The SIX has moved to strict route filtering using the Internet Routing Registry (IRR), because it is the right thing to do.

The SIX has two route servers and they both have strict route filtering (as of March 7, 2017). You need to have valid IRR records for the routes your ASN will be announcing in order for them to be accepted by the SIX route servers. You also will need to keep those IRR records up-to-date for any network changes you make.

In order to create valid IRR records so your announcements are accepted/propagated and do not show errors on the SIX participants page, you need to register prefixes as valid route/route6 objects in an IRR registry and register downstream ASNs as part of your as-set. That can be done at ARIN (tutorial), RIPE (tutorial), and other IRRs. If you have address space with multiple Regional Internet Registries (RIRs) it may make sense to have IRR data in multiple registries. We recommend you create IRR records at the RIR which assigned/allocated your address space.

RPKI: ARIN Tutorial

ARIN Tutorial:

Create a maintainer object by following the steps at https://www.arin.net/resources/routing/irr_quick_start_guide.html. A human handles the processing of this, so it can take a few days on ARIN's side and there is no auto-response until completed. PGP is not recommended at this time (September 2018) since ARIN is moving toward a web-based system for these updates, so save yourself trouble and just use MD5-PW, using a unique password for this purpose. Generate the MD5-PW using 'openssl passwd -1' or use https://www.arin.net/public/hashTool.xhtml. Send the MD5-PW when creating/updating the maintainer object and send the password as "password: 123" (for example) for all object manipulations after the initial maintainer (mntner) object creation.

An example:

From: hostmaster@example.net
To: rr@arin.net

mntner:        MNT-YOURORGID
descr:         Example, Inc.
admin-c:       EXAMPLE123-ARIN
tech-c:        EXAMPLE456-ARIN
upd-to:        hostmaster@example.net
mnt-nfy:       hostmaster@example.net
auth:          MD5-PW $1$DyU6VQsG$MU0joyMejuoXNGCdIB4x90
notify:        hostmaster@example.net
abuse-mailbox: abuse@example.net
mnt-by:        MNT-YOURORGID
referral-by:   MNT-YOURORGID
changed:       hostmaster@example.net 20YYMMDD  [Adjust this appropriately!]
source:        ARIN

ARIN will respond with the MNT-YOURORGID adjusted as needed, so be prepared for it to change and use what they provide going forward.

At this point you can create your aut-num, as-set, route, route6, and route-set objects. Examples below can be sent individually to rr@arin.net or as a group, adjusting the date and other fields as appropriate. The ARIN IRR software will respond in a minute or few with details about the success or failure of the object creation requests. Modifications can be made in the same manner.

From: hostmaster@example.net
To: rr@arin.net

aut-num:      AS64496
as-name:      EXAMPLE-64496
descr:        Example AS 64496
import:       from AS-ANY accept ANY
export:       to AS-ANY announce AS-EXAMPLE
admin-c:      EXAMPLE-ORG-ARIN
tech-c:       EXAMPLE-ORG-ARIN
notify:       hostmaster@example.net
mnt-by:       MNT-YOURORGID
changed:      hostmaster@example.net 20YYMMDD  [Adjust this appropriately!]
source:       ARIN
password:     123

as-set:       AS-EXAMPLE
descr:        Example, Inc.
members:      AS64496
remarks:      For network issues: noc@example.net
remarks:      For peering questions: peering@example.net
tech-c:       EXAMPLE-ORG-ARIN
admin-c:      EXAMPLE-ORG-ARIN
notify:       hostmaster@example.net
mnt-by:       MNT-YOURORGID
changed:      hostmaster@example.net 20YYMMDD  [Adjust this appropriately!]
source:       ARIN
password:     123

route:        192.0.2.0/24
descr:        EXAMPLE-V4-1 assigned by ARIN
origin:       AS64496
notify:       hostmaster@example.net
mnt-by:       MNT-YOURORGID
changed:      hostmaster@example.net 20YYMMDD  [Adjust this appropriately!]
source:       ARIN
password:     123

route6:       2001:DB8::/32
descr:        EXAMPLE-V6-1 assigned by ARIN
origin:       AS64496
notify:       hostmaster@example.net
mnt-by:       MNT-YOURORGID
changed:      hostmaster@example.net 20YYMMDD  [Adjust this appropriately!]
source:       ARIN
password:     123

route-set:    RS-EXAMPLE-v4-ROUTES
descr:        Example, Inc. IPv4 routes
members:      192.0.2.0/24^24-32
tech-c:       EXAMPLE-ORG-ARIN
admin-c:      EXAMPLE-ORG-ARIN
notify:       hostmaster@example.net
mnt-by:       MNT-YOURORGID
changed:      hostmaster@example.net 20YYMMDD  [Adjust this appropriately!]
source:       ARIN
password:     123

route-set:    RS-EXAMPLE-v6-ROUTES
descr:        Example, Inc. IPv6 routes
mp-members:   2001:DB8::/32^32-128
tech-c:       EXAMPLE-ORG-ARIN
admin-c:      EXAMPLE-ORG-ARIN
notify:       hostmaster@example.net
mnt-by:       MNT-YOURORGID
changed:      hostmaster@example.net 20YYMMDD  [Adjust this appropriately!]
source:       ARIN
password:     123

route-set:    RS-EXAMPLE-ROUTES
descr:        Example, Inc. IPv4 & IPv6 routes
members:      RS-EXAMPLE-v4-ROUTES, RS-EXAMPLE-v6-ROUTES
tech-c:       EXAMPLE-ORG-ARIN
admin-c:      EXAMPLE-ORG-ARIN
notify:       hostmaster@example.net
mnt-by:       MNT-YOURORGID
changed:      hostmaster@example.net 20YYMMDD  [Adjust this appropriately!]
source:       ARIN
password:     123

To verify and see everything maintained by the same maintainer object, do:

whois -h rr.arin.net -i mnt-by -B MNT-YOURORGID

Since ARIN's database is mirrored quickly to NTT, you can check out your IRR data with these commands:

IPv4 prefixes: whois -h rr.ntt.net '!gasYOUR_ASN_NUM'
IPv6 prefixes: whois -h rr.ntt.net '!6asYOUR_ASN_NUM'
AS-SET ASNs: whois -h rr.ntt.net '!iYOUR_AS_SET_NAME'

You should also routinely check the SIX participants page to see if your networks have any errors. The error counts/details reset on a daily basis.

ARIN RPKI Tutorial:

Review https://teamarin.net/2017/10/31/implementing-rpki-its-easier-than-you-think/.

Review https://www.arin.net/resources/rpki/using_rpki.html for "Hosted RPKI" and follow steps to generate a ROA Request Key Pair and submit it to ARIN. Wait for ticket to be completed by ARIN, likely within a business day.

Next in ARIN Online go to https://www.arin.net/public/secure/org/index.xhtml and select the organization for which you want to manage RPKI. Under Actions select "Manage RPKI" and then "Create ROA". Create ROAs for your prefixes per https://www.arin.net/resources/rpki/roarequest.html. Set a calendar reminder for your organization to remind in advance of ROA expiration, the need to replace and extend.

You can verify your RPKI records are working at https://rpki-validator.ripe.net/bgp-preview by searching by ASN or prefix.

RIPE Tutorial:

NOTE: As of September 2018, RIPE no longer allows non-RIPE address space to be registered in their database, so if your address space is from ARIN or another RIR, don't use RIPE.

0. If you do not already have a RIPE NCC account, create one. This is a personal account, not an organizational account. If you have one, then login. It is a good idea to setup two-factor verification, and you can do that in your profile.

1. Click on the left side to Create maintainer and person pair. This record must be created before you can create the remaining ones.

2. Create an organization object, by clicking on the left side Create an object and then using the pull-down menu to select "organisation". Use your maintainer object for the mnt-by (it will automatically fill this out if you are still logged in).

3. You must now create an aut-num object. If your ASN was not assigned by RIPE, you must create an "out-of-region" (non-RIPE) placeholder "dummy" aut-num object. This must be done because the "origin:" attribute must not show it is from RIPE. To do this, follow the same link as above to create an aut-num object. For the maintainer field use the following literally, "RIPE-NCC-RPSL-MNT", and then for the password use (again literally), "RPSL" (without the quotes). When using the webupdate mechanism, it will detect that you are creating an aut-num for an ASN that is not managed by RIPE. You can simply create the object with your own maintainer on it. An aut-num object will be created with the status "OTHER", instead of "ASSIGNED", indicating that it is a dummy object. After this, you can create other objects that refer to this aut-num. Keep in mind that if you are using an update method other than webupdates to create a route object for a prefix that is not managed by the RIPE NCC, you must also add the "RPSL" password when submitting it. See the following for more details.

4. For prefixes you directly announce, create a route object for each of your IPv4 netblocks, and create a route6 object for each of your IPv6 netblocks, associating them with your maintainer objects.

5. If you have downstream ASNs, create an as-set object listing them. Then set your PeeringDB IRR Record to be simply your as-set name. (Please no colons in your as-set name. If you must have a colon, email info_a_t_seattleix.net for special handling.)

6. Optionally create a key-cert object with your PGP public key for authorization, it must be formatted correctly, here is an example of correct formatting.

You should be good now! Since RIPE's database is mirrored quickly to NTT, you can check out your IRR data with these commands:

IPv4 prefixes: whois -h rr.ntt.net '!gasYOUR_ASN_NUM'
IPv6 prefixes: whois -h rr.ntt.net '!6asYOUR_ASN_NUM'
AS-SET ASNs: whois -h rr.ntt.net '!iYOUR_AS_SET_NAME'

You should also routinely check the SIX participants page to see if your networks have any errors. The error counts/details reset on a daily basis.

Corrections, additional examples, and questions are welcome at info_a_t_seattleix.net.

RIPE tutorial originally contributed by Riseup Networks.