Level 3's IRR Database

Jeff Wheeler jsw at inconcepts.biz
Sun Jan 30 09:08:45 UTC 2011


On Sun, Jan 30, 2011 at 3:23 AM, Andrew Alston <aa at tenet.ac.za> wrote:
> I've just noticed that Level 3 is allowing people to register space in its IRR database that A.) is not assigned to the people registering it and B.) is not assigned via/to Level 3.

This is not unique to Level3 -- it is the industry standard practice
and has been since the dawn of time.  You must be a Level3 customer to
have a mntner: for publishing to their IRR database (in theory.)

Since there isn't an automatic mechanism for verifying that a given
ISP is really allowed to originate a route (or provide transit for an
AS, etc.) there is simply no practical way to change this at this
time, without processing updates manually (and introducing human error
into that yes/no authorization check.)

IRR is a convenience that many networks rely on.  When done correctly,
this is not a bad idea by any means.

In theory, RPKI will fix the real problem you are addressing -- that
it is really difficult to verify whether or not a neighboring AS is
allowed to carry a given route.  In practice, vendors need to support
it on routers, networks need to upgrade, ARIN (and other RIRs) need to
do their part, and thousands of auto-pilot networks will need to be
hand-held by their ISPs in order to make this happen.  How soon theory
can become reality is not easy to predict.  How many networks have
ubiquitous support for 32 bit ASN?  IPv6?  RPKI is a bastard thing
created out of a perceived (perhaps correctly) need for real security,
when in fact basically all of the events that have led to its creation
(except for some scare-tactic papers and presentations) were not
deliberate.

This brings me to my point, which is that IRR is very good for
preventing accidents and automating some common tasks.  It should be
"secure" to a point, but just because a route: object exists does not
mean that mntner: really has authority over that address space.  You
can pretty much rely on the fact that the given origin AS is
intentionally announcing the route, as opposed to leaking it by
accident.

-- 
Jeff S Wheeler <jsw at inconcepts.biz>
Sr Network Operator  /  Innovative Network Concepts
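
As an added illustration of the distinction Jeff draws above (route: object existence versus actual authority over the space), here is a small comparison of an IRR-style lookup with RFC 6811 route origin validation against a ROA. This is example code written for this page, not code from the thread, Level3, or any registry; every prefix, ASN and maintainer name is a constructed documentation value.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: RFC 5737 documentation prefixes and RFC 5398
# documentation ASNs; none of this comes from the post or any real IRR/RPKI.

@dataclass(frozen=True)
class ROA:
    prefix: str       # covering prefix signed by the resource holder
    max_length: int   # longest more-specific the holder authorizes
    origin_asn: int   # the AS allowed to originate it

# RPKI side: the holder of 192.0.2.0/24 has authorized AS64496 only.
ROAS = [ROA("192.0.2.0/24", 24, 64496)]

# IRR side: (prefix, origin) -> mnt-by. Anyone with a mntner at the registry
# can register a route: object; the registry does not check address-space authority.
IRR_ROUTE_OBJECTS = {
    ("192.0.2.0/24", 64496): "MAINT-HOLDER",
    ("192.0.2.0/24", 64511): "MAINT-OTHER-CUSTOMER",  # not the space's holder
}

def irr_has_route_object(prefix: str, origin_asn: int) -> bool:
    """What an IRR lookup tells you: someone registered this (prefix, origin)."""
    return (prefix, origin_asn) in IRR_ROUTE_OBJECTS

def rpki_origin_state(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed address families, so check version first
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"          # no ROA covers the prefix at all
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"                # covered, but wrong origin or too specific

if __name__ == "__main__":
    for origin in (64496, 64511):
        print(f"192.0.2.0/24 from AS{origin}: "
              f"IRR object={irr_has_route_object('192.0.2.0/24', origin)}, "
              f"RPKI={rpki_origin_state('192.0.2.0/24', origin)}")
```

Both registrations look equally good to the IRR lookup; only the ROA check distinguishes the authorized origin from the other customer's route: object.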
