nanog mailing list archives

Re: Questions about IRR best practices


From: Job Snijders via NANOG <nanog () nanog org>
Date: Fri, 22 Oct 2021 15:50:45 +0200

Dear Lee,

*ring ring* - "IRR/RPKI helpdesk how may I help you today?" :-)

On Fri, Oct 22, 2021 at 08:25:10AM -0500, Lee Fawkes wrote:
> I have a couple of questions about best practices for Internet Routing
> Registries. I'm able to find lots of documentation about *how* to do
> things, but not a lot of documentation about when I *should* do things. I
> work for a medium-sized ISP in the US, and we are currently using both RADb
> and the ARIN IRR. We peer all over the place, but my main concern is how
> Cogent and Hurricane Electric build prefix filters from our IRRs.
>
> 1. Netflix is asking us to add the AS of a downstream customer of one of
> our customers to our customer AS-SET. We have a direct relationship with
> this organization's provider, but not with this organization itself. Is
> this appropriate?

Another way to satisfy this request is to ask the organization's
provider to create an AS-SET (preferably RIR-operated IRR such as
ARIN, RIPE, etc), and then reference their AS-SET on your own AS-SET.
IRR AS-SETs permit both referencing AS Numbers and AS-SETs as 'members:'.

> 2. On the ARIN side, when ARIN-NONAUTH goes away next year, does that
> do away with our ability to do proxy route objects? Do we need to
> require all of our BGP customers to set up their own IRRs?

The industry trend (very noticeable the last 3 years) is that the ability
to create proxy route object registrations is slowly fading away.

At first glance proxy registrations seem better than 'no
registration', the downside is that anyone can create proxy
registrations for any prefix: proxies are not very safe!

The recommendation is that each and every IP resource holder creates IRR
and/or RPKI objects themselves, or delegates the authority to do so to
their service provider.

These days everyone wants to see firm cryptographic proof!

> 3. On the RADb side, if we're turning up a new customer that doesn't have
> an IRR, and another ISP already has a proxy registration for that customer,
> is it sufficient for us to add that customer's AS to our customer AS-SET?

Technically this is likely to work, but the downside is that you end up
with a hard dependency on another ISP's proxy registration. If for
whatever reason that registration lapses (failure to pay bills, M&A, who
knows) ... you might end up with a hard to troubleshoot situation where
it is not immediately clear "it was working yesterday, but not today?!".

The best course of action is to ensure that objects are either managed
by yourself, or by the customer, so the responsibilities and object
ownership are clear to everyone involved.

> I've been getting around the fact that RADb doesn't allow multiple
> proxy registrations by registering proxy route objects in
> ARIN-NONAUTH, but that won't be an option much longer, and I can't
> really experiment with our customers' route objects to see what works.

A great tool to gain some insight into various IRR/BGP/RPKI data sources
and what the registration status of various objects might mean can be
found at this awesome tool: https://irrexplorer.nlnog.net/

Follow up questions welcome!

Kind regards,

Job
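
An added example, not part of the original message: a Python sketch that expands a customer AS-SET recursively (AS-SETs may list both AS numbers and other AS-SETs as 'members:') and reports origins covered only by a route object under an outside maintainer, or by none at all, which is the dependency described in the answer to question 3. The RPSL text, set names and maintainer names are constructed; `trusted_mnts` is assumed to be the maintainers belonging to you or your customers.

```python
import re
# Constructed RPSL sample: documentation ASNs/prefixes, hypothetical set and maintainer names.
SAMPLE = """\
as-set:  AS64500:AS-CUSTOMERS
members: AS64501, AS64510:AS-CUSTOMERS

as-set:  AS64510:AS-CUSTOMERS
members: AS64510, AS64511
members: AS64500:AS-CUSTOMERS

route:   192.0.2.0/24
origin:  AS64511
mnt-by:  MAINT-AS64511

route:   198.51.100.0/24
origin:  AS64501
mnt-by:  MAINT-OTHER-ISP
"""

def load(text):
    """Parse RPSL into {as-set name: [members]} and [(prefix, origin, maintainer)]."""
    sets, routes = {}, []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = [tuple(p.strip() for p in l.split(":", 1)) for l in block.splitlines() if ":" in l]
        kind, key = attrs[0]
        if kind == "as-set":  # 'members:' may repeat and may be comma-separated
            sets[key.upper()] = [m.strip().upper() for a, v in attrs if a == "members"
                                 for m in v.split(",") if m.strip()]
        elif kind in ("route", "route6"):
            routes.append((key, dict(attrs)["origin"].upper(), dict(attrs)["mnt-by"]))
    return sets, routes

def expand(name, sets, seen=None):
    """Resolve an AS-SET to AS numbers; 'seen' stops reference loops between sets."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    parts = [{m} if re.fullmatch(r"AS\d+", m) else expand(m, sets, seen) for m in sets.get(name, [])]
    return set().union(*parts)

def audit(name, text, trusted_mnts):
    """Return (asn, prefix, maintainer) per outside-maintained route object;
    (asn, None, None) marks an origin with no route object at all."""
    sets, routes = load(text)
    findings = []
    for asn in sorted(expand(name, sets)):
        objs = [(p, m) for p, o, m in routes if o == asn] or [(None, None)]
        findings += [(asn, p, m) for p, m in objs if m not in trusted_mnts]
    return findings
```

With the sample data, `audit("AS64500:AS-CUSTOMERS", SAMPLE, {"MAINT-AS64511"})` reports AS64501 as depending on another party's registration and AS64510 as having no route object.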

