13 Feb 2018

AS112 and Exabgp

AS112 provides an anycasted reverse DNS sink hole for the private addresses set aside in RFC1918 and RFC6890. Using exabgp to inject an AS112 instance into your own system is quick, easy, and painless!

Requirements

BGP: your own autonomous system, plus we’ll be operating AS112 which will announce/service the following prefixes:
- 192.175.48.0/24 (RFC6304)
- 192.31.196.0/24 (RFC7534)
- 2620:4f:8000::/48 (RFC6304)
- 2001:4:112::/48 (RFC7534)
exabgp 3.4.x
DNS server (BIND, NSD, etc)

Applicable RFCs

RFC 6304: AS112 Nameserver Operations Historical, Obseleted by RFC 7534
RFC 6305: I’m Being Attacked by PRISONER.IANA.ORG!
RFC 7534: AS112 Nameserver Operations
RFC 7535: AS112 Redirection Using DNAME

Linux Configuration

As mentioned in other my blogs about Exabgp, Linux is funny about loopback type addresses. I was unable to get Debian to reliably bring up the interfaces I wanted so I ended up just putting them in rc.local which is a hack, but it works reliably at least.

The IPv4 and IPv6 interfaces for the system can be set up as normal, including adding a default route. We won’t be installing any routes from BGP to the system, only advertising the anycasted prefix outbound.

# /etc/rc.local
ip link add dev as112_dns type dummy
ip link set as112_dns up
ip addr add dev as112_dns 192.175.48.1/24
ip addr add dev as112_dns 192.175.48.6/24
ip addr add dev as112_dns 192.175.48.42/24
ip addr add dev as112_dns 192.31.196.1/24
ip addr add dev as112_dns 2620:4f:8000::1/128
ip addr add dev as112_dns 2620:4f:8000::6/128
ip addr add dev as112_dns 2620:4f:8000::42/128
ip addr add dev as112_dns 2001:4:112::1/128

# /etc/sysctl.conf
net.ipv4.conf.all.arp_filter=1

DNS Config

RFC7534 lays out the configs in BIND style pretty well. Essentially, the most important things are:

Any DNS server that can host the zones will work, BIND, NSD, PowerDNS, etc will all work. The configs just come specified in the RFC for BIND.
host the critical zones:
- RFC1918 reverse zones (db.dd-empty)
- RFC6890 reverse zone (db.dd-empty)
- hostname.as112.net (db.hostname.as112.net)
- hostname.as112.arpa (db.hostname.as112.arpa)
- empty.as112.arpa (dd.dr-empty)
Listen on the anycast addresses on V4 and V6

exabgp + healthchecks

This uses the excellent exabgp-healthcheck script. It is part of the recommendations made in the RFC that the prefixes not be advertised if they can not be serviced.

# /etc/exabgp/healthcheck.conf
[as112v4]
nexthop=192.0.2.2
metric=50
command="dig @192.175.48.6 hostname.as112.net. txt +short +norec"
ip=192.175.48.0/24
ip=192.31.196.0/24
disable=/etc/exabgp/healthcheck_as112v4.disable

[as112v6]
nexthop=2001:db8::2
metric=50
command="dig @2620:4f:8000::6 hostname.as112.net. txt +short +norec"
ip=2620:4f:8000::/48
ip=2001:4:112::/48
disable=/etc/exabgp/healthcheck_as112v6.disable

The command= line is the health check, any command which returns non-zero when it fails will work. Touching the file listed in the disable= line will cause the prefixes to be withdrawn and not advertised until the file is removed (handy for maintenance, reboots, etc).

Experience so far

I continue to have issues with IPv6 and next-hop addresses. I’m still doing fe80 next-hop’s to solve that. Other than that, working as designed.

Theodore Baschak - Theo is a network engineer with experience operating core internet technologies like HTTP, HTTPS and DNS. He has extensive experience running service provider networks with OSPF, MPLS, and BGP.

BGP.guru