Hey!
I am peering with Atlantic Metro at DE-CIX. Their IRR record is "AS-AMC". I have noticed recently some invalid prefixes:
$ bgpq3 -4 -R 24 -m 24 -A -J -E AS-AMC
[...]
route-filter 1.0.0.0/24 exact;
route-filter 1.1.1.0/24 exact;
I didn't check which members of the macro pulled those prefixes (is there an easy way to get where it comes from?) but I thought information from IRR records was vetted by RIR. It seems this is not the case. Is it because some RIRs don't check anything or just because there is no way to secure such a macro? In this case, what is the best practice when peering with such a transit provider?
Thanks!
❦ 10 mars 2018 23:02 +0100, Vincent Bernat bernat@luffy.cx :
> I am peering with Atlantic Metro at DE-CIX. Their IRR record is "AS-AMC". I have noticed recently some invalid prefixes:
> $ bgpq3 -4 -R 24 -m 24 -A -J -E AS-AMC
> [...]
> route-filter 1.0.0.0/24 exact;
> route-filter 1.1.1.0/24 exact;
> I didn't check which members of the macro pulled those prefixes (is there an easy way to get where it comes from?) but I thought information from IRR records was vetted by RIR. It seems this is not the case. Is it because some RIRs don't check anything or just because there is no way to secure such a macro? In this case, what is the best practice when peering with such a transit provider?
Those two routes are from CloudFlare (just got it by luck):
http://irrexplorer.nlnog.net/search/AS13335
So ARIN doesn't check anything?
Hey Vincent
Back in 2015 there was a community consultation on the topic and it seems that ARIN is finally making progress when it comes to IRR route validation. You might want to read the announcement made in January: https://www.arin.net/announcements/2018/20180109.html
Enjoy your weekend!
Cheers, Manuel
Vincent,
Did you try contacting radb.net or the ARIN first? Their answers would be interesting about it.
My 2 cents,
❦ 11 mars 2018 09:49 +0100, Vincent Jardin vincent.jardin@6wind.com :
> Did you try contacting radb.net or the ARIN first? Their answers would be interesting about it.
As I am not familiar with how things work, I did not. But I have mailed CloudFlare NOC.
On 11.03.2018 09:54, Vincent Bernat wrote:
> ❦ 11 mars 2018 09:49 +0100, Vincent Jardin vincent.jardin@6wind.com :
>> Did you try contacting radb.net or the ARIN first? Their answers would be interesting about it.
> As I am not familiar with how things work, I did not. But I have mailed CloudFlare NOC.
I found Job's presentation "IRR 101" [0] very useful. Absolutely worth diving into.
Cheers Arnold
[0] https://events.dknog.dk/event/1/contributions/20/attachments/9/10/DKNOG8_IRR...
On Sun, Mar 11, 2018 at 11:28:45AM +0100, Arnold Nipper wrote:
> On 11.03.2018 09:54, Vincent Bernat wrote:
>> ❦ 11 mars 2018 09:49 +0100, Vincent Jardin vincent.jardin@6wind.com :
>>> Did you try contacting radb.net or the ARIN first? Their answers would be interesting about it.
>> As I am not familiar with how things work, I did not. But I have mailed CloudFlare NOC.
> I found Job's presentation "IRR 101" [0] very useful. Absolutely worth diving into.
> [0] https://events.dknog.dk/event/1/contributions/20/attachments/9/10/DKNOG8_IRR...
Thanks Arnold for looping me in.
As to the OP's question:
- ARIN IRR does _not_ perform validation at this point in time. The only check is whether the prefix is already covered by another prefix or not.
- RADB IRR does _not_ perform validation, the only check is whether the prefix is already covered by another prefix.
RADB support is quite responsive when you notify them of errors in the data, more responsive than some of the RIRs even.
ARIN is currently soliciting feedback from the community on what the future of their IRR service should be. John Curran from ARIN gave a presentation at NANOG 72.
slides: https://pc.nanog.org/static/published/meetings/NANOG72/1618/20180220_Curran_...
video: https://youtu.be/tsWq_LgNS5s
Kind regards,
Job
ps. ARIN also has a WHOIS database which contains routing information. :-)
pps. ARIN also has an RPKI repository which contains routing information. :-)
❦ 11 mars 2018 09:54 +0100, Vincent Bernat bernat@luffy.cx :
>> Did you try contacting radb.net or the ARIN first? Their answers would be interesting about it.
> As I am not familiar with how things work, I did not. But I have mailed CloudFlare NOC.
They told me the entries are legit as they are running some experiments with APNIC from their ASN.
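
Added example (not part of the thread and not any poster's code): one way to answer the opening question of which as-set member brings a given prefix into the expansion, by walking the membership tree and recording the chain down to each origin AS that has a matching route object. The as-set names, ASNs and prefixes are constructed from documentation ranges, not real IRR data, and matching is on exact prefix only.

```python
import ipaddress

# Constructed IRR objects (documentation ASNs and prefixes, not real registry data).
# as-set name -> members (ASNs or further as-sets)
AS_SETS = {
    "AS-EXAMPLE": ["AS64496", "AS-EXAMPLE-CUSTOMERS"],
    "AS-EXAMPLE-CUSTOMERS": ["AS64497", "AS-EXAMPLE-RESELLER"],
    "AS-EXAMPLE-RESELLER": ["AS64498", "AS-EXAMPLE"],  # points back at the root
}
# origin AS -> prefixes of the route objects registered with that origin
ROUTES = {
    "AS64496": ["192.0.2.0/24"],
    "AS64497": ["198.51.100.0/24"],
    "AS64498": ["203.0.113.0/24", "198.51.100.0/24"],
}


def trace_prefix(root, prefix, as_sets=AS_SETS, routes=ROUTES):
    """Return each membership chain from `root` down to an origin AS
    that has a route object exactly equal to `prefix`."""
    target = ipaddress.ip_network(prefix)
    chains, seen = [], set()

    def walk(name, path):
        if name in seen:  # as-sets can reference each other: visit each object once
            return
        seen.add(name)
        path = path + [name]
        if name in as_sets:
            for member in as_sets[name]:
                walk(member, path)
        elif any(ipaddress.ip_network(r) == target for r in routes.get(name, [])):
            chains.append(path)

    walk(root, [])
    return chains


if __name__ == "__main__":
    for chain in trace_prefix("AS-EXAMPLE", "198.51.100.0/24"):
        print(" -> ".join(chain))
```

Because neither registry named in the thread validates who may register a route object, a chain found this way shows where a filter entry comes from, not that the origin is entitled to the prefix.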