• Contenu
• BGP
• Evolutions de la conf BGP
• Liens
• Configuration Toulouse
• Blackholing
  • Attaques
  • RFC3882
  • RFC1997
  • BIRD
  • Absolight
  • GIXE
  • Jaguar
  • Gitoyen
  • France-IX
  • Equinix-IX
  • TouIX
  • Hurricane Electric
  • Sfinx

BGP¶

Nous utilisons BIRD sous Linux comme routeur BGP

http://bird.network.cz/

blog bgp http://www.renesys.com/blog/
flowspec http://www.slideshare.net/sfouant/an-introduction-to-bgp-flow-spec
DFZ = Default Free Zone archive http://archive.routeviews.org/
http://www.ripe.net/data-tools/stats/ris/routing-information-service
http://pch.net/resources/data/routing-tables/archive/
http://pch.net/resources/data/routing-tables/mrt-bgp-updates/
http://www.nanog.org/meetings/archive/

http://www.ipbcop.org/
IP Best Current Operational Practices Documented best practices for Engineers by Engineers

BGP best practices ANSSI
https://www.sstic.org/media/SSTIC2012/SSTIC-actes/influence_des_bonnes_pratiques_sur_les_incidents_b/SSTIC2012-Article-influence_des_bonnes_pratiques_sur_les_incidents_bgp-contat_valadon_nataf_2.pdf

Evolutions de la conf BGP¶

• http://lists.tetaneutral.net/pipermail/technique/2011-December/000118.html

TODO:

• mise en place d'un gestionaire de version style git au moins pour documentation
• Comment gerer les password MD5 du fichier de conf (les garder secrets tout en publiant le reste)
• Atelier ?
  • Laurent GUERBY
  • Solarus
  • Ajouter son nom...

Alternative a MP BGP
http://tools.ietf.org/html/draft-ietf-idr-bgp-multisession-06

Add Path
http://tools.ietf.org/html/draft-ietf-idr-add-paths-07
support in bird ? http://marc.info/?l=bird-users&m=134409996129466&w=2

Liens¶

• http://www.cl.cam.ac.uk/~tgg22/talks/BGP_TUTORIAL_ICNP_2002.ppt
• http://www.menog.net/menog-meetings/menog5/presentations/smith-32bit-asn-update.pdf
• AS4 http://www.rfc-editor.org/rfc/rfc4893.txt
• bonnes pratiques incidents BGP
  • https://www.sstic.org/media/SSTIC2012/SSTIC-actes/influence_des_bonnes_pratiques_sur_les_incidents_b/SSTIC2012-Slides-influence_des_bonnes_pratiques_sur_les_incidents_bgp-contat_valadon_nataf.pdf

Configuration Toulouse¶

router id 91.224.148.2;
define myas = 197422;

protocol device {
    scan time 10;
        primary "eth0" 91.224.148.3;
}

protocol static static_bgp {
    import all;
    route 91.224.148.0/23 reject;
}

protocol kernel{
    import all;
    export all;
}

function avoid_martians()
prefix set martians;
{
  martians = [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/16+, 10.0.0.0/8+, 224.0.0.0/4+, 240.0.0.0/4+ ];

  # Avoid 0.0.0.0/X
  if net.ip = 0.0.0.0 then return false;

  # Avoid too short and too long prefixes
  if (net.len < 8) || (net.len > 24) then return false;

  # Avoid RFC1918 networks
  if net ~ martians then return false;
  return true;
}

filter bgp_OUT {
    if (net ~ [91.224.148.0/23]) then accept;
    else reject;
}

protocol bgp TOUIX {
        local as myas;
        neighbor 91.213.236.1 as 47184;
        preference 200;
        import where avoid_martians();
        export filter bgp_OUT;
}

protocol bgp JAGUAR {
     local as myas;
     neighbor 31.172.233.1 as 30781;
     preference 50;
         import where avoid_martians();
         export filter bgp_OUT;
}

protocol bgp TETANEUTRAL {
    local as myas;
    neighbor 91.224.148.2 as myas;
    preference 100;
    import where avoid_martians();
    export all;
}

Blackholing¶

Attaques¶

• 20120629 http://lists.tetaneutral.net/pipermail/technique/2012-July/000406.html

RFC3882¶

• http://www.ietf.org/rfc/rfc3882.txt
  community AS:666 sur annonce /32 pour balckhole par AS upstream

• doc CISCO
  http://www.cisco.com/web/about/security/intelligence/blackhole.pdf

RFC1997¶

• http://www.ietf.org/rfc/rfc1997.txt
  BGP Communities Attribute

• doc CISCO
  http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_6-2/bgp_communities.html

BIRD¶

• http://www.mail-archive.com/bird-users@atrey.karlin.mff.cuni.cz/msg01998.html

Absolight¶

• communauté 29608:65001 sur /24..32 IPv4 et /41..128 IPv6 => blackhole
• test 20120703 IPv4 et IPv6, ça marche et convergence très rapide

GIXE¶

• communauté 31576:666 sur /32 => blackhole
• test 20120703 => marche pas encore, signalé et dev a faire coté GIXE pour autoriser les /32

Jaguar¶

• https://extranet.jaguar-network.com/app/public/index.php?cmd=bgp-policy
• demande 20120702 : pas de communauté blackhole actuellement, en reflexion
• déploiement de matériel arbor networks, reglage a affiner (pas de detection d'attaque)

Gitoyen¶

• demande 20120704 sur la liste, réponse 20120717
• Tata http://noc.easycolocate.nl/Teleglobe_bgp_comm.pdf
  • => black-hole route (host route or shorter prefix within customer’s RIR registred assignment) 64999:0
• Ielo whois AS29075 => 29075:0 Null-route/Blackhole
• https://pad.ilico.org/p/cleanup-bgp-gitoyen

France-IX¶

• community plan : https://apps.db.ripe.net/whois/lookup/ripe/aut-num/AS51706.html
• TODO tester

Equinix-IX¶

• community plan : https://ix.equinix.com/ixp/mlpeCommunityInfo
• TODO tester

TouIX¶

• demande acces switch et route server 20120702
• TODO

Hurricane Electric¶

• http://www.he.net/adm/
• http://www.he.net/adm/blackhole.html
• TODO tester

Sfinx¶

• http://www.renater.fr/route-servers-bgp?lang=fr
• whois AS1304 =>
  remarks: 1304:65281 = Apply NO-EXPORT community
  remarks: 1304:65282 = Apply NO-ADVERTISE community