The SIX has moved to strict route filtering using the Internet Routing Registry (IRR), because it is the right thing to do.
The SIX has two route servers and they both have strict route filtering (as of March 7, 2017). You need to have valid IRR records for the routes your ASN will be announcing in order for them to be accepted by the SIX route servers. You also will need to keep those IRR records up-to-date for any network changes you make.
The route server drops analysis page provides comprehensive details on SIX route server filtering: statistics by rule, charts, and BIRD pseudocode showing how filtering is performed. The analysis can also be narrowed to a single ASN, either by following the link from the participants page when errors are indicated for your network, or by appending "?asn=#" to the URL (replace # with the ASN).
In order to create valid IRR records so your announcements are accepted/propagated and do not show errors on the SIX participants page or the route server drops analysis page, you need to register prefixes as valid route/route6 objects in an IRR registry and register downstream ASNs as part of your as-set. That can be done at ARIN (tutorial), RIPE (tutorial), and other IRRs. If you have address space with multiple Regional Internet Registries (RIRs) it may make sense to have IRR data in multiple registries. We recommend you create IRR records at the RIR which assigned/allocated your address space.
Creating RPKI ROAs is also highly recommended; on the SIX route servers a valid ROA replaces the need for an IRR route object for that prefix. IRR as-set objects listing downstream ASNs are still needed.
ARIN Tutorial
Create a maintainer object by following the steps at https://www.arin.net/resources/manage/irr/userguide/. A human processes this request, so it can take a few days on ARIN's side, and there is no automatic response until it is completed. PGP is not recommended at this time (June 2020) since ARIN is moving toward a web-based system for these updates, so save yourself trouble and use MD5-PW with a password that is unique to this purpose. Generate the MD5-PW hash with 'openssl passwd -1' or with https://account.arin.net/public/hash-tool. Send the MD5-PW hash (never the plaintext) in the "auth:" line when creating or updating the maintainer object; for all object manipulations after the initial maintainer (mntner) object creation, send the plaintext as a "password: 123" line (for example).
An example:
From: hostmaster@example.net
To: rr@arin.net

mntner: MNT-YOURORGID
descr: Example, Inc.
admin-c: EXAMPLE123-ARIN
tech-c: EXAMPLE456-ARIN
upd-to: hostmaster@example.net
mnt-nfy: hostmaster@example.net
auth: MD5-PW $1$DyU6VQsG$MU0joyMejuoXNGCdIB4x90
notify: hostmaster@example.net
abuse-mailbox: abuse@example.net
mnt-by: MNT-YOURORGID
referral-by: MNT-YOURORGID
changed: hostmaster@example.net 20YYMMDD   [Adjust this appropriately!]
source: ARIN
ARIN will respond with the MNT-YOURORGID adjusted as needed, so be prepared for it to change and use what they provide going forward.
At this point you can create your aut-num, as-set, route, route6, and route-set objects. The examples below can be sent to rr@arin.net individually or as a group, adjusting the date and other fields as appropriate. The ARIN IRR software responds within a few minutes with details of the success or failure of each object creation request. Modifications are made in the same manner.
From: hostmaster@example.net
To: rr@arin.net

aut-num: AS64496
as-name: EXAMPLE-64496
descr: Example AS 64496
import: from AS-ANY accept ANY
export: to AS-ANY announce AS-EXAMPLE
admin-c: EXAMPLE-ORG-ARIN
tech-c: EXAMPLE-ORG-ARIN
notify: hostmaster@example.net
mnt-by: MNT-YOURORGID
changed: hostmaster@example.net 20YYMMDD   [Adjust this appropriately!]
source: ARIN
password: 123

as-set: AS-EXAMPLE
descr: Example, Inc.
members: AS64496
remarks: For network issues: noc@example.net
remarks: For peering questions: peering@example.net
tech-c: EXAMPLE-ORG-ARIN
admin-c: EXAMPLE-ORG-ARIN
notify: hostmaster@example.net
mnt-by: MNT-YOURORGID
changed: hostmaster@example.net 20YYMMDD   [Adjust this appropriately!]
source: ARIN
password: 123

route: 192.0.2.0/24
descr: EXAMPLE-V4-1 assigned by ARIN
origin: AS64496
notify: hostmaster@example.net
mnt-by: MNT-YOURORGID
changed: hostmaster@example.net 20YYMMDD   [Adjust this appropriately!]
source: ARIN
password: 123

route6: 2001:DB8::/32
descr: EXAMPLE-V6-1 assigned by ARIN
origin: AS64496
notify: hostmaster@example.net
mnt-by: MNT-YOURORGID
changed: hostmaster@example.net 20YYMMDD   [Adjust this appropriately!]
source: ARIN
password: 123

route-set: RS-EXAMPLE-v4-ROUTES
descr: Example, Inc. IPv4 routes
members: 192.0.2.0/24^24-32
tech-c: EXAMPLE-ORG-ARIN
admin-c: EXAMPLE-ORG-ARIN
notify: hostmaster@example.net
mnt-by: MNT-YOURORGID
changed: hostmaster@example.net 20YYMMDD   [Adjust this appropriately!]
source: ARIN
password: 123

route-set: RS-EXAMPLE-v6-ROUTES
descr: Example, Inc. IPv6 routes
mp-members: 2001:DB8::/32^32-128
tech-c: EXAMPLE-ORG-ARIN
admin-c: EXAMPLE-ORG-ARIN
notify: hostmaster@example.net
mnt-by: MNT-YOURORGID
changed: hostmaster@example.net 20YYMMDD   [Adjust this appropriately!]
source: ARIN
password: 123

route-set: RS-EXAMPLE-ROUTES
descr: Example, Inc. IPv4 & IPv6 routes
members: RS-EXAMPLE-v4-ROUTES, RS-EXAMPLE-v6-ROUTES
tech-c: EXAMPLE-ORG-ARIN
admin-c: EXAMPLE-ORG-ARIN
notify: hostmaster@example.net
mnt-by: MNT-YOURORGID
changed: hostmaster@example.net 20YYMMDD   [Adjust this appropriately!]
source: ARIN
password: 123
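As an added example (not part of this page and not ARIN's tooling), the following Python renders route, route6 and route-set objects in the form shown above for a list of prefixes, so the template does not have to be hand-edited per prefix. It assumes the placeholder maintainer MNT-YOURORGID, AS64496, the example.net contacts and the documentation prefixes. It also caps route-set member ranges at /24 for IPv4 and /48 for IPv6 rather than the ^24-32 and ^32-128 ranges shown above, since BGP filters generally reject longer prefixes; adjust MAX_LEN if your policy differs.

```python
"""Render ARIN IRR route/route6/route-set objects for a list of prefixes,
ready to paste into an e-mail to rr@arin.net.  Added example (not SIX or
ARIN code); MNT-YOURORGID, AS64496, example.net and the prefixes are
placeholders to replace with your own."""
import ipaddress
from datetime import date

MAINTAINER = "MNT-YOURORGID"       # use the ID ARIN returns for your mntner
NOTIFY = "hostmaster@example.net"
SOURCE = "ARIN"
# Longest prefixes most BGP filters accept.  Ranges like "^24-32" or
# "^32-128" also list more-specifics that nobody will accept.
MAX_LEN = {4: 24, 6: 48}


def rpsl_object(attrs, password=None):
    """Render (attribute, value) pairs as one RPSL object.  The 'password:'
    line is the MD5-PW secret for e-mail updates; it is not stored."""
    lines = [f"{key}: {value}" for key, value in attrs]
    if password is not None:
        lines.append(f"password: {password}")
    return "\n".join(lines) + "\n"


def route_object(prefix, origin_asn, descr, today=None, password=None):
    """One route (IPv4) or route6 (IPv6) object.  strict=True raises
    ValueError for a prefix with host bits set (192.0.2.1/24), which is
    not a valid route key."""
    net = ipaddress.ip_network(prefix, strict=True)
    today = today or date.today().strftime("%Y%m%d")
    return rpsl_object([
        ("route" if net.version == 4 else "route6", str(net)),
        ("descr", descr),
        ("origin", f"AS{origin_asn}"),
        ("notify", NOTIFY),
        ("mnt-by", MAINTAINER),
        ("changed", f"{NOTIFY} {today}"),
        ("source", SOURCE),
    ], password)


def route_set_object(name, prefixes, descr, today=None, password=None):
    """A route-set allowing each prefix and its more-specifics up to
    MAX_LEN, e.g. 192.0.2.0/24^24-24 or 2001:db8::/32^32-48.  IPv4
    entries go in 'members:', IPv6 entries in 'mp-members:'."""
    nets = sorted((ipaddress.ip_network(p, strict=True) for p in prefixes),
                  key=lambda n: (n.version, n))
    members = {4: [], 6: []}
    for net in nets:
        longest = max(net.prefixlen, MAX_LEN[net.version])
        members[net.version].append(f"{net}^{net.prefixlen}-{longest}")
    attrs = [("route-set", name), ("descr", descr)]
    if members[4]:
        attrs.append(("members", ", ".join(members[4])))
    if members[6]:
        attrs.append(("mp-members", ", ".join(members[6])))
    today = today or date.today().strftime("%Y%m%d")
    attrs += [("notify", NOTIFY), ("mnt-by", MAINTAINER),
              ("changed", f"{NOTIFY} {today}"), ("source", SOURCE)]
    return rpsl_object(attrs, password)


def update_message(objects):
    """Join objects with blank lines: one e-mail body for rr@arin.net."""
    return "\n".join(objects)


if __name__ == "__main__":
    asn, pw = 64496, "123"                 # pw: your MD5-PW plaintext
    prefixes = ["192.0.2.0/24", "2001:DB8::/32"]
    objs = [route_object(p, asn, f"EXAMPLE-{i} assigned by ARIN", password=pw)
            for i, p in enumerate(prefixes, 1)]
    objs.append(route_set_object("RS-EXAMPLE-ROUTES", prefixes,
                                 "Example, Inc. IPv4 & IPv6 routes", password=pw))
    print(update_message(objs))
```

Note that ipaddress canonicalises the prefix (2001:DB8::/32 becomes 2001:db8::/32), which is also how the IRR will store it; the strict check catches the common mistake of registering an address rather than a network.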
To verify and see everything maintained by the same maintainer object, do:
whois -h rr.arin.net -i mnt-by -B MNT-YOURORGID
Since ARIN's database is mirrored quickly to NTT, you can check your IRR data with these commands (for AS64496 and the as-set AS-EXAMPLE, these would be '!gas64496', '!6as64496' and '!iAS-EXAMPLE'):
IPv4 prefixes: whois -h rr.ntt.net '!gasYOUR_ASN_NUM'
IPv6 prefixes: whois -h rr.ntt.net '!6asYOUR_ASN_NUM'
AS-SET ASNs:   whois -h rr.ntt.net '!iYOUR_AS_SET_NAME'
You should also routinely check the SIX participants page or your specific route server drops analysis page to see if your network has any errors. The error counts/details reset on a daily basis.
RPKI
Review https://teamarin.net/2017/10/31/implementing-rpki-its-easier-than-you-think/.
Review https://www.arin.net/resources/manage/rpki/hosted/ for "Hosted RPKI" and follow the steps to generate a ROA Request Key Pair and submit it to ARIN. Wait for the ticket to be completed by ARIN, likely within a business day.
Next, in ARIN Online go to https://account.arin.net/public/secure/org and select the organization for which you want to manage RPKI. Under Actions select "Manage RPKI" and then "Create ROA". Create ROAs for your prefixes per https://www.arin.net/resources/manage/rpki/roa_request/. Set a calendar reminder well in advance of ROA expiration so that your organization replaces or extends the ROAs before they lapse; an expired ROA leaves the prefix without a valid origin authorization.
You can verify your RPKI records are working at https://rpki-validator.ripe.net by searching by ASN or prefix.
RIPE Tutorial
NOTE: As of September 2018, RIPE no longer allows non-RIPE address space to be registered in its database, so if your address space is from ARIN or another RIR, don't use RIPE.
0. If you do not already have a RIPE NCC account, create one. This is a personal account, not an organizational account. If you have one, then log in. It is a good idea to set up two-factor authentication, and you can do that in your profile.
1. Create a 'role and maintainer pair' object. This record must be created before you can create the remaining ones.
2. Create an 'organisation' object. Use your maintainer object for the mnt-by (it will automatically fill this out if you are still logged in).
3. You must now create an aut-num object. If your ASN was not assigned by the RIPE NCC, you must create an "out-of-region" (non-RIPE) placeholder "dummy" aut-num object, because the aut-num referenced by the "origin:" attribute of your route objects must exist in the RIPE database without claiming the ASN is RIPE-assigned. To do this, follow the same link as above to create an aut-num object. The RIPE database authorises out-of-region objects with the shared maintainer "RIPE-NCC-RPSL-MNT" (use this name literally), whose password is literally "RPSL" (without the quotes). When you use the webupdates mechanism, it detects that you are creating an aut-num for an ASN not managed by the RIPE NCC and supplies this authorisation for you, so you can simply create the object with your own maintainer in mnt-by. The aut-num is created with the status "OTHER" instead of "ASSIGNED", indicating that it is a placeholder. After this, you can create other objects that refer to this aut-num. Keep in mind that if you use an update method other than webupdates (such as syncupdates or e-mail) to create a route object for a prefix that is not managed by the RIPE NCC, you must also supply the "RPSL" password with the submission. See the following for more details.
4. For prefixes you directly announce, create a route object for each of your IPv4 netblocks, and create a route6 object for each of your IPv6 netblocks, associating them with your maintainer objects.
5. If you have downstream ASNs, create an as-set object listing them. Then set your PeeringDB IRR Record to be simply your as-set name. (Email info_a_t_seattleix.net if your as-set is not being recognized, for special handling.)
6. Optionally create a key-cert object with your PGP public key for authorization. It must be formatted correctly; see the linked example of correct formatting.
You should be good now! Since RIPE's database is mirrored quickly to NTT, you can check your IRR data with these commands (for AS64496 and the as-set AS-EXAMPLE, these would be '!gas64496', '!6as64496' and '!iAS-EXAMPLE'):
IPv4 prefixes: whois -h rr.ntt.net '!gasYOUR_ASN_NUM'
IPv6 prefixes: whois -h rr.ntt.net '!6asYOUR_ASN_NUM'
AS-SET ASNs:   whois -h rr.ntt.net '!iYOUR_AS_SET_NAME'
You should also routinely check the SIX participants page or your specific route server drops analysis page to see if your network has any errors. The error counts/details reset on a daily basis.
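The same three rr.ntt.net queries verify data registered at ARIN (in the ARIN tutorial above) and at RIPE. As an added example, not code from the SIX, NTT or either registry, the Python below parses the replies those queries return and compares them with the prefixes and downstream ASNs you intend to announce, reporting anything the SIX route servers would drop for lack of a route/route6 object or an as-set membership. The sample replies, AS64496, AS-EXAMPLE and the prefixes are constructed; the irrd_query helper for live lookups assumes the standard IRRd '!' query protocol on TCP port 43 and is not needed for the offline check.

```python
"""Offline check that the IRR data the SIX route servers see matches what
you intend to announce.  Added example (not SIX, NTT or registry code).
It parses replies to the IRRd '!g', '!6' and '!i' queries shown above;
the sample replies, AS64496, AS-EXAMPLE and the prefixes are constructed."""
import ipaddress
import socket


class IrrdError(Exception):
    pass


def parse_irrd_reply(raw: str) -> list[str]:
    """Parse one IRRd reply.  'A<n>' + n bytes of data + 'C' for a hit,
    'C' alone or 'D' for no data, 'F <message>' for an error.  IRRd counts
    the newline after the data in <n>; either convention is accepted."""
    status, _, rest = raw.partition("\n")
    if status in ("C", "D"):
        return []
    if status.startswith("F"):
        raise IrrdError(status[1:].strip() or "query failed")
    if status.startswith("A") and status[1:].isdigit():
        length = int(status[1:])
        data, trailer = rest[:length], rest[length:].strip()
        if trailer != "C":
            raise IrrdError("truncated reply")
        return data.split()
    raise IrrdError(f"unexpected reply: {status!r}")


def irrd_query(query: str, host: str = "rr.ntt.net", port: int = 43) -> str:
    """Send one '!' query over whois (TCP/43) and return the raw reply.
    Without the '!!' persistent-connection command IRRd closes the socket
    after one answer, so reading to EOF collects the whole reply."""
    with socket.create_connection((host, port), timeout=15) as sock:
        sock.sendall(f"{query}\n".encode())
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace")


def queries_for(asn: int, as_set: str) -> list[str]:
    # ',1' asks IRRd to expand nested as-sets recursively.
    return [f"!gAS{asn}", f"!6AS{asn}", f"!i{as_set},1"]


def canonical(prefix: str) -> str:
    # Normalise case and zero-compression so '2001:DB8::/32' == '2001:db8::/32'.
    return str(ipaddress.ip_network(prefix, strict=True))


def check_irr(asn, as_set, intended, downstream, replies):
    """Compare intended announcements with registered IRR data.
    `replies` maps query string -> raw reply, so this runs on captured
    replies; live, pass {q: irrd_query(q) for q in queries_for(asn, as_set)}.
    Returns a list of problems; empty means the filters should accept all."""
    prefix_queries = queries_for(asn, as_set)[:2]
    registered = {canonical(p) for q in prefix_queries
                  for p in parse_irrd_reply(replies[q])}
    members = {m.upper() for m in parse_irrd_reply(replies[f"!i{as_set},1"])}
    problems = []
    for prefix in intended:
        p = canonical(prefix)
        # Exact match: a route object for a covering aggregate does not
        # authorise a more-specific in filters built from route objects.
        if p not in registered:
            kind = "route6" if ":" in p else "route"
            problems.append(f"no {kind} object for {p} with origin AS{asn}")
    for member in [f"AS{asn}", *[f"AS{d}" for d in downstream]]:
        if member not in members:
            problems.append(f"{member} is not a member of {as_set}")
    return problems


# Constructed replies standing in for rr.ntt.net: AS64496 has route objects
# for two IPv4 prefixes and one IPv6 prefix; AS-EXAMPLE contains AS64496
# and AS64497.
SAMPLE_REPLIES = {
    "!gAS64496": "A29\n192.0.2.0/24 198.51.100.0/24\nC\n",
    "!6AS64496": "A14\n2001:db8::/32\nC\n",
    "!iAS-EXAMPLE,1": "A16\nAS64496 AS64497\nC\n",
}

if __name__ == "__main__":
    intended = ["192.0.2.0/24", "198.51.100.0/24", "2001:DB8::/32",
                "203.0.113.0/24"]            # last one has no route object
    for problem in check_irr(64496, "AS-EXAMPLE", intended, [64497, 64498],
                             SAMPLE_REPLIES):
        print("PROBLEM:", problem)
```

Run it as-is to see the two problems the constructed data contains (a prefix without a route object and a downstream ASN missing from the as-set); replace SAMPLE_REPLIES with live irrd_query results to check your own data. A "D" reply for the as-set query means the set does not exist at all under that name, which is the case to check first when the SIX participants page says your as-set is not recognised.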
Corrections, additional examples, and questions are welcome at info_a_t_seattleix.net.
RIPE tutorial originally contributed by Riseup Networks.