Theodore Baschak

Routing Guru. BOFH. IPv6 Advocate. Founder/Operator of Hextet Systems (AS395089) and Network Architect for Daemon Defense Systems (AS55101).

AS112 and BIRD

Tue, 06 Mar 2018 10:30:38 -0600 » Networking, Nerd Projects, CLI, IPv6, BGP, ISP, System Administration, Anycast, Programming » Estimated read time: 6 mins

AS112 provides an anycasted reverse DNS sinkhole for the private addresses set aside in RFC1918 and RFC6890. Using BIRD to inject an AS112 instance into your own system is quick, easy, and painless!

This is nearly identical to using exabgp, except that in this case we’ll be installing routes to the kernel.

Requirements

  • BGP: your own autonomous system, plus we’ll be operating AS112, which announces and serves the following prefixes:
    • 192.175.48.0/24 (RFC6304)
    • 192.31.196.0/24 (RFC7534)
    • 2620:4f:8000::/48 (RFC6304)
    • 2001:4:112::/48 (RFC7534)
  • BIRD 1.6.x
  • DNS server (BIND, NSD, etc.)

Applicable RFCs

Linux Configuration

As mentioned in my other blogs about Exabgp, Linux is funny about loopback-type addresses. I was unable to get Debian to reliably bring up the interfaces I wanted, so I ended up just putting them in rc.local, which is a hack, but it works reliably at least.

The IPv4 and IPv6 interfaces for the system can be set up almost as normal, minus a default route. We will be installing routes learned from BGP into the system, and advertising the anycasted prefixes outbound.

# /etc/rc.local
# Dummy interface carrying the AS112 anycast service addresses. BIRD's
# "direct" protocol picks these up and announces the covering prefixes;
# downing this interface withdraws them.
ip link add dev as112_dns type dummy
ip link set as112_dns up
ip addr add dev as112_dns 192.175.48.1/24
ip addr add dev as112_dns 192.175.48.6/24
ip addr add dev as112_dns 192.175.48.42/24
ip addr add dev as112_dns 192.31.196.1/24
ip addr add dev as112_dns 2620:4f:8000::1/128
ip addr add dev as112_dns 2620:4f:8000::6/128
ip addr add dev as112_dns 2620:4f:8000::42/128
ip addr add dev as112_dns 2001:4:112::1/128

# /etc/sysctl.conf
# Only answer ARP on the interface the kernel would route that address out of
net.ipv4.conf.all.arp_filter=1
# Optionally keep the host from learning addresses or a default route from RAs
#net.ipv6.conf.all.autoconf=0
#net.ipv6.conf.all.accept_ra=0

DNS Config

RFC7534 lays out the configs in BIND style pretty well. Essentially, the most important things are:

  • Any DNS server that can host the zones will work: BIND, NSD, PowerDNS, etc. The configs in the RFC just happen to be written for BIND.
  • Host the critical zones:
    • RFC1918 reverse zones (db.dd-empty)
    • RFC6890 reverse zone (db.dd-empty)
    • hostname.as112.net (db.hostname.as112.net)
    • hostname.as112.arpa (db.hostname.as112.arpa)
    • empty.as112.arpa (db.dr-empty)
  • Listen on the anycast addresses on both IPv4 and IPv6

BIRD, configs + healthchecks

I am not health-checking the service yet. However, when the pseudo-interface is downed, BGP stops advertising it, so that will make it easy to react. There are existing scripts I should look at as well.

bird.conf

router id x.x.x.x;

filter as112
prefix set allnet;
{
  allnet = [
    192.175.48.0/24,
    192.31.196.0/24
  ];
  if ! (net ~ allnet) then reject;
  accept;
}

protocol device {
}

protocol direct {
    interface "as112_*";
}

protocol kernel {
	learn;
	metric 64;	# Use explicit kernel route metric to avoid collisions
			# with non-BIRD routes in the kernel routing table
	import all;
	export all;	# Actually insert routes into the kernel routing table
}

template bgp peers {
    local as 112;
    #multihop;
    hold time 30;
    startup hold time 30;
    connect retry time 120;
    connect delay time 5;             # How long do we wait before initial connect
    error forget time 0;              # Reset the error wait time immediately after a failure
    #source address x.x.x.x;   # What local address we use for the TCP connection
    export filter as112;
    #gateway direct;
}

protocol bgp Private01 from peers {
    description "Private01";
    neighbor x.x.x.x as 65001;
}

bird6.conf

router id x.x.x.x;

filter as112
prefix set allnet;
{
  allnet = [
    2620:4f:8000::/48,
    2001:4:112::/48
  ];
  if ! (net ~ allnet) then reject;
  accept;
}

protocol device {
}

protocol direct {
    interface "as112_*";
}

protocol kernel {
	learn;
	metric 64;	# Use explicit kernel route metric to avoid collisions
			# with non-BIRD routes in the kernel routing table
	import all;
	export all;	# Actually insert routes into the kernel routing table
}

template bgp peers {
    local as 112;
    #multihop;
    hold time 30;
    startup hold time 30;
    connect retry time 120;
    connect delay time 5;         # How long do we wait before initial connect
    error forget time 0;          # Reset the error wait time immediately after a failure
    #source address x:x:x:x::x;   # What local address we use for the TCP connection
    export filter as112;
    #gateway direct;
}

protocol bgp Private01 from peers {
    description "Private01";
    neighbor x:x:x:x::x as 65001;
}

IXP Use

If you are running an IXP, I would highly suggest using IXP Manager or arouteserver to automate your IXP and AS112 instances.

Experience so far

Everything’s worked as expected. I’ve run a bunch of digs to check which instance I’m talking to:

dig @192.175.48.6 hostname.as112.net. txt +short

It always returns one of my instances, either my BIRD or my exabgp one.

I expect that I’ll set up unixsurfer/anycast_healthchecker at some point soon.
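The health check deferred in the "BIRD, configs + healthchecks" section, built around the dig query above, as an added example: this is not code from the original post and not anycast_healthchecker. It assumes dig is installed, the as112_dns dummy interface from rc.local, and a placeholder tag that identifies this instance's hostname.as112.net TXT record; downing the interface is what makes BIRD's direct protocol withdraw the prefixes, which is the reaction the post describes.

```shell
#!/bin/sh
# AS112 health check: added example, not code from the original post.
# Queries the local instance on its anycast addresses and downs the
# as112_dns dummy interface when the answer is wrong or missing, so
# BIRD's "direct" protocol withdraws the prefixes from BGP on its own.
# Assumptions: dig is installed, the interface is named as112_dns as in
# rc.local, and EXPECTED_TAG occurs in this instance's TXT record.

ANYCAST_V4="192.175.48.6"
ANYCAST_V6="2620:4f:8000::6"
IFACE="as112_dns"
EXPECTED_TAG="${AS112_HOSTNAME_TAG:-my-as112-node}"  # placeholder; set to your TXT content

# Decide from "dig +short" output: healthy (0) only when an answer came
# back and it names this instance; empty or foreign answers are unhealthy (1).
as112_answer_ok() {
    answer="$1"
    [ -n "$answer" ] || return 1
    case "$answer" in
        *"$EXPECTED_TAG"*) return 0 ;;
        *) return 1 ;;
    esac
}

# One query with a short timeout against a given anycast address.
query_instance() {
    dig "@$1" hostname.as112.net. txt +short +time=2 +tries=1 2>/dev/null
}

# Bring the dummy interface down or up; BIRD reacts to the link state.
set_iface() {
    ip link set "$IFACE" "$1"
}

main() {
    v4=$(query_instance "$ANYCAST_V4" || true)
    v6=$(query_instance "$ANYCAST_V6" || true)
    if as112_answer_ok "$v4" && as112_answer_ok "$v6"; then
        set_iface up
        echo "as112 healthy"
        return 0
    fi
    set_iface down
    echo "as112 unhealthy: v4='$v4' v6='$v6'"
    return 1
}

# Only act when invoked as "as112-healthcheck.sh run" (e.g. from cron each minute).
case "${1:-}" in run) main ;; esac
```

Run it as root from cron or a systemd timer with the `run` argument; without it the script only defines its functions.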

© Theodore Baschak - https://github.com/tbaschak - Powered by Jekyll.