9fa13b1d0c238dfcadb25a9873691eb4e2ddb15a
howto/Address-Space.md
... | ... | @@ -15,7 +15,7 @@ grep -r ^policy data/inet{,6}num/ |
15 | 15 | |
16 | 16 | The [filter.txt](https://git.dn42.dev/dn42/registry/src/master/data/filter.txt) and [filter6.txt](https://git.dn42.dev/dn42/registry/src/master/data/filter6.txt) files within the registry detail the network wide constraints on what address ranges are in use together with the global limits on what can be announced. |
17 | 17 | |
18 | -`inetnum` and `inet6num` objects within the registry are used to describe the allocation of address space to users. `route` and `route6` objects in the registry are used to validate routing announcements through [ROA](/howto/Bird#route-origin-authorization). |
|
18 | +`inetnum` and `inet6num` objects within the registry are used to describe the allocation of address space to users. `route` and `route6` objects in the registry are used to validate routing announcements through [ROA](/howto/Bird2#route-origin-authorization). |
|
19 | 19 | |
20 | 20 | In addition to the native DN42 address ranges, the registry also contains allocations for the address space used by affiliate networks. These are updated by a regular [sync script](https://git.dn42.dev/dn42/registry-sync). |
21 | 21 |
howto/Bird2.md
... | ... | @@ -1,4 +1,4 @@ |
1 | -This guide is similar to the normal [Bird](/howto/Bird) guide in that it provides you with help setting up the BIRD routing daemon, with the difference that this page is dedicated to versions 2.x. |
|
1 | +This guide is similar to the normal [Bird](/historical/Bird) guide in that it provides you with help setting up the BIRD routing daemon, with the difference that this page is dedicated to versions 2.x. |
|
2 | 2 | |
3 | 3 | # Arch Linux |
4 | 4 | |
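Review bot: New line 1 still calls the BIRD 1.x page "the normal [Bird] guide" although the link now points to /historical/Bird, so the wording contradicts its own target. Suggest rewording it to something like "the historical Bird 1.x guide", or dropping the comparison so the 2.x page no longer defines itself against a retired one.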
... | ... | @@ -174,11 +174,42 @@ template bgp dnpeers { |
174 | 174 | include "/etc/bird/peers/*"; |
175 | 175 | ``` |
176 | 176 | |
177 | +# Setting up peers |
|
178 | + |
|
179 | +Please note: This section assumes that you've already got a tunnel to your peering partner setup. |
|
180 | + |
|
181 | +First, make sure the /etc/bird/peers directory exists: |
|
182 | + |
|
183 | +```sh |
|
184 | +# mkdir -p /etc/bird/peers |
|
185 | +``` |
|
186 | + |
|
187 | +Then for each peer, create a configuration file similar to this one: |
|
188 | + |
|
189 | +`/etc/bird/peers/<NEIGHBOR_NAME>.conf`: |
|
190 | + |
|
191 | +```conf |
|
192 | +protocol bgp <NEIGHBOR_NAME> from dnpeers { |
|
193 | + neighbor <NEIGHBOR_IP> as <NEIGHBOR_ASN>; |
|
194 | +} |
|
195 | + |
|
196 | +protocol bgp <NEIGHBOR_NAME>_v6 from dnpeers { |
|
197 | + neighbor <NEIGHBOR_IPv6>%<NEIGHBOR_INTERFACE> as <NEIGHBOR_ASN>; |
|
198 | +} |
|
199 | +``` |
|
200 | + |
|
201 | +Due to the special link local addresses of IPv6, an interface has to be specified using the `%<if>` syntax if a link local address is used (Which is recommended) |
|
202 | + |
|
203 | +# BGP communities |
|
204 | + |
|
205 | +Communities can be used to prioritize traffic based on different flags, in DN42 we are using communities to prioritize based on latency, bandwidth and encryption. It is really easy to get started with communities and we encourage all of you to get the basic configuration done and to mark your peerings with the correct flags for improved routing. |
|
206 | +More information can be found [here](/howto/BGP-communities). |
|
207 | + |
|
177 | 208 | # Route Origin Authorization |
178 | 209 | |
179 | -The example config above relies on ROA configuration files in `/etc/bird/roa_dn42{,_v6}.conf`. These should be automatically downloaded and updated every so often to prevent BGP highjacking, [see the bird1 page](/howto/Bird#route-origin-authorization) for more details and links to the ROA files. Note: edit the links to replace roa_bird1 to say roa_bird2 if using the cron jobs listed on that page. |
|
210 | +Route Origin Authorizations should be used in BIRD to authenticate prefix announcements. These check the originating AS and validate that they are allowed to advertise a prefix. |
|
180 | 211 | |
181 | -# RPKI / RTR for ROA |
|
212 | +## RPKI / RTR for ROA |
|
182 | 213 | |
183 | 214 | To use an RTR server for ROA information, replace this config in your bird2 configuration file: |
184 | 215 | |
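Review bot: The replacement intro at new line 210 drops two things the removed line 179 told the reader: that the example config above includes `/etc/bird/roa_dn42{,_v6}.conf`, and that those files need to be downloaded and refreshed regularly. Suggest keeping one sentence that names those paths and points to the ROA Tables subsection, so a reader coming from the example config knows where the files come from. Two smaller points in the moved peers section: `# mkdir -p /etc/bird/peers` sits in an sh fence, where the leading `#` turns the line into a comment when pasted, so drop the prompt character or say "as root" in the prose; and the explanation uses `%<if>` while the example uses `%<NEIGHBOR_INTERFACE>`, which would read better with one placeholder name.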
... | ... | @@ -222,41 +253,6 @@ template bgp dnpeers { |
222 | 253 | } |
223 | 254 | ``` |
224 | 255 | |
225 | -# Setting up peers |
|
226 | - |
|
227 | -Please note: This section assumes that you've already got a tunnel to your peering partner setup. |
|
228 | - |
|
229 | -First, make sure the /etc/bird/peers directory exists: |
|
230 | - |
|
231 | -```sh |
|
232 | -# mkdir -p /etc/bird/peers |
|
233 | -``` |
|
234 | - |
|
235 | -Then for each peer, create a configuration file similar to this one: |
|
236 | - |
|
237 | -`/etc/bird/peers/<NEIGHBOR_NAME>.conf`: |
|
238 | - |
|
239 | -```conf |
|
240 | -protocol bgp <NEIGHBOR_NAME> from dnpeers { |
|
241 | - neighbor <NEIGHBOR_IP> as <NEIGHBOR_ASN>; |
|
242 | -} |
|
243 | - |
|
244 | -protocol bgp <NEIGHBOR_NAME>_v6 from dnpeers { |
|
245 | - neighbor <NEIGHBOR_IPv6>%<NEIGHBOR_INTERFACE> as <NEIGHBOR_ASN>; |
|
246 | -} |
|
247 | -``` |
|
248 | - |
|
249 | -Due to the special link local addresses of IPv6, an interface has to be specified using the `%<if>` syntax if a link local address is used (Which is recommended) |
|
250 | - |
|
251 | -# BGP communities |
|
252 | - |
|
253 | -Communities can be used to prioritize traffic based on different flags, in DN42 we are using communities to prioritize based on latency, bandwidth and encryption. It is really easy to get started with communities and we encourage all of you to get the basic configuration done and to mark your peerings with the correct flags for improved routing. |
|
254 | -More information can be found [here](/howto/BGP-communities). |
|
255 | - |
|
256 | -# Route Origin Authorization |
|
257 | - |
|
258 | -Route Origin Authorizations should be used in BIRD to authenticate prefix announcements. These check the originating AS and validate that they are allowed to advertise a prefix. |
|
259 | - |
|
260 | 256 | ## ROA Tables |
261 | 257 | |
262 | 258 | The ROA table can be generated from the registry directly or you can use the following pre-built ROA tables for BIRD: |
... | ... | @@ -411,13 +407,3 @@ if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then { |
411 | 407 | reject; |
412 | 408 | } |
413 | 409 | ``` |
414 | - |
|
415 | -Also, define your ROA table with: |
|
416 | - |
|
417 | -```conf |
|
418 | -roa table dn42_roa { |
|
419 | - include "/var/lib/bird/bird_roa_dn42.conf"; |
|
420 | -}; |
|
421 | -``` |
|
422 | - |
|
423 | -**NOTE**: Make sure you setup ROA checks for both IPv4 and IPv6. |
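Review bot: The filter kept as context above this deletion still calls `roa_check(dn42_roa, net, bgp_path.last)`, yet the removed lines 415-421 are the only definition of `dn42_roa` visible in this diff. If the table is defined elsewhere on the page, add a short pointer next to the filter so the snippet is not left referencing an undeclared table. The removed NOTE about setting up ROA checks for both IPv4 and IPv6 is also worth keeping in the ROA section, since a check applied to only one address family leaves announcements in the other unvalidated.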
howto/Getting-Started.md
... | ... | @@ -303,7 +303,7 @@ source: DN42 |
303 | 303 | |
304 | 304 | # Get some peers |
305 | 305 | |
306 | -In dn42, there is no real distinction between peering and transit: in most cases, everybody serves as an upstream provider to all its peers. Note that if you have very slow connectivity to the Internet, you may want to avoid providing transit between your peers, which can be done by filtering or prepending your ASN. For the sake of sane routing, try to peer with people on the same continent to avoid inefficient routing, <50ms is a good rule of thumb. You can also look into Bird communities if you are using Bird to mark the latency for the [link](/howto/Bird-communities). |
|
306 | +In dn42, there is no real distinction between peering and transit: in most cases, everybody serves as an upstream provider to all its peers. Note that if you have very slow connectivity to the Internet, you may want to avoid providing transit between your peers, which can be done by filtering or prepending your ASN. For the sake of sane routing, try to peer with people on the same continent to avoid inefficient routing, <50ms is a good rule of thumb. You can also look into Bird communities if you are using Bird to mark the latency for the [link](/howto/BGP-communities). |
|
307 | 307 | |
308 | 308 | You can use the peerfinder to help you find potential peers close to you: <https://dn42.us/peers> |
309 | 309 | |
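Review bot: On new line 306 the target is now /howto/BGP-communities, but the sentence still says "Bird communities" and hangs the link on the word "link", so the visible text no longer matches the page it opens. Suggest making the linked phrase "BGP communities", for example "You can also use [BGP communities](/howto/BGP-communities) to mark the latency of the link".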
... | ... | @@ -319,7 +319,7 @@ There is some documentation in this wiki, like [gre-plus-ipsec](/howto/GRE-plus- |
319 | 319 | |
320 | 320 | You need a routing daemon to speak BGP with your peers. People usually run Bird or FRR, but you may use anything (OpenBGPD, XORP, somebody even used an old [hardware router](BGP-on-Extreme-Summit1i) ). See the relevant [FAQ entry](/FAQ#frequently-asked-questions_what-bgp-daemon-should-i-use). |
321 | 321 | |
322 | -You can find [configuration examples for Bird here](/howto/Bird). |
|
322 | +You can find [configuration examples for Bird here](/howto/Bird2). |
|
323 | 323 | |
324 | 324 | ## Configuration Examples |
325 | 325 | |
... | ... | @@ -331,7 +331,7 @@ You can find [configuration examples for Bird here](/howto/Bird). |
331 | 331 | * [Tinc](/howto/tinc) |
332 | 332 | * [IPsec with public key authentication](/howto/IPsec-with-PublicKeys) |
333 | 333 | * BGP: |
334 | - * [Bird](/howto/Bird) |
|
334 | + * [Bird](/howto/Bird2) |
|
335 | 335 | * [Quagga](/howto/Quagga) |
336 | 336 | * Router specific: |
337 | 337 | * [dn42 on OpenWRT](/howto/OpenWRT) |
howto/wireguard.md
... | ... | @@ -60,7 +60,7 @@ ping fe80::<your_peers_suffix>%<interface_name> |
60 | 60 | |
61 | 61 | (For older iputils, use `ping6`.) |
62 | 62 | |
63 | -Afterwards configure your [BGP session](/howto/Bird) as usual |
|
63 | +Afterwards configure your [BGP session](/howto/Bird2) as usual |
|
64 | 64 | |
65 | 65 | ## Debugging |
66 | 66 |