RIPE Database. Updates and Extras. Alvaro Vives Amsterdam RIPE 77

Similar documents
RIPE Database. Training Course

Local Internet Registry Training Course

RIPE Database Workshop

RIPE Database Training Course

Database Update. Denis Walker Business Analyst and Edward Shryane Senior Software Engineer. RIPE NCC Warsaw May 2014 RIPE 68

WHOIS Database and MyAPNIC

Database Update. Kaveh Ranjbar Database Department Manager, RIPE NCC

The RIPE Database & The Internet Routing Registry

Update from the RIPE NCC. David Hilario, RIPE NCC

RIPE NCC Tools. Christian Teuschel & Mirjam Kühne

LIR and RIPE Database. Training Course

APNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013

APNIC Whois Database and use of Incident Response Team (IRT) registration. Terry Manderson APNIC AusCERT 2003

APNIC Internet Resource Management (IRM) Cyber Security & Network Security March, 2017 Dhaka, Bangladesh

RIPE Database Update Reference Manual

LEA Workshop. Champika Wijayatunga & George Kuo, APNIC Wellington, New Zealand 09, May, 2013

APNIC Training. Internet Routing Registry (IRR)

APNIC. Database Tutorial. 3 September, Kitakyushu, Japan. 14 th APNIC Open Policy Meeting

RIPE Database Documentation RIPE Database Documentation

Reverse DNS Project Update

The whois Database. Introduction and Usage. Anne Lord & Mirjam Kühne. AfNOG Workshop, 10 May

Database Update. Paul Palse Database Manager, RIPE NCC

This form should be sent following the submission of Provider Aggregatable (PA) Assignment Request Form(s) found at:

MANRS How to behave on the internet

ISP-NAP & Direct Members (Feb 2018)

RIPE NCC Status Update

APNIC Internet Routing Registry. Tutorial Seoul 19 August 2003

Internet Routing Registry Tutorial

Supporting Notes for the Autonomous System (AS) Number Request Form

What s new at the RIPE NCC?

page 1 Plain Old DNS WACREN, DNS/DNSSEC Regional Workshop Ouagadougou, October 2016

APNIC Whois & RDAP. Elly Tawhai AusNOG

RIPE Database Operations Update

RPKI and Routing Security

Welcome! APNIC Internet Routing Registry Tutorial. In conjunction with SANOG IV

Supporting Notes for the Provider Independent (PI) Assignment Request Form

RIPE 55 DB Status Update Jos I. Boumans RIPE NCC. Jos Boumans RIPE 55

APNIC elearning: Reverse DNS for IPv4 and IPv6

RIPE NCC Status Report at ARIN. leo vegoda. ARIN X, Oct. 30 Nov. 1, 2002, Eugene, OR.

APNIC Internet Resource Management (IRM) Tutorial. Revision: 2.1

Anti-spam WG. RIPE 49 Manchester, September Rodney Tillotson, JANET-CERT

RIPE NCC IPv6 Update. 4th Belgian IPv6 Council Meeting 11 September Nathalie Trenaman

Internet Engineering Task Force (IETF) Request for Comments: 7485 Category: Informational ISSN: S. Sheng ICANN A. Servin LACNIC March 2015

News from RIPE NCC, RIPE, and IPv6. Vesna Manojlovic, RIPE NCC ES.NOG / GORE 3, Madrid 11 May 2009

IRT-Object in the RIPE Database, "interim" meeting

RIPE NCC Status Update

Just give me a button!

RIPE NCC Database documentation update to support RIPE DB ver

IPv6 for LIRs. March 2012

Supporting Notes for the Provider Independent (PI) Assignment Request Form

RIPE NCC DNS Update. Wolfgang Nagele DNS Services Manager

A Happy Story of Inter-RIR Transfer of Legacy Blocks from ARIN to RIPE

Transition to RIPE DB v3.0

Managing Internet Resources

RIPE NCC DNS Update. K-root and DNSSEC. Anand Buddhdev October 2018 RIPE 77

RIPE NCC Services & Activities

RIPE NCC Measurements and Tools Training Course

The IRT Object in the RIPE Database

RPSLng. Routing Policy Specification Language - Next Generation

Securing Routing: RPKI Overview. Mark Kosters Chief Technology Officer

Basic IPv6 Tutorial. Sandra Brás RIPE NCC.!! Regional Meeting Tehran November 2014

Routing Security. Training Course

UWho and CRISP. Mark Kosters VeriSign Labs ARIN IX, April 2002

Local Internet Registry. Training Course

IPv6: The Future of the Internet? July 27th, 1999 Auug

RIPE Policy Proposal

Removing IPv6 PI RIPE Jordi Palet

Routing Policy Specification Language next generation. 6DEPLOY. IPv6 Deployment and Support

IPv6 Addressing Status and Policy Report. Paul Wilson Director General, APNIC

RIPE NCC Measurements and Tools Training Course

To assist you with debugging problems, this whois query was received from IP Address. Your web client may be behind a web proxy.

Route Management Guide to manage your routes and (RPKI) ROA

Resource Certification. Alex Band, Product Manager DENIC Technical Meeting

Handling Network Abuse Reports at APNIC

RIPE NCC Technical Services

RESTFUL WEB SERVICES - INTERVIEW QUESTIONS

RIPE NCC Introduction. Jochem de Ruig Chief Financial Officer

Basic IPv6. Training Course

APNIC Training. Internet Resource Management. 17 November 2009 Nadi, Fiji. Sixth PacNOG Meeting, Conference and Educational Workshop

RIPE NCC Technical Services. Kaveh Ranjbar, Chief Information Officer

RIPE Network Coordination Centre RIPE Labs Nathalie Trenaman UKNOF 17 - Sept

Registry. NTT Communications. JPNIC IP Committee / JPNIC IRR-Plan Chair. Tomoya Yoshida Topics

Lameness in Reverse DNS

Security Overlays on Core Internet Protocols DNSSEC and RPKI. Mark Kosters ARIN CTO

IPv6 Address Allocation and Assignment Policy

Resource Certification

APNIC Status Report. LACNIC III Mexico City 11 November 2002

IRR 101. Job Snijders, DKNOG 8 1 / 35

LUCITY REST API INTRODUCTION AND CORE CONCEPTS

IPv6 Allocation Policy and Procedure. Global IPv6 Summit in China 2007 April 13, 2007 Gerard Ross and Guangliang Pan

News from RIPE and RIPE NCC

Internet Resource Policy - Why should I care?

APNIC Routing Workshop

Lessons learned running an RPKI service

Obtaining and Managing IP Addresses. Xavier Le Bris IP Resource Analyst - Trainer

APNIC Update. Amsterdam, Jan 2001 A S I A P A C I F I C N E T W O R K I N F O R M A T I O N

RIR Update. A Joint Presentation Prepared By APNIC, ARIN, RIPE NCC. 17 March 2002 IEPG - Minneapolis

Feedback From RIPE NCC Registration Services. Andrea Cima 24 October 2017 RIPE 75

European Internet Registry Policies and Procedures

APNIC allocation and policy update. JPNIC OPM July 17, Tokyo, Japan Guangliang Pan

Transcription:

RIPE Database Updates and Extras Alvaro Vives Amsterdam RIPE 77

RIPE Database DB Clients Quality of Access Quality of Data Domain Objects Creation Wizard NWI-7: abuse-c implementation RESTful API NWI-5: Out of region route(6)/aut-num!2

Domain Objects Creation Wizard

What is Reverse DNS? Mapping of IP addresses to host names 193.2.6.139 2001:67c:2e8:22::c100:68b www.ripe.net!4

Reverse Delegation Basics IPv4 - in-addr.arpa zone - /24 or /16 blocks only IPv6 - ip6.arpa zone - Blocks multiple of 4 bits (/28, /32, /36, /40, /44, /48)!5

Setting Up Reverse Delegation Configure your DNS servers - at least two name servers in different subnets - create a zone file on each for each chunk Check your zones: http://dnscheck.ripe.net!6

Domain Objects Create records on RIPE NCC DNS servers Pointing to authoritative name servers domain For this zone, go to these DNS servers: nserver1 nserver2 nserver1 RIPE NCC Name Servers nserver2!7

Reverse DNS for IPv4 192.33.28.0 /24 28.33.192.in-addr.arpa /16 33.192.in-addr.arpa /8 192.in-addr.arpa!8

Domain Object for 192.33.28.0/24 domain: descr: admin-c: tech-c: zone-c: nserver: nserver: ds-rdata: mnt-by: created: last-modified: source: 28.33.192.in-addr.arpa rdns for my IPv4 network NOC12-RIPE NOC12-RIPE NOC12-RIPE pri.example.net sns.company.org 45062 8 2 275d9acbf3d3fec11b6d6 EXAMPLE-LIR MNT 2015-01-21T13:52:29Z 2016-02-07T15:09:46Z RIPE!9

Reverse DNS for IPv6 2001:0db8:003e:ef11:0000:0000:c100:004d /48 e.3.0.0.8.b.d.0.1.0.0.2.ip6.arpa /44 3.0.0.8.b.d.0.1.0.0.2.ip6.arpa /40 0.0.8.b.d.0.1.0.0.2.ip6.arpa /36 0.8.b.d.0.1.0.0.2.ip6.arpa /32 8.b.d.0.1.0.0.2.ip6.arpa /28 b.d.0.1.0.0.2.ip6.arpa!10

Domain object for 2001:db8::/32 domain: descr: admin-c: tech-c: zone-c: nserver: nserver: ds-rdata: mnt-by: created: last-modified: source: 8.b.d.0.1.0.0.2.ip6.arpa rdns for my IPv6 network NOC12-RIPE NOC12-RIPE NOC12-RIPE pri.example.net sns.company.org 45062 8 2 275d9acbf3d3fec11b6d6 EXAMPLE-LIR MNT 2015-01-21T13:52:29Z 2016-02-07T15:09:46Z RIPE!11

Create Domain Objects Wizard domain: 16.155.10.in-addr.arpa domain: mnt-by: 17.155.10.in-addr.arpa EXAMPLE-MNT domain: nserver: tinny.arin.net mnt-by: nserver: EXAMPLE-MNT sec3.apnic.net domain: nserver: tinny.arin.net mnt-by: nserver: EXAMPLE-MNT sec3.apnic.net nserver: tinny.arin.net mnt-by: nserver: EXAMPLE-MNT sec3.apnic.net nserver: tinnie.arin.net 18.155.10.in-addr.arpa 19.155.10.in-addr.arpa nserver: sec3.apnic.net!12

stat.ripe.net!13

RESTful API

Textual representations of web resources Uniform and predefined set of stateless operations Client-Server Characteristics URIs Response standard formats: HTML, XML, JSON RESTful Web Service Common use of HTTP(S): GET, POST, PUT, DELETE Performance Properties Reliability Scalability Simplicity Portability!15

URI for each Database Object URI Format: https://rest.db.ripe.net/{source}/{objecttype}/{key} RIPE Database RESTful API POST: create Supported Methods GET: lookup PUT: update DELETE: delete HTTP/1.1 Content Negotiation Accept: application/xml Accept: application/json.xml.json!16

URI Format: https://rest.db.ripe.net/{source}/{objecttype}/{key} ripe: RIPE database {source} test: TEST database person, role, organisation {objecttype} inet(6)num, aut-num route(6), domain, mntner, etc. {key} Primary key of the object unfiltered, unformatted!17

HTTP Status Code Cause Bad Request (400) The service is unable to understand and process the request. Forbidden (403) Query limit exceeded. Not Found (404) No results were found (on a search request), or object specified in URI does not exist. Conflict (409) Integrity constraint was violated (e.g. when creating, object already exists). Internal Server Error (500) The server encountered an unexpected condition which prevented it from fulfilling the request.!18

WHOIS REST API Lookup http(s)://rest.db.ripe.net/{source}/{objecttype}/{key} GET RIPE Database DB Clients 200 Object found 400 Bad request 404 No valid object!19

Lookup Examples curl 'http://rest.db.ripe.net/ripe/mntner/ripe-dbm-mnt' curl -H 'Accept: application/json' 'http://rest.db.ripe.net/ripe/ mntner/ripe-dbm-mnt' curl 'http://rest-test.db.ripe.net/test/person/aa1-test? unfiltered' curl http://rest.db.ripe.net/ripe/inetnum/193.0.0.0%20- %20193.0.7.255.json'!20

WHOIS REST API Update https://rest.db.ripe.net/{source}/{objecttype}/{key}?password={password} PUT RIPE Database DB Clients 200 Successful update 400 Bad request: incorrect object type or key 401 Incorrect password 404 Object not found!21

Lookup Examples curl -X PUT -H 'Content-Type: application/xml' --data @form.txt 'https://rest.db.ripe.net/ripe/person/pp1-ripe?password=...' curl -X PUT -H 'Content-Type: application/json' -H 'Accept:application/json' --data @form.txt 'https:// rest.db.ripe.net/ripe/person/pp1-ripe?password=...' curl -X PUT --data @form.txt 'https://rest.db.ripe.net/ripe/ person/tp1-ripe?dry-run&password=...'!22

WHOIS REST API Create https://rest.db.ripe.net/{source}/{objecttype}?password={password} POST RIPE Database DB Clients 200 Success (object created) 400 Bad request 401 Incorrect password 409 Object already exists!23

Create Examples curl -X POST -H 'Content-Type: application/xml' --data @form.txt 'https://rest.db.ripe.net/ripe/person?password=...' curl -X POST -H 'Content-Type: application/json' -H 'Accept: application/json' --data @form.txt 'https://rest.db.ripe.net/ripe/ person?password=...' curl -X POST --data @form.txt 'https://rest.db.ripe.net/ripe/ person?dry-run&password=...'!24

WHOIS REST API Delete https://rest.db.ripe.net/{source}/{objecttype}/{key}?password={password} &reason={reason} DELETE RIPE Database DB Clients 200 Successful delete 400 Bad request: invalid object type or key 401 IncorrecT password 404 Object not found!25

Delete Examples curl -X DELETE 'https://rest.db.ripe.net/ripe/person/pp1-ripe? password=123' curl -X PUT --data @form.txt 'https://rest.db.ripe.net/ripe/ person/tp1-ripe?dry-run&password=...'!26

Demo Doing it for real!

Demo Lookup RIPE Database Location: rest.db.ripe.net Source: ripe Object Type Type: inet6num Key Key: 2001:67c:64::/48 Format XML and JSON!28

Demo: Update TEST Database Location: rest-test.db.ripe.net Source: test Object Type Type: person Key Key: TP29-TEST Format XML!29

Demo: Create TEST Database Location: rest-test.db.ripe.net Source: test Object Type Type: inet6num (ASSIGNED) Key Key: 2001:ff29:1234::/48 Format XML!30

Demo: Delete TEST Database Location: rest-test.db.ripe.net Source: test Object Type Type: inet6num (ASSIGNED) Key Key: 2001:ff29:1234::/48 Format XML!31

Search Metadata Additional Services Geolocation Abuse Contact!32

References GitHub WHOIS REST API: https://github.com/ripe-ncc/whois/wiki/whois-rest-api GitHub WHOIS REST API WhoisResources: https://github.com/ripe-ncc/whois/wiki/whois-rest-api- WhoisResources!33

NWI-7 Abuse-c implementation

Internet resource holders need to be contactable in case of problems.!35

Before Resource org: organisation role: Abuse Reports inetnum abuse-c: AR0555-RIPE nic-hdl: AR0555-RIPE inet6num abuse-mailbox: report-it@example.com aut-num!36

How abuse-c is displayed!37

Problem Statement Can t specify other abuse contacts for different resources from the same organisation Can t specify alternative abuse contacts for resources assigned to organisations other than the parent organisation After introduction of abuse-c", "abuse-mailbox:" in person, mntner, organisation and irt objects was intended to be deprecated!38

What did we improve?!39

Changes in the Database Clean legacy/temporal information: - Removed abuse-mailbox: from person, mntner, organisation, irt objects (NWI-7) - abuse-mailbox: only allowed in role objects abuse-c: allowed in inetnum, inet6num and aut-num objects!40

After Resource role: Abuse Reports abuse-c: AR0123-RIPE org: organisation nic-hdl: abuse-mailbox: AR0123-RIPE noc@example.com inetnum inet6num abuse-c: AR0555-RIPE role: Abuse Reports nic-hdl: AR0555-RIPE aut-num abuse-mailbox: report-it@example.com!41

RIPE NCC Mandate Regular validation of all abuse-mailbox: attributes First trial soon after RIPE meeting Start with initial validation beginning of 2019 Presentation in the Anti-abuse WG - Thursday, 18 October 11:00-12:30!42

References Abuse Contact Management in the RIPE Database - RIPE-705 - https://www.ripe.net/publications/docs/ripe-705!43

NWI-5 Out of region Route(6)/ AUT-NUM objects

How route(6) objects used to be created You needed permission from: 1. aut-num 2. inetnum or inet6num 3. route or route6 ALLOCATION aut-num: AS12345 2 mnt-by: RIPE-NCC-HM-MNT mnt-by: ONE-MNT 1 mnt-by: DEFAULT-LIR-MNT mnt-routes: TWO-MNT mnt-routes: ANOTHER-MNT mnt-routes: ANOTHER-MNT route(6) origin: mnt-by: AS12345 ANOTHER-MNT 3!45

Out of Region Resources Because: - Need for route(6) objects - No authoritative alternative IRR available - No proper mntners RIPE community allowed placeholder objects - Using RIPE-NCC-RPSL-MNT inet(6)num as-block mnt-by: RIPE-NCC-HM-MNT mnt-routes: RIPE-NCC-RPSL-MNT mnt-by: RIPE-NCC-HM-MNT mnt-lower: RIPE-NCC-RPSL-MNT!46

Some numbers 68,343 out-of-region ROUTE objects (28/6/18) 1,902 out-of-region ROUTE6 objects (28/6/18)!47

Problem Statement Out-of-region objects authorisation is anecdotal Globally duplicate AUT-NUM objects are required for out-ofregion ASNs, confusing contact information, policy, etc. This facilitates hijacking for out-of-region resources and RIPE NCC is neither mandated nor well-staffed enough to deal with these issues Detailed placeholders need maintenance, causing overhead especially with inter-rir transfers!48

What changed? (I) Removed ASN authorisation requirement for route(6) Deprecated "mnt-routes:" attribute in aut-num Removed 'pending object creation' functionality for route creation!49

What changed? (II) Created new source RIPE-NONAUTH Moved all route(6) objects relating to non-ripe-managed address space to new source Moved all non-ripe managed aut-num objects to new source Disallowed creation of new aut-num/route(6) objects for non- RIPE-managed resources Removed mnt-routes:" from placeholder inet(6)num objects for non-ripe-managed address space!50

How to create route(6) objects You needed permission from: 1. inetnum or inet6num 2. route or route6 ALLOCATION route(6) 1 mnt-by: RIPE-NCC-HM-MNT mnt-by: DEFAULT-LIR-MNT origin: AS12345 2 mnt-routes: ANOTHER-MNT mnt-by: ANOTHER-MNT!51

Registering IPv4 Routes inetnum: 10.30.0.0/22 mnt-by: mnt-by: TEST-NCC-HM-MNT SM30-MNT route: 10.30.0.0/22 origin: mnt-by: AS65530 SM30-MNT!52

Registering IPv6 Routes inet6num: 2002:ff30::/32 mnt-by: mnt-by: TEST-NCC-HM-MNT SM30-MNT route6: 2002:ff30::/32 origin: mnt-by: AS65530 SM30-MNT!53

References Out-of-Region ROUTE(6) and AUT-NUM Objects in the RIPE Database - https://labs.ripe.net/members/denis/out-of-region-route-6-and-aut-num-objects-inthe-ripe-database Impact Analysis for NWI-5 Implementation Using RIPE-NCC- RPSL-MNT - https://www.ripe.net/manage-ips-and-asns/db/impact-analysis-for-nwi-5- implementation!54

Questions training@ripe.net!55

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback