Something observed while doing IRR cleanup (generic name collisions)
Dan Mahoney (Gushi)
danm at prime.gushi.org
Mon Apr 11 16:56:59 UTC 2022
All,
The dayjob has a LOT of ASes (we peer with a unique AS per-site), so our
IRR entries are kind of a lot. When "email templates" was the only way to
do things, this was really annoying to update and maintain.
I will say that having RPKI ROAs for the correct ASes for all of our
entries has given my stale-object-deletion requests more "authoritah" than
those requests would have had a few years ago.
Job's excellent IRRexplorer tool has been wonderful in helping figure this
out and display it all at a glance, and also in finding cases where "we no
longer peer with this group, but we're still in the as-set", and a few
where "they peer with us, but not with this AS".
I don't know how many people use irrd or rtconfig or whatever to generate
their filter-lists. But even with all the work we (the operator community)
are doing to widely deploy RPKI and authenticated IRRs, we still have
stuff like this:
$ whois -h whois.radb.net AS-PEERS | grep 'as-set\|descr\|source\|members\|^\s*$'
as-set: AS-PEERS
descr: autonomous systems that OpenDNS peers with
members: [like 30 of them, one per line, snipped for brevity]
source: RADB
as-set: AS-PEERS
descr: 4b42 Peering Autonomous System Numbers
[no members: line!]
source: RIPE
as-set: AS-PEERS
descr: Peer AS Numbers
members: AS132251,AS132561,AS132516
source: APNIC
as-set: AS-PEERS
descr: swell.network Peers
members: AS-HE,AS-NTT
source: ARIN
...four separate organizations felt it would be clever to create a
vaguely-named AS-PEERS object, each in a different IRR, because the
various IRRs all allow this, and don't check for the existence of objects
in another. No IRRs require any special names, nor do they block on any
generic names. No IRR sends members a warning when their objects exist in
more than one registry with different data.
I haven't tried to query the peeringdb API to see if any of these are used
as advertised AS-Sets for public use, or if people just created public
objects for their own internal tools. I'm sure this is not the only case
of this.
This might be why we can't have nice things.
-Dan
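As an added example (not from the post or any IRR tool), this script parses whois output like the one above and refuses to expand an as-set whose name exists in more than one registry unless the caller pins the source; the sample output is constructed after the AS-PEERS case, with the RADB members replaced by documentation ASNs (an assumption, since the post snipped them).

```python
from collections import defaultdict
# Constructed sample modelled on the AS-PEERS case; RADB members are documentation ASNs (assumed).
SAMPLE_WHOIS = """\
as-set:     AS-PEERS
descr:      autonomous systems that OpenDNS peers with
members:    AS64496, AS64497, AS64498
source:     RADB

as-set:     AS-PEERS
descr:      4b42 Peering Autonomous System Numbers
source:     RIPE

as-set:     AS-PEERS
descr:      Peer AS Numbers
members:    AS132251,AS132561,AS132516
source:     APNIC

as-set:     AS-PEERS
descr:      swell.network Peers
members:    AS-HE,AS-NTT
source:     ARIN
"""

def parse_rpsl(text):
    """Split whois output into RPSL objects: attribute -> list of values."""
    objects = []
    for block in text.strip().split("\n\n"):        # a blank line ends an object
        obj = defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(":")
            obj[key.strip().lower()].append(value.strip())
        objects.append(dict(obj))
    return objects

def member_set(obj):
    """Normalise 'members:' (comma-separated, possibly repeated lines) to a set."""
    return {m.strip().upper() for v in obj.get("members", []) for m in v.split(",") if m.strip()}

def definitions(objects, name, cls="as-set"):
    """{IRR source: members} for every object of class cls named `name`."""
    return {o["source"][0].upper(): member_set(o)
            for o in objects if cls in o and o[cls][0].upper() == name.upper()}

def resolve(objects, name, source=None, cls="as-set"):
    """One-level expansion that refuses to guess when the name exists in several IRRs."""
    defs = definitions(objects, name, cls)
    if source:
        return defs[source.upper()]          # caller pinned the registry explicitly
    if len(defs) != 1:
        raise ValueError(f"{name}: found in {sorted(defs)}, pin a source")
    return next(iter(defs.values()))
```

Running `definitions()` over the output of a real whois query before feeding a name into filter generation shows at a glance whether a generic name like AS-PEERS is ambiguous.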