{{>toc}}

h1. BGP

Nous utilisons BIRD sous Linux comme routeur BGP

http://bird.network.cz/

blog bgp http://www.renesys.com/blog/

flowspec http://www.slideshare.net/sfouant/an-introduction-to-bgp-flow-spec

DFZ = Default Free Zone archive http://archive.routeviews.org/

http://www.ripe.net/data-tools/stats/ris/routing-information-service

http://pch.net/resources/data/routing-tables/archive/

http://pch.net/resources/data/routing-tables/mrt-bgp-updates/

http://www.nanog.org/meetings/archive/

http://www.ipbcop.org/

IP Best Current Operational Practices Documented best practices for Engineers by Engineers

BGP best practices ANSSI

https://www.sstic.org/media/SSTIC2012/SSTIC-actes/influence_des_bonnes_pratiques_sur_les_incidents_b/SSTIC2012-Article-influence_des_bonnes_pratiques_sur_les_incidents_bgp-contat_valadon_nataf_2.pdf

https://www.ams-ix.net/technical/specifications-descriptions/ams-ix-route-servers

these LAAS BGP http://www.laas.fr/1-31360-Detail-Soutenance-de-these.php?id=600

h1. TouIX et GIX

http://touix.net

http://wikilulu.net/doku.php?id=articles:gix-howto

h1. Evolutions de la conf BGP

* http://lists.tetaneutral.net/pipermail/technique/2011-December/000118.html

TODO: 

* mise en place d'un gestionaire de version style git au moins pour documentation

* Comment gerer les password MD5 du fichier de conf (les garder secrets tout en publiant le reste)

* Atelier ?

** Laurent GUERBY

** Solarus

** Ajouter son nom...

Alternative a MP BGP

http://tools.ietf.org/html/draft-ietf-idr-bgp-multisession-06

Add Path

http://tools.ietf.org/html/draft-ietf-idr-add-paths-07

support in bird ? http://marc.info/?l=bird-users&m=134409996129466&w=2

h1. Liens

* http://www.cl.cam.ac.uk/~tgg22/talks/BGP_TUTORIAL_ICNP_2002.ppt

* http://www.menog.net/menog-meetings/menog5/presentations/smith-32bit-asn-update.pdf

* AS4 http://www.rfc-editor.org/rfc/rfc4893.txt

* bonnes pratiques incidents BGP

** https://www.sstic.org/media/SSTIC2012/SSTIC-actes/influence_des_bonnes_pratiques_sur_les_incidents_b/SSTIC2012-Slides-influence_des_bonnes_pratiques_sur_les_incidents_bgp-contat_valadon_nataf.pdf

* test ping plus UDP http://www.broadband-forum.org/technical/download/TR-143.pdf

h1. Configuration Toulouse

<pre>

router id 91.224.148.2;

define myas = 197422;

protocol device {

	scan time 10;

        primary "eth0" 91.224.148.3;

}

protocol static static_bgp {

	import all;

	route 91.224.148.0/23 reject;

}

protocol kernel{

	import all;

	export all;

}

function avoid_martians()

prefix set martians;

{

  martians = [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/16+, 10.0.0.0/8+, 224.0.0.0/4+, 240.0.0.0/4+ ];

  # Avoid 0.0.0.0/X

  if net.ip = 0.0.0.0 then return false;

  # Avoid too short and too long prefixes

  if (net.len < 8) || (net.len > 24) then return false;

  # Avoid RFC1918 networks

  if net ~ martians then return false;

  return true;

}

filter bgp_OUT {

	if (net ~ [91.224.148.0/23]) then accept;

	else reject;

}

protocol bgp TOUIX {

        local as myas;

        neighbor 91.213.236.1 as 47184;

        preference 200;

        import where avoid_martians();

        export filter bgp_OUT;

}

protocol bgp JAGUAR {

	 local as myas;

	 neighbor 31.172.233.1 as 30781;

	 preference 50;

         import where avoid_martians();

         export filter bgp_OUT;

}

protocol bgp TETANEUTRAL {

	local as myas;

	neighbor 91.224.148.2 as myas;

	preference 100;

	import where avoid_martians();

	export all;

}

</pre>

h1. IRR

* From nanog:

http://www.clarksys.com/blog/2009/09/02/using-irr-with-level3/

whois -h filtergen.level3.net "RIPE::YOUR-AS-SET  -searchpath=RIPE;ARIN;RADB -recurseok -warnonly"

h1. Blackholing

h2. Attaques

* 20120629 http://lists.tetaneutral.net/pipermail/technique/2012-July/000406.html

* http://blog.cloudflare.com/65gbps-ddos-no-problem

h2. URPF

blacklister une/plusieures sources est relativement complexe à mettre en place sur une petite infrastructure car nécessite la mise en place de l'URPF (Unicast Reverse Path Forwarding).

http://www.cisco.com/web/about/security/intelligence/ipv6_rtbh.html

h2. RFC3882 

* http://www.ietf.org/rfc/rfc3882.txt

community AS:666 sur annonce /32 pour balckhole par AS upstream

* doc CISCO

http://www.cisco.com/web/about/security/intelligence/blackhole.pdf

h2. RFC1997

* http://www.ietf.org/rfc/rfc1997.txt

BGP Communities Attribute

* doc CISCO

http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_6-2/bgp_communities.html

h2. BIRD

* http://www.mail-archive.com/bird-users@atrey.karlin.mff.cuni.cz/msg01998.html

h2. Absolight

* communauté 29608:65001 sur /24..32 IPv4 et /41..128 IPv6 => blackhole

* test 20120703 IPv4 et IPv6, ça marche et convergence très rapide

h2. GIXE

* communauté 31576:666 sur /32 => blackhole

* test 20120703 => marche pas encore, signalé et dev a faire coté GIXE pour autoriser les /32

h2. Jaguar 

* https://extranet.jaguar-network.com/app/public/index.php?cmd=bgp-policy

* demande 20120702 : pas de communauté blackhole actuellement, en reflexion

* déploiement de matériel arbor networks, reglage a affiner (pas de detection d'attaque)

h2. Gitoyen

* demande 20120704 sur la liste, réponse 20120717

* Tata http://noc.easycolocate.nl/Teleglobe_bgp_comm.pdf

*** => black-hole route (host route or shorter prefix within customer’s RIR registred assignment) 64999:0

* Ielo  whois AS29075 => 29075:0 Null-route/Blackhole

* https://pad.ilico.org/p/cleanup-bgp-gitoyen

h2. France-IX

* community plan : https://apps.db.ripe.net/whois/lookup/ripe/aut-num/AS51706.html

* TODO tester

h2. Equinix-IX

* community plan : https://ix.equinix.com/ixp/mlpeCommunityInfo

* TODO tester

h2. TouIX

* demande acces switch et route server 20120702

* TODO

h2. Hurricane Electric

* http://www.he.net/adm/

* http://www.he.net/adm/blackhole.html

* TODO tester

h2. Sfinx

* http://www.renater.fr/route-servers-bgp?lang=fr

* whois  AS1304 =>

remarks:        1304:65281 = Apply NO-EXPORT community

remarks:        1304:65282 = Apply NO-ADVERTISE community