Newbie Questions: How-to remove spurious IRR records (and keep them out for good)?
job at ntt.net
Mon Nov 2 18:51:10 UTC 2020
On Mon, Oct 26, 2020 at 08:13:19PM +0700, Pirawat WATANAPONGSE wrote:
> I am seeking advice concerning someone else announcing IRR records on
> resources belonging to me.
Change is underway in the IRR ecosystem! The situation we are all used
to is that it is rather cumbersome to get IRR databases to remove IRR
objects. The IRR database operator may not trust your request for object
removal, or is busy doing other things. There was no industry-wide
automated process for IRR object removal.
With the introduction of "RIPE-731" (https://www.ripe.net/publications/docs/ripe-731)
in the RIPE region, the "RIPE-NONAUTH" database has slowly been
shrinking. The RIPE-NONAUTH database exclusively contains IRR objects
covering non-RIPE space. As more and more people create RPKI ROAs, which
in turn provide automated evidence whether objects in RIPE-NONAUTH are
valid or not valid. If an object is found to be invalid, it is deleted.
While RIPE-731 addressed the issue of stale objects in the RIPE-NONAUTH
database, of course it did not change anything for non-RIPE databases.
Most non-RIPE databases use software called "IRRd" (the likes of NTTCOM,
RADB, TC, etc). The IRRd software is the main entrypoint into the IRR
system, and recently IRRd v4.1.0 was released which can automatically
delete RPKI invalid IRR route objects.
A youtube video from last week with some information on IRRdv4 can be
seen here: https://www.youtube.com/watch?v=V9fsU0mNcA4
NTT has not yet upgraded from 4.0.0 -> 4.1.0, we are working on that.
RADB is also investigating a migration path. LACNIC & ARIN already are
on the v4 train.
The moment NTT and RADB have deployed 4.1.0 at rr.ntt.net and
whois.radb.net there will be an industry-wide fully automated IRR
cleanup process running which accomplishes two things:
- stale/rogue/erroneous objects (conflicting with RPKI) are deleted
- new objects which are in conflict with RPKI ROAs cannot be created
Using RPKI to clean up the IRR is a continuous process: this mechanism
helps clean up the past, but also going forward ensures that IRR does
not contain new information which is in conflict with published
cryptographically signed RPKI ROAs.
This 2018 video outlines the strategy how to migrate to an improved
state of internet routing security: https://www.youtube.com/watch?v=3BAwBClazWc
Reality is now nearly synced up to all slides of the deck :-)
More information about the NANOG