[sdnog] Can not get the real ASNs using traceroute -a
Nishal Goburdhan
nishal at controlfreak.co.za
Tue Oct 27 13:34:26 SAST 2020
On 24 Sep 2020, at 17:07, Willy Manga wrote:
> On 24/09/2020 18:06, Sara Alamin wrote:
>> [...]
>> this correct, but on RADB as Patrick showed us, we don't get the
>> same answer. so aren't these databases syncing from each other? and
>> as Nishal's said this is always CANAR prefix , so how come RADB
>> accept different origins for the same prefix.
>
> Each registry has its own rules :)
you statement is correct, but it’s not the answer to her question.
it is *OK* to have the same object with multiple origin-as. it’s a
feature; not a bug.
imagine if you had your prefix (P) and you used AS1 as your transit
provider.
if you were planning to move to AS2, and you were smart, you would
register the same object, with AS2, as the origin-as *before* you moved.
that would allow operators around the world, to change their BGP
filters *in advance of the change*. later, when you had moved to AS2,
you would then go back and delete the old object, because it was no
longer valid. right? :-)
when you look at the IRR, always pay special attention to the
“SOURCE:” field. in this case, the “source: RADB: tells you
that these objects are registered directly into the RADB. registering
information in the RADB is easy; you pay the annual fee, and you
register whatever you want. there are really no checks; and, the thing
is, because the RADB was considered a “global” database, it’s
really difficult to make 100% accurate checks. afrinic tried this when
they initially launched their database (they meant well) but very soon
found out that the internet is more than the sum of the prefixes that
are in one database. i’ll write more below ..
> My humble advice here is:
> - for each Internet number resource you have received an
> allocation/assignement, register your objects in the database of the
> respective Regional Internet Registry
NO! THIS IS HORRIBLE ADVICE! if you are a netop, please do *NOT* do
this.
> - then if you really need to register in another registry, go ahead
> - AND KEEP ALL YOUR OBJECTS ACCURATE IN ALL REGISTRY
NO, THIS IS HORRIBLE ADVICE!
pick a *single* registry, and register all your objects there. that way
it is a lot easier to keep your objects accurate. unfortunately, the IP
monopolists, er….RIRs, operate registries that limit registration of
objects, to only those that they lease to you. if you’re in this
situation, then, simply use a registry like the RADB, which does not
have these restrictions. there’s a small fee, but it’s not a crazy
amount for a business to cover.
there’s a better reason for using just one registry. let’s assume
your AS-SET is AS-NET1, and that you register all your objects with
IRR1, and that you have a controlfreak in your organisation that keeps
this always in sync. and today, that is six (6) objects. good.
now, let’s say you you try to register different objects in IRR2, and
you accidentally forget one. so the total number of objects that you
register in IRR2, is five (5).
you have no way of knowing how a third party that is using tools to
automatically build network filters for you, is going to process this
information. will they use IRR1? will they use IRR2? will they use
both? what happens to objects that are missing - do they get
overwritten (eg. a filter list of 6 objects is created from IRR1, but
then, overwritten by a filter list of 5 objects from IRR2 …)
and the problem only gets worse if you try to add in *more* IRR
databases. and wait until you find out how operators misuse the
“SOURCE” field to make filters. wooroorook!!!
please. as someone who has spent a fair amount of time teaching
networks how to use IRR tools, please, just use one IRR source. specify
this in peeringdb (like RADB::AS-PCH). and keep your life, and the
life of the netops around you, simple! if you are not going to be a
transit ASN, and have just a few objects (eg, you are an business that
just wants to multihome) then use the afrinic irr. if you’re planning
to be a large transit provider, and have clients and resources from
wonderful places, it’ll be easier for you to use the RADB.
a word of caution; since sudan is in north africa, and back when IP
resources for africa was colonis^W managed by three other external RIRs,
sudan fell into the RIPE-NCC region. so there are old networks, that
likely still have this in place. some time ago, the RIPE-NCC community
stopped the registration of new objects into their IRR for non-RIPE
members. and whilst this won’t affect your already registered
objects, it means that you won’t be able to add new ones. if you fit
into this category, consider either moving to the afrinic, or RADB
registries.
if you’re interested in the IRR, a really good tool to help you
navigate is: http://irrexplorer.nlnog.net
>> according to RPKI stats, We have only one ISP, MAXNET (AS37211 ) has
>> generated ROA for their prefixes. I hope others do it soon.
>
> SUDATEL (AS15706) as well. They created their ROA during the first
> AFRINIC e-deployathon at least for their v6 prefix :2001:4228::/32
> [1].
>
> 1. I did not recall why they did not add their v4 prefix in the same
> certificate. But it should be straightforward.
probably to make sure that their v6 prefix did not mysteriously vanish
off the internet (ie. ROA concerns). we have already seen system
failures at RIRs where this has happened before. but perhaps, now that
they know that even the failure mode is generally safe, maybe we’ll
see more. ISA.
-n.
More information about the sdnog
mailing list