Something observed while doing IRR cleanup (generic name collisions)

• Previous message (by thread): Spoofer Report for NANOG for Mar 2022
• Next message (by thread): Something observed while doing IRR cleanup (generic name collisions)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

All,

The dayjob has a LOT of ASes (we peer with a unique AS per-site), so our 
IRR entries are kind of a lot.  When "email templates" was the only way to 
do things, this was really annoying to update and maintain.

I will say that having RPKI roas for the correct ASes for all of our 
entries has given my stale-object-deletion-requests more "authoritah" than 
those requests would have had a few years ago.

Job's excellent IRRexplorer tool has been wonderful in helping figure this 
out and display it all at a glance, and also in finding cases where "we no 
longer peer with this group, but we're still in the as-set", and a few 
where "they peer with us, but not with this AS".

I don't know how many people use irrd or rtconfig or whatever to generate 
your filter-lists.  But even with all the work we (the operator community) 
is doing to widely deploy RPKI and authenicated IRRs, we still have 
stuff like this:

$ whois -h whois.radb.net AS-PEERS | grep 
'as-set\|descr\|source\|members\|^\s*$'
as-set:     AS-PEERS
descr:      autonomous systems that OpenDNS peers with
members:    [like 30 of them, one per line, snipped for brevity]
source:     RADB

as-set:         AS-PEERS
descr:          4b42 Peering Autonomous System Numbers
[no members: line!]
source:         RIPE

as-set:         AS-PEERS
descr:          Peer AS Numbers
members:        AS132251,AS132561,AS132516
source:         APNIC

as-set:         AS-PEERS
descr:          swell.network Peers
members:        AS-HE,AS-NTT
source:         ARIN

..four separate organizations felt it would be clever to create a 
vaguely-named AS-PEERS object, each in a different IRR, because the 
various IRR's all allow this, and don't check for the existence of objects 
in another.  No IRR's require any special names, nor do they block on any 
generic names. No IRR sends a member warnings when their objects exist in 
more than one registry with different data.

I haven't tried to query the peeringdb API to see if any of these are used 
as advertised AS-Sets for public use, or if people just created public 
objects for their own internal tools.  I'm sure this is not the only case 
of this.

This might be why we can't have nice things.

-Dan


-- 

• Previous message (by thread): Spoofer Report for NANOG for Mar 2022
• Next message (by thread): Something observed while doing IRR cleanup (generic name collisions)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]