ptr records
Pointer (PTR) records
  • Create pointer (PTR) records for each IP address

131.28.12.202.in-addr.arpa. IN PTR svc00.apnic.net.

or

131 IN PTR svc00.apnic.net.

a reverse zone example
A reverse zone example

Note trailing dots

$ORIGIN 1.168.192.in-addr.arpa.
@   3600 IN SOA test.company.org. (
            sys\.admin.company.org.
            2002021301 ; serial
            1h         ; refresh
            30M        ; retry
            1W         ; expiry
            3600 )     ; neg. answ. ttl
    NS  ns.company.org.
    NS  ns2.company.org.
1   PTR gw.company.org.
    PTR router.company.org.
2   PTR ns.company.org.
; BIND9 auto generate: 65 PTR host65.company.org
$GENERATE 65-127 $ PTR host$.company.org.

name server software
Name server software
  • ISC BIND (Berkeley Internet Name Domain)
    • Version 8
      • In use, available, obsolete
      • Don't start to use it
      • Migrate to Version 9
    • Version 9
      • Current version (9.2.3 as of Jan 2004)
        • Release
        • Release Candidate (Betas)
        • Snapshots (Alphas)
          • 9.3
    • Never Use Snapshots on production servers
  • Other name server software
    • Microsoft DNS server
    • DJBDNS
setting up the primary nameserver
Setting up the primary nameserver
  • Add an entry specifying the primary server to the named.conf file
    • Ex: 28.12.202.in-addr.arpa.
    • Define the name server as the primary
    • location of the file that contains the zone records

zone "" in {

type master;

file ""; };

setting up the secondary nameserver
Setting up the secondary nameserver
  • Add an entry specifying the primary server to the named.conf file
    • Define the name server as the secondary
    • IP address of the primary name server
  • , , are same as before

zone "" in {

type slave;

file "";

Masters { ; };};

reverse delegation requirements
Reverse delegation requirements
  • /24 Delegations
      • Address blocks should be assigned/allocated
      • At least two name servers
  • /16 Delegations
      • Same as /24 delegations
      • APNIC delegates entire zone to member
      • Recommend APNIC secondary zone
  • < /24 Delegations
      • Read “classless in-addr.arpa delegation” (RFC 2317)

subdomains of in addr arpa domain
Subdomains of in-addr.arpa domain
  • Subnetting on an Octet Boundary
    • Similar to delegating subdomains of forward-mapping domains
  • Mapping problems
    • In IPv4 the mapping is done on 8 bit boundaries (classful), address allocation is classless
    • Zone administration does not always overlap address administration
subdomains of in addr arpa domain1
Subdomains of in-addr.arpa domain
  • Example: an organisation given a /16
    • 192.168.0.0/16 (one zone file and further delegations to downstreams)
    • 168.192.in-addr.arpa zone file should have:

0.168.192.in-addr.arpa. NS ns1.organisation0.com.

0.168.192.in-addr.arpa. NS ns2.organisation0.com.

1.168.192.in-addr.arpa. NS ns1.organisation1.com.

1.168.192.in-addr.arpa. NS ns2.organisation1.com.

2.168.192.in-addr.arpa. NS ns1.organisation2.com.

2.168.192.in-addr.arpa. NS ns2.organisation2.com.

:

:

subdomains of in addr arpa domain2
Subdomains of in-addr.arpa domain
  • Example: an organisation given a /20
    • 192.168.0.0/20 (a lot of zone files! – have to do it per /24)
    • Zone files

0.168.192.in-addr.arpa.

1.168.192.in-addr.arpa.

2.168.192.in-addr.arpa.

:

:

15.168.192.in-addr.arpa.

subdomains of in addr arpa domain3
Subdomains of in-addr.arpa domain
  • Example: case of a /24 subnetted with the mask 255.255.255.192
    • In-addr zone – 254.253.192.in-addr.arpa
    • Subnets
      • 192.253.254.0/26
      • 192.253.254.64/26
      • 192.253.254.128/26
      • 192.253.254.192/26
    • If different organisations have to manage the reverse-mapping for each subnet
      • Solution to follow…
classless in addr for 192 253 254 24
Classless in-addr for 192.253.254/24
  • CNAME records for each of the domain names in the zone
    • Pointing to domain names in the new subdomains

$ORIGIN 254.253.192.in-addr.arpa.

0-63 NS ns1.organisation1.com.

0-63 NS ns2.organisation1.com.

1 CNAME 1.0-63

2 CNAME 2.0-63

64-127 NS ns1.organisation2.com.

64-127 NS ns2.organisation2.com.

65 CNAME 65.64-127

66 CNAME 66.64-127

classless in addr for 192 253 254 241
Classless in-addr for 192.253.254/24
  • Using $GENERATE (db.192.253.254 file)

$ORIGIN 254.253.192.in-addr.arpa.

0-63 NS ns1.organisation1.com.

0-63 NS ns2.organisation1.com.

$GENERATE 1-63 $ CNAME $.0-63

64-127 NS ns1.organisation2.com.

64-127 NS ns2.organisation2.com.

$GENERATE 65-127 $ CNAME $.64-127

classless in addr for 192 253 254 0 26
Classless in-addr for 192.253.254.0/26
  • Now, the zone data file for 0-63.254.253.192.in-addr.arpa can contain just PTR records for IP addresses 192.253.254.1 through 192.253.254.63

$ORIGIN 0-63.254.253.192.in-addr.arpa.

$TTL 1d

@ SOA ns1.organisation1.com. Root.ns1.organisation1.com. (

1 ; Serial

3h ; Refresh

1h ; Retry

1w ; Expire

1h ) ; Negative caching TTL

NS ns1.organisation1.com.

NS ns2.organisation1.com.

1 PTR org1-name1.organisation1.com.

2 PTR org1-name2.organisation1.com.

3 PTR org1-name3.organisation1.com.
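
The classless delegation shown on the last three slides, generated and checked in code. This is an added example, not part of the original course material; the function names are hypothetical, and the subnets and name servers are the ones from the slides.

```python
import ipaddress


def reverse_zone(parent):
    """in-addr.arpa zone name of a /24, e.g. 254.253.192.in-addr.arpa."""
    a, b, c, _ = parent.network_address.packed
    return f"{c}.{b}.{a}.in-addr.arpa."


def child_label(subnet):
    """Label of the delegated child zone in the slides' first-last form."""
    first = subnet.network_address.packed[3]
    last = subnet.broadcast_address.packed[3]
    return f"{first}-{last}"


def parent_records(parent_cidr, delegations):
    """Return (owner, type, rdata) tuples for the parent /24 zone.

    delegations maps each subnet (longer than /24) to the name servers of
    the organisation that runs its reverse zone.
    """
    parent = ipaddress.ip_network(parent_cidr)
    if parent.prefixlen != 24:
        raise ValueError("parent zone must be a /24")
    records, seen = [], []
    for cidr, nameservers in delegations.items():
        subnet = ipaddress.ip_network(cidr)
        if subnet.prefixlen <= 24 or not subnet.subnet_of(parent):
            raise ValueError(f"{cidr} is not a sub-/24 part of {parent_cidr}")
        if any(subnet.overlaps(other) for other in seen):
            raise ValueError(f"{cidr} overlaps an earlier delegation")
        seen.append(subnet)
        label = child_label(subnet)
        records += [(label, "NS", ns) for ns in nameservers]
        first = subnet.network_address.packed[3]
        last = subnet.broadcast_address.packed[3]
        # Same ranges as the slides' $GENERATE lines: 1-63, 65-127, ...
        records += [(str(n), "CNAME", f"{n}.{label}")
                    for n in range(first + 1, last + 1)]
    return records


def render_zone(parent_cidr, records):
    """Zone-file text for the parent zone."""
    zone = reverse_zone(ipaddress.ip_network(parent_cidr))
    lines = [f"$ORIGIN {zone}"]
    lines += [f"{owner:<8}{rtype:<6}{rdata}" for owner, rtype, rdata in records]
    return "\n".join(lines)


def ptr_owner(parent_cidr, records, address):
    """Name that finally holds the PTR record for address, after the CNAME."""
    parent = ipaddress.ip_network(parent_cidr)
    addr = ipaddress.ip_address(address)
    if addr not in parent:
        raise ValueError(f"{address} is outside {parent_cidr}")
    owner = str(addr.packed[3])
    aliases = {o: d for o, t, d in records if t == "CNAME"}
    return f"{aliases.get(owner, owner)}.{reverse_zone(parent)}"


# Delegations taken from the slides.
PARENT = "192.253.254.0/24"
DELEGATIONS = {
    "192.253.254.0/26": ["ns1.organisation1.com.", "ns2.organisation1.com."],
    "192.253.254.64/26": ["ns1.organisation2.com.", "ns2.organisation2.com."],
}

if __name__ == "__main__":
    recs = parent_records(PARENT, DELEGATIONS)
    print(render_zone(PARENT, recs))
    print(ptr_owner(PARENT, recs, "192.253.254.65"))
```

An address outside every delegated range keeps its PTR record in the parent zone, which is why `ptr_owner` falls back to the plain last-octet name.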

apnic member responsibilities
Rev. DNS – APNIC & Member responsibilities
  • APNIC
    • Manage reverse delegations of address blocks distributed by APNIC
    • Process members’ requests for reverse delegations of network allocations
  • Members
    • Be familiar with APNIC procedures
    • Ensure that addresses are reverse-mapped
    • Maintain nameservers for allocations
      • Minimise pollution of DNS
example domain object
Rev. DNS – Example ‘domain’ object

domain: 124.54.202.in-addr.arpa
descr: co-located server at mumbai
country: IN
admin-c: VT43-AP
tech-c: IA15-AP
zone-c: IA15-AP
nserver: dns.vsnl.net.in
nserver: giasbm01.vsnl.net.in
mnt-by: MAINT-IN-VSNL
changed: [email protected] 20010612
source: APNIC
questions1
Questions?
  • Are all your zones, and your customer zones registered?

Material available at: www.apnic.net/training/recent/

overview3
ASN – Overview
  • What is an AS?
  • Guidelines and procedures
  • Application form (documentation)
  • Policy expression
what is an autonomous system
ASN – What is an Autonomous System?

[Figure: AS 100]
  • Collection of networks with same routing policy
  • Usually under single ownership, trust and administrative control
when do i need an asn
ASN – When do I need an ASN?
  • When do I need an AS?
    • Multi-homed network to different providers and
    • Routing policy different to external peers
  • Recommended reading!
    • RFC1930: Guidelines for creation, selection and registration of an Autonomous System


when don t i need an asn
ASN – When don’t I need an ASN?
  • Factors that don’t count
    • Transition and ‘future proofing’
    • Multi-homing to the same upstream
      • RFC2270: A dedicated AS for sites homed to a single provider
    • Service differentiation
      • RFC1997: BGP Communities attribute

requesting an asn customers
ASN – Requesting an ASN - Customers
  • Requested directly from Registry
      • AS number is “portable”
  • Requested via member
      • ASN is “non-portable”
      • ASN returned if customer changes provider
  • Transfers of ASNs
    • Need legal documentation (mergers etc)
    • Should be returned if no longer required
aut num object example
ASN – Aut-num object example

aut-num: AS4777

as-name: APNIC-NSPIXP2-AS

descr: Asia Pacific Network Information Centre

descr: AS for NSPIXP2, remote facilities site

import: from AS2500 action pref=100; accept ANY

import: from AS2524 action pref=100; accept ANY

import: from AS2514 action pref=100; accept ANY

export: to AS2500 announce AS4777

export: to AS2524 announce AS4777

export: to AS2514 announce AS4777

default: to AS2500 action pref=100; networks ANY

admin-c: PW35-AP

tech-c: NO4-AP

remarks: Filtering prefixes longer than /24

mnt-by: MAINT-APNIC-AP

changed: [email protected] 19981028

source: APNIC

POLICY

RPSL

representation of routing policy
ASN – Representation of routing policy
  • Routing and packet flows

[Figure: AS 1 and AS 2, with arrows labelled ‘announces’, ‘accepts’, ‘routing flow’ and ‘packet flow’]

  • For AS1 and AS2 networks to communicate
      • AS1 must announce to AS2
      • AS2 must accept from AS1
      • AS2 must announce to AS1
      • AS1 must accept from AS2
representation of routing policy1
ASN – Representation of routing policy

Basic concept

[Figure: AS 1 and AS 2]

“action pref” - the lower the value, the more preferred the route

aut-num: AS1
import: from AS2 action pref=100; accept AS2
export: to AS2 announce AS1

aut-num: AS2
import: from AS1 action pref=100; accept AS1
export: to AS1 announce AS2

representation of routing policy2
ASN – Representation of routing policy
  • More complex example
  • AS4 gives transit to AS5, AS10
  • AS4 gives local routes to AS123

[Figure: AS4 connected to AS5, AS10 and AS 123]

representation of routing policy3
ASN – Representation of routing policy

[Figure: AS4 connected to AS5, AS10 and AS 123; slide callout: ‘Not a path’]

aut-num: AS4
import: from AS123 action pref=100; accept AS123
import: from AS5 action pref=100; accept AS5
import: from AS10 action pref=100; accept AS10
export: to AS123 announce AS4
export: to AS5 announce AS4 AS10
export: to AS10 announce AS4 AS5
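
The four conditions listed for AS1 and AS2, checked against the aut-num objects from these slides. This is an added example, not part of the original course material: the parser handles only the simple `from ... accept` / `to ... announce` forms shown here, not full RPSL, and the AS3 and AS5 objects are constructed for illustration.

```python
import re

IMPORT_RE = re.compile(r"from\s+(AS\d+)\s+(?:action\s+[^;]*;\s*)?accept\s+(.+)", re.I)
EXPORT_RE = re.compile(r"to\s+(AS\d+)\s+announce\s+(.+)", re.I)


def parse_aut_num(text):
    """Parse an aut-num object into {'asn', 'import': {peer: terms}, 'export': ...}."""
    policy = {"asn": None, "import": {}, "export": {}}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "aut-num":
            policy["asn"] = value.upper()
        elif attr in ("import", "export"):
            pattern = IMPORT_RE if attr == "import" else EXPORT_RE
            match = pattern.fullmatch(value)
            if not match:
                raise ValueError(f"unsupported {attr} line: {value!r}")
            peer = match.group(1).upper()
            terms = set(match.group(2).upper().split())
            # Several lines for one peer (e.g. different pref values) are merged.
            policy[attr].setdefault(peer, set()).update(terms)
    if policy["asn"] is None:
        raise ValueError("object has no aut-num attribute")
    return policy


def covers(terms, origin):
    return "ANY" in terms or origin in terms


def route_flows(origin, sender, receiver):
    """True if sender announces origin's routes to receiver AND receiver accepts them."""
    announced = sender["export"].get(receiver["asn"], set())
    accepted = receiver["import"].get(sender["asn"], set())
    return covers(announced, origin) and covers(accepted, origin)


def can_communicate(a, b):
    """All four conditions from the slide: each side announces and the other accepts."""
    return route_flows(a["asn"], a, b) and route_flows(b["asn"], b, a)


def filtered(sender, receiver):
    """Origins that sender announces but receiver's import policy does not accept."""
    announced = sender["export"].get(receiver["asn"], set()) - {"ANY"}
    accepted = receiver["import"].get(sender["asn"], set())
    return sorted(o for o in announced if not covers(accepted, o))


# AS1, AS2 and AS4 are copied from the slides; AS3 and AS5 are constructed.
AS1 = parse_aut_num("""aut-num: AS1
import: from AS2 action pref=100; accept AS2
export: to AS2 announce AS1""")
AS2 = parse_aut_num("""aut-num: AS2
import: from AS1 action pref=100; accept AS1
export: to AS1 announce AS2""")
AS3 = parse_aut_num("""aut-num: AS3
import: from AS1 action pref=100; accept AS1
export: to AS1 announce AS3""")
AS4 = parse_aut_num("""aut-num: AS4
import: from AS123 action pref=100; accept AS123
import: from AS5 action pref=100; accept AS5
import: from AS10 action pref=100; accept AS10
export: to AS123 announce AS4
export: to AS5 announce AS4 AS10
export: to AS10 announce AS4 AS5""")
AS5 = parse_aut_num("""aut-num: AS5
import: from AS4 action pref=100; accept AS4
export: to AS4 announce AS5""")

if __name__ == "__main__":
    print("AS1 <-> AS2:", can_communicate(AS1, AS2))
    print("AS1 <-> AS3:", can_communicate(AS1, AS3))
    print("AS4 -> AS5 filtered:", filtered(AS4, AS5))
```

The constructed AS5 accepts only AS4's own routes, so the transit routes for AS10 that AS4 announces to it are reported as filtered.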

representation of routing policy4
ASN – Representation of routing policy
  • More complex example
    • AS4 and AS6 private link1
    • AS4 and AS123 main transit link2
    • backup all traffic over link1 and link3 in event of link2 failure

[Figure: AS4, AS123 and AS6; transit traffic over link2, private link1, link3]
representation of routing policy5
ASN – Representation of routing policy

[Figure: AS4, AS123 and AS6; transit traffic over link2, private link1, link3; slide callouts: ‘full routing received’, ‘higher cost for backup route’]

AS representation

aut-num: AS4
import: from AS123 action pref=100; accept ANY
import: from AS6 action pref=50; accept AS6
import: from AS6 action pref=200; accept ANY
export: to AS6 announce AS4
export: to AS123 announce AS4

slide140
Questions ?

Material available at: www.apnic.net/training/recent/

slide142
What is an IRR?
  • Global Internet Routing Registry database
    • http://www.irr.net/
      • Uses RPSL
    • Established in 1995
  • Stability and consistency of routing
    • network operators share information
  • Both public and private databases
    • These databases are independent
      • but some exchange data
      • only register your data in one database
slide143
Internet Routing Registries

[Figure: registries shown on the slide: APNIC, RIPE, RADB, CW, Connect, ARIN, ArcStar, FGC, Verio, Bconnex, Optus, Telstra, ...]

  • IRR = APNIC RR + RIPE DB + RADB + C&W + ARIN + …
why use an irr
Why use an IRR?
  • Route filtering
      • Peering networks
      • A provider and its customer
  • Network troubleshooting
      • Easier to locate routing problems outside your network
  • Router configuration
      • By using IRRToolSet
        • ftp.ripe.net/tools/IRRToolSet
  • Global view of routing
      • A global view of routing policy improves the integrity of Internet’s routing as a whole.
apnic database the irr
APNIC Database & the IRR
  • APNIC whois Database
    • Two databases in one
  • Public Network Management Database
    • “whois” info about networks & contact persons
      • IP addresses, AS numbers etc
  • Routing Registry
    • contains routing information
      • routing policy, routes, filters, peers etc.
    • APNIC RR is part of the global IRR
slide146
Integration of Whois and IRR
  • Integrated APNIC Whois Database & Internet Routing Registry
    • APNIC Whois: IP, ASNs, reverse domains, contacts, maintainers etc. (inetnum, aut-num, domain, person, role, maintainer)
    • IRR: routes, routing policy, filters, peers etc. (route, aut-num, as-set, inet-rtr, peering-set etc.)
    • Internet resources & routing information

slide147
RPSL
  • Routing Policy Specification Language
    • Object oriented language
      • Based on RIPE-181
    • Structured whois objects
  • Higher level of abstraction than access lists
  • Describes things interesting to routing policy:
    • Routes, AS Numbers …
    • Relationships between BGP peers
    • Management responsibility
  • Relevant RFCs
    • Routing Policy Specification Language (RFC 2622)
    • Routing Policy System Security (RFC 2725)
    • Using RPSL in Practice (RFC 2650)

irr objects
IRR objects
  • route: Specifies interAS routes
  • aut-num: Represents an AS. Used to describe external routing policy
  • inet-rtr: Represents a router
  • peering-set: Defines a set of peerings
  • route-set: Defines a set of routes
  • as-set: Defines a set of aut-num objects
  • rtr-set: Defines a set of routers
  • filter-set: Defines a set of routes that are matched by its filter

www.apnic.net/db/ref/db-objects.html

inter related irr objects
Inter-related IRR objects

[Figure: objects linked through shared attribute values]

route: 202.0.16/20 … origin: AS1 … mnt-by: MAINT-EX
inetnum: 202.0.16 - 202.0.31.255 … tech-c: KX17-AP … mnt-by: MAINT-EX
aut-num: AS1 … tech-c: KX17-AP … mnt-by: MAINT-EX …
person: … nic-hdl: KX17-AP
mntner: MAINT-EX

inter related irr objects1
Inter-related IRR objects

[Figure: set objects and the objects they reference]

route-set: AS2:RS-routes
members: 218.2/20, 202.0.16/20

as-set: AS1:AS-customers
members: AS10, AS11, AS2

route: 218.2/20 … origin: AS2 …
route: 202.0.16/20 … origin: AS2 …

inetnum: 218.2.0.0 - 218.2.15.255
inetnum: 202.0.16.0 - 202.0.31.255

aut-num: AS10
aut-num: AS11
aut-num: AS2

set objects and their members
‘Set-’ objects and their members
  • Two ways of referencing members
    • members - members specified in the ‘set-’ object
    • mbrs-by-ref - ‘set’ specified in the member objects

as-set: AS1:AS-CUSTS
members: AS10, AS11

aut-num: AS10

aut-num: AS11

1. ‘members’ specifies members of the set
2. Members added in the ‘set-’ object
3. No need to modify the member object when adding members

as-set: AS1:AS-PEERS
mbrs-by-ref: MAINT-EX

aut-num: AS20
member-of: AS1:AS-PEERS
mnt-by: MAINT-EX

aut-num: AS21
member-of: AS1:AS-PEERS
mnt-by: MAINT-EX

1. ‘mbrs-by-ref’ specifies the maintainer of the members.
2. Members reference the ‘set-’ object in the ‘member-of’ attribute
3. Members are maintained by the maintainer specified in the ‘set-’
hierarchical authorisation
Hierarchical authorisation
  • mnt-routes
    • authenticates creation of route objects
      • creation of route objects must pass authentication of mntner referenced in the mnt-routes attribute
    • In: route, inetnum and aut-num objects
    • Format:
      • mnt-routes:
authorisation mechanism
Authorisation mechanism

inetnum: 202.137.181.0 – 202.137.185.255
netname: SPARKYNET-WF
descr: SparkyNet Service Provider
mnt-by: MAINT-APNIC-AP
mnt-lower: MAINT-SPARKYNET
mnt-routes: MAINT-SPARKYNET-WF

  • mnt-by: This object can only be modified by APNIC
  • mnt-lower: Creation of more specific objects (assignments) within this range has to pass the authentication of MAINT-SPARKYNET
  • mnt-routes: Creation of route objects matching/within this range has to pass the authentication of MAINT-SPARKYNET-WF

creating route objects
Creating route objects
  • Multiple authentication checks:
    • Originating ASN
      • mntner in the mnt-routes is checked
      • If no mnt-routes, mnt-lower is checked
      • If no mnt-lower, mnt-by is checked
    • AND the address space
      • Exact match & less specific route
        • mnt-routes etc
      • Exact match & less specific inetnum
        • mnt-routes etc
    • AND the route object mntner itself
      • The mntner in the mnt-by attribute

[Slide labels beside the list: aut-num, inetnum, route (encompassing), route]

creating route objects1
Creating route objects

route: 202.137.240/20
origin: AS1

aut-num: AS1
mnt-routes: MAINT-WF-EXNET

inetnum: 202.137.240.0 – 202.137.255.255
mnt-routes: MAINT-WF-EXNET

mntner: MAINT-WF-EXNET
auth: CRYPT-PW klsdfji9234

[Figure labels: route, AS number, IP address range, maintainer; arrows numbered 1 to 5 match the steps below]

1. Create route object and submit to APNIC RR database

2. Db checks inetnum obj matching/encompassing IP range in route obj

3. Route obj creation must pass auth of mntner specified in inetnum mnt-routes attribute.

4. Db checks aut-num obj corresponding to the ASN in route obj

5. Route obj creation must pass auth of mntner specified in aut-num mnt-routes attribute.
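
The authorisation checks for creating a route object, modelled in code. This is an added example, not APNIC's database code: objects are plain dictionaries, authentication is reduced to a set of maintainers the submitter has already authenticated as, and every maintainer name other than MAINT-WF-EXNET and MAINT-APNIC-AP is constructed. The lookup order (mnt-routes, then mnt-lower, then mnt-by) and the preference for an encompassing route over an inetnum follow the lists on the two slides above.

```python
import ipaddress

# Order in which the slides say the responsible maintainer is looked up.
FALLBACK = ("mnt-routes", "mnt-lower", "mnt-by")


def responsible_mntners(obj):
    """Return (attribute, maintainers) from the first populated attribute."""
    for attr in FALLBACK:
        if obj.get(attr):
            return attr, set(obj[attr])
    return None, set()


def span(inetnum):
    """First and last address of an inetnum object as integers."""
    first, last = (int(ipaddress.ip_address(part.strip()))
                   for part in inetnum["inetnum"].split("-"))
    return first, last


def covering_object(prefix, db):
    """Closest exact-match or less specific route, else closest inetnum."""
    net = ipaddress.ip_network(prefix)
    lo, hi = int(net.network_address), int(net.broadcast_address)
    routes = [r for r in db["route"]
              if net.subnet_of(ipaddress.ip_network(r["route"]))]
    if routes:
        return max(routes, key=lambda r: ipaddress.ip_network(r["route"]).prefixlen)
    inetnums = [i for i in db["inetnum"] if span(i)[0] <= lo and hi <= span(i)[1]]
    if inetnums:
        return min(inetnums, key=lambda i: span(i)[1] - span(i)[0])
    return None


def authorise_route(new_route, authenticated, db):
    """Return (allowed, checks); every check must pass for creation to succeed."""
    checks = []
    autnum = next((a for a in db["aut-num"]
                   if a["aut-num"] == new_route["origin"]), None)
    space = covering_object(new_route["route"], db)
    for label, obj in (("origin aut-num", autnum), ("address space", space)):
        if obj is None:
            checks.append((label, None, False))  # nothing registered: refuse
            continue
        attr, mntners = responsible_mntners(obj)
        checks.append((label, attr, bool(mntners & authenticated)))
    own = set(new_route.get("mnt-by", []))
    checks.append(("route mnt-by", "mnt-by", bool(own & authenticated)))
    return all(ok for _, _, ok in checks), checks


# Constructed sample data based on the objects on the slides.
DB = {
    "aut-num": [
        {"aut-num": "AS1", "mnt-by": ["MAINT-EX"], "mnt-routes": ["MAINT-WF-EXNET"]},
        {"aut-num": "AS2", "mnt-by": ["MAINT-OTHER"]},
    ],
    "inetnum": [
        {"inetnum": "202.137.240.0 - 202.137.255.255",
         "mnt-by": ["MAINT-APNIC-AP"], "mnt-lower": ["MAINT-EXNET"],
         "mnt-routes": ["MAINT-WF-EXNET"]},
    ],
    "route": [],
}
NEW_ROUTE = {"route": "202.137.240.0/20", "origin": "AS1",
             "mnt-by": ["MAINT-WF-EXNET"]}

if __name__ == "__main__":
    for who in ({"MAINT-WF-EXNET"}, {"MAINT-EXNET"}):
        print(sorted(who), authorise_route(NEW_ROUTE, who, DB))
```

Holding only the mnt-lower maintainer is not enough here: once mnt-routes is present on the inetnum, it is the attribute that decides.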

apnic rr service scope
APNIC RR service scope
  • Support
    • APNIC Helpdesk support
  • Training
      • IRR workshop under development
  • Mirroring
    • APNIC mirrors IRRs within Asia Pacific and major IRRs outside of the region.

summary
Summary
  • APNIC RR integrated in APNIC Whois DB
      • whois.apnic.net
  • IRR benefits
    • Facilitates network troubleshooting
    • Generation of router configuration
    • Provides global view of routing
  • APNIC RR benefits
    • Single maintainer (& person obj) for all objects
    • APNIC asserts resources for a registered route
    • Part of the APNIC member service!
slide159

IPv6

Technical overview

Policies & Procedures

slide160
Overview
  • Rationale
  • IPv6 Addressing
  • Features of IPv6
  • Transition Techniques
  • Current status
  • IPv6 Policies & Procedures
  • Statistics
rationale
Rationale
  • Address depletion concerns
    • Squeeze on available address space
      • Probably will never run out, but will be harder to obtain
    • End to end connectivity no longer visible
      • Widespread use of NAT
    • IPv6 provides much larger IP address space than IPv4
rationale cont
Rationale (Cont.)
  • Increase of backbone routing table size
    • Current backbone routing table size > 100K
      • CIDR does not guarantee an efficient and scalable hierarchy
      • The lack of uniformity of the current hierarchical system
      • Routing aggregation is still a concern in IPv6
    • IPv6 address architecture is more hierarchical than IPv4
ipv6 a ddress m anagement h ierarchy
IPv6 address management hierarchy

[Figure: IANA → RIR → NIR → LIR/ISP → Customer Site, with prefix sizes /23, /32, /48, /64 and /128 marked down the hierarchy]

rationale cont1
Rationale (Cont.)
  • Needs to improve the Internet environment
    • Encryption, authentication, and data integrity safeguards needed
      • Necessity of IP level security
    • Plug and Play function needed
      • Reduce network administrators work load
      • Reduce errors caused by individual users
    • More recent technologies (security, Plug and Play, multicast, etc.) available by default in IPv6
  • Useful reading:
    • “The case for IPv6”: http://www.6bone.net/misc/case-for-ipv6.html
ipv6 addressing
IPv6 addressing
  • 128 bits of address space
  • Hexadecimal values of eight 16 bit fields
      • X:X:X:X:X:X:X:X (X=16 bit number, ex: A2FE)
      • 16 bit number is converted to a 4 digit hexadecimal number
  • Example:
      • FE38:DCE3:124C:C1A2:BA03:6735:EF1C:683D
    • Abbreviated form of address
      • 4EED:0023:0000:0000:0000:036E:1250:2B00

→4EED:23:0:0:0:36E:1250:2B00

→4EED:23::36E:1250:2B00

(Null value can be used only once)

ipv6 addressing model
IPv6 addressing model (RFC 3513)

  • IPv6 Address type
    • Unicast
      • An identifier for a single interface
    • Anycast
      • An identifier for a set of interfaces
    • Multicast
      • An identifier for a group of nodes
unicast address
Unicast address
  • Address given to interface for communication between host and router
    • Aggregatable global unicast address
    • Local use unicast address
      • Link-local address (starting with FE80::)
      • Site-local address (starting with FEC0::)

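Address formats:
  • Aggregatable global unicast: FP 001 (3 bits) | subnet prefix | Interface ID (64 bits)
  • Link-local: 1111111010 (10 bits) | 000…….0000 (54 bits) | Interface ID (64 bits)
  • Site-local: 1111111011 (10 bits) | Subnet-ID (54 bits) | Interface ID (64 bits)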

ipv6 header
IPv6 Header
  • Comparison between IPv4 header and IPv6 header

IPv6 header
  • Version (4 bits), Traffic Class (8 bits), Flow Label (20 bits)
  • Payload Length (16 bits), Next Header (8 bits), Hop Limit (8 bits)
  • Source Address (128 bits)
  • Destination Address (128 bits)

IPv4 Header
  • Version (4 bits), IHL (4 bits), Type of Service (8 bits), Total Length (16 bits)
  • Identification (16 bits), Flags (4 bits), Fragment Offset (12 bits)
  • TTL (8 bits), Protocol Header (8 bits), Header Checksum (16 bits)
  • Source Address (32 bits)
  • Destination Address (32 bits)
  • IP options (0 or more bits)

IHL=IP Header Length

TTL=Time to Live

[Slide legend: fields marked ‘Enhanced in IPv6’ and ‘Eliminated in IPv6’]

ipv6 security
IPv6 security
  • Convey the authentication information via IPv6 extension header: Authentication header
    • Fields: Next Header, Length, Reserved, Security Parameters Index (SPI), Authentication Data
  • Method to transport encrypted data: Encapsulating Security Payload (ESP) header
    • Fields: Security Parameters Index (SPI), Sequence Number, Payload Data, Padding, Pad Length, Next Header, Authentication Data

ipv6 features autoconfigutation cont
IPv6 features – autoconfiguration (Cont.)

[Figure: a new host on the 3FFE:0:0:1/64 network forms a tentative address (link-local address) from the well-known link local prefix + Interface ID (EUI-64), Ex: FE80::310:BAFF:FE64:1D, asks “Is this address unique?”, then assigns FE80::310:BAFF:FE64:1D]

  • A new host is turned on.
  • Tentative address will be assigned to the new host.
  • Duplicate Address Detection (DAD) is performed on all unicast addresses.
  • If no ND message comes back then the address is unique.
  • FE80::310:BAFF:FE64:1D will be assigned to the new host.
ipv6 feature autoconfiguration cont
IPv6 feature: autoconfiguration (Cont.)

[Figure: host FE80::310:BAFF:FE64:1D on the 3FFE:0:0:1/64 network sends “Send me Router Advertisement”; the router answers with a Router Advertisement; the host assigns 3FFE:0:0:1:310:BAFF:FE64:1D]

  • The new host will send “router solicitation” request via multicasting to obtain the network prefix.
  • The router will reply with a “router advertisement”.
  • The new host will learn the network prefix. Ex: 3FFE:0:0:1
  • The new host will be assigned a new address: Network prefix + Interface ID. Ex: 3FFE:0:0:1:310:BAFF:FE64:1D
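
The two autoconfiguration slides, worked through in code. This is an added example, not part of the original course material: the MAC address is constructed by inverting the interface ID shown on the slides, duplicate address detection is reduced to a lookup in a set of addresses already on the link, and the function names are hypothetical.

```python
import ipaddress


def interface_id(mac):
    """64-bit interface ID built from a 48-bit MAC (modified EUI-64).

    FF:FE is inserted in the middle and the universal/local bit of the
    first octet is inverted.
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui64, "big")


def tentative_link_local(mac):
    """Well-known link-local prefix FE80:: plus the interface ID."""
    return ipaddress.IPv6Address((0xFE80 << 112) | interface_id(mac))


def autoconfigure(mac, advertised_prefix, addresses_on_link=()):
    """Return (link_local, global_address) for a host joining the link.

    addresses_on_link stands in for the neighbours that would answer the
    duplicate address detection probe.
    """
    prefix = ipaddress.IPv6Network(advertised_prefix)
    if prefix.prefixlen != 64:
        raise ValueError("the advertised prefix must be a /64")
    in_use = {ipaddress.IPv6Address(a) for a in addresses_on_link}

    link_local = tentative_link_local(mac)
    if link_local in in_use:
        raise RuntimeError(f"duplicate address detected: {link_local}")

    # Network prefix learned from the router advertisement + interface ID.
    global_address = ipaddress.IPv6Address(
        int(prefix.network_address) | interface_id(mac))
    if global_address in in_use:
        raise RuntimeError(f"duplicate address detected: {global_address}")
    return link_local, global_address


# Constructed MAC whose interface ID is the slides' 310:BAFF:FE64:1D.
SAMPLE_MAC = "01:10:BA:64:00:1D"
SAMPLE_PREFIX = "3ffe:0:0:1::/64"

if __name__ == "__main__":
    print(autoconfigure(SAMPLE_MAC, SAMPLE_PREFIX))
```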
ipv4 to ipv6 transition
IPv4 to IPv6 transition
  • Implementation rather than transition
  • The key to successful IPv6 transition
    • Maintaining compatibility with IPv4 hosts and routers while deploying IPv6
      • Millions of IPv4 nodes already exist
      • Upgrading every IPv4 node to IPv6 is not feasible
      • Transition process will be gradual
  • Commonly utilised transition techniques
    • Dual Stack Transition
    • Tunneling
dual stack transition
Dual stack transition

[Figure: dual stack host with layers APPLICATION, TCP/UDP, IPv4 and IPv6 side by side, and DRIVER, attached to both IPv4 and IPv6]

  • Dual stack = TCP/IP protocol stack running both IPv4 and IPv6 protocol stacks simultaneously
  • Useful at the early phase of transition
tunneling
Tunneling
  • Commonly utilised transition method
  • IPv6 packet encapsulated in an IPv4 header
  • Destination routers will decapsulate the packets and send IPv6 packets to destination IPv6 host

[Figure: IPv6 Host X and IPv6 Host Y on two IPv6 networks joined across an IPv4 network by Router α and Router β; encapsulation (add IPv4 header) at one router and decapsulation (eliminate IPv4 header) at the other. Packet in the IPv6 networks: IPv6 header + IPv6 data; packet in the IPv4 network: IPv4 header + IPv6 header + IPv6 data]

ipv6 address policy g oals
IPv6 address policy goals
  • Efficient address usage
      • Avoid wasteful practices
  • Aggregation
      • Hierarchical distribution
      • Aggregation of routing information
      • Limiting number of routing entries advertised
  • Minimise overhead
      • Associated with obtaining address space
  • Registration, Uniqueness, Fairness & consistency
      • Same as IPv4
ipv6 a ddressing s tructure
IPv6 addressing structure

[Figure: 128-bit address, bits 0 to 127, divided into fields of 32, 16, 16 and 64 bits; boundaries: LIR /32, Customer Site /48, Subnet /64, Device /128]

ipv6 initial a llocation
IPv6 initial allocation
  • Initial allocation criteria
    • Plan to connect 200 end sites within 2 years
      • Default allocation (“slow start”)
  • Initial allocation size is /32
    • Provides 16 bits of site address space
    • Larger initial allocations can be made if justified according to:
      • IPv6 network infrastructure plan
      • Existing IPv4 infrastructure and customer base

[Figure: 128-bit address with the 32-bit and 48-bit boundaries marked]

ipv6 a ssignments
IPv6 assignments
  • Default assignment /48 for all end sites
      • POP also defined as end site
    • Providing 16 bits of space for subnets
  • Other assignment sizes
    • /64 only one subnet
    • /128 only one device connecting
  • Larger assignments - Multiple /48s
    • Should be reviewed by RIR/NIR
      • Follow second opinion procedure

[Figure: 128-bit address with the 48-bit and 64-bit boundaries marked]
ipv6 utilisation
IPv6 utilisation
  • Utilisation determined from end site assignments
    • LIR responsible for registration of all /48 assignments
    • Intermediate allocation hierarchy not considered
  • Utilisation of IPv6 address space is measured differently from IPv4
ipv6 u tilisation r equirement
IPv6 utilisation requirement
  • IPv6 utilisation measured according to HD-Ratio (RFC 3194):

$$\text{Utilisation}_{HD} = \frac{\log(\text{Assigned address space})}{\log(\text{Available address space})}$$

  • IPv6 utilisation requirement is HD=0.80
    • Measured according to assignments only
      • E.g. ISP has assigned 10000 (/48s) addresses of /32

$$\frac{\log(10{,}000)}{\log(65{,}536)} = 0.83$$

ipv6 u tilisation r equirement cont
IPv6 utilisation requirement (Cont.)
  • HD Ratio utilisation requirement of 0.80

[Chart: utilisation percentages corresponding to HD 0.80; values on the slide: 43.5%, 18.9%, 16.5%, 10.9%, 7.2%, 3.6%, 1.2%, 0.4%, 0.2%]

  • RFC 3194
  • “In a hierarchical address plan, as the size of the allocation increases, the density of assignments will decrease.”
subsequent a llocation
Subsequent allocation
  • Must meet HD = 0.8 utilisation requirement of previous allocation
      • (7132 /48s assignments in a /32)
  • Other criteria to be met
    • Correct registrations (all /48s registered)
    • Correct assignment practices etc
  • Subsequent allocation results in a doubling of the allocated address space
    • The resulting total IPv6 prefix is 1 bit shorter
    • Or sufficient for 2 years requirement
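
The HD-Ratio figures quoted on the utilisation slides (0.83 for 10000 /48s in a /32, and 7132 /48s to reach HD = 0.8), reproduced in code. This is an added example, not part of the original course material; the function names are hypothetical. The threshold test uses integers only, so it cannot be thrown off by floating-point rounding at the boundary.

```python
import math

SITE_BITS = 48  # utilisation is counted in /48 end-site assignments


def available_sites(prefix_len):
    """Number of /48s inside an allocation of the given prefix length."""
    if not 0 <= prefix_len <= SITE_BITS:
        raise ValueError("prefix length must be between 0 and 48")
    return 2 ** (SITE_BITS - prefix_len)


def hd_ratio(assigned, prefix_len):
    """HD = log(assigned) / log(available), as defined on the slide."""
    available = available_sites(prefix_len)
    if not 1 <= assigned <= available:
        raise ValueError("assigned must be between 1 and the available count")
    if available == 1:
        return 1.0  # a single /48: log(1) would divide by zero
    return math.log(assigned) / math.log(available)


def meets_requirement(assigned, prefix_len, num=4, den=5):
    """Exact test of HD >= num/den (0.8 by default).

    log(a)/log(A) >= n/d is equivalent to a**d >= A**n for A > 1.
    """
    return assigned ** den >= available_sites(prefix_len) ** num


def threshold(prefix_len, num=4, den=5):
    """Smallest number of /48 assignments that meets the requirement."""
    lo, hi = 1, available_sites(prefix_len)
    while lo < hi:  # binary search; meets_requirement is monotonic
        mid = (lo + hi) // 2
        if meets_requirement(mid, prefix_len, num, den):
            hi = mid
        else:
            lo = mid + 1
    return lo


def threshold_percent(prefix_len, hd=0.8):
    """Share of the allocation, in percent, that corresponds to the HD value."""
    bits = SITE_BITS - prefix_len
    return 100 * 2 ** (-(1 - hd) * bits)


if __name__ == "__main__":
    print(round(hd_ratio(10000, 32), 2))
    print(threshold(32), round(threshold_percent(32), 1))
    # Each subsequent allocation is 1 bit shorter; the required share falls.
    for plen in (32, 31, 30, 29):
        print(f"/{plen}: {threshold(plen)} /48s, {threshold_percent(plen):.1f}%")
```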
ixp ipv6 assignment policy
IPv6 – IXP IPv6 assignment policy
  • Criteria
    • Demonstrate ‘open peering policy’
    • 3 or more peers
  • Portable assignment size: /48
    • All other needs should be met through normal processes
    • /64 holders can “upgrade” to /48
      • Through NIRs/ APNIC
      • Need to return /64
current status implementations
IPv6 – Current Status - Implementations
  • Most vendors are shipping supported products today
      • eg. 3Com, Apple, Bay Networks, BSDI, Bull, Cisco, Dassault, Digital, Epilogue, Ericsson/Telebit, FreeBSD, IBM, Hitachi, HP, KAME, Linux, Mentat, Microsoft, Nokia, Novell, Nortel, OpenBSD, SCO, Siemens Nixdorf, Silicon Graphics, Sun, Trumpet
ipv6 deployment current experiments
IPv6 deployment current experiments

[Figure: home network reached from an IPv6 network through a home router; home hubs on Ethernet and wireless links; devices: PC, light, air conditioner, mobile viewer, access point, IPv6-washing machine, IPv6-refrigerator, IPv6-microwave]

current issues multihoming
Current issues: Multihoming
  • Assigned portable address is not available
  • Multiple unicast addresses per node
    • How to determine the source address?
  • Multiple interfaces per host
    • Possibly defeats ICMP redirect
    • How to achieve “load-sharing” across multiple interfaces?
  • Other issues too
    • IETF is working for possible solutions
current issues dns
Current issues: DNS
  • Need for a root name server, TLDs name server accessible via IPv6
  • Human error easily made in IPv6 reverse DNS record
    • Dynamic update may provide a solution
    • A security mechanism is required for updates
      • Ex: DNSSEC
ipv6 representation in the dns
IPv6 representation in the DNS
  • Forward lookup support: Multiple RR records for name to number
    • AAAA (Similar to A RR for IPv4 )
    • A6 without chaining (prefix length set to 0 )
  • Reverse lookup support:
    • Reverse nibble format for zone ip6.int
    • Reverse nibble format for zone ip6.arpa
ipv6 forward and reverse mappings
IPv6 forward and reverse mappings
  • Existing A record will not accommodate IPv6’s 128 bit addresses
  • BIND expects an A record’s record-specific data to be a 32-bit address (in dotted-octet format)
  • An address record
    • AAAA (RFC 1886)
  • A reverse-mapping domain
    • ip6.int (now replaced by ip6.arpa)
the reverse dns tree with ipv6
The reverse DNS tree – with IPv6

[Figure: DNS tree. Labels: Root DNS; net, edu, com, int, arpa; in-addr (202, 203, 210, 64, 22); IP6; apnic, whois; RIR, ISP, Customer; IPv6 Addresses]

[Figure: IPv6 reverse delegation levels. Labels: Root DNS; int, arpa; IP6; ISP, Downstream ISP, Customer, Devices; /32 H8, /40 H10, /48 H12, /128 H32; also H1 and 64]

b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa.

ipv6 forward lookups
IPv6 forward lookups
  • Multiple addresses possible for any given name
    • Ex: in a multi-homed situation
  • Can assign A records and AAAA records to a given name/domain
  • Can also assign separate domains for IPv6 and IPv4
sample forward lookup file
Sample forward lookup file

;; domain.edu
$TTL 86400
@       IN  SOA   ns1.domain.edu. root.domain.edu. (
                  2002093000 ; serial - YYYYMMDDXX
                  21600      ; refresh - 6 hours
                  1200       ; retry - 20 minutes
                  3600000    ; expire - long time
                  86400 )    ; minimum TTL - 24 hours
;; Nameservers
        IN  NS    ns1.domain.edu.
        IN  NS    ns2.domain.edu.
;; Hosts with just A records
host1   IN  A     1.0.0.1
;; Hosts with both A and AAAA records
host2   IN  A     1.0.0.2
        IN  AAAA  2001:468:100::2

ipv6 reverse lookups
IPv6 reverse lookups
  • IETF decided to restandardize IPv6 PTR RRs
    • They will be found in the IP6.ARPA namespace rather than under the IP6.INT namespace
  • The ip6.int domain has been deprecated, but some hosts still use it
    • Supported for backwards compatibility
  • Now using ip6.arpa for reverse
ipv6 reverse lookups aaaa and ip6 arpa
IPv6 reverse lookups - AAAA and ip6.arpa
  • Address record four times longer than A
    • Quad A ( AAAA )
  • AAAA record is a parallel to the IPv4 A record
  • It specifies the entire address in a single record
ipv6 reverse lookups aaaa and ip6 arpa1
IPv6 reverse lookups - AAAA and ip6.arpa
  • Example
    • Each level of subdomain
      • Represents 4 bits

4.3.2.1.0.0.0.0.0.0.0.1.0.0.0.2.0.0.0.3.0.0.0.4.0.5.6.7.8.9.a.b

b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa.

Ipv6-host IN AAAA 4321:0:1:2:3:4:567:89ab

ipv6 reverse lookups ptr records
IPv6 reverse lookups - PTR records
  • Similar to the in-addr.arpa
  • Example: reverse name lookup for a host with address 3ffe:8050:201:1860:42::1

b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa. IN PTR test.ip6.example.com.

$ORIGIN 0.6.8.1.1.0.2.0.0.5.0.8.e.f.f.3.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.2.4.0.0 14400 IN PTR host.example.com.

sample reverse lookup file
Sample reverse lookup file

;; 0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.rev
;; These are reverses for 2001:468:100::/64
;; File can be used for both ip6.arpa and ip6.int.
$TTL 86400
@       IN  SOA   ns1.domain.edu. root.domain.edu. (
                  2002093000 ; serial - YYYYMMDDXX
                  21600      ; refresh - 6 hours
                  1200       ; retry - 20 minutes
                  3600000    ; expire - long time
                  86400 )    ; minimum TTL - 24 hours
;; Nameservers
        IN  NS    ns1.domain.edu.
        IN  NS    ns2.domain.edu.
;; PTR targets are fully qualified (trailing dot), otherwise the
;; zone origin would be appended to them
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR host1.ip6.domain.edu.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR host2.domain.edu.
;;
;; Can delegate to other nameservers in the usual way
;;

sample configuration file
Sample configuration file

// named.conf
zone "domain.edu" {
    type master;
    file "master/domain.edu";
};

// The same reverse file is loaded for both ip6.int and ip6.arpa
zone "0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.ip6.int" {
    type master;
    file "master/0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.rev";
};

zone "0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.ip6.arpa" {
    type master;
    file "master/0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.rev";
};

reverse delegation for existing 35 holders
Reverse delegation for existing /35 holders
  • Reverse tree has 4-bit ‘boundary’
    • /35 allocation needs two /36 delegations
  • Delegation for two /36

0.8.3.2.0.1.0.0.2.ip6.arpa
1.8.3.2.0.1.0.0.2.ip6.arpa

FP | /35 allocations|
|3 | /32 |
|--|----------------------------|--|----……
00100000000000010000001000111000000?   (the final "?" bit can be 1 or 0)
------------ 35 bits --------------
2 0 0 1: 0 2 3 8 0/35
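
The nibble rules from the PTR records slide and the /35 delegation slide, as an added Python example that is not part of the APNIC material. The function names are hypothetical; the addresses, the $ORIGIN and the /35 prefix are the slides' own, and the broken owner name is constructed.

```python
import ipaddress

HEX = set("0123456789abcdef")
SUFFIX = ["ip6", "arpa"]

def ptr_name(addr):
    """Full owner name of the PTR record for one IPv6 address."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(list(reversed(nibbles)) + SUFFIX) + "."

def reverse_zones(prefix):
    """ip6.arpa zones to delegate for a prefix.

    Each label is 4 bits, so a prefix whose length is not a multiple of 4
    is split into the smallest set of nibble-aligned subnets.
    """
    net = ipaddress.IPv6Network(prefix)
    aligned = -(-net.prefixlen // 4) * 4  # round up to a nibble boundary
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        nibbles = sub.network_address.exploded.replace(":", "")[: aligned // 4]
        zones.append(".".join(list(reversed(nibbles)) + SUFFIX) + ".")
    return zones

def addr_from_ptr(owner, origin=""):
    """Decode a PTR owner name (relative to origin unless it ends in '.')."""
    fqdn = owner if owner.endswith(".") else owner + "." + origin
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[-2:] != SUFFIX:
        raise ValueError("not under ip6.arpa: " + fqdn)
    nibbles = labels[:-2]
    if len(nibbles) != 32:
        raise ValueError("%d nibbles, expected 32: %s" % (len(nibbles), fqdn))
    if any(len(n) != 1 or n not in HEX for n in nibbles):
        raise ValueError("non-hex label in " + fqdn)
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))

def audit(origin, owners):
    """Return {owner: decoded address or error text} for one reverse zone."""
    report = {}
    for owner in owners:
        try:
            report[owner] = str(addr_from_ptr(owner, origin))
        except ValueError as exc:
            report[owner] = "ERROR: " + str(exc)
    return report

# The $ORIGIN and GOOD owner are the slide's example. The second owner is
# constructed: GOOD with its first label dropped, a typical hand-edit slip.
ORIGIN = "0.6.8.1.1.0.2.0.0.5.0.8.e.f.f.3.ip6.arpa."
GOOD = "1.0.0.0.0.0.0.0.0.0.0.0.2.4.0.0"
OWNERS = [GOOD, GOOD[2:]]

if __name__ == "__main__":
    print(ptr_name("4321:0:1:2:3:4:567:89ab"))
    print(reverse_zones("2001:238::/35"))
    for owner, result in audit(ORIGIN, OWNERS).items():
        print(owner, "->", result)
```

Running `audit` over the owner names of a reverse zone before loading it catches the dropped-nibble and wrong-label mistakes that the "Current issues: DNS" slide warns about.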

current status ipv6 in dns
Current Status – IPv6 in DNS
  • A6 and Bit label specifications have been made experimental
    • RFC3363
  • IETF standardized 2 different formats
    • AAAA and A6
    • Confusion over which format to deploy
    • More than one choice will lead to delays in the deployment of IPv6
ipv6 address allocation procedures
IPv6 Address Allocation Procedures
  • IPv6 Allocations to RIRs from IANA
    • APNIC: 2001:0200::/23, 2001:0C00::/23, 2001:0E00::/23
    • ARIN: 2001:0400::/23, 2001:1800::/23
    • LACNIC: 2001:1200::/23
    • RIPE NCC: 2001:0600::/23, 2001:0800::/23, 2001:0A00::/23, 2001:1400::/23, 2001:1600::/23, 2001:1A00::/23
  • IPv6 Address Request form http://ftp.apnic.net/apnic/docs/ipv6-alloc-request
  • IPv6 FAQ http://www.apnic.net/faq/IPv6-FAQ.html
ipv6 distribution per rir
IPv6 distribution per RIR

Source: APNIC statistic data - Last update March 2004

slide205
IPv6 allocations from RIRs to LIRs/ISPs yearly comparison

Source: RIR reports and joint statistics presented at APNIC 17

slide206
IPv6 allocations in Asia Pacific

Source: APNIC statistic data - Last update May 2004

global ipv6 routing table
Global IPv6 routing table

Source: http://bgp.potaroo.net/v6/as1221/index.html - Last updated 06/05/2004

ipv6 allocation announcements
IPv6 allocation announcements

Data obtained from RIPE RIS Looking Glass as of 11/03/2004

slide209
Questions ?

Material available at: www.apnic.net/training/recent/

summary1

Summary

What we have covered today

summary2
Summary
  • APNIC’s role in the Asia Pacific
  • Internet Registry Policies
  • IPv4 Allocation & Assignments
  • APNIC Database usage
  • Reverse DNS
  • SPAM and Network Abuse
  • ASN Assignment
  • Internet Routing Registry
  • IPv6 Overview and Policies
summary responsibilities
Summary - Responsibilities
  • As an APNIC member and custodian of address space
    • Be aware of your responsibilities
    • Register customer assignments in APNIC database
      • Keep this data up-to-date & accurate
    • Educate your customers
    • Document your network in detail
      • Keep local records
    • Register reverse DNS delegations
slide213
Member Services Helpdesk
  • One point of contact for all member enquiries
    • [email protected]
    • www.apnic.net/helpdesk
  • Helpdesk hours
    • 9:00 am - 7:00 pm (AU EST, UTC + 10 hrs)
    • ph: +61 7 3858 3188 fax: +61 7 3858 3199
  • More personalised service
    • Range of languages: Filipino (Tagalog), Mandarin, Vietnamese, Cantonese, Hindi, Sinhalese, English, Japanese, Telugu
  • Faster response and resolution of queries
    • IP resource applications, status of requests, membership enquiries, billing issues & database enquiries
summary3
Summary
  • “Do the right thing”
    • Think about routing table size & scalability of Internet
    • Encourage renumbering
    • Announce aggregate prefixes
    • Think global not local
apnic 18 sponsorships
APNIC 18 Sponsorships
  • Interested in being one of the sponsors?
    • http://www.apnic.net/meetings/18/sponsors
  • Benefits include valuable opportunities to expose your
    • Organisation
    • Products
    • Services to an international audience of Internet leaders
thank you

Thank you !!

Your feedback is appreciated

introduction1
Introduction

Regional Registry web sites

  • APNIC:

http://www.apnic.net

  • ARIN:

http://www.arin.net

  • LACNIC:

http://www.lacnic.net

  • RIPE NCC:

http://www.ripe.net

APNIC past meetings

http://www.apnic.net/meetings

introduction2
Introduction

APNIC members

http://www.apnic.net/members.html

Membership

  • Membership procedure

http://www.apnic.net/membersteps.html

  • Membership application form http://www.apnic.net/apnic-bin/membership-application.pl
  • Membership fees http://www.apnic.net/docs/corpdocs/FeeSchedule.htm
introduction to apnic ip policy
Introduction to APNIC & IP Policy

Classless techniques

  • CIDR

http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1517-19.txt

  • Network Addressing when using CIDR ftp://ftp.uninett.no/pub/misc/eidnes-cidr.ps.Z
  • Variable Length Subnet Table http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1878.txt

Private Address Space

  • Address Allocation for Private Internets

http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1918.txt

  • Counter argument: “Unique addresses are good”

http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1814.txt

bit boundary chart
Bit boundary chart

+------------------------------------------------------+
|         addrs   bits   pref   class   mask           |
+------------------------------------------------------+
|             1      0   /32            255.255.255.255|
|             2      1   /31            255.255.255.254|
|             4      2   /30            255.255.255.252|
|             8      3   /29            255.255.255.248|
|            16      4   /28            255.255.255.240|
|            32      5   /27            255.255.255.224|
|            64      6   /26            255.255.255.192|
|           128      7   /25            255.255.255.128|
|           256      8   /24       1C   255.255.255    |
|           512      9   /23       2C   255.255.254    |
|         1,024     10   /22       4C   255.255.252    |
|         2,048     11   /21       8C   255.255.248    |
|         4,096     12   /20      16C   255.255.240    |
|         8,192     13   /19      32C   255.255.224    |
|        16,384     14   /18      64C   255.255.192    |
|        32,768     15   /17     128C   255.255.128    |
|        65,536     16   /16       1B   255.255        |
|       131,072     17   /15       2B   255.254        |
|       262,144     18   /14       4B   255.252        |
|       524,288     19   /13       8B   255.248        |
|     1,048,576     20   /12      16B   255.240        |
|     2,097,152     21   /11      32B   255.224        |
|     4,194,304     22   /10      64B   255.192        |
|     8,388,608     23   /9      128B   255.128        |
|    16,777,216     24   /8        1A   255            |
|    33,554,432     25   /7        2A   254            |
|    67,108,864     26   /6        4A   252            |
|   134,217,728     27   /5        8A   248            |
|   268,435,456     28   /4       16A   240            |
|   536,870,912     29   /3       32A   224            |
| 1,073,741,824     30   /2       64A   192            |
+------------------------------------------------------+

apnic mailing lists
APNIC Mailing Lists
  • apnic-talk
    • Open discussions relevant to APNIC community & members
  • apnic-announce
    • Announcements of interest to the AP community
  • sig-policy
    • IPv4 and IPv6 allocation and assignment policies
  • global-v6
    • Global IPv6 policy mailing list
  • subscribe via
  • archives:

http://ftp.apnic.net/apnic/mailing-lists

http://www.apnic.net/net_comm/lists/

the rir system
The RIR System
  • “Development of the Regional Internet Registry System” Internet Protocol Journal
      • Short history of the Internet

http://www.cisco.com/warp/public/759/ipj_4-4/ipj_4-4_regional.html

policies policy environment
Policies & Policy Environment

Policy Documentation

  • Policies for address space management in the Asia Pacific region

http://www.apnic.net/docs/policy/add-manage-policy.html

  • RFC2050: Internet Registry IP allocation Guidelines

http://ftp.apnic.net/ietf/rfc/rfc2000/rfc2050.txt

address request procedures
Address Request Procedures

Addressing Guidelines

  • “Designing Addressing Architectures for Routing & Switching”, Howard C. Berkowitz

Address Request Forms

  • ISP Address Request Form http://www.apnic.net/services/ipv4/
  • Second-opinion Request Form

http://www.apnic.net/services/second-opinion/

  • No Questions Asked http://ftp.apnic.net/apnic/docs/no-questions-policy
apnic database
APNIC Database

APNIC Database Documentation

  • Updating information in the APNIC Database

http://ftp.apnic.net/apnic/docs/database-update-info

  • Maintainer & Person Object Request Form

http://ftp.apnic.net/apnic/docs/mntner-person-request

  • APNIC Maintainer Object Request

http://www.apnic.net/apnic-bin/maintainer.pl

  • APNIC Whois Database objects resource guide

http://www.apnic.net/services/whois_guide.html

apnic database1
APNIC Database

RIPE Database Documentation

  • RIPE Database Reference Manual

http://www.ripe.net/docs/databaseref-manual.html

Database ‘whois’ Client

http://ftp.apnic.net/apnic/dbase/tools/ripe-dbase-client.tar.gz

Database web query

http://www.apnic.net/apnic-bin/whois2.pl

person object template
Person object template

person:      [mandatory] [single]   [lookup key]
address:     [mandatory] [multiple] [ ]
country:     [optional]  [single]   [ ]
phone:       [mandatory] [multiple] [ ]
fax-no:      [optional]  [multiple] [ ]
e-mail:      [mandatory] [multiple] [lookup key]
nic-hdl:     [mandatory] [single]   [primary/look-up key]
remarks:     [optional]  [multiple] [ ]
notify:      [optional]  [multiple] [inverse key]
mnt-by:      [mandatory] [multiple] [inverse key]
changed:     [mandatory] [multiple] [ ]
source:      [mandatory] [single]   [ ]
role object template
Role object template

role:        [mandatory] [single]   [lookup key]
address:     [mandatory] [multiple] [ ]
country:     [optional]  [single]   [ ]
phone:       [mandatory] [multiple] [ ]
fax-no:      [optional]  [multiple] [ ]
e-mail:      [mandatory] [multiple] [lookup key]
trouble:     [optional]  [multiple] [ ]
admin-c:     [mandatory] [multiple] [inverse key]
tech-c:      [mandatory] [multiple] [inverse key]
nic-hdl:     [mandatory] [single]   [primary/look-up key]
remarks:     [optional]  [multiple] [ ]
notify:      [optional]  [multiple] [inverse key]
mnt-by:      [mandatory] [multiple] [inverse key]
changed:     [mandatory] [multiple] [ ]
source:      [mandatory] [single]   [ ]

maintainer object template
Maintainer Object Template

mntner:      [mandatory] [single]   [primary/look-up key]
descr:       [mandatory] [multiple] [ ]
country:     [optional]  [single]   [ ]
admin-c:     [mandatory] [multiple] [inverse key]
tech-c:      [optional]  [multiple] [inverse key]
upd-to:      [mandatory] [multiple] [inverse key]
mnt-nfy:     [optional]  [multiple] [inverse key]
auth:        [mandatory] [multiple] [ ]
remarks:     [optional]  [multiple] [ ]
notify:      [optional]  [multiple] [inverse key]
mnt-by:      [mandatory] [multiple] [inverse key]
referral-by: [mandatory] [single]   [inverse key]
changed:     [mandatory] [multiple] [ ]
source:      [mandatory] [single]   [ ]

inetnum object template
Inetnum object template

inetnum:     [mandatory] [single]   [primary/look-up key]
netname:     [mandatory] [single]   [lookup key]
descr:       [mandatory] [multiple] [ ]
country:     [mandatory] [multiple] [ ]
admin-c:     [mandatory] [multiple] [inverse key]
tech-c:      [mandatory] [multiple] [inverse key]
rev-srv:     [optional]  [multiple] [inverse key]
status:      [mandatory] [single]   [ ]
remarks:     [optional]  [multiple] [ ]
notify:      [optional]  [multiple] [inverse key]
mnt-by:      [mandatory] [multiple] [inverse key]
mnt-lower:   [optional]  [multiple] [inverse key]
mnt-routes:  [optional]  [multiple] [inverse key]
mnt-irt:     [optional]  [multiple] [inverse key]
changed:     [mandatory] [multiple] [ ]
source:      [mandatory] [single]   [ ]

aut num object template
Aut-num Object Template

aut-num:     [mandatory] [single]   [primary/look-up key]
as-name:     [mandatory] [single]   [ ]
descr:       [mandatory] [multiple] [ ]
country:     [optional]  [single]   [ ]
member-of:   [optional]  [multiple] [ ]
import:      [optional]  [multiple] [ ]
export:      [optional]  [multiple] [ ]
default:     [optional]  [multiple] [ ]
remarks:     [optional]  [multiple] [ ]
admin-c:     [mandatory] [multiple] [inverse key]
tech-c:      [mandatory] [multiple] [inverse key]
cross-mnt:   [optional]  [multiple] [inverse key]
cross-nfy:   [optional]  [multiple] [inverse key]
notify:      [optional]  [multiple] [inverse key]
mnt-lower:   [optional]  [multiple] [inverse key]
mnt-routes:  [optional]  [multiple] [inverse key]
mnt-by:      [mandatory] [multiple] [inverse key]
changed:     [mandatory] [multiple] [ ]
source:      [mandatory] [single]   [ ]

domain object template
Domain object template

domain:      [mandatory] [single]   [primary/look-up key]
descr:       [mandatory] [multiple] [ ]
country:     [optional]  [single]   [ ]
admin-c:     [mandatory] [multiple] [inverse key]
tech-c:      [mandatory] [multiple] [inverse key]
zone-c:      [mandatory] [multiple] [inverse key]
nserver:     [mandatory] [multiple] [inverse key]
sub-dom:     [optional]  [multiple] [inverse key]
dom-net:     [optional]  [multiple] [ ]
remarks:     [optional]  [multiple] [ ]
notify:      [optional]  [multiple] [inverse key]
mnt-by:      [mandatory] [multiple] [inverse key]
mnt-lower:   [optional]  [multiple] [inverse key]
refer:       [optional]  [single]   [ ]
changed:     [mandatory] [multiple] [ ]
source:      [mandatory] [single]   [ ]

reverse dns1
Reverse DNS

Request Forms

  • Guide to reverse zones

http://www.apnic.net/db/revdel.html

  • Registering your Rev Delegations with APNIC

http://www.apnic.net/db/domain.html

Relevant RFCs

  • Classless Delegations

http://ftp.apnic.net/ietf/rfc/rfc2000/rfc2317.txt

  • Common DNS configuration errors

http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1537.txt

reverse dns2
Reverse DNS

Documentation

  • Domain name structure and delegation

http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1591.txt

  • Domain administrators operations guide

http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1033.txt

  • Taking care of your domain

ftp://ftp.ripe.net/ripe/docs/ripe-114.txt

  • Tools for DNS debugging

http://ftp.apnic.net/ietf/rfc/rfc2000/rfc2317.txt

as assignment procedures
AS Assignment Procedures

Policy

  • Guidelines for the creation, selection, and registration of an AS

http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1930.txt

RFCs

  • Routing Policy Specification Language (RPSL)

http://ftp.apnic.net/ietf/rfc/rfc2000/rfc2280.txt

  • A dedicated AS for sites homed to a single provider

http://ftp.apnic.net/ietf/rfc/rfc2000/rfc2270.txt

  • RFC1997: BGP Communities attribute

http://ftp.apnic.net/ietf/rfc/rfc2000/rfc2270.txt

slide237
IPv6

Policy Documents

  • IPv6 Address Policy

http://ftp.apnic.net/apnic/docs/ipv6-address-policy

  • IPv6 Address request form

http://ftp.apnic.net/apnic/docs/ipv6-alloc-request

Useful reading

  • The case for IPv6

http://www.6bone.net/misc/case-for-ipv6.html

FAQ

http://www.apnic.net/info/faq/IPv6-FAQ.html

ipv6 hd ratio 0 8
IPv6: HD Ratio 0.8
  • RFC3194 “The Host-Density Ratio for Address Assignment Efficiency”
other supplementary reading
Other supplementary reading

Operational Content Books

  • ISP Survival Guide, Geoff Huston
  • Cisco ISP Essentials, Philip Smith

BGP Table

http://www.telstra.net/ops/bgptable.html

http://www.merit.edu/ipma/reports

http://www.merit.edu/ipma/routing_table/mae-east/prefixlen.990212.html

http://www.employees.org/~tbates/cidr.hist.plot.html

Routing Instability

http://zounds.merit.net/cgi-bin/do.pl

other supplementary reading1
Other supplementary reading

Routing & Multihoming

  • Internet Routing Architectures - Bassam Halabi
  • BGP Communities Attribute

http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1997.txt

http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1998.txt

Filtering

  • Egress Filtering

http://www.cisco.com/public/cons/isp

  • Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing

http://ftp.apnic.net/ietf/rfc/rfc2000/rfc2267.txt

other supplementary reading2
Other Supplementary Reading
  • Dampening case studies at

http://www.cisco.com/warp/public/459/16.html

  • Traceroute Server

http://nitrous.digex.net

  • Network Renumbering Overview: Why Would I Want It and What Is It Anyway?

http://ftp.apnic.net/ietf/rfc/rfc2000/rfc2071.txt

  • Procedures for Enterprise Renumbering

http://www.isi.edu/div7/pier/papers.html

  • NAT
    • The IP Network Address Translator

http://ftp.apnic.net/ietf/rfc/rfc1000/rfc1631.txt
