Level 3's IRR Database

Joe Abley jabley at hopcount.ca
Mon Jan 31 14:16:38 UTC 2011


On 2011-01-30, at 12:15, Nick Hilliard wrote:

> On 30/01/2011 09:08, Jeff Wheeler wrote:
>> This brings me to my point, which is that IRR is very good for
>> preventing accidents and automating some common tasks.  It should be
>> "secure" to a point, but just because a route: object exists does not
>> mean that mntner: really has authority over that address space.
> 
> Depends on which IRR you use.  The IRRDBs run by RIPE, APNIC and AfriNIC implement hierarchical object ownership, which means that if you're registering their address space, you can only do so if that address space legitimately belongs to you.

Note that in the case of the RIPE db (and perhaps the others, I don't know) this is only the case for resources that can be traced back to a RIPE NCC-assigned netblock.

I routinely register objects in the RIPE db which were assigned from other regions (e.g. ARIN). Since many European networks have procedures and automation that require things to be in the RIPE db, using that db as your primary publication mechanism avoids the need to duplicate later.

The parent object in the RIPE db for such foreign resources is

inetnum:      0.0.0.0 - 255.255.255.255
netname:      IANA-BLK
descr:        The whole IPv4 address space
country:      EU # Country is really world wide
org:          ORG-IANA1-RIPE
admin-c:      IANA1-RIPE
tech-c:       IANA1-RIPE
status:       ALLOCATED UNSPECIFIED
remarks:      The country is really worldwide.
remarks:      This address space is assigned at various other places in
remarks:      the world and might therefore not be in the RIPE database.
mnt-by:       RIPE-NCC-HM-MNT
mnt-lower:    RIPE-NCC-HM-MNT
mnt-routes:   RIPE-NCC-RPSL-MNT
source:       RIPE # Filtered

and the maintainer object for routes is

mntner:         RIPE-NCC-RPSL-MNT
descr:          This maintainer may be used to create objects to represent
descr:          routing policy in the RIPE Database for number resources not
descr:          allocated or assigned from the RIPE NCC.
admin-c:        RD132-RIPE
auth:           MD5-PW $1$ScJSM7nN$Xw3aAduCRZx4QUEq8QjR5/
remarks:        *******************************************************
remarks:        * The password for this object is 'RPSL', without the *
remarks:        * quotes. Do NOT use this maintainer as 'mnt-by'.     *
remarks:        *******************************************************
mnt-by:         RIPE-DBM-MNT
referral-by:    RIPE-DBM-MNT
source:         RIPE # Filtered

This means that anybody can assert pretty much anything they like, so long as the resources are not NCC-assigned.


Joe
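
The following is an added example, not part of the message above and not RIPE tooling: when building filters from RIPE route: objects, it separates routes authorised hierarchically from those whose only covering inetnum is the IANA-BLK parent with the open RIPE-NCC-RPSL-MNT maintainer. It assumes a simplified rule (only the smallest covering inetnum's mnt-routes, falling back to mnt-by, is consulted); EXAMPLE-MNT and the documentation prefixes and AS numbers are constructed.

```python
import ipaddress

OPEN_MNT = "RIPE-NCC-RPSL-MNT"  # maintainer whose password is published in its own object

# Constructed sample: abridged IANA-BLK parent plus hypothetical objects on documentation space.
SAMPLE = """\
inetnum:      0.0.0.0 - 255.255.255.255
netname:      IANA-BLK
mnt-routes:   RIPE-NCC-RPSL-MNT

inetnum:      192.0.2.0 - 192.0.2.255
mnt-routes:   EXAMPLE-MNT

route:        192.0.2.0/24
origin:       AS64496

route:        198.51.100.0/24
origin:       AS64497
"""

def parse_rpsl(text):
    """Split RPSL text into objects, each a list of (attribute, value) pairs."""
    return [[(k.strip(), v.split("#")[0].strip())
             for k, _, v in (ln.partition(":") for ln in block.splitlines())]
            for block in text.strip().split("\n\n")]

def covering_maintainers(prefix, objects):
    """mnt-routes (else mnt-by) of the smallest inetnum range covering prefix."""
    net = ipaddress.ip_network(prefix)
    covers = []
    for obj in objects:
        if obj[0][0] == "inetnum":
            lo, hi = (ipaddress.ip_address(a.strip()) for a in obj[0][1].split("-"))
            if lo <= net.network_address and net.broadcast_address <= hi:
                covers.append((int(hi) - int(lo), obj))
    if not covers:
        return set()
    smallest = min(covers, key=lambda c: c[0])[1]
    return ({v for k, v in smallest if k == "mnt-routes"}
            or {v for k, v in smallest if k == "mnt-by"})

def classify_routes(text):
    """Map each route: prefix to 'hierarchical' or 'unverified'."""
    objects = parse_rpsl(text)
    return {obj[0][1]: "unverified"
            if covering_maintainers(obj[0][1], objects) <= {OPEN_MNT} else "hierarchical"
            for obj in objects if obj[0][0] == "route"}

print(classify_routes(SAMPLE))
```

A route marked "unverified" here could have been created by anyone who knows the published password, so it says nothing about who holds the address space.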


