1 / 34

RIPE whois Database

RIPE whois Database. RIPE Network Coordination Centre <BECHA@ripe.net>. Schedule. intro basic DB queries creating person/role object creating network object advanced DB queries protecting objects updating objects exercises / examples. RIPE Database Intro.

karina-duran
Download Presentation

RIPE whois Database

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. RIPE whois Database RIPE Network Coordination Centre <BECHA@ripe.net>

  2. Schedule • intro • basic DB queries • creating person/role object • creating network object • advanced DB queries • protecting objects • updating objects • exercises / examples

  3. RIPE Database Intro • Public Network Management Database • Software Management • RIPE NCC • requirements by RIPE community (db-wg@ripe.net) • download from ftp://ftp.ripe.net/ • Data Management • LIRs, other users • RIPE NCC • Information content not responsibility of RIPE NCC • Exchange of knowledge • <db-help@ripe.net> • Transition to RPSL

  4. New! Object Types • Information about: objects: IP address space inetnum, inet6num reverse domains domain routing policies route, aut-num, etc contact details person, role, mntner • Server whois.ripe.net • UNIX client (command line queries) • http://www.ripe.net/db/ • The most important documents • Representation of IP Routing Policies in a Routing Registry (ripe-181) • RIPE NCC Database Reference Manual(ripe-223)

  5. Basic Queries • Whois (client, web interface) • searches only look-up keys • returns exact match • Look-up keys - usually the object name • person, role: name, email, nic-hdl • inetnum: address (or range), netname • Glimpse - full text search • e.g. searching for address space based on the postal address or the name of the organisation Examples

  6. Creating person Object • Check if person object exists in RIPE DB • only one object per person • Obtain and complete a template • whois -t person • whois -v person (verbose) • Send to <auto-dbm@ripe.net> • Each person and role object has a unique nic-hdl

  7. whois -t person person: [mandatory] [single] [lookup key] address: [mandatory] [multiple] [ ] phone: [mandatory] [multiple] [ ] fax-no: [optional] [multiple] [ ] e-mail: [optional] [multiple] [lookup key] nic-hdl: [mandatory] [single] [primary/look-up key] remarks: [optional] [multiple] [ ] notify: [optional] [multiple] [inverse key] mnt-by: [optional] [multiple] [inverse key] changed: [mandatory] [multiple] [ ] source: [mandatory] [single] [ ]

  8. whois -t role role: [mandatory] [single] [lookup key] address: [mandatory] [multiple] [ ] phone: [optional] [multiple] [ ] fax-no: [optional] [multiple] [ ] e-mail: [mandatory] [multiple] [lookup key] trouble: [optional] [multiple] [ ] admin-c: [mandatory] [multiple] [inverse key] tech-c: [mandatory] [multiple] [inverse key] nic-hdl: [mandatory] [single] [primary/look-up key] remarks: [optional] [multiple] [ ] notify: [optional] [multiple] [inverse key] mnt-by: [optional] [multiple] [inverse key] changed: [mandatory] [multiple] [ ] source: [mandatory] [single] [ ]

  9. nic-hdl • Unique identifier for person and role objects • primary key for person and role objects • Format: <initials>[number]-<database> • e.g. CD567-RIPE, JFK11-RIPE • Used in all attributes where contact info is needed • Use “AUTO-#” placeholders person: Piet Bakker ... nic-hdl: AUTO-1 PB1234-RIPE role: Technical BlueLight Staff ... nic-hdl: AUTO-#initials AUTO-2BL BL112-RIPE

  10. Database Robot Responses<auto-dbm@ripe.net> • Successful update • acknowledgement • Warnings • object accepted but might be ambiguous • object corrected and accepted • Errors • object NOT corrected and NOT accepted • diagnostics in acknowledgement • If not clear send questions to <ripe-dbm@ripe.net> • include error report and the original message

  11. Creating Network Objects • AW=0 or AW<request_size • take the “network template” from the approved request • otherwise • whois -t inetnum • Send to <auto-dbm@ripe.net> • with (only) the keyword NEW in the subject line • to avoid over-writing the existing objects (address range is the primary key for inetnum)

  12. whois -t inetnum inetnum: [mandatory] [single] [primary/look-up key] netname: [mandatory] [single] [lookup key] descr: [mandatory] [multiple][ ] country: [mandatory] [multiple][ ] admin-c: [mandatory] [multiple][inverse key] tech-c: [mandatory] [multiple][inverse key] rev-srv: [optional] [multiple][inverse key] status: [mandatory] [single] [ ] remarks: [optional] [multiple][ ] notify: [optional] [multiple][inverse key] mnt-by: [mandatory] [multiple][inverse key] mnt-lower: [optional] [multiple][inverse key] mnt-routes: [optional] [multiple][inverse key] changed: [mandatory] [multiple][ ] source: [mandatory] [single] [ ]

  13. Pay Attention to... • Insert the address range • in the ‘network template’ from the approved request form • Keep the same netname attribute as approved • Create person or role objects in advance • admin-c: on site; client’s MD • tech-c: LIR or consultant • Status: ASSIGNED PA • In the changed attribute leave out the date • DB will add the current date • Protection is mandatory • recommended: include mnt-lower and mnt-routes

  14. New in RPSL! Changes with RPSL • Objects format - stricter syntax checks!!! • line continuation (white space or “+” sign) • attribute order is relevant and preserved • support for end of line comments (after “#”) • no empty attributes allowed • inetnum value can not be in prefix notation! • correct: a.b.c.d<space>-<space>w.x.y.z • Submission to the DB supports: • MIME • PGP (GnuPG)

  15. New in RPSL! New in RPSL! Querying Address Ranges • whois [customer’s IP range, customer’s netname] • netname not unique search key • whois -m [LIR allocated IP range] • list of biggest sub-ranges (first level more specific) • whois -M [LIR allocated IP range] • all sub-ranges • whois -L [customer’s IP range] • exact match & bigger encompassing ranges • LIR’s own allocation object & RIPE NCC’s /8 • whois -l [customer’s IP range] • not the exact match, but the smallest bigger object • whois -x [IP range] • if no matching object is found nothing is returned

  16. Example DB Queries whois -M 195.35.64.0/19 whois -m 195.35.64.0/19 195.35.64.0 - 195.35.95.255 195.35.64.0- 195.35.65.191 195.35.92.8/29 ENGO-8 195.35.92/29 ENGO-7 195.35.80/25 195.35.88/26 ... ENGOS GOODY2SHOES BLUELIGHT whois -L 195.35.92.10

  17. New in RPSL! Inverse Lookups in RIPE DB • whois -i {attribute} {value} • Inverse keys • notify, mnt-by, mnt-lower, admin-c, tech-c, zone-c, • whois –i tech-c JJ125-RIPE • whois -i admin-c,tech-c,zone-c -Tdomain JJ125-RIPE • whois -ipn JJ125-RIPE • whois -i mnt-by BLUELIGHT-MNT • whois -i notify jan@bluelight.nl

  18. Non-Recursive Lookups: “-r” • whois 193.35.64.82 => inetnum,route,person(s) • whois -r 193.35.64.82 => inetnum, route • whois -T inetnum 193.35.64.82 => inetnum,persons • whois -r -T inetnum 193.35.64.82 => inetnum • whois -T route 193.35.64.82 => route • Summary -- DB flags: • -i, -r, -T, -m, -M, -l, -L, -x

  19. Questions? (link back to the Assignment Process)

  20. Advanced Database Issues Protection DB administration updating objects deleting objects Test whois Database

  21. New in RPSL! New in RPSL! Notification / Authorisation • notify attribute (optional) • sends notification of change to the email address specified • mnt-by attribute & mntner object • mnt-by mandatory (except dn, pn, ro) • Hierarchical authorisation for inetnum, domain, route, aut-num objects • mnt-lower attribute • mnt-routes attribute

  22. New! Creating Maintainer Object • Mandatory protection of objects • except for person, role and domain • updates of objects that contain mnt-by attribute must pass the authentication rules in the mntner object • Decide on the authentication method • ripe-223 • ripe-157, ripe-189 documents obsolete • Manual registration necessary • send the mntner object to <ripe-dbm@ripe.net> • requester needs to be contact person from the LIR • See also: Protection of RIPE DB objects

  23. Authorisation Mechanism inetnum: 195.35.64.0 - 195.35.65.191 netname: BLUELIGHT-1 descr: Blue Light Internet ………….. mnt-by: BLUELIGHT-MNT mntner: BLUELIGHT-MNT descr: Maintainer for all Bluelight objects admin-c: JJ231-RIPE tech-c: BL112-RIPE auth: CRYPT-PW q5nd!~sfhk0# upd-to: jan@bluelight.nl mnt-nfy: auto-mnt@bluelight.nl referral-by: RIPE-DBM-MNT mnt-by: BLUELIGHT-MNT changed: hostmaster@bluelight.nl 19991112 source: RIPE

  24. New in RPSL! Maintainer Object Attributes • auth (mandatory, multiple) • upd-to (mandatory) • notification for failed updates • mnt-nfy (optional, encouraged) • works like notify but for all objects that refer to this mntner • mnt-by (mandatory) • can reference the object itself • referral-by (mandatory) • references mntner object that created this object • Manual registration of object necessary • Send object to <ripe-dbm@ripe.net>

  25. Authentication Methods 1. auth:NONE • could be used with mnt-nfy attribute 2. auth: MAIL-FROM {e-mail, reg-exp} • e.g. MAIL-FROM .*@bluelight\.nl • protection from typos 3. auth: CRYPT-PW {encrypted password} • include password attribute in your updates • value is clear text password 4. auth: PGPKEY-<argument> • key-cert object • see: ripe-223 • http://www.gnupg.org/

  26. Hierarchical Authorisation inetnum: 195.35.64.0 - 195.35.79.255 netname: NL-BLUELIGHT-20000909 … ... status: ALLOCATED PA mnt-by: RIPE-NCC-HM-MNT mnt-lower: BLUELIGHT-MNT mnt-routes: BLUELIGHT-MNT changed: hostmaster@ripe.net 20000909 changed: hostmaster@ripe.net 20001111 source: TEST • Ask <lir-help@ripe.net> to add mnt-lower and mnt-routes attributes into your allocation inetnum objects 

  27. New in RPSL! Hierarchical Authorisation (cont’d) • mnt-lower and mnt-routes attributes • authenticate only creation of more specific objects • only one level below • mandatory in allocation inetnum objects • mandatory in PI assignment inetnum objects • recommended in PA inetnum objects, and route objects • mnt-routes in aut-num object e.g. AS42 • authenticates creation of route objects with origin: AS42

  28. DB Update ProcedureSend to:<auto-dbm@ripe.net> • Modifying an object • obtain object from RIPE DB • make needed changes • keep the same primary key • add the changed line to the new version of object changed: jan@bluelight.nl 20010505 • keep the old changed lines in to show history • include authentication (password, PGP signature) • Deleting an object • add delete line to the exact copy of current object delete: jan@bluelight.nl overlapping inetnum 20010606 • include authentication (password, PGP signature)

  29. When to Update Your Objects • Fixing overlapping assignments • Merging two inetnum (domain, route) objects • Splitting one assignment into smaller ones • Changing the netname • Protecting unprotected objects • including mnt-by attribute • Updating peering agreements in aut-num • Updating references to new contact persons/roles • admin-c, tech-c, zone-c • Updating contact info • phone/address change in person/role/mntner

  30. person: CD2-RIPE CD2-RIPE CD2-RIPE Case Study 1 -- Contact Person Left 1. whois -i tech-c JAJA1-RIPE 2. Create new person object (for Carl Dickens, new guy) 3. Change the tech-c reference in allinetnum objects 4. Delete old person object Inetnum: person: 195.35.64.80 JAJA1-RIPE JAJA1-RIPE ... Inetnum: 195.35.64.130 JAJA1-RIPE

  31. role: person: JJ231-RIPE BL112-RIPE JJ231-RIPE CD2-RIPE BL112-RIPE BL112-RIPE Case Study 2 --Replacing tech-c Using role Object 1. Create person object for each tech-c 2. Create role object for all tech-c:s 3. Change the tech-c reference in allinetnum objects to reference role object 4. Keep role object up-to-date with staff changes person: 195.35.64.80 CD2-RIPE CD2-RIPE ... 195.35.64.130 CD2-RIPE

  32. Case Study 3 --Replacing Assignment Objects • Splitting any approved assignment • e.g. moving first assignment registered as one block, at the beginning of allocated range • delete the original object • create two or more new objects • keep the same netname • or let RIPE NCC know of the change • using the same ticket number

  33. Test whois Database • Non-production whois Database • Similar interface as “real” RIPE whois Database • whois & email • whois -h test-whois.ripe.net; <test-dbm@ripe.net> • syntax checking • error reports • Possible to automatically create mntner • Ideal for testing • various authorisation schemes • self-made scripts that update RIPE whois DB • Source: TEST

  34. Questions? Questions, bug reports: <ripe-dbm@ripe.net>

More Related