Providing A Subset of Whois Data Via DNS
19
Providing A Subset of Wh Providing A Subset of Wh ois Data Via DNS ois Data Via DNS Shuang Zhu Shuang Zhu Xing Li Xing Li CERNET Center CERNET Center
-
Upload
quamar-slater -
Category
Documents
-
view
19 -
download
0
description
Providing A Subset of Whois Data Via DNS. Shuang Zhu Xing Li CERNET Center. Problem Statement. Network operators frequently need to check the consistency of the Internet routing Wrong IP prefix announcements (e.g. PA holes) Unauthorized IP prefix announcements - PowerPoint PPT Presentation
Transcript of Providing A Subset of Whois Data Via DNS
Providing A Subset of Whois DatProviding A Subset of Whois Data Via DNSa Via DNS
Shuang ZhuShuang ZhuXing LiXing Li
CERNET CenterCERNET Center
Problem StatementProblem Statement
Network operators frequently need Network operators frequently need to check the consistency of the Interto check the consistency of the Internet routingnet routing Wrong IP prefix announcements (e.g. Wrong IP prefix announcements (e.g.
PA holes)PA holes) Unauthorized IP prefix announcementUnauthorized IP prefix announcement
ss But it is sometimes difficult to tell wBut it is sometimes difficult to tell w
hich AS an IP originates and should hich AS an IP originates and should originate from.originate from.
Problem StatementProblem Statement
A standardized mechanism to deterA standardized mechanism to determine the AS origin of an IP address mine the AS origin of an IP address would be useful, particularly as a diwould be useful, particularly as a diagnostic aid for operators.agnostic aid for operators.
Current PracticesCurrent Practices
To tell which AS an IP address origiTo tell which AS an IP address originates fromnates from sort of routeviews projects, CIDR reporsort of routeviews projects, CIDR repor
t, ….t, …. analysis of routing tablesanalysis of routing tables
To determine which AS an IP addresTo determine which AS an IP address should originate froms should originate from route registration is a part of the servicroute registration is a part of the servic
es of IRRes of IRR
IRR ProvidersIRR Providers
Global scope IRR providers, typically Global scope IRR providers, typically are: are:
RIRRIR APNIC, RIPE, ….APNIC, RIPE, ….
Non-RIRNon-RIR RADB, RADB, SAVVISSAVVIS, …., ….
The ObservationsThe Observations
There exist some shortcomings of There exist some shortcomings of IRRIRR lack of authoritylack of authority less accuracyless accuracy not kept up to datenot kept up to date
The ObservationsThe Observations
RIR IRRsRIR IRRs have the authority of route blockshave the authority of route blocks
Need membership to register the route, by Need membership to register the route, by specifying mnt-routes in inetnum objectsspecifying mnt-routes in inetnum objects
however, ISPs are sometimes lazy or rehowever, ISPs are sometimes lazy or reluctant to maintainluctant to maintain In APNIC route database, only about 10% aIn APNIC route database, only about 10% a
llocated IP addresses registered routes therllocated IP addresses registered routes there.e.
The ObservationsThe Observations
Non-RIR IRRsNon-RIR IRRs No authority of the route blocksNo authority of the route blocks No check, No accuracy guaranteeNo check, No accuracy guarantee
Non-RIR IRR ExamplesNon-RIR IRR Examples For example, the answer to the following IRR wFor example, the answer to the following IRR w
hois query is obviously incorrect, for 211.64.0.0/hois query is obviously incorrect, for 211.64.0.0/13 actually originates from CERNET AS4538.13 actually originates from CERNET AS4538.
% whois -h whois.% whois -h whois.radbradb.net. 211.64.0.0.net. 211.64.0.0 % whois -h rr.% whois -h rr.savvissavvis.net. 211.64.0.0.net. 211.64.0.0
route: 211.64.0.0/13route: 211.64.0.0/13descr: China United Telecomdescr: China United Telecomorigin: AS9800origin: AS9800mnt-by: MAINT-AS9800mnt-by: MAINT-AS9800changed: [email protected] 20050112changed: [email protected] 20050112source: SAVVISsource: SAVVIS
Are There Alternatives?Are There Alternatives?
Can we indicate IRR route origin, a Can we indicate IRR route origin, a subset of whois data, via DNS?subset of whois data, via DNS?
RIR’s IP Allocation database is authorRIR’s IP Allocation database is authoritativeitative APNIC, ARIN, RIPE, ….APNIC, ARIN, RIPE, ….
There is also a natural authorization, alThere is also a natural authorization, along with the delegation of reverse DNS ong with the delegation of reverse DNS of the route blockof the route block
How To Do Via DNSHow To Do Via DNS
Network operators publish the AS origin of tNetwork operators publish the AS origin of their routing announcements by use of TXT heir routing announcements by use of TXT RR in its reverse DNSRR in its reverse DNS
<<reversereverse>.in-addr.arpa. IN TXT “<>.in-addr.arpa. IN TXT “<as numberas number>" “<>" “<network numbernetwork number>" “<>" “<prefix lengthprefix length>“>“
e.g. e.g. 64.211.in-addr.arpa. IN TXT "4538" "211.64.0.0" "13“64.211.in-addr.arpa. IN TXT "4538" "211.64.0.0" "13“65.211.in-addr.arpa. IN TXT "4538" "211.64.0.0" "13"65.211.in-addr.arpa. IN TXT "4538" "211.64.0.0" "13"66.211.in-addr.arpa. IN TXT "4538" "211.64.0.0" "13"66.211.in-addr.arpa. IN TXT "4538" "211.64.0.0" "13"67.211.in-addr.arpa. IN TXT "4538" "211.64.0.0" "13“67.211.in-addr.arpa. IN TXT "4538" "211.64.0.0" "13“……..
Example DetailsExample Details
211.64.0.0/13 is the allocation from APNIC for CE211.64.0.0/13 is the allocation from APNIC for CERNETRNETinetnum: 211.64.0.0 - 211.69.255.255inetnum: 211.64.0.0 - 211.69.255.255netname: CERNET-CNnetname: CERNET-CNdescr: China Education and Research Networkdescr: China Education and Research Networkdescr: Room 224, Tsinghua Universitydescr: Room 224, Tsinghua Universitydescr: Beijing, Chinadescr: Beijing, Chinacountry: CNcountry: CN……mnt-by: APNIC-HMmnt-by: APNIC-HMmnt-lower: MAINT-CERNET-APmnt-lower: MAINT-CERNET-APchanged: [email protected] 19990917changed: [email protected] 19990917status: ALLOCATED PORTABLEstatus: ALLOCATED PORTABLEchanged: [email protected] 20041214changed: [email protected] 20041214source: APNICsource: APNIC
Example DetailsExample Details
211.64.0.0/13 is the allocation from APNIC for CE211.64.0.0/13 is the allocation from APNIC for CERNETRNETinetnum: 211.70.0.0 - 211.71.255.255inetnum: 211.70.0.0 - 211.71.255.255netname: CERNETnetname: CERNETdescr: China Education and Research Networkdescr: China Education and Research Networkdescr: Room 224, Tsinghua Universitydescr: Room 224, Tsinghua Universitydescr: Beijing, Chinadescr: Beijing, Chinacountry: CNcountry: CN……mnt-by: APNIC-HMmnt-by: APNIC-HMmnt-lower: MAINT-CERNET-APmnt-lower: MAINT-CERNET-APchanged: [email protected] 20000801changed: [email protected] 20000801status: ALLOCATED PORTABLEstatus: ALLOCATED PORTABLEsource: APNICsource: APNIC
Example DetailsExample Details
APNIC delegates 64-71.211.in-addr.arpa. to CEAPNIC delegates 64-71.211.in-addr.arpa. to CERNET name servers. RNET name servers.
% dig @ns1.apnic.net. +norecurse 64.211.in-addr.arp% dig @ns1.apnic.net. +norecurse 64.211.in-addr.arpa. nsa. ns
;; QUESTION SECTION:;; QUESTION SECTION:;64.211.in-addr.arpa. IN NS;64.211.in-addr.arpa. IN NS
;; AUTHORITY SECTION:;; AUTHORITY SECTION:64.211.in-addr.arpa. 172800 IN NS dns2.edu.c64.211.in-addr.arpa. 172800 IN NS dns2.edu.c
n.n.64.211.in-addr.arpa. 172800 IN NS dns.edu.cn.64.211.in-addr.arpa. 172800 IN NS dns.edu.cn.64.211.in-addr.arpa. 172800 IN NS ns2.net.edu64.211.in-addr.arpa. 172800 IN NS ns2.net.edu
.cn..cn.
Example DetailsExample Details
CERNET makes 211.64.0.0/13 announcementCERNET makes 211.64.0.0/13 announcement
CERNET sets up 64.211.in-addr.arpa. zone CERNET sets up 64.211.in-addr.arpa. zone datadata
64.211.in-addr.arpa. IN SOA NS2.NET.EDU.CN. 64.211.in-addr.arpa. IN SOA NS2.NET.EDU.CN. HOSTMASTER.NET.EDU.CN. 2006072518 28800 7200 604800 HOSTMASTER.NET.EDU.CN. 2006072518 28800 7200 604800 8640086400
64.211.in-addr.arpa. IN NS NS2.NET.EDU.CN.64.211.in-addr.arpa. IN NS NS2.NET.EDU.CN.
64.211.in-addr.arpa. IN NS DNS.EDU.CN.64.211.in-addr.arpa. IN NS DNS.EDU.CN.
64.211.in-addr.arpa. IN NS DNS2.EDU.CN.64.211.in-addr.arpa. IN NS DNS2.EDU.CN.
64.211.in-addr.arpa. IN TXT "4538" "211.64.0.0" 64.211.in-addr.arpa. IN TXT "4538" "211.64.0.0" "13""13"
Example DetailsExample Details
Network operaters make the query, with /16, Network operaters make the query, with /16, /24 reverse names/24 reverse names
%%dig 64.211.in-addr.arpa. txtdig 64.211.in-addr.arpa. txt
;; QUESTION SECTION:;; QUESTION SECTION:;64.211.in-addr.arpa. IN TXT;64.211.in-addr.arpa. IN TXT
;; ANSWER SECTION:;; ANSWER SECTION:64.211.in-addr.arpa. 86400 IN TXT "4538" "211.64.0.64.211.in-addr.arpa. 86400 IN TXT "4538" "211.64.0.
0" "13"0" "13"……
AdvantagesAdvantages
Natural authorization along with thNatural authorization along with the delegation of reverse dns of the roe delegation of reverse dns of the route blockute block
The DNS TXT records are maintaineThe DNS TXT records are maintained locally, and most likely easy to keed locally, and most likely easy to keep up to datep up to date
The DNS is a prevalent distributed sThe DNS is a prevalent distributed service with easy adoptionervice with easy adoption
No obvious disadvantage.No obvious disadvantage.
ConclusionConclusion
We propose an alternative for establWe propose an alternative for establishing IP to AS origin mapping via Dishing IP to AS origin mapping via DNS, hopefully overcoming the drawNS, hopefully overcoming the drawbacks of IRR.backs of IRR.
We think this mechanism of providiWe think this mechanism of providing a subset of Whois Data via DNS is ng a subset of Whois Data via DNS is helpful, and easy to implement.helpful, and easy to implement.
Thanks for your time!Thanks for your time!
Comments?Comments?
