Version 189 (Laurent GUERBY, 19/08/2017 10:15) → Version 190/192 (Laurent GUERBY, 26/01/2018 23:16)
{{>toc}}
h1. BGP
h2. Links
We use BIRD on Linux as our BGP router
http://bird.network.cz/
Internet simulation
https://www.nsec.io/
https://github.com/nsec/the-internet
https://www.nanog.org/meetings/nanog40/presentations/BGPcommunities.pdf
https://www.franceix.net/fr/technical/blackholing/
BLACKHOLE Community https://tools.ietf.org/html/rfc7999
blog bgp http://www.renesys.com/blog/
flowspec http://www.slideshare.net/sfouant/an-introduction-to-bgp-flow-spec
DFZ = Default Free Zone archive http://archive.routeviews.org/
http://www.ripe.net/data-tools/stats/ris/routing-information-service
https://stat.ripe.net/widget/announced-prefixes
http://pch.net/resources/data/routing-tables/archive/
http://pch.net/resources/data/routing-tables/mrt-bgp-updates/
http://www.nanog.org/meetings/archive/
http://tools.ietf.org/html/draft-lapukhov-bgp-routing-large-dc-02
http://inside.godaddy.com/inside-story-happened-godaddy-com-sept-10-2012/
list of operator communities http://onesc.net/communities/ via http://www.bortzmeyer.org/7153.html
http://tools.ietf.org/html/rfc4271#section-9.1 BGP route decision process
http://www.ipbcop.org/
IP Best Current Operational Practices Documented best practices for Engineers by Engineers
BGP best practices ANSSI
https://www.sstic.org/media/SSTIC2012/SSTIC-actes/influence_des_bonnes_pratiques_sur_les_incidents_b/SSTIC2012-Article-influence_des_bonnes_pratiques_sur_les_incidents_bgp-contat_valadon_nataf_2.pdf
http://www.ssi.gouv.fr/fr/bonnes-pratiques/recommandations-et-guides/securite-des-reseaux/le-guide-des-bonnes-pratiques-de-configuration-de-bgp.html
http://tools.ietf.org/html/draft-ietf-opsec-bgp-security-01
http://www.ssi.gouv.fr/uploads/2014/10/rapport_observatoire_2015.pdf
https://www.ams-ix.net/technical/specifications-descriptions/ams-ix-route-servers
LAAS thesis on BGP http://www.laas.fr/1-31360-Detail-Soutenance-de-these.php?id=600
http://www.laas.fr/1-31706-Publications.php?author=7738
http://www.net.t-labs.tu-berlin.de/papers/OMUPMO-OOSICP-11.pdf
http://hal.archives-ouvertes.fr/docs/00/60/53/83/PDF/dVirt-virtual_platform.pdf
http://hal.archives-ouvertes.fr/docs/00/48/70/74/PDF/Poster_SIGCOMM2010_philippe.pdf
Le Monde on BGP http://reseaux.blog.lemonde.fr/2012/11/04/routage-enjeu-cyberstrategie/
Free / Wanadoo outage http://www.journaldunet.com/solutions/0301/030122_freeft.shtml
2011 Japan tsunami and BGP: http://archive.psg.com/111206.conext-quake.pdf
Session is up on telnet:route-views.routeviews.org username rviews
BGP book http://www.bortzmeyer.org/files/bgp.html
Cyclops is able to detect several forms of route hijack attacks http://cyclops.cs.ucla.edu/
BGPmon monitors the routing of your prefixes and alerts you in case of an 'interesting' path change http://www.bgpmon.net/
http://jointtransit.nl/prices.html
http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
* routing table size http://bgp.potaroo.net/
* BGP in 2011 Geoff Huston APNIC http://iepg.org/2011-11-ietf82/2011-11-13-bgp2011.pdf
* http://pages.cs.wisc.edu/~plonka/netgear-sntp/
* http://www.afnic.fr/fr/l-afnic-en-bref/actualites/actualites-generales/7114/show/l-observatoire-sur-la-resilience-de-l-internet-francais-publie-son-rapport-2012.html
* http://www.ris.ripe.net/dashboard/2a01:6600:8000::/40
* http://www.bortzmeyer.org/6996.html
** RFC 6996 : Autonomous System (AS) Reservation for Private Use
** http://www.iana.org/assignments/as-numbers
* Look for TRACEROUTE by SRCGUARDIAN in the Play Store. It needs network access only... Doesn't do TCP but does ICMP and UDP traceroutes and displays ASN as well ...
* http://www.team-cymru.org/Services/Bogons/bgp.html
** http://www.team-cymru.org/Services/Bogons/bgp-examples.html#bird-full
* 3D looking glass http://as2914.net/#/
* https://labs.ripe.net/Members/emileaben/has-the-routability-of-longer-than-24-prefixes-changed
* https://github.com/pavel-odintsov/fastnetmon
** FastNetMon - A high performance DoS/DDoS load analyzer built on top of multiple packet capture engines (NetFlow, IPFIX, sFLOW, SnabbSwitch, netmap, PF_RING, PCAP).
** What can we do? We can detect hosts in our networks sending or receiving large volumes of packets/bytes/flows per second. We can call an external script to notify you, switch off a server, or blackhole the client.
* https://www.redpill-linpro.com/sysadvent/2016/12/09/slimming-routing-table.html
* http://www.bortzmeyer.org/1997.html on BGP communities
* https://radar.qrator.net/as-rating#connectivity/1
** https://radar.qrator.net/as197422
h2. Baker's Dozen
* Baker's Dozen BGP transit players
** http://research.dyn.com/2008/12/winners-and-losers-for-2008/
** http://research.dyn.com/2009/12/a-bakers-dozen-in-2009/
** http://research.dyn.com/2011/01/a-bakers-dozen-2010-edition/
** http://research.dyn.com/2012/02/a-bakers-dozen-2011-edition/
** http://research.dyn.com/2012/02/a-bakers-dozen-2012-edition/
** http://research.dyn.com/2012/02/a-bakers-dozen-2013-edition/
** http://research.dyn.com/2012/02/a-bakers-dozen-2014-edition/
** http://research.dyn.com/2016/04/a-bakers-dozen-2015-edition/
*** https://cdn.vpls.com/wp-content/uploads/WP033-Bakers-Dozen-2015.pdf
* https://www.princeton.edu/~pmittal/publications/bgp-tls-hotpets17
** Using BGP to Acquire Bogus TLS Certificates
h1. Bird
h2. Link local IPv6 static route
<pre>
protocol direct {
    interface "eth0";
}
protocol static {
    route 2001:db8::/32 via fe80::1%eth0;
}
</pre>
h2. Gitoyen BIRD config
https://code.ffdn.org/gitoyen/bird-config/
And other tools, including automatic blackholing: https://code.ffdn.org/org/gitoyen
h2. Misc BIRD Links
* zeromq integration https://github.com/samrussell/bird/tree/zmqintegration
* https://www.netdev01.org/docs/prabhu-linux_ipv4_ipv6_inconsistencies_talk_slides.pdf
h1. mrtdump
mrtdump is a standard format for representing and storing BGP data (routing table, BGP messages): https://tools.ietf.org/html/rfc6396
h2. mrtdump dumps with BIRD
h3. Dump of all BGP messages exchanged with peers
<pre>
mrtdump "/tmp/mrtdump-messages";
mrtdump protocols {messages};
</pre>
See the BIRD documentation: http://bird.network.cz/?get_doc&f=bird-3.html#ss3.2
To rotate the dump file, change the file name in the BIRD configuration and run `birdc configure`.
h3. Dump of the BGP routing table
This is not yet possible but is under development in BIRD; see the upstream *mrtdump* branch.
Doc: https://gitlab.labs.nic.cz/labs/bird/commit/11fabd2d6b8bc3d6ca86acd3b62fe4deeb4b91b7
h2. Public mrtdump data sources
* RIS (Routing Information Service):
** BGP routes collected by RIPE from several exchange points (16 collectors in total)
** data collected and archived since 2001
** https://www.ripe.net/analyse/internet-measurements/routing-information-service-ris/routing-information-service-ris
** open-access data https://www.ripe.net/analyse/internet-measurements/routing-information-service-ris/ris-raw-data
* Routeviews:
** same idea, but less Europe-centric (project run by Americans)
** http://www.routeviews.org/
** open-access data ftp://archive.routeviews.org/
h2. Working with mrtdump data
* historical tool: *bgpdump* https://bitbucket.org/ripencc/bgpdump/wiki/Home
* more recent: *bgpstream* https://bgpstream.caida.org/ https://github.com/CAIDA/bgpstream https://pypi.python.org/pypi/pybgpstream
bgpstream is mainly designed to fetch RIS and Routeviews data automatically (and sometimes that does not work very well...). It can also read local mrtdump files, for example with the Python bindings:
<pre>
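from _pybgpstream import BGPStream, BGPRecord, BGPElem

myfilename = "/tmp/rib.mrt"  # placeholder: path to a local MRT RIB dump
record = BGPRecord()
stream = BGPStream()
stream.set_data_interface("singlefile")
stream.set_data_interface_option("singlefile", "rib-file", myfilename)
# Add additional filters here
stream.start()
# Walk every record and the elements it contains (cf. bgpstream tutorial)
while stream.get_next_record(record):
    elem = record.get_next_elem()
    while elem:
        print("%s %s %s" % (elem.type, elem.peer_asn, elem.fields))
        elem = record.get_next_elem()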
</pre>
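Once elements are read from an MRT file, a first defensive use is to check who originates our address space. The sketch below is an added example, not part of the original wiki page or of bgpstream: it takes (type, fields) pairs shaped like the element type and @fields@ dictionary of pybgpstream (keys @prefix@ and @as-path@), uses the AS number and prefixes from the BIRD export filters on this page, and runs on constructed sample data. The function names are hypothetical.

```python
import ipaddress

# Origin AS and prefixes copied from the BIRD export filters on this page.
MY_AS = 197422
MY_PREFIXES = [ipaddress.ip_network(p) for p in (
    "91.224.148.0/23", "80.67.182.0/24", "89.234.156.0/23", "2a01:6600:8000::/40")]


def origin_of(as_path):
    """Origin ASN (last hop) of a space-separated AS path; None if empty or an AS_SET."""
    hops = as_path.split()
    if not hops or hops[-1].startswith("{"):
        return None
    return int(hops[-1])


def classify(elem_type, fields):
    """Verdict for one element: None (not about our space), "ok",
    "origin-mismatch" or "ambiguous-origin"."""
    if elem_type not in ("R", "A"):      # withdrawals and state changes carry no origin
        return None
    net = ipaddress.ip_network(fields["prefix"])
    # Only the exact prefixes and their more-specifics are ours to watch.
    covered = any(net.version == mine.version and net.subnet_of(mine)
                  for mine in MY_PREFIXES)
    if not covered:
        return None
    origin = origin_of(fields.get("as-path", ""))
    if origin is None:
        return "ambiguous-origin"
    return "ok" if origin == MY_AS else "origin-mismatch"


def suspicious(elems):
    """(prefix, as_path, verdict) for every element that needs a human look."""
    out = []
    for elem_type, fields in elems:
        verdict = classify(elem_type, fields)
        if verdict not in (None, "ok"):
            out.append((fields["prefix"], fields.get("as-path", ""), verdict))
    return out


# Constructed sample; ASNs 64496-64511 and 198.51.100.0/24 are documentation values.
SAMPLE = [
    ("R", {"prefix": "91.224.148.0/23", "as-path": "174 197422"}),
    ("A", {"prefix": "91.224.149.0/24", "as-path": "64500 64511"}),
    ("A", {"prefix": "198.51.100.0/24", "as-path": "64500 64496"}),
    ("W", {"prefix": "80.67.182.0/24"}),
    ("A", {"prefix": "2a01:6600:8000::/40", "as-path": "64500 {197422,64501}"}),
    ("A", {"prefix": "91.224.148.42/32", "as-path": "29608 197422"}),
]

if __name__ == "__main__":
    for row in suspicious(SAMPLE):
        print(row)
```

A more-specific announced by our own AS (the last sample line, as a blackhole /32 would be) is reported as "ok"; only a foreign or ambiguous origin is flagged.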
h1. TouIX and GIX
http://touix.net
http://wikilulu.net/doku.php?id=articles:gix-howto
h1. BGP configuration changes
* http://lists.tetaneutral.net/pipermail/technique/2011-December/000118.html
TODO:
* set up a version control system such as git, at least for the documentation
* How to handle the MD5 passwords in the config file (keep them secret while publishing the rest)
* Workshop?
** Laurent GUERBY
** Solarus
** Add your name...
Alternative to MP-BGP
http://tools.ietf.org/html/draft-ietf-idr-bgp-multisession-06
Add Path
http://tools.ietf.org/html/draft-ietf-idr-add-paths-07
support in bird ? http://marc.info/?l=bird-users&m=134409996129466&w=2
h1. Links
* http://www.cl.cam.ac.uk/~tgg22/talks/BGP_TUTORIAL_ICNP_2002.ppt
* http://www.menog.net/menog-meetings/menog5/presentations/smith-32bit-asn-update.pdf
* AS4 http://www.rfc-editor.org/rfc/rfc4893.txt
* best practices and BGP incidents
** https://www.sstic.org/media/SSTIC2012/SSTIC-actes/influence_des_bonnes_pratiques_sur_les_incidents_b/SSTIC2012-Slides-influence_des_bonnes_pratiques_sur_les_incidents_bgp-contat_valadon_nataf.pdf
* ping plus UDP test http://www.broadband-forum.org/technical/download/TR-143.pdf
h1. Toulouse configuration
<pre>
router id 91.224.148.2;
define myas = 197422;
protocol device {
    scan time 10;
    primary "eth0" 91.224.148.3;
}
# Originate our own prefix
protocol static static_bgp {
    import all;
    route 91.224.148.0/23 reject;
}
protocol kernel {
    import all;
    export all;
}
# Import filter: returns false for routes that must not be accepted
function avoid_martians()
prefix set martians;
{
    martians = [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/16+, 10.0.0.0/8+, 224.0.0.0/4+, 240.0.0.0/4+ ];
    # Avoid 0.0.0.0/X
    if net.ip = 0.0.0.0 then return false;
    # Avoid too short and too long prefixes
    if (net.len < 8) || (net.len > 24) then return false;
    # Avoid martians (link-local, RFC1918, multicast, reserved)
    if net ~ martians then return false;
    return true;
}
# Export filter: announce only our own prefix
filter bgp_OUT {
    if (net ~ [91.224.148.0/23]) then accept;
    else reject;
}
protocol bgp TOUIX {
    local as myas;
    neighbor 91.213.236.1 as 47184;
    preference 200;
    import where avoid_martians();
    export filter bgp_OUT;
}
protocol bgp JAGUAR {
    local as myas;
    neighbor 31.172.233.1 as 30781;
    preference 50;
    import where avoid_martians();
    export filter bgp_OUT;
}
protocol bgp TETANEUTRAL {
    local as myas;
    neighbor 91.224.148.2 as myas;
    preference 100;
    import where avoid_martians();
    export all;
}
</pre>
h1. IRR
* From nanog:
http://www.clarksys.com/blog/2009/09/02/using-irr-with-level3/
whois -h filtergen.level3.net "RIPE::YOUR-AS-SET -searchpath=RIPE;ARIN;RADB -recurseok -warnonly"
h1. Blackholing
h2. DECIX
http://de-cix.net/products-services/de-cix-frankfurt/blackholing/
h2. Attacks
* 20120629 http://lists.tetaneutral.net/pipermail/technique/2012-July/000406.html
* http://blog.cloudflare.com/65gbps-ddos-no-problem
h2. URPF
Blacklisting one or more sources is relatively complex to set up on a small infrastructure because it requires deploying uRPF (Unicast Reverse Path Forwarding).
http://www.cisco.com/web/about/security/intelligence/ipv6_rtbh.html
h2. RFC3882
* http://www.ietf.org/rfc/rfc3882.txt
community AS:666 on a /32 announcement for blackholing by the upstream AS
* Cisco doc
http://www.cisco.com/web/about/security/intelligence/blackhole.pdf
h2. RFC1997
* http://www.ietf.org/rfc/rfc1997.txt
BGP Communities Attribute
* Cisco doc
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_6-2/bgp_communities.html
h2. BIRD
* http://www.mail-archive.com/bird-users@atrey.karlin.mff.cuni.cz/msg01998.html
h2. Absolight
* community 29608:65001 on /24..32 IPv4 and /41..128 IPv6 => blackhole
* test 20120703 IPv4 and IPv6: works, with very fast convergence
h2. GIXE
* community 31576:666 on /32 => blackhole
* test 20120703 => does not work yet; reported, development needed on the GIXE side to allow /32s
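Because each upstream accepts blackhole routes only under its own community and prefix-length rules, it helps to validate a request before touching the router. The following is an added example, not part of the original wiki page: it encodes the Absolight and GIXE rules noted above and the prefixes from the export filters on this page, refuses anything outside our own address space, and returns the two BIRD 1.x statements to use (a @blackhole@ static route and the @bgp_community.add@ call for the export filter). Function and table names are hypothetical.

```python
import ipaddress

# Prefixes we originate, copied from the BIRD export filters on this page.
MY_PREFIXES = [ipaddress.ip_network(p) for p in (
    "91.224.148.0/23", "80.67.182.0/24", "89.234.156.0/23", "2a01:6600:8000::/40")]

# Blackhole rules as noted on this page: community, then the accepted
# (min, max) prefix length per IP version. No entry means not supported.
UPSTREAM_RULES = {
    "ABSOLIGHT": {"community": (29608, 65001), "lengths": {4: (24, 32), 6: (41, 128)}},
    # The 20120703 test on this page reports that GIXE did not accept /32 yet.
    "GIXE": {"community": (31576, 666), "lengths": {4: (32, 32)}},
}


def blackhole_plan(target, upstream):
    """Validate a blackhole request and return the BIRD statements for it.

    Returns (static_route_statement, export_filter_statement).
    Raises ValueError when the request must not be announced.
    """
    rule = UPSTREAM_RULES.get(upstream)
    if rule is None:
        raise ValueError("no blackhole rule recorded for %s" % upstream)
    # Strict parsing: "91.224.148.42/24" (host bits set) is rejected here.
    net = ipaddress.ip_network(target)
    # Never blackhole address space we do not originate ourselves.
    if not any(net.version == mine.version and net.subnet_of(mine)
               for mine in MY_PREFIXES):
        raise ValueError("%s is outside the prefixes we originate" % net)
    bounds = rule["lengths"].get(net.version)
    if bounds is None:
        raise ValueError("%s has no IPv%d blackhole rule" % (upstream, net.version))
    low, high = bounds
    if not low <= net.prefixlen <= high:
        raise ValueError("%s accepts /%d../%d, got /%d"
                         % (upstream, low, high, net.prefixlen))
    asn, value = rule["community"]
    return ("route %s blackhole;" % net,
            "bgp_community.add((%d,%d));" % (asn, value))


def is_allowed(target, upstream):
    """True when blackhole_plan() would accept the request."""
    try:
        blackhole_plan(target, upstream)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed victim address inside 91.224.148.0/23.
    for statement in blackhole_plan("91.224.148.42", "ABSOLIGHT"):
        print(statement)
```

The length check also stops a whole aggregate such as 91.224.148.0/23 from being blackholed by mistake, since it is shorter than any length the recorded rules accept.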
h2. Jaguar
* https://extranet.jaguar-network.com/app/public/index.php?cmd=bgp-policy
* request 20120702: no blackhole community currently, under consideration
* Arbor Networks equipment being deployed, tuning still to be refined (no attack detection)
h2. Gitoyen
* request 20120704 on the list, reply 20120717
* Tata http://noc.easycolocate.nl/Teleglobe_bgp_comm.pdf
** => black-hole route (host route or shorter prefix within customer’s RIR registered assignment) 64999:0
* Ielo whois AS29075 => 29075:0 Null-route/Blackhole
* https://pad.ilico.org/p/cleanup-bgp-gitoyen
h2. France-IX
* community plan : https://apps.db.ripe.net/whois/lookup/ripe/aut-num/AS51706.html
* TODO: test
h2. Equinix-IX
* community plan : https://ix.equinix.com/ixp/mlpeCommunityInfo
* TODO: test
h2. TouIX
* request for switch and route server access 20120702
* TODO
h2. Hurricane Electric
* http://www.he.net/adm/
* http://www.he.net/adm/blackhole.html
* TODO: test
h2. Sfinx
* http://www.renater.fr/route-servers-bgp?lang=fr
* whois AS1304 =>
remarks: 1304:65281 = Apply NO-EXPORT community
remarks: 1304:65282 = Apply NO-ADVERTISE community
h2. Cogent
h3. Docs
* http://www.cogentco.com/files/docs/customer_service/guide/global_cogent_customer_user_guide.pdf
** communities on pages 21-22
* http://www.onesc.net/communities/as174/
* https://www.nanog.org/mailinglist/mailarchives/old_archive/2005-03/msg00465.html
* https://www.nanog.org/meetings/nanog45/presentations/Sunday/RAS_traceroute_N45.pdf
France / Benelux:
+33 1 49 03 1818 (Hotline)
+33 1 49 03 1803 (fax)
fr-support@cogentco.com (maintenance and repair)
bnl-support@cogentco.com (maintenance and repair)
billingeu@cogentco.com (billing, customer care)
All Customers in Europe can also contact the European Cogent Customer Support team
using the generic email address for Europe: eu-support@cogentco.com
Delivered as requested on the Fullsave optical trunk:
Delivered on TLS01.CB.KD-05/A.To02.03&04 (optical tray No. 2, fibres 03&04).
Cogent physical port te0/0/2/3-rcr11.tls01
Order ID/Service ID: 1-166108500
Service Type: EU_L3_ON_10GE_BURST
Commitment: 1000.0 MBps
Service Address: 125 bis ch du Sang de Serp
delivery in Fullsave rack / LAP room Te0/0/2/3 rcr01.tls01 -- > TLS01.CB.KD-05/A.To02.03&04
Toulouse, FR France 31000
Your service acceptance date is 27-May-2014 and your billing start date is 27-May-2014
Order ID/Service ID: 1-166108524
Service Type: EU_L3_ON_IPV6DSTACK_FLAT
Commitment: 0.0 MBps
Service Address: 125 bis ch du Sang de Serp
IPv6s fort port order 1-166108500
Toulouse, FR France 31000
Your service acceptance date is 27-May-2014 and your billing start date is 27-May-2014
Order ID/Service ID: 1-166108512
Service Type: EU_L0_ON_XCFIBER_FLAT
Commitment: 0.0 MBps
Service Address: 125 bis ch du Sang de Serp
Te0/0/2/3 rcr01.tls01 -- > TLS01.CB.KD-05/A.To02.03&04 port order 1-166108500
Toulouse, FR France 31000
Your service acceptance date is 27-May-2014 and your billing start date is 27-May-2014
h3. Initial Cogent BGP config
<pre>
root@h7:~# cat /etc/bird/bird.conf
router id 149.11.58.74;
define myas = 197422;
timeformat base iso long;
timeformat log iso long;
timeformat protocol iso long;
timeformat route iso long;
log "/var/log/bird/bird-20140527.log" all;
debug commands 2;
debug protocols { states, events };
protocol device {
    scan time 10;
}
protocol kernel {
    import all;
    export all;
    learn;
}
filter bgp_OUT {
    if (net ~ [91.224.148.0/23, 80.67.182.0/24, 89.234.156.0/23]) then {
        accept;
    }
    reject;
}
filter bgp_IN_PEERING {
    accept;
}
protocol bgp COGENT_TLS00 {
    local as myas;
    neighbor 149.11.58.73 as 174;
    import filter bgp_IN_PEERING;
    export filter bgp_OUT;
}
root@h7:~# cat /etc/bird/bird6.conf
router id 149.11.58.74;
define myas = 197422;
timeformat base iso long;
timeformat log iso long;
timeformat protocol iso long;
timeformat route iso long;
log "/var/log/bird/bird6-20140527.log" all;
debug commands 2;
debug protocols { states, events };
listen bgp v6only;
protocol device {
    scan time 10;
}
protocol kernel {
    import all;
    export all;
    learn;
}
filter bgp_OUT_6 {
    if (net ~ [2a01:6600:8000::/40]) then {
        accept;
    }
    reject;
}
filter bgp_IN_PEERING_6 {
    accept;
}
protocol bgp COGENT_TLS00_6 {
    local as myas;
    neighbor 2001:978:2:68::8:1 as 174;
    import filter bgp_IN_PEERING_6;
    export filter bgp_OUT_6;
}
</pre>