Projet

Général

Profil

BGP » Historique » Version 39

Laurent GUERBY, 02/10/2012 18:55

1 20 Laurent GUERBY
{{>toc}}
2 20 Laurent GUERBY
3 1 Laurent GUERBY
h1. BGP
4 1 Laurent GUERBY
5 1 Laurent GUERBY
Nous utilisons BIRD sous Linux comme routeur BGP
6 1 Laurent GUERBY
7 1 Laurent GUERBY
http://bird.network.cz/
8 1 Laurent GUERBY
9 14 Laurent GUERBY
blog bgp http://www.renesys.com/blog/
10 15 Laurent GUERBY
flowspec http://www.slideshare.net/sfouant/an-introduction-to-bgp-flow-spec
11 16 Laurent GUERBY
DFZ = Default Free Zone archive http://archive.routeviews.org/
12 17 Laurent GUERBY
http://www.ripe.net/data-tools/stats/ris/routing-information-service
13 17 Laurent GUERBY
http://pch.net/resources/data/routing-tables/archive/
14 17 Laurent GUERBY
http://pch.net/resources/data/routing-tables/mrt-bgp-updates/
15 18 Laurent GUERBY
http://www.nanog.org/meetings/archive/
16 14 Laurent GUERBY
17 29 Laurent GUERBY
http://www.ipbcop.org/
18 29 Laurent GUERBY
IP Best Current Operational Practices Documented best practices for Engineers by Engineers
19 29 Laurent GUERBY
20 30 Laurent GUERBY
BGP best practices ANSSI
21 30 Laurent GUERBY
https://www.sstic.org/media/SSTIC2012/SSTIC-actes/influence_des_bonnes_pratiques_sur_les_incidents_b/SSTIC2012-Article-influence_des_bonnes_pratiques_sur_les_incidents_bgp-contat_valadon_nataf_2.pdf
22 30 Laurent GUERBY
23 37 Laurent GUERBY
https://www.ams-ix.net/technical/specifications-descriptions/ams-ix-route-servers
24 37 Laurent GUERBY
25 39 Laurent GUERBY
these LAAS BGP http://www.laas.fr/1-31360-Detail-Soutenance-de-these.php?id=600
26 39 Laurent GUERBY
27 38 Laurent GUERBY
h1. TouIX et GIX
28 38 Laurent GUERBY
29 38 Laurent GUERBY
http://touix.net
30 38 Laurent GUERBY
http://wikilulu.net/doku.php?id=articles:gix-howto
31 38 Laurent GUERBY
32 3 Laurent GUERBY
h1. Evolutions de la conf BGP
33 3 Laurent GUERBY
34 3 Laurent GUERBY
* http://lists.tetaneutral.net/pipermail/technique/2011-December/000118.html
35 3 Laurent GUERBY
36 5 Laurent GUERBY
TODO: 
37 6 Laurent GUERBY
* mise en place d'un gestionaire de version style git au moins pour documentation
38 5 Laurent GUERBY
* Comment gerer les password MD5 du fichier de conf (les garder secrets tout en publiant le reste)
39 5 Laurent GUERBY
* Atelier ?
40 7 Laurent GUERBY
** Laurent GUERBY
41 9 Raphaël Durand
** Solarus
42 10 Raphaël Durand
** Ajouter son nom...
43 4 Laurent GUERBY
44 13 Laurent GUERBY
Alternative a MP BGP
45 13 Laurent GUERBY
http://tools.ietf.org/html/draft-ietf-idr-bgp-multisession-06
46 13 Laurent GUERBY
47 31 Laurent GUERBY
Add Path
48 31 Laurent GUERBY
http://tools.ietf.org/html/draft-ietf-idr-add-paths-07
49 31 Laurent GUERBY
support in bird ? http://marc.info/?l=bird-users&m=134409996129466&w=2
50 31 Laurent GUERBY
51 2 Laurent GUERBY
h1. Liens
52 2 Laurent GUERBY
53 2 Laurent GUERBY
* http://www.cl.cam.ac.uk/~tgg22/talks/BGP_TUTORIAL_ICNP_2002.ppt
54 11 Laurent GUERBY
* http://www.menog.net/menog-meetings/menog5/presentations/smith-32bit-asn-update.pdf
55 12 Laurent GUERBY
* AS4 http://www.rfc-editor.org/rfc/rfc4893.txt
56 19 Laurent GUERBY
* bonnes pratiques incidents BGP
57 19 Laurent GUERBY
** https://www.sstic.org/media/SSTIC2012/SSTIC-actes/influence_des_bonnes_pratiques_sur_les_incidents_b/SSTIC2012-Slides-influence_des_bonnes_pratiques_sur_les_incidents_bgp-contat_valadon_nataf.pdf
58 35 Laurent GUERBY
* test ping plus UDP http://www.broadband-forum.org/technical/download/TR-143.pdf
59 2 Laurent GUERBY
60 1 Laurent GUERBY
h1. Configuration Toulouse
61 1 Laurent GUERBY
62 1 Laurent GUERBY
<pre>
63 1 Laurent GUERBY
router id 91.224.148.2;
64 1 Laurent GUERBY
define myas = 197422;
65 1 Laurent GUERBY
66 1 Laurent GUERBY
67 1 Laurent GUERBY
protocol device {
68 1 Laurent GUERBY
	scan time 10;
69 1 Laurent GUERBY
        primary "eth0" 91.224.148.3;
70 1 Laurent GUERBY
}
71 1 Laurent GUERBY
72 1 Laurent GUERBY
protocol static static_bgp {
73 1 Laurent GUERBY
	import all;
74 1 Laurent GUERBY
	route 91.224.148.0/23 reject;
75 1 Laurent GUERBY
}
76 1 Laurent GUERBY
77 1 Laurent GUERBY
78 1 Laurent GUERBY
protocol kernel{
79 1 Laurent GUERBY
	import all;
80 1 Laurent GUERBY
	export all;
81 1 Laurent GUERBY
}
82 1 Laurent GUERBY
83 1 Laurent GUERBY
84 1 Laurent GUERBY
function avoid_martians()
85 1 Laurent GUERBY
prefix set martians;
86 1 Laurent GUERBY
{
87 1 Laurent GUERBY
  martians = [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/16+, 10.0.0.0/8+, 224.0.0.0/4+, 240.0.0.0/4+ ];
88 1 Laurent GUERBY
89 1 Laurent GUERBY
  # Avoid 0.0.0.0/X
90 1 Laurent GUERBY
  if net.ip = 0.0.0.0 then return false;
91 1 Laurent GUERBY
92 1 Laurent GUERBY
  # Avoid too short and too long prefixes
93 1 Laurent GUERBY
  if (net.len < 8) || (net.len > 24) then return false;
94 1 Laurent GUERBY
95 1 Laurent GUERBY
  # Avoid RFC1918 networks
96 1 Laurent GUERBY
  if net ~ martians then return false;
97 1 Laurent GUERBY
  return true;
98 1 Laurent GUERBY
}
99 1 Laurent GUERBY
100 1 Laurent GUERBY
filter bgp_OUT {
101 1 Laurent GUERBY
	if (net ~ [91.224.148.0/23]) then accept;
102 1 Laurent GUERBY
	else reject;
103 1 Laurent GUERBY
}
104 1 Laurent GUERBY
105 1 Laurent GUERBY
106 1 Laurent GUERBY
protocol bgp TOUIX {
107 1 Laurent GUERBY
        local as myas;
108 1 Laurent GUERBY
        neighbor 91.213.236.1 as 47184;
109 1 Laurent GUERBY
        preference 200;
110 1 Laurent GUERBY
        import where avoid_martians();
111 1 Laurent GUERBY
        export filter bgp_OUT;
112 1 Laurent GUERBY
}
113 1 Laurent GUERBY
114 1 Laurent GUERBY
protocol bgp JAGUAR {
115 1 Laurent GUERBY
	 local as myas;
116 1 Laurent GUERBY
	 neighbor 31.172.233.1 as 30781;
117 1 Laurent GUERBY
	 preference 50;
118 1 Laurent GUERBY
         import where avoid_martians();
119 1 Laurent GUERBY
         export filter bgp_OUT;
120 1 Laurent GUERBY
}
121 1 Laurent GUERBY
122 1 Laurent GUERBY
protocol bgp TETANEUTRAL {
123 1 Laurent GUERBY
	local as myas;
124 1 Laurent GUERBY
	neighbor 91.224.148.2 as myas;
125 1 Laurent GUERBY
	preference 100;
126 1 Laurent GUERBY
	import where avoid_martians();
127 1 Laurent GUERBY
	export all;
128 1 Laurent GUERBY
}
129 1 Laurent GUERBY
</pre>
130 20 Laurent GUERBY
131 33 Laurent GUERBY
h1. IRR
132 33 Laurent GUERBY
133 33 Laurent GUERBY
* From nanog:
134 33 Laurent GUERBY
http://www.clarksys.com/blog/2009/09/02/using-irr-with-level3/
135 33 Laurent GUERBY
whois -h filtergen.level3.net "RIPE::YOUR-AS-SET  -searchpath=RIPE;ARIN;RADB -recurseok -warnonly"
136 33 Laurent GUERBY
137 20 Laurent GUERBY
h1. Blackholing
138 20 Laurent GUERBY
139 24 Laurent GUERBY
h2. Attaques
140 24 Laurent GUERBY
141 24 Laurent GUERBY
* 20120629 http://lists.tetaneutral.net/pipermail/technique/2012-July/000406.html
142 36 Laurent GUERBY
* http://blog.cloudflare.com/65gbps-ddos-no-problem
143 24 Laurent GUERBY
144 34 Laurent GUERBY
h2. URPF
145 34 Laurent GUERBY
146 34 Laurent GUERBY
blacklister une/plusieures sources est relativement complexe à mettre en place sur une petite infrastructure car nécessite la mise en place de l'URPF (Unicast Reverse Path Forwarding).
147 34 Laurent GUERBY
148 34 Laurent GUERBY
http://www.cisco.com/web/about/security/intelligence/ipv6_rtbh.html
149 34 Laurent GUERBY
150 20 Laurent GUERBY
h2. RFC3882 
151 1 Laurent GUERBY
152 22 Laurent GUERBY
* http://www.ietf.org/rfc/rfc3882.txt
153 1 Laurent GUERBY
community AS:666 sur annonce /32 pour balckhole par AS upstream
154 1 Laurent GUERBY
155 22 Laurent GUERBY
* doc CISCO
156 22 Laurent GUERBY
http://www.cisco.com/web/about/security/intelligence/blackhole.pdf
157 22 Laurent GUERBY
158 28 Laurent GUERBY
h2. RFC1997
159 28 Laurent GUERBY
160 28 Laurent GUERBY
* http://www.ietf.org/rfc/rfc1997.txt
161 28 Laurent GUERBY
BGP Communities Attribute
162 28 Laurent GUERBY
163 28 Laurent GUERBY
* doc CISCO
164 28 Laurent GUERBY
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_6-2/bgp_communities.html
165 28 Laurent GUERBY
166 22 Laurent GUERBY
h2. BIRD
167 22 Laurent GUERBY
168 22 Laurent GUERBY
* http://www.mail-archive.com/bird-users@atrey.karlin.mff.cuni.cz/msg01998.html
169 22 Laurent GUERBY
170 24 Laurent GUERBY
h2. Absolight
171 24 Laurent GUERBY
172 24 Laurent GUERBY
* communauté 29608:65001 sur /24..32 IPv4 et /41..128 IPv6 => blackhole
173 24 Laurent GUERBY
* test 20120703 IPv4 et IPv6, ça marche et convergence très rapide
174 24 Laurent GUERBY
175 22 Laurent GUERBY
h2. GIXE
176 22 Laurent GUERBY
177 1 Laurent GUERBY
* communauté 31576:666 sur /32 => blackhole
178 24 Laurent GUERBY
* test 20120703 => marche pas encore, signalé et dev a faire coté GIXE pour autoriser les /32
179 1 Laurent GUERBY
180 1 Laurent GUERBY
h2. Jaguar 
181 22 Laurent GUERBY
182 24 Laurent GUERBY
* https://extranet.jaguar-network.com/app/public/index.php?cmd=bgp-policy
183 22 Laurent GUERBY
* demande 20120702 : pas de communauté blackhole actuellement, en reflexion
184 22 Laurent GUERBY
* déploiement de matériel arbor networks, reglage a affiner (pas de detection d'attaque)
185 22 Laurent GUERBY
186 27 Laurent GUERBY
h2. Gitoyen
187 27 Laurent GUERBY
188 1 Laurent GUERBY
* demande 20120704 sur la liste, réponse 20120717
189 28 Laurent GUERBY
* Tata http://noc.easycolocate.nl/Teleglobe_bgp_comm.pdf
190 27 Laurent GUERBY
*** => black-hole route (host route or shorter prefix within customer’s RIR registred assignment) 64999:0
191 28 Laurent GUERBY
* Ielo  whois AS29075 => 29075:0 Null-route/Blackhole
192 32 Laurent GUERBY
* https://pad.ilico.org/p/cleanup-bgp-gitoyen
193 22 Laurent GUERBY
194 22 Laurent GUERBY
h2. France-IX
195 22 Laurent GUERBY
196 25 Laurent GUERBY
* community plan : https://apps.db.ripe.net/whois/lookup/ripe/aut-num/AS51706.html
197 26 Laurent GUERBY
* TODO tester
198 22 Laurent GUERBY
199 22 Laurent GUERBY
h2. Equinix-IX
200 1 Laurent GUERBY
201 26 Laurent GUERBY
* community plan : https://ix.equinix.com/ixp/mlpeCommunityInfo
202 26 Laurent GUERBY
* TODO tester
203 22 Laurent GUERBY
204 1 Laurent GUERBY
h2. TouIX
205 22 Laurent GUERBY
206 26 Laurent GUERBY
* demande acces switch et route server 20120702
207 22 Laurent GUERBY
* TODO
208 1 Laurent GUERBY
209 1 Laurent GUERBY
h2. Hurricane Electric
210 1 Laurent GUERBY
211 26 Laurent GUERBY
* http://www.he.net/adm/
212 1 Laurent GUERBY
* http://www.he.net/adm/blackhole.html
213 1 Laurent GUERBY
* TODO tester
214 28 Laurent GUERBY
215 28 Laurent GUERBY
h2. Sfinx
216 28 Laurent GUERBY
217 28 Laurent GUERBY
* http://www.renater.fr/route-servers-bgp?lang=fr
218 28 Laurent GUERBY
* whois  AS1304 =>
219 28 Laurent GUERBY
remarks:        1304:65281 = Apply NO-EXPORT community
220 28 Laurent GUERBY
remarks:        1304:65282 = Apply NO-ADVERTISE community