RIPE NCC
- objects for an enterprise: organisation, mntner, 2 role, inetnum
- access via:
  - Webupdate
  - Syncupdate: ≈ text-based Webupdate, bulk request
  - RESTful API
- unreferenced objects are deleted automatically within a few months
- force delete: for inetnum, route, domain that are lower in hierarchy
- rate limit for database access: 100 org/person/role per 24h – protection from reconnaissance with IP blocking
- abuse e-mail is never filtered
- auth in mntner is always filtered
- NS for IPv4 /16 and IPv6 /32
Objects
- nic-hdl
  - human ID
  - “AUTO-1” = request for ID creation
- person
  - human name
- mnt-by
  - protection
  - authC/authZ
- inetnum
  - allocation, assignment
- aut-num
  - BGP policy with import/export
  - status = assigned
- domain
  - reverse DNS
  - points to authoritative NS for the range
- role
  - e-mail mandatory
- route
  - prefix + ASN
- notify
  - e-mail about successful object creation
  - for aut-num – also about child route creation
- upd-to
  - notify about failed authC
- mntner
- mnt-nfy
  - notify about successful update using this mntner
- mnt-ref
  - mntner that can add references to the organisation in other objects
- mnt-lower
  - can assign inetnum, route, domain
  - mnt-by loses access to lower
- mnt-routes
  - create routes for inetnum
  - takes over authority
- mnt-domains
  - create domains for inetnum
  - takes over authority
- as-set
  - ASN group
  - for BGP filter
Flags
- -t
  - object template
- -T
  - type
  - list separated by commas
  - person includes admin-c, tech-c, zone-c, abuse-c
- -i
  - inverse
  - search through objects that reference the object
- -r
  - exclude related personal objects
  - needed not to exceed rate limit
- -B
  - show filtered attributes (notify)
- -M
  - all more specific (e.g. search for /21 yields /24 as well)
  - assignment, suballocation, assignment within suballocation
- -m
  - one level more specific
- -L
  - all less specific
- -l
  - one level less specific
- -x
  - exact match
- -d
  - include corresponding domains in search result (usually with -m/-M)
Mntner
- auth
  - SSO
    - tie e-mail to mntner
    - default
    - Webupdate only
    - shows who made changes
  - MD5 password
    - password hash
    - clear-text for all methods except Webupdate
  - PGP
    - public key stored in object key-cert
    - Syncupdate and e-mail only
- SSO
Contact
- admin-c: administrative queries (network owner)
- tech-c: troubleshooting
- abuse-c: spam and hacking reports; separate role
- zone-c: reverse delegation
Allocation
- for LIR: one /24 IPv4, several /32 IPv6
- types:
  - IPv4
    - end user: assigned PA/PI, sub-allocated PA
    - LIR: allocated PA
    - RIPE NCC: allocated unspecified
  - IPv6
    - end user: assigned, assigned PI, aggregated-by-lir, allocated-by-lir
    - LIR: allocated-by-rir
    - RIPE NCC: allocated-by-rir
- IPv4
  - only RIPE can create PI
- aggregated-by-lir groups same-sized allocations (e.g. /40 from /56 blocks), up to 2 nesting levels
- only RIPE can remove allocations created by RIPE
RPSL: “import | export: from | to <ASN> | ANY accept | announce <ASN> | ANY”, ASNs are separated by space
Route(6) maintainer
- exact, less specific route(6) mntner
- exact, less specific inet(6)num mntner: mnt-routes > mnt-lower > mnt-by
- no authC for origin ASN
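The lookup order above, as an added example (not part of the original notes and not RIPE NCC's code): it selects the object and attribute whose maintainers must authorise a new route(6), following the order given in these notes. The prefixes and maintainer names are constructed, and `closest_cover` and `route_authority` are hypothetical helper names.

```python
import ipaddress

# Constructed sample data: documentation prefixes, hypothetical maintainer names.
ROUTES = [
    {"prefix": "198.51.100.0/24", "mnt-by": ["EXAMPLE-ROUTE-MNT"]},
]
INETNUMS = [
    {"prefix": "192.0.2.0/24", "mnt-by": ["LIR-MNT"], "mnt-lower": ["LIR-LOWER-MNT"]},
    {"prefix": "192.0.2.0/25", "mnt-by": ["LIR-MNT"], "mnt-routes": ["CUST-ROUTES-MNT"]},
    {"prefix": "203.0.113.0/24", "mnt-by": ["THIRD-MNT"]},
]

# Attribute precedence inside the selected object, as given in the notes.
PRECEDENCE = ("mnt-routes", "mnt-lower", "mnt-by")


def closest_cover(objects, net):
    """Exact match if present, otherwise the smallest less specific object."""
    covering = []
    for obj in objects:
        parent = ipaddress.ip_network(obj["prefix"])
        if parent.version == net.version and net.subnet_of(parent):
            covering.append((parent.prefixlen, obj))
    if not covering:
        return None
    return max(covering, key=lambda item: item[0])[1]


def route_authority(prefix, routes=ROUTES, inetnums=INETNUMS):
    """Return (object type, object prefix, attribute, maintainers) whose
    authentication a new route(6) for `prefix` must pass, or None."""
    net = ipaddress.ip_network(prefix)
    # route(6) objects are consulted first, then inet(6)num objects.
    # The origin aut-num is not consulted: no authC for the origin ASN.
    for kind, objects in (("route", routes), ("inetnum", inetnums)):
        obj = closest_cover(objects, net)
        if obj is None:
            continue
        for attr in PRECEDENCE:
            if obj.get(attr):
                return kind, obj["prefix"], attr, obj[attr]
    return None


if __name__ == "__main__":
    for p in ("192.0.2.0/26", "192.0.2.128/25", "198.51.100.0/25", "10.0.0.0/8"):
        print(p, "->", route_authority(p))
```

Once `mnt-routes` is set on 192.0.2.0/25, LIR-MNT from `mnt-by` no longer appears in the result for routes inside that range, which is the "takes over authority" behaviour noted under mnt-routes.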
AS-set
- direct: adding to as-set through members
- indirect:
  - setting member-of in aut-num to the required as-set
  - the aut-num's mntner requires access to the as-set via mbrs-by-ref
- name always starts with “as-”