feat: restructure, add lab002: route server

This commit is contained in:
s3lph 2023-12-10 12:41:41 +01:00
parent 1c2d5653a5
commit fb072a01df
Signed by: s3lph
GPG key ID: 0AA29A52FB33CFB5
16 changed files with 367 additions and 68 deletions


@ -8,35 +8,15 @@ The contents of this repository are licensed under the [MIT license](LICENSE), s
> This lab environment uses IPv6 **exclusively**. > This lab environment uses IPv6 **exclusively**.
> [IPv6 support](https://docs.docker.com/config/daemon/ipv6/) **must** be enabled in Docker beforehand! > [IPv6 support](https://docs.docker.com/config/daemon/ipv6/) **must** be enabled in Docker beforehand!
## Network Architecture
- There are 3 AS: AS23, AS42 and AS1337 ## General Info
- Each pair of AS' has its own direct interconnect in a dedicated docker network.
- Exception: There are two AS23-AS42 interconnects, each in its own docker network.
- The IP range used in each interconnect is `fd00:d0ca:<ASN1><ASN2>:<IC#>::/64`, where AS1337 uses `13` instead. `<IC#>` is the interconnect ID (as there's tw between AS23 and AS42).
## eBGP - For detailed infos for each lab, check out the labs' README files.
- To get a lab environment up and running, `cd` into that directory and run `docker-compose up`.
- Each AS runs an OpenBGPD router for eBGP peering. - Unless otherwise notedf, each lab runs an [alice-lg](https://github.com/alice-lg/alice-lg) looking class on [http://localhost:7340](http://localhost:7340).
- An [alice-lg](https://github.com/alice-lg/alice-lg) looking class connecting to all 3 BGP routers is started on [http://localhost:7340](http://localhost:7340).
- Each AS announces the `fd00:d0ca:<ASN>:1::/64` prefix.
Example: traceroute from AS42 eBGP router to AS23 eBGP router: When the link is taken offline, the traffic is routed via AS1337 instead: ## Labs
```shell-session 1. [eBGP Routing with OpenBGPD](lab001-openbgpd-ebgp/)
routing-lab-as42-1:/ # traceroute fd00:d0ca:23:1::10 1. [eBGP Routing with an OpenBGPD Route Server](lab002-openbgpd-ix-routeserver/)
traceroute to fd00:d0ca:23:1::10 (fd00:d0ca:23:1::10), 30 hops max, 72 byte packets
1 fd00:d0ca:23:1::10 (fd00:d0ca:23:1::10) 0.022 ms 0.016 ms 0.014 ms
routing-lab-as42-1:/ # bgpctl -s /run/bgpd.sock.42 neigh as23_1 down
request processed
routing-lab-as42-1:/ # traceroute fd00:d0ca:23:1::10
traceroute to fd00:d0ca:23:1::10 (fd00:d0ca:23:1::10), 30 hops max, 72 byte packets
1 routing-lab-as1337-1.routing-lab_as42_as1337_1 (fd00:d0ca:4213:1::1337) 0.059 ms 0.016 ms 0.020 ms
2 fd00:d0ca:23:1::10 (fd00:d0ca:23:1::10) 0.031 ms 0.019 ms 0.017 ms
routing-lab-as42-1:/ # bgpctl -s /run/bgpd.sock.42 neigh as23_1 up
request processed
routing-lab-as42-1:/ # traceroute fd00:d0ca:23:1::10
traceroute to fd00:d0ca:23:1::10 (fd00:d0ca:23:1::10), 30 hops max, 72 byte packets
1 fd00:d0ca:23:1::10 (fd00:d0ca:23:1::10) 0.017 ms 0.018 ms 0.018 ms
```


@ -0,0 +1,8 @@
[server]
listen_http = [::]:7340
[source.as23]
name = AS 23
[source.as23.openbgpd-bgplgd]
api = http://localhost:9099/
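Review bot: This looking-glass config declares only `[source.as23]`, pointed at `http://localhost:9099/`, while the lab001 README added in this commit says the looking glass connects to all 3 BGP routers; either the `as42`/`as1337` sources are missing here or the README overstates it. The `localhost` endpoint also differs from the lab002 config in this commit, which uses each router's container IPv6 address — with alice-lg on `network_mode: host` and the routers on bridge networks, `localhost:9099` presumably does not reach the as23 container's bgplgd; verify. Separately, `listen_http = [::]:7340` under host networking exposes the looking glass on every interface of the Docker host rather than only the `localhost:7340` the README mentions; `listen_http = [::1]:7340` would match the documented scope.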


@ -0,0 +1,35 @@
# Lab 1: eBGP Routing With OpenBGPD
## Network Architecture
- There are 3 AS: AS23, AS42 and AS1337
- Each pair of AS' has its own direct interconnect in a dedicated docker network.
- The IP range used in each interconnect is `fd00:d0ca:<ASN1><ASN2>:1::/64`, where AS1337 uses `13` instead.
## eBGP
- Each AS runs an OpenBGPD router for eBGP peering.
- An [alice-lg](https://github.com/alice-lg/alice-lg) looking class connecting to all 3 BGP routers is started on [http://localhost:7340](http://localhost:7340).
- Each AS announces the `fd00:d0ca:<ASN>:1::/64` prefix.
Example: traceroute from AS42 eBGP router to AS23 eBGP router: When the link is taken offline, the traffic is routed via AS1337 instead:
```shell-session
$ docker exec -it lab001-openbgpd-ebgp-as42-1 /bin/sh
/ # traceroute -n fd00:d0ca:23:1::10
traceroute to fd00:d0ca:23:1::10 (fd00:d0ca:23:1::10), 30 hops max, 72 byte packets
1 fd00:d0ca:23:1::10 0.019 ms 0.021 ms 0.016 ms
/ # bgpctl neigh as23_1 down
request processed
/ # traceroute -n fd00:d0ca:23:1::10
traceroute to fd00:d0ca:23:1::10 (fd00:d0ca:23:1::10), 30 hops max, 72 byte packets
1 fd00:d0ca:4213:1::1337 0.019 ms 0.019 ms 0.017 ms
2 fd00:d0ca:23:1::10 0.015 ms 0.019 ms 0.017 ms
/ # bgpctl neigh as23_1 up
request processed
/ # traceroute -n fd00:d0ca:23:1::10
traceroute to fd00:d0ca:23:1::10 (fd00:d0ca:23:1::10), 30 hops max, 72 byte packets
1 fd00:d0ca:23:1::10 0.019 ms 0.021 ms 0.016 ms
```


@ -1,29 +1,33 @@
AS 1337 AS 1337
socket "/run/bgpd.sock.1337"
# The prefix originated by this router
prefix-set mynetworks { prefix-set mynetworks {
fd00:d0ca:1337:1::/64 fd00:d0ca:1337:1::/64
} }
# Actually announce the prefix
network prefix-set mynetworks network prefix-set mynetworks
# Peering with the AS23 router
neighbor fd00:d0ca:2313:1::23 { neighbor fd00:d0ca:2313:1::23 {
remote-as 23 remote-as 23
descr "as23_1" descr "as23_1"
multihop 10 multihop 10
announce IPv6 unicast
} }
# Peering with the AS1337 router
neighbor fd00:d0ca:4213:1::42 { neighbor fd00:d0ca:4213:1::42 {
remote-as 42 remote-as 42
descr "as42_1" descr "as42_1"
multihop 10 multihop 10
} }
#allow to ebgp prefix-set mynetworks # No route filtering, accept and advertise everything
allow to ebgp allow to ebgp
allow from ebgp allow from ebgp
# control socket used by bgpctl
socket "/run/bgpd/bgpd.sock.0"
# restricted bgpd socket for bgplgd # restricted bgpd socket for bgplgd
socket "/run/bgpd/bgpd.rsock" restricted socket "/run/bgpd/bgpd.rsock" restricted
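Review bot: The comment added above the `remote-as 42` neighbor reads `# Peering with the AS1337 router`, but this file is the AS 1337 router's own config and that neighbor is the AS 42 router; it should read `# Peering with the AS42 router`. The equivalent comments in the as23 and as42 configs of this commit are correct. Also, `announce IPv6 unicast` appears only in the `as23_1` neighbor block here and in no other neighbor block in this commit; if it is on the new side, either both neighbors should carry it or, since announcing the neighbor's own address family appears to be the default, it can be dropped for consistency.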


@ -1,34 +1,33 @@
AS 23 AS 23
socket "/run/bgpd.sock.23"
# The prefix originated by this router
prefix-set mynetworks { prefix-set mynetworks {
fd00:d0ca:23:1::/64 fd00:d0ca:23:1::/64
} }
# Actually announce the prefix
network prefix-set mynetworks network prefix-set mynetworks
# Peering with the AS42 router
neighbor fd00:d0ca:2342:1::42 { neighbor fd00:d0ca:2342:1::42 {
remote-as 42 remote-as 42
descr "as42_1" descr "as42_1"
multihop 10 multihop 10
} }
#neighbor fd00:d0ca:2342:2::42 { # Peering with the AS1337 router
# remote-as 42
# descr "as42_2"
# multihop 20
#}
neighbor fd00:d0ca:2313:1::1337 { neighbor fd00:d0ca:2313:1::1337 {
remote-as 1337 remote-as 1337
descr "as1337_1" descr "as1337_1"
multihop 10 multihop 10
} }
#allow to ebgp prefix-set mynetworks # No route filtering, accept and advertise everything
allow to ebgp allow to ebgp
allow from ebgp allow from ebgp
# control socket used by bgpctl
socket "/run/bgpd/bgpd.sock.0"
# restricted bgpd socket for bgplgd # restricted bgpd socket for bgplgd
socket "/run/bgpd/bgpd.rsock" restricted socket "/run/bgpd/bgpd.rsock" restricted


@ -1,34 +1,33 @@
AS 42 AS 42
socket "/run/bgpd.sock.42"
# The prefix originated by this router
prefix-set mynetworks { prefix-set mynetworks {
fd00:d0ca:42:1::/64 fd00:d0ca:42:1::/64
} }
# Actually announce the prefix
network prefix-set mynetworks network prefix-set mynetworks
# Peering with the AS23 router
neighbor fd00:d0ca:2342:1::23 { neighbor fd00:d0ca:2342:1::23 {
remote-as 23 remote-as 23
descr "as23_1" descr "as23_1"
multihop 20 multihop 10
} }
#neighbor fd00:d0ca:2342:2::23 { # Peering with the AS1337 router
# remote-as 23
# descr "as23_2"
# multihop 10
#}
neighbor fd00:d0ca:4213:1::1337 { neighbor fd00:d0ca:4213:1::1337 {
remote-as 1337 remote-as 1337
descr "as1337_1" descr "as1337_1"
multihop 10 multihop 10
} }
#allow to ebgp prefix-set mynetworks # No route filtering, accept and advertise everything
allow to ebgp allow to ebgp
allow from ebgp allow from ebgp
# control socket used by bgpctl
socket "/run/bgpd/bgpd.sock.0"
# restricted bgpd socket for bgplgd # restricted bgpd socket for bgplgd
socket "/run/bgpd/bgpd.rsock" restricted socket "/run/bgpd/bgpd.rsock" restricted


@ -2,6 +2,9 @@
networks: networks:
# Each of these networks is connected to one of the routers.
# These are the networks originated by their corresponding BGP routers.
as23_1: as23_1:
driver: bridge driver: bridge
enable_ipv6: true enable_ipv6: true
@ -26,6 +29,8 @@ networks:
- subnet: fd00:d0ca:1337:1::/64 - subnet: fd00:d0ca:1337:1::/64
ip_range: fd00:d0ca:1337:1::/96 ip_range: fd00:d0ca:1337:1::/96
# Each of these network is used for direct peering between two AS.
as23_as42_1: as23_as42_1:
driver: bridge driver: bridge
enable_ipv6: true enable_ipv6: true
@ -34,14 +39,6 @@ networks:
- subnet: fd00:d0ca:2342:1::/64 - subnet: fd00:d0ca:2342:1::/64
ip_range: fd00:d0ca:2342:1::/96 ip_range: fd00:d0ca:2342:1::/96
as23_as42_2:
driver: bridge
enable_ipv6: true
ipam:
config:
- subnet: fd00:d0ca:2342:2::/64
ip_range: fd00:d0ca:2342:2::/96
as23_as1337_1: as23_as1337_1:
driver: bridge driver: bridge
enable_ipv6: true enable_ipv6: true
@ -61,23 +58,21 @@ networks:
services: services:
# The 3 eBGP routers
as23: as23:
image: docker.io/openbgpd/openbgpd image: docker.io/openbgpd/openbgpd
volumes: volumes:
- ./as23/conf:/etc/bgpd - ./as23/conf:/etc/bgpd
- ./as23/rpki:/var/lib/rpki-client
- ./as23/run:/run/bgpd
sysctls: sysctls:
- net.ipv6.conf.all.forwarding=1 - net.ipv6.conf.all.forwarding=1 # Required order to actually forward packets
cap_add: cap_add:
- NET_ADMIN - NET_ADMIN # Required to add learned routes to the FIB
networks: networks:
as23_1: as23_1:
ipv6_address: fd00:d0ca:23:1::10 ipv6_address: fd00:d0ca:23:1::10
as23_as42_1: as23_as42_1:
ipv6_address: fd00:d0ca:2342:1::23 ipv6_address: fd00:d0ca:2342:1::23
as23_as42_2:
ipv6_address: fd00:d0ca:2342:2::23
as23_as1337_1: as23_as1337_1:
ipv6_address: fd00:d0ca:2313:1::23 ipv6_address: fd00:d0ca:2313:1::23
@ -85,8 +80,6 @@ services:
image: docker.io/openbgpd/openbgpd image: docker.io/openbgpd/openbgpd
volumes: volumes:
- ./as42/conf:/etc/bgpd - ./as42/conf:/etc/bgpd
- ./as42/rpki:/var/lib/rpki-client
- ./as42/run:/run/bgpd
sysctls: sysctls:
- net.ipv6.conf.all.forwarding=1 - net.ipv6.conf.all.forwarding=1
cap_add: cap_add:
@ -96,8 +89,6 @@ services:
ipv6_address: fd00:d0ca:42:1::10 ipv6_address: fd00:d0ca:42:1::10
as23_as42_1: as23_as42_1:
ipv6_address: fd00:d0ca:2342:1::42 ipv6_address: fd00:d0ca:2342:1::42
as23_as42_2:
ipv6_address: fd00:d0ca:2342:2::42
as42_as1337_1: as42_as1337_1:
ipv6_address: fd00:d0ca:4213:1::42 ipv6_address: fd00:d0ca:4213:1::42
@ -105,8 +96,6 @@ services:
image: docker.io/openbgpd/openbgpd image: docker.io/openbgpd/openbgpd
volumes: volumes:
- ./as1337/conf:/etc/bgpd - ./as1337/conf:/etc/bgpd
- ./as1337/rpki:/var/lib/rpki-client
- ./as1337/run:/run/bgpd
sysctls: sysctls:
- net.ipv6.conf.all.forwarding=1 - net.ipv6.conf.all.forwarding=1
cap_add: cap_add:
@ -119,6 +108,11 @@ services:
as42_as1337_1: as42_as1337_1:
ipv6_address: fd00:d0ca:4213:1::1337 ipv6_address: fd00:d0ca:4213:1::1337
# The looking glass server
alice-lg: alice-lg:
build: ./alice-lg build: ../images/alice-lg
volumes:
- ./alice-lg:/etc/alice-lg
network_mode: host network_mode: host
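Review bot: Two of the added comments have typos: `# Each of these network is used for direct peering between two AS.` should be `# Each of these networks is used for direct peering between two AS.`, and the inline comment on the forwarding sysctl, `# Required order to actually forward packets`, should read `# Required in order to actually forward packets`. The same sysctl comment typo is repeated in the new lab002 compose file in this commit. The explanatory comments on `sysctls` and `cap_add` were added only to the `as23` service; a short `# same settings as as23` on `as42` and `as1337` would make clear the three are meant to stay identical.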


@ -0,0 +1,38 @@
# Lab 2: eBGP Routing with an OpenBGPD Route Server
## Network Architecture
- There are 3 AS: AS23, AS42 and AS1337
- All eBGP routers are connected to the same bridge (like an IX)
- There is another OpenBGPD server on the same bridge acting as an IX route server.
## eBGP
- Each AS runs an OpenBGPD router for eBGP peering.
- Each AS peers with the route server `fd00:d0ca:ffff:1::ffff`.
- An [alice-lg](https://github.com/alice-lg/alice-lg) looking class connecting to all 3 BGP routers is started on [http://localhost:7340](http://localhost:7340).
- Each AS announces the `fd00:d0ca:<ASN>:1::/64` prefix.
Example: Verify that direct routes are configured in the FIB even though the routes were learned through the route server:
```shell-session
$ docker exec -it lab002-openbgpd-ix-routeserver-as23-1 /bin/sh
/ # ip -6 r | grep 'via fd00'
fd00:d0ca:42:1::/64 via fd00:d0ca:ffff:1::42 dev eth1 metric 1024
fd00:d0ca:1337:1::/64 via fd00:d0ca:ffff:1::1337 dev eth1 metric 1024
default via fd00:d0ca:23:1::1 dev eth0 metric 1024
/ # bgpctl show rib
flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
aspa validation state: ? = unknown, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete
flags vs destination gateway lpref med aspath origin
AI*> N-? fd00:d0ca:23:1::/64 :: 100 0 i
*> N-? fd00:d0ca:42:1::/64 fd00:d0ca:ffff:1::42 100 0 65535 42 i
*> N-? fd00:d0ca:1337:1::/64 fd00:d0ca:ffff:1::1337 100 0 65535 1337 i
```
TODO: I don't yet understand why the AS 65535 (route server) is added to the AS path despite `transparent-as yes` being configured.


@ -0,0 +1,31 @@
[server]
listen_http = [::]:7340
[source.as65535]
name = Route Server
[source.as65535.openbgpd-bgplgd]
api = http://[fd00:d0ca:ffff:1::ffff]:9099/
[source.as23]
name = AS 23
[source.as23.openbgpd-bgplgd]
api = http://[fd00:d0ca:23:1::10]:9099/
[source.as42]
name = AS 42
[source.as42.openbgpd-bgplgd]
api = http://[fd00:d0ca:42:1::10]:9099/
[source.as1337]
name = AS 1337
[source.as1337.openbgpd-bgplgd]
api = http://[fd00:d0ca:42:1::10]:9099/
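Review bot: `[source.as1337.openbgpd-bgplgd]` points at `http://[fd00:d0ca:42:1::10]:9099/`, which is the AS 42 router's address (the lab002 compose file in this commit gives `as1337` the address `fd00:d0ca:1337:1::10`), so the AS 1337 tab in the looking glass would silently show AS 42's data; it should be `api = http://[fd00:d0ca:1337:1::10]:9099/`. As in the lab001 config, `listen_http = [::]:7340` together with the service's `network_mode: host` exposes the looking glass on all host interfaces rather than only the `localhost:7340` documented in the README; `listen_http = [::1]:7340` would limit it to local access.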


@ -0,0 +1,26 @@
AS 1337
# The prefix originated by this router
prefix-set mynetworks {
fd00:d0ca:1337:1::/64
}
# Actually announce the prefix
network prefix-set mynetworks
# Peering with the route server
neighbor fd00:d0ca:ffff:1::ffff {
remote-as 65535
descr "route server"
multihop 10
}
# No route filtering, accept and advertise everything
allow to ebgp
allow from ebgp
# control socket used by bgpctl
socket "/run/bgpd/bgpd.sock.0"
# restricted bgpd socket for bgplgd
socket "/run/bgpd/bgpd.rsock" restricted
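Review bot: `multihop 10` is set on the route-server neighbor, yet the route server sits on the same `ix_1` bridge as this router (both carry `fd00:d0ca:ffff:1::` addresses in the lab002 compose file), so the session appears to be directly connected and the TTL relaxation looks unnecessary. If it is kept on purpose, a comment such as `# multihop kept so the config also works when the RS is not on-link` would explain it; otherwise drop the line. The same applies to the as23 and as42 configs of this lab.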


@ -0,0 +1,26 @@
AS 23
# The prefix originated by this router
prefix-set mynetworks {
fd00:d0ca:23:1::/64
}
# Actually announce the prefix
network prefix-set mynetworks
# Peering with the route server
neighbor fd00:d0ca:ffff:1::ffff {
remote-as 65535
descr "route server"
multihop 10
}
# No route filtering, accept and advertise everything
allow to ebgp
allow from ebgp
# control socket used by bgpctl
socket "/run/bgpd/bgpd.sock.0"
# restricted bgpd socket for bgplgd
socket "/run/bgpd/bgpd.rsock" restricted


@ -0,0 +1,26 @@
AS 42
# The prefix originated by this router
prefix-set mynetworks {
fd00:d0ca:42:1::/64
}
# Actually announce the prefix
network prefix-set mynetworks
# Peering with the route server
neighbor fd00:d0ca:ffff:1::ffff {
remote-as 65535
descr "route server"
multihop 10
}
# No route filtering, accept and advertise everything
allow to ebgp
allow from ebgp
# control socket used by bgpctl
socket "/run/bgpd/bgpd.sock.0"
# restricted bgpd socket for bgplgd
socket "/run/bgpd/bgpd.rsock" restricted


@ -0,0 +1,108 @@
---
networks:
# Each of these networks is connected to one of the routers.
# These are the networks originated by their corresponding BGP routers.
as23_1:
driver: bridge
enable_ipv6: true
ipam:
config:
- subnet: fd00:d0ca:23:1::/64
ip_range: fd00:d0ca:23:1::/96
as42_1:
driver: bridge
enable_ipv6: true
ipam:
config:
- subnet: fd00:d0ca:42:1::/64
ip_range: fd00:d0ca:42:1::/96
as1337_1:
driver: bridge
enable_ipv6: true
ipam:
config:
- subnet: fd00:d0ca:1337:1::/64
ip_range: fd00:d0ca:1337:1::/96
# This network is "the IX" where all the routers and the route server are plugged into
ix_1:
driver: bridge
enable_ipv6: true
ipam:
config:
- subnet: fd00:d0ca:ffff:1::/64
ip_range: fd00:d0ca:ffff:1::/96
services:
# The 3 eBGP routers
as23:
image: docker.io/openbgpd/openbgpd
volumes:
- ./as23/conf:/etc/bgpd
sysctls:
- net.ipv6.conf.all.forwarding=1 # Required order to actually forward packets
cap_add:
- NET_ADMIN # Required to add learned routes to the FIB
networks:
as23_1:
ipv6_address: fd00:d0ca:23:1::10
ix_1:
ipv6_address: fd00:d0ca:ffff:1::23
as42:
image: docker.io/openbgpd/openbgpd
volumes:
- ./as42/conf:/etc/bgpd
sysctls:
- net.ipv6.conf.all.forwarding=1
cap_add:
- NET_ADMIN
networks:
as42_1:
ipv6_address: fd00:d0ca:42:1::10
ix_1:
ipv6_address: fd00:d0ca:ffff:1::42
as1337:
image: docker.io/openbgpd/openbgpd
volumes:
- ./as1337/conf:/etc/bgpd
sysctls:
- net.ipv6.conf.all.forwarding=1
cap_add:
- NET_ADMIN
networks:
as1337_1:
ipv6_address: fd00:d0ca:1337:1::10
ix_1:
ipv6_address: fd00:d0ca:ffff:1::1337
ixrs:
image: docker.io/openbgpd/openbgpd
volumes:
- ./ixrs/conf:/etc/bgpd
# The route server should not be doing any packet forwarding or FIB manipulation
#sysctls:
# - net.ipv6.conf.all.forwarding=1
#cap_add:
# - NET_ADMIN
networks:
ix_1:
ipv6_address: fd00:d0ca:ffff:1::ffff
# The looking glass server
alice-lg:
build: ../images/alice-lg
volumes:
- ./alice-lg:/etc/alice-lg
network_mode: host
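Review bot: `image: docker.io/openbgpd/openbgpd` is used without a tag or digest for all four router services, so every `docker-compose up` pulls whatever the default tag resolves to at that time and the lab's observable behaviour (e.g. the `bgpctl show rib` output quoted in the lab002 README) can change between runs; pinning a tag, or better an `@sha256:` digest, makes the lab reproducible. The inline comment `# Required order to actually forward packets` has the same typo as in the lab001 compose file and should read `# Required in order to actually forward packets`. Leaving `sysctls` and `cap_add` off the `ixrs` service is the right least-privilege choice for a route server; the commented-out YAML could be replaced by the single explanatory comment so dead config does not drift from the live services above it.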


@ -0,0 +1,25 @@
AS 65535
# This router does not originate any prefixes
# Peering with the 3 AS servers
neighbor fd00:d0ca:ffff:1::/96 {
descr "Route Server clients"
}
# Don't append my ASN to AS path
transparent-as yes
# Don't add learned routes to local FIB
fib-update no
# No route filtering, accept and advertise everything
allow to ebgp
allow from ebgp
# control socket used by bgpctl
socket "/run/bgpd/bgpd.sock.0"
# restricted bgpd socket for bgplgd
socket "/run/bgpd/bgpd.rsock" restricted
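Review bot: `transparent-as yes` is documented in bgpd.conf(5) as a neighbor option, and here it is placed after the `neighbor fd00:d0ca:ffff:1::/96 { … }` block; if bgpd applies such settings only to neighbors defined after them, the template neighbor would not inherit it, which would explain the TODO in the lab002 README of this commit about AS 65535 still appearing in the AS path. Moving `transparent-as yes` above the `neighbor` block, or placing it inside the block, is the first thing to test; `fib-update no` is a global option, so its position does not matter. Also note the template neighbor has no `remote-as`, so with the unfiltered `allow from ebgp` any host that obtains an address in `fd00:d0ca:ffff:1::/96` can bring up a session and inject arbitrary prefixes; that is acceptable for this lab but deserves a comment next to the allow rules such as `# Lab only: any AS on the IX bridge is accepted and nothing is filtered`.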