SoX IRR Action Report
Purpose of the Report
Internet2 has published a report identifying routing object discrepancies that may affect routing prefixes over the Internet2 I2PX Network and potentially other upstream and commodity providers. The SoX Network, in conjunction with the GlobalNOC and Internet2 Network, has utilized the Internet2 IRR Report Summary to determine the condition of SoX participants' IRR route object registrations. The report will advise if and how to update any records that could potentially cause impact to traffic. Please note that these notifications are purely informative. The SoX Network will NOT block any prefixes found to be invalid, missing, or incorrect, but the participant runs the risk of an upstream or commodity provider dropping traffic from their unregistered or incorrectly registered prefixes.
- Reading the Report
- The report uses a color key to identify the potential for impact. Generally the cell’s fill color indicates the following:
- Red = Confirmed impact presently or in the near future for the associated prefix route.
- Yellow = Potential impact presently or in the near future for the associated prefix route.
- Green = No problems with IRR records that would indicate potential impact for the associated prefix route.
- No Fill = Informational and/or is not known to indicate potential impact for the associated prefix route.
- The report has multiple columns, but SoX participants only need to evaluate the following to determine whether action is needed.
- RPKI ROA
- This column determines if the associated prefix has a Resource Public Key Infrastructure (RPKI) Route Origin Authorization (ROA). IRR records can contain invalid and out-of-date information, but RPKI introduces a means to digitally sign a route object associating a prefix with its authorized origin AS number. BGP advertisements are verified against the ROA to prevent IP hijacking and route leaks. According to Internet2, many ISPs will overlook a missing or incorrect IRR record if a valid RPKI ROA is in place.
- Values and Impact...
- Invalid = There is an existing ROA. The prefix advertisement is being learned from an AS that is not authorized and/or the announcement is a different length than specified in the RPKI. Some upstream and commodity providers have begun to block routes with invalid RPKI ROAs.
- Unknown = No RPKI ROA has been identified. Some upstream and commodity providers may begin blocking prefixes in the future that do not have a valid RPKI ROA.
- Valid = There is an existing ROA. The prefix is being learned from an AS that is authorized and is the length specified in the RPKI ROA.
- IRR Prefix Match
- This column provides information about the status of the IRR route object. The IRR databases are queried to determine if an IRR record is present, if the prefix mask is correct, and if there are more specific routes registered for the associated prefix.
- Values and Impact...
- False = An IRR route object is not present in the IRR databases. Some upstream and commodity providers will drop prefixes without a valid route object.
- More Specific = An IRR route object is present but the prefix being advertised is more specific than the IRR record. IRR records can be used to automate the configuration of import route-policies. Where a provider does this, the route would be dropped if the IRR record does not match the route being advertised or if the provider does not accept advertisements longer than or equal to the registered prefix length.
- Exact = An IRR route object is present for the prefix and the mask being advertised.
- IRR Origin Match
- This column displays the result of a check that queries the IRR database for the origin AS number, then compares that information to the AS origin from the route advertisement.
- Values and Impact...
- Invalid = Indicates the advertising AS does not match the AS registered with the IRR route object. Some upstream and commodity providers may choose to deny advertisements that are not sourced from the registered AS.
- Valid = Indicates the advertising AS does match the AS registered with the IRR route object.
- IRRs Used
- This column displays a list of what IRR databases a route object is registered with, separated by commas.
- Values and Impact...
- [<IRR Database Name>] = Indicates the route object is registered with the IRR database or databases listed.
- [<IRR Database Name>, ARIN-NONAUTH] = Indicates the route object is registered with the listed IRR databases as well as the ARIN non-authenticated (ARIN-NONAUTH) database. The ARIN-NONAUTH database is expected to be decommissioned on March 31, 2022. If registrations are not complete or accurate in the other IRR databases there is potential for upstream and commodity providers to deny those routes.
- [ARIN-NONAUTH] = Indicates the route object is only found to be registered within the ARIN non-authenticated (ARIN-NONAUTH) database. The ARIN-NONAUTH database is expected to be decommissioned on March 31, 2022. When this occurs no route object will be registered and upstream and commodity providers may deny the routes.
- No Route Object Found = Indicates no route object was located for the associated prefix. Upstream and commodity providers may choose to deny routes without a registered route object.
- Not Covered ARIN RSA
- This column provides the information gathered from a check that determines which Legacy Number Resource Holders or Number Resource Holders do not have a Services Agreement with ARIN.
- Values and Impact...
- Net Not Covered by L/RSA = Indicates that the prefix does not have a formal agreement signed with ARIN. Without this agreement participants will not be able to utilize some ARIN services. Whois information can continue to be maintained without an LRSA or RSA.
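The three route-check columns above (RPKI ROA, IRR Prefix Match, IRR Origin Match) can be reproduced for a single announcement with the added example below, which is not Internet2's or SoX's code. The RPKI state follows RFC 6811 origin validation; the IRR comparison logic, the function names, and all prefixes and AS numbers are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefixes and AS numbers.
ROAS = [("192.0.2.0/24", 24, 64500),      # (prefix, maxLength, origin AS)
        ("203.0.113.0/24", 25, 64501)]
IRR_ROUTES = [("192.0.2.0/24", 64500),    # (route object prefix, origin AS)
              ("203.0.113.0/24", 64501)]

def rpki_state(prefix, origin_as, roas):
    """RFC 6811 origin validation: Valid, Invalid or Unknown (NotFound)."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue                      # this ROA does not cover the route
        covered = True
        if net.prefixlen <= max_len and origin_as == roa_as:
            return "Valid"
    # Covered by a ROA but wrong AS or too long -> Invalid; no ROA -> Unknown.
    return "Invalid" if covered else "Unknown"

def irr_state(prefix, origin_as, routes):
    """Return (IRR Prefix Match, IRR Origin Match) for one announcement."""
    net = ipaddress.ip_network(prefix)
    parsed = [(ipaddress.ip_network(p), a) for p, a in routes]
    exact = [a for n, a in parsed if n == net]
    covering = [a for n, a in parsed
                if n.version == net.version and n != net and net.subnet_of(n)]
    if exact:
        match, origins = "Exact", exact
    elif covering:
        match, origins = "More Specific", covering
    else:
        return "False", None              # no route object, nothing to compare
    return match, ("Valid" if origin_as in origins else "Invalid")

def report_row(prefix, origin_as):
    """Assemble the three column values for one advertised prefix."""
    prefix_match, origin_match = irr_state(prefix, origin_as, IRR_ROUTES)
    return {"RPKI ROA": rpki_state(prefix, origin_as, ROAS),
            "IRR Prefix Match": prefix_match,
            "IRR Origin Match": origin_match}

if __name__ == "__main__":
    for p, a in [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                 ("203.0.113.0/24", 64502), ("198.51.100.0/24", 64500)]:
        print(p, f"AS{a}", report_row(p, a))
```

The `192.0.2.0/25` case shows why a more-specific advertisement can be RPKI Invalid even from the authorized AS: the announced length exceeds the ROA's maximum length.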
- Resolving Prefix Records with Confirmed or Potential Impact
- By resolving flagged items participants will be preventing impact to their traffic and helping to ensure a more secure internet. Information on how to resolve any confirmed or potential impact is below. If participants have any additional questions they are encouraged to reach out to the SoX NOC.
- RPKI ROA
- Invalid = An RPKI ROA is recommended to ensure routes are being advertised correctly and from an authorized source. To ensure the Invalid status of the RPKI ROA is not a false positive, the participant will need to verify their ROA has the correct and most up to date information. Update any needed information with the ARIN API or ARIN Online.
- Unknown = If a participant would like to submit an RPKI ROA they will need to do so via the ARIN API or ARIN Online.
- IRR Prefix Match
- False = When a route object is not present in any of the IRR databases one will need to be created. Route objects can be registered with the participant’s choice of IRR database. The SoX Network can proxy register any routes if requested by the participant via the SoX request form, NOC email, or NOC phone number.
- More Specific = To resolve a more specific prefix advertisement than what is registered in the route object, the participant can either adjust advertisements to match the prefix length in the route object or create registrations for each of the advertisements with matching prefix lengths.
- IRR Origin Match
- Invalid = To resolve an invalid origin, the participant will either need to advertise the route from the AS listed in the route object or update route objects to reflect the correct AS origin.
- IRRs Used
- [ARIN-NONAUTH] = In the event that a route object is only registered in the ARIN-NONAUTH database, participants will need to register with another database as soon as possible. The ARIN-NONAUTH database is projected to be decommissioned March 31, 2022 and missing route objects will result in impact. The SoX Network can proxy register any routes if requested by the participant via the SoX request form, NOC email, or NOC phone number.
- No Route Object Found = In the event that no route object is present the participant will need to create one as soon as possible to prevent or resolve any impact. The SoX Network can proxy register any routes if requested by the participant via the SoX request form, NOC email, or NOC phone number.
- [<IRR Database Name>, ARIN-NONAUTH] = In the event that a route object is registered with the ARIN-NONAUTH database and any additional database, the participant will need to verify the additional database has complete and up-to-date information. The ARIN-NONAUTH database is projected to be decommissioned March 31, 2022 and incomplete or incorrect registrations can result in impact. The SoX Network can proxy register any routes if requested by the participant via the SoX request form, NOC email, or NOC phone number.
- Not Covered ARIN RSA
- Net Not Covered by L/RSA = In the event that a prefix is not covered by an L/RSA the participant can contact ARIN to enter into a formal agreement.
- Informative Links
Internet2 Full Route Report for Connector SoX
Source: “Internet2 Route Report”, created by Steven Wallace @ Internet2.
Internet2 Additional Information for IRR Working Document
Registration Services Agreement (RSA) FAQ - American Registry for Internet Numbers
Legacy Resource Services — American Registry for Internet Numbers
Route Origin Authorizations (ROAs) — American Registry for Internet Numbers
IRR and ARIN-NONAUTH: How Do I Use It?
ACSP Consultation 2021.1 - Future of ARIN’s Unauthenticated IRR is now Closed
MANRS Implementation Guide – Online Version