Dear Lee,
Hi Job,
*ring ring* - "IRR/RPKI helpdesk how may I help you today?"
What a fantastic helpdesk it is, too!
Another way to satisfy this request is to ask the organization's
provider to create an AS-SET (preferably RIR-operatored IRR such as
ARIN, RIPE, etc), and then reference their AS-SET on your own AS-SET.
IRR AS-SETs permit both referencing AS Numbers and AS-SETs as 'members:'.
This brings up a question I've been mulling over lately - if AS64500 has
AS64500:AS-CUSTOMERS and has a customer AS64510, and AS64510 only ever
plans to originate routes themselves, with no downstreams, is there any
reason other than "future flexibility" for AS64510 to create an AS-SET,
e.g.:
as-set: AS64500-CUSTOMERS
-> members: AS64510:AS-AS64510
>-> members: AS64510
versus simply the following:
as-set: AS64500-CUSTOMERS
>-> members: AS64510
It seems to me both are entirely functionally equivalent, aside that if
AS64510 ever wants to change things they would need to get AS64500 to
update their AS64500-CUSTOMERS members.
The industry trend (very noticable the last 3 years) is that the ability
to create proxy route object registrations is slowly fading away.
At at first glance proxy registrations seem better than 'no
registration', the downside is that anyone can create proxy
registrations for any prefix: proxies are not very safe!
I wonder what this means (eventually, anyway) for RADB, NTTCOM, LEVEL3,
etc. Though LEVEL3 can hardly be considered on the bleeding edge of
IRR...
The recommendation is that each and every IP resource holder creates IRR
and/or RPKI objects themselves, or delegates the authority to do so to
their service provider.
What is the mechanism for such a delegation?
It seems to me that with enough RPKI adoption, IRR will eventually go
away, but you mention "and/or" - is that just for current
interoperability?
Taking it a step futher, let's say I have valid ROAs for all my prefixes
today, because I do. But I don't maintain my objects in ARIN's IRR. Do
I need to migrate, and if so, assuming my upstreams still "reject RPKI
invalid but permit rpki unknown AND require an IRR AS-SET to build BGP
filters in the first place" it seems to me that maintaining IRR is
necessary because otherwise the upstream won't listen to the
announcements at all, much less verify RPKI.
Technically this is likely to work, but the downside is that you end up
with a hard dependency on another ISP's proxy registration. If for
whatever reason that registration lapses (failure to pay bills, M&A, who
knows) ... you might end up with a hard to troubleshoot situation where
it is not immediately clear "it was working yesterday, but not today?!".
FWIW, Lee, I ran into this exact scenario this week. Everything was
working, but the route was only being permitted by the customer's
upstream because of a stale object proxy registered by someone else. My
two cents is that this is an exceedling common occurence.
The best course of action is to ensure that objects are either managed
by yourself, or by the customer, so the responsibilities and object
ownership are clear to everyone involved.
And yet, there's probably double-digits of people that fully grok IRR,
despite the years and years of NOG presenations and tutorials and
everything else.
A great tool to gain some insight into various IRR/BGP/RPKI data sources
and what the registration status of various objecst might mean can be
found at this awesome tool: https://irrexplorer.nlnog.net/
There's also a command-line irrtree that's pretty slick, and if you want
to verify AS-SET recursion and ultimately expansion into prefixes,
point your whois client toward filtergen.level3.net [1] and/or
filtergen.dan.me.uk [2]
--Adam
[1] But be careful because L3 filtergen doesn't recurse across
registries and will ignore data that's not source: LEVEL3 +unless* you
put 'remarks: Level3 members: RADB::AS-FOO' in the AS-SET.
[2] If you instead want to filtergen against RADB data (and objects
which RADB mirrors from others) see Filter List Generator