AfriNIC - 2005
Introductions
Instructor:
Students: Full Names & Nationality. Organization/Company. Position/Title. Brief Responsibilities. AfriNIC Member? Experience with AfriNIC/RIR System.
Attendance Sheet:
Logistics
Mobile phones: Off or Silent
Toilets? Smoking Room? Break: Tea and Lunch?
Time line:
09:00 - 13:00 Presentation
14:30 - 15:30 Hands on (Where LAB is arranged)
early departures?
Course Objectives:
Requesting IP number resources.
Creating, updating and deleting objects: IP number resource registrations, contact info, reverse domains, etc
Policy Development Process and an overview of current policy proposals under discussion.
Why AfriNIC
Problem:
Lack of co-ordination on IP resource management in Africa.
Inconsistency in address allocation policies.
Poor involvement of African stakeholders in the IP address allocation system.
Policy inappropriate for Africa's Internet environment.
Money is sent out of the continent.
Why AfriNIC
Results:
A common address allocation policy for Africa.
A common environment for discussions on IP resources policy.
Application of the bottom-up process to allow participation from the local community.
Adoption of new policies closer to the continent's realities.
Money stays in Africa to support training and other projects.
What is AfriNIC?
AfriNIC : Independent not-for-profit membership organisation supporting its members and the community
[Diagram: organisational chart with the labels ICANN, IANA, ASO, NRO, Supporting Organizations, Constituencies & Advisory bodies, Community*, RIPE]
entity based on membership, has developed a Policy Development Process driven by the community.
6 steps
policy-wg-request@afrinic.net
41/8
Recent/Coming Activities
5th Public policy meeting held in Mauritius: Dec 2006
6th Public policy meeting held in Abuja: May 2007
Several policy proposals. IPv6 and LIR hands-on training and Workshop.
AfriNIC services
Member Services
Registration: IPv4 addresses, IPv6 addresses, AS numbers
Reverse delegation
Public Services
AFRINIC DB maintenance
Coordination & liaison
Meetings
Courses:
Contacts
Headquarters: AfriNIC Ltd., 3rd Floor, Cyber Tower, Cyber City, Ebene, Mauritius
Phone:
Fax:
Hostmaster Billing DB-help Training
Questions?
Introduction
* RIR specific terminology
* The whois database
IP Address Space
Address space is not property
Recovered
fulfilled:
e.g: Non Payment of membership fees Not used anymore Policy Violation, Court Orders, etc
Allocation
address space issued by AfriNIC to a LIR. The LIR can further issue IP addresses to end-sites/customers from an allocation.
Sub-Allocation
address space from LIR's allocation set apart by LIR for issuing to downstream ISPs / resellers.
Assignment
made from allocation or sub-allocation. address space in use in networks.
[Diagram: allocation, sub-allocation and assignments]
Classless Addressing
Classful: 3 fixed network sizes: A, B, C Problem: waste of addresses
Object Types
IP address space: inetnum, inet6num
Reverse delegation: domain
Routing: aut-num
Organisation: organisation
Contact details: person, role
Data protection: mntner, key-cert

Documents
AFRINIC DB User Manual: Getting Started
AFRINIC Database Reference Manual
Basic Queries
Use a Whois Client:
** No known command-line whois client for Microsoft Windows. All command line whois clients are usually on Unix/Unix-Like Systems and Linux.
Download a CLI whois client from SourceForge, Freshmeat, etc. There may be some commercial Windows whois clients.
address: [mandatory] [multiple] [ ] [mandatory] [multiple] [ ] [multiple] [ ] [multiple] [lookup key] [primary/look-up key] [multiple] [ ] [multiple] [inverse key] [multiple] [inverse key] [ ]
nic-hdl: [mandatory] [single] remarks: [optional] notify: mnt-by: source: [optional] [optional]
nic-hdl
Unique identifier for person and role objects
Format: <initials>[number]-<database>
e.g. PB1-AFRINIC
Use AUTO-1 when creating new objects to auto-generate a handle.

As submitted:

person: Pius Bog
nic-hdl: auto-1

role: NOC Team
nic-hdl: auto-1

As registered:

person: Pius Bog
nic-hdl: PB123-AFRINIC

role: NOC Team
nic-hdl: NT1-AFRINIC
Database Responses
Successful update: object accepted (or no object found)
Errors: object NOT accepted
read error report
correct and re-send
Send questions to <afrinic-dbm@afrinic.net>
include complete error report and original email to DB
Role Objects
Can contain several person objects for a defined role. For Example:
role: ISP-X NOC Contacts
.
admin-c: ABC1-AFRINIC
admin-c: DEF1-AFRINIC
tech-c: GHI1-AFRINIC
nic-hdl: INC1-AFRINIC

Easier to update multiple objects when contacts change.
Only role object to be modified (admin-c/tech-c).
IP address IP range
Hierarchical Queries
whois -h whois.afrinic.net -M 80.35.64.0/19
whois -h whois.afrinic.net -m 80.35.64.0/19 (first sub-level only)
80.35.64.0 - 80.35.95.255
80.35.64.0 - 80.35.65.191 MARIBU
80.35.80/25 TAIWO
80.35.88/26 CHATHA
80.35.92/29
80.35.92.8/29 CHATHA-8
...
CHATHA-2
Inverse Lookups: -i
To find all objects that contain references to other objects:
whois -h whois.afrinic.net -i {attribute} {value}
Inverse keys
whois -h whois.afrinic.net -i admin-c,tech-c,zone-c TM125-AFRINIC
or
whois -h whois.afrinic.net -i pn TM125-AFRINIC
whois -h whois.afrinic.net -i mnt-by KARIBU-MNT
whois -h whois.afrinic.net -i org ORG-PIE1-AFRINIC
Non-recursive Lookups: -r
whois -h whois.afrinic.net 80.35.64.82
=> inetnum,person(s)
Fax explaining situation on company letter paper signed: admin-c of mntner or any other authority.
Authentication Methods
1. auth: CRYPT-PW <encrypted password>
2. auth: MD5-PW <encrypted password>
3. auth: PGPKEY-<key ID>
Can use multiple authentication methods & multiple mntners.
There is a web-based tool on the AfriNIC website for generating md5-pw and crypt-pw encrypted passwords for use in maintainer objects ('auth' attribute).
Auth: Attribute
CRYPT-PW (easiest to crack) & MD5-PW : (more secure)
Encrypted password can be created via web interface https://www.afrinic.net/tools/whois_crypt.htm
to update objects, include:
mntner with other auth: line
2: create a key-pair http://www.gnupg.org/
3: create key-cert object (includes public key)
4: modify the mntner to include auth: PGPKEY-<key ID>
Protecting DB Objects
African Network Information centre
password: cleartext_password
MATATU-MNT maintainer for all matatu objects -h whois.afrinic.net MAMU MAMU MD5-PW $1$5Uapud4ydfMWhgo/ afrinic_db_oops@matatu.ao afrinic_changes@gmail.com MATATU-MNT hostmaster@bodaboda.bj 20050401 AFRINIC
auth: CRYPT-PW q5nd!~Sfhk0#a
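An added example (not part of the AfriNIC course material): a small audit of mntner objects that flags the weaker auth: schemes described above. The sample objects and hashes are constructed, and the rule that any single auth: line is enough to authorise an update is assumed from RIPE-style database behaviour.

```python
import re

# Ranking per the slides (CRYPT-PW weakest); PGPKEY on top is this example's choice.
STRENGTH = {"CRYPT-PW": 0, "MD5-PW": 1, "PGPKEY": 2}

# Constructed sample whois output; maintainer names and hashes are made up.
SAMPLE = """\
mntner:  EXAMPLE-A-MNT
auth:    CRYPT-PW XXXXXXXXXXXXX
auth:    PGPKEY-1234ABCD

mntner:  EXAMPLE-B-MNT
auth:    MD5-PW $1$XXXXXXXX$XXXXXXXXXXXXXXXXXXXXXX

person:  Example Person
"""

def parse_objects(text):
    """Split whois output into objects, each a list of (attribute, value)."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = [line.split(":", 1) for line in block.splitlines()
                 if ":" in line and line[0] not in "%#"]
        objects.append([(k.strip().lower(), v.strip()) for k, v in pairs])
    return [obj for obj in objects if obj]

def auth_scheme(value):
    """Classify an auth: value as CRYPT-PW, MD5-PW, PGPKEY or UNKNOWN."""
    token = (value.split() or [""])[0].upper()
    token = "PGPKEY" if token.startswith("PGPKEY-") else token
    return token if token in STRENGTH else "UNKNOWN"

def audit(text):
    """Return {mntner name: (weakest scheme, findings)} for each mntner."""
    report = {}
    for attrs in parse_objects(text):
        if attrs[0][0] != "mntner":
            continue
        schemes = [auth_scheme(v) for k, v in attrs if k == "auth"]
        findings = []
        if "CRYPT-PW" in schemes:
            findings.append("CRYPT-PW in use: replace with MD5-PW or PGPKEY")
        if "PGPKEY" in schemes and len(set(schemes)) > 1:
            findings.append("password auth next to PGPKEY still authorises")
        if not schemes or "UNKNOWN" in schemes:
            findings.append("missing or unrecognised auth: scheme")
        weakest = min(schemes, key=lambda s: STRENGTH.get(s, -1), default=None)
        report[attrs[0][1]] = (weakest, findings)
    return report
```

Run it over the output of an inverse lookup on your own maintainers to see which objects are only as strong as a published password hash.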
Hierarchical Authorisation
mnt-by (mandatory in DB)
protects the object in which it appears and can... authenticate creation / deletion of more specific inetnum, route, domain objects
mnt-lower
mandatory in: allocation inetnum objects
recommended in sub-allocation inetnum objects
authenticates creation of more specific inetnum, domain objects
allocation
sub-allocation
inetnum: 193.27.128/22
status: SUB-ALLOCATED PA
mnt-by: A-MNT
mnt-lower: B-MNT
assignment
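How the mnt-by / mnt-lower rule above plays out when a more specific inetnum is created, as an added example (not AfriNIC's code). It assumes the RIPE-style rule that the closest less specific object decides, with mnt-lower taking precedence over mnt-by; the /22 is the slide's object, while the /19, the /24 and C-MNT are constructed.

```python
import ipaddress

# Registry snapshot: the /22 is the slide's sub-allocation; the /19 and the
# /24 (and C-MNT) are constructed for illustration.
REGISTRY = [
    {"inetnum": "193.27.128.0/19",
     "mnt-by": ["AFRINIC-HM-MNT"], "mnt-lower": ["A-MNT"]},
    {"inetnum": "193.27.128.0/22",
     "mnt-by": ["A-MNT"], "mnt-lower": ["B-MNT"]},
    {"inetnum": "193.27.136.0/24",
     "mnt-by": ["C-MNT"], "mnt-lower": []},
]

def to_range(text):
    """Accept 'a.b.c.d/len' or 'first - last'; return (first, last) as ints."""
    if "-" in text:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("-"))
    else:
        net = ipaddress.IPv4Network(text.strip(), strict=True)
        first, last = net.network_address, net.broadcast_address
    if int(first) > int(last):
        raise ValueError(f"range start after end: {text}")
    return int(first), int(last)

def closest_parent(new_range, registry=REGISTRY):
    """Smallest registered range that strictly contains new_range, or None."""
    lo, hi = to_range(new_range)
    best = None
    for obj in registry:
        p_lo, p_hi = to_range(obj["inetnum"])
        if p_lo <= lo and hi <= p_hi and (p_lo, p_hi) != (lo, hi):
            if best is None or p_hi - p_lo < best[0]:
                best = (p_hi - p_lo, obj)
    return best[1] if best else None

def required_maintainers(new_range, registry=REGISTRY):
    """Return (parent inetnum, maintainers able to authorise the creation)."""
    parent = closest_parent(new_range, registry)
    if parent is None:
        return None, []  # nothing covers the range: not the LIR's to create
    # Assumed rule: mnt-lower decides when present, otherwise mnt-by.
    return parent["inetnum"], parent["mnt-lower"] or parent["mnt-by"]
```

A parent without mnt-lower falls back to its mnt-by, which is why the slide makes mnt-lower mandatory on allocations: it keeps the authority to create more specific objects separate from the authority to change the parent itself.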
DB Update Procedure
Modifying an object:
get exact copy, make changes to it
keep same primary key
add new changed line in chronological order
changed: didier@drogba.ci
Deleting an object:
whois -h test-whois.afrinic.net
Non-production whois database Interface same as real whois DB
Questions?
Membership First!
Fax/Email + Courier/Post the following documents to AfriNIC:
hostmaster@afrinic.net.
Online Membership Application coming soon!
First Allocations
IPv4 First Allocation Request Form
Which includes:
do LIR's records match RS records/DB?
AfriNIC asks for documentation on 3 or more assignments
All renumbered networks returned?
Quality of AFRINIC DB records
Broadband usage verifiable?
PA vs. PI Assignments
Provider Aggregatable
End User addresses out of LIR's allocation
must be returned when changing providers
Can be made with involving AfriNIC
Provider Independent
End User addresses directly from AfriNIC
can be kept when changing providers
Some ISPs may have a policy against routing IP addresses not issued/assigned by the ISP.
Requesting PI Space
Organization must first become a member
organisation object created if successful.
IPv4 End-User Assignment Request Form (PI)
Every PI assignment has to be requested separately.
There will be an evaluation and processing fee for each new End-user assignment. **
Example PI DB Object
inetnum: 194.1.208.0 - 194.1.209.255
netname: ClaudeSports
descr: Claude Sports retail network
descr: Kinshasa, DRC
org: ORG-CS4-AFRINIC
country: CD
admin-c: KANU
tech-c: DIOUF
status: ASSIGNED PI
mnt-by: AFRINIC-HM-MNT
mnt-lower: MAKE-MNT
mnt-domains: MAKELELE-MNT
changed: hostmaster@afrinic.net 20050421
source: AFRINIC
PA Assignments
IPs issued by LIR to customers/end-sites
IPs issued by LIR to own infrastructure: Dial-In pool, ADSL pool, NOC, Staff LAN, etc.
Must be recorded in the whois database
Recommended: 4 or more IPs
Sub-allocations
Sub-allocation: From LIR to ISP
Sub-allocation window: What the LIR can suballocate without AfriNIC's approval (unless 2nd opinion is needed).
If a sub-allocation > Sub-Alloc. Window: IPv4 sub-allocation Request Form
Minimum sub-allocation size: /24
Using Sub-allocations
LIR must register sub-allocation in DB
inetnum object: status: SUB-ALLOCATED PA
use ISP's mntner in mnt-lower/domains, and LIR's mntner in mnt-by
Assignments from sub-allocations: From ISP to itself or to End Users/Customers
contact info in case of trouble overview of usage (*when requesting for more)
DB.
* or else delays in: additional allocation,
* Identified as Bogon address and blocked by ISPs (in case of allocations)
Responsibility of the LIR to register assignments.
Responsibility of the RIR to register allocations and PI assignments.
Questions?
IPv4: in-addr.arpa.
IPv6: ip6.arpa
IANA centrally administers and delegates corresponding reverse zones for all /8s allocated to AfriNIC.
Request Procedure
Who Can Request and What?
Decide what range you want reversed (whole allocation or specific assignments?)
Decide who will be responsible
Yourself
db. The domain object contains info about your zone and the associated name servers.
The appropriate NS lines will be entered into the parent zone file (after about 5 hrs).
Use nslookup or dig or whatever tools to verify setup.
Delegation Sizes
Multiple /24 delegations:
several domain objects can be sent in one e-mail
Shorthand notation for consecutive zones
/16 delegation
</24 delegation:
RFC 2317
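The delegation sizes above, worked through as an added example (not part of the course material): a function that lists the reverse zones to request for a prefix. It goes slightly beyond the slide by also covering ip6.arpa; the RFC 2317 label format `first-address/length` follows the RFC's own example, and other label styles are permitted.

```python
import ipaddress

def reverse_zones(prefix):
    """Return the reverse zone names that together cover `prefix`."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 6:
        # ip6.arpa is delegated on 4-bit (nibble) boundaries, so round the
        # prefix length up and list every nibble-aligned block inside it.
        target = max(4, -(-net.prefixlen // 4) * 4)
        zones = []
        for sub in net.subnets(new_prefix=target):
            digits = sub.network_address.exploded.replace(":", "")
            nibbles = digits[: target // 4]
            zones.append(".".join(reversed(nibbles)) + ".ip6.arpa")
        return zones
    if net.prefixlen > 24:
        # Smaller than a /24 (RFC 2317): a label inside the parent /24 zone;
        # the /24 holder points at it with CNAME records.
        o = net.network_address.packed
        return [f"{o[3]}/{net.prefixlen}.{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"]
    # in-addr.arpa is delegated on octet boundaries: a /17../23 becomes
    # several /24 zones, a /16 is a single zone.
    target = max(8, -(-net.prefixlen // 8) * 8)
    zones = []
    for sub in net.subnets(new_prefix=target):
        octets = str(sub.network_address).split(".")[: target // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones
```

Each returned name corresponds to one domain object; the resulting delegation can then be checked with dig or nslookup as the request procedure describes.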
the requester
correct
auto-dbm@afrinic.net
If problems continue
Questions?
Autonomous System
Definition:
An Autonomous System is a collection of IP networks under the control of a single entity (typically an ISP or other organisation) that adheres to a single and clearly defined routing policy.
IANA allocates AS numbers to RIRs.
RIR assigns AS number to LIRs or to End Users.
Request Template:
address prefix to be announced with this requested ASN, or ticket # of pending IP address request (if applicable)
peering contacts (2 or more: **policy requirement that stipulates a need to be multihomed before requesting an ASN).
aut-num object:
aut-num: org: remarks: remarks: remarks: remarks: remarks: admin-c:
as-name: descr:
NEW AS30999
WEAH Georges
ORG-WEAH77-AFRINIC import: from AS2 action pref=20; accept AS2 import: from AS3 action pref=100; accept ANY import: from AS2 action pref=200; accept ANY AS30999 export: to AS2 announce NEW export: to AS3 announce NEW AS30999 ETOO-AfriNIC
AS#
IPv6
only network/uplink:
"6to4" transition mechanism: V6 addresses derived from existing v4 addresses.
IPv6 has more levels of hierarchy
Another LIR
leased automatically renewed, if criteria still fulfilled Minimum Allocation easier prefix-based filtering
must be LIR / must not be an End Site plan to provide connectivity to aggregated customers
Size: /32
(eg. 10.9% usage for /32) *** This is being proposed to 0.94
IPv6 Assignments
Assignment size - /48 for all (no approval needed)
smaller size:
Multiple /48s for very large End Users
Register every /48 assigned into the whois db
Reverse delegation: ip6.arpa.
inet6num Object
inet6num: 2001:0888::/32
netname: SA-XS4ALL-20050317
descr: Xs4all Internet
org: ORG-XS4A1-AFRINIC
country: ZA
admin-c: XS-AFRINIC
tech-c: XS-AFRINIC
status: ALLOCATED-BY-RIR
mnt-by: AFRINIC-HM-MNT
mnt-lower: XS4ALL-MNT
mnt-domains: XS4ALL-MNT
changed: hostmaster@afrinic.net 20050317
source: AFRINIC
Questions?
<training@afrinic.net>