A week or two ago I became aware of DN42, a private network run to teach people how to use BGP. DN42 users connect to each other using site-to-site VPNs and then use BGP to exchange routing information. As someone who learns best from hands-on activity I simply couldn’t resist.
This blog post will discuss getting connected to the DN42 network using a Cisco router, be it physical or in a virtualisation solution such as GNS3/VIRL. At a high level there are three main steps:
- Create a number of “objects” in order to allocate a network address that you advertise in BGP;
- Configure your router so it can access the internet;
- Locate a suitable network to establish a VPN with and then form a BGP adjacency;
I’ll try to cover the various DN42 specifics, but do not plan on covering basic router configuration tasks.
Creating DN42 registry objects
As in the real world, we need to create a number of objects in a database so people know who we are. These objects are administrative, but in DN42 they are used to manage the allocation of autonomous system numbers (ASNs) and IP address space.
There are five records you need to create before configuring any devices, a process that should take about ten minutes to complete.
Begin by choosing the names you will use; you will need to decide on:
- Organisation name. For example NWTRADERS;
- Contact name. For example JBLOGGS;
- Maintainer name. Typically the organisation name with “-MNT” appended. For example NWTRADERS-MNT;
- NIC Handle (nic-hdl). The name of a specific person or role. For example JBLOGGS-DN42;
Once you’ve decided you can head over to the DN42 Registry and create the records as described below.
The maintainer (mntner) object is the most important object you’ll create. It’s the set of credentials you will use to create and maintain all other objects. The password you enter is the plain-text version; it is hashed and stored in the sha512-pw field rather than kept as entered.
Create your maintainer object, appending “-MNT” to the organisation name you chose earlier.
mntner: NWTRADERS-MNT
desc:
sha512-pw: this is a password you will use, so save it!
admin-c: DUMMY-DN42
tech-c: DUMMY-DN42
mnt-by: NWTRADERS-MNT
The person object is a contact record containing information about you as an individual. It will be referenced as the technical and administrative contact so people know how to reach you.
When creating your object append “-DN42” to the contact name you’ve chosen and specify it as the nic-hdl.
person: Joe Bloggs
contact: twitter:DaveHope
bitcoin:
nic-hdl: JBLOGGS-DN42
mnt-by: NWTRADERS-MNT
By specifying the mnt-by as your mntner object you’ll be able to update this person object at a later date.
Once the person object is created, go back to your maintainer object and update the admin-c and tech-c to the nic-hdl you’ve created.
The organisation object provides some information about the group creating these records and running the network. It’s fairly basic so create it as follows:
organisation: ORG-NWTRADERS
org-name: damn.technology
admin-c: JBLOGGS-DN42
tech-c: JBLOGGS-DN42
mnt-by: NWTRADERS-MNT
Finally we’re getting onto the interesting records! The autonomous system number is a globally unique identifier for your network. This will be used in configuring BGP.
As at April 2015 the autonomous system number (aut-num) you create should be in the range 4242420000-4242423999. Choose a number and prefix it with “AS”:
aut-num: AS4242422222
as-name: NWTRADERS
admin-c: JBLOGGS-DN42
tech-c: JBLOGGS-DN42
mnt-by: NWTRADERS-MNT
The final record you need to create is the inetnum object, which allocates address space to you. To find available space use the DN42 Open Netblocks site. Once you’ve found a network, work out its first and last address (the range) rather than just the prefix length; the inetnum record is expressed as a range.
You should also specify the country you’ll announce this from and a name for the network.
inetnum: 172.23.220.128 - 172.23.220.255
netname: NET-NWTRADERS-000
country: GB
admin-c: JBLOGGS-DN42
tech-c: JBLOGGS-DN42
mnt-by: NWTRADERS-MNT
nserver: dummy.dn42
status: ASSIGNED
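Before submitting the five objects it is worth checking that they reference each other consistently: every mnt-by must name a mntner that exists, every admin-c and tech-c must name a person’s nic-hdl (the DUMMY-DN42 placeholder used while bootstrapping the maintainer should be replaced once the person exists), the aut-num must fall in the range quoted above, and the inetnum range must correspond to exactly one prefix. The following Python script is an added example written for this post, not DN42 registry code; it parses “key: value” objects built from the values used above (a constructed sample) and converts between the CIDR form shown on the netblocks site and the range form the inetnum record needs.

```python
import ipaddress
import re

# aut-num range quoted in the post (as at April 2015).
ASN_MIN, ASN_MAX = 4242420000, 4242423999

# Constructed sample: the objects from the post after the maintainer's
# admin-c/tech-c have been updated from DUMMY-DN42 to the real nic-hdl.
REGISTRY_TEXT = """\
mntner: NWTRADERS-MNT
admin-c: JBLOGGS-DN42
tech-c: JBLOGGS-DN42
mnt-by: NWTRADERS-MNT

person: Joe Bloggs
nic-hdl: JBLOGGS-DN42
mnt-by: NWTRADERS-MNT

organisation: ORG-NWTRADERS
org-name: damn.technology
admin-c: JBLOGGS-DN42
tech-c: JBLOGGS-DN42
mnt-by: NWTRADERS-MNT

aut-num: AS4242422222
as-name: NWTRADERS
admin-c: JBLOGGS-DN42
tech-c: JBLOGGS-DN42
mnt-by: NWTRADERS-MNT

inetnum: 172.23.220.128 - 172.23.220.255
netname: NET-NWTRADERS-000
country: GB
admin-c: JBLOGGS-DN42
tech-c: JBLOGGS-DN42
mnt-by: NWTRADERS-MNT
status: ASSIGNED
"""


def parse_objects(text):
    """Split blank-line separated blocks into (class, {key: [values]}) pairs.
    The first attribute of a block names its class (mntner, person, ...)."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        first_key = block.split(":", 1)[0].strip()
        objects.append((first_key, attrs))
    return objects


def cidr_to_inetnum(cidr):
    """'172.23.220.128/25' -> '172.23.220.128 - 172.23.220.255'."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net[0]} - {net[-1]}"


def inetnum_to_cidr(inetnum):
    """Reverse conversion; rejects ranges that are not a single prefix."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    nets = list(ipaddress.summarize_address_range(first, last))
    if len(nets) != 1:
        raise ValueError(f"{inetnum} is not a single prefix (covers {len(nets)} networks)")
    return str(nets[0])


def check_registry(text):
    """Return a list of human-readable problems; empty means the set is consistent."""
    objects = parse_objects(text)
    problems = []
    mntners = {a["mntner"][0] for c, a in objects if c == "mntner"}
    handles = {a["nic-hdl"][0] for c, a in objects if c == "person"}
    for cls, attrs in objects:
        name = attrs[cls][0]
        for ref in attrs.get("mnt-by", []):
            if ref not in mntners:
                problems.append(f"{cls} {name}: mnt-by {ref} does not exist")
        for field in ("admin-c", "tech-c"):
            for ref in attrs.get(field, []):
                if ref == "DUMMY-DN42":
                    problems.append(f"{cls} {name}: {field} still points at DUMMY-DN42")
                elif ref not in handles:
                    problems.append(f"{cls} {name}: {field} {ref} is not a known nic-hdl")
        if cls == "aut-num":
            m = re.fullmatch(r"AS(\d+)", name)
            if not m or not ASN_MIN <= int(m.group(1)) <= ASN_MAX:
                problems.append(f"aut-num {name}: outside {ASN_MIN}-{ASN_MAX}")
        if cls == "inetnum":
            try:
                inetnum_to_cidr(name)
            except ValueError as err:
                problems.append(f"inetnum {name}: {err}")
    return problems


if __name__ == "__main__":
    print(cidr_to_inetnum("172.23.220.128/25"))
    for problem in check_registry(REGISTRY_TEXT) or ["registry objects are consistent"]:
        print(problem)
```

Running it on the sample reports no problems; swapping the maintainer’s contacts back to DUMMY-DN42, or choosing an ASN outside the quoted range, produces one line per problem, which is the state you want to catch before the registry does.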
As someone who predominantly uses Cisco equipment I’ll be using a Cisco router in my example. The DN42 network doesn’t have a particularly large routing table, so you shouldn’t need much processing power or memory.
Configure your router as you would any other, assigning a hostname and domain-name and giving it an IP address on an interface that can reach the internet. Once that’s done, the next step is to forward IPsec traffic to the router (if it sits behind NAT) so that it can terminate the IPsec/GRE tunnels required to connect to other networks.
Once your router is able to reach the internet and the relevant ports forwarded (if required), proceed to find a peer and get connected.
To get connectivity to the DN42 network you will need at least one peer who is willing to provide transit in the form of a tunnel and a BGP adjacency. The best way to go about it is to either use the DN42 peer finder or ask in the IRC channel.
I use ipsec and gre for my peerings and find the following config works well:
router(config)#crypto isakmp policy 10
 encr aes
 hash md5
 group 5
 lifetime 28800
crypto isakmp keepalive 30 periodic
crypto ipsec transform-set TSET_DN42 esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile PROF_DN42
 set security-association lifetime kilobytes disable
 set transform-set TSET_DN42
Once you’ve found a peer you should configure the router to use RSA public keys for IPsec (IKE) authentication. First generate yourself an RSA keypair; the “exportable” flag is optional but useful if you expect to need to move the key to another device at a later date:
router(config)#crypto key generate rsa general-keys modulus 2048 exportable
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be exportable...
Once created, send your newly found peer the public key part:
router#sh crypto key mypubkey rsa
% Key pair was generated at: 14:25:20 BST Apr 11 2015
Key name: router.local
Key type: RSA KEYS
 Storage Device: private-config
 Usage: General Purpose Key
 Key is exportable.
 Key Data:
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  DEADBEEF 0001
% Key pair was generated at: 08:25:12 BST Apr 12 2015
You will receive a key (hopefully in a similar format) from your peer. To import it, do the following:
router(config)#crypto key pubkey-chain rsa
 addressed-key PEERS-PUBLIC-IP
  key-string
   PASTE-PEERS-KEY-STRING-HERE
  quit
The final step in establishing connectivity is to create a GRE tunnel interface. For your first peer it’s easiest if your peer can provide the addressing for the transit network.
router(config)#interface Tunnel0
 ip address TUNNEL-ENDPOINT-IP TUNNEL-NETMASK
 tunnel source EXTERNAL-INTERFACE-NAME
 tunnel destination PEERS-PUBLIC-IP
 tunnel protection ipsec profile PROF_DN42
Assuming your peer has matched the local and remote IDs and the phase 1 (ISAKMP) and phase 2 (IPsec) parameters, your tunnel should come up:
router#sh crypto ses br
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
        K - No IKE
ivrf = (none)
Peer             I/F   Username   Group/Phase1_id   Uptime     Status
PEERS-PUBLIC-IP  Tu0              PEERS-PUBLIC-IP   03:40:47   UA
If this doesn’t come up, one thing you may need to tweak is the phase 1 ID, especially so if one end of the network is behind a NAT device.
The next step is to configure BGP.
A basic BGP configuration is straightforward: you configure the BGP process with your AS number (the one you created in the registry) and the network you will be advertising. Note that IOS needs the mask keyword for a prefix that is not a classful network:
router(config)#router bgp YOUR-AS-NUMBER
 address-family ipv4
  network YOUR-NETWORK-ID mask YOUR-NETWORK-NETMASK
You also need to specify a neighbor statement so BGP knows who it should exchange routing information with. You will also need to know the AS number of your peer’s network. In most cases the neighbor address will be the other end of the transit network, but it’s best to ask your peer to be sure.
router(config)#router bgp YOUR-AS-NUMBER
 neighbor PEERS-BGP-IP remote-as PEERS-AS-NUMBER
Once your peer has completed this you should see a BGP adjacency:
router#sh ip bgp sum | beg Nei
Neighbor      V  AS          MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
PEERS-BGP-IP  4  XXXXXXXXXX  18309    2030     13903   0    0     23:34:03  365
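The State/PfxRcd column is the one to watch: a number means the session is Established and shows how many prefixes the peer sent, whereas a word (Idle, Active, Connect, OpenSent, or Idle (Admin) for a shut-down neighbor) means the adjacency has not formed. The following Python script is an added example for this post, not a Cisco or DN42 tool; it parses constructed sample output in the layout of the summary above (the first line mirrors the established session shown, the others are non-established states) and flags sessions that are down or carrying no prefixes.

```python
import re

# Constructed sample in the layout of "show ip bgp summary | begin Neighbor".
SAMPLE_BGP_SUMMARY = """\
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.23.220.1    4   4242421111   18309    2030    13903    0    0 23:34:03      365
172.23.220.5    4   4242423333       0       0        1    0    0 never    Active
172.23.220.9    4   4242421234       0       0        1    0    0 00:01:12 Idle (Admin)
"""

# One neighbor row: the final field may be a number or a state word with spaces.
NEIGHBOR_RE = re.compile(
    r"^(?P<peer>\S+)\s+(?P<ver>\d+)\s+(?P<asn>\d+)\s+(?P<rcvd>\d+)\s+(?P<sent>\d+)\s+"
    r"(?P<tblver>\d+)\s+(?P<inq>\d+)\s+(?P<outq>\d+)\s+(?P<updown>\S+)\s+(?P<state>.+?)\s*$"
)


def parse_bgp_summary(text):
    """Return one dict per neighbor row; header and unrelated lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        state = m.group("state")
        established = state.isdigit()  # a prefix count only appears once Established
        sessions.append({
            "peer": m.group("peer"),
            "remote_as": int(m.group("asn")),
            "up_down": m.group("updown"),
            "established": established,
            "prefixes": int(state) if established else None,
            "state": "Established" if established else state,
        })
    return sessions


def unhealthy_sessions(sessions, expected_min_prefixes=1):
    """Peers that are not Established or received fewer prefixes than expected.
    A DN42 transit peer should hand over a substantial table, so 0 is suspicious."""
    return [
        s["peer"] for s in sessions
        if not s["established"] or s["prefixes"] < expected_min_prefixes
    ]


if __name__ == "__main__":
    parsed = parse_bgp_summary(SAMPLE_BGP_SUMMARY)
    for s in parsed:
        print(f"{s['peer']:16} AS{s['remote_as']} {s['state']} prefixes={s['prefixes']}")
    print("needs attention:", unhealthy_sessions(parsed))
```

Feed it the real output (for example captured over SSH by whatever tooling you already use) and run it on a schedule; a peer that drops from Established to Active is exactly the change you want surfaced before someone notices that 172.23.0.53 has stopped answering.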
At this point you should be able to reach most of the DN42 network, including the IPv4 anycast DNS resolver (172.23.0.53).