Routing Registry Tutorial

1. Create Maintainer object

About the Maintainer Object

The maintainer object is your primary point of contact for describing your network's architecture. It is used to authorize any object creations, modifications, or deletions, and it serves as the point of contact for operational issues with your network. In other words, if your network does not have a maintainer object, it cannot be maintained on the registry.

With the dn42 whois there are two methods of authorization available: PGP and CRYPT-PW. The use of PGP authentication is encouraged, as it does not depend on a secure channel to the whois service. Your new maintainer object will, however, have only the CRYPT-PW method registered, and you will have to enable PGP later.

Register a Maintainer

Maintainer objects specify the persons who are allowed to execute updates to the registry, and how they are authenticated. When information about your network, such as an AS or route object, is submitted, a Maintainer object is referenced in the submitted object using the mnt-by attribute. If a Maintainer object is not referenced, the submission will be rejected. So, in order to register information about your network in the registry, you must register a Maintainer object first.

To register your maintainer object, you first need to determine the names and e-mail addresses of the persons from your organization who are allowed to update and/or submit network information objects such as Route and AS objects. Fill in the fields of the maintainer object template below with the appropriate information. The value of the mnt-by attribute should be the same as the value of the mntner attribute. Later, you will find that all objects must carry the mnt-by attribute, which registers the object being submitted under your maintainer. Feel free to take a look at the example below.

Then copy the maintainer object template you just completed into an e-mail message and send it off to db-adm@whois.dn42.net. All maintainer object registrations must be reviewed by a human and are then added to the registry. It may take up to several days, as dn42 is a volunteer-based project and everyone is busy, but we will try our best to complete it as early as possible.

Note: You should only send Maintainer object templates to db-adm@whois.dn42.net. Other network information objects, including AS, Route, AS-SET, etc., must be sent to auto-dbm@whois.dn42.net. Maintainer objects are subject to human intervention before being committed to the registry. Other network information objects are committed to the registry instantly when a successful update is sent to auto-dbm@whois.dn42.net. If your Maintainer object has already been created but you wish to make changes, you may send the modified Maintainer object to auto-dbm@whois.dn42.net for instantaneous modification.

Listing: MAINTAINER Example
mntner:     MNT-WEISHAUPT                 # Maintainer ID, any not yet taken name is ok, though it should begin with MNT-
descr:      weishaupt connection          # surprise: a description
admin-c:    WEISHAUPT-DN42                # Handle of your admin-c, the object can be created later
upd-to:     adam@weishaupt.de             # Email address to notify on failed updates
notify:     adam@weishaupt.de             # Email address to notify on any updates
auth:       CRYPT-PW 4Likx.7ZwAi2         # Encrypted password, generated using crypt.c
mnt-by:     MNT-WEISHAUPT                 # same as mntner:
changed:    adam@weishaupt.de 20100516    # email address and date (YYYYMMDD) of last change
source:     dn42                          # name of the registry, is always dn42 here

You can find crypt.c here. It uses the crypt(3) function to calculate a password hash for use with CRYPT-PW. To compile it, issue something like gcc -o crypt crypt.c -lcrypt on GNU/Linux, and something similar but without "-lcrypt" on most other Unices. Then simply run it with ./crypt; the rest should be straightforward.

2. Extend Maintainer object

Adding a person to your handle

Now that you have your Maintainer object installed in the registry, you may want to extend it with contact information about your roles. To do so, you need to add a person object. Formulate a request similar to the example below and send it to auto-dbm@whois.dn42.net.

To use CRYPT-PW authorization, you will need to put your password into the password: attribute of the object you submit. The example below shows how it is done.

Listing: PERSON Example
person:     Adam Weishaupt
address:    Theresienstr. 23
address:    Ingoldstadt 85049
phone:      +49 841 305 1090
e-mail:     adam@weishaupt.de
notify:     adam@weishaupt.de
nic-hdl:    WEISHAUPT-DN42
mnt-by:     MNT-WEISHAUPT
changed:    adam@weishaupt.de 20100516
source:     dn42
password:   foo

Adding a PGP-Key

As you have seen, you need to send your password in plaintext over a channel which is more or less not under your control, which is obviously a security risk. Let's make it our next task to fix this.

As a more secure alternative, we will use the PGP authentication method. A prerequisite for this is adding your PGP key to the whois database system. To do so, we add a key-cert object to store the public key. As you will probably notice, multiline syntax is used: each continuation line of the certif: attribute starts with a space, and a line containing only + stands for the empty line inside the key block.

Listing: KEY-CERT Example
key-cert: PGPKEY-4CE97164
method:   PGP
certif:
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v2.0.13 (GNU/Fnord)
+ 
 mQMuBEvvLYURCACwMkVWps9vOhiCagbmtqTeT9NcOrB3DEYlVyUnbywADwL+oBB6
 z8AFyYV9QiPqOxpHRARWw2i9OEBrsAo59jszMkCO1shmvA0mOnkmrcTTTsmnDNu2
 7+Ne3/voar2GIqPjI8iU0yOfP5aMjTdgwtfqQ955hXLmhAfI7wt94faHYHcJn8cM
 /yBcKUW8aHyNM5UmuAb4gkcQQrdqSFeBVpvuWhCXZxwhBQxRdx8SwlwvOj/GYRxa
 a/WHhh0LEfl5DwIh9eehsmk5Xkwl5eVcW4StnTGorNuhqJur6rpFlevL3gcgcS7Y
 JGV7MVFHePnl/vodtbBIakpTYGgtdHqiekKzAQDZGGLOnKJyduBr2hpaMJFvVFp/
 tyt9wvjHFrfEXe2WFwf+JDcSehDjsk+51vyuRcq7n0Z2VLX3S356wUzmEo9PkQk6
 69IEZ5mZwsPpGeS0Hm4z4OS2pYc21QPUo25O2g9rZeA1dc7yDK98/yu0vZ4r8HRi
 xUmCouJJhxjUK7LV8Val1lujS5wAp9HFH/8VKEMQfiGKEL7E6V3uSOR7/OLUVI+e
 Wo4nJmoD+2ut4Yym7l00L87fP+Sxah7O9hE2ZwedAt2ft7XDyFHDxj76v6P1K/x+
 9BhswaoWeeClQK/6ondBBGdqRIAxw8GguyA9yLjso3QB2wdxfBuhYIfaxYgQTEsQ
 qSRfRHBen8WxpodpfIPbfAoKpP/YcSpuzg7t2D54MwgAgkqsadDZ4i7R4OwlePFn
 A9Ri3kKBcIuIsfYAFOGEjTPUiCqMo+suRo2PfrL+flkF9vEUY7wF3QYSk1h+X/kf
 FLx/lqGVRUnvf7sfzzOqhsoK2jX1imfydKZ5mk1pc3KAHm+nhQg/iEdr+FYpI9Bd
 b51uGR4n+z3RiFguHWzHUxEeJcwR3sL7RiaAjBWQIl5uT2QHvU7nWJw1KS+opmN+
 HogG/w519xdswmJJcOtyQNgJ+OdLH0rIje7FLspkP2Sok7yDPWTum4XbCn8B49Y9
 /wFKFV42KfRloiKixpLcaBWrFmIF8bemRdKDmexylXpnH+mmmMRx4N1DBz3fOK0K
 abQiQWRhbSBXZWlzaGF1cHQgPG5vYm9keUBub3doZXJlLndzPoh6BBMRCAAiBQJL
 7y2FAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAakMkTTOlxZDQ6AQCN
 2CyHPEYFRpW3leZBypy6EAdvnUIaEizAbet0M6rj2AEAmfIy/0xJKpvJ6T1kD3kR
 w3tNFw3SaXWl+4GZzlNfT4k=
 =TSmz
 -----END PGP PUBLIC KEY BLOCK-----
notify:   adam@weishaupt.de
mnt-by:   MNT-WEISHAUPT
changed:  adam@weishaupt.de 20100516
source:   dn42
password: foo

Actually using your PGP-Key for authentication

Now that the key is stored in the system, the maintainer object has to be linked to it. This is achieved by updating the maintainer object and adding a new authentication method.

To update an object, we simply get its current version from the database (whois -h whois.dn42.net MNT-WEISHAUPT in this case), make our changes to it, update the changed: attribute and send it to auto-dbm@whois.dn42.net. The old version is replaced with the new one. Of course, we need to add the correct password: attribute when using CRYPT-PW.

Listing: MAINTAINER object example with PGP auth added
mntner:     MNT-WEISHAUPT
descr:      weishaupt connection
admin-c:    WEISHAUPT-DN42
upd-to:     adam@weishaupt.de
notify:     adam@weishaupt.de
auth:       CRYPT-PW 4Likx.7ZwAi2
auth:       PGPKEY-4CE97164
mnt-by:     MNT-WEISHAUPT
changed:    adam@weishaupt.de 20100516
source:     dn42
password:   foo

Note: Though it is possible to remove the CRYPT-PW method while adding the PGPKEY, this is definitely not recommended, as you would lock yourself out if something does not work out as intended. You should test the PGPKEY method first and then remove your CRYPT-PW in a new request.
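
The checks this section implies, as an added example that is not part of the original tutorial or of dn42's own tooling: a parser for the object syntax shown above (including the continuation lines used by certif:) and a linter that flags a missing mnt-by, a plaintext password: attribute, a malformed changed: value, and a maintainer update that drops CRYPT-PW in the same request that adds a PGPKEY. The function names and the MNT-EXAMPLE sample objects are constructed for illustration.

```python
import re

def parse_object(text):
    """Parse one object into [attribute, value] pairs. Lines starting with
    space, tab or '+' continue the previous value; '#' comments are dropped."""
    attrs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t+":                      # continuation line
            if not attrs:
                raise ValueError("continuation before first attribute")
            attrs[-1][1] += "\n" + line[1:].strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an attribute line: %r" % line)
        attrs.append([name.strip().lower(), value.split("#")[0].strip()])
    return attrs

def values(attrs, name):
    return [v for k, v in attrs if k == name]

def has_auth(attrs, prefix):
    return any(v.upper().startswith(prefix) for v in values(attrs, "auth"))

def lint_update(new_text, old_text=None):
    """Findings for a request; old_text is the currently registered object."""
    new, findings = parse_object(new_text), []
    if not values(new, "mnt-by"):
        findings.append("no mnt-by: submission will be rejected")
    if values(new, "password"):
        findings.append("plaintext password: travels in the e-mail")
    if any(not re.fullmatch(r"\S+@\S+\s+\d{8}", v) for v in values(new, "changed")):
        findings.append("changed: needs e-mail address and YYYYMMDD date")
    if new and new[0][0] == "mntner":
        if new[0][1] not in values(new, "mnt-by"):
            findings.append("mnt-by differs from mntner")
        adds_pgp = (old_text is not None and has_auth(new, "PGPKEY-")
                    and not has_auth(parse_object(old_text), "PGPKEY-"))
        if adds_pgp and not has_auth(new, "CRYPT-PW"):
            findings.append("CRYPT-PW removed in the request that adds PGPKEY")
    return findings

# Constructed sample objects; MNT-EXAMPLE and all values are placeholders.
OLD = """mntner: MNT-EXAMPLE        # maintainer ID
auth: CRYPT-PW xxxxxxxxxxxxx
mnt-by: MNT-EXAMPLE
changed: noc@example.net 20100516"""
NEW = OLD.replace("CRYPT-PW xxxxxxxxxxxxx", "PGPKEY-00000000") + "\npassword: foo"
```

Calling lint_update(NEW, OLD) reports both the plaintext password and the lock-out risk; an update that keeps both auth: lines produces no finding for the latter.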

3. Register AS

Registering the aut-num object

Now that you have your Maintainer object installed in the registry, you need to register an object that details your AS's routing policy, such as how you are connected to the rest of the world.

This might be a good time to test your PGPKEY authentication. Sign the next request with your key. Make sure to use inline formatting and not PGP/MIME.

Listing: AUT-NUM Example
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

aut-num:    AS64623
as-name:    minerva
descr:      minerva's as
admin-c:    WEISHAUPT-DN42
tech-c:     WEISHAUPT-DN42
notify:     adam@weishaupt.de
mnt-by:     MNT-WEISHAUPT
changed:    adam@weishaupt.de 20100516
source:     dn42
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.13 (GNU/Fnord)

iF4EAREJAAYFAkvvNHYACgkQGpDJE0zpcWTQlgEAoJjQv3sksD4jYz08kR9+Xz+j
jGUUkMs4Vj4I+ou/K+wA/3ojunSikE199VCKxGxQUWqttY7WDKCRWxaVEq4gtP+B
=1Fq0
-----END PGP SIGNATURE-----
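
A pre-send check for the inline-versus-PGP/MIME requirement above, added here as an example and not taken from the original tutorial or from dn42's tooling: it rejects multipart/signed mail and returns exactly the text an inline (clearsigned) signature covers, without verifying the signature itself. The function name and both sample mails are constructed for illustration.

```python
from email import message_from_string

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

def signed_payload(raw_mail):
    """Return the text covered by an inline (clearsigned) signature.
    Raises ValueError for PGP/MIME, other multipart or unsigned mail."""
    msg = message_from_string(raw_mail)
    if msg.get_content_type() == "multipart/signed":
        raise ValueError("PGP/MIME: signature is a separate MIME part")
    if msg.is_multipart():
        raise ValueError("multipart mail: send the request as plain text")
    lines = msg.get_payload().splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        blank = lines.index("", start)      # ends the "Hash:" armor headers
        sig = lines.index(BEGIN_SIG, blank)
    except ValueError:
        raise ValueError("no inline signed message in body") from None
    # RFC 4880 dash-escaping: a signed line that begins with "-" is sent
    # with "- " in front of it, which is stripped again here.
    body = lines[blank + 1:sig]
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body)

# Constructed sample mails; addresses and object values are placeholders.
INLINE = """From: noc@example.net
To: auto-dbm@whois.dn42.net
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

as-name:    example
descr:      example network
- -- dash-escaped line
-----BEGIN PGP SIGNATURE-----

(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""
MIME = ('Content-Type: multipart/signed; protocol="application/pgp-signature";'
        ' boundary="b"\n\n--b\n\nas-name: example\n--b--\n')
```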

Last modified: 2010-05-17


Summary:
This document guides you through the process of creating the necessary objects for registering your person, AS and network with the dn42 whois system.


Author: Christian Franke
