[ARIN-consult] ACSP Consultation: ARIN Internet Routing Registry (IRR) Roadmap

Jason Schiller jschiller at google.com
Fri Jan 12 11:04:37 EST 2018


The road map for the ARIN IRR re-spin states:

>>   * Provide an Easy IRR integration tool within ARIN Online:  ARIN will
>>     provide a simple tool within ARIN online for those users who wish to
>>     explore the routing of their existing number resources and after
>>     successful review, automatically update their corresponding IRR
>>     records to match existing routing.

I have concerns that the text above suggests a less close coupling between
WHOIS data and IRR data than I had hoped for.  I think without a close
coupling the work to reform the IRR becomes a lot less meaningful.

Either my memory is faulty as to the extent the community wanted tight
coupling with the WHOIS data, or the message was not clear enough.  Either
way I think it is worthwhile to get a clearer picture of what the community
desires WRT close coupling of WHOIS and IRR data.

This is not a simple question.  There are a lot of different relationships,
and there is a spectrum of the strength of the relationship between ARIN and
the resource holder.  For clarity I think it is best to initially scope our
discussion to only the strongest ARIN - resource holder relationships, and
decide about the level of coupling that makes sense, and then open the
discussion up to some of the weaker relationships, and if we draw the line
differently in those cases.

For ARIN direct allocations, ARIN direct assignments, and ARIN assigned
ASes, the relationship is strongest.  ARIN knows the OrgID, ARIN has contact
info, and ARIN interacts with the Organization at least once a year for
payment.  These resources can be managed by any ARIN Online account linked
to the Org.  Let's only consider these resources initially.


1. First, there is some overlapping data in ARIN WHOIS and ARIN IRR.  It
should be impossible for these to be out of sync.

- If a resource's ARIN WHOIS information is updated, if there is IRR data
  it must also be updated.
  (see examples below ====)

- If a resource is revoked / marked stale in WHOIS, the IRR (if it exists)
  must also be revoked / marked.


2. ARIN knows who can manage the resources of a given OrgID based on linked
ARIN Online accounts and API keys those accounts have created.
These same accounts / API Keys should be the ones that can manage IRR data
either through ARIN online or a more traditional way that is tied back to
the ARIN online account.

(perhaps ARIN online accounts can be linked to maintainers managed in ARIN
online)

(might be useful for an ARIN online account to generate different API Keys,
label them, and restrict access.  e.g. the GFiber-SWIP key can SWIP / deSWIP
anything in these ranges, and the bulk-whois key can download bulk whois,
but nothing else.)

- If a resource is transferred and that is reflected in the WHOIS, ownership
  of the IRR data must likewise be transferred.


3. When an IRR contains a relationship between two or more resources that
have different owners is authorization from both required?
(I think we have to sort this out a bit.  Please Help)

3.a. Should a route holder be able to designate an origin AS that they
       do not hold without the AS holder's acknowledgment?   (maybe)

3.b. Should an AS holder be able to designate their AS as an origin for a
       route they do not hold without the route holder's acknowledgement?
       (no.  they can do all the work and just get the route holder to ack
       it though)

3.c. Should a route holder be able to remove an origin AS from their route
       without the AS holder's acknowledgment? (yes)

3.d. Should a route holder be able to adjust the routing policy associated
       with someone else's AS, but only with respect to their route without
       AS holder's acknowledgment?  (no)

3.e. Should an AS holder be able to document a Peering relationship, transit
       customer relationship, or transit provider relationship with another
       AS without that AS holder's approval? (maybe yes)

4. If we include routes where the strength of the relationship between ARIN
and the resource holder is weaker, then I suggest we clearly mark them.
- Think there is a big spectrum here and we should table this discussion
   until we sort out the clear case first.


In short to what extent do we think ARIN's IRR data should leverage
(where it exists) the unique relationship ARIN has between it and
the resource holders?

___Jason


=============
this should not be possible:


whois -h rr.arin.net as19527

% Information related to 'AS19527'

aut-num:        AS19527
as-name:        MEEBO
descr:          Meebo, Inc.
admin-c:        CKO60-ARIN
tech-c:         CKO60-ARIN
mnt-by:         MNT-MEEBO
source:         ARIN # Filtered

whois -h whois.arin.net 19527

#
# The following results may also be obtained via:
# https://whois.arin.net/rest/asns;q=19527?showDetails=true&ext=netref2
#

ASNumber:       19527
ASName:         GOOGLE-2
ASHandle:       AS19527
RegDate:        2007-08-17
Updated:        2018-01-10
Ref:            https://whois.arin.net/rest/asn/AS19527

OrgName:        Google LLC
OrgId:          GOOGL-2
Address:        1600 Amphitheatre Parkway
City:           Mountain View
StateProv:      CA
PostalCode:     94043
Country:        US
RegDate:        2006-09-29
Updated:        2017-12-21
Ref:            https://whois.arin.net/rest/org/GOOGL-2

OrgNOCHandle: GCABU-ARIN
OrgNOCName:   GC Abuse
OrgNOCPhone:  +1-650-253-0000
OrgNOCEmail:  google-cloud-compliance at google.com
OrgNOCRef:    https://whois.arin.net/rest/poc/GCABU-ARIN

OrgAbuseHandle: GCABU-ARIN
OrgAbuseName:   GC Abuse
OrgAbusePhone:  +1-650-253-0000
OrgAbuseEmail:  google-cloud-compliance at google.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/GCABU-ARIN

OrgTechHandle: ZG39-ARIN
OrgTechName:   Google LLC
OrgTechPhone:  +1-650-253-0000
OrgTechEmail:  arin-contact at google.com
OrgTechRef:    https://whois.arin.net/rest/poc/ZG39-ARIN



whois -h rr.arin.net "74.114.24.0/21"

% Information related to '74.114.24.0/21AS19527'

route:          74.114.24.0/21
descr:          meebo-east
origin:         AS19527
mnt-by:         MNT-MEEBO
source:         ARIN # Filtered



whois -h whois.arin.net 74.114.24.0

#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=74.114.24.0?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       74.114.24.0 - 74.114.31.255
CIDR:           74.114.24.0/21
NetName:        GOOGLE
NetHandle:      NET-74-114-24-0-1
Parent:         NET74 (NET-74-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS15169
Organization:   Google LLC (GOGL)
RegDate:        2009-05-21
Updated:        2018-01-12
Ref:            https://whois.arin.net/rest/net/NET-74-114-24-0-1



OrgName:        Google LLC
OrgId:          GOGL
Address:        1600 Amphitheatre Parkway
City:           Mountain View
StateProv:      CA
PostalCode:     94043
Country:        US
RegDate:        2000-03-30
Updated:        2017-12-21
Ref:            https://whois.arin.net/rest/org/GOGL


OrgAbuseHandle: ABUSE5250-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-650-253-0000
OrgAbuseEmail:  network-abuse at google.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/ABUSE5250-ARIN

OrgTechHandle: ZG39-ARIN
OrgTechName:   Google LLC
OrgTechPhone:  +1-650-253-0000
OrgTechEmail:  arin-contact at google.com
OrgTechRef:    https://whois.arin.net/rest/poc/ZG39-ARIN

On Tue, Jan 9, 2018 at 4:27 PM, ARIN <info at arin.net> wrote:

> Over the last several years, ARIN has received multiple ARIN Consultation
> and Suggestion Process (ACSP) requests and fielded many customer
> suggestions about our existing Internet Routing Registry (IRR), and as a
> result, a community consultation was issued to gauge community interest for
> ARIN to take on the project of improving this service. The consensus
> response was that the community would like ARIN to:
>
>   *  Improve the validity of the IRR data
>   *  Work with the other RIRs on authorization schemes
>   *  Provide appropriate proxy registration services
>   *  Integrate/validate with the registration database
>
> To accomplish these goals, we anticipate that this work effort will
> involve a fair bit of community involvement (RIR communities, IETF, and
> operational forums such as NANOG and CaribNOG) in order to create the
> appropriate incremental upgrades to the IRR.
>
> We are opening a new Community Consultation to solicit feedback on the
> ARIN IRR Roadmap, detailed below.
>
> Please provide comments to arin-consult at arin.net.
>
> This consultation will remain open through 5:00 PM EST on Friday, 9
> February 2018.
>
> Regards,
>
> John Curran
> President and CEO
> American Registry for Internet Numbers (ARIN)
>
> *ARIN IRR Roadmap*
>
> *Background*
>
> In response to multiple ACSPs regarding IRR route validation (i.e. the
> function whereby route objects are validated via the authorization of the
> appropriate number resource holder), ARIN conducted an IRR community
> consultation in April 2015. This consultation was opened because the issues
> around IRR route validation are complex, and implementation was anticipated
> to exceed the cost of most ACSP implementations.
> Within the consultation, the ARIN community was asked three questions:
>
>     * Should ARIN begin a new project to enable IRR route object
> validation to the ARIN registry database?
>     * If yes, should this effort be coordinated with other RIRs to help
> facilitate cross-registry authentication?
>     * If yes, should this effort also support third party IRR route object
> authentication?
>
> There were eighteen individual participants in the consultation.  Thirteen
> were in favor of ARIN creating a more robust IRR, two were publicly
> against, and three were unclear in their support or opposition.
>
> Nine participants expressed support for efforts to facilitate inter-RIR
> authentication, and eight participants expressed support for 3rd party or
> proxy registrations for authentication of route objects.
>
> Two participants suggested ARIN provide facilities for
> authentication/authorization or delegation to IRRs not operated by an RIR.
> Several participants had concerns regarding the implementation of an
> ARIN-validated IRR. Three noted ARIN's past experience with the
> implementation and cost of RPKI with respect to both community adoption and
> opportunity-cost, and one participant expressed concerns for contractual
> obligations that ARIN may place on resource holders provisioning
> information in a validated IRR.
>
> *Implementation Experience Regarding ARIN's Current IRR*
>
> ARIN initially set up a RIPE-based IRR years ago.  Over the years, we
> upgraded it based on ACSP suggestions: IPv6 support was implemented in
> December 2009, and PGP support with additional notifications was released
> in September 2011. In both of these releases, we replicated the original
> approach of using the RIPE database software system with loose coupling to
> our mainline ARIN Online registry system.  These upgrades did allow for
> additional functionality, but it came at a very substantial cost of time
> and unanticipated functionality issues related to the upgrades.
>
> When we undertook these upgrades, we chose to continue the separation in
> the hopes of doing minimal environmental changes to ARIN's infrastructure
> to add the suggested improvements. However, the RIPE codebase was not
> modularized, with significant dependencies on RIPE environment, and
> consequently was not ideal for use in ARIN's environment. One consequence
> was the repeated need to pull down the latest release from RIPE, adjust the
> environment for their software to work, make changes to it to allow
> functionality that we support, remove out dependencies to resource checks
> that would not exist in our system, and add dependency links to our system.
> This has been a very labor-intensive process and it took a lot of
> engineering time to make the system work.
>
> Adjusting to each upgrade from RIPE has also been challenging because of
> innate differences in our database structures. RIPE had two systems – one
> being a front-end database and the other being a back-end database with
> manual synchronization between these two systems. At ARIN, we have just one
> system that is placed behind the firewall and replicated out to the
> publicly available ARIN slaves as changes are made. The RIPE IRR codebase
> provided for limited information to be shared to slaves via its replication
> schemes.   Given that ARIN's publicly available interface is a slave, the
> output available to our community was not the same as our internal master,
> and has resulted in some confusion for ARIN IRR users.
>
> ARIN Registration Services Department also has challenges providing
> customer support to IRR users. Common problems include:
>
>     * Maintainers not being notified upon changes
>     * Cryptic responses to pgp-validation errors
>     * General lack of customer support features
>
> It was our hope that code re-use would save time and money. Unfortunately,
> this was not the case, and the result was an awkward, difficult-to-operate,
> and user-unfriendly system that requires considerable engineering time to
> maintain.
> It should also be noted that the IRR codebase in use by ARIN is no longer
> supported or maintained by the RIPE NCC, as they have since completely
> rewritten their IRR software.
>
> *Proposed Roadmap*
>
> Given the community feedback received in the consultation, and with due
> regard to the past experience with reusing code for IRR software, ARIN
> staff proposes a "ground-up" implementation of a validated IRR that will
> better integrate with ARIN's current web portal, provisioning system, and
> other registry functions. This path forward will be a multi-phased approach
> and will rely on community-defined specifications and global RIR community
> consensus.
>
> This approach will allow ARIN to field a routing registry incrementally,
> providing utility to the community much sooner than a monolithic "big-bang"
> release, and it will provide the community an opportunity to provide
> feedback with respect to features and cost as the project progresses.
>
>     * Produce a Simplified Profile of RPSL: Most of the complexity of RPSL
> comes from routing registry features rarely used by the community. To
> reduce the implementation costs around data modeling and parsing of complex
> RPSL structures, ARIN will work with the operational community to identify
> the most commonly used features of the language, and this subset will be
> documented as a simplified RPSL profile to be used to guide development
> efforts.
>     * Schedule Frequent Deployments: ARIN will adopt "continuous
> deployment" strategies to allow for more frequent deployments, similar to
> the strategy used today in development of the ARIN Online registry system.
> This will allow the community to use new features of the IRR as they are
> developed.
>
>     * Collaborate on Cross-RIR Authentication: ARIN will work with the
> other RIRs' engineering coordination activities to create an appropriate
> mechanism for authentication and authorization of routing registry objects
> for which the resources cross regional boundaries.
>
>     * Provide an Easy IRR integration tool within ARIN Online:  ARIN will
> provide a simple tool within ARIN online for those users who wish to
> explore the routing of their existing number resources and after successful
> review, automatically update their corresponding IRR records to match
> existing routing.
>
>     * Migrate Data to the New IRR: Where possible, ARIN will create tools
> and practices to help migrate data from the existing IRR to the new IRR
> under the authority of resource holders in the ARIN registry.
>
>     * Cooperate on Standards and Best Practices: Where applicable and
> appropriate, ARIN will work with the IETF and the other RIRs on documenting
> any resulting operational standards, profiles, and best practices.
>
> We do feel that this effort, once deployed, will help improve routing
> coordination that exists on the Internet today. The proposed new ARIN IRR
> will provide a clear and consistent path to allow ISPs to share their
> routing policies.
>



-- 
_______________________________________________________
Jason Schiller|NetOps|jschiller at google.com|571-266-0006
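
The kind of WHOIS / IRR divergence shown in the whois output above can be detected mechanically. The following is an added example, not part of the original message and not ARIN tooling: it parses trimmed excerpts of that output and flags an IRR aut-num whose as-name differs from WHOIS, and an IRR route whose origin is not listed in the WHOIS OriginAS. The function names and the choice of fields to compare are assumptions.

```python
import ipaddress

# Trimmed from the whois output quoted in the message above.
IRR_AUT_NUM = "aut-num: AS19527\nas-name: MEEBO\nsource: ARIN # Filtered\n"
WHOIS_ASN = "ASNumber: 19527\nASName: GOOGLE-2\nOrgId: GOOGL-2\n"
IRR_ROUTE = ("% Information related to '74.114.24.0/21AS19527'\n"
             "route: 74.114.24.0/21\norigin: AS19527\nmnt-by: MNT-MEEBO\n")
WHOIS_NET = "CIDR: 74.114.24.0/21\nOriginAS: AS15169\nOrganization: Google LLC (GOGL)\n"

def parse(text):
    """Parse 'key: value' lines; skip '#'/'%' comment lines, drop trailing '# ...'."""
    rec = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#%" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        # First occurrence wins: in full WHOIS output the resource record
        # precedes the Org and POC records that repeat some keys.
        rec.setdefault(key.strip().lower(), value.split("#")[0].strip())
    return rec

def check_aut_num(irr, whois):
    """Compare an IRR aut-num object with the WHOIS record for the same ASN."""
    if irr["aut-num"].upper() != "AS" + whois["asnumber"]:
        return ["records describe different ASNs"]
    if irr["as-name"] != whois["asname"]:
        return [f"as-name {irr['as-name']} != WHOIS ASName {whois['asname']}"]
    return []

def check_route(irr, whois):
    """Compare an IRR route object with the WHOIS net record that covers it."""
    route = ipaddress.ip_network(irr["route"])
    nets = [ipaddress.ip_network(c.strip()) for c in whois["cidr"].split(",")]
    if not any(n.version == route.version and route.subnet_of(n) for n in nets):
        return [f"route {route} not covered by WHOIS CIDR {whois['cidr']}"]
    # OriginAS is optional in WHOIS; an empty field gives nothing to compare.
    allowed = {a.upper() for a in whois.get("originas", "").replace(",", " ").split()}
    if allowed and irr["origin"].upper() not in allowed:
        return [f"origin {irr['origin']} not in WHOIS OriginAS {sorted(allowed)}"]
    return []

def audit():
    """Run both checks over the embedded excerpts and return all findings."""
    return (check_aut_num(parse(IRR_AUT_NUM), parse(WHOIS_ASN))
            + check_route(parse(IRR_ROUTE), parse(WHOIS_NET)))

if __name__ == "__main__":
    for finding in audit():
        print("MISMATCH:", finding)
```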