RIPE NCC

  1. RIPE NCC
  2. Objects
  3. Flags
  4. Mntner
  5. Contact
  6. Allocation
  7. Route(6) maintainer
  8. AS-set
  9. BGP relationship (AS1)

RIPE NCC

  • objects for an enterprise: organisation, mntner, two role objects, inetnum
  • access via:
    • Webupdate
    • Syncupdate: ≈ text-based Webupdate, bulk request
    • e-mail
    • RESTful API
  • unreferenced objects are deleted automatically within a few months
  • force delete: for inetnum, route, domain that are lower in hierarchy
  • rate limit for database access: 100 org/person/role objects per 24h; exceeding it leads to IP blocking, which protects against reconnaissance
  • abuse e-mail is never filtered
  • auth in mntner is always filtered
  • NS for IPv4 /16 and IPv6 /32

Objects

  • nic-hdl
    • human ID
    • “AUTO-1” = request for ID creation
  • person
    • human name
  • mnt-by
    • protection
    • authC/authZ
  • inetnum
    • allocation, assignment
  • aut-num
    • BGP policy with import/export
    • status = assigned
  • domain
    • reverse DNS
    • points to authoritative NS for the range
  • role
    • e-mail mandatory
  • route
    • prefix + ASN
  • notify
    • e-mail about successful object creation
    • for aut-num – also about child route creation
  • upd-to
    • notify about failed authC
    • attribute of mntner
  • mnt-nfy
    • notify about successful update using this mntner
  • mnt-ref
    • mntner that can add references to the organisation in other objects
  • mnt-lower
    • can assign inetnum, route, domain
    • mnt-by loses access to lower
  • mnt-routes
    • create routes for inetnum
    • takes over authority
  • mnt-domains
    • create domains for inetnum
    • takes over authority
  • as-set
    • ASN group
    • for BGP filter

Flags

  • -t
    • object template
  • -T
    • type
    • list separated by commas
    • person includes admin-c, tech-c, zone-c, abuse-c
  • -i
    • inverse
    • search through objects that reference the object
  • -r
    • exclude related personal objects
    • needed to avoid exceeding the rate limit
  • -B
    • show filtered attributes (notify)
  • -M
    • all more specific (e.g. search for /21 yields /24 as well)
    • assignment, suballocation, assignment within suballocation
  • -m
    • one level more specific
  • -L
    • all less specific
  • -l
    • one level less specific
  • -x
    • exact match
  • -d
    • include corresponding domains in search result (usually with -m/-M)

Mntner

  • auth
    • SSO
      • tie e-mail to mntner
      • default
      • Webupdate only
      • lets you see who made changes
    • MD5 password
      • password hash
      • password is sent in clear text for all methods except Webupdate
    • PGP
      • public key stored in object key-cert
      • Syncupdate and e-mail only

Contact

  • admin-c: administrative queries (network owner)
  • tech-c: troubleshoot
  • abuse-c: spam, hacking report; separate role
  • zone-c: reverse delegation

Allocation

  • for LIR: one /24 IPv4, several /32 IPv6
  • types:
    • IPv4
      • end user: assigned PA/PI, sub-allocated PA
      • LIR: allocated PA
      • RIPE NCC: allocated unspecified
    • IPv6
      • end user: assigned, assigned PI, aggregated-by-lir, allocated-by-lir
      • LIR: allocated-by-rir
      • RIPE NCC: allocated-by-rir
  • only RIPE can create PI
  • aggregated-by-lir groups same-sized allocations (e.g. /40 from /56 blocks), up to 2 nesting levels
  • only RIPE can remove allocations created by RIPE

RPSL policy syntax: “import: from <ASN>|ANY accept <ASN>|ANY” and “export: to <ASN>|ANY announce <ASN>|ANY”; multiple ASNs are separated by spaces

Route(6) maintainer

  1. exact, less specific route(6) mntner
  2. exact, less specific inet(6)num mntner: mnt-routes > mnt-lower > mnt-by
  • no authC for origin ASN
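The two-step route(6) authorization above as an added Python example (not RIPE NCC code). It assumes the closest exact-or-less-specific object is the one consulted, ignores prefix qualifiers on mnt-routes, and uses constructed sample objects with made-up maintainer names.

```python
import ipaddress

def parse_rpsl(text):
    """Parse one RPSL object into {attribute: [values]} (minimal: no continuation lines)."""
    obj = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        obj.setdefault(key.strip(), []).append(value.strip())
    return obj

def bounds(obj):
    """First and last address of an inetnum 'a - b' range or an inet6num/route(6) prefix."""
    value = (obj.get("inetnum") or obj.get("inet6num") or obj.get("route") or obj["route6"])[0]
    if "-" in value:
        first, last = (ipaddress.ip_address(s.strip()) for s in value.split("-"))
        return first, last
    net = ipaddress.ip_network(value, strict=False)
    return net[0], net[-1]

def closest_covering(prefix, objects):
    """Most specific object that is an exact match or less specific of prefix (None if absent)."""
    net = ipaddress.ip_network(prefix)
    covering = [o for o in objects if bounds(o)[0].version == net.version
                and bounds(o)[0] <= net[0] and bounds(o)[1] >= net[-1]]
    return min(covering, key=lambda o: int(bounds(o)[1]) - int(bounds(o)[0]), default=None)

def required_maintainers(prefix, inetnums, routes):
    """Maintainers a new route(6) object for prefix must authenticate against.
    1. mnt-by of the exact/less specific route(6) object, if one exists.
    2. mnt-routes, else mnt-lower, else mnt-by of the exact/less specific inet(6)num.
    The origin ASN is not consulted (no authC for origin ASN)."""
    needed = {"route": [], "inetnum": []}
    parent_route = closest_covering(prefix, routes)
    if parent_route:
        needed["route"] = parent_route.get("mnt-by", [])
    parent_inetnum = closest_covering(prefix, inetnums)
    if parent_inetnum:
        for attr in ("mnt-routes", "mnt-lower", "mnt-by"):  # precedence order
            if attr in parent_inetnum:
                needed["inetnum"] = parent_inetnum[attr]
                break
    return needed

# Constructed sample objects (documentation prefixes, made-up maintainer names).
INETNUMS = [parse_rpsl(t) for t in (
    "inetnum: 192.0.2.0 - 192.0.2.255\nmnt-by: EXAMPLE-MNT\nmnt-routes: EXAMPLE-ROUTES-MNT",
    "inetnum: 192.0.2.0 - 192.0.2.127\nmnt-by: SUB-MNT")]
ROUTES = [parse_rpsl("route: 192.0.2.0/24\norigin: AS64500\nmnt-by: EXAMPLE-ROUTE-MNT")]
```

Calling required_maintainers("192.0.2.0/25", INETNUMS, ROUTES) returns the covering /24 route's mnt-by and the exact /25 inetnum's mnt-by, since that inetnum carries neither mnt-routes nor mnt-lower.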

AS-set

  • direct: the ASN is added to the as-set through its members attribute
  • indirect:
    • set member-of in the aut-num to the required as-set
    • the aut-num's mntner must be granted access by the as-set via mbrs-by-ref
  • name always starts with “as-”

BGP relationship (AS1)