AS112 and BIRD
AS112 provides an anycasted reverse DNS sink hole for the private addresses set aside in RFC1918 and RFC6890. Using BIRD to inject an AS112 instance into your own system is quick, easy, and painless!
This is nearly identical to using exabgp, except that in this case we’ll be installing routes to the kernel.
Requirements
- BGP: your own autonomous system, plus we’ll be operating AS112, which will announce and serve the following prefixes:
  - 192.175.48.0/24 (RFC 6304)
  - 192.31.196.0/24 (RFC 7534)
  - 2620:4f:8000::/48 (RFC 6304)
  - 2001:4:112::/48 (RFC 7534)
- BIRD 1.6.x
- DNS server (BIND, NSD, etc)
Applicable RFCs
- RFC 6304: AS112 Nameserver Operations (historical, obsoleted by RFC 7534)
- RFC 6305: I’m Being Attacked by PRISONER.IANA.ORG!
- RFC 7534: AS112 Nameserver Operations
- RFC 7535: AS112 Redirection Using DNAME
Linux Configuration
As mentioned in my other blogs about Exabgp, Linux is funny about loopback-type addresses. I was unable to get Debian to reliably bring up the interfaces I wanted, so I ended up just putting them in rc.local, which is a hack, but it works reliably at least.
The IPv4 and IPv6 interfaces for the system can be set up almost as normal, MINUS a default route: we will be installing routes learned from BGP into the system, and advertising the anycast prefixes outbound.
# /etc/rc.local
ip link add dev as112_dns type dummy
ip link set as112_dns up
ip addr add dev as112_dns 192.175.48.1/24
ip addr add dev as112_dns 192.175.48.6/24
ip addr add dev as112_dns 192.175.48.42/24
ip addr add dev as112_dns 192.31.196.1/24
ip addr add dev as112_dns 2620:4f:8000::1/128
ip addr add dev as112_dns 2620:4f:8000::6/128
ip addr add dev as112_dns 2620:4f:8000::42/128
ip addr add dev as112_dns 2001:4:112::1/128
# /etc/sysctl.conf
net.ipv4.conf.all.arp_filter=1
#net.ipv6.conf.all.autoconf=0
#net.ipv6.conf.all.accept_ra=0
DNS Config
RFC7534 lays out the configs in BIND style pretty well. Essentially, the most important things are:
- Any DNS server that can host the zones will work: BIND, NSD, PowerDNS, etc. The configs in the RFC just happen to be given for BIND.
- Host the critical zones:
  - RFC 1918 reverse zones (db.dd-empty)
  - RFC 6890 reverse zone (db.dd-empty)
  - hostname.as112.net (db.hostname.as112.net)
  - hostname.as112.arpa (db.hostname.as112.arpa)
  - empty.as112.arpa (db.dr-empty)
- Listen on the anycast addresses on both v4 and v6
BIRD, configs + healthchecks
I am not healthchecking the service yet. However, when the pseudo-interface is downed, BGP stops advertising it, so that will make it easy to react. There are existing scripts I should look at as well.
bird.conf
router id x.x.x.x;
filter as112
prefix set allnet;
{
allnet = [
192.175.48.0/24,
192.31.196.0/24
];
if ! (net ~ allnet) then reject;
accept;
}
protocol device {
}
protocol direct {
interface "as112_*";
}
protocol kernel {
learn;
metric 64; # Use explicit kernel route metric to avoid collisions
# with non-BIRD routes in the kernel routing table
import all;
export all; # Actually insert routes into the kernel routing table
}
template bgp peers {
local as 112;
#multihop;
hold time 30;
startup hold time 30;
connect retry time 120;
connect delay time 5; # How long do we wait before initial connect
error forget time 0; # Never treat repeated errors as a sequence, so the error wait time does not grow
#source address x.x.x.x; # What local address we use for the TCP connection
export filter as112;
#gateway direct;
}
protocol bgp Private01 from peers {
description "Private01";
neighbor x.x.x.x as 65001;
}
bird6.conf
router id x.x.x.x;
filter as112
prefix set allnet;
{
allnet = [
2620:4f:8000::/48,
2001:4:112::/48
];
if ! (net ~ allnet) then reject;
accept;
}
protocol device {
}
protocol direct {
interface "as112_*";
}
protocol kernel {
learn;
metric 64; # Use explicit kernel route metric to avoid collisions
# with non-BIRD routes in the kernel routing table
import all;
export all; # Actually insert routes into the kernel routing table
}
template bgp peers {
local as 112;
#multihop;
hold time 30;
startup hold time 30;
connect retry time 120;
connect delay time 5; # How long do we wait before initial connect
error forget time 0; # Never treat repeated errors as a sequence, so the error wait time does not grow
#source address 2001:db8::x; # What local address we use for the TCP connection
export filter as112;
#gateway direct;
}
protocol bgp Private01 from peers {
description "Private01";
neighbor 2001:db8::xy as 65001;
}
IXP Use
If you are running an IXP, I would highly suggest using arouteserver to automate your IXP and as112 instances.
Experience so far
Everything’s worked as expected. I’ve run a bunch of digs to check which instance I’m talking to:
dig @192.175.48.6 hostname.as112.net. txt +short
It always returns one of my instances, either my BIRD or my exabgp one.
I expect that I’ll set up unixsurfer/anycast_healthchecker at some point soon.
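As an added example (not from the original post, and not anycast_healthchecker), here is a hypothetical stand-alone health check in Python for the gap noted above: it queries hostname.as112.net TXT on each anycast address from the rc.local, and downs the as112_dns dummy interface on failure so that BIRD's `protocol direct` stops exporting the prefixes. It builds and parses the DNS message itself so it needs no third-party modules; the interface and address names are the post's own, the rest is assumed.

```python
# Hypothetical AS112 health check (added example, not from the original post):
# query hostname.as112.net/TXT on each anycast address; if any fails, down the
# dummy interface so BIRD's "protocol direct" withdraws the prefixes.
import random, socket, struct, subprocess, sys
IFACE = "as112_dns"   # interface and addresses as in the post's rc.local
ANYCAST = ["192.175.48.6", "192.31.196.1", "2620:4f:8000::6", "2001:4:112::1"]
QNAME, TXT = "hostname.as112.net", 16

def build_query(qname, qid):
    """Minimal DNS query: header with RD set, QNAME labels, QTYPE=TXT, QCLASS=IN."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", TXT, 1)

def skip_name(msg, off):
    """Offset just past a domain name; a compression pointer (0xC0..) ends it."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_txt(msg, qid):
    """TXT strings from the answer section; [] on ID/RCODE mismatch or none."""
    rid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    if rid != qid or flags & 0x000F != 0:          # spoofed/stale ID or error RCODE
        return []
    off, out = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4              # skip QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off, p = off + 10, off + 10
        while rtype == TXT and p < off + rdlen:    # rdata: <len><chars> repeated
            out.append(msg[p + 1:p + 1 + msg[p]].decode("ascii", "replace"))
            p += 1 + msg[p]
        off += rdlen
    return out

def check(addr, timeout=2.0):
    """True if the instance reachable at addr answers the hostname TXT query."""
    qid, fam = random.getrandbits(16), socket.AF_INET6 if ":" in addr else socket.AF_INET
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(QNAME, qid), (addr, 53))
            return bool(parse_txt(s.recv(512), qid))
        except (OSError, IndexError, struct.error):  # timeout, refused, truncated
            return False

if __name__ == "__main__":
    failed = [a for a in ANYCAST if not check(a)]
    subprocess.run(["ip", "link", "set", IFACE, "down" if failed else "up"], check=False)
    sys.exit(1 if failed else 0)
```

Run it from cron or a systemd timer as root; because the ip command is only ever "down" on failure and "up" on success, a recovered instance re-announces itself on the next run.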