African Network Information centre
Welcome to the AfriNIC LIR Training
AfriNIC <[email protected]>
AfriNIC - 2005
Introductions
Instructor
Students: full name and nationality; organisation/company; position/title; brief responsibilities; AfriNIC member?; experience with AfriNIC/RIR system
Attendance sheet: please complete and send back to the instructor.
Logistics
Mobile phones off or silent. Toilets? Smoking room? Break, tea and lunch?
Timeline: 09:00 - 13:00 presentation; 14:30 - 15:30 hands-on (where a lab is arranged). Early departures?
Online materials: http://www.afrinic.net/training/index.htm
Computer-based training: see the URL above for download links for the computer-based training CD-ROM.
Handouts: already given out.
Course Objectives:
Membership.
Requesting IP number resources: IPv4 / IPv6 addresses, 2-byte and 4-byte AS numbers.
Interacting with the AfriNIC whois DB: creating, updating and deleting objects (IP number resource registrations, contact info, reverse domains, etc.).
AfriNIC policies & procedures: the Policy Development Process and an overview of current policy proposals under discussion.
Why AfriNIC
Problem:
Lack of co-ordination on IP resource management in Africa.
Inconsistency in address allocation policies.
Poor involvement of African stakeholders in the IP address allocation system.
Policy inappropriate for Africa's Internet environment.
Money is sent out of the continent.
Why AfriNIC
Results:
A common address allocation policy for Africa.
A common environment for discussions on IP resource policy.
Application of the bottom-up process to allow participation from the local community.
Adoption of new policies closer to the continent's realities.
Money stays in Africa to support training and other projects.
What is AfriNIC?
AfriNIC : Independent not-for-profit membership organisation supporting its members and the community
One of 5 Regional Internet Registries (RIR)
[Figure: policy-making process. Global policies and regional policies; Internet coordination bodies: IANA, ICANN, NRO, ASO, supporting organizations, constituencies and advisory bodies; the RIRs AfriNIC, APNIC, ARIN, LACNIC and RIPE NCC (with the RIPE community); the Internet community at large; community*.]
AfriNIC Policy Development Process
AfriNIC, as a self-governed entity based on membership, has developed a Policy Development Process driven by the community.
6 steps:
Subscribe to the policy discussion mailing list: policy-[email protected]
Propose changes or new policies on the mailing list
PDP modification proposal**
Global IP Allocation Hierarchy
[Figure: global IP allocation hierarchy; the 41/8 block is shown as the example.]
Recent/Coming Activities
5th public policy meeting held in Mauritius: Dec 2006
6th public policy meeting held in Abuja: May 2007
Several policy proposals; IPv6 and LIR hands-on training and workshop.
Next meeting is scheduled for September 2007 in Durban, South Africa: LIR training (IPv6 TBC).
AfriNIC services
Member services: registration of IPv4 addresses, IPv6 addresses, AS numbers and reverse delegation.
Public services: AFRINIC DB maintenance; coordination & liaison; meetings.
Courses: information tools and utilities; LIR courses; IPv6 training.
Contacts
Headquarters: AfriNIC Ltd., 3rd Floor, Cyber Tower, Cyber City, Ebene, Mauritius
Phone: +230 466 6616
Fax: +230 466 6758
Hostmaster: [email protected]
Billing: [email protected]
DB-help: [email protected]
Training: [email protected]
Questions?
Introduction
RIR-specific terminology
The whois database
IP Address Space
Address space is not property.
Leased: automatically renewed if the criteria are still fulfilled.
Recovered by AfriNIC if the criteria are not fulfilled, e.g. non-payment of membership fees, not used anymore, policy violation, court orders, etc.
Allocation: address space issued by AfriNIC to an LIR. The LIR can further issue IP addresses to end sites/customers from an allocation.
Sub-allocation: address space from the LIR's allocation, set apart by the LIR for issuing to downstream ISPs/resellers; made from an allocation.
Assignment: address space in use in networks; made from an allocation or a sub-allocation.
[Figure: allocation > sub-allocation > assignments]
Classless Addressing
Classful: 3 fixed network sizes (A, B, C). Problem: waste of addresses.
Solution: Classless Inter-Domain Routing (CIDR): flexible allocation / assignment sizes and hierarchical distribution.
Always make classless assignments: /23, /25 or /27 etc., not always /24.
The Whois Database Intro.
Description; DB queries; creating contact objects
AfriNIC WHOIS Database Intro
A public network management database.
Software: maintained and updated by AfriNIC; originally developed by RIPE NCC.
Data: from LIRs, end users and AfriNIC.
Test whois database for practice: online at test-whois.afrinic.net, port 43.
Object Types
IP address space: inetnum, inet6num
Reverse delegation: domain
Routing: aut-num
Organisation: organisation
Contact details: person, role
Data protection: mntner, key-cert
Documents: AFRINIC DB User Manual: Getting Started; AFRINIC Database Reference Manual.
Basic Queries
Use a whois client:
whois -h whois.afrinic.net
or the web interface: http://www.afrinic.net/cgi-bin/whois
** No known command-line whois client for Microsoft Windows. Command-line whois clients are usually found on Unix/Unix-like systems and Linux. Download a CLI whois client from SourceForge, Freshmeat, etc. There may be some commercial Windows whois clients.
Creating a Person Object
Query the whois server for an object template:
whois -h whois.afrinic.net -t person
And for a verbose output:
whois -h whois.afrinic.net -v person
Complete in plain text and e-mail to <[email protected]>
whois -h whois.afrinic.net -t person

attributes   values
person:      [mandatory]  [single]    [lookup key]
address:     [mandatory]  [multiple]  [ ]
phone:       [mandatory]  [multiple]  [ ]
fax-no:      [optional]   [multiple]  [ ]
e-mail:      [optional]   [multiple]  [lookup key]
org:         [optional]   [single]    [inverse key]
nic-hdl:     [mandatory]  [single]    [primary/look-up key]
remarks:     [optional]   [multiple]  [ ]
notify:      [optional]   [multiple]  [inverse key]
mnt-by:      [optional]   [multiple]  [inverse key]
changed:     [mandatory]  [multiple]  [ ]
source:      [mandatory]  [single]    [ ]
nic-hdl
Unique identifier for person and role objects. Format: <initials>[number]-<database>, e.g. PB1-AFRINIC.
Use AUTO-1 when creating new objects to auto-generate a handle.
Submitted:
person: Pius Bog
nic-hdl: AUTO-1
role: NOC Team
nic-hdl: AUTO-1
Stored (handles generated by the DB):
person: Pius Bog
nic-hdl: PB123-AFRINIC
role: NOC Team
nic-hdl: NT1-AFRINIC
Database Responses
Successful update: object accepted (or no object found).
Errors: object NOT accepted; read the error report, correct and re-send. Send questions to <[email protected]>; include the complete error report and the original e-mail to the DB.
Role Objects
Can contain several person objects for a defined role. For example:
role: ISP-X NOC Contacts
admin-c: ABC1-AFRINIC
admin-c: DEF1-AFRINIC
tech-c: GHI1-AFRINIC
nic-hdl: INC1-AFRINIC
Advisable to use role instead of person objects: easier to update multiple objects when contacts change, since only the role object needs to be modified (admin-c/tech-c).
Querying Address Ranges
Standard IPv4 look-ups by:
IP address
IP range: two IP addresses (a - b)
IP address and prefix size (a.b.c.d/nn)
netname
Exact match by default; the smallest less specific object is returned if there is no exact match.
whois -h whois.afrinic.net -x [IP range]: exact match only; if there is no matching object, nothing is returned.
Hierarchical Queries
whois -h whois.afrinic.net -M 80.35.64.0/19 (all more specifics)
whois -h whois.afrinic.net -m 80.35.64.0/19 (first sub-level only)

80.35.64.0 - 80.35.95.255
  80.35.64.0 - 80.35.65.191  MARIBU
  80.35.80/25                TAIWO
  80.35.88/26                CHATHA
  80.35.92/29                CHATHA-2
  80.35.92.8/29              CHATHA-8
  ...

whois -h whois.afrinic.net -L 80.35.92.10 (all less specifics)
whois -h whois.afrinic.net -l 80.35.92.10 (smallest less specific only)
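Added example (not part of the training deck and not AfriNIC's whois server): an offline Python model of the exact, less-specific (-l/-L) and more-specific (-m/-M) look-ups above, run over a constructed set of inetnum ranges named after the slide; the CHATHA-SUB range is an assumption added so that -m and -M give different answers.

```python
import ipaddress

# Constructed sample inetnum objects (netnames follow the slide; the
# CHATHA-SUB range is added so that -m and -M give different answers).
SAMPLE_INETNUMS = {
    "80.35.64.0 - 80.35.95.255": "KARIBU-ALLOC",
    "80.35.64.0 - 80.35.65.191": "MARIBU",
    "80.35.80.0/25": "TAIWO",
    "80.35.88.0/26": "CHATHA",
    "80.35.92.0/28": "CHATHA-SUB",
    "80.35.92.0/29": "CHATHA-2",
    "80.35.92.8/29": "CHATHA-8",
}


def parse_range(text):
    """Accept 'a.b.c.d', 'a.b.c.d - w.x.y.z' or 'a.b.c.d/len'; return (first, last) ints."""
    text = text.strip()
    if "-" in text:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-"))
    elif "/" in text:
        net = ipaddress.IPv4Network(text, strict=False)
        lo, hi = net[0], net[-1]
    else:
        lo = hi = ipaddress.IPv4Address(text)
    if lo > hi:
        raise ValueError(f"range start is after its end: {text}")
    return int(lo), int(hi)


DB = [(parse_range(key), name) for key, name in SAMPLE_INETNUMS.items()]


def _contains(outer, inner):
    return outer[0] <= inner[0] and outer[1] >= inner[1]


def lookup(query, flag=""):
    """Netnames a query returns: '' (exact, else smallest less specific),
    '-l' (smallest less specific), '-L' (all less specifics plus exact),
    '-m' (first-level more specifics), '-M' (all more specifics)."""
    q = parse_range(query)
    exact = [name for rng, name in DB if rng == q]
    # less specifics, largest range first (the order the server prints them)
    less = sorted(((rng, name) for rng, name in DB if rng != q and _contains(rng, q)),
                  key=lambda item: item[0][1] - item[0][0], reverse=True)
    more = [(rng, name) for rng, name in DB if rng != q and _contains(q, rng)]
    if flag == "":
        return exact or ([less[-1][1]] if less else [])
    if flag == "-l":
        return [less[-1][1]] if less else []
    if flag == "-L":
        return [name for _, name in less] + exact
    if flag == "-M":
        return [name for _, name in more]
    if flag == "-m":
        # keep only more specifics that are not nested inside another more specific
        return [name for rng, name in more
                if not any(other != rng and _contains(other, rng) for other, _ in more)]
    raise ValueError(f"unsupported flag {flag!r}")
```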
Inverse Lookups: -i
To find all objects that contain references to other objects:
whois -h whois.afrinic.net -i {attribute} {value}
Inverse keys: mnt-by, mnt-lower, admin-c, etc.
whois -h whois.afrinic.net -i tech-c TM125-AFRINIC
whois -h whois.afrinic.net -i admin-c,tech-c,zone-c TM125-AFRINIC
or whois -h whois.afrinic.net -i pn TM125-AFRINIC
whois -h whois.afrinic.net -i mnt-by KARIBU-MNT
whois -h whois.afrinic.net -i org ORG-PIE1-AFRINIC
Non-recursive Lookups: -r
whois -h whois.afrinic.net 80.35.64.82
=> inetnum, person(s)
whois -h whois.afrinic.net -r 80.35.64.82
=> inetnum
whois -h whois.afrinic.net -T inetnum 80.35.64.82
=> inetnum, person(s)
whois -h whois.afrinic.net -r -T inetnum 80.35.64.82
=> inetnum
Use -r to prevent being blocked for too many person object queries, as the DB has limits!
Using mntner Objects
mntner: protects objects in the DB (via mnt-by).
Creating a mntner: fill out the template (whois -h whois.afrinic.net -t mntner) and send it to <[email protected]>.
Forgot/lost authentication (password, PGP key)? Send a fax to AfriNIC to modify the authentication: a fax explaining the situation, on company letter paper, signed by the admin-c of the mntner or any other authority.
Inverse: whois -h whois.afrinic.net -i mnt-by XYZ-MNT finds all objects that are maintained by (mnt-by:) that mntner.
Authentication Methods
1. auth: CRYPT-PW <encrypted password>
2. auth: MD5-PW <encrypted password>
3. auth: PGPKEY-<key ID>
Can use multiple authentication methods and multiple mntners.
There is a web-based tool on the AfriNIC website for generating MD5-PW and CRYPT-PW encrypted passwords for use in maintainer objects ('auth' attribute).
Auth: Attribute
CRYPT-PW (easiest to crack) and MD5-PW (more secure): the encrypted password can be created via the web interface https://www.afrinic.net/tools/whois_crypt.htm. To update objects, include:
password: <cleartext password>
PGP: safer, but much more complex.
1: create the mntner with another auth: line
2: create a key pair (http://www.gnupg.org/)
3: create a key-cert object (includes the public key)
4: modify the mntner to include auth: PGPKEY-<key ID>
To update objects, include a PGP signature.
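Added example (not AfriNIC's web tool or database code): how an MD5-PW auth: value is produced and how a password: line in an e-mail update is checked against it, using the md5-crypt ($1$) scheme that MD5-PW carries; the salt 5Uapud4y and the passwords used are constructed for this example.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """md5-crypt's own base64 variant: low 6 bits first, no padding."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password, salt):
    """md5-crypt ($1$) as used for MD5-PW; the salt is at most 8 characters."""
    pw, salt = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for n in range(len(pw), 0, -16):          # one alt byte per password byte
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                                   # bit pattern of the length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                      # 1000-round stretching loop
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    triples = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in triples) + _to64(final[11], 2)
    return f"$1${salt.decode()}${encoded}"


def make_auth_value(password, salt=None):
    """Value for the mntner's 'auth:' attribute; a random salt is drawn if none is given."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return "MD5-PW " + md5_crypt(password, salt)


def password_matches_auth(cleartext, auth_value):
    """Check one 'password:' line of an update against one 'auth:' value."""
    scheme, _, stored = auth_value.partition(" ")
    if scheme != "MD5-PW" or not stored.startswith("$1$"):
        return False                  # CRYPT-PW and PGPKEY are checked by other code
    salt = stored.split("$")[2]
    return hmac.compare_digest(md5_crypt(cleartext, salt), stored)


def update_authorised(auth_values, update_passwords):
    """An e-mail update passes if any password: line satisfies any auth: line."""
    return any(password_matches_auth(p, a) for p in update_passwords for a in auth_values)
```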
Protecting DB Objects
Unprotected person object:
person: Mario Murillo
...
nic-hdl: MAMU
...

Person object protected by MATATU-MNT:
person: Mario Murillo
...
nic-hdl: MAMU
...
mnt-by: MATATU-MNT

The mntner (template: whois -h whois.afrinic.net -t mntner):
mntner: MATATU-MNT
descr: maintainer for all matatu objects
admin-c: MAMU
tech-c: MAMU
auth: MD5-PW $1$5Uapud4ydfMWhgo/        (encrypted password)
upd-to: [email protected]             (notified if an update fails)
mnt-nfy: [email protected]            (notified if an update is successful)
mnt-by: MATATU-MNT
changed: [email protected] 20050401
source: AFRINIC

Alternative auth line: auth: CRYPT-PW q5nd!~Sfhk0#a
Include the authentication of the mntner in the e-mail if updating the object via e-mail:
password: cleartext_password
Hierarchical Authorisation
mnt-by (mandatory in the DB): protects the object in which it appears and can also authenticate creation / deletion of more specific inetnum, route and domain objects.
mnt-lower (optional in the inetnum template): mandatory in allocation inetnum objects, recommended in sub-allocation inetnum objects; authenticates creation of more specific inetnum and domain objects.
mnt-domains (optional in the inetnum template): optional for allocation and PI inetnum objects, recommended in inetnum objects; authenticates creation of domain objects.
More Hierarchical Authorisation
Allocation:
inetnum: 193.27/16
status: ALLOCATED PA
mnt-by: AFRINIC-HM-MNT
mnt-lower: A-MNT
Sub-allocation:
inetnum: 193.27.128/22
status: SUB-ALLOCATED PA
mnt-by: A-MNT
mnt-lower: B-MNT
Assignment:
inetnum: 193.27.130/24
status: ASSIGNED PA
mnt-by: B-MNT
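Added example (not AfriNIC's database code): which mntner must authenticate a given update under the mnt-by / mnt-lower / mnt-domains rules, worked on the 193.27/16 objects above. The precedence mnt-domains, then mnt-lower, then mnt-by for domain creation, and the DNS-MNT mnt-domains line on the sub-allocation, are assumptions made here.

```python
import ipaddress

# Constructed objects modelled on the slide's 193.27/16 hierarchy; the
# mnt-domains line on the sub-allocation is added here to show its precedence.
SAMPLE_OBJECTS = [
    {"inetnum": "193.27.0.0/16", "status": "ALLOCATED PA",
     "mnt-by": ["AFRINIC-HM-MNT"], "mnt-lower": ["A-MNT"]},
    {"inetnum": "193.27.128.0/22", "status": "SUB-ALLOCATED PA",
     "mnt-by": ["A-MNT"], "mnt-lower": ["B-MNT"], "mnt-domains": ["DNS-MNT"]},
    {"inetnum": "193.27.130.0/24", "status": "ASSIGNED PA", "mnt-by": ["B-MNT"]},
]


def covering_inetnum(objects, prefix, include_exact):
    """Smallest inetnum containing prefix (an exact match counts only if include_exact)."""
    net = ipaddress.IPv4Network(prefix)
    best = None
    for obj in objects:
        onet = ipaddress.IPv4Network(obj["inetnum"])
        if onet == net and not include_exact:
            continue
        if net.subnet_of(onet) and (best is None or onet.prefixlen > best[0].prefixlen):
            best = (onet, obj)
    return best[1] if best else None


def required_mntners(objects, prefix, operation):
    """mntners, any one of which may authorise the update.
    operation: 'create-inetnum', 'create-domain', 'modify' or 'delete'."""
    if operation in ("modify", "delete"):
        own = covering_inetnum(objects, prefix, include_exact=True)
        if own is None or ipaddress.IPv4Network(own["inetnum"]) != ipaddress.IPv4Network(prefix):
            raise LookupError(f"no inetnum {prefix} to {operation}")
        return own["mnt-by"]                       # the object's own protection
    if operation == "create-inetnum":
        parent = covering_inetnum(objects, prefix, include_exact=False)
        order = ("mnt-lower", "mnt-by")
    elif operation == "create-domain":
        parent = covering_inetnum(objects, prefix, include_exact=True)
        order = ("mnt-domains", "mnt-lower", "mnt-by")
    else:
        raise ValueError(f"unknown operation {operation!r}")
    if parent is None:
        raise LookupError(f"no less specific inetnum covers {prefix}")
    for attr in order:                             # first attribute present wins
        if parent.get(attr):
            return parent[attr]
    raise LookupError("covering object carries no maintainer")  # mnt-by is mandatory


def update_authorised(objects, prefix, operation, authenticated_as):
    """True if the update authenticated (password/PGP) as one of the required mntners."""
    return bool(set(required_mntners(objects, prefix, operation)) & set(authenticated_as))
```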
DB Update Procedure
Modifying an object: get an exact copy, make the changes to it, keep the same primary key and add a new changed line in chronological order:
changed: [email protected]
Deleting an object: add a delete line to the exact copy (with some explanation):
delete: [email protected] overlapping inetnum
Subject: DELETE does not delete the object!
In both cases: include authentication (e.g. password).
whois -h test-whois.afrinic.net
Non-production whois database; the interface is the same as the real whois DB: syntax check + error reports.
[email protected]
nic-hdl: AUTO1-TEST
source: TEST
referral-by: TEST-DBM-MNT
mnt-by: TEST-DB-MNT (only for allocations)
For testing: authorisation schemes, scripts, etc.
Questions?
First IPv4 Allocation
Membership First!
Fax/e-mail + courier/post the following documents to AfriNIC: RSA (Registration Services Agreement) and Membership Form (all on www.afrinic.net).
E-mail [email protected] for follow-up.
E-mail the Address Space Request Template to [email protected].
Online membership application coming soon!
First Allocations
IPv4 First Allocation Request Form, which includes the LIR First PA Assignment Request Form.
Must show efficient utilization of IP addresses in the addressing plan template.
Minimum allocation size: /22.
Slow-start mechanism for first allocations.
First allocation template
For the 1st allocation template please see www.afrinic.net/documents.htm
* Requesting via online forms will be available soon.
Additional IPv4 Allocation
Evaluation of Allocation Request
Previous allocation used up ~80%? (status: ASSIGNED PA or SUB-ALLOCATED PA)
Do the LIR's records match the RS records/DB? AfriNIC asks for documentation on 3 or more assignments.
All renumbered networks returned?
Quality of AFRINIC DB records.
Broadband usage verifiable?
Making New Allocations
If inconsistencies are found, the LIR corrects its data before receiving a new allocation. When the data is corrected, AfriNIC allocates a new block to the LIR and updates the DB.
Allocation inetnum Object
inetnum: 80.35.64.0 - 80.35.127.255
netname: EG-NILEONLINE-20050401
org: ORG-NILE32-AFRINIC
country: EG
admin-c: NILE-AFRINIC
tech-c: NILE-AFRINIC
status: ALLOCATED PA
notify: [email protected]
mnt-by: AFRINIC-HM-MNT
mnt-lower: NILE-MNT
changed: [email protected] 20040503
source: AFRINIC
End-User /PI Requests
PA vs. PI Assignments
Provider Aggregatable (PA): end-user addresses out of the LIR's allocation; must be returned when changing providers; can be made without involving AfriNIC.
Provider Independent (PI): end-user addresses directly from AfriNIC; can be kept when changing providers.
Routability of PI addresses is not the RIR's responsibility: some ISPs may have a policy against routing IP addresses not issued/assigned by the ISP.
Requesting PI Space
The organization must first become a member; an organisation object is created if successful.
IPv4 End-User Assignment Request Form (PI). Every PI assignment has to be requested separately.
There will be an evaluation and processing fee for each new end-user assignment. **
After the PI Assignment Approval
AfriNIC will assign a PI block and create the assignment object in the DB.
The PI holder must not assign further.
The upstream usually assists the PI holder with reverse DNS and the route object.
Example PI DB Object
inetnum: 194.1.208.0 - 194.1.209.255
netname: ClaudeSports
descr: Claude Sports retail network
descr: Kinshasa, DRC
org: ORG-CS4-AFRINIC
country: CD
admin-c: KANU
tech-c: DIOUF
status: ASSIGNED PI
mnt-by: AFRINIC-HM-MNT
mnt-lower: MAKE-MNT
mnt-domains: MAKELELE-MNT
changed: [email protected] 20050421
source: AFRINIC
PA Assignments
IPs issued by the LIR to customers/end sites.
IPs issued by the LIR to its own infrastructure: dial-in pool, ADSL pool, NOC, staff LAN, etc.
Must be recorded in the whois database. Recommended: 4 or more IPs.
A pool of dynamically assigned IPs can be recorded as one range of IPs.
80% utilization is needed before requesting more IPs from AfriNIC.
Assignment inetnum object
inetnum: 196.0.80.0 - 196.0.80.127
netname: JAMBO-NET
descr: KaribuWeb customer
country: KE
org: ORG-JA123-AFRINIC
admin-c: AB231-AFRINIC
tech-c: JJ125-AFRINIC
status: ASSIGNED PA
mnt-by: Karibuweb-MNT
mnt-lower: Karibuweb-MNT
mnt-domains: Jambo-MNT
changed: [email protected] 20050411
source: AFRINIC
Sub-allocations
Sub-allocation: from the LIR to an ISP.
Sub-allocation window: what the LIR can sub-allocate without AfriNIC's approval (unless a 2nd opinion is needed). If a sub-allocation is larger than the sub-allocation window: IPv4 Sub-allocation Request Form.
Minimum sub-allocation size: /24.
Using Sub-allocations
The LIR must register the sub-allocation in the DB.
The LIR has final responsibility for the whole sub-allocation (mntners).
inetnum object: status: SUB-ALLOCATED PA; use the ISP's mntner in mnt-lower/mnt-domains and the LIR's mntner in mnt-by.
Assignments from sub-allocations: from the ISP to itself or to end users/customers.
Why Register IPs in the DB?
Contact info in case of trouble; overview of usage (*when requesting more).
Address space is considered in use only if registered in the DB.
* Or else delays in additional allocation; * identified as bogon address space and blocked by ISPs (in the case of allocations).
Responsibility of the LIR to register assignments. Responsibility of the RIR to register allocations and PI assignments.
Questions?
Reverse Delegation Procedure
What is Reverse Delegation?
The DNS provides forward (name-to-number) and reverse (number-to-name) resolution.
Reverse delegation allows applications to map a domain name from an IP address. Achieved by use of special domain names:
IPv4: in-addr.arpa.
IPv6: ip6.arpa.
IANA centrally administers and delegates the corresponding reverse zones for all /8s allocated to AfriNIC.
Why Do You Need Reverse?
All host-to-IP mappings in the DNS (A records) should have a corresponding IP-to-host mapping (PTR record).
Otherwise users are blocked from various services (FTP, mail, IRC, etc.).
Request Procedure
Who can request, and what? Decide what range you want reversed (the whole allocation or specific assignments?).
Decide who will be responsible: yourself (LIR)? End user/customer?
How to set up Reverse Delegation
First, set up the zones (on your name servers)! Then create domain objects in the AfriNIC whois DB. The domain object contains info about your zone and the associated name servers.
Possible domain boundaries: /24, /16 (multiples of course possible*).
(IPv6: /32, /36)
Example domain Object
Template: whois -h whois.afrinic.net -t domain

domain: 32.3.196.in-addr.arpa
descr: Reverse delegation for Karibu's Customer
descr: Jambo Internet Services Ltd.
admin-c: JJ231-AFRINIC
tech-c: SULU-AFRINIC
zone-c: WF2121-AFRINIC
nserver: ns.karibu.ke
nserver: ns2.mtn.za
mnt-by: KARIBU-MNT
changed: [email protected] 20050417
source: AFRINIC
Steps Performed by the System
Checking DB syntax.
Checking authentication (passwords): mnt-domains/mnt-lower in the inetnum.
Checking if the name server setup is correct: delegation checker (web UI on the AfriNIC Tools website).
The appropriate NS lines will be entered into the parent zone file (after about 5 hrs).
Use nslookup, dig or whatever tools to verify the setup.
Domain object in the DB = successful reverse delegation.
Delegation Sizes
Multiple /24 delegations: several domain objects can be sent in one e-mail; shorthand notation for consecutive zones.
/16 delegation.
Smaller than /24 delegation: the whole /24 is delegated to the LIR; you use CNAMEs to direct to the extra domain (RFC 2317).
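Added example (not the deck's own code): deriving the domain object names for a block on a /16, /24 or IPv6 nibble boundary, and the RFC 2317 records the /24 holder publishes so a customer with less than a /24 can run its own reverse zone; the ranges and the name server used are constructed.

```python
import ipaddress


def reverse_zone_name(network):
    """Zone apex for an IPv4 block on an octet boundary or an IPv6 block on a nibble boundary."""
    if network.version == 4:
        if network.prefixlen % 8:
            raise ValueError("IPv4 reverse zones sit on octet boundaries; see rfc2317_delegation")
        octets = str(network.network_address).split(".")[: network.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if network.prefixlen % 4:
        raise ValueError("IPv6 reverse zones sit on 4-bit (nibble) boundaries")
    nibbles = network.network_address.exploded.replace(":", "")[: network.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def domain_objects_for(prefix):
    """Zone names to register as domain objects for an allocation or assignment."""
    net = ipaddress.ip_network(prefix)          # strict: host bits must be zero
    if net.version == 6:
        return [reverse_zone_name(net)]
    if net.prefixlen > 24:
        raise ValueError("smaller than a /24: delegate with RFC 2317 CNAMEs instead")
    unit = 16 if net.prefixlen <= 16 else 24    # one domain object per /16 or per /24
    return [reverse_zone_name(sub) for sub in net.subnets(new_prefix=unit)]


def rfc2317_delegation(prefix, child_nameservers):
    """Records the /24 holder publishes for a customer block longer than /24.
    Returns (child zone name, zone-file lines for the parent /24 zone)."""
    net = ipaddress.IPv4Network(prefix)
    if net.prefixlen <= 24:
        raise ValueError("RFC 2317 is for IPv4 blocks longer than /24")
    parent_zone = reverse_zone_name(net.supernet(new_prefix=24))
    first, last = int(net[0]) & 0xFF, int(net[-1]) & 0xFF
    child_zone = f"{first}-{last}.{parent_zone}"        # e.g. 0-127.80.0.196.in-addr.arpa
    lines = [f"{child_zone}. IN NS {ns}." for ns in child_nameservers]
    # one CNAME per address points the parent's PTR name into the customer's zone
    lines += [f"{host}.{parent_zone}. IN CNAME {host}.{child_zone}."
              for host in range(first, last + 1)]
    return child_zone, lines
```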
Problems with Reverse ?
Database and DNS diagnostics are sent to the requester: correct the errors and re-send to [email protected]
If problems continue
Questions?
Autonomous System Numbers
Autonomous System
Definition: a unique number that defines an Autonomous System on the Internet.
An Autonomous System is a collection of IP networks under the control of a single entity, typically ISPs (or other organisations), that adheres to a single and clearly defined routing policy.
IANA allocates AS numbers to RIRs; the RIR assigns AS numbers to LIRs or to end users.
2-byte, e.g. AS34567; 4-byte, e.g. AS5.234 (nomenclature agreed by the IESG).
How to Get an AS Number ?
Autonomous System (AS) Number Request Template:
address prefix to be announced with this requested ASN, or ticket # of the pending IP address request (if applicable)
peering contacts (2 or more: **policy requirement that stipulates a need to be multihomed before requesting an ASN).
aut-num object:
aut-num: AS30999
as-name: NEW
descr: WEAH Georges
org: ORG-WEAH77-AFRINIC
remarks: import: from AS2 action pref=20; accept AS2
remarks: import: from AS3 action pref=100; accept ANY
remarks: import: from AS2 action pref=200; accept ANY
remarks: export: to AS2 announce AS30999
remarks: export: to AS3 announce AS30999
admin-c: ETOO-AfriNIC
tech-c: HADJI-AfriNIC
mnt-by: AFRINIC-HM-MNT
changed: [email protected] 20050229
source: AFRINIC
Internet Routing Registry
Globally distributed DB with routing data. The AfriNIC DB does NOT have an IRR component.
Create the route object in the RIPE NCC DB, using mnt-by: RIPE-NCC-RPSL-MNT ** (unsafe!) with password=RPSL.
Create a maintainer object in the RIPE DB for use along with the RIPE NCC's generic maintainer! Else, someone else can delete or modify your data!
IPv6
Get IPv6 Addresses From:
RIR
Another LIR
Tunnel broker
Use of the 2002: prefix on an IPv4-only network/uplink: the "6to4" transition mechanism; v6 addresses are derived from existing v4 addresses. IPv6 has more levels of hierarchy.
Common IPv6 Policy Principles
Address space is not property: leased, automatically renewed if the criteria are still fulfilled.
Minimum allocation: easier prefix-based filtering.
Different priority of goals: aggregation rather than conservation; minimise administration.
First IPv6 Allocation
Criteria: must be an LIR / must not be an end site; plan to provide connectivity to aggregated customers.
Size: /32 (bigger if justified); IPv4 infrastructure and users are considered.
IPv6 First Allocation Template.
Subsequent allocation: HD ratio > 0.8 *** (e.g. 10.9% usage for a /32).
*** This is being proposed to change to 0.94.
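Added example (not the deck's own code): the HD ratio arithmetic behind the 0.8 threshold, showing where the 10.9% figure for a /32 comes from, with the proposed 0.94 worked the same way; the counting unit of /48 assignments is an assumption taken from the assignment rules of this deck.

```python
import math


def units_in(alloc_prefixlen, unit_prefixlen=48):
    """Number of assignment units (default /48s) in an allocation of the given length."""
    if unit_prefixlen <= alloc_prefixlen:
        raise ValueError("the unit must be longer than the allocation prefix")
    return 2 ** (unit_prefixlen - alloc_prefixlen)


def hd_ratio(used_units, total_units):
    """Host-Density ratio: log(used) / log(total)."""
    if used_units < 1 or used_units > total_units:
        raise ValueError("used units must lie between 1 and the total")
    return math.log(used_units) / math.log(total_units)


def threshold(alloc_prefixlen, ratio):
    """(units that must be assigned, utilisation fraction) to reach a given HD ratio."""
    total = units_in(alloc_prefixlen)
    needed = math.ceil(total ** ratio)    # invert log(used)/log(total) = ratio
    return needed, needed / total


def qualifies_for_subsequent(alloc_prefixlen, used_48s, ratio=0.8):
    """The test on the slide: HD ratio of the current allocation above the threshold."""
    return hd_ratio(used_48s, units_in(alloc_prefixlen)) > ratio
```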
IPv6 Assignments
Assignment size: /48 for all (no approval needed).
Smaller sizes: /64 for just one subnet; /128 for just one device.
Assignment to the operator's infrastructure: /48 per PoP or in-house operations.
Multiple /48s for very large end users.
Register every /48 assigned in the whois DB.
Reverse delegation: ip6.arpa.
inet6num Object
inet6num: 2001:0888::/32
netname: SA-XS4ALL-20050317
descr: Xs4all Internet
org: ORG-XS4A1-AFRINIC
country: ZA
admin-c: XS-AFRINIC
tech-c: XS-AFRINIC
status: ALLOCATED-BY-RIR
mnt-by: AFRINIC-HM-MNT
mnt-lower: XS4ALL-MNT
mnt-domains: XS4ALL-MNT
changed: [email protected] 20050317
source: AFRINIC
Questions?
Comments? Suggestions? Feedback? <[email protected]>