Versions Compared

Old Version 2

changes.mady.by.user The Force

Saved on

compared with

New Version 3

changes.mady.by.user The Force

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from this space and version 7.4.0

Create LIRs

Info
titleBefore You Begin

Before you begin, determine who in your organization has access to the RIR API Keys related to the ASNs used by your organization and gather the following data:

For ARIN, you will need to gather data for the ASN, Org ID, Admin/Tech/Abuse POCs, Name Prefix, and API Keys for each ASN. 

For all other RIRs, you will need information for the Maintainer, Password, and Admin/Tech Contacts per ASN.

(1) First, go and set up an LIR for TDS Telecom (or whatever branch of TDS is doing this):

/admin/admin-lir.php

from Admin → IPAM Admin.

Click "Add / Edit / Update LIRs"

Image Added

Complicated or large organizations will likely need many.

Start by Adding a new LIR by clicking "Add LIR" at the bottom of the LIRs List:

Image Added

At this point, you should have data collected for each RIR/ASN combination used in your organization. 

Select the RIR, enter the Name and ASN, and then enter the relevant Org ID / POC / API Key (or Password) for the LIR. Entering the ARIN API Keys for ARIN LIRs An organization of TDS's complexity will likely need many. Someone in your organization knows the ARIN API keys relevant to the different AS-numbers TDS Telecom will be using. This step is critical for every SWIP action. The API Key contained within an LIR object will be used to authenticate against ARIN's systems when you want to update them. I do not know how you can hunt this individual down. If you can give the IP block you want to work with I can query the ARIN database perhaps we can find out some clues 

When you are done, click "Update" to save, and continue to add other LIRs as needed.

An example of how this should look from my own organization:

Image RemovedImage Added


We can verify this information by querying the ARIN database, like so:

https://whois.arin.net/rest/org/CONNE-81/pft?s=conne-81 https://whois.arin.net/rest/poc/6CONN-ARIN?s=6conn-arin
So when something goes wrong with a 6connect IP block, people know who to yell at. When you are doing a *Simple* re-assign, you posting a notice that when something goes wrong with a particular block of IP space, people should yell at the contact listed in the LIR. Which is to say: you. When you are doing a *Detailed* re-assign you are supplying a different set of contacts, and posting them to receive the aformentioned yelling.

Once you have an LIR in ProVision, it is trivial to query the API of its resource from the ProVision database . The above is resource id# 451 in our local database, but it will undoubtably be something different in yours.

(2) Setup. I'm going to assume you have entered IP space, and have entered some sample Contacts, and have built an example Resource. Further, I'm going to assume you have associated those Contacts with the Resource, and have Assigned some IP space to that Resource. So we need to have a Resource with an IP Block and some Contacts.

There are many dangers here.

using the resource Id number.

Set up IP Associations

From here, ensure that IP space has been entered into ProVision, along with necessary Contacts and Resources. Associate Contacts with the Resources, and assign IP space to the necessary Resources.  See: Working with ResourcesWorking with EntriesContact Manager, and Working with IP Blocks.

Ensure that you have followed the following guidelines:

(3) Danger #1: Make sure you own the IP space in question. ARIN knows who is supposed to be administering every bit of IP space under its domain. If ARIN doesn't think that the IP block you are using is administered by the LIR you have set up, you will get nowhere with them. , and you will run into issues if you do not actually own the IP space according to the RIR.

(4) Danger #2: Make sure the IP space is actually assignable with ARIN. This is where a whole lot of problems happen.  


Info
titleAn example of why SWIPs might fail

Lets imagine that 10 years ago some network administrator did a simple assignment with ARIN which noted that a certain /26 was under management by Company A. Since then, that administrator has been fired, the company he worked for has been acquired, that company was then itself acquired, and Company A has gone bankrupt and dissolved.

Today, nobody knows about all this. But ARIN remembers that a certain /26 has been delegated to Company A, and nobody has informed them otherwise.

...

This is a not-uncommon issue.

So today, you come along and you are doing your tests with a /28 which happens to be a sub-block of the /26. You can configure everything correctly and despite that, ARIN will completely refuse to SWIP the /28, because ARIN thinks that the /28 is part of a /26 which is already SWIP'd.

To make matters worse, ARIN won't tell you why it is refusing to

...

SWIP the /28 -- it will just tell you its invalid.

...

The only way to debug

...

this situation is manually probe the ARIN database until you find the already-SWIP'd block, construct

...

this block in ProVision, try to SWIP it (and fail, because it is already SWIP'd), then de-SWIP it, clearing the erroneous state both from ProVision and from ARIN.

...

Due to a lack of access to the ARIN database, ProVision is limited in its methods of handling situations such as these.


SWIP

 We

This situation is something we've given a lot of thought to and the primary reason why we can't do this better is that ARIN does *not* enjoy people casually probing their database.

If we had access to that data we could do some wonderful things, but we don't. Its a mess.

(5) Ok. We've got everything together so lets let's do some SWIP'ing. Our happy candidate is 67.221.244.160/27, which is a slice of 6connect's very own domain. Screenshot from ARIN:

...

The story of this block is theforetherefore: "ARIN was given this IP Block by ICANN, then ARIN did a Direct Allocation of a /20 to 6connect." And in a bit here, 6connect will do a detailed re-assign to MedaTeckle, a made-up company whose headquarters is the birthplace of Genghis Khan.

...

So I open up the wrench menu for the IP block right here on the Resource page and I get this screen:

I select the LIR in the upper-left (currently selected: 6connect), the Net Name is automatically generated from the LIR + netblock, and we are using the "CONNE-81" organization within the 6connect LIR. This will supply the ARIN API Key to make this all happen. I hit Detailed Reassign and after a few minutes of waiting for ARIN to catch up, here are the results:

...

https://whois.arin.net/rest/org/MEDAT-1/pocs

I will go clean this up later, but most people don't so the ARIN database is highly polluted.

This lets everyone know that if issues arise with This is how SWIP'ing works. Now if anyone has a problem with the behavior of that / 27, they 'll know to call up Test Jonny at MedaTeckle to yell at them, and not mewho to contact to resolve the issue.