Professional Documents
Culture Documents
Sanog21 Apnic-Irm
Sanog21 Apnic-Irm
APNIC Training
Introduction
• Instructors
1
8/17/09
Overview
• IRMe
– Introduction to APNIC
– APNIC policy development process
– Internet registry policies
– Defining an Addressing Plan
– IP address request
– Second opinion request
– IPv6 Overview
– APNIC Whois database
– MyAPNIC
– Autonomous System Numbers
– Reverse DNS
– Summary
What is APNIC?
• Regional Internet Registry (RIR) for the Asia
Pacific region
– One of five RIRs currently operating around the world
– Non-profit, membership organisation
2
8/17/09
Schedule:
http://www.apnic.net/training
http://www.apnic.net/community/lists/
APNIC is NOT
• A network operator
– Does not provide networking services
• Works closely with APRICOT forum
• A standards body
– Does not develop technical standards
• Works within IETF in relevant areas (IPv6 etc)
3
8/17/09
APNIC membership
NP, 1%
LK, 1%
AF, 1%
MN, 1%
Others, 5%
TW, 1%CN, 1%
KH, 1%
ID, 2%
AU, 27%
PK, 3%
MY, 3%
JP, 4%
TH, 4%
AP, 4%
IN, 12%
SG, 4%
PH, 5%
BD, 5% HK, 9%
NZ, 6%
Unit /8
12 http://www.apnic.net/stats/o3/ as of 26/03/2009
4
8/17/09
ARIN LACNIC
• ASO receives global policies and policy process details from the NRO
• ASO forwards global policies and policy process details to ICANN board
Questions?
5
8/17/09
6
8/17/09
Need
Evaluate Discuss
Implement Consensus
20
7
8/17/09
Questions?
Policies
8
8/17/09
Assignment
“A block of address space used to address an
operational network”
• May be provided to ISP customers, or used for an ISP’s
infrastructure (‘self-assignment’)
APNIC Member
/22
Allocates Assigns
to downstream to end-user Member Allocation
Downstream /24
Assigns Sub-
to end-user Allocation
Non-portable Assignments
– Customer uses ISP’s address space
• Must renumber if changing ISP
– Only way to effectively scale the Internet
Portable allocations
– Allocations made by APNIC/NIRs”
9
8/17/09
Conservation Aggregation
• Efficient use of resources • Limit routing table growth
• Based on demonstrated need • Support provider-based routing
Registration
• Ensure uniqueness
• Facilitate trouble shooting
10
8/17/09
Sustainable
growth?
Dot-Com
boom
Projected routing
table growth
without CIDR
CIDR
deployment
http://bgp.potaroo.net/as1221/bgp-active.html
11
8/17/09
APNIC /8
/22
Member
allocation
Non-portable Portable
assignment assignment
• Classless assignments
• showing use of VLSM
• Size of allocation
– Sufficient for up to 12 months requirement
12
8/17/09
Portable assignments
• Small multihoming assignment policy
– For (small) organisations who require a portable
assignment for multi-homing purposes
Criteria
1a. Applicants currently multihomed APNIC /8
OR
1b. Demonstrate a plan to multihome within 1
month
/22
2. Agree to renumber out of previously Member allocation
assigned space
Demonstrate need to use 25% of requested
space immediately and 50% within 1 year Non-portable Portable
assignment assignment
Sub-allocations
APNIC Member
Allocation /22
/24
Sub-allocation
/27 /26 /25 /26 /27
Customer Assignments Customer Assignments
13
8/17/09
Sub-allocation guidelines
• Sub-allocate cautiously
– Seek APNIC advice if in doubt
– If customer requirements meet min allocation criteria:
• Customers should approach APNIC for portable allocation
• Efficient assignments
– ISPs responsible for overall utilisation
• Sub-allocation holders need to make efficient assignments
• Database registration (WHOIS Db)
– Sub-allocations & assignments to be registered in the
db
14
8/17/09
Questions?
Requesting IP Resources
44
IP Address Request
• You are required to be an APNIC member
in order to initiate your IP Address
Request.
• However you can apply for membership
and an initial address allocation at the
same time.
• http://www.apnic.net/services/become-a-
member
45
15
8/17/09
Streamline processes
Applicant details
Organisation details
Membership and
Membership only Internet number resources
Additional information
• Ticketing system
– Every request is assigned a ticket
• Please keep # in subject line of email eg.
– [APNIC #14122] [CHINANET-CN]
16
8/17/09
17
8/17/09
• Deployment plan
– Give details of phases of deploying equipment
• does deployment plan match information in
network-plan fields?
• Miscellaneous
– Anything not covered by the form, anything
unusual also can be declared
• Supplementary information very useful to the
hostmaster when evaluating your request
18
8/17/09
Additional Information
- Renumbering & Return Policy
• Renumbering?
– one-for-one exchange to assist renumbering
– needs confirmation from upstream ISP to confirm
renumbering will take place
Evaluation by APNIC
• All address space held should be
documented
• Check other RIR, NIR databases for historical
allocations
First allocation
• Must meet criteria
• (discussed in policy section)
• Requires clear detailed and accurate request
• Implementation of ‘Best Current Practice’
• Efficient assignments planned
• Always a /22 ‘slow start’
• Exceptions made for very large networks
but not common
19
8/17/09
Subsequent allocations
• 80% overall utilisation
• Unless large assignment pending
Addressing plan
• To complete documentation
– First need a technical PLAN
• Documenting the architecture of the present and
eventual goal
20
8/17/09
Some icons
Router
(layer 3, IP datagram forwarding)
Ethernet switch
(layer 2, packet forwarding)
Addressing plan
• Identify components of network
– Customer services
– ISP internal infrastructure
Network plan
• Starting off
Interconnected resilience
Upstream
ISP Leased line services
5-8 customers
21
8/17/09
Network plan
‘ip unnumbered’
to upstream ISP one loopback interface per
assigned router /32
‘ip unnumbered’
10 hosts 5 hosts
to customers
15 hosts
Addressing plan
• Initial addressing plan
Network plan
• 6 months later increased number of
– scale increased leased line customers
– redundancy Upstream 5-8 → 30 leased
ISP
line
customers
increased number of
hosts on all LANs
10 → 16
5 →11 hosts
name-based replaced original
hosts-
Servers
modem
added new dial up
equipment
60 dialup 16 → 60
modems (2PRI)
15 → dialup
modems (2PRI)
25 hosts-
NOC
22
8/17/09
Addressing plan
Changed description
New hardware
Network plan
redundancy of WAN connections
• 12 months total now numbered links for BGP4
– site redundancy added new
Upstream
– greater complexity ISP A
customer router
– efficiency 30 → 60 leased
Upstream line
ISP B customers
ip unnumbered
11 hosts
16 →
35 host
60 → 240 60 → 240
dialup 40 hosts dialup
modems (8PRI) modems (8PRI)
two pieces of
essential equipment
8 hosts
Addressing plan
69
23
8/17/09
Addressing plan
Addressing plan
Addressing plan
24
8/17/09
Addressing plan
Questions?
25
8/17/09
Assignment Window
• Size of assignment window
– Evaluated after about three 2nd-opinion
requests
– Increased as member gains experience and
demonstrates understanding of policies
• Assignment window may be reduced, in rare
cases
• Why an assignment window?
– Monitoring ongoing progress and adherence
to policies
– Mechanism for member education
26
8/17/09
Important:
Unregistered assignments are considered as "unused"
27
8/17/09
Customer assignment
• Member updates internal records
– Select address range to be assigned
– Archive original documents sent to APNIC
– Update APNIC database
Questions?
IPv6 Overview
28
8/17/09
Rationale
• Address depletion concerns
– Squeeze on available addresses space
• Probably will never run out, but will be harder to
obtain
– End to end connectivity no longer visible
• Widespread use of NAT
IPv6 addressing
• 128 bits of address space
• Hexadecimal values of eight 16 bit fields
• X:X:X:X:X:X:X:X (X=16 bit number, ex: A2FE)
• 16 bit number is converted to a 4 digit hexadecimal number
• Example:
• FE38:DCE3:124C:C1A2:BA03:6735:EF1C:683D
– Abbreviated form of address
• 4EED:0023:0000:0000:0000:036E:1250:2B00
→4EED:23:0:0:0:36E:1250:2B00
→4EED:23::36E:1250:2B00
(Null value can be used only once)
29
8/17/09
– Multicast
• An identifier for a group of
nodes
30
8/17/09
• Aggregation
– Hierarchical distribution
– Aggregation of routing information
– Limiting number of routing entries advertised
• Minimise overhead
– Associated with obtaining address space
31
8/17/09
Subsequent allocation
• Must meet HD = 0.94 utilisation requirement of
previous allocation (subject to change)
• Other criteria to be met
– Correct registrations (all /48s registered)
– Correct assignment practices etc
• Subsequent allocation results in a doubling of
the address space allocated to it
– Resulting in total IPv6 prefix is 1 bit shorter
– Or sufficient for 2 years requirement
32
8/17/09
IPv6 utilisation
• Utilisation determined from end site
assignments
– ISP responsible for registration of all /48 assignments
– Intermediate allocation hierarchy not considered
RFC 3194
“In a hierarchical address plan, as the size of the allocation increases, the density of
assignments will decrease.”
33
8/17/09
Questions:
email: helpdesk@apnic.net
Helpdesk chat: http://www.apnic.net/helpdesk
34
8/17/09
Questions?
105
35
8/17/09
Object types
OBJECT PURPOSE
person contact persons
role contact groups/roles
inetnum IPv4 addresses
inet6num IPv6 addresses
aut-num Autonomous System number
domain reverse domains
route prefixes being announced
mntner (maintainer) data protection
http://www.apnic.net/db/
36
8/17/09
Inter-related objects
person:
…
nic-hdl: KX17-AP
inetnum:
202.64.10.0 – 202.64.10.255
…
…
admin-c: KX17-AP Contact info
tech-c: ZU3-AP
mntner: … person:
MAINT-WF-EX mnt-by: MAINT-WF-EX …
… … nic-hdl: ZU3-AP
…
IPv4 addresses …
Object templates
To obtain template structure*, use :
whois -t <object type>
% whois -h whois.apnic.net -t person
person: [mandatory] [single] [primary/look-up key]
address: [mandatory] [multiple] [ ]
country: [mandatory] [single] [ ]
phone: [mandatory] [multiple] [ ]
fax-no: [optional] [multiple] [ ]
e-mail: [mandatory] [multiple] [look-up key]
nic-hdl: [mandatory] [single] [primary/look-up key]
remarks: [optional] [multiple] [ ]
notify: [optional] [multiple] [inverse key]
mnt-by: [mandatory] [multiple] [inverse key]
changed: [mandatory] [multiple] [ ]
source: [mandatory] [single] [ ]
37
8/17/09
What is a nic-hdl?
• Unique identifier for a person
• Represents a person object
– Referenced in objects for contact details
• (inetnum, aut-num, domain…)
– format: <XXXX-AP>
• Eg: KX17-AP
person: Ky Xander
address: ExampleNet Service Provider
address: 2 Pandora St Boxville
address: Wallis and Futuna Islands
country: WF
phone: +680-368-0844
fax-no: +680-367-1797
e-mail: kxander@example.com
nic-hdl: KX17-AP
mnt-by: MAINT-WF-EX
changed: kxander@example.com 20020731
source: APNIC
38
8/17/09
39
8/17/09
2.Search options
(flags)
40
8/17/09
Allocation
1 (Created by APNIC)
person:
nic-hdl:
4 5 6
KX17-AP inetnum: inetnum: inetnum:
... ... ...
Contact info KX17-AP KX17-AP KX17-AP
2 ... ... ...
mntner: mnt-by: mnt-by: mnt-by:
... ... ...
Customer Assignments
(Created by ISP)
Data Protection
Role object
• Represents a group of contact
persons for an organisation
– Eases administration
– Can be referenced in other objects instead of
the person objects for individuals
41
8/17/09
Database protection
- maintainer object
mntner: MAINT-WF-EX
descr: Maintainer for ExampleNet Service Provider
country: WF
admin-c: ZU3-AP
tech-c: KX17-AP
upd-to: kxander@example.com
mnt-nfy: kxander@example.com
auth: CRYPT-PW apHJ9zF3o
mnt-by: MAINT-WF-EX
referral-by: MAINT-APNIC-AP
changed: kxander@example.com 20020731
source: APNIC
42
8/17/09
http://www.apnic.net/services/whois_guide.html
Database protection
• Authorisation
– “mnt-by” references a mntner object
• Can be found in all database objects
• “mnt-by” should be used with every object!
• Authentication
– Updates to an object must pass the
authentication rule specified by its maintainer
object
Authorisation mechanism
inetnum: 202.137.181.0 – 202.137.185.255
netname: EXAMPLENET-WF
descr: ExampleNet Service Provider
……….
mnt-by: MAINT-WF-EX
mntner: MAINT-WF-EX
descr: Maintainer for ExampleNet Service Provider
country: WF
admin-c: ZU3-AP
tech-c: KX17-AP
upd-to: kxander@example.com
mnt-nfy: kxander@example.com
auth: CRYPT-PW apHJ9zF3o
mnt-by: MAINT-WF-EX
changed: kxander@example.com 20020731
source: APNIC
43
8/17/09
Authentication methods
• ‘auth’ attribute
– Crypt-PW
• Crypt (Unix) password encryption
• Use web page to create your maintainer
– PGP – GNUPG
• Strong authentication
• Requires PGP keys
– MD5
• Available
• ‘mnt-by’ attribute
– Can be used to protect any object
– Changes to protected object must satisfy authentication
rules of ‘mntner’ object.
• ‘mnt-lower’ attribute
– Also references mntner object
– Hierarchical authorisation for inetnum & domain objects
– The creation of child objects must satisfy this mntner
– Protects against unauthorised updates to an allocated
range - highly recommended!
Authentication/authorisation
– APNIC allocation to member
• Created and maintained by APNIC
Inetnum: 203.146.96.0 - 203.146.127.255
netname: LOXINFO-TH
descr: Loxley Information Company Ltd.
Descr: 304 Suapah Rd, Promprab,Bangkok
country: TH
admin-c: KS32-AP
tech-c: CT2-AP
1 mnt-by: APNIC-HM
2 mnt-lower: LOXINFO-IS
changed: hostmaster@apnic.net 19990714
source: APNIC
44
8/17/09
Authentication/authorisation
Customer privacy
• Privacy issues
– Concerns about publication of customer information
– Increasing government concern
• APNIC legal risk
– Legal responsibility for accuracy and advice
– Damages incurred by maintaining inaccurate
personal data
• Customer data is hard to maintain
– APNIC has no direct control over accuracy of data
• Customer assignment registration is still
mandatory
45
8/17/09
ISP
visibility
Customer assignments Infrastructure Sub-allocations optional
NON-PORTABLE addresses
Questions?
ASN
46
8/17/09
AS 100
RFC
1930
47
8/17/09
Requesting an ASN
• Complete the request form
– web form available:
• http://www.apnic.net/db/aut-num.html
• Transfers of ASNs
– Need legal documentation (mergers etc)
– Should be returned if no longer required
48
8/17/09
Questions?
4 byte AS number
Background
• Previously 2 byte ASN (16 bits)
– Possibly run into exhaustion by 2010
– 4 byte ASN was developed by IETF
• Currently 4 byte ASN distribution policy
(32 bits)
• Timeline
– Jan 2009: Default 4 byte ASN, 2 byte ASN on
request
– Jan 2010: 4 byte ASN only
49
8/17/09
• 4byte ASN
– If their value lies in the range 0 – 65535
• 4 byte ASN may be represented identically as 2 byte only
ASN.
– Otherwise, they MUST be represented identically as
for 4 byte only ASN.
• For values in the range 0 – 65535 the canonical 4 byte ASN
representation
• 0. <16 bit decimal value>
149
Questions?
50
8/17/09
Registry Procedures
51
8/17/09
Delegation procedures
• Upon allocation, member is asked if they want /24 place
holder domain objects with member maintainer
– Gives member direct control
domain: 124.54.202.in-addr.arpa
descr: co-located server at mumbai
country: IN
admin-c: VT43-AP
tech-c: IA15-AP
zone-c: IA15-AP
nserver: dns.vsnl.net.in
nserver: giasbm01.vsnl.net.in
mnt-by: MAINT-IN-VSNL
changed: gpsingh@vsnl.net.in 20010612
source: APNIC
52
8/17/09
Delegation procedures
– request form
• Complete the documentation
• http://www.apnic.net/db/domain.html
Evaluation
• Parser checks for
– ‘whois’ database
• IP address range is assigned or allocated
• Must be in APNIC database
– Maintainer object
• Mandatory field of domain object
– Nic-handles
• zone-c, tech-c, admin-c
Questions?
53
8/17/09
MyAPNIC
Database tools
User
User Interface
Database
Registry Whois
Private Public
How it works
APNIC internal system APNIC public servers
Firewall Server
Finance MyAPNIC
system server
Member ID
Person
Authority
Membership
& resource
system
https://my.apnic.net
Client
Whois
master Member’s
staff
54
8/17/09
MyAPNIC functions
• Resource information
– IPv4, IPv6, ASN
• Administration
– Membership detail
– Contact persons
– Billing history
• Training
– Training history
– Training registration
• Technical
– Looking glass
• Tools
Digital Certificates
• Are used:
– to manage staff contacts. Only registered
Corporate Contacts have the authority to
change or approve users in MyAPNIC.
– for online voting in the APNIC elections
– to secure email exchange with APNIC
164
55
8/17/09
To request a certificate,
click here
Request a certificate
http://www.apnic.net/ca
56
8/17/09
Common issues
• Issues in getting a certificate
– Forgetting to send the photo ID
– Downloading the certificate to the wrong
computer
• Accessing MyAPNIC
– Using a computer without a digital certificate
– Expired certificate
• It’s easy to renew! Just send a new request via
https://www.apnic.net/ca (renewals do not require
photo ID)
Member Services
Helpdesk
hours
9:00
am
-
7:00
pm
(AU
EST,
UTC
+
10
hrs)
ph:
+61
7
3858
3188
fax:
61
7
3858
3199
Helpdesk
• More personalised service
– Range of languages:
Cantonese, Filipino, Mandarin, Thai, Vietnamese etc.
57
8/17/09
ICONS
Training Survey
• http://www.tiny.cc/apnictrainingsurvey
174
58
8/17/09
Thank you!
59