11.2 RPSL


In 1999 RPSL was designed to replace RIPE-181 [16], the first common language widely deployed in the Internet for routing-policy definition. A new language was needed because operators found it hard to express policies used in practice in the RIPE policy language. As a result, RPSL was developed and released by the IETF Routing Policy System Working Group.

A common RPSL has been defined in RFC 2622 [2], a proposed standard as of the time of this writing. Before we talk about RPSL, it is important to understand where the language originated and the role played by a group called the Internet Routing Registry (IRR, www.irr.net), a collection of databases made up of routing policies from a number of international participants. The idea behind the IRR was to provide a central repository for routing and addressing information. The IRR was originally made up of five registries and today consists of about 50 members, including operators such as Verio, Cogent (formerly Netrail), and Level 3, who each run their own registries.

These registries register routing policies from different operators in databases that are synchronized with each other several times a day. Among these databases are the Route Arbiter Database (RADB) registry in the United States, and the RIPE registry in Europe. What sets these registries apart is that they are both public registries in which any ISP can publish its policies. It is recommended that ISPs publish their policies with a single registry as registering with multiple registries can lead to inconsistencies when the databases synchronize.

Objects registered in the IRR can be queried using the UNIX whois command, which is an Internet domain name and network number directory service query tool. The general usage for the whois command is as follows:

    whois [-adptr][-h host] name

    [-adptr] has two options:
      -a for the American Registry for Internet Numbers (ARIN) database
      -d for the US military Defense Data Network (DDN)
    [-h host] has two options:
      -p to use the Asia Pacific Network Information Center (APNIC) database
      -r to use the Réseaux IP Européens (RIPE) database

If no options are specified, the command searches the default network information center (NIC), whois.internic.net, which is the central repository. A whois query is normally performed for a real Internet address. However, for the purposes of this book, we will use a private network address and private ASNs as defined by RFC 1918 [6] and RFC 1930 [7], respectively, so as not to infringe on any public IP address space or AS space. Private addresses will suffice for demonstration purposes.

The following is an example of a whois query of the RIPE database (-r) for the network 192.168.4.0:

    UnixServer> whois -r 192.168.4.0

    % This is the RIPE Whois server.
    % The objects are in RPSL format.
    % Please visit www.ripe.net/rpsl for more information.
    % Rights restricted by copyright.
    % See www.ripe.net/ripencc/pub-services/db/copyright.html

    inetnum:      192.168.4.0 - 192.168.7.255
    netname:      customer1-net
    descr:        Telco123
    descr:        Unit 30a
    descr:        Littletown
    country:      Ireland
    admin-c:      XX3241-RIPE
    tech-c:       ABEC1-RIPE
    rev-srv:      ns1.ec.abxy.net
    rev-srv:      ns2.ec.abxy.net
    status:       ASSIGNED PA
    mnt-by:       INETEC-MNT
    changed:      chd@INET.net 19991217
    source:       RIPE

    route:        192.168.0.0/19
    descr:        INET EC Block 4
    origin:       AS65535
    mnt-by:       INETEC-MNT
    changed:      bb@INET.net 19980513
    changed:      lr@INET.net 19990929
    source:       RIPE

    role:        INET Ireland IP-oper
    address:     INET  An Internet Company
    address:     bigstreet
    address:     Dublin
    address:     Ireland
    phone:       +353 99 233445
    fax-no:      +353 99 233446
    e-mail:      help@INET.net
    trouble:     abuse@INET.net
    admin-c:     ANR13-RIPE
    admin-c:     OC855-RIPE
    tech-c:      BMS13-RIPE
    tech-c:      AND9-RIPE
    tech-c:      LBST4-RIPE
    tech-c:      EHU1-RIPE
    tech-c:      LBUJ1-RIPE
    nic-hdl:     BNEC1-RIPE
    remarks:     --------------------------------------------------------
    remarks:     For complaints about abusive/malicious behavior
    remarks:     please contact one of the following addresses:
    remarks:     E-mail abuse(SPAM/UCE): abuse-mail@INET.net
    remarks:     USENET/Newsgroup abuse: abuse-news@INET
    remarks:     Security/hacking/etc  : security@INET.net
    remarks:     All other issues      : abuse@INET.net
    remarks:     --------------------------------------------------------
    remarks:     *** IF ABUSE IS GOING ON AT THIS VERY MOMENT ***
    remarks:     *** PLEASE CALL 919-555-1212,OPTION 2,3,1 Ask for RORO *
    remarks:     --------------------------------------------------------
    notify:      ripe-notify@INET.net
    notify:      hm-dbm-msgs@ripe.net
    mnt-by:      INETEC1-MNT
    changed:     dan@INET.net 20010429
    changed:     lt@INET.net 20010602
    source:      RIPE

    person:       I. M. Responsible
    address:      Unit 30a
    address:      a street, Littletown
    address:      Ireland
    phone:        +353 11 361921
    fax-no:       +353 11 361736
    e-mail:       cd-e@telco123.net
    nic-hdl:      XC6541-RIPE
    mnt-by:       INETEC1-MNT
    changed:      lcr@19990416
    source:       RIPE

Table 11-1 describes the less intuitive fields returned from the previous whois network query.

More information about these fields can be obtained from www.ripe.net/ripe/docs/databaseref-manual.html.

Table 11-1. whois Network Query Fields
Field Name   Information Displayed
inetnum      The Internet address. In this example, 192.168.4.0 is actually part of an address space ranging from 192.168.4.0 to 192.168.7.255.
netname      The name of the network. In this example, 192.168.4.0 is called customer1-net.
descr        Who the network belongs to and where the company is located.
route        Which block the range is from. In this example, the range is part of the 192.168.0.0/19 block.
mnt-by       The name of the company that maintains the network.
changed      All changes to the entry, including when it was last changed and the e-mail address of the person who changed it.
admin-c      Administrative contacts.
tech-c       Technical contacts.
nic-hdl      The NIC handle.
remarks      Optional fields for an operator to provide extra information.

If you do not have access to a UNIX box, then whois queries can be performed over the Web at numerous Web sites, the main ones being the following:

  • RIPE: www.ripe.net/perl/whois

  • APNIC: www.apnic.org/apnic-bin/whois2.pl

  • InterNIC: www.internic.org/whois.html

Note that RPSL is not a router configuration language. It is an object-oriented language that permits the generation of a router configuration from the description of a router combined with the description of an AS.

When policy objects are registered in the IRR, they can also be queried using the whois service. Any public ASN in the range of 1 to 64,511 can be queried. The block of ASNs from 64,512 to 65,535 is reserved for private use as defined in RFC 1930. In the following example, we can see how the whois command can be adapted to query an entire AS. This is, of course, a private ASN, but imagine the depth of publicly available data that is obtainable through a public AS query.

    unixserver> whois -r as65535

    % This is the RIPE Whois server.
    % The objects are in RPSL format.
    % Please visit www.ripe.net/rpsl for more information.
    % Rights restricted by copyright.
    % See www.ripe.net/ripencc/pub-services/db/copyright.html

    as-block:    AS64512 - AS65535
    descr:       RIPE NCC ASN block
    remarks:     These AS numbers are further assigned by RIPE NCC
    remarks:     to LIRs and end-users in the RIPE NCC region
    remarks:     Please refer to RIPE Document ripe-185
    remarks:     and RIPE Document ripe-147
    admin-c:     MM45-RIPE
    tech-c:      OPT5-RIPE
    mnt-by:      RIPE-NCC-TT-MNT
    mnt-lower:   RIPE-NCC-TT-MNT
    changed:     hostmaster@ripe.net 20010526
    source:      RIPE

    aut-num:      AS65535
    as-name:      UNSPECIFIED
    descr:        Telecommunications 123 Ltd
    descr:        Unit 30a
    descr:        A street, Littletown
    descr:        Ireland
    import:       from AS65534
                  action pref=100;
                  accept ANY AND NOT {0.0.0.0/0}
    export:       to AS65534
                  announce AS-TELCO123
    import:       from AS65533
                  action pref=100;
                  accept ANY AND NOT {0.0.0.0/0}
    export:       to AS65533
                  announce AS- AS-TELCO123
    import:       from AS65532
                  action pref=100;
                  accept ANY AND NOT {0.0.0.0/0}
    export:       to AS65532
                  announce AS- AS-TELCO123
    import:       from AS65531
                  action pref=100;
                  accept ANY AND NOT {0.0.0.0/0}
    export:       to AS65531
                  announce AS- AS-TELCO123
    import:       from AS65530
                  action pref=100;
                  accept ANY AND NOT {0.0.0.0/0}
    export:       to AS65530
                  announce AS- AS-TELCO123
    admin-c:      ACBN1-RIPE
    tech-c:       ACBN1-RIPE
    tech-c:       ADAM1-RIPE
    mnt-by:       TELCO123-MNTNR
    notify:       hostmaster@itelco123.net
    changed:      ripe_admin@itelco123.net 19990921
    changed:      adamc@telco123.net 20011014
    source:       RIPE

    role:         RIPE NCC Operations
    address:      OP Centre
    address:      BigCity
    address:      EC-Country
    phone:        +11 21 545 4321
    fax-no:       +11 21 545 4323
    e-mail:       operationsnet@ripe.net
    admin-c:      JMSD1-RIPE
    admin-c:      DEL132-RIPE
    tech-c:       DEL132-RIPE
    tech-c:       LX627-RIPE
    tech-c:       GM8331-RIPE
    tech-c:       MBLI3-RIPE
    tech-c:       DL785-RIPE
    tech-c:       EQ4727-RIPE
    tech-c:       DN11627-RIPE
    tech-c:       MDS4-RIPE
    tech-c:       PW3458-RIPE
    tech-c:       JLSE2-RIPE
    tech-c:       LI2176-RIPE
    nic-hdl:      OPT5-RIPE
    mnt-by:       RIPE-NCC-MNT
    changed:      ob@ripe.net 19991208
    changed:      mk@ripe.net 20000803
    changed:      gd@ripe.net 20001101
    changed:      le@ripe.net 20010308
    changed:      ja@ripe.net 20010622
    source:       RIPE

    person:       Adam Contact
    address:      Telco 123
    address:      3rd Floor
    address:      Unit 30a
    address:      A street, Little Town
    address:      Ireland
    phone:        +353 11 21 8917 4621
    fax-no:       +353 11 20 8917 4623
    e-mail:       adamc@telco123.net
    nic-hdl:      ADAM1-RIPE
    notify:       ap@telco123.net
    changed:      adamc@tc.NET 20000519
    changed:      adamc@telco123.net 20010329
    source:       RIPE

    person:       RIPE  Engineer
    address:      RIPE Network Coordination Centre (NCC)
    address:      OP Centre
    address:      BigCity
    address:      EC-Country
    phone:        +11 21 545 4321
    fax-no:       +11 21 545 4323
    nic-hdl:      MM43-RIPE
    mnt-by:       RIPE-NCC-HM-MNT
    changed:      hostman@ripe.net 20000805
    changed:      hostman@ripe.net 20010615
    source:       RIPE

In the example shown, a whois query is performed on AS 65535. Remember that this ASN belongs to INET. Most of the fields contained in the output from the previous whois command are present here again.

The main fields we are concerned with here are the as-block, aut-num, as-name, import, and export fields. The as-block field tells us that AS 65535 belongs to a block of ASNs ranging from 64,512 to 65,535. The aut-num field is the ASN that we queried. In this case, the AS is not named, as the as-name field has returned a value of UNSPECIFIED.

The import and export fields display the policies applied by AS 65535 on incoming and outgoing routes, respectively. In the first set of import and export fields, you can see that AS 65535 has a policy in place to accept any route from AS 65534 as long as it is not a default route:

    import:       from AS65534
                  action pref=100;
                  accept ANY AND NOT {0.0.0.0/0}
    export:       to AS65534

The above excerpt describes the policy rules that AS 65535 has set for its peering interaction with AS 65534. We see that on the import side from AS 65534, AS 65535 sets the preference value to 100. AS 65535 will accept all routes, except the default 0.0.0.0/0 route. On the outgoing side, the export policy merely states that AS 65535 is to announce its presence to AS 65534. This is an example of a typical policy entry in the RADB.
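The import and export attributes above span several lines, so any tool that audits what an AS has published in the IRR must first rejoin continuation lines and split the whois output into objects. The following Python sketch is an added example, not code from the book: the names parse_rpsl, policies and POLICY_RE are hypothetical, the sample is constructed from the AS65535 output above, and the pattern covers only the single-peer policy form shown in this section.

```python
import re

# Constructed sample, trimmed from the AS65535 query output in this section.
SAMPLE = """\
% This is the RIPE Whois server.

as-block:    AS64512 - AS65535
source:      RIPE

aut-num:      AS65535
as-name:      UNSPECIFIED
import:       from AS65534
              action pref=100;
              accept ANY AND NOT {0.0.0.0/0}
export:       to AS65534
              announce AS-TELCO123
source:       RIPE
"""

# Simplified policy shape used on this page: one peer AS, optional action.
POLICY_RE = re.compile(r"^(?:from|to)\s+(AS\d+)\s+(?:action\s+(.*?);\s*)?"
                       r"(?:accept|announce)\s+(.*)$", re.IGNORECASE)

def parse_rpsl(text):
    """Split whois output into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%"):              # server banner/comment line
            continue
        if not line.strip():                  # blank line closes an object
            if current:
                objects.append(current)
            current = []
        elif line[0] in " \t+" and current:   # continuation of previous value
            attr, value = current[-1]
            current[-1] = (attr, (value + " " + line[1:].strip()).strip())
        else:
            attr, _, value = line.partition(":")
            current.append((attr.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects

def policies(obj):
    """Return (direction, peer AS, action, filter) per import/export line."""
    hits = ((a, POLICY_RE.match(v)) for a, v in obj if a in ("import", "export"))
    return [(a, m.group(1).upper(), m.group(2), m.group(3)) for a, m in hits if m]
```

Calling policies() on the aut-num object gives one tuple per peering, which makes it straightforward to confirm that every import filter still excludes {0.0.0.0/0}.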

RFC 2650 [3], "Using RPSL in Practice," is an informational RFC that fully describes the IRR and RPSL. There are a number of tools available today to enable a routing configuration to be developed from information stored in the IRR. One collection of tools is RAToolSet, which includes a configuration generator called Rtconfig that supports configuration generation for Cisco, Juniper Networks, Nortel, Gated, and RSd routers with BGP policies. More information on the RAToolSet can be found on the University of California Web site at www.isi.edu/ra/RAToolSet.



Juniper Networks Reference Guide. JUNOS Routing, Configuration, and Architecture
ISBN: 0201775921
Year: 2002
Pages: 176
