July 18, 2003
Japan Network Information Center
IRR-Planning Team
JPNIC IRR (JPIRR) Operation Policies and User Guideline
Table of Contents
1. Introduction
2. Definitions
3. Background of JPIRR
4. Positioning of JPIRR
5. Notes on the use of trial service
6. Definitions and hierarchical structure of IRR
6.1 IRR categories
6.2 IRR system mirroring structure
6.3 Access policies
6.4 JPIRR access policies
6.5 Access policy for IRRs maintained by JPNIC IP address management agents
7. IRR Objects
7.1 Maintainer Object
7.2 Aut-num Object
7.3 Route Object
7.4 AS-Set Object
7.5 Route-Set Object
7.6 Person Object
7.7 Role Object
8. Retrieval, registration, change and deletion of objects
8.1 Retrieval from JPIRR
8.2 Registration and deletion of maintainer object
8.3 Registration, change, and deletion of other objects
9. Inquiries about JPIRR
10. References
11. Acknowledgements
1. Introduction
This document describes the operation policies and usage of the
Internet Routing Registry (IRR) maintained by JPNIC on a trial basis.
Since JPNIC IRR (hereafter JPIRR) is maintained in cooperation with
APNIC IRR and other IRRs, the contents of this document may be changed
without prior notice in accordance with any change in the operation
policies of other IRRs or JPNIC itself. If this document is modified,
the new modified document supersedes it in all cases.
2. Definitions
(1) IR (Internet Registry)
An Internet Registry (IR) is an organization that is responsible for
distributing and managing Internet resources such as IP addresses and
AS numbers. IRs are classified into Regional Internet Registries
(RIRs), National Internet Registries (NIRs), and Local Internet
Registries (LIRs) within the hierarchical structure shown in Figure
1.1.
(2) RIR (Regional Internet Registry)
Regional Internet Registries (RIRs) allocate and assign IP addresses
within their respective regions. Currently, there are four RIRs:
APNIC (Asia Pacific region), ARIN (North American region), LACNIC (South
American region) and RIPE-NCC (European region).
(3) NIR (National Internet Registry)
National Internet Registries (NIRs) are organized at a national level.
NIRs receive address space distributions from RIRs and then further
distribute address space to subordinate LIRs. JPNIC acts as an NIR.
(4) LIR (Local Internet Registry)
A Local Internet Registry (LIR) is generally an Internet Service
Provider (ISP) that primarily distributes IP addresses to the users of
the network services it provides. JPNIC IP address management agents
act as LIRs.
(5) IRR (Internet Routing Registry)
An Internet Routing Registry (IRR) is a database system for
accumulating Internet routing policies handled by BGP4. An IRR is also
called RR (Routing Registry).
(6) Public IRR data
Public IRR data refers to IRR data publicized by IRRs incorporated in
the IRR system structure described in this guideline.
(7) Private IRR data
Private IRR data refers to IRR data not publicized (i.e., users are
restricted) by IRRs maintained by LIRs for commercial purposes.
+--------+ IANA : The Internet Assigned
| IANA | Numbers Authority
+--------+
|
+-----------+-----------+...........+.............+
| | | : :
+--------+ +--------+ +--------+ +--------+ +...........+
| ARIN | |RIPE NCC| | APNIC | | LACNIC | : Potential :
+--------+ +--------+ +--------+ +--------+ :future RIRs:
| +...........+
+-----------+--+--------+
| | |
+------+ +-------+ |
| NIR | | JPNIC | | National Internet
+------+ +-------+ | Registries
| | (NIR) |
+------+--+ | |
| | | |
+------+ | +------+ +------+ Local Internet
| LIR | | | LIR | | LIR | Registries
+------+ | +------+ +------+
| | | |
+-----+ | | |
| | | | |
| | | | |
+----+ +----+ +----+ +----+ +----+
| EU | | EU | | EU | | EU | | EU | End-users
+----+ +----+ +----+ +----+ +----+
[Figure 1.1 Hierarchical Structure of Internet Registries]
3. Background of JPIRR
JPNIC starts a trial JPIRR service for users in Japan in light of
global changes in the IRR situation.
In the current IRR system, data is distributed widely and sometimes
lacks integrity due to widespread IRR servers, making it difficult for
the system to meet the goals of storing routing information and
policies and providing information needed for the operation of the
Internet. For this reason, JPNIC has been monitoring changes in the IRR
environment since 2000 and studying optimum solutions to IRR
operation, mainly with its JPNIC IRR Research Group. As a result of
these studies, JPNIC has come up with a model in which an IR
contributes to the Internet operation by maintaining an IRR that
stores IRR data for public view (public IRR data) and provides
information to its own region.
This model has been discussed and agreed on at APNIC and NANOG
meetings. The communities of ARIN, RIPE, and APNIC have also reached a
consensus.
JPNIC has decided to start a trial JPIRR service for IP address
management agents and people engaged in the Internet operation and to
promote the use of the IRR widely in Japan.
4. Positioning of JPIRR
JPIRR is a trial service provided by JPNIC to evaluate the effects of
maintaining an IRR on the Internet operation in Japan.
The quality and continuity of the trial service are not guaranteed.
The trial service was initially planned for a 7-month period from
Oct 23, 2002 to the end of March 2003. However, the term of the trial
service has been extended to the end of March 2004.
At the completion of this period, JPNIC will evaluate the necessity of
this service, and decide how this service is provided.
5. Notes on the use of trial service
In principle, the trial service is provided for JPNIC IP address
management agents. Refer to Section "6.4 JPIRR access policies" for
service access criteria.
In no event shall JPNIC be responsible or liable for any damage that
might result from the use of this trial service. Users are asked to
use this service at their own responsibility.
6. Definitions and hierarchical structure of IRR
6.1 IRR categories
(1) RIR's IRR
RIR's IRR is the IRR maintained by an RIR (Regional Internet
Registry). RIR's IRR has a repository(*) that records the
information of direct members of the RIR and the address blocks
and AS numbers allocated to its subordinate NIRs. When an NIR has
its own repository, the RIR does not store information of this
NIR.
This type of IRR provides two services: one is to accept
registrations of and changes in the information of RIR's direct
members, who are the owners of the registered information, and the
other is to provide information for public users.
(*) Repository:
There are multiple IRRs on the Internet, such as RADB and APNIC
IRR. When data is stored in an IRR, the "Source" field is added
to all objects to identify which IRR the data belongs to. The
name written in this field is called "repository name." The word
"Repository" refers to a database for stockpiling IRR data.
(2) NIR's IRR
NIR's IRR is the IRR maintained by an NIR (National Internet
Registry). NIR's IRR has a repository that stores direct member
information of the NIR and the address blocks and AS blocks
allocated to its subordinate LIRs.
This type of IRR provides two services: one is to accept
registrations of and changes in the information of NIR's direct
members, who are the owners of the registered information, and the
other is to provide information for public users.
JPIRR falls into this category.
(3) LIR's IRR
LIR's IRR is the IRR maintained by an LIR (Local Internet
Registry). LIR's IRR does not have a repository of public IRR
data. Accordingly, it does not provide information registration
and change services for general users. LIR's IRR mirrors data
stored in NIRs and RIRs and provides only the information access
service.
LIR's IRR may store its own private IRR data. As the need arises,
the LIR may provide registration and change services of private
IRR data. However, the private IRR data should not be reflected on
the IRRs of superordinate NIRs and RIRs.
(4) IRR user
IRR users generally do not have their own IRR system. IRR users can
retrieve IRR data using Whois commands or other IRR tools.
To register or change information, IRR users must apply to the
repository where their objects are registered.
6.2 IRR system mirroring structure
The IRR system mirroring structure is shown in Figure 6.2.
+- +----------------------------------+
| | |
(*1) +----------+ +----------+ +----------+
| | APNIC |-----| RIPE/NCC |-----| ARIN |
+- +----------+ +----------+ +----------+
| |
(*2) +--+--------------+----------------+
| | | |
+- +----------+ +----------+ |
| JPNIC | | NIRs | |
+- +----------+ +----------+ |
| | |
(*3) +-+--------------+---------..... |
| | | |
+- +----------+ +----------+ +----------+
| LIRs | | LIRs |...... | LIRs |
+----------+ +----------+ +----------+
(*1) Inter-RIR Mirroring
(*2) Inter-IR Mirroring
(*3) Member Mirroring
[Figure 6.2 IRR system mirroring structure]
Shown in the figure above is the ideal IRR mirroring structure
recommended by the JPNIC IRR Research Group for IRR data
mirroring. The hierarchical structure is divided into three layers to
which different mirroring policies are applied.
(*1) Inter-RIR mirroring
Inter-RIR mirroring refers to bi-directional mirroring among
RIR's IRRs, which are placed at the top of the IRR system
hierarchy.
Inter-RIR mirroring includes exchanges of information replicated
from inter-IR mirroring described below. Full-Mesh topology is
required for mirroring between RIR's IRRs.
(*2) Inter-IR mirroring
Inter-IR mirroring refers to bi-directional mirroring between
RIR's IRR and NIR's IRR.
NIR's IRR mirrors all public IRR data from its superordinate
RIR's IRR. IRR data registered in NIR's IRR is mirrored by its
superordinate RIR's IRR. In other words, data registered in the
IRR of another NIR is mirrored through the IRR of its
superordinate RIR.
(*3) Member mirroring
Member mirroring refers to the mirroring between LIR's IRR and
the IRR of its superordinate RIR/NIR. As defined in Section 6.1,
LIR's IRR does not have a repository of public IRR data. Member
mirroring is unidirectional; an LIR only receives information
from its superordinate IRR.
6.3 Access policies
(1) RIR's IRR
An access policy for RIR's IRR is defined by each RIR. For
example, the access policy for APIRR, which is maintained by
APNIC, is defined by APNIC.
(2) NIR's IRR
An access policy for NIR's IRR is defined by each NIR. For
example, the access policy for JPIRR, which is maintained by
JPNIC, is defined by JPNIC. Refer to Section 6.4 for more details.
(3) LIR's IRR
An access policy for LIR's IRR is defined by each LIR. For
example, the access policy for an IRR, which is maintained by a
JPNIC IP address management agent, is defined by that agent. Refer
to Section 6.4 for more details.
6.4 JPIRR access policies
JPIRR access policies consist of "registration access policy," "mirror
access policy," and "search access policy." Each policy is detailed in
the following:
A. Registration access policy
The registration access policy defines a policy for users to access
JPIRR when they wish to register, update or delete IRR objects
maintained by JPIRR.
In principle, registration access is allowed only when the
following condition is met:
1) A maintainer object is registered in JPIRR, and access is
obtained by the authentication method specified in the object.
B. Mirror access policy
The mirror access policy defines an access policy for other
organizations to install IRR servers and for these servers to
mirror JPIRR data.
In principle, read-only access to JPIRR alone is allowed in mirror
access. JPIRR will not accept any requests for registration,
update, and deletion from mirroring IRR servers. Mirror access is
allowed only when the following condition is met.
1) The organization is actually using address blocks or AS numbers
maintained by JPNIC.
C. Search access policy
The search access policy defines an access policy for search in
JPIRR.
In principle, no restrictions are placed on search access. However,
if search access is found to adversely affect other access
services, JPNIC may give preference to registration access and
mirror access and thereby restrict search access without prior notice.
6.5 Access policy for IRRs maintained by JPNIC IP address management
agents
An access policy for LIR's IRR that mirrors JPIRR data, namely an IRR
maintained by a JPNIC IP address management agent, is defined by the
agent organization.
Users of these IRRs must follow the access policy defined by each LIR.
7. IRR Objects
JPIRR manages the following IRR objects:
Maintainer Object
Aut-num Object
Route Object
AS-Set Object
Route-Set Object
Person Object
Role Object
Each object is described in the following:
7.1 Maintainer Object
A maintainer object specifies the maintainer authorized to register or
change all IRR objects of an organization. This object must be
registered first before any other object managed by the organization
can be registered. The JPIRR administrator registers and deletes
maintainer objects.
Maintainer objects are registered per organization. In the
case of JPIRR, organizations refer to JPNIC IP address management
agents or organizations that receive AS number assignments.
The maintainer object also describes authentication attributes
required to register each object, such as NONE, MAIL-FROM, CRYPT-PW,
and PGP.
The following authentication method is recommended for JPIRR to ensure
security.
- PGP : PGP Public Key
This authentication method realizes safer registration, change and
deletion of objects.
7.2 Aut-num Object
An aut-num object represents an AS (Autonomous System). This object
describes AS information and policies for routing information
reception and advertisements.
7.3 Route Object
A route object represents a route advertised by an AS (i.e., a
prefix). The object describes the IP address, its subnet mask, and
"Origin" of the AS from which the route originates.
7.4 AS-Set Object
An AS-Set object represents a set of multiple ASes. For example, this
object is used when a policy is applied not only to a transit AS but
also to other ASes.
The object has the "members" attribute, in which multiple ASes are
described. Other AS-Set objects can be included in "members."
The name of an AS-Set object must always start with "as-" and must be
unique within the repository.
7.5 Route-Set Object
A Route-Set object represents a set of multiple prefixes. The object
has the "members" attribute, in which multiple prefixes are described.
Other Route-Set objects can be included in "members."
The name of a Route-Set object must always start with "rs-" and must
be unique within the repository.
7.6 Person Object
A person object describes an operator's personal information. All objects
described above can make reference to the person object, which is used
to represent a contact person for the information of these objects.
7.7 Role Object
The role object is similar to the person object, but it describes
information on the contact role performed by one or more persons.
When an organization appoints a person as a network administrator or
to take care of IRR registration, this person may be changed due to
personnel transfer.
Instead of describing the personal information of a person, the role
object can be used to register more general information on the
organization's contact. The role object is useful since it need not be
changed each time the person appointed to the contact role is changed.
8. Retrieval, registration, change and deletion of objects
This section describes how to retrieve, register, change, and delete
IRR objects that can be accessed in JPIRR.
8.1 Retrieval from JPIRR
Use the following JPIRR server to retrieve objects from JPIRR.
Server name : jpirr.nic.ad.jp
Port No. : 43
Objects can be retrieved with Whois commands that come standard with
FreeBSD, Solaris, etc.
8.2 Registration and deletion of maintainer object
The IRR administrator judges whether an application for the registration
of a maintainer object is valid. Refer to Section 6.4 "JPIRR access
policies" for the registration criteria.
After checking the above registration criteria, applicants for the
registration of maintainer objects in JPIRR are asked to fill in the
following application form and send it to the contact address listed
below.
When ending the use of JPIRR, be sure to send a notification to the
following contact address.
- Registration contact: irr-admin@nic.ad.jp
- Application form
======================================================================
Applicant's information:
1) Name of IP address management agent:
2) Name of AS number administrator:
( Enter name in either 1) or 2). )
----------------------------------------------------------------------
mntner:
descr:
admin-c:
tech-c:
upd-to:
mnt-nfy:
auth:
mnt-by:
changed:
source: JPIRR
======================================================================
*The 'changed' field may be left blank.
*MAIL-FROM is initially registered in the 'auth' field. Change the
field after registration is completed.
8.3 Registration, change, and deletion of other objects
All JPIRR objects can be freely registered, changed, or deleted by the
method defined in the 'auth' field of the maintainer object on all
occasions except for the initial registration and deletion of
maintainer objects.
IRRd distributed by Merit is used as the IRR software of JPIRR so that
users can follow the registration, change, and deletion procedures of
the software. When registering, changing, or deleting JPIRR objects,
refer to information at the following URLs:
- RADB site http://www.radb.net/
- IRRd site http://www.irrd.net/
Just keep the following differences in mind when you register, change,
or delete JPIRR objects.
- Registration contact
Fill in the form for registering, changing, or deleting an object
and send the form to the contact address listed below. All
applications will be processed automatically.
auto-dbm@nic.ad.jp
- Repository name
Each object handled by JPIRR has the "Source" field. This field
describes the name of the repository in which the object is
registered. Accordingly, the repository name of JPIRR is
necessary for registering, changing, or deleting objects in JPIRR.
JPIRR's repository name is "JPIRR". Be sure to use the correct
name.
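The rules this guideline states for objects (the "JPIRR" repository
name in Section 8.3, the "as-" and "rs-" name prefixes in Sections 7.4
and 7.5, and the PGP recommendation in Section 7.1) can be checked
before an object is mailed in. The following Python check is an added
example, not JPNIC or IRRd code; the sample objects, MAINT-EXAMPLE and
the PGPKEY-0123ABCD value are constructed, and treating any auth value
that begins with "PGP" as PGP authentication is an assumption.

```python
import re

# Set-name prefixes (Sections 7.4, 7.5) and the non-PGP schemes of Section 7.1.
SET_PREFIX = {"as-set": "as-", "route-set": "rs-"}
WEAK_AUTH = {"NONE", "MAIL-FROM", "CRYPT-PW"}

def parse_object(text):
    """Return [(attribute, value), ...] for one RPSL object."""
    pairs = []
    for line in text.splitlines():
        if not line.strip() or line[0] in "#%":
            continue
        if line[0] in " \t+" and pairs:  # continuation of the previous value
            key, val = pairs[-1]
            pairs[-1] = (key, (val + " " + line[1:].strip()).strip())
            continue
        m = re.match(r"([A-Za-z][A-Za-z0-9_-]*):\s*(.*)$", line)
        if not m:
            raise ValueError("not an attribute line: %r" % line)
        pairs.append((m.group(1).lower(), m.group(2).strip()))
    return pairs

def lint_object(text):
    """List deviations from the rules stated in this guideline."""
    pairs = parse_object(text)
    if not pairs:
        return ["empty object"]
    cls, name = pairs[0]  # the first attribute names the object class
    findings = []
    if [v.upper() for k, v in pairs if k == "source"] != ["JPIRR"]:
        findings.append("source is not JPIRR")
    prefix = SET_PREFIX.get(cls)
    if prefix and not name.lower().startswith(prefix):
        findings.append("%s name does not start with %s" % (cls, prefix))
    if cls == "mntner":
        schemes = [v.split()[0].upper() for k, v in pairs if k == "auth" and v]
        for s in sorted(set(schemes) & WEAK_AUTH):
            findings.append("auth %s is weaker than the recommended PGP" % s)
        if not any(s.startswith("PGP") for s in schemes):  # assumed PGP form
            findings.append("no PGP auth registered")
    return findings

# Constructed samples: documentation AS numbers, hypothetical names and key id.
INITIAL_MNTNER = """\
mntner:  MAINT-EXAMPLE
auth:    MAIL-FROM noc@example.jp
mnt-by:  MAINT-EXAMPLE
source:  JPIRR
"""
HARDENED_MNTNER = INITIAL_MNTNER.replace("MAIL-FROM noc@example.jp", "PGPKEY-0123ABCD")
BAD_AS_SET = """\
as-set:  EXAMPLE-CUSTOMERS
members: AS64496,
         AS64497
source:  RADB
"""

if __name__ == "__main__":
    print([lint_object(s) for s in (INITIAL_MNTNER, HARDENED_MNTNER, BAD_AS_SET)])
```

INITIAL_MNTNER models the state right after registration, when
MAIL-FROM is still in the 'auth' field.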
9. Inquiries about JPIRR
Direct your inquiries about JPIRR to the following contact addresses:
- About JPNIC IRR: irr-query@nic.ad.jp
- About mirroring: irr-mirror@nic.ad.jp
10. References
1. C. Villamizar, C. Alaettinoglu, D. Meyer and S. Murphy "Routing
Policy System Security", RFC2725, December 1999
2. C. Villamizar, C. Alaettinoglu and D. Meyer "Routing Policy System
Replication", RFC2769, February 2000
11. Acknowledgements
This document was developed jointly by all members of the JPNIC IRR
Planning Team. The members are listed below for the acknowledgement of
their effort.
JPNIC IRR Planning Team
Co-Chairs : Kuniaki KONDO (Intec NetCore, Inc.)
Tomoya YOSHIDA (NTT Communications Corporation)
Members : Masashi ETO (Graduate School of Information Science, Nara Institute of Science and Technology)
Junichi MATSUMOTO (JAPAN TELECOM CO., LTD.)
Kengo NAGAHASHI (Graduate School of Information Science and Technology, The University of Tokyo)