OpenBGPD, Tunnels, and rdomains
I run my own IPv6-only AS, mostly to get some real-world BGP experience, and partly so I can say I operate my own AS. In fact, IPv6 for this domain is served by my own AS uplinked through the ColoClue network.
When running your own AS, you will need to have some way of announcing your IP space through BGP. Some networks and providers, such as the aforementioned ColoClue but also Vultr[1], allow you to announce routes over BGP after verifying your authority over the announced prefixes. Most providers, however, are not as easily persuaded.
When you want to announce your routes from a provider that does not offer BGP access, you can build a tunnel to a provider that does, and run the BGP session over the tunnel. One such provider is Tunnelbroker.ch.
Though I have no real need for tunneled BGP, I did want to try setting it up for testing and exercise. As most of my BGP routers are based on OpenBSD, I selected an OpenBSD VM for the tunnel as well.
First, you’ll need to register an account with the tunnelbroker. I’m using Tunnelbroker.ch, but other brokers are available, such as Freetransit. When registered, you’ll need to create a tunnel and enable BGP.
With your tunnel created, you’ll need to configure the tunnel on your router.
Tunnelbroker.ch supplies some very nice configuration examples for a number of OSes, but OpenBSD is unfortunately absent.
Fortunately, the FreeBSD example is relatively easy to translate to OpenBSD. I'll put the example FreeBSD config below, and below that the same configuration translated to the OpenBSD hostname.if format.
# FreeBSD example config
ifconfig gif0 create
ifconfig gif0 tunnel 192.0.2.42 198.51.100.1
ifconfig gif0 inet6 2001:db8:7362::2 2001:db8:7362::1 prefixlen 128
route -n add -inet6 default 2001:db8:7362::1
ifconfig gif0 up
# /etc/hostname.gif0
create
rdomain 1
tunnel 192.0.2.42 198.51.100.1
inet6 2001:db8:7362::2 128
dest 2001:db8:7362::1
up
Note that I have added the line rdomain 1. This puts the tunnel interface into an alternative routing domain so that it does not interfere with the machine's native IPv6 connection: the full table learned over the tunnel lands in rdomain 1, and the default rdomain keeps its existing routes. The outer IPv4 tunnel endpoints are still looked up in the default routing table (the tunneldomain option of ifconfig(8) changes that), which is exactly what we want here, as the tunnel rides over the machine's normal IPv4 uplink while only the inner IPv6 traffic lives in rdomain 1.
If your machine has no native IPv6 configuration, you can leave this line out to put the interface in the default rdomain.
I have also not added a line to configure the default route. This is not necessary: the dest address gives the kernel a route to the tunnel peer, and we'll be using BGP to learn all the other routes after all!
With the interface configured and brought up with sh /etc/netstart gif0, it is time to configure our own addresses on an interface and then to announce these with bgpd.
# /etc/hostname.lo1
create
rdomain 1
# replace below with an IP address of your own
inet6 alias 2a0e:b107:861:1337::1 64
up
Note again the presence of the rdomain 1 line. This puts the new loopback interface in the same rdomain as the previously configured tunnel, and separates it from the native IPv6 addresses in the default rdomain.
Now, we'll need to set up bgpd. The configuration goes in /etc/bgpd.conf:
# Replace with your ASN
ASN="211840"
AS $ASN
# replace with an IP address on your machine
router-id 192.0.2.42
# this is the set of networks you'll be announcing
# replace this with your own networks of course
prefix-set mynetworks {
2a0e:b107:861::/48
}
prefix-set bogons {
::/8 or-longer # RFC 4291 IPv4-compatible, loopback, et al
0100::/64 or-longer # Discard-Only [RFC6666]
2001:2::/48 or-longer # BMWG [RFC5180]
2001:10::/28 or-longer # ORCHID [RFC4843]
2001:db8::/32 or-longer # docu range [RFC3849]
2002::/16 or-longer # 6to4 anycast relay [RFC7526]
3ffe::/16 or-longer # old 6bone
fc00::/7 or-longer # unique local unicast
fe80::/10 or-longer # link local unicast
fec0::/10 or-longer # old site local unicast
ff00::/8 or-longer # multicast
}
network prefix-set mynetworks set large-community $ASN:3:1
# socket for bgpctl or bgplg
socket "/var/www/run/bgpd.rsock" restricted
# the BGP neighbor you'll be interacting with
neighbor 2001:db8:7362::1 {
remote-as 58057
descr "Tunnelbroker.ch"
local-address 2001:db8:7362::2
announce IPv6 unicast
}
# filter rules are evaluated in order: the last matching rule decides,
# except that a matching rule marked "quick" ends evaluation right away.
# an UPDATE that matches no rule at all is denied.
allow to ebgp prefix-set mynetworks large-community $ASN:3:1
# do not accept routes to prefixes announced from this machine
deny quick from ebgp prefix-set mynetworks or-longer
# only accept prefixes between /16 and /48; anything more specific
# (or less specific) matches no rule and falls through to the implicit deny
allow from any inet6 prefixlen 16 - 48
# deny ranges that should not be announced as specified above
deny quick from any prefix-set bogons
# deny paths containing AS_TRANS, documentation, private or reserved ASNs
deny quick from any AS 23456
deny quick from any AS 64496 - 131071
deny quick from any AS 4200000000 - 4294967295
# filter out too long paths (more than 100 AS hops)
deny from any max-as-len 100
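The inbound side of the filter block above is evaluated by bgpd's route decision engine in order: the last matching rule decides, a matching rule marked quick ends evaluation immediately, and an UPDATE that matches no rule is denied. To make that concrete, here is an added Python model of exactly those rules, run over a handful of constructed UPDATEs. It is not part of the original post or of OpenBGPD; the 3fff::/20 prefixes in the sample are made-up routes chosen only because they fall outside the bogon set above, and the single iBGP-tagged update exists purely to show what the from ebgp qualifier does (the page's config has no iBGP neighbours).

```python
import ipaddress
from dataclasses import dataclass

# Values taken from the bgpd.conf on this page.
OWN_AS = 211840
MYNETWORKS = [ipaddress.ip_network("2a0e:b107:861::/48")]
BOGONS = [ipaddress.ip_network(p) for p in (
    "::/8", "0100::/64", "2001:2::/48", "2001:10::/28", "2001:db8::/32",
    "2002::/16", "3ffe::/16", "fc00::/7", "fe80::/10", "fec0::/10", "ff00::/8",
)]


@dataclass
class Update:
    prefix: str
    as_path: list            # AS_PATH as received, nearest neighbour first
    peer_type: str = "ebgp"  # "ebgp" or "ibgp"


def or_longer(prefix, entries):
    """prefix-set match with the or-longer modifier: equal to or more specific than an entry."""
    return any(prefix.version == e.version and prefix.subnet_of(e) for e in entries)


def in_range(as_path, lo, hi):
    """The 'AS lo - hi' filter matches when any AS in the path is inside the range."""
    return any(lo <= asn <= hi for asn in as_path)


def evaluate(update):
    """Return (decision, rule) for one inbound UPDATE under the page's filter rules.

    Rules are walked in order; the last matching rule wins, a matching 'quick'
    rule stops evaluation, and no match at all means deny (OpenBGPD's default).
    """
    prefix = ipaddress.ip_network(update.prefix)
    path = update.as_path
    rules = [  # (rule text, action, quick, matches?)
        ("deny quick from ebgp prefix-set mynetworks or-longer", "deny", True,
         update.peer_type == "ebgp" and or_longer(prefix, MYNETWORKS)),
        ("allow from any inet6 prefixlen 16 - 48", "allow", False,
         prefix.version == 6 and 16 <= prefix.prefixlen <= 48),
        ("deny quick from any prefix-set bogons", "deny", True,
         or_longer(prefix, BOGONS)),
        ("deny quick from any AS 23456", "deny", True, 23456 in path),
        ("deny quick from any AS 64496 - 131071", "deny", True,
         in_range(path, 64496, 131071)),
        ("deny quick from any AS 4200000000 - 4294967295", "deny", True,
         in_range(path, 4200000000, 4294967295)),
        ("deny from any max-as-len 100", "deny", False, len(path) > 100),
    ]
    decision, matched = "deny", "(no rule matched: implicit deny)"
    for text, action, quick, hit in rules:
        if hit:
            decision, matched = action, text
            if quick:
                break
    return decision, matched


# Constructed sample UPDATEs (not real routing data); 58057 is the tunnel peer's AS.
SAMPLE_UPDATES = [
    Update("3fff:1::/32", [58057, 3333]),                # clean route
    Update("2a0e:b107:861:1337::/64", [58057, 211840]),  # our own space coming back in
    Update("2001:db8:1::/48", [58057, 3333]),            # documentation prefix
    Update("3fff:1:2:3::/64", [58057, 3333]),            # /64: too specific, no rule matches
    Update("3fff:2::/32", [58057, 23456]),               # AS_TRANS in the path
    Update("3fff:3::/32", [58057, 4200000001]),          # leaked private 32-bit ASN
    Update("3fff:4::/32", [58057] + [3333] * 100),       # 101-hop path
    Update("2a0e:b107:861::/48", [], peer_type="ibgp"),  # own prefix, but from iBGP
]


def evaluate_all(updates=SAMPLE_UPDATES):
    """Map each sample prefix to its accept/deny decision."""
    return {u.prefix: evaluate(u)[0] for u in updates}


if __name__ == "__main__":
    for u in SAMPLE_UPDATES:
        decision, rule = evaluate(u)
        print(f"{decision:5} {u.prefix:28} via {rule}")
```

Two details worth noticing in the output: the 101-hop path is first matched by the prefixlen allow and then by the non-quick max-as-len deny, so last-match turns it into a deny, and the /64 is rejected without touching any deny rule at all, purely because nothing allowed it.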
Now, we'll need to enable the bgpd service and assign it to the correct rdomain:
obsd# rcctl enable bgpd
obsd# rcctl set bgpd rtable 1
obsd# rcctl start bgpd
bgpd(ok)
When bgpd is running, we can check whether it indeed does operate in the correct rdomain:
obsd# ps aux -o rtable | grep bgp
_bgpd 88238 5.5 8.3 82300 85320 ?? Sp 2:40PM 0:11.33 bgpd: route deci 1
root 3439 3.8 1.9 18248 19148 ?? S 2:40PM 0:08.79 /usr/sbin/bgpd - 1
_bgpd 51440 0.0 0.2 1456 2480 ?? Sp 2:40PM 0:00.91 bgpd: session en 1
_bgpd 20912 0.1 0.8 6776 8012 ?? Ip 2:40PM 0:01.12 bgpd: rtr engine 1
The 1 in the final column confirms that our bgpd process is indeed operating in rdomain 1.
With everything configured and running, you can use bgpctl to control the daemon and check its status.
obsd# bgpctl -s /var/run/bgpd.sock.1 show nei
BGP neighbor is 2001:db8:7362::1, remote AS 58057
Description: Tunnelbroker.ch
BGP version 4, remote router-id 198.51.100.1
BGP state = Established, up for 00:05:51
Last read 00:00:00, holdtime 90s, keepalive interval 30s
Last write 00:00:19
Neighbor capabilities:
Multiprotocol extensions: IPv6 unicast
Route Refresh
Graceful Restart: Timeout: 120, IPv6 unicast
4-byte AS numbers
Message statistics:
                     Sent    Received
  Opens                 1           1
  Notifications         0           0
  Updates               2       41878
  Keepalives           12          14
  Route Refresh         0           0
  Total                15       41893
Update statistics:
                     Sent    Received
  Prefixes              1      130195
  Updates               1      132951
  Withdraws             0         332
  End-of-Rib            1           1
Local host: 2001:db8:7362::2, Local port: 11417
Remote host: 2001:db8:7362::1, Remote port: 179
Note that you'll have to specify the socket for bgpctl because of the alternative rdomain: a bgpd started in rdomain 1 creates its control socket as /var/run/bgpd.sock.1 rather than the default /var/run/bgpd.sock. To confirm that the learned routes ended up in the right table, route -T 1 -n show -inet6 should list the full table, while route -n show -inet6 in the default rdomain stays untouched.
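Once the session is up, the same check can be scripted for monitoring. Here is an added Python snippet, not from the original post, that parses the text output of bgpctl show neighbor (the fixture below is the output shown on this page, embedded as a constructed sample), extracts state, remote AS and prefix counts per neighbour, and flags anything that differs from what bgpd.conf intends: the session must be Established with AS 58057, exactly one prefix (our /48) should be announced, and a full table should be coming in. Newer bgpctl releases can also emit JSON with the -j flag, which avoids parsing text altogether.

```python
import re
import sys

# Constructed sample: the 'bgpctl show neighbor' output from this page, trimmed.
SAMPLE_OUTPUT = """\
BGP neighbor is 2001:db8:7362::1, remote AS 58057
Description: Tunnelbroker.ch
BGP version 4, remote router-id 198.51.100.1
BGP state = Established, up for 00:05:51
Last read 00:00:00, holdtime 90s, keepalive interval 30s
Message statistics:
                     Sent    Received
  Updates               2       41878
Update statistics:
                     Sent    Received
  Prefixes              1      130195
  Updates               1      132951
  Withdraws             0         332
"""

NEIGHBOR_RE = re.compile(r"BGP neighbor is (\S+), remote AS (\d+)")
STATE_RE = re.compile(r"BGP state = (\w+)")
PREFIXES_RE = re.compile(r"Prefixes\s+(\d+)\s+(\d+)")  # only in 'Update statistics'


def parse_neighbors(text):
    """Split bgpctl output into one dict per 'BGP neighbor is ...' block."""
    neighbors = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = NEIGHBOR_RE.match(line)
        if m:
            cur = {"peer": m.group(1), "remote_as": int(m.group(2)), "state": None,
                   "prefixes_sent": None, "prefixes_received": None}
            neighbors.append(cur)
            continue
        if cur is None:
            continue
        m = STATE_RE.match(line)
        if m:
            cur["state"] = m.group(1)
            continue
        m = PREFIXES_RE.match(line)
        if m:
            cur["prefixes_sent"] = int(m.group(1))
            cur["prefixes_received"] = int(m.group(2))
    return neighbors


def check_neighbor(n, expected_as, expected_sent):
    """Return a list of problems; an empty list means the session looks as configured."""
    problems = []
    if n["state"] != "Established":
        problems.append(f"{n['peer']}: state is {n['state']}, not Established")
    if n["remote_as"] != expected_as:
        problems.append(f"{n['peer']}: remote AS {n['remote_as']} != configured {expected_as}")
    if n["prefixes_sent"] != expected_sent:
        problems.append(f"{n['peer']}: announcing {n['prefixes_sent']} prefixes, expected {expected_sent}")
    if not n["prefixes_received"]:
        problems.append(f"{n['peer']}: no prefixes received; session up but nothing learned")
    return problems


if __name__ == "__main__":
    # Pipe real output in: bgpctl -s /var/run/bgpd.sock.1 show neighbor | python3 check_bgp.py
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    issues = [p for n in parse_neighbors(text)
              for p in check_neighbor(n, expected_as=58057, expected_sent=1)]
    for issue in issues:
        print(issue)
    sys.exit(1 if issues else 0)
```

The prefixes-sent check is the one that catches filter mistakes on the outbound side: if the allow to ebgp rule were dropped, bgpctl would still report Established but with 0 prefixes sent, and the /48 would silently vanish from the Internet.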
[1] This is a referral link that will get you $100 in credit when registering a new account.