AS112 and Exabgp
AS112 provides an anycasted reverse DNS sink hole for the private addresses set aside in RFC1918 and RFC6890. Using exabgp to inject an AS112 instance into your own system is quick, easy, and painless!
- BGP: your own autonomous system, plus we’ll be operating AS112 which will announce/service the following prefixes:
- exabgp 3.4.x
- DNS server (BIND, NSD, etc)
- RFC 6304: AS112 Nameserver Operations Historical, Obseleted by RFC 7534
- RFC 6305: I’m Being Attacked by PRISONER.IANA.ORG!
- RFC 7534: AS112 Nameserver Operations
- RFC 7535: AS112 Redirection Using DNAME
As mentioned in other my blogs about Exabgp, Linux is funny about loopback type addresses. I was unable to get Debian to reliably bring up the interfaces I wanted so I ended up just putting them in
rc.local which is a hack, but it works reliably at least.
The IPv4 and IPv6 interfaces for the system can be set up as normal, including adding a default route. We won’t be installing any routes from BGP to the system, only advertising the anycasted prefix outbound.
# /etc/rc.local ip link add dev as112_dns type dummy ip link set as112_dns up ip addr add dev as112_dns 126.96.36.199/24 ip addr add dev as112_dns 188.8.131.52/24 ip addr add dev as112_dns 184.108.40.206/24 ip addr add dev as112_dns 220.127.116.11/24 ip addr add dev as112_dns 2620:4f:8000::1/128 ip addr add dev as112_dns 2620:4f:8000::6/128 ip addr add dev as112_dns 2620:4f:8000::42/128 ip addr add dev as112_dns 2001:4:112::1/128 # /etc/sysctl.conf net.ipv4.conf.all.arp_filter=1
RFC7534 lays out the configs in BIND style pretty well. Essentially, the most important things are:
- Any DNS server that can host the zones will work, BIND, NSD, PowerDNS, etc will all work. The configs just come specified in the RFC for BIND.
- host the critical zones:
- RFC1918 reverse zones (db.dd-empty)
- RFC6890 reverse zone (db.dd-empty)
- hostname.as112.net (db.hostname.as112.net)
- hostname.as112.arpa (db.hostname.as112.arpa)
- empty.as112.arpa (dd.dr-empty)
- Listen on the anycast addresses on V4 and V6
exabgp + healthchecks
This uses the excellent exabgp-healthcheck script. It is part of the recommendations made in the RFC that the prefixes not be advertised if they can not be serviced.
# /etc/exabgp/healthcheck.conf [as112v4] nexthop=192.0.2.2 metric=50 command="dig @18.104.22.168 hostname.as112.net. txt +short +norec" ip=22.214.171.124/24 ip=126.96.36.199/24 disable=/etc/exabgp/healthcheck_as112v4.disable [as112v6] nexthop=2001:db8::2 metric=50 command="dig @2620:4f:8000::6 hostname.as112.net. txt +short +norec" ip=2620:4f:8000::/48 ip=2001:4:112::/48 disable=/etc/exabgp/healthcheck_as112v6.disable
The command= line is the health check, any command which returns non-zero when it fails will work. Touching the file listed in the disable= line will cause the prefixes to be withdrawn and not advertised until the file is removed (handy for maintenance, reboots, etc).
Experience so far
I continue to have issues with IPv6 and next-hop addresses. I’m still doing fe80 next-hop’s to solve that. Other than that, working as designed.