IRR Tutorial and RPKI Demo, by Nurul Islam. A presentation given at the APNIC 40 APNIC Services session on Wed, 9 Sep 2015.

1. Internet Routing Registry &
RPKI Tutorial
Nurul Islam Roman, APNIC

2. Objectives
• To provide an introduction to the APNIC Routing
Registry
– Explain concepts of the global RR
– Outline the benefits of the APNIC Routing Registry
– Discuss Routing Policy Specification Language (RPSL)
• New Initiative RPKI

3. Overview
• What is IRR?
• Whois DB Recap
• APNIC database and the IRR
• Using the Routing Registry
• Using RPSL in practice
• Benefit of using IRR

4. What is IRR?

5. Prefix Advertise to Internet
• Ingress prefix from downstream:
– Option 1: Customer single home and non portable prefix
• Customer is not APNIC member prefix received from upstream ISP
– Option 2: Customer single home and portable prefix
• Customer is APNIC member receive allocation as service provider but no AS
number yet
– Option 3: Customer multihome and non portable prefix
• Customer is not APNIC member both prefix and ASN received from upstream ISP
– Option 4: Customer multihome and portable prefix
• Customer is APNIC member both prefix and ASN received from APNIC

6. Prefix Filtering BCP [Single home]
• Option 1: Customer single home and non portable prefix
Internet
upstream
downstream
AS17821
Static 3fff:ffff:dcdc::/48 to
customer WAN Interface
No LoA Check of Cust prefix
ISP Prefix
3fff:ffff::/32
Customer Prefix
3fff:ffff:dcdc::/48
NO BGP
Static Default to ISP
WAN Interface

7. Prefix Filtering BCP [Single home]
• Option 2: : Customer single home and portable prefix
Internet
upstream
downstream
AS17821
Static 2001:0DB8::/32 to
customer WAN Interface
BGP network 2001:0DB8::/32 AS17821 i
Check LoA of Cust prefix
ISP Prefix
3fff:ffff::/32
Customer Prefix
2001:0DB8::/32
NO BGP
Static Default to ISP
WAN Interface
Static 2001:0DB8::/32 null0

8. Prefix Filtering [Multihome]
• Option 3: Customer multihome and non portable prefix
Internet
upstream
can not change
AS17821
eBGP peering with customer
WAN interface
No LoA Check of Cust prefix
ISP Prefix
3fff:ffff::/32
Customer Prefix
3fff:ffff:dcdc::/48
AS131107
Check LoA of Cust prefix
Manual process e-mail to tech-c
Automated process route object or RPKI
Nearly same filter requirement as other ISP
AS64500
eBGP peering with both
ISP WAN Interface
BGP network 3fff:ffff:dcdc::/48 AS64500 i
or aggregate address from gateway router
upstream
can change

9. Prefix Filtering [Multihome]
• Option 4: Customer multihome and portable prefix
Internet
upstream
can change
AS17821
Check LoA of Cust prefix
Manual process e-mail to tech-c
Automated process route object or RPKI
ISP Prefix
3fff:ffff::/32
Customer Prefix
2001:0DB8::/32
AS131107
Check LoA of Cust prefix
Manual process e-mail to tech-c
Automated process route object or RPKI
Nearly same filter requirement as other ISP
AS64500
eBGP peering with both
ISP WAN Interface
BGP network 2001:0DB8::/32 AS64500 i
or aggregate address from gateway router
upstream
can change

10. What is a Routing Registry?
• A repository (database) of Internet routing
policy information
• Autonomous Systems exchanges routing information via
BGP
• Exterior routing decisions are based on policy based
rules
• However BGP does not provides a mechanism to
publish/communicate the policies themselves
• RR provides this functionality
• Routing policy information is expressed in a
series of objects
• Stability and consistency of routing
• Network operators share information

11. RIPE
RADB CW
APNIC Connect
ARIN, ArcStar, FGC, Verio,
Bconnex, Optus, Telstra, ...
IRR = APNIC RR + RIPE DB + RADB + C&W + ARIN + …
What is a Routing Registry?

12. What is Routing Policy?
• Description of the routing relationship between
autonomous systems
– Who are my BGP peers?
• Customer, peers, upstream
– What routes are:
• Originated by each neighbour?
• Imported from each neighbour?
• Exported to each neighbour?
• Preferred when multiple routes exist?
– What to do if no route exists?
– What routes to aggregate?

13. Representation of Routing
Policy
AS1 AS2
In order for traffic to flow from NET2 to NET1
between AS1 and AS2:
NET1 NET2
AS1 has to announce NET1 to AS2 via BGP
Resulting in packet flow from NET2 to NET1
And AS2 has to accept this information and use it

14. AS1 AS2
NET1 NET2
In order for traffic to flow towards from NET1 to NET2:
AS2 must announce NET2 to AS1
And AS1 has to accept this information and use it
Resulting in packet flow from NET 1 to NET2
Representation of Routing Policy

15. RPSL
• Routing Policy Specification Language
– Object oriented language
• Based on RIPE-181
– Structured whois objects
• Higher level of abstraction than access lists
• Describes things interesting to routing policy:
– Routes, AS Numbers …
– Relationships between BGP peers
– Management responsibility
RFC
2622
RFC
2725
RFC
2650

16. Routing Policy - Examples
AS 1 AS 2
aut-num: AS1
…
import: from AS2
action pref= 100;
accept AS2
export: to AS2 announce AS1
aut-num: AS2
…
import: from AS1
action pref=100;
accept AS1
export: to AS1 announce AS2
Basic concept
“action pref” - the lower the value,
the preferred the route

17. Routing Policy - Examples
AS 123 AS4 AS5AS5
More complex example
• AS4 gives transit to AS5, AS10
• AS4 gives local routes to AS123
AS10

18. Routing Policy - Examples
AS 123 AS4 AS5AS5
import: from AS123 action pref=100; accept AS123
aut-num: AS4
import: from AS5 action pref=100; accept AS5
import: from AS10 action pref=100; accept AS10
export: to AS123 announce AS4
export: to AS5 announce AS4 AS10
export: to AS10 announce AS4 AS5
Not a path
AS10

19. Routing Policy - Examples
AS123 AS4
More complex example
• AS4 and AS6 private link1
• AS4 and AS123 main transit link2
• backup all traffic over link1 and link3 in event of link2 failure
AS6
private
link1
link3
transit traffic
over link2

20. Routing Policy - Examples
AS123 AS4
AS6
private link1
link3
AS representation
transit traffic
over link2
import: from AS123 action pref=100; accept ANY
aut-num: AS4
import: from AS6 action pref=50; accept AS6
import: from AS6 action pref=200; accept ANY
export: to AS6 announce AS4
export: to AS123 announce AS4
full routing received
higher cost for backup route

21. Whois Database Recap

22. APNIC Database
• Public network management database
– APNIC whois database contains:
• Internet resource information and contact details
– APNIC Routing Registry (RR) contains:
• routing information
• APNIC RR is part of IRR
– Distributed databases that mirror each other

23. Database Object
• An object is a set of attributes and values
• Each attribute of an object...
• Has a value
• Has a specific syntax
• Is mandatory or optional
• Is single- or multi-valued
• Some attributes ...
• Are primary (unique) keys
• Are lookup keys for queries
• Are inverse keys for queries
– Object “templates” illustrate this structure

24. Person Object Example
– Person objects contain contact information
person:
address:
address:
address:
country:
phone:
fax-no:
e-mail:
nic-hdl:
mnt-by:
changed:
source:
Attributes Values
Test Person
ExampleNet Service Provider
2 Pandora St Boxville
Wallis and Futuna Islands
TC
+680-368-0844
+680-367-1797
tperson@example.com
TP17-AP
MAINT-ENET-TC
tperson@example.com 20090731
APNIC

25. Database Queries
– Flags used for inetnum queries
None find exact match
- l find one level less specific matches
- L find all less specific matches
- m find first level more specific matches
- M find all More specific matches
- x find exact match (if no match, nothing)
- d enables use of flags for reverse domains
- r turn off recursive lookups

26. Database Protection
• Authorisation
– “mnt-by” references a mntner object
• Can be found in all database objects
• “mnt-by” should be used with every object!
• Authentication
– Updates to an object must pass authentication rule specified by its
maintainer object

27. Prerequisite for Updating Objects
• Create person objects for contacts
• To provide contact info in other objects
• Create a mntner object
• To provide protection of objects
• Protect your person object

28. APNIC Database and the
IRR

29. APNIC Database & the IRR
• APNIC whois Database
– Two databases in one
• Public Network Management Database
– “whois” info about networks & contact persons
• IP addresses, AS numbers etc
• Routing Registry
– contains routing information
• routing policy, routes, filters, peers etc.
– APNIC RR is part of the global IRR

30. Integration of Whois and IRR
• Integrated APNIC Whois Database &
Internet Routing Registry
APNIC
Whois
IRR
IP, ASNs,
reverse domains,
contacts,
maintainers
etc routes, routing
policy, filters,
peers etc
inetnum, aut-num,
domain, person, role,
maintainer
route, aut-num, as-
set, inet-rtr,
peering-set etc.
Internet resources &
routing information

31. Inter-related IRR Objects
inetnum:
202.0.16.0 - 202.0.16.255
…
tech-c: KX17-AP
mnt-by: MAINT-EX
aut-num: AS1
…
tech-c: KX17-AP
mnt-by: MAINT-EX
…
route:
origin:
…
mnt-by: MAINT-EX
person:
…
nic-hdl: KX17-AP
…
mntner: MAINT-EX
…
202.0.16/24
AS1

32. Inter-related IRR Objects
aut-num: AS2
…
inetnum:
202.0.16.0-202.0.31.255
…
aut-num: AS10
…
route: 202.0.16/20
…
origin: AS2
…
as-set:
AS1:AS-customers
members:
AS10, AS11
route-set:
AS2:RS-routes
members:
218.2/20, 202.0.16/20
route: 218.2/20
…
origin: AS2
…
aut-num: AS2
…
inetnum:
218.2.0.0 - 218.2.15.255
…
aut-num: AS11
…
, AS2

33. Hierarchical Authorisation
• mnt-routes
– authenticates creation of route objects
• creation of route objects must pass authentication of mntner referenced in
the mnt-routes attribute
– Format:
• mnt-routes: <mntner>
In:
routeaut-numinetnum

34. Authorisation Mechanism
inetnum: 202.137.181.0 – 202.137.196.255
netname: SPARKYNET-TC
descr: SparkyNet Service Provider
…
mnt-by: APNIC-HM
mnt-lower: MAINT-SPARKYNET1-TC
mnt-routes: MAINT-SPARKYNET2-TC
This object can only be modified by APNIC
Creation of more specific objects within this range has to
pass the authentication of MAINT-SPARKYNET1-TC
Creation of route objects matching/within this range has
to pass the authentication of MAINT-SPARKYNET2-TC

35. Creating Route Objects
• Multiple authentication checks:
– Originating ASN
• mntner in the mnt-routes is checked
• If no mnt-routes, mnt-lower is checked
• If no mnt-lower, mnt-by is checked
– AND the address space
• Exact match & less specific route
– mnt-routes etc
– AND the route object mntner itself
• The mntner in the mnt-by attribute
aut-num
inetnum
route
route

36. Creating Route Objects
mntner: MAINT-WF-EXNET
auth: CRYPT-PW klsdfji9234
maintainer
inetnum:
202.137.240.0 – 202.137.255.255
mnt-routes: MAINT-WF-EXNET
IP address range
aut-num: AS1
mnt-routes: MAINT-WF-EXNET
AS number
1
route: 202.137.240/20
origin: AS1
route
1. Create route object and submit to APNIC RR database
4. DB checks inetnum obj matching/encompassing IP range in route obj
5. Route obj creation must pass auth of mntner specified in inetnum mnt-routes attribute.
3. Route obj creation must pass auth of mntner specified in aut-num mnt-routes attribute.
2. DB checks aut-num obj corresponding to the ASN in route obj
2
35
4

37. Using RPSL in practice

38. Overview
• Review examples of routing policies expression
– Peering policies
– Filtering policies
– Backup connection
– Multihoming policies

39. RPSL - review
• Purpose of RPSL
– Allows specification of your routing configuration in the public IRR
• Allows you to check “Consistency” of policies and announcements
– Gives opportunities to consider the policies and configuration of
others

40. Address Prefix Range Operator
Operator Meanings
^- Exclusive more specifics of the address
prefix:
E.g. 128.9.0.0/16^- contains all more
specifics of 128.9.0.0/16 excluding
128.9.0.0/16
^+ Inclusive more specific of the address
prefix:
E.g. 5.0.0.0/8^+ contains all more
specifics of 5.0.0.0/8 including 5.0.0.0/8

41. Address Prefix Operator (cont.)
Operator Meanings
^n n = integer, stands for all the length “n”
specifics of the address prefix:
E.g. 30.0.0.0/8^16 contains all the more
specifics of 30.0.0.0/8 which are length of 16
such as 30.9.0.0/16
^n-m m = integer, stands for all the length “n” to
length “m” specifics of the address prefix:
E.g. 30.0.0.0/8^24-32 contains all the more
specifics of 30.0.0.0/8 which are length of 24 to
32 such as 30.9.9.96/28

42. AS-path regular expressions
• Regular expressions
– A context-independent syntax that can represent a wide variety of
character sets and character set orderings
– These character sets are interpreted according to the current The
Open Group Base Specifications (IEEE)
• Can be used as a policy filter by enclosing the
expression in “<“ and “>”.

43. Filter List- Regular Expression
• Like Unix regular expressions
. Match one character
* Match any number of preceding expression
+ Match at least one of preceding expression
^ Beginning of line
$ End of line
Escape a regular expression character
_ Beginning, end, white-space, brace
| Or
() Brackets to contain expression
[ ] Brackets to contain number ranges
Source: www.cisco.com

44. AS-path Regular Expression
Operator Meanings
<AS3> Route whose AS-path contains AS3
<^AS1> Routes whose AS-path starts with AS1
<AS2$> Routes whose AS-path end with AS2
<^AS1 AS2 AS3$> Routes whose AS-path is exactly “1 2 3”
<^AS1 . * AS2$> AS-path starts with AS1 and ends in
AS2 with any number ASN in between
<^AS3+$> AS-path starts with AS3 and ends in
AS3 and
AS3 is the first member of the path and
AS3 occurs one or more times in the
path and no other AS can be present in
the path after AS3

45. AS-path Regular Expression
(cont.)
Operator Meanings
<AS3|AS4> Routes whose AS-path is with AS3
or AS4
<AS3 AS4> Routes whose AS-path with AS3
followed by AS4

46. Common Peering Policies
• Peering policies of an AS
– Registered in an aut-num object
Internet
AS 1 AS 2 AS 3
ISP
(Transit provider) Customer
AS 4 AS 5

47. Common Peering Policies
• Policy for AS3 in the AS2 aut-num object
aut-num: AS2
as-name: SAMPLE-NET
dsescr: Sample AS
import: from AS1 accept ANY
import: from AS3 accept <^AS3+$>
export: to AS3 announce AS2
export: to AS1 announce AS2 AS3
admin-c: TP1-AP
tech-c: TP2-AP
mtn-by: MAINT-SAMPLE-AP
changed: sample@sample.net

48. Transit Provider Policies
• Peering policies of an AS
– Registered in an aut-num object
Internet
AS 1 AS 2 AS 3
ISP
(Transit provider) Customer
AS 4 AS 5

49. ISP Customer – Transit Provider
Policies
• Policy for AS3 and AS4 in the AS2 aut-num object
aut-num: AS2
import: from AS1 accept ANY
import: from AS3 accept <^AS3+$>
import: from AS4 accept <^AS4+$>
export: to AS3 announce ANY
export: to AS4 announce ANY
export: to AS1 announce AS2 AS3 AS4

50. AS-set Object
• Describe the customers of AS2
as-set: AS2:AS-CUSTOMERS
members: AS3 AS4
changed: sample@sample.net
source: APNIC

51. Aut-num Object referring as-set
Object
aut-num: AS2
import: from AS1 accept ANY
import: from AS2:AS-CUSTOMERS accept
<^AS2:AS-CUSTOMERS+$>
export: to AS2:AS-CUSTOMERS announce ANY
export: to AS1 announce AS2 AS2:AS-CUSTOMERS
aut-num: AS1
import: from AS2 accept <^AS2+AS2:AS-CUSTOMERS+$>
export: ………

52. IRRToolSet
• Set of tools developed for using the Internet Routing
Registry (IRR)
• Work with Internet routing policies
– These policies are stored in IRR in the Routing Policy
Specification Language (RPSL)
• The goal of the IRRToolSet is to make routing
information more convenient and useful for network
engineers
– Tools for automated router configuration,
– Routing policy analysis
– On-going maintenance etc.

53. IRRToolSet
• Download: ftp://ftp.isc.org/isc/IRRToolSet/
• Installation needs: lex, yacc and C++ compiler
root@bofh:~ #wget
ftp://ftp.isc.org/isc/IRRToolSet/IRRToolSet-
5.0.1/irrtoolset-5.0.1.tar.gz
root@bofh:~ # tar –zxvf irrtoolset-5.0.1.tar.gz
root@bofh:~ # cd irrtoolset-5.0.1
root@bofh:~irrtoolset-5.0.1# ./configure
root@bofh:~irrtoolset-5.0.1# make
root@bofh:~irrtoolset-5.0.1# make install

54. IRRToolSet
root@bofh:~ whois –h whois.apnic.net AS17821
#####snipped######
mp-import: afi any.unicast {
from AS-ANY accept ANY AND NOT RS-MARTIANS;
} refine {
from AS-ANY action pref = 50;
accept community.contains(17821:50);
from AS-ANY action pref = 30;
accept community.contains(17821:70);
from AS-ANY action pref = 10;
accept community.contains(17821:90);
from AS-ANY action pref = 0; accept ANY;
} refine afi ipv4.unicast {

55. IRR Toolset, RPSL: rtconfig(Contd)
Cisco Specific
@rtconfig set cisco_map_name = <map-name>
@rtconfig set cisco_map_first_no = <no>
@rtconfig set cisco_map_increment_by = <no>
@rtconfig set cisco_prefix_acl_no = <no>
@rtconfig set cisco_aspath_acl_no = <no>
@rtconfig set cisco_pktfilter_acl_no = <no>
@rtconfig set cisco_community_acl_no = <no>
@rtconfig set cisco_access_list_no = <no>
@rtconfig set cisco_max_preference = <no>
@rtconfig networks <ASN-1>
@rtconfig inbound_pkt_filter <if-name> <ASN-1> <rtr-1> <ASN-
2> <rtr-2>

56. IRR Toolset, RPSL: rtconfig(Contd)
Junos Specific
@rtconfig set junos_policy_name = <policy-name>
@rtconfig networks <ASN-1>

57. IRR Toolset, RPSL: rtconfig Input
File(Provision)
router bgp 17821
neighbor 103.4.108.54 remote-as 131107
neighbor 103.4.108.54 version 4
!
# X Communication Ltd
@RtConfig set cisco_access_list_no = 500
@RtConfig set cisco_map_name = "AS58715-IN"
@RtConfig import AS131208 103.4.108.62 AS58715 103.4.108.61
@RtConfig set cisco_access_list_no = 599
@RtConfig set cisco_map_name = "ANY"
@RtConfig export AS131208 103.4.108.62 AS58715 103.4.108.61
!
# xyz Ltd
@RtConfig set cisco_access_list_no = 501
@RtConfig set cisco_map_name = "AS58656-IN"
@RtConfig import AS131208 103.4.108.94 AS58656 103.4.108.93
@RtConfig set cisco_access_list_no = 599
@RtConfig set cisco_map_name = "ANY"
@RtConfig export AS131208 103.4.108.94 AS58656 103.4.108.93
!
end

58. Use of RPSL - RtConfig
• RtConfig
• part of IRRToolSet
• Reads policy from IRR (aut-num, route & -set
objects) and generates router configuration
– vendor specific:
• Cisco, Bay's BCC, Juniper's Junos and Gated/RSd
– Creates route-map and AS path filters
– Can also create ingress / egress filters

59. IRR Toolset, RPSL: Uploading
Configuration
Various ways to upload configuration:
– SNMP Write
– NETCONF XML Based
– Automated Script using expect

60. Why use IRR and RtConfig?
• Benefits of RtConfig
– Avoid filter errors (typos)
– Expertise encoded in the tools that generate the policy rather than
engineer configuring peering session
– Filters consistent with documented policy
• (need to get policy correct though)

61. New Initiative RPKI

62. What is RPKI?
• Resource Public Key Infrastructure (RPKI)
• A robust security framework for verifying the association
between resource holder and their Internet resources
• Created to address the issues in RFC 4593 “Generic
Threats to Routing Protocols”
• Helps to secure Internet routing by validating routes
– Proof that prefix announcements are coming from the legitimate
holder of the resource
62

63. Benefits of RPKI - Routing
• Similar objective as IRR but in a robust and scalable way
• Prevents route hijacking
– A prefix originated by an AS without authorization
– Reason: malicious intent
• Prevents mis-origination
– A prefix that is mistakenly originated by an AS which does not own it
– Also route leakage
– Reason: configuration mistake / fat finger
63

64. Public Key Concept
• Private key: This key must be known only by its owner.
• Public key: This key is known to everyone (it is public)
• Relation between both keys: What one key encrypts, the
other one decrypts, and vice versa. That means that if you
encrypt something with my public key (which you would
know, because it's public :-), I would need my private key to
decrypt the message.
• Same as http with SSL aka https
64

65. X.509 Certificates 3779 EXT
65

66. Trust Anchor
66

67. Trust Anchor Locator (TALs)
• In cryptographic systems with hierarchical structure, a Trust
anchor is an authoritative entity for which trust is assumed and
not derived.
• In X.509 architecture, a root certificate would be the trust anchor
from which whole chain of trust is derived. The trust anchor must
be in possession of the trusting party beforehand to make any
further certificate path validation possible.
• RPKI uses Internet Assigned Numbers Authority(IANA) as the
trust anchor, and Regional Internet Registries(RIR) as
immediately subordinate nodes to that anchor (Single Trust
Anchor).
• Split Trust Anchor.
67

68. PKI in IRR
• The RIRs hold a self-signed root certificate for all the
resources that they have in the registry
– They are the trust anchor for the system
• That root certificate is used to sign a certificate that lists
your resources
• You can issue child certificates for those resources to your
customers
– When making assignments or sub allocations
68

69. Route Origination Attestations (ROA)
• Next to the prefix and the ASN which is allowed to
announce it, the ROA contains:
– A minimum prefix length
– A maximum prefix length
– An expiry date
– Origin ASN
• Multiple ROAs can exist for the same prefix
• ROAs can overlap
69

70. Origin Validation
• Router gets ROA information from the RPKI Cache
– RPKI verification is done by the RPKI Cache
• The BGP process will check each announcement with the
ROA information and label the prefix
70

71. Result of Check
• Valid – Indicates that the prefix and AS pair are found in the
database.
• Invalid – Indicates that the prefix is found, but either the
corresponding AS received from the EBGP peer is not the
AS that appears in the database, or the prefix length in the
BGP update message is longer than the maximum length
permitted in the database.
• Not Found / Unknown– Indicates that the prefix is not
among the prefixes or prefix ranges in the database.
Valid > Unknown > Invalid
71

72. ROA Example
72

73. Local Policy
• You can define your policy based on
the outcomes
– Do nothing
– Just logging
– Label BGP communities Modify preference
values Rejecting the announcement
73

74. RPKI Support in Routers
• The RPKI-RTR Protocol is an IETF Internet Draft
Production Cisco Support:
– ASR1000, 7600, ASR903 and ASR901 in releases 15.2(1)S or XE
3.5 Cisco Early Field Trial (EFT):
– ASR9000, CRS1, CRS3 and c12K (IOS-XR 4.3.2)
• Juniper has support since version 12.2
• Quagga has support through BGP-SRX
74

75. RPKI Caveats
• When RTR session goes down, the RPKI status will be “not
found” for all the bgp route after a while
– Invalid => not found
– we need several RTR sessions or care your filtering policy
• In case of the router reload, which one is faster, receiving
ROAs or receiving BGP router?
– If receiving BGP is match faster than ROA, the router propagate the
invalid route to others
– We need to put our Cache validator within our IGP scope
75

76. RPKI Configuration
76

77. Topology for Origin Validation
77

78. Topology for Origin Validation

79. Phase I - Publishing ROA
79

80. Phase I - Publishing ROA
80

81. Phase I - Publishing ROA
81

82. Phase I - Publishing ROA- IPv4
82

83. Phase I - Publishing ROA- IPv6
83

84. Phase I - Check your ROA
84

85. Phase I - Check your ROA
85

86. Phase II - RPKI Validator
86

87. Phase II - RPKI Validator
87

88. Phase II - RPKI Validator
88

89. Phase III - Router Configuration
(Juniper)
89

90. Phase III - Router Configuration
(Juniper)
90

91. Phase III - Router Configuration
(Juniper)
91

92. Check your prefix
92
nurul@rpki-test> show route protocol bgp 202.4.96.0/24 !
!
inet.0: 506658 destinations, 506659 routes (506656 active, 0 holddown, 2 hidden)!
+ = Active Route, - = Last Active, * = Both!
!
202.4.96.0/24 *[BGP/170] 01:42:11, localpref 100!
AS path: 58656 23956 I, validation-state: valid!
> to 103.12.177.221 via ge-1/0/9.0

93. Check your prefix
93
#show validation session!
nurul@rpki-test> show validation session !
Session State Flaps Uptime #IPv4/IPv6 records!
203.176.179.25 Up 0 1d 09:33:54 9728/1431

94. Phase III - Router Configuration
(Cisco IOS)
94
gw1.bne.training.apnic.net#sh running-config | b bgp
router bgp 45192
bgp log-neighbor-changes
no bgp default ipv4-unicast
bgp rpki server tcp 203.176.189.25 port 8282 refresh 500
neighbor IPv4-INTERNAL-iBGP peer-group
neighbor IPv4-INTERNAL-iBGP remote-as 45192
neighbor IPv4-INTERNAL-iBGP update-source Loopback0
neighbor IPv6-INTERNAL-iBGP peer-group
!

95. Phase III - Router Configuration
(Cisco IOS)
95
gw1.bne.training.apnic.net#sh bgp ipv4 unicast rpki servers
BGP SOVC neighbor is 203.176.189.25/8282 connected to port 8282
Flags 64, Refresh time is 500, Serial number is 174, Session ID is 62568
InQ has 0 messages, OutQ has 0 messages, formatted msg 45
Session IO flags 3, Session flags 4008
Neighbor Statistics:
Prefixes 17498
Connection attempts: 1
Connection failures: 0
Errors sent: 0
Errors received: 0

96. Phase III - Router Configuration
(Cisco IOS)
96
gw1.bne.training.apnic.net#sh bgp ipv6 unicast
BGP table version is 4125589, local router ID is 203.176.189.225
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
N ::/0 :: 0 I
N*> 2001:67C:7C::/48 2001:DC0:E007:10::2
100 0 4608 1221 4637 6939 47692 i
V*> 2001:67C:88::/48 2001:DC0:E007:10::2
100 0 4608 1221 4637 6939 57118 I
I* 2001:660:8015::/48
Network Next Hop Metric LocPrf Weight Path
2001:DC0:E007:10::2

97. Phase III - Router Configuration
(Cisco IOS)
97
gw1.bne.training.apnic.net#sh route-map
route-map test-lo-pf, permit, sequence 10
Match clauses: rpki invalid
Set clauses: local-preference 50
Policy routing matches: 0 packets, 0 bytes
route-map test-lo-pf, permit, sequence 20
Match clauses: rpki valid
Set clauses: local-preference 200
Policy routing matches: 0 packets, 0 bytes
route-map test-lo-pf, permit, sequence 30
Match clauses: rpki notfound
Set clauses:
local-preference 100
Policy routing matches: 0 packets, 0 bytes

98. Software Bug 
98

99. Software Bug 
99

100. Unexpected Logic 
100

101. Inconsistent Logic 
101

102. 102

103. • More personalised service
– Range of languages:
Bahasa Indonesia, Bengali, Cantonese, English, Hindi, Mandarin,
Thai, etc.
• Faster response and resolution of queries
– IP resource applications, status of requests, obtaining help in
completing application forms, membership enquiries, billing issues
& database enquiries
Member Services Helpdesk
-One point of contact for all member enquiries
-Online chat services
Helpdesk hours
9:00 am - 9:00 pm (AU EST, UTC + 10 hrs)
ph: +61 7 3858 3188 fax: 61 7 3858 3199

104. Thank You 

105. 105