Projet

Général

Profil

BGP » Historique » Version 55

« Précédent - Version 55/192 (diff) - Suivant » - Version actuelle
Laurent GUERBY, 27/04/2013 17:41


BGP

Nous utilisons BIRD sous Linux comme routeur BGP

http://bird.network.cz/

blog bgp http://www.renesys.com/blog/
flowspec http://www.slideshare.net/sfouant/an-introduction-to-bgp-flow-spec
DFZ = Default Free Zone archive http://archive.routeviews.org/
http://www.ripe.net/data-tools/stats/ris/routing-information-service
http://pch.net/resources/data/routing-tables/archive/
http://pch.net/resources/data/routing-tables/mrt-bgp-updates/
http://www.nanog.org/meetings/archive/
http://tools.ietf.org/html/draft-lapukhov-bgp-routing-large-dc-02

http://inside.godaddy.com/inside-story-happened-godaddy-com-sept-10-2012/

http://tools.ietf.org/html/rfc4271#section-9.1 BGP route decision process

http://www.ipbcop.org/
IP Best Current Operational Practices Documented best practices for Engineers by Engineers

BGP best practices ANSSI
https://www.sstic.org/media/SSTIC2012/SSTIC-actes/influence_des_bonnes_pratiques_sur_les_incidents_b/SSTIC2012-Article-influence_des_bonnes_pratiques_sur_les_incidents_bgp-contat_valadon_nataf_2.pdf

https://www.ams-ix.net/technical/specifications-descriptions/ams-ix-route-servers

these LAAS BGP http://www.laas.fr/1-31360-Detail-Soutenance-de-these.php?id=600
http://www.laas.fr/1-31706-Publications.php?author=7738
http://www.net.t-labs.tu-berlin.de/papers/OMUPMO-OOSICP-11.pdf
http://hal.archives-ouvertes.fr/docs/00/60/53/83/PDF/dVirt-virtual_platform.pdf
http://hal.archives-ouvertes.fr/docs/00/48/70/74/PDF/Poster_SIGCOMM2010_philippe.pdf

Le monde sur BGP http://reseaux.blog.lemonde.fr/2012/11/04/routage-enjeu-cyberstrategie/

coupure free wanadoo http://www.journaldunet.com/solutions/0301/030122_freeft.shtml

tsunami Japon 2011 et BGP : http://archive.psg.com/111206.conext-quake.pdf

Session is up on telnet:route-views.routeviews.org username rviews

BGP book http://www.bortzmeyer.org/files/bgp.html

Cyclops is able to detect several forms of route hijack attacks http://cyclops.cs.ucla.edu/
BGPmon monitors the routing of your prefixes and alerts you in case of an 'interesting' path chang http://www.bgpmon.net/

http://jointtransit.nl/prices.html

http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho

TouIX et GIX

http://touix.net
http://wikilulu.net/doku.php?id=articles:gix-howto

Evolutions de la conf BGP

TODO:
  • mise en place d'un gestionaire de version style git au moins pour documentation
  • Comment gerer les password MD5 du fichier de conf (les garder secrets tout en publiant le reste)
  • Atelier ?
    • Laurent GUERBY
    • Solarus
    • Ajouter son nom...

Alternative a MP BGP
http://tools.ietf.org/html/draft-ietf-idr-bgp-multisession-06

Add Path
http://tools.ietf.org/html/draft-ietf-idr-add-paths-07
support in bird ? http://marc.info/?l=bird-users&m=134409996129466&w=2

Liens

Configuration Toulouse

router id 91.224.148.2;
define myas = 197422;

protocol device {
    scan time 10;
        primary "eth0" 91.224.148.3;
}

protocol static static_bgp {
    import all;
    route 91.224.148.0/23 reject;
}

protocol kernel{
    import all;
    export all;
}

function avoid_martians()
prefix set martians;
{
  martians = [ 169.254.0.0/16+, 172.16.0.0/12+, 192.168.0.0/16+, 10.0.0.0/8+, 224.0.0.0/4+, 240.0.0.0/4+ ];

  # Avoid 0.0.0.0/X
  if net.ip = 0.0.0.0 then return false;

  # Avoid too short and too long prefixes
  if (net.len < 8) || (net.len > 24) then return false;

  # Avoid RFC1918 networks
  if net ~ martians then return false;
  return true;
}

filter bgp_OUT {
    if (net ~ [91.224.148.0/23]) then accept;
    else reject;
}

protocol bgp TOUIX {
        local as myas;
        neighbor 91.213.236.1 as 47184;
        preference 200;
        import where avoid_martians();
        export filter bgp_OUT;
}

protocol bgp JAGUAR {
     local as myas;
     neighbor 31.172.233.1 as 30781;
     preference 50;
         import where avoid_martians();
         export filter bgp_OUT;
}

protocol bgp TETANEUTRAL {
    local as myas;
    neighbor 91.224.148.2 as myas;
    preference 100;
    import where avoid_martians();
    export all;
}

IRR

Blackholing

Attaques

URPF

blacklister une/plusieures sources est relativement complexe à mettre en place sur une petite infrastructure car nécessite la mise en place de l'URPF (Unicast Reverse Path Forwarding).

http://www.cisco.com/web/about/security/intelligence/ipv6_rtbh.html

RFC3882

RFC1997

BIRD

Absolight

  • communauté 29608:65001 sur /24..32 IPv4 et /41..128 IPv6 => blackhole
  • test 20120703 IPv4 et IPv6, ça marche et convergence très rapide

GIXE

  • communauté 31576:666 sur /32 => blackhole
  • test 20120703 => marche pas encore, signalé et dev a faire coté GIXE pour autoriser les /32

Jaguar

Gitoyen

France-IX

Equinix-IX

TouIX

  • demande acces switch et route server 20120702
  • TODO

Hurricane Electric

Sfinx