Internet2 Routing Working Group Merit Route Registry Update July 30, 2002 Larry Blunk.


Internet2 Routing Working Group
Merit Route Registry Update
July 30, 2002
Larry Blunk
Agenda
Introductions
I2RR Status
IRRd Update
RADB Status
RPSL Issues (RPSLng/Authorization)
Web interface for Registry
Timelines
Web interface demo
Questions
Introductions - Merit staff
Merit route registry staff
Deb Evans - project manager
Engineers
Larry Blunk - lead engineer
Jake Khuon - lead architect
Not present - Dale Fay, Chris Frazier
University of Michigan NOC provides 24x7 frontline support
I2RR Status
I2RR introduced in September 2000
Web page at www.radb.net/i2rr
Has not been actively embraced by Internet2 community
Merit staff departures in 2000/2001 led to lack of responsiveness
Has restaffed project over the last 12 months
Merit would like to get clarity regarding the role of the I2RR in the Internet2 community. Merit believes the service is important, but needs to understand Internet2's commitment to using it going forward
IRRd Update
Reviewed state of code in June 2001
Initial goals
Fix memory leaks and other significant bugs (zombie processes)
Portability enhancements
Targeted Linux and FreeBSD in addition to Solaris
Code clean-up (compiler warnings, etc.)
RFC 2622 RPSL compliance
Mandatory attributes and parsing correctness
IRRd Update...
Initial goals cont'd...
Documentation updates
Support for GnuPG
Performance issues
IRRd 2.1 released in September 2001
Several releases since (now at 2.1.4)
Next release to support inverse lookups on maintainer names and performance improvements
Available at www.irrd.net
RADB Status
RPSL compliance has been addressed
Objects missing mandatory attributes
Attributes with invalid values
Orphaned objects cleaned up
Maintainers deleted, but objects remain in the database with mnt-by referring to maintainer
Approximately 1600 paid maintainers
Around 3000 maintainers at start of year
Source of stale data (defunct/acquired companies)
New maintainers continue to be added daily
RADB Consistency
RADB consistency checks currently an ongoing project
Route objects with prefixes which have been aggregated, announced by another AS, unrouted
Announced prefixes not registered in RADB
Aut-num objects with import/export policy which does not match observed policy in announced prefixes (for example, AS PATH)
RADB Consistency Analysis
Recent analysis of route object consistency with global routing tables
75530 route objects - compare prefix/originAS
50.8% exact or less specific prefix/match AS
35.8% exact or less specific prefix/different AS
13.4% no match (exact or less specific prefix)
[Chart: Route Object Validity, with legend entries Valid, Invalid, Unrouted]
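The prefix/originAS comparison behind the three percentages above can be sketched as follows. This is an added example, not Merit's tooling: the function names, the category labels and the sample data are assumptions, and "match" is read as "some announced prefix equal to or less specific than the route object's prefix".

```python
import ipaddress

# Constructed sample data (documentation prefixes, private-use ASNs);
# not taken from RADB or from any real routing table.
BGP_TABLE = [
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64501),
    ("203.0.113.0/24", 64502),
    ("2001:db8::/32", 64503),
]
ROUTE_OBJECTS = [
    ("192.0.2.0/24", 64500),       # exact prefix, same origin
    ("198.51.100.128/25", 64501),  # covered by a less specific, same origin
    ("203.0.113.0/24", 64999),     # exact prefix, different origin
    ("2001:db8:1::/48", 64503),    # IPv6, covered by a less specific
    ("10.1.0.0/16", 64500),        # nothing announced covers it
]

def covering_origins(prefix, table):
    """Origin ASes of announcements equal to or less specific than prefix."""
    net = ipaddress.ip_network(prefix)
    origins = set()
    for announced, origin in table:  # linear scan; fine for a small sample
        ann = ipaddress.ip_network(announced)
        if ann.version == net.version and net.subnet_of(ann):
            origins.add(origin)
    return origins

def classify(prefix, origin, table):
    """Return 'match-as', 'different-as' or 'no-match' for one route object."""
    origins = covering_origins(prefix, table)
    if not origins:
        return "no-match"
    return "match-as" if origin in origins else "different-as"

def summarize(objects, table):
    """Percentage of route objects in each category, one decimal place."""
    counts = {"match-as": 0, "different-as": 0, "no-match": 0}
    for prefix, origin in objects:
        counts[classify(prefix, origin, table)] += 1
    return {k: round(100.0 * v / len(objects), 1) for k, v in counts.items()}

if __name__ == "__main__":
    for prefix, origin in ROUTE_OBJECTS:
        print(prefix, f"AS{origin}", classify(prefix, origin, BGP_TABLE))
    print(summarize(ROUTE_OBJECTS, BGP_TABLE))
```

An announcement that is only more specific than the registered prefix does not count as a match here, which mirrors the "exact or less specific" wording of the analysis.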
Registry Maintainer reports
Developing per maintainer reports
Details number and type of objects
Consistency with observed routing policy
Route object prefix/originAS correctness
Aut-num policy compared with AS Path info
Provide an optional monthly email report as well as web based reports
Allow maintainers to easily correct discrepancies
Working with RIPE NCC to coordinate development efforts on consistency checking tools
RPSLng
IPv6/Multicast support not defined in RFC2622
RPSLng task force formed to address issue
Mailing list - [email protected]
Archive - www.ripe.net/ripe/mail-archives/rpslng
Internet Draft submitted by Florent Parent in January (draft-parent-multiprotocol-rpsl-00.txt)
Draft addresses the following classes: route, route-set, peering-set, aut-num, inet-rtr, filter-set
Attempted to extend the syntax of existing attributes rather than creating new attribute names
RPSLng ...
There was considerable concern that simply extending attributes may break existing tools
Informal meeting held at March 2002 IETF
Consensus reached on RPSLng attributes
Will create new attribute names to avoid breaking tools
RPSLng examples
Example of new route object for IPv6
mp-route: afi ipv6 3ffe:ffff::/28
origin: AS1
Example of aut-num object
aut-num: AS2
mp-import: afi ipv6.unicast from AS1 accept {3FFE:FFFF::/35};
RPSL Authentication security
PGP is currently strongest mechanism
MAIL-FROM is very weak due to ease of mail spoofing
Confirmation messages provide some assurance
CRYPT-PW suffers from short password support (8 characters) and dictionary attack vulnerability
Email submission of RPSL objects protected by CRYPT-PW requires sending cleartext password
RPSL Authentication updates
RIPE 41 meeting addressed current weaknesses in RPSL authentication
RIPE to phase out support of MAIL-FROM
New password-based auth mechanism based on FreeBSD's MD5-CRYPT
Allows passwords much longer than 8 characters and is more resistant to dictionary attacks
Merit to move to Web-based form with SSL encryption and phase-out of MAIL-FROM
Considering hiding password hashes to prevent dictionary attacks
Will continue to support PGP for mail based updates
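A registry-side audit of the authentication schemes discussed on the two slides above, as an added example that is not Merit's or RIPE's code. RFC 2622 accepts an update that satisfies any one of a maintainer's auth attributes, so the weakest listed scheme decides the real protection. Assumptions: the scheme spellings MD5-PW and PGPKEY-<id>, the function names, and the constructed sample objects with placeholder credentials.

```python
# Ranking follows the slides: MAIL-FROM weakest, then CRYPT-PW, then the
# MD5-CRYPT based scheme, with PGP strongest. The spellings MD5-PW and
# PGPKEY-<id> are assumed registry conventions, not quoted from the slides.
STRENGTH = {"NONE": 0, "MAIL-FROM": 1, "CRYPT-PW": 2, "MD5-PW": 3, "PGPKEY": 4}

# Constructed maintainer objects; names and credentials are placeholders.
SAMPLE = """\
mntner: MAINT-EXAMPLE-A
auth: PGPKEY-0A1B2C3D
auth: MAIL-FROM .*@example\\.net

mntner: MAINT-EXAMPLE-B
auth: CRYPT-PW XXXXXXXXXXXXX

mntner: MAINT-EXAMPLE-C
auth: PGPKEY-11223344
"""

def parse_mntners(text):
    """Return {mntner name: [auth scheme, ...]} from RPSL-style text."""
    result = {}
    for block in text.strip().split("\n\n"):
        name, schemes = None, []
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "mntner":
                name = value
            elif attr == "auth" and value:
                token = value.split()[0].upper()
                schemes.append("PGPKEY" if token.startswith("PGP") else token)
        if name:
            result[name] = schemes
    return result

def effective_scheme(schemes):
    """Any one auth line authorizes an update, so the weakest one governs."""
    return min(schemes, key=lambda s: STRENGTH.get(s, 0)) if schemes else "NONE"

def audit(text, minimum="MD5-PW"):
    """Maintainers whose effective scheme is weaker than `minimum`."""
    floor = STRENGTH[minimum]
    findings = {}
    for name, schemes in parse_mntners(text).items():
        eff = effective_scheme(schemes)
        if STRENGTH.get(eff, 0) < floor:
            findings[name] = eff
    return findings
```

MAINT-EXAMPLE-A is reported despite its PGP key because the MAIL-FROM line alone is enough to authorize a change.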
Registry Web interface
Augment existing mail update process with a web based interface
Provides a more intuitive interface (particularly for new users unfamiliar with email based submissions)
Security improvement for maintainers with password based authentication (SSL encryption instead of cleartext in email)
Timelines
Web interface to be completed by August 31
RPSLng to be discussed at RIPE 43 meeting in early September and should be finalized by end of September
Merit targeting RPSLng implementation by the end of October
Consistency checking tools being coordinated with RIPE. Ongoing effort with initial maintainer reports to be available in November