OpenBGPD - Telecomix Crypto Munitions Bureau

OpenBGPD

From Telecomix Crypto Munitions Bureau


OpenBGPD is a nice program that comes with OpenBSD; FreeBSD has it in ports, and a portable version (OpenBGPD-portable) exists for other operating systems such as Linux.

It can be used to do nice dynamic routing in a darknet :) BGP is the protocol ISPs and other network providers use to exchange routes with each other. Every ISP (or any other network that speaks BGP) is its own Autonomous System (AS), identified by an Autonomous System Number (ASN); a BGP router announces routes on behalf of its AS, so in the darknet setup below every node that runs bgpd gets an ASN of its own.


Why use OpenBGPD?

  • Atomic reload of the config file: bgpctl reload parses the whole file first and keeps the running config if there is an error (Cisco and Quagga do not support this, afaik, they might flip out from normal usage)
  • Hm, I think it is rather secure. The OpenBSD people are good at this lol :)
  • It scales well with large networks (but who cares, as long as we do not build a trillion-node network this will not affect us.)

Be paranoid lol?

Make sure that only the BGP routers you trust can reach you on TCP port 179, the port BGP sessions run on, and use pf to enforce that. If you fail at this, someone else may be able to open a session and push routes into your routing table (bgpd installs the routes it accepts straight into the kernel), which means that you fail. Do not send the session in clear text either: run it over OpenVPN or IPsec. bgpd can additionally sign the TCP session with a shared secret (tcp md5sig in bgpd.conf), which makes the kernel drop spoofed segments, but that is authentication only and encrypts nothing.
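
A concrete version of that advice, added here as an example and not taken from the original page: pf rules that let only the trusted peer reach tcp port 179, and only over the VPN interface, plus the matching bgpd.conf neighbor options that bind bgpd to the VPN side and turn on TCP MD5 signatures (RFC 2385). The peer 9.9.9.9, AS 12345, the interface tun0, the local address 1.2.4.1 and the secret string are assumptions chosen to match the example config further down; the secret has to be identical on both routers.

```conf
# ---- /etc/pf.conf fragment (added example) ----
peer   = "9.9.9.9"          # the one BGP router you trust
bgp_if = "tun0"             # the VPN interface the session runs over

# pf evaluates rules first to last and the LAST match wins (unless "quick"),
# so: drop tcp/179 from everybody everywhere, then re-open it only for $peer
# on $bgp_if. ($bgp_if) means "the address of that interface".
block in log proto tcp from any to any port 179
pass in  on $bgp_if proto tcp from $peer    to ($bgp_if) port 179 flags S/SA keep state
pass out on $bgp_if proto tcp from ($bgp_if) to $peer    port 179 flags S/SA keep state

# ---- /etc/bgpd.conf neighbor block (added example) ----
listen on 1.2.4.1                   # assumed: an address of yours reachable only through the VPN,
                                    # so bgpd binds tcp/179 there and nowhere else
neighbor 9.9.9.9 {
   remote-as 12345
   depend on tun0                   # no session attempts while the VPN link is down
   tcp md5sig password "ChangeMe-SharedSecret"   # assumed secret; same on both sides.
                                                 # Spoofed segments without it are dropped by
                                                 # the kernel before bgpd sees them. Not encryption.
}
```

Check both files before loading them: pfctl -nf /etc/pf.conf parses the pf rules without installing them, and bgpd -n does the same for bgpd.conf. With the session signed, a peer that has the wrong secret stays in the Connect/Active state forever in bgpctl show, which is the symptom to look for when the secrets are out of sync.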

Example config to exchange routes with a single AS

The config lives in /etc/bgpd.conf and the daemon is controlled with bgpctl. After changing the config, check it with bgpd -n (config test mode, nothing is started) and then type bgpctl reload to make the running daemon re-read the file.

For more information:

man bgpd.conf

What this does:

  • You have ASN 9999 (just an example number; for a darknet pick a private ASN from 64512-65534 so you do not collide with a real network)
  • Peers with AS 12345, whose router is at 9.9.9.9
  • Only accepts routes inside 1.0.0.0/8, with prefix lengths from /10 to /30
  • Announces that you have the networks 1.2.3.0/24 and 1.2.4.0/24
  • Installs the accepted routes into your kernel routing table automagically (type "route -n show -inet" to see your IPv4 routing table)

AS 9999                             # your ASN
router-id 1.2.4.1                   # your router ID; use an IPv4 address you own
holdtime 30                         # default is 180 sec; a shorter holdtime drops a dead peer's routes sooner
#listen on 1.2.4.1                  # address bgpd listens on for tcp/179; with it commented out bgpd
                                    # listens on every address, so pf has to do the filtering

network 1.2.3.0/24                  # you own two networks, 1.2.3.0/24 and 1.2.4.0/24
network 1.2.4.0/24

neighbor 9.9.9.9 {                  # the peer router is 9.9.9.9 ...
   remote-as 12345                  # ... and belongs to AS 12345 (per-neighbor options go inside the block)
   depend on tun0                   # only bring the session up while tun0 is up
                                    # (do not try to contact your peer if the darknet link goes down)
   descr "your-friend-in-cipherspace"   # description lol
   announce all                     # send all your networks to your friend (1.2.3.0/24 and 1.2.4.0/24)
                                    # (old syntax; later OpenBGPD releases dropped it in favour of "allow to" filter rules)
   }

# Filter rules are evaluated first to last and the last matching rule wins (like pf),
# so the blanket deny comes first and the allow after it overrides it for 1.0.0.0/8.
deny from any                                           # deny everything
allow from any prefix 1.0.0.0/8 prefixlen 10 - 30       # allow everyone to send you routes belonging to 1.0.0.0/8
                                                        # prefixlen 10 - 30 means the CIDR length (the number after the
                                                        # slash, e.g. the /19 in 1.2.0.0/19) must be between 10 and 30;
                                                        # 1.0.0.0/8 itself (/8) and /32 host routes are refused

# I don't think these are needed, but their presence makes me feel safe :)
deny from any prefix 10.0.0.0/8 prefixlen >= 8          # private LAN addresses (RFC 1918)
deny from any prefix 172.16.0.0/12 prefixlen >= 12      # private LAN addresses (RFC 1918)
deny from any prefix 192.168.0.0/16 prefixlen >= 16     # private LAN addresses (RFC 1918)
deny from any prefix 169.254.0.0/16 prefixlen >= 16     # link-local autoconfiguration addresses
deny from any prefix 192.0.2.0/24 prefixlen >= 24       # I have no idea
deny from any prefix 224.0.0.0/4 prefixlen >= 4         # multicast
deny from any prefix 240.0.0.0/4 prefixlen >= 4         # reserved, should not be used anywhere
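
The filter above accepts 1.0.0.0/8 from any neighbor, puts no ceiling on how many routes the peer may push, and has no outbound rules at all. A tighter bgpd.conf, added here as an example and not the original page's config (same assumed values: AS 9999, neighbor 9.9.9.9 in AS 12345 over tun0, your networks 1.2.3.0/24 and 1.2.4.0/24, plus an assumed listen address, MD5 secret and max-prefix limit): routes are accepted only from that one neighbor, the session is torn down if it sends more than a fixed number of prefixes, the bogon denies use quick so that no later allow can override them, your own networks are never accepted back, and outbound announcements are limited to your own networks so that routes learned from one neighbor can never be re-announced to another (a route leak) once you add a second peer. It uses filter rules instead of announce all, which later OpenBGPD releases removed. 192.0.2.0/24, the range the original config could not place, is TEST-NET-1, reserved for documentation.

```conf
# /etc/bgpd.conf (added example, not the original page's config)
AS 9999
router-id 1.2.4.1
holdtime 30
listen on 1.2.4.1                   # assumed: address reachable only through the VPN

network 1.2.3.0/24
network 1.2.4.0/24

neighbor 9.9.9.9 {
   remote-as 12345
   descr "your-friend-in-cipherspace"
   depend on tun0
   tcp md5sig password "ChangeMe-SharedSecret"   # assumed secret, identical on both routers
   max-prefix 1000 restart 15       # assumed limit: drop the session above 1000 routes,
                                    # retry after 15 minutes (a runaway peer cannot fill your FIB)
}

# Rules are evaluated first to last, last match wins; "quick" stops evaluation
# at that rule, so nothing below can let these through.
deny quick from any prefix 0.0.0.0/8 prefixlen >= 8         # "this" network
deny quick from any prefix 10.0.0.0/8 prefixlen >= 8        # RFC 1918
deny quick from any prefix 127.0.0.0/8 prefixlen >= 8       # loopback
deny quick from any prefix 169.254.0.0/16 prefixlen >= 16   # link-local
deny quick from any prefix 172.16.0.0/12 prefixlen >= 12    # RFC 1918
deny quick from any prefix 192.0.2.0/24 prefixlen >= 24     # TEST-NET-1, documentation only
deny quick from any prefix 192.168.0.0/16 prefixlen >= 16   # RFC 1918
deny quick from any prefix 224.0.0.0/4 prefixlen >= 4       # multicast
deny quick from any prefix 240.0.0.0/4 prefixlen >= 4       # reserved
deny quick from any prefix 1.2.3.0/24 prefixlen >= 24       # never accept your own networks (or
deny quick from any prefix 1.2.4.0/24 prefixlen >= 24       # more specifics of them) from anyone

# Inbound: nothing by default, then only pieces of 1.0.0.0/8, and only from this neighbor.
deny from any
allow from 9.9.9.9 prefix 1.0.0.0/8 prefixlen 10 - 30

# Outbound: only your own networks leave, so routes learned from one
# neighbor are never re-announced to another.
deny to any
allow to 9.9.9.9 prefix 1.2.3.0/24
allow to 9.9.9.9 prefix 1.2.4.0/24
```

After bgpctl reload, bgpctl show rib neighbor 9.9.9.9 lists what was accepted from the peer and bgpctl show rib neighbor 9.9.9.9 out what is being sent to it; if a bogon or one of your own prefixes shows up in the first list, the quick rules are in the wrong place.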

bgpctl

bgpctl is the control program for the running bgpd; it talks to the daemon over its control socket.

bgpctl reload                 - atomic reload of bgpd.conf without taking your node offline; the file is parsed first and not loaded if it contains errors
bgpctl show                   - summary of your peers (state, uptime, prefixes received)
bgpctl network show           - shows the networks this node announces (your network statements and anything added with bgpctl network add); the whole table of routes received from peers is bgpctl show rib, and that can be a loooooooooooooong list
bgpctl network show inet6     - the same for IPv6 networks (yeah, OpenBGPD handles IPv6 routing too.)
bgpctl show interfaces        - lists your interfaces and their state

man bgpctl for more info :)
