diff --git a/README.md b/README.md
index bc5c490..6b40b7e 100644
--- a/README.md
+++ b/README.md
@@ -8,35 +8,15 @@ The contents of this repository are licensed under the [MIT license](LICENSE), s > This lab environment uses IPv6 **exclusively**. > [IPv6 support](https://docs.docker.com/config/daemon/ipv6/) **must** be enabled in Docker beforehand! -## Network Architecture -- There are 3 AS: AS23, AS42 and AS1337 -- Each pair of AS' has its own direct interconnect in a dedicated docker network. - - Exception: There are two AS23-AS42 interconnects, each in its own docker network. - - The IP range used in each interconnect is `fd00:d0ca::::/64`, where AS1337 uses `13` instead. `` is the interconnect ID (as there's tw between AS23 and AS42). +## General Info -## eBGP - -- Each AS runs an OpenBGPD router for eBGP peering. -- An [alice-lg](https://github.com/alice-lg/alice-lg) looking class connecting to all 3 BGP routers is started on [http://localhost:7340](http://localhost:7340). -- Each AS announces the `fd00:d0ca::1::/64` prefix. +- For detailed infos for each lab, check out the labs' README files. +- To get a lab environment up and running, `cd` into that directory and run `docker-compose up`. +- Unless otherwise notedf, each lab runs an [alice-lg](https://github.com/alice-lg/alice-lg) looking class on [http://localhost:7340](http://localhost:7340). 
-Example: traceroute from AS42 eBGP router to AS23 eBGP router: When the link is taken offline, the traffic is routed via AS1337 instead: +## Labs -```shell-session -routing-lab-as42-1:/ # traceroute fd00:d0ca:23:1::10 -traceroute to fd00:d0ca:23:1::10 (fd00:d0ca:23:1::10), 30 hops max, 72 byte packets - 1 fd00:d0ca:23:1::10 (fd00:d0ca:23:1::10) 0.022 ms 0.016 ms 0.014 ms -routing-lab-as42-1:/ # bgpctl -s /run/bgpd.sock.42 neigh as23_1 down -request processed -routing-lab-as42-1:/ # traceroute fd00:d0ca:23:1::10 -traceroute to fd00:d0ca:23:1::10 (fd00:d0ca:23:1::10), 30 hops max, 72 byte packets - 1 routing-lab-as1337-1.routing-lab_as42_as1337_1 (fd00:d0ca:4213:1::1337) 0.059 ms 0.016 ms 0.020 ms - 2 fd00:d0ca:23:1::10 (fd00:d0ca:23:1::10) 0.031 ms 0.019 ms 0.017 ms -routing-lab-as42-1:/ # bgpctl -s /run/bgpd.sock.42 neigh as23_1 up -request processed -routing-lab-as42-1:/ # traceroute fd00:d0ca:23:1::10 -traceroute to fd00:d0ca:23:1::10 (fd00:d0ca:23:1::10), 30 hops max, 72 byte packets - 1 fd00:d0ca:23:1::10 (fd00:d0ca:23:1::10) 0.017 ms 0.018 ms 0.018 ms -``` +1. [eBGP Routing with OpenBGPD](lab001-openbgpd-ebgp/) +1. [eBGP Routing with an OpenBGPD Route Server](lab002-openbgpd-ix-routeserver/) diff --git a/alice-lg/Dockerfile b/images/alice-lg/Dockerfile similarity index 100% rename from alice-lg/Dockerfile rename to images/alice-lg/Dockerfile diff --git a/images/alice-lg/alice.conf b/images/alice-lg/alice.conf new file mode 100644 index 0000000..f58aca5 --- /dev/null +++ b/images/alice-lg/alice.conf @@ -0,0 +1,8 @@ +[server] +listen_http = [::]:7340 + +[source.as23] +name = AS 23 + +[source.as23.openbgpd-bgplgd] +api = http://localhost:9099/ diff --git a/lab001-openbgpd-ebgp/README.md b/lab001-openbgpd-ebgp/README.md new file mode 100644 index 0000000..23b6bbe --- /dev/null +++ b/lab001-openbgpd-ebgp/README.md 
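Review bot: `listen_http = [::]:7340` in the new `images/alice-lg/alice.conf` binds the looking glass to every address, and the compose files in this commit run alice-lg with `network_mode: host`, so the UI is reachable on all host interfaces rather than only on the `localhost:7340` the READMEs mention. If only local access is intended, bind to loopback, e.g. `listen_http = [::1]:7340` (or `127.0.0.1:7340` if `localhost` resolves to IPv4 on the host). The same `[server]` line is added in `lab002-openbgpd-ix-routeserver/alice-lg/alice.conf`.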
@@ -0,0 +1,35 @@
+# Lab 1: eBGP Routing With OpenBGPD
+
+## Network Architecture
+
+- There are 3 AS: AS23, AS42 and AS1337
+- Each pair of AS' has its own direct interconnect in a dedicated docker network.
+ - The IP range used in each interconnect is `fd00:d0ca::1::/64`, where AS1337 uses `13` instead.
+
+## eBGP
+
+- Each AS runs an OpenBGPD router for eBGP peering.
+- An [alice-lg](https://github.com/alice-lg/alice-lg) looking class connecting to all 3 BGP routers is started on [http://localhost:7340](http://localhost:7340).
+- Each AS announces the `fd00:d0ca::1::/64` prefix.
+
+
+Example: traceroute from AS42 eBGP router to AS23 eBGP router: When the link is taken offline, the traffic is routed via AS1337 instead:
+
+```shell-session
+$ docker exec -it lab001-openbgpd-ebgp-as42-1 /bin/sh
+/ # traceroute -n fd00:d0ca:23:1::10
+traceroute to fd00:d0ca:23:1::10 (fd00:d0ca:23:1::10), 30 hops max, 72 byte packets
+ 1 fd00:d0ca:23:1::10 0.019 ms 0.021 ms 0.016 ms
+/ # bgpctl neigh as23_1 down
+request processed
+/ # traceroute -n fd00:d0ca:23:1::10
+traceroute to fd00:d0ca:23:1::10 (fd00:d0ca:23:1::10), 30 hops max, 72 byte packets
+ 1 fd00:d0ca:4213:1::1337 0.019 ms 0.019 ms 0.017 ms
+ 2 fd00:d0ca:23:1::10 0.015 ms 0.019 ms 0.017 ms
+/ # bgpctl neigh as23_1 up
+request processed
+/ # traceroute -n fd00:d0ca:23:1::10
+traceroute to fd00:d0ca:23:1::10 (fd00:d0ca:23:1::10), 30 hops max, 72 byte packets
+ 1 fd00:d0ca:23:1::10 0.019 ms 0.021 ms 0.016 ms
+```
+
diff --git a/alice-lg/alice.conf b/lab001-openbgpd-ebgp/alice-lg/alice.conf
similarity index 100%
rename from alice-lg/alice.conf
rename to lab001-openbgpd-ebgp/alice-lg/alice.conf
diff --git a/as1337/conf/bgpd.conf b/lab001-openbgpd-ebgp/as1337/conf/bgpd.conf
similarity index 59%
rename from as1337/conf/bgpd.conf
rename to lab001-openbgpd-ebgp/as1337/conf/bgpd.conf
index 8111393..b204e12 100644
--- a/as1337/conf/bgpd.conf
+++ b/lab001-openbgpd-ebgp/as1337/conf/bgpd.conf
@@ -1,29 +1,33 @@ AS 1337 -socket "/run/bgpd.sock.1337" +# The prefix originated by this router prefix-set mynetworks { fd00:d0ca:1337:1::/64 } +# Actually announce the prefix network prefix-set mynetworks +# Peering with the AS23 router neighbor fd00:d0ca:2313:1::23 { remote-as 23 descr "as23_1" multihop 10 - announce IPv6 unicast } +# Peering with the AS1337 router neighbor fd00:d0ca:4213:1::42 { remote-as 42 descr "as42_1" multihop 10 } -#allow to ebgp prefix-set mynetworks +# No route filtering, accept and advertise everything allow to ebgp allow from ebgp +# control socket used by bgpctl +socket "/run/bgpd/bgpd.sock.0" # restricted bgpd socket for bgplgd socket "/run/bgpd/bgpd.rsock" restricted diff --git a/as23/conf/bgpd.conf b/lab001-openbgpd-ebgp/as23/conf/bgpd.conf similarity index 59% rename from as23/conf/bgpd.conf rename to lab001-openbgpd-ebgp/as23/conf/bgpd.conf index 9f1d4af..3d478ed 100644 --- a/as23/conf/bgpd.conf +++ b/lab001-openbgpd-ebgp/as23/conf/bgpd.conf @@ -1,34 +1,33 @@ AS 23 -socket "/run/bgpd.sock.23" +# The prefix originated by this router prefix-set mynetworks { fd00:d0ca:23:1::/64 } +# Actually announce the prefix network prefix-set mynetworks +# Peering with the AS42 router neighbor fd00:d0ca:2342:1::42 { remote-as 42 descr "as42_1" multihop 10 } -#neighbor fd00:d0ca:2342:2::42 { -# remote-as 42 -# descr "as42_2" -# multihop 20 -#} - +# Peering with the AS1337 router neighbor fd00:d0ca:2313:1::1337 { remote-as 1337 descr "as1337_1" multihop 10 } -#allow to ebgp prefix-set mynetworks +# No route filtering, accept and advertise everything allow to ebgp allow from ebgp +# control socket used by bgpctl +socket "/run/bgpd/bgpd.sock.0" # restricted bgpd socket for bgplgd socket "/run/bgpd/bgpd.rsock" restricted diff --git a/as42/conf/bgpd.conf b/lab001-openbgpd-ebgp/as42/conf/bgpd.conf similarity index 56% rename from as42/conf/bgpd.conf rename to lab001-openbgpd-ebgp/as42/conf/bgpd.conf index 4ecfed9..8d5721e 100644 
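Review bot: The added comment `# Peering with the AS1337 router` in `lab001-openbgpd-ebgp/as1337/conf/bgpd.conf` sits above `neighbor fd00:d0ca:4213:1::42` with `remote-as 42`, inside AS 1337's own config, so it names the wrong peer; it should read `# Peering with the AS42 router`. The comment `# No route filtering, accept and advertise everything` above `allow to ebgp` / `allow from ebgp` would help readers more if it marked this as a lab-only policy, e.g. `# Lab only: no route filtering; a real eBGP session should filter on prefix and AS path`. The as23 and as42 configs in this commit carry the same unfiltered rules and the same comment.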
--- a/as42/conf/bgpd.conf +++ b/lab001-openbgpd-ebgp/as42/conf/bgpd.conf @@ -1,34 +1,33 @@ AS 42 -socket "/run/bgpd.sock.42" +# The prefix originated by this router prefix-set mynetworks { fd00:d0ca:42:1::/64 } +# Actually announce the prefix network prefix-set mynetworks +# Peering with the AS23 router neighbor fd00:d0ca:2342:1::23 { remote-as 23 descr "as23_1" - multihop 20 + multihop 10 } -#neighbor fd00:d0ca:2342:2::23 { -# remote-as 23 -# descr "as23_2" -# multihop 10 -#} - +# Peering with the AS1337 router neighbor fd00:d0ca:4213:1::1337 { remote-as 1337 descr "as1337_1" multihop 10 } -#allow to ebgp prefix-set mynetworks +# No route filtering, accept and advertise everything allow to ebgp allow from ebgp +# control socket used by bgpctl +socket "/run/bgpd/bgpd.sock.0" # restricted bgpd socket for bgplgd socket "/run/bgpd/bgpd.rsock" restricted diff --git a/docker-compose.yml b/lab001-openbgpd-ebgp/docker-compose.yml similarity index 78% rename from docker-compose.yml rename to lab001-openbgpd-ebgp/docker-compose.yml index 2151783..78a6b6a 100644 --- a/docker-compose.yml +++ b/lab001-openbgpd-ebgp/docker-compose.yml @@ -2,6 +2,9 @@ networks: + # Each of these networks is connected to one of the routers. + # These are the networks originated by their corresponding BGP routers. + as23_1: driver: bridge enable_ipv6: true @@ -26,6 +29,8 @@ networks: - subnet: fd00:d0ca:1337:1::/64 ip_range: fd00:d0ca:1337:1::/96 + # Each of these network is used for direct peering between two AS. + as23_as42_1: driver: bridge enable_ipv6: true @@ -34,14 +39,6 @@ networks: - subnet: fd00:d0ca:2342:1::/64 ip_range: fd00:d0ca:2342:1::/96 - as23_as42_2: - driver: bridge - enable_ipv6: true - ipam: - config: - - subnet: fd00:d0ca:2342:2::/64 - ip_range: fd00:d0ca:2342:2::/96 - as23_as1337_1: driver: bridge enable_ipv6: true 
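Review bot: `multihop 10` (changed here from 20 in the as42 config) is kept on peers that sit on the same docker bridge as this router, where a multihop allowance should not be needed and only relaxes the TTL expectation on incoming BGP packets. For directly connected eBGP peers, consider dropping `multihop` and setting `ttl-security yes` in each neighbor block so that packets which have crossed a router are rejected; it is worth confirming the sessions still establish on the docker bridges. The same applies to the neighbor blocks in the as23 and as1337 configs and to the route-server peerings added under lab002.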
@@ -61,23 +58,21 @@ networks: services: + # The 3 eBGP routers + as23: image: docker.io/openbgpd/openbgpd volumes: - ./as23/conf:/etc/bgpd - - ./as23/rpki:/var/lib/rpki-client - - ./as23/run:/run/bgpd sysctls: - - net.ipv6.conf.all.forwarding=1 + - net.ipv6.conf.all.forwarding=1 # Required order to actually forward packets cap_add: - - NET_ADMIN + - NET_ADMIN # Required to add learned routes to the FIB networks: as23_1: ipv6_address: fd00:d0ca:23:1::10 as23_as42_1: ipv6_address: fd00:d0ca:2342:1::23 - as23_as42_2: - ipv6_address: fd00:d0ca:2342:2::23 as23_as1337_1: ipv6_address: fd00:d0ca:2313:1::23 @@ -85,8 +80,6 @@ services: image: docker.io/openbgpd/openbgpd volumes: - ./as42/conf:/etc/bgpd - - ./as42/rpki:/var/lib/rpki-client - - ./as42/run:/run/bgpd sysctls: - net.ipv6.conf.all.forwarding=1 cap_add: @@ -96,8 +89,6 @@ services: ipv6_address: fd00:d0ca:42:1::10 as23_as42_1: ipv6_address: fd00:d0ca:2342:1::42 - as23_as42_2: - ipv6_address: fd00:d0ca:2342:2::42 as42_as1337_1: ipv6_address: fd00:d0ca:4213:1::42 @@ -105,8 +96,6 @@ services: image: docker.io/openbgpd/openbgpd volumes: - ./as1337/conf:/etc/bgpd - - ./as1337/rpki:/var/lib/rpki-client - - ./as1337/run:/run/bgpd sysctls: - net.ipv6.conf.all.forwarding=1 cap_add: @@ -119,6 +108,11 @@ services: as42_as1337_1: ipv6_address: fd00:d0ca:4213:1::1337 + + # The looking glass server + alice-lg: - build: ./alice-lg + build: ../images/alice-lg + volumes: + - ./alice-lg:/etc/alice-lg network_mode: host diff --git a/lab002-openbgpd-ix-routeserver/README.md b/lab002-openbgpd-ix-routeserver/README.md new file mode 100644 index 0000000..c206147 --- /dev/null +++ b/lab002-openbgpd-ix-routeserver/README.md 
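Review bot: The new `./alice-lg:/etc/alice-lg` mount on the alice-lg service is read-write, although the container only needs to read its config, and this service runs with `network_mode: host`; `- ./alice-lg:/etc/alice-lg:ro` keeps a compromised looking glass from rewriting the file on the host. The router `conf` mounts (context lines in this hunk) could take the same suffix, assuming bgpd does not write into `/etc/bgpd`. Separately, the inline comment `# Required order to actually forward packets` seems to have lost a word (`Required in order to …`), and the two explanatory comments are only on `as23`, not on the identical `as42` and `as1337` entries.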
@@ -0,0 +1,38 @@
+# Lab 2: eBGP Routing with an OpenBGPD Route Server
+
+## Network Architecture
+
+- There are 3 AS: AS23, AS42 and AS1337
+- All eBGP routers are connected to the same bridge (like an IX)
+- There is another OpenBGPD server on the same bridge acting as an IX route server.
+
+## eBGP
+
+- Each AS runs an OpenBGPD router for eBGP peering.
+- Each AS peers with the route server `fd00:d0ca:ffff:1::ffff`.
+- An [alice-lg](https://github.com/alice-lg/alice-lg) looking class connecting to all 3 BGP routers is started on [http://localhost:7340](http://localhost:7340).
+- Each AS announces the `fd00:d0ca::1::/64` prefix.
+
+
+Example: Verify that direct routes are configured in the FIB even though the routes were learned through the route server:
+
+```shell-session
+$ docker exec -it lab002-openbgpd-ix-routeserver-as23-1 /bin/sh
+/ # ip -6 r | grep 'via fd00'
+fd00:d0ca:42:1::/64 via fd00:d0ca:ffff:1::42 dev eth1 metric 1024
+fd00:d0ca:1337:1::/64 via fd00:d0ca:ffff:1::1337 dev eth1 metric 1024
+default via fd00:d0ca:23:1::1 dev eth0 metric 1024
+/ # bgpctl show rib
+flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
+ S = Stale, E = Error
+origin validation state: N = not-found, V = valid, ! = invalid
+aspa validation state: ? = unknown, V = valid, ! = invalid
+origin: i = IGP, e = EGP, ? = Incomplete
+
+flags vs destination gateway lpref med aspath origin
+AI*> N-? fd00:d0ca:23:1::/64 :: 100 0 i
+*> N-? fd00:d0ca:42:1::/64 fd00:d0ca:ffff:1::42 100 0 65535 42 i
+*> N-? fd00:d0ca:1337:1::/64 fd00:d0ca:ffff:1::1337 100 0 65535 1337 i
+```
+
+TODO: I don't yet understand why the AS 65535 (route server) is added to the AS path despite `transparent-as yes` being configured.
diff --git a/lab002-openbgpd-ix-routeserver/alice-lg/alice.conf b/lab002-openbgpd-ix-routeserver/alice-lg/alice.conf
new file mode 100644
index 0000000..9c2ced7
--- /dev/null
+++ b/lab002-openbgpd-ix-routeserver/alice-lg/alice.conf
@@ -0,0 +1,31 @@
+[server]
+listen_http = [::]:7340
+
+
+
+[source.as65535]
+name = Route Server
+
+[source.as65535.openbgpd-bgplgd]
+api = http://[fd00:d0ca:ffff:1::ffff]:9099/
+
+
+[source.as23]
+name = AS 23
+
+[source.as23.openbgpd-bgplgd]
+api = http://[fd00:d0ca:23:1::10]:9099/
+
+
+[source.as42]
+name = AS 42
+
+[source.as42.openbgpd-bgplgd]
+api = http://[fd00:d0ca:42:1::10]:9099/
+
+
+[source.as1337]
+name = AS 1337
+
+[source.as1337.openbgpd-bgplgd]
+api = http://[fd00:d0ca:42:1::10]:9099/
\ No newline at end of file
diff --git a/lab002-openbgpd-ix-routeserver/as1337/conf/bgpd.conf b/lab002-openbgpd-ix-routeserver/as1337/conf/bgpd.conf
new file mode 100644
index 0000000..44c6fb6
--- /dev/null
+++ b/lab002-openbgpd-ix-routeserver/as1337/conf/bgpd.conf
@@ -0,0 +1,26 @@
+
+AS 1337
+
+# The prefix originated by this router
+prefix-set mynetworks {
+ fd00:d0ca:1337:1::/64
+}
+
+# Actually announce the prefix
+network prefix-set mynetworks
+
+# Peering with the route server
+neighbor fd00:d0ca:ffff:1::ffff {
+ remote-as 65535
+ descr "route server"
+ multihop 10
+}
+
+# No route filtering, accept and advertise everything
+allow to ebgp
+allow from ebgp
+
+# control socket used by bgpctl
+socket "/run/bgpd/bgpd.sock.0"
+# restricted bgpd socket for bgplgd
+socket "/run/bgpd/bgpd.rsock" restricted
diff --git a/lab002-openbgpd-ix-routeserver/as23/conf/bgpd.conf b/lab002-openbgpd-ix-routeserver/as23/conf/bgpd.conf
new file mode 100644
index 0000000..1cb0cae
--- /dev/null
+++ b/lab002-openbgpd-ix-routeserver/as23/conf/bgpd.conf
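Review bot: In `lab002-openbgpd-ix-routeserver/alice-lg/alice.conf`, `[source.as1337.openbgpd-bgplgd]` points at `http://[fd00:d0ca:42:1::10]:9099/`, the address already used for the AS 42 source, so the looking glass would present AS 42's routes under the "AS 1337" label. The compose file in this commit gives the as1337 router `fd00:d0ca:1337:1::10`, so the line should be `api = http://[fd00:d0ca:1337:1::10]:9099/`. The file also ends without a trailing newline.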
@@ -0,0 +1,26 @@
+
+AS 23
+
+# The prefix originated by this router
+prefix-set mynetworks {
+ fd00:d0ca:23:1::/64
+}
+
+# Actually announce the prefix
+network prefix-set mynetworks
+
+# Peering with the route server
+neighbor fd00:d0ca:ffff:1::ffff {
+ remote-as 65535
+ descr "route server"
+ multihop 10
+}
+
+# No route filtering, accept and advertise everything
+allow to ebgp
+allow from ebgp
+
+# control socket used by bgpctl
+socket "/run/bgpd/bgpd.sock.0"
+# restricted bgpd socket for bgplgd
+socket "/run/bgpd/bgpd.rsock" restricted
diff --git a/lab002-openbgpd-ix-routeserver/as42/conf/bgpd.conf b/lab002-openbgpd-ix-routeserver/as42/conf/bgpd.conf
new file mode 100644
index 0000000..773a66d
--- /dev/null
+++ b/lab002-openbgpd-ix-routeserver/as42/conf/bgpd.conf
@@ -0,0 +1,26 @@
+
+AS 42
+
+# The prefix originated by this router
+prefix-set mynetworks {
+ fd00:d0ca:42:1::/64
+}
+
+# Actually announce the prefix
+network prefix-set mynetworks
+
+# Peering with the route server
+neighbor fd00:d0ca:ffff:1::ffff {
+ remote-as 65535
+ descr "route server"
+ multihop 10
+}
+
+# No route filtering, accept and advertise everything
+allow to ebgp
+allow from ebgp
+
+# control socket used by bgpctl
+socket "/run/bgpd/bgpd.sock.0"
+# restricted bgpd socket for bgplgd
+socket "/run/bgpd/bgpd.rsock" restricted
diff --git a/lab002-openbgpd-ix-routeserver/docker-compose.yml b/lab002-openbgpd-ix-routeserver/docker-compose.yml
new file mode 100644
index 0000000..351590a
--- /dev/null
+++ b/lab002-openbgpd-ix-routeserver/docker-compose.yml
@@ -0,0 +1,108 @@
+---
+
+networks:
+
+ # Each of these networks is connected to one of the routers.
+ # These are the networks originated by their corresponding BGP routers.
+
+ as23_1:
+ driver: bridge
+ enable_ipv6: true
+ ipam:
+ config:
+ - subnet: fd00:d0ca:23:1::/64
+ ip_range: fd00:d0ca:23:1::/96
+
+ as42_1:
+ driver: bridge
+ enable_ipv6: true
+ ipam:
+ config:
+ - subnet: fd00:d0ca:42:1::/64
+ ip_range: fd00:d0ca:42:1::/96
+
+ as1337_1:
+ driver: bridge
+ enable_ipv6: true
+ ipam:
+ config:
+ - subnet: fd00:d0ca:1337:1::/64
+ ip_range: fd00:d0ca:1337:1::/96
+
+ # This network is "the IX" where all the routers and the route server are plugged into
+
+ ix_1:
+ driver: bridge
+ enable_ipv6: true
+ ipam:
+ config:
+ - subnet: fd00:d0ca:ffff:1::/64
+ ip_range: fd00:d0ca:ffff:1::/96
+
+services:
+
+ # The 3 eBGP routers
+
+ as23:
+ image: docker.io/openbgpd/openbgpd
+ volumes:
+ - ./as23/conf:/etc/bgpd
+ sysctls:
+ - net.ipv6.conf.all.forwarding=1 # Required order to actually forward packets
+ cap_add:
+ - NET_ADMIN # Required to add learned routes to the FIB
+ networks:
+ as23_1:
+ ipv6_address: fd00:d0ca:23:1::10
+ ix_1:
+ ipv6_address: fd00:d0ca:ffff:1::23
+
+ as42:
+ image: docker.io/openbgpd/openbgpd
+ volumes:
+ - ./as42/conf:/etc/bgpd
+ sysctls:
+ - net.ipv6.conf.all.forwarding=1
+ cap_add:
+ - NET_ADMIN
+ networks:
+ as42_1:
+ ipv6_address: fd00:d0ca:42:1::10
+ ix_1:
+ ipv6_address: fd00:d0ca:ffff:1::42
+
+ as1337:
+ image: docker.io/openbgpd/openbgpd
+ volumes:
+ - ./as1337/conf:/etc/bgpd
+ sysctls:
+ - net.ipv6.conf.all.forwarding=1
+ cap_add:
+ - NET_ADMIN
+ networks:
+ as1337_1:
+ ipv6_address: fd00:d0ca:1337:1::10
+ ix_1:
+ ipv6_address: fd00:d0ca:ffff:1::1337
+
+ ixrs:
+ image: docker.io/openbgpd/openbgpd
+ volumes:
+ - ./ixrs/conf:/etc/bgpd
+ # The route server should not be doing any packet forwarding or FIB manipulation
+ #sysctls:
+ # - net.ipv6.conf.all.forwarding=1
+ #cap_add:
+ # - NET_ADMIN
+ networks:
+ ix_1:
+ ipv6_address: fd00:d0ca:ffff:1::ffff
+
+
+ # The looking glass server
+
+ alice-lg:
+ build: ../images/alice-lg
+ volumes:
+ - ./alice-lg:/etc/alice-lg
+ network_mode: host
diff --git a/lab002-openbgpd-ix-routeserver/ixrs/conf/bgpd.conf b/lab002-openbgpd-ix-routeserver/ixrs/conf/bgpd.conf
new file mode 100644
index 0000000..a698205
--- /dev/null
+++ b/lab002-openbgpd-ix-routeserver/ixrs/conf/bgpd.conf
@@ -0,0 +1,25 @@
+
+AS 65535
+
+# This router does not originate any prefixes
+
+# Peering with the 3 AS servers
+
+neighbor fd00:d0ca:ffff:1::/96 {
+ descr "Route Server clients"
+}
+
+# Don't append my ASN to AS path
+transparent-as yes
+
+# Don't add learned routes to local FIB
+fib-update no
+
+# No route filtering, accept and advertise everything
+allow to ebgp
+allow from ebgp
+
+# control socket used by bgpctl
+socket "/run/bgpd/bgpd.sock.0"
+# restricted bgpd socket for bgplgd
+socket "/run/bgpd/bgpd.rsock" restricted
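Review bot: All four router services in `lab002-openbgpd-ix-routeserver/docker-compose.yml` use `image: docker.io/openbgpd/openbgpd` with no tag or digest, so the lab runs whatever the default tag resolves to when the image is pulled, and three of those containers hold `NET_ADMIN`. Pinning the reference, e.g. `image: docker.io/openbgpd/openbgpd:<TAG>` (placeholder for the version the lab was tested with) or a digest, makes the lab reproducible and narrows supply-chain exposure. The commented-out `sysctls`/`cap_add` on `ixrs`, with the reason stated above them, is a good least-privilege choice and worth keeping as is.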
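Review bot: The template `neighbor fd00:d0ca:ffff:1::/96` in `ixrs/conf/bgpd.conf` has no `remote-as`, and combined with `allow from ebgp` this appears to let any host in that range on the IX bridge open a session under any AS number and announce any prefix. One explicit neighbor per client, e.g. `neighbor fd00:d0ca:ffff:1::23 { remote-as 23 descr "as23" }`, plus a per-client prefix filter would model how a route server is normally locked down. Separately, `transparent-as yes` is set after the neighbor block; if bgpd applies global settings only to neighbors defined later (worth checking against bgpd.conf(5)), that would explain the README's TODO about AS 65535 showing up in the path, so try moving the line above the neighbor block or into it.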