North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Has PSI been assigned network 1?
Dale, thanks for the informative response (much better than our regularly scheduled flames). Few remarks: > 1) The availability of useful tools (such as prtraceroute) that will > only work correctly across you network if your data is registered > correctly. (Even if you don't use these tools, your neighbor ISPs > may start sending you prtraceroutes across your network that show your > routing or your policy description is wrong). Long time ago i asked our friends at cisco to do the neat thing which in many cases does what prtraceroute would do (note AS tags). Granted, it does not check correspondence with registry data :) SL-DC-1>trace sovcom.kiae.su Translating "SOVCOM.KIAE.SU"...domain server (22.214.171.124) [OK] Type escape sequence to abort. Tracing the route to SOVCOM.KIAE.SU (126.96.36.199) 1 SL-DC-8-F0/0.SPRINTLINK.NET (188.8.131.52) 4 msec 0 msec 4 msec 2 SL-MAE-E-H2/0-T3.SPRINTLINK.NET (184.108.40.206) 8 msec 0 msec 4 msec 3 VIENNA1.VA.ALTER.NET (220.127.116.11) [AS 701] 12 msec 4 msec 4 msec 4 VIENNA3.VA.ALTER.NET (18.104.22.168) [AS 701] 4 msec 96 msec 4 msec 5 AMSTERDAM2.NL.EU.NET (22.214.171.124) [AS 286] 88 msec 204 msec 220 msec 6 AMSTERDAM6.NL.EU.NET (126.96.36.199) [AS 286] 108 msec 104 msec 104 msec 7 HELSINKI1.FI.EU.NET (188.8.131.52) [AS 286] 200 msec 172 msec 128 msec 8 STPETERSBURG.RU.EU.NET (184.108.40.206) [AS 286] 188 msec 196 msec * 9 MOSCOW-M9-2.RELCOM.EU.NET (220.127.116.11) [AS 2118] 204 msec 188 msec 260 msec 10 MOSCOW-KIAE-3.RELCOM.EU.NET (18.104.22.168) [AS 2118] 256 msec 388 msec 424 msec 11 SOVCOM.KIAE.SU (22.214.171.124) [AS 2118] 240 msec 248 msec 188 msec SL-DC-1> > 2) The registry is the method by which you specify your policy for > the Route Servers (if you use them). Yes. That's the point -- RSes aren't immediately useful (at least with our particular setup), and registry will not have accurate data if that data is not used to actually do routing. > 3) Some other major ISPs will not route nets that are not registered. My private communications with engineering people of several major ISPs indicate that they're essentially in the same position re. RS as we are. >The email interface to the RADB and IRR is one that has been running at >RIPE for a couple of years (also an email/template interface). e-mail is fine when you file one change a week. When you have to keep a full-time person just to process NACRs (as we are) things are different. >RIPE's user community lists improving the user interface as a rather low >priority. Yeah -- but that is exactly what can kill IRR in US. >Nonetheless, the code is structured in such a way that >telnet, web, or other interfaces would be extremely easy to integrate >(once authentication was established). What kind of interface would >you like to see? telnet & web. Also, some formalized interface for direct database interaction is necessary. We configure routers automatically when implementation people create appropriate recodrs in our internal database. We'd like to do that with entering routing data as well. E-mail is not sufficient because you have to parse replies. I would prefer SMTP-style interface, so when our database program is used to configure routing it can automatically connect the IRR and update it. There should be two different IRR machines for AS owners only (the one which allows updates) and the one which responds on queries from the general public, so we can get reasonable responsiveness, w/o "please try again"s. >How often >ISPs choose to regenerate their config files is a separate question. >(I think everyone is planning updates more frequently than twice per >week now). This is inacceptable. It should be done immediately; or people will simply ignore the whole thing (why should we wait when we simply can establish BGP peering, so it will work immediately?) >If you want to add a net to the IRR and then have that change immediately >reflected in the configuration files of all ISPs who do full net-based >filtering, you may have to have some discussions with them. (But the >data will be there and waiting in the registry). No, there should be some protocol for dynamic updating ISP's copies of the database. > There should be well-defined and useful interface to service > providers databases. >I'm not sure what you mean by this. If you issue the command: "whois >-h whois.ra.net <net>" It is retrieval. It is not interactive modification. (And it is slow. I would like to be able to establish a connection and do a thousand of queries. Some my nasty scripts call whois several thousand times.) It also lacks query functions (what are all networks i'm supposed to hear from peer X?, which networks Lollypop Inc. owns?) For example, one menu of Sprint's internal database: Please enter customer ID [type Return if not known]: You may try to find the customer by: 1) Organization name 2) City name 3) Name of a person 4) Telephone/fax number 5) E-mail address 6) IP network address 7) Dial-in phone number Your choice? >> It should be secure. >This has lots of aspects. We have implemented PGP for the interface >(not yet released), and are working with the CERT to establish that >other security concerns are addressed. More specific discussion is >welcome on a smaller list. It should be _very_ secure. It would be very attractive target for hackers. PGP is fine; what about security for on-line interfaces; and who guarantees security of RS machines? A multimillion corporation cannot put its business at risk of being dependent on a machine controlled by somebody else, w/o contractual obligations on adequate security. [I understand that i want too much, but then...] >Yes, we were listening in Boulder. Some enhancements (to support >AS-path expressions) have all ready been coded, and Cengiz Alaettinoglu >and Daniel Karrenberg have all ready set up an IETF working group with >an aggressive schedule for implementing for an enhanced language. >(An early version of the implementation is started, I believe). Glad to hear that :) --vadim