At INX we work hard to explain to our community why IRR objects are important, and to help them keep these up to date. When a new peer comes on board, we work with them to explain specifically why every network should have an AS-SET, and how they can use tools like bgpq3 to simplify the operation and maintenance of their network. Look out for our IRR training classes, or feel free to write to our Ops team for assistance!
By now you are aware that INX performs strict BGP filtering, and hopefully you are here to understand how to use this for your own network. Let's start with: what does an AS-SET do? Simply put, an AS-SET describes the set of all the ASNs that your network is willing to provide IP transit for (i.e. the list of all your customer ASNs). By iterating through this list of ASNs, we are able to build a complete filter list that describes all the prefixes that should be permitted for a particular BGP peer.
If you're saying "Hold on, I don't have BGP customers", you should know that you already do! Your own network (ASN) is your first customer. We always advise peers to create and build their AS-SETs as early as they start building their networks. Putting in the work on day 1 means that when you get a BGP-speaking client later down the line, it is trivial to add them to an existing AS-SET with no impact on your network operations. That is a lot safer (and easier) than trying to change your network (which may not yet have an AS-SET but is running production traffic) at a later date. Once an AS-SET is created, adding to it is super easy, and you can then extend and build your network (and client base) in a scalable manner.
By definition, an AS-SET name always starts with "AS-" (see RFC 2622). Over the years, it has become convention for network operators to register AS-SETs with easy-to-remember names, like AS-INX-OPS, which is the AS-SET that we at INX use to describe our operations networks. We suggest you choose a similar, easy-to-remember name. The caveat is that the name must not already exist in the IRR database (normally, the database will warn you); as an extra check, you might also want to ensure that it doesn't exist in any IRR database!
Pictorially, this is quite easy to explain. In our example above, the AS-SET AS-EXAMPLE consists of two ASNs, namely AS 64512 and AS 65000. As the AS-EXAMPLE network grows and gains more BGP-speaking clients, they simply need to add additional networks, or members, to their AS-SET. Each member can be a single ASN (if it is a smaller, end-user network) or an AS-SET in its own right. For now, our AS-SET, if queried in the IRR, would read something like:
as-set: AS-EXAMPLE
admin-c: nic-hdl-AFRINIC
tech-c: nic-hdl-AFRINIC
descr: Example AS-SET
mnt-by: nic-hdl-MNT
source: AFRINIC # Filtered
members: AS64512, AS65000
Of course, that's a very simple representation. Over time (and looking from further away), a larger AS-SET might look like:
as-set: AS-BIGGER-NETWORK
admin-c: nic-hdl-AFRINIC
tech-c: nic-hdl-AFRINIC
descr: Example AS-SET
mnt-by: nic-hdl-MNT
source: AFRINIC # Filtered
members: AS-EXAMPLE, AS-ANOTHER
You can start to see how much easier it becomes to relate to a network; by simply looking up AS-BIGGER-NETWORK, using tools built for querying the IRR system, you can get information about four different networks, as in our example. This scales much better!
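The recursive lookup described above, as an added example that is not INX's code or part of the original article. AS-EXAMPLE and AS-BIGGER-NETWORK follow the objects shown; the members of AS-ANOTHER, the loop back to the parent set, AS-NOT-REGISTERED and the function names are assumptions made for illustration.

```python
import re

# Constructed sample objects in RPSL form. AS-ANOTHER's members are assumed,
# including a membership loop and a reference to a set that is not registered.
SAMPLE_IRR = """\
as-set: AS-BIGGER-NETWORK
members: AS-EXAMPLE, AS-ANOTHER

as-set: AS-EXAMPLE
members: AS64512, AS65000

as-set: AS-ANOTHER
members: AS64513, AS65001
members: AS-BIGGER-NETWORK, AS-NOT-REGISTERED
"""

def parse_as_sets(text):
    """Return {set_name: [members]} from blank-line separated RPSL objects."""
    sets = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        name, members = None, []
        for line in block.splitlines():
            key, _, value = line.partition(":")
            value = value.split("#", 1)[0].strip()  # drop trailing comments
            if key.strip().lower() == "as-set":
                name = value.upper()
            elif key.strip().lower() == "members":
                members += [m.strip().upper() for m in value.split(",") if m.strip()]
        if name:
            sets[name] = members
    return sets

def expand(name, sets):
    """Walk an AS-SET recursively; return (sorted ASNs, unresolved set names)."""
    asns, missing, seen = set(), set(), set()
    stack = [name.upper()]
    while stack:
        current = stack.pop()
        if current in seen:          # already visited: breaks membership loops
            continue
        seen.add(current)
        if re.fullmatch(r"AS\d+", current):
            asns.add(int(current[2:]))
        elif current in sets:
            stack.extend(sets[current])
        else:
            missing.add(current)     # referenced, but absent from our data
    return sorted(asns), sorted(missing)
```

Expanding AS-BIGGER-NETWORK returns the four ASNs and reports AS-NOT-REGISTERED as unresolved, which is worth surfacing rather than silently ignoring when filters are built from the result.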
So, now that you know what an AS-SET is, how is it used to build filters for networks?
Running a tool like bgpq3 against an AS-SET queries the IRR database for the members of that AS-SET and then, for each member, queries which IRR route and route[6] objects exist for it.
Let's work by example, for an AS-SET that has 2 members; here's what the ZANOG AS-SET looks like:
whois -h whois.afrinic.net AS-ZANOG
% Information related to 'AS-ZANOG'
as-set: AS-ZANOG
descr: ZANOG
members: AS328365, AS112
tech-c: ZNOG-AFRINIC
admin-c: ZNOG-AFRINIC
mnt-by: ZANOG-MNT
source: AFRINIC # Filtered
Now, we'd like to know what prefixes need to go into our access-list. For that, we can simply issue a query like:
# bgpq3 AS-ZANOG
no ip prefix-list NN
ip prefix-list NN permit 102.222.100.0/22
ip prefix-list NN permit 102.222.100.0/23
ip prefix-list NN permit 102.222.100.0/24
ip prefix-list NN permit 102.222.102.0/23
ip prefix-list NN permit 102.222.102.0/24
ip prefix-list NN permit 192.31.196.0/24
ip prefix-list NN permit 192.175.48.0/24
This builds a list of 7 prefixes. With further WHOIS lookups, you'll be able to confirm that the first 5 are from AS328365 and the last 2 are from AS112. The important part is that this is something that you can run on demand (e.g. in a script) and use the results to create filters for your network!
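When the query runs from a script, the result should be checked before it replaces a live filter. The following is an added example, not INX's tooling or part of the original article: it parses the output shown above and flags an empty result, over-broad entries and large changes. The function names and the thresholds (minimum prefix length 8, 50% churn) are assumptions, and only IPv4 `ip prefix-list` lines are handled.

```python
import ipaddress
import re

# bgpq3 output for AS-ZANOG, copied from the article above.
BGPQ3_OUTPUT = """\
no ip prefix-list NN
ip prefix-list NN permit 102.222.100.0/22
ip prefix-list NN permit 102.222.100.0/23
ip prefix-list NN permit 102.222.100.0/24
ip prefix-list NN permit 102.222.102.0/23
ip prefix-list NN permit 102.222.102.0/24
ip prefix-list NN permit 192.31.196.0/24
ip prefix-list NN permit 192.175.48.0/24
"""

PERMIT = re.compile(r"^ip prefix-list (\S+) permit (\S+)$")

def parse_permits(text):
    """Return the set of networks permitted by a Cisco-style prefix-list."""
    nets = set()
    for line in text.splitlines():
        m = PERMIT.match(line.strip())
        if m:
            # strict=True raises ValueError on entries with host bits set
            nets.add(ipaddress.ip_network(m.group(2), strict=True))
    return nets

def review(new, deployed, min_len=8, max_churn=0.5):
    """List reasons not to push `new` over `deployed` without a human look."""
    problems = []
    if not new:
        # A failed IRR query or a mistyped AS-SET name must not empty a filter.
        problems.append("empty result: no permit lines were generated")
    for net in sorted(new, key=str):
        if net.prefixlen < min_len:
            problems.append(f"too broad: {net}")
    if deployed:
        # Share of entries added or removed, relative to the deployed list.
        churn = len(new ^ deployed) / len(deployed)
        if churn > max_churn:
            problems.append(f"churn {churn:.0%} exceeds {max_churn:.0%}")
    return problems
```

An empty list from `review()` means the generated filter passed these checks; anything else is a reason to keep the deployed filter and investigate first.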
What if you wanted to build a list of the ASNs that fall under this AS-SET? You could run a query like:
# bgpq3 -3f1 AS-ZANOG
no ip as-path access-list NN
ip as-path access-list NN permit ^1(_[0-9]+)*_(112|328365)$
You can do a lot more with various tools; bgpq3 is the current tool of choice at INX, but there's already bgpq4, and others that are equally useful. Additionally, https://irrexplorer.nlnog.net/ is a great tool/website for querying an AS-SET across multiple WHOIS databases.
Be sure to read our article on "How to create / edit an AS-SET using the AFRINIC member portal" as well!