RIPE whois Database


Page 1: RIPE whois Database

NATO Advanced Networking Workshop . Ljubljana, 19 September 2001 . http://www.ripe.net

RIPE whois Database

RIPE Network Coordination Centre <[email protected]>

Page 2: RIPE whois Database

Schedule

• intro
• basic DB queries
• creating person/role object
• creating network object
• advanced DB queries
• protecting objects
• updating objects
• exercises / examples

Page 3: RIPE whois Database

RIPE Database Intro

• Public Network Management Database
• Software Management
  – RIPE NCC
  – requirements by RIPE community ([email protected])
  – download from ftp://ftp.ripe.net/
• Data Management
  – LIRs, other users
  – RIPE NCC
  – Information content not responsibility of RIPE NCC
• Exchange of knowledge
  – <[email protected]>
• Transition to RPSL

Page 4: RIPE whois Database

Object Types

• Information about:        objects:
  – IP address space         inetnum, inet6num
  – reverse domains          domain
  – routing policies         route, aut-num, etc.
  – contact details          person, role, mntner
• Server whois.ripe.net
• UNIX client (command line queries)
• http://www.ripe.net/db/
• The most important documents
  – Representation of IP Routing Policies in a Routing Registry (ripe-181)
  – RIPE NCC Database Reference Manual (ripe-223) New!

Page 5: RIPE whois Database

Basic Queries

• Whois (client, web interface)
  – searches only look-up keys
  – returns exact match
• Look-up keys - usually the object name
  – person, role: name, email, nic-hdl
  – inetnum: address (or range), netname
• Glimpse - full text search
  – e.g. searching for address space based on the postal address or the name of the organisation

Examples

Page 6: RIPE whois Database

Creating person Object

• Check if person object exists in RIPE DB
  – only one object per person
• Obtain and complete a template
  – whois -t person
  – whois -v person (verbose)
• Send to <[email protected]>
• Each person and role object has a unique nic-hdl

Page 7: RIPE whois Database

whois -t person

person:   [mandatory]  [single]    [lookup key]
address:  [mandatory]  [multiple]  [ ]
phone:    [mandatory]  [multiple]  [ ]
fax-no:   [optional]   [multiple]  [ ]
e-mail:   [optional]   [multiple]  [lookup key]
nic-hdl:  [mandatory]  [single]    [primary/look-up key]
remarks:  [optional]   [multiple]  [ ]
notify:   [optional]   [multiple]  [inverse key]
mnt-by:   [optional]   [multiple]  [inverse key]
changed:  [mandatory]  [multiple]  [ ]
source:   [mandatory]  [single]    [ ]

Page 8: RIPE whois Database

whois -t role

role:     [mandatory]  [single]    [lookup key]
address:  [mandatory]  [multiple]  [ ]
phone:    [optional]   [multiple]  [ ]
fax-no:   [optional]   [multiple]  [ ]
e-mail:   [mandatory]  [multiple]  [lookup key]
trouble:  [optional]   [multiple]  [ ]
admin-c:  [mandatory]  [multiple]  [inverse key]
tech-c:   [mandatory]  [multiple]  [inverse key]
nic-hdl:  [mandatory]  [single]    [primary/look-up key]
remarks:  [optional]   [multiple]  [ ]
notify:   [optional]   [multiple]  [inverse key]
mnt-by:   [optional]   [multiple]  [inverse key]
changed:  [mandatory]  [multiple]  [ ]
source:   [mandatory]  [single]    [ ]

Page 9: RIPE whois Database

nic-hdl

• Unique identifier for person and role objects
  – primary key for person and role objects
• Format: <initials>[number]-<database>
  – e.g. CD567-RIPE, JFK11-RIPE
• Used in all attributes where contact info is needed
• Use “AUTO-#<initials>” placeholders when creating new objects; the database assigns the real handle:

  role:     Technical BlueLight Staff
  ...
  nic-hdl:  AUTO-2BL          (assigned: BL112-RIPE)

  person:   Piet Bakker
  ...
  nic-hdl:  AUTO-1PB          (assigned: PB1234-RIPE)

Page 10: RIPE whois Database

Database Robot Responses <[email protected]>

• Successful update
  – acknowledgement
• Warnings
  – object accepted but might be ambiguous
  – object corrected and accepted
• Errors
  – object NOT corrected and NOT accepted
  – diagnostics in acknowledgement
• If not clear send questions to <[email protected]>
  – include error report and the original message

Page 11: RIPE whois Database

Creating Network Objects

• AW=0 or AW<request_size (AW = the LIR’s assignment window, so the request went to the RIPE NCC for approval)
  – take the “network template” from the approved request
• otherwise
  – whois -t inetnum
• Send to <[email protected]>
  – with (only) the keyword NEW in the subject line
  • to avoid over-writing the existing objects (address range is the primary key for inetnum)

Page 12: RIPE whois Database

whois -t inetnum

inetnum:     [mandatory]  [single]    [primary/look-up key]
netname:     [mandatory]  [single]    [lookup key]
descr:       [mandatory]  [multiple]  [ ]
country:     [mandatory]  [multiple]  [ ]
admin-c:     [mandatory]  [multiple]  [inverse key]
tech-c:      [mandatory]  [multiple]  [inverse key]
rev-srv:     [optional]   [multiple]  [inverse key]
status:      [mandatory]  [single]    [ ]
remarks:     [optional]   [multiple]  [ ]
notify:      [optional]   [multiple]  [inverse key]
mnt-by:      [mandatory]  [multiple]  [inverse key]
mnt-lower:   [optional]   [multiple]  [inverse key]
mnt-routes:  [optional]   [multiple]  [inverse key]
changed:     [mandatory]  [multiple]  [ ]
source:      [mandatory]  [single]    [ ]

Page 13: RIPE whois Database

Pay Attention to...

• Insert the address range
  – in the ‘network template’ from the approved request form
• Keep the same netname attribute as approved
• Create person or role objects in advance
  – admin-c: on site; client’s MD
  – tech-c: LIR or consultant
• Status: ASSIGNED PA
• In the changed attribute leave out the date
  – DB will add the current date

Protection is mandatory – recommended: include mnt-lower and mnt-routes

Page 14: RIPE whois Database

Changes with RPSL

• Objects format - stricter syntax checks!!!
  – line continuation (white space or “+” sign)
  – attribute order is relevant and preserved
  – support for end of line comments (after “#”)
  – no empty attributes allowed
• inetnum value can not be in prefix notation!
  • correct: a.b.c.d<space>-<space>w.x.y.z
• Submission to the DB supports:
  – MIME
  – PGP (GnuPG)

New in RPSL!
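The RPSL syntax rules above in working form, as an added example (not code from the RIPE NCC or from these slides): a small parser that applies the four rules (“#” comments, white-space or “+” continuation, preserved attribute order, no empty attributes) and a normaliser that rewrites a prefix into the “a.b.c.d - w.x.y.z” range the server insists on. The sample object, its e-mail address and the `.example` domain are constructed for this example; the mandatory-attribute list is the inetnum template from the slide further below.

```python
import ipaddress
import re

ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*):(.*)$")
RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)$")


def parse_rpsl_object(text):
    """Parse one RPSL object into an ordered list of (attribute, value) pairs.

    Rules applied, as the RPSL server enforces them:
    - "#" opens an end-of-line comment anywhere on a line
    - a line starting with white space or "+" continues the previous value
    - attribute order is preserved (a list, not a dict)
    - an attribute with an empty value is an error
    A blank line ends the object.
    """
    attrs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            if attrs:
                break                      # blank line: end of this object
            continue
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue                       # comment-only line
        if line[0] in " \t+":
            if not attrs:
                raise ValueError(f"line {lineno}: continuation before any attribute")
            name, value = attrs[-1]
            attrs[-1] = (name, (value + " " + line[1:].strip()).strip())
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an 'attribute: value' line")
        attrs.append((m.group(1).lower(), m.group(2).strip()))
    for name, value in attrs:
        if value == "":
            raise ValueError(f"attribute '{name}' has an empty value")
    return attrs


def normalise_inetnum(value):
    """Canonical 'first - last' form. A prefix (even the short 195.35.88/26)
    is converted; a range is validated and re-spaced; anything else is rejected."""
    value = value.strip()
    if "/" in value:
        addr, plen = value.split("/", 1)
        octets = addr.split(".")
        octets += ["0"] * (4 - len(octets))
        # strict=True rejects a prefix with host bits set (e.g. 195.35.64.1/19)
        net = ipaddress.ip_network(".".join(octets) + "/" + plen, strict=True)
        return f"{net[0]} - {net[-1]}"
    m = RANGE_RE.match(value)
    if not m:
        raise ValueError(f"bad inetnum value {value!r}")
    first, last = (ipaddress.ip_address(x) for x in m.groups())
    if first > last:
        raise ValueError(f"reversed inetnum range {value!r}")
    return f"{first} - {last}"


INETNUM_MANDATORY = ("inetnum", "netname", "descr", "country", "admin-c",
                     "tech-c", "status", "mnt-by", "changed", "source")


def check_inetnum(text):
    """Parse an inetnum update, normalise its range and check mandatory attributes."""
    attrs = parse_rpsl_object(text)
    if not attrs or attrs[0][0] != "inetnum":
        raise ValueError("object does not start with an inetnum: attribute")
    present = {name for name, _ in attrs}
    missing = [a for a in INETNUM_MANDATORY if a not in present]
    if missing:
        raise ValueError("missing mandatory attribute(s): " + ", ".join(missing))
    return [(n, normalise_inetnum(v) if n == "inetnum" else v) for n, v in attrs]


# Constructed sample update (address and e-mail made up for the example).
SAMPLE = """\
inetnum:   195.35.64.0/19         # prefix form: the server wants a range
netname:   NL-BLUELIGHT-20000909
descr:     Blue Light Internet
+          allocation (value continued with "+")
country:   NL
admin-c:   JJ231-RIPE
tech-c:    BL112-RIPE
status:    ALLOCATED PA
mnt-by:    RIPE-NCC-HM-MNT
mnt-lower: BLUELIGHT-MNT
changed:   hostmaster@bluelight.example 20000909
source:    TEST
"""

if __name__ == "__main__":
    for name, value in check_inetnum(SAMPLE):
        print(f"{name + ':':12}{value}")
```

Because “#” opens a comment anywhere on a line, a value may never contain one; crypt(3) output never does, but a hand-typed CRYPT-PW line like the one on the Authorisation Mechanism slide below would be truncated at the “#”.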

Page 15: RIPE whois Database

Querying Address Ranges

– whois [customer’s IP range, customer’s netname]
  • netname not unique search key
– whois -m [LIR allocated IP range]
  • list of biggest sub-ranges (first level more specific)
– whois -M [LIR allocated IP range]
  • all sub-ranges
– whois -L [customer’s IP range]
  • exact match & bigger encompassing ranges
  – LIR’s own allocation object & RIPE NCC’s /8
– whois -l [customer’s IP range]
  • not the exact match, but the smallest bigger object
– whois -x [IP range]
  • if no matching object is found nothing is returned

New in RPSL!

Page 16: RIPE whois Database

Example DB Queries

[Figure: tree of inetnum objects used in the examples. Allocation: 195.35.64.0 - 195.35.95.255 (195.35.64.0/19). Ranges under it: 195.35.64.0 - 195.35.65.191, 195.35.80/25, 195.35.88/26, 195.35.92/29, 195.35.92.8/29. Netnames shown: BLUELIGHT, GOODY2SHOES, ENGOS ..., ENGO-7, ENGO-8.]

whois -M 195.35.64.0/19
whois -m 195.35.64.0/19
whois -L 195.35.92.10
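An offline model of the range-query flags from the previous two slides, as an added example (not RIPE NCC software). The object tree uses the ranges and netnames from the figure; which netname goes with which range is assumed, the netname of the /8 is assumed, and one object nested inside ENGO-7 that is not on the slide is added so that -m and -M give different answers. The no-flag lookup returns the exact match, or the smallest enclosing object when there is none.

```python
import ipaddress


def to_range(key):
    """(first, last) as ints for 'a - b', 'a.b.c.d/n', short 'a.b.c/n' or one address (IPv4)."""
    key = key.strip()
    if "-" in key:
        a, b = (int(ipaddress.ip_address(p.strip())) for p in key.split("-", 1))
        if a > b:
            raise ValueError(f"reversed range {key!r}")
        return a, b
    if "/" in key:
        addr, plen = key.split("/", 1)
        octets = addr.split(".")
        octets += ["0"] * (4 - len(octets))
        net = ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)
        return int(net[0]), int(net[-1])
    a = int(ipaddress.ip_address(key))
    return a, a


# Constructed tree: the RIPE NCC /8 above the LIR allocation (netname assumed),
# the BLUELIGHT /19 and assignments with the ranges from the slide (netname to
# range pairing assumed), plus ENGO-7-SUB, which is not on the slide and is
# nested inside ENGO-7 so that -m and -M differ.
DB = [
    ("EU-ZZ-195", *to_range("195.0.0.0/8")),
    ("BLUELIGHT", *to_range("195.35.64.0 - 195.35.95.255")),
    ("BLUELIGHT-1", *to_range("195.35.64.0 - 195.35.65.191")),
    ("GOODY2SHOES", *to_range("195.35.80/25")),
    ("ENGOS", *to_range("195.35.88/26")),
    ("ENGO-7", *to_range("195.35.92/29")),
    ("ENGO-8", *to_range("195.35.92.8/29")),
    ("ENGO-7-SUB", *to_range("195.35.92.0 - 195.35.92.3")),
]


def _inside(o, lo, hi):      # object range lies within [lo, hi]
    return lo <= o[1] and o[2] <= hi


def _encloses(o, lo, hi):    # object range covers [lo, hi]
    return o[1] <= lo and hi <= o[2]


def _size(o):
    return o[2] - o[1]


def query_x(db, key):
    """-x: exact match only; nothing if no object has exactly this range."""
    lo, hi = to_range(key)
    return [o[0] for o in db if (o[1], o[2]) == (lo, hi)]


def query_M(db, key):
    """-M: every more specific object, at any depth."""
    lo, hi = to_range(key)
    return [o[0] for o in db if _inside(o, lo, hi) and (o[1], o[2]) != (lo, hi)]


def query_m(db, key):
    """-m: first-level more specifics only (not nested inside another more specific)."""
    lo, hi = to_range(key)
    inner = [o for o in db if _inside(o, lo, hi) and (o[1], o[2]) != (lo, hi)]
    return [o[0] for o in inner
            if not any(p is not o and _encloses(p, o[1], o[2]) for p in inner)]


def query_L(db, key):
    """-L: exact match plus all encompassing objects, largest first."""
    lo, hi = to_range(key)
    outer = [o for o in db if _encloses(o, lo, hi)]
    return [o[0] for o in sorted(outer, key=_size, reverse=True)]


def query_l(db, key):
    """-l: the smallest encompassing object, never the exact match."""
    lo, hi = to_range(key)
    outer = [o for o in db if _encloses(o, lo, hi) and (o[1], o[2]) != (lo, hi)]
    return [min(outer, key=_size)[0]] if outer else []


def lookup(db, key):
    """No flag: the exact match if it exists, else the smallest enclosing object."""
    return query_x(db, key) or query_l(db, key)


if __name__ == "__main__":
    for flag, fn, key in (("-M", query_M, "195.35.64.0/19"), ("-m", query_m, "195.35.64.0/19"),
                          ("-L", query_L, "195.35.92.10"), ("-l", query_l, "195.35.92.10"),
                          ("-x", query_x, "195.35.92.10")):
        print(f"whois {flag} {key:18} -> {fn(DB, key)}")
```

The -m/-M distinction is what a LIR uses to audit its allocation: -m lists the assignments it made directly, -M also surfaces sub-assignments its customers registered underneath them.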

Page 17: RIPE whois Database

Inverse Lookups in RIPE DB

• whois -i {attribute} {value}
• Inverse keys
  – notify, mnt-by, mnt-lower, admin-c, tech-c, zone-c, ...
• whois -i tech-c JJ125-RIPE
  – whois -i admin-c,tech-c,zone-c -T domain JJ125-RIPE
  – whois -ipn JJ125-RIPE
• whois -i mnt-by BLUELIGHT-MNT
• whois -i notify [email protected]

New in RPSL!

Page 18: RIPE whois Database

Non-Recursive Lookups: “-r”

• whois 193.35.64.82 => inetnum, route, person(s)
  – whois -r 193.35.64.82 => inetnum, route
  – whois -T inetnum 193.35.64.82 => inetnum, persons
  – whois -r -T inetnum 193.35.64.82 => inetnum
  – whois -T route 193.35.64.82 => route
• Summary -- DB flags:
  – -i, -r, -T, -m, -M, -l, -L, -x

Page 19: RIPE whois Database


Questions?

(link back to the Assignment Process)

Page 20: RIPE whois Database

Advanced Database Issues

• Protection
• DB administration
  – updating objects
  – deleting objects
• Test whois Database

Page 21: RIPE whois Database

Notification / Authorisation

• notify attribute (optional)
  – sends notification of change to the email address specified
• mnt-by attribute & mntner object
  – mnt-by mandatory (except dn, pn, ro: domain, person and role objects)
• Hierarchical authorisation for inetnum, domain, route, aut-num objects
  – mnt-lower attribute
  – mnt-routes attribute

New in RPSL!

Page 22: RIPE whois Database

Creating Maintainer Object

• Mandatory protection of objects
  • except for person, role and domain
  – updates of objects that contain mnt-by attribute must pass the authentication rules in the mntner object
• Decide on the authentication method
  – ripe-223 (New!)
  • ripe-157, ripe-189 documents obsolete
• Manual registration necessary
  – send the mntner object to <[email protected]>
  – requester needs to be contact person from the LIR

See also: Protection of RIPE DB objects

Page 23: RIPE whois Database

Authorisation Mechanism

inetnum:      195.35.64.0 - 195.35.65.191
netname:      BLUELIGHT-1
descr:        Blue Light Internet
...
mnt-by:       BLUELIGHT-MNT

mntner:       BLUELIGHT-MNT
descr:        Maintainer for all Bluelight objects
admin-c:      JJ231-RIPE
tech-c:       BL112-RIPE
auth:         CRYPT-PW q5nd!~sfhk0#
upd-to:       [email protected]
mnt-nfy:      [email protected]
referral-by:  RIPE-DBM-MNT
mnt-by:       BLUELIGHT-MNT
changed:      [email protected] 19991112
source:       RIPE

Page 24: RIPE whois Database

Maintainer Object Attributes

• auth (mandatory, multiple)
• upd-to (mandatory)
  – notification for failed updates
• mnt-nfy (optional, encouraged)
  – works like notify but for all objects that refer to this mntner
• mnt-by (mandatory)
  – can reference the object itself
• referral-by (mandatory)
  – references mntner object that created this object
• Manual registration of object necessary
• Send object to <[email protected]>

New in RPSL!

Page 25: RIPE whois Database

Authentication Methods

1. auth: NONE
   • could be used with mnt-nfy attribute (no protection at all; mnt-nfy only tells you afterwards)
2. auth: MAIL-FROM {e-mail, reg-exp}
   – e.g. MAIL-FROM .*@bluelight\.nl
   • protection from typos only: the From: header is checked, and any sender can forge it
3. auth: CRYPT-PW {encrypted password}
   • include password attribute in your updates
   – value is clear text password (it travels unencrypted in the update mail unless the mail itself is encrypted)
4. auth: PGPKEY-<argument>
   • key-cert object
   – see: ripe-223
   • http://www.gnupg.org/

Page 26: RIPE whois Database

Hierarchical Authorisation

inetnum:     195.35.64.0 - 195.35.79.255
netname:     NL-BLUELIGHT-20000909
...
status:      ALLOCATED PA
mnt-by:      RIPE-NCC-HM-MNT
mnt-lower:   BLUELIGHT-MNT
mnt-routes:  BLUELIGHT-MNT
changed:     [email protected] 20000909
changed:     [email protected] 20001111
source:      TEST

• Ask <[email protected]> to add mnt-lower and mnt-routes attributes into your allocation inetnum objects

Page 27: RIPE whois Database

Hierarchical Authorisation (cont’d)

• mnt-lower and mnt-routes attributes
  – authenticate only creation of more specific objects
  – only one level below
• mandatory in allocation inetnum objects
• mandatory in PI assignment inetnum objects
• recommended in PA inetnum objects, and route objects
• mnt-routes in aut-num object e.g. AS42
  – authenticates creation of route objects with origin: AS42

New in RPSL!
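The authorisation decision described on the Authorisation Mechanism, Authentication Methods and Hierarchical Authorisation slides, as an added example (not RIPE NCC code): an update passes if it satisfies one auth: line of one mnt-by maintainer; creating a more specific inetnum must pass mnt-lower of the object one level up (its mnt-by if it carries no mnt-lower); creating a route must pass mnt-routes of the enclosing address space and of the origin aut-num. All maintainers, objects, addresses and credentials are constructed for the example (netnames, ranges and AS42 are the slides’). CRYPT-PW is modelled with a salted SHA-256 stand-in instead of crypt(3), an assumption made so the code runs on any Python; PGPKEY is modelled as “the mail signature was already verified against the key-cert and yielded key ID X”.

```python
import hashlib
import hmac
import ipaddress
import re


def make_crypt_pw(salt, password):
    """Stored value for 'auth: CRYPT-PW'. The database used crypt(3); this example
    substitutes salt + SHA-256(salt + password) (assumption, for portability).
    As with crypt(3), the first two characters of the stored value are the salt."""
    return salt[:2] + hashlib.sha256((salt[:2] + password).encode()).hexdigest()


def crypt_pw_matches(stored, password):
    return hmac.compare_digest(make_crypt_pw(stored[:2], password), stored)


def auth_passes(mntner, creds):
    """True if the update's credentials satisfy at least one auth: line."""
    for line in mntner["auth"]:
        scheme, _, arg = line.partition(" ")
        if scheme == "NONE":
            return True                  # no protection; mnt-nfy just tells you afterwards
        if scheme == "MAIL-FROM":
            # Regex against the From: header of the update mail. A sender can put
            # anything there, so this only guards against accidental updates.
            if creds.get("mail_from") and re.fullmatch(arg, creds["mail_from"]):
                return True
        elif scheme == "CRYPT-PW":
            # The update carries 'password:' lines in clear text.
            if any(crypt_pw_matches(arg, pw) for pw in creds.get("passwords", ())):
                return True
        elif scheme.startswith("PGPKEY-"):
            if scheme[len("PGPKEY-"):] in creds.get("pgp_signed_by", ()):
                return True
    return False


def _range(key):
    a, b = (int(ipaddress.ip_address(p.strip())) for p in key.split("-"))
    return a, b


def enclosing_inetnum(db, lo, hi, exclude_key=None):
    """The inetnum one level up: the smallest object whose range covers [lo, hi]."""
    cand = [o for o in db if o["type"] == "inetnum" and o["key"] != exclude_key
            and _range(o["key"])[0] <= lo and hi <= _range(o["key"])[1]]
    return min(cand, key=lambda o: _range(o["key"])[1] - _range(o["key"])[0], default=None)


def find(db, typ, key):
    return next((o for o in db if o["type"] == typ and o["key"] == key), None)


def authorise(op, obj, db, mntners, creds):
    """Decide an update. Returns (ok, notify): on failure the upd-to addresses of
    the maintainers that refused it, on success the mnt-nfy addresses of the
    object's own maintainers. An object without mnt-by is unprotected."""
    if op in ("modify", "delete"):
        groups = [obj.get("mnt-by", [])]
    elif op == "create" and obj["type"] == "inetnum":
        lo, hi = _range(obj["key"])
        parent = enclosing_inetnum(db, lo, hi, exclude_key=obj["key"])
        if parent is None:
            return False, []             # not a more specific of anything registered
        groups = [parent.get("mnt-lower") or parent.get("mnt-by", [])]
    elif op == "create" and obj["type"] == "route":
        prefix, origin = obj["key"].split()          # route key: "prefix originAS"
        net = ipaddress.ip_network(prefix)
        space = enclosing_inetnum(db, int(net[0]), int(net[-1]))
        asn = find(db, "aut-num", origin)
        if space is None or asn is None:
            return False, []
        groups = [space.get("mnt-routes") or space.get("mnt-lower") or space.get("mnt-by", []),
                  asn.get("mnt-routes") or asn.get("mnt-by", [])]
    else:
        raise ValueError(f"unsupported operation {op} on {obj['type']}")
    failed = [g for g in groups if g and not any(auth_passes(mntners[n], creds) for n in g)]
    if failed:
        return False, sorted({mntners[n]["upd-to"] for g in failed for n in g})
    return True, sorted({a for n in obj.get("mnt-by", []) for a in mntners[n].get("mnt-nfy", [])})


# Constructed maintainers and objects (names, ranges and AS42 from the slides;
# the rest, including every address and key ID, made up for the example).
MNTNERS = {
    "RIPE-NCC-HM-MNT": {"auth": ["PGPKEY-0A1B2C3D"], "upd-to": "hm@ripe.example"},
    "BLUELIGHT-MNT": {"auth": ["CRYPT-PW " + make_crypt_pw("q5", "s3cret")],
                      "upd-to": "noc@bluelight.nl", "mnt-nfy": ["noc@bluelight.nl"]},
    "GOODY-MNT": {"auth": [r"MAIL-FROM .*@goody2shoes\.example"],
                  "upd-to": "admin@goody2shoes.example"},
}
DB = [
    {"type": "inetnum", "key": "195.35.64.0 - 195.35.79.255", "mnt-by": ["RIPE-NCC-HM-MNT"],
     "mnt-lower": ["BLUELIGHT-MNT"], "mnt-routes": ["BLUELIGHT-MNT"]},        # allocation
    {"type": "inetnum", "key": "195.35.64.0 - 195.35.65.191", "mnt-by": ["BLUELIGHT-MNT"]},
    {"type": "inetnum", "key": "195.35.66.0 - 195.35.66.127", "mnt-by": ["GOODY-MNT"]},
    {"type": "aut-num", "key": "AS42", "mnt-by": ["BLUELIGHT-MNT"], "mnt-routes": ["BLUELIGHT-MNT"]},
]
```

Two points the data makes concrete: the LIR’s password lets it register assignments under its allocation but not touch the allocation object itself, which only the RIPE NCC’s PGP key unlocks; and the MAIL-FROM maintainer accepts any mail whose From: matches the pattern, which is why the slide calls it protection from typos rather than from attackers.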

Page 28: RIPE whois Database

DB Update Procedure

Send to: <[email protected]>

• Modifying an object
  – obtain object from RIPE DB
  – make needed changes
  – keep the same primary key
  – add the changed line to the new version of object
    changed: [email protected] 20010505
  • keep the old changed lines in to show history
  – include authentication (password, PGP signature)
• Deleting an object
  – add delete line to the exact copy of current object
    delete: [email protected] overlapping inetnum 20010606
  – include authentication (password, PGP signature)

Page 29: RIPE whois Database

When to Update Your Objects

• Fixing overlapping assignments
• Merging two inetnum (domain, route) objects
• Splitting one assignment into smaller ones
• Changing the netname
• Protecting unprotected objects
  – including mnt-by attribute
• Updating peering agreements in aut-num
• Updating references to new contact persons/roles
  – admin-c, tech-c, zone-c
• Updating contact info
  – phone/address change in person/role/mntner

Page 30: RIPE whois Database

Case Study 1 -- Contact Person Left

[Figure: two inetnum objects (195.35.64.80, 195.35.64.130) with tech-c: JAJA1-RIPE; after the change both reference the new person object CD2-RIPE and the JAJA1-RIPE person object is gone.]

1. whois -i tech-c JAJA1-RIPE
2. Create new person object (for Carl Dickens, new guy)
3. Change the tech-c reference in all inetnum objects
4. Delete old person object

Page 31: RIPE whois Database

Case Study 2 -- Replacing tech-c Using role Object

[Figure: the same inetnum objects (195.35.64.80, 195.35.64.130) now reference the role object BL112-RIPE as tech-c; the role object in turn lists the person objects CD2-RIPE and JJ231-RIPE.]

1. Create person object for each tech-c
2. Create role object for all tech-c:s
3. Change the tech-c reference in all inetnum objects to reference role object
4. Keep role object up-to-date with staff changes
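Case studies 1 and 2 carried through offline, as an added example (not RIPE NCC code): an inverse lookup in the sense of whois -i, the re-pointing of every admin-c/tech-c/zone-c reference (to a new person, or to a role object), and a guard that refuses to delete a person or role while anything still references it. The nic-hdls are the slides’; the inetnum ranges, the domain object, the e-mail address and the exact attribute set behind the -i pn shorthand are assumed.

```python
# Attributes indexed as inverse keys (from the slide); the three contact
# attributes are taken to be what "whois -i pn" searches (assumption).
INVERSE_KEYS = {"admin-c", "tech-c", "zone-c", "notify", "mnt-by", "mnt-lower", "mnt-routes"}
CONTACT_ATTRS = ("admin-c", "tech-c", "zone-c")


def inverse_lookup(db, attrs, value, types=None):
    """whois -i attr[,attr...] [-T type] value: objects whose attribute equals value."""
    bad = set(attrs) - INVERSE_KEYS
    if bad:
        raise ValueError(f"not inverse keys: {sorted(bad)}")
    return [o for o in db
            if (types is None or o["type"] in types)
            and any(value in o.get(a, []) for a in attrs)]


def replace_contact(db, old, new, who, types=None):
    """Step 3 of case study 1/2: point every contact reference to 'old' at 'new'
    (a person or a role nic-hdl) and add the changed: line. Returns the objects
    that were modified; each one would be sent to the database as an update."""
    modified = []
    for o in inverse_lookup(db, CONTACT_ATTRS, old, types):
        for a in CONTACT_ATTRS:
            if old in o.get(a, []):
                o[a] = [new if v == old else v for v in o[a]]
        o.setdefault("changed", []).append(who)     # date left out: the DB adds it
        modified.append(o)
    return modified


def can_delete(db, nic_hdl):
    """Step 4 guard: a person/role that any object still references must stay."""
    return not inverse_lookup(db, CONTACT_ATTRS, nic_hdl)


def contact_left(db, old, new, who):
    """Case study 1 end to end: find, re-point, then delete only once unreferenced."""
    modified = replace_contact(db, old, new, who)
    if not can_delete(db, old):
        raise RuntimeError(f"{old} is still referenced; not deleting")
    db[:] = [o for o in db if not (o["type"] in ("person", "role") and o["key"] == old)]
    return modified


def build_db():
    """Constructed objects for the case studies (nic-hdls from the slides; the
    ranges, the domain object and the maintainer name are assumed)."""
    return [
        {"type": "person", "key": "JAJA1-RIPE"},
        {"type": "person", "key": "CD2-RIPE"},
        {"type": "person", "key": "JJ231-RIPE"},
        {"type": "role", "key": "BL112-RIPE", "admin-c": ["JJ231-RIPE"],
         "tech-c": ["CD2-RIPE", "JJ231-RIPE"], "mnt-by": ["BLUELIGHT-MNT"]},
        {"type": "inetnum", "key": "195.35.64.80 - 195.35.64.95",
         "admin-c": ["JJ231-RIPE"], "tech-c": ["JAJA1-RIPE"], "mnt-by": ["BLUELIGHT-MNT"]},
        {"type": "inetnum", "key": "195.35.64.130 - 195.35.64.135",
         "admin-c": ["JJ231-RIPE"], "tech-c": ["JAJA1-RIPE"], "mnt-by": ["BLUELIGHT-MNT"]},
        {"type": "domain", "key": "64.35.195.in-addr.arpa",
         "admin-c": ["JJ231-RIPE"], "tech-c": ["JAJA1-RIPE"], "zone-c": ["JAJA1-RIPE"]},
    ]


if __name__ == "__main__":
    db = build_db()
    print("whois -i tech-c JAJA1-RIPE ->", [o["key"] for o in inverse_lookup(db, ["tech-c"], "JAJA1-RIPE")])
    for o in contact_left(db, "JAJA1-RIPE", "CD2-RIPE", "hostmaster@bluelight.example"):
        print("update:", o["type"], o["key"])
```

Running the inverse lookup before the delete is the point of step 1: a domain object with JAJA1-RIPE as zone-c would be missed by a search of inetnum objects alone, and with the reference left dangling the old handle could not be removed.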

Page 32: RIPE whois Database

Case Study 3 -- Replacing Assignment Objects

• Splitting any approved assignment
  • e.g. moving first assignment registered as one block, at the beginning of allocated range
  – delete the original object
  – create two or more new objects
  – keep the same netname
• or let RIPE NCC know of the change
  • using the same ticket number

Page 33: RIPE whois Database

Test whois Database

• Non-production whois Database
• Similar interface as “real” RIPE whois Database
  – whois & email
  • whois -h test-whois.ripe.net ; <[email protected]>
  – syntax checking
  – error reports
• Possible to automatically create mntner
• Ideal for testing
  – various authorisation schemes
  – self-made scripts that update RIPE whois DB
• Source: TEST

Page 34: RIPE whois Database


Questions?

Questions, bug reports: <[email protected]>