Operational question: Building filters from IRRdbs

alex at Relcom.EU.net
Sun Jan 3 17:37:28 UTC 1999


We build config from both RIPE and internal databases, but we use a
two-step process (build database object -> write it to the file -> build
config) and do not allow too many changes to be done at once (if the number
of changes is too large, the system asks for manual confirmation). All this
allows us to prevent troubles from an inaccessible RIPE database or from mistakes.

Btw, it's VERY IMPORTANT to strictly restrict the ability of this system to change
configs - if the daily change is not more than 10 objects and 400 lines (for
all objects that are built), it prevents you from discovering your system totally
broken by a simple programming or operational mistake made by other people.

Alex.
In message <199901030102.BAA13296 at diamond.xara.net> Alex Bligh writes:

>Here's a couple of operational questions for those who build
>filters from IRRdb's.

>Background:

>* peval / rpsl.merit.edu *may* be incorrectly evaluating
>  RIPE database entries currently - but this isn't my main
>  thrust. The scary thing is suddenly what I'm 99% sure used
>  to work (expanding AS Macros) now silently fails if they
>  are in RIPE. [for details see the end]

>* I'm not saying the server is broken (I guess it has something to
>  do with the 'server is running at low priority' line), but if I had
>  this in an automatic filter generating run, it would generate
>  the RADB stuff just fine, and silently filter out all RIPE based
>  peerings. Even if it's working perfectly correctly, the questions
>  are still interesting, at least to me.

>Questions:

>* Does anyone actually build filters without running
>  their own complete database mirror, i.e. do they rely in real
>  time on a database working? If so, which one?

>* Does anyone let this config their routers automatically? To peers,
>  customers, transits, or all three? Or do you rely on humans to
>  reinstall the lists once autogenerated?

>* If it's just a fact of life that occasionally this thing turns up duff
>  data, and if people are in general doing automatic installation, what
>  data validation heuristics are used?

>I'll summarize to the list any off-list replies that are interesting.

>--

>Alex Bligh
>GX Networks (formerly Xara Networks)

>Boring details:

>[ If anyone from merit/isi is interested this is peval (RAToolSet v4.3.1)
>  binaries from the isi site running on Solaris 2.5.1 and I'm
>  sure it was working a little while ago.

>  I can't get peval to produce anything sensible at the moment
>  for anything in a database other than RADB. For instance:

>    opal[amb].158$ ./peval -no-as -T all AS-EUNET
>    Whois: Open rpsl.merit.edu, 43, RADB,MCI,RIPE,ANS,CANET
>    Whois: WriteQuery -V RAToolSet4.3.1 --single --silent -k -r -s
>       RADB,MCI,RIPE,ANS,CANET -u -T as-set AS-EUNET
 
>    Whois: Response 
>    % RIPEdb(3.0.0a13) with ISI RPSL extensions
 
>    % Server is running at low priority for -M, -m and -k queries
 
>    % No entries found in RADB, MCI, RIPE, ANS and CANET database.
 
>    NOT ANY

>  A 'whois -h whois.ripe.net AS-EUNET' demonstrates that this isn't
>  in fact the case.

>  Works for anything in RADB, including my macros which are in both.

>  As I said, I'm not saying the server is broken (I guess it has something to
>  do with the 'server is running at low priority' line), but if I had
>  this in an automatic filter generating run, it would generate
>  the RADB stuff just fine, and silently filter out all RIPE based
>  networks

>]

>-- 
>Alex Bligh
>GX Networks (formerly Xara Networks)


-- 
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
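
A sketch of the change-limit gate described in the reply above, as an added example that is not code from either poster. The dict layout, function names, sample prefixes and the emptied-object check are assumptions; the limits of 10 objects and 400 lines are the ones quoted in the message.

```python
import difflib

MAX_CHANGED_OBJECTS = 10   # daily limits quoted in the message
MAX_CHANGED_LINES = 400

def diff_lines(old, new):
    """Count lines added plus lines removed between two versions of one object."""
    return sum(1 for d in difflib.ndiff(old, new) if d[:2] in ("+ ", "- "))

def review_changes(previous, candidate):
    """Compare the last installed filter objects with a freshly built set.

    Both arguments map an object name (e.g. an as-set) to its generated
    filter lines. Returns (ok, reasons, changed); ok is False when the
    run must wait for manual confirmation instead of being installed.
    """
    reasons, changed = [], {}
    for name in sorted(set(previous) | set(candidate)):
        old, new = previous.get(name, []), candidate.get(name, [])
        n = diff_lines(old, new)
        if n:
            changed[name] = n
        # Assumed extra heuristic: a populated object that now expands to
        # nothing looks like a failed registry query, not a real change.
        if old and not new:
            reasons.append(f"{name}: previously {len(old)} lines, now empty")
    if len(changed) > MAX_CHANGED_OBJECTS:
        reasons.append(f"{len(changed)} objects changed (limit {MAX_CHANGED_OBJECTS})")
    total = sum(changed.values())
    if total > MAX_CHANGED_LINES:
        reasons.append(f"{total} lines changed (limit {MAX_CHANGED_LINES})")
    return (not reasons, reasons, changed)

if __name__ == "__main__":
    # Constructed sample data using documentation prefixes.
    installed = {
        "AS-EXAMPLE-A": ["permit 192.0.2.0/24", "permit 198.51.100.0/24"],
        "AS-EXAMPLE-B": ["permit 203.0.113.0/24"],
    }
    # Simulates a run in which one registry silently returned no entries.
    rebuilt = {"AS-EXAMPLE-A": installed["AS-EXAMPLE-A"], "AS-EXAMPLE-B": []}
    ok, reasons, changed = review_changes(installed, rebuilt)
    print("install" if ok else "hold for manual confirmation", reasons)
```
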


