WEBVTT

00:00.000 --> 00:17.680
So, hello, so I will talk about automating BGPP rings in DN42 and how you can do the same.

00:17.680 --> 00:21.000
And I hope you would want to do the same after.

00:21.000 --> 00:25.680
To start, I'm here some cartoon.

00:25.680 --> 00:32.680
I work as an HP system and we're just better at the University of Luxembourg.

00:32.680 --> 00:38.880
I've worked on two years for a long time, I contribute to small things they are in there,

00:38.880 --> 00:42.520
especially PKG-Bull in the afternoon.

00:42.520 --> 00:47.440
It's also my first time presenting that for them.

00:47.440 --> 00:53.000
So just to start, I explain what is DN42.

00:53.000 --> 01:00.600
It's a decent whereas network aimed at milling the real internet and it's an educational

01:00.600 --> 01:07.960
frequent where you can test, where you can manipulate internet technologies and protocols

01:07.960 --> 01:14.640
without in a safe environment, without any risk of breaking the real internet.

01:14.640 --> 01:22.960
It's a real world knife which means it's a novel in network and it aims also at replicating

01:23.920 --> 01:28.920
different sort of bandwidth of latencies.

01:28.920 --> 01:34.720
It's used to, mainly to Internet, it's used mainly as an encryption bring-wood.

01:34.720 --> 01:42.000
Also, at internet for interconnecting community such as the care species,

01:42.000 --> 01:49.280
omelaps sometimes some events and it's ideal for testing any internet protocols,

01:49.320 --> 01:52.360
such as BGP of course.

01:52.360 --> 01:58.360
It's completely community driven so nobody is paid to work on DN42 to my knowledge.

01:58.360 --> 02:03.000
It's completely obvious network.

02:03.000 --> 02:11.240
It's another network so it's built above the internet using mainly VPN tunnels.

02:11.240 --> 02:15.480
I've seen a lot of why you're getting two naps, especially.

02:15.520 --> 02:23.520
It's quite large scale, why not Internet scale but there's something like one thousand participants.

02:23.520 --> 02:32.440
So one thousand, one thousand to the most system numbers and I think around two thousand

02:32.440 --> 02:37.760
goods, two thousand IPv4 plus IPv6 prefixes.

02:37.760 --> 02:43.640
It's also technology-admostic so you're on-coach to use first to join, but if you want to join

02:43.680 --> 02:50.960
the moscisco switch up to you and it's used private address space for IPv4 IPv6 and

02:50.960 --> 02:55.160
private ASN numbers.

02:55.160 --> 02:59.600
So this is actually a visualization of the DN42 network.

02:59.600 --> 03:11.200
You see each dot is an AS and the links are piling, piling links.

03:11.240 --> 03:17.520
So it's a very old ecosystem in the DN42, it's a source of proof which is the registry.

03:17.520 --> 03:26.960
Basically big git repository with all the objects for ASN numbers prefixes.

03:26.960 --> 03:37.240
It's also identity services with a wiz, there's a C, there's a for native and DNS for

03:37.280 --> 03:42.480
the DN42 TLU which is only valid inside the DN42.

03:42.480 --> 03:50.120
It supports R.O.A.R.PKI, there is plenty of community services posted internally like

03:50.120 --> 03:59.120
looking glasses, IRC servers, boards, real-time maps, share servers, share servers or quite

03:59.120 --> 04:04.920
nice because you can connect to the other side of the network and see what happens to

04:04.920 --> 04:09.600
your packets and use standard Linux commands to debug your network in example.

04:09.600 --> 04:15.200
For the web pages with your server, with you are quite nice to generate some traffic.

04:15.200 --> 04:21.160
Vice gaming servers has a whole list on the DN42 website.

04:21.160 --> 04:28.240
So I have to explain a bit my part of the network, my network, experimental network on

04:28.280 --> 04:35.200
the DN42 is called flip-flap, raise my yes number in the top right corner and my

04:35.200 --> 04:36.680
prefixes.

04:36.680 --> 04:44.440
It's based on VPN servers in many geopolitical locations, it's mainly built with

04:44.440 --> 04:53.800
DBN-13 and Bird, so it's multi-home and multi-pop, so I have many routers and many

04:53.800 --> 05:02.360
pop, the point of presence which is a router and many peering.

05:02.360 --> 05:07.440
I use wire gap tunnels personally and I have a full mesh network inside my network

05:07.440 --> 05:09.280
between my servers.

05:09.280 --> 05:16.520
You can actually follow my guide, I push all my nuts on my blog and all my system configs

05:16.520 --> 05:22.480
on GitHub and it was something which was missing when I experimented with DN42 in the

05:22.480 --> 05:29.280
beginning, so all my system configs on them.

05:29.280 --> 05:38.280
This is my registry objects, so to participate to DN42, you have to make up your

05:38.280 --> 05:44.480
pull request with your objects, you need a maintenance object, yes, autonomous system

05:44.480 --> 05:52.280
object, you need of course prefixes, routes, you can have a domain name, so this is

05:52.280 --> 05:54.280
my objects.

05:54.280 --> 05:57.960
What's important is actually to define source of authentication in your maintenance

05:57.960 --> 06:07.240
and your objects, so like a GPG key and such key or both, and this is the map of my small

06:07.240 --> 06:08.240
network.

06:08.240 --> 06:15.520
We're bigger networks inside DN42, but mine is quite nice because it's an international

06:15.600 --> 06:22.280
with four countries in Europe and two in North America, so I have a real life, latencies,

06:22.280 --> 06:33.920
I go to the internet, and I make use of two main dynamic routing protocols, BGP for

06:33.920 --> 06:42.200
internal, for the external routing, so we have inter-AS routing and Babel internally, which

06:42.280 --> 06:49.280
works quite well for an other level of the network.

06:49.280 --> 06:54.320
So nice setup, but what was very, very nice in the story?

06:54.320 --> 07:03.280
No, the frame is that, after setting this up, I had like zero traffic on my network, so

07:03.280 --> 07:08.080
that was nice, but I wanted to play more, and by the main limitation is that I had just

07:08.080 --> 07:16.280
had nothing of peers and I had no transit, so I wanted to scale up my network, and I

07:16.280 --> 07:22.640
provided a lot of automatic playing service, so that people can request BGP pairing session

07:22.640 --> 07:29.880
with me, and it's configured automatically on my side.

07:29.880 --> 07:36.560
So I wrote a small tool, which is called DN42 SSDotopia, sorry for the lack of inspiration.

07:36.560 --> 07:47.920
I, it's a self-service CLI over SSH to request and setup BGP pairing sessions, it's aims to

07:47.920 --> 07:48.920
be kiss.

07:48.920 --> 07:55.640
I have one instance of the S of the Daymond pair pop, it features authentication against

07:55.640 --> 08:02.920
the DN42 Wall Street, so there's nothing to configure manually for the other participants.

08:02.920 --> 08:08.720
It's a custom SSDotable M1 using Paramico, so some of you may know Paramico, because

08:08.720 --> 08:15.760
it's a Python library to write SSH clients, but you can also use it to write SSDotable M1s.

08:15.760 --> 08:23.200
It's a custom CLI, based on the CMD class, and it generates why you're got to know and

08:23.200 --> 08:33.880
about the BGP doing configuration, and it's a mighty license, so you can just fuck on GitHub,

08:33.880 --> 08:43.480
face the link, and demo time, that's very impressive part of the talk.

08:43.480 --> 08:51.720
You can SSH to one of my pop, so here as a I impersonate another participant, you have access,

08:51.720 --> 09:04.400
you have access to my custom CI, some commands, you can use the command tier creates to

09:04.400 --> 09:13.120
give your why you're got endpoint information, and register it, plus a link local IPv6

09:13.120 --> 09:23.320
address for the internal connection, and if you use peer config, there's a summary of

09:23.320 --> 09:30.400
the configuration on both sides, plus an extract of configuration for why you're got and

09:30.400 --> 09:31.400
both.

09:31.400 --> 09:39.880
Okay, then you can just peer status, and because it's a periodic task in the background,

09:39.880 --> 09:48.760
you can generate the ping session every five minutes, so 4, 3, and 5 minutes after, the

09:48.760 --> 09:58.560
way I'll get a tunnel is done, and the BGP ping session is up, so that's it for the

09:58.560 --> 10:11.920
tool, so personally I set it up on all my pops, in a, so the user's can just set it to it,

10:11.920 --> 10:16.720
I'm important for you to find it all, and use peer create, peer config, peer list, peer

10:16.720 --> 10:26.640
remove, and peer status commands, so that I demonstrate it just before, but it's actually

10:26.640 --> 10:35.520
how it works, the user request, the ping session, the two, the demand commits to a local

10:35.520 --> 10:47.360
database, and raise a periodic task, which queries a local database and applies a config, so

10:47.360 --> 10:52.080
local database is actually a SQLite, so it's right for it, and I want it to keep it

10:52.080 --> 11:05.440
like this, so I hope now you want to try a Dien 42, and peer remove me, how to join the party,

11:05.440 --> 11:13.960
you need at least one host with a public IP, so most of Dien 42 seems to be above IPv6,

11:13.960 --> 11:18.520
which means you don't even have to pay for an IPv4, you submit a product request to the

11:18.520 --> 11:25.720
Git-based registry, then you connect with reverse, via manual or automatic pairing, so

11:25.720 --> 11:33.280
there's a lot of things happening on IRC, in the legalist, and step 3, step 3, you set up

11:33.280 --> 11:40.520
your BGP voter, personally I did it on with Dien and BIRT 2, which is the most documented way

11:40.520 --> 11:47.200
of doing it, but you can use whatever implementation you want, so that is a big getting

11:47.200 --> 11:55.280
started guide on the Dien 42 website, but you can have a look, so my advice is a start small,

11:55.280 --> 12:02.320
this was my first network actually, and yeah, I don't need two pops at the same location

12:02.320 --> 12:06.880
and five peering sessions, and actually I lost it, because it was a physical server and

12:06.880 --> 12:17.800
it died, so if I can give a few tips for people who want to try, avoid diameter, it's

12:17.800 --> 12:28.040
full west-fade, and they get the idea of it, especially, you want to try to have different

12:28.040 --> 12:36.320
geographic location, and the way you're doing it is a good service, sorry for that, try to

12:36.360 --> 12:43.920
you're going to replicate your installation several times, so if you personally, I automatically

12:43.920 --> 12:49.920
did everything with terraform and end on C-ball, and actually my own C-ball, but I linked

12:49.920 --> 12:57.560
very, just deeply in my auto-paying service, so you can have a look if you want to replicate,

12:58.480 --> 13:07.320
and other tips, if you want to keep your Dien 42 in front structure, if you want to maintain

13:07.320 --> 13:14.600
it, it should be quite low cost, so you can use ways to don't try to stay, but one of the

13:14.600 --> 13:22.440
big drawback is the latency and latency, and actually if you want to have network traffic

13:22.600 --> 13:31.320
and transit, you can abuse a public code free tiers, or promotional credits, I will not make

13:31.320 --> 13:39.000
a advertisement for crowds, you can buy low cost dedicated servers, but what I did in the beginning

13:39.000 --> 13:45.480
and what I lost some, how I lost my personal choice, or how community providers, and I want to

13:45.480 --> 14:02.360
thank a boxy BSD, which actually provide free instances, so as a conclusion, this is the progression

14:02.360 --> 14:10.200
of my AS in the past year, you see the moment I introduced Dien 42s, such the auto-paying,

14:10.200 --> 14:19.560
in April, at that moment I had a linear, linear creation of peer-wing sessions, between me,

14:19.560 --> 14:30.600
and my AS progressed in the wrong king of Dien 42 auto-paying systems to position 22, I think now I'm 18.

14:30.840 --> 14:51.320
So it's a smooth up shift mode, but it's a left work, yeah it's ranking by some traleti and now

14:51.320 --> 14:59.640
as a conclusion, so I think my auto-paying service quickly simplifies peering in Dien 42,

15:00.520 --> 15:06.920
by automating configuration exchange, it's not faster than using E-maps or IRC,

15:11.880 --> 15:17.560
for future work, I think I should really improve the configuration generation and deeper

15:18.200 --> 15:23.000
progress process, because actually at the moment, it's a bit of glue involved with bash scripts,

15:23.000 --> 15:31.000
but I like to support GPG based authentication, because I know some people don't use

15:31.320 --> 15:52.200
a, some people don't use SSH authentication in the registry, so I like to support GPG and

15:52.920 --> 15:55.720
what I would really like is to see over AS maintenance,

16:01.560 --> 16:10.200
what I would really like is to see over Dien 42 AS maintenance, trying adopt my service and trying it,

16:11.640 --> 16:16.840
as a broader vision, I think we should create more peerings between Dien 42, I think it's

16:17.720 --> 16:23.160
two-some threat at the moment and one of my initial parameters was that I have no real note

16:23.160 --> 16:30.360
transit for my AS, and I think if we had more automatic peering services, we've been the Dien 42

16:30.600 --> 16:36.520
network, when it would be less centralized and I think it's what we should aim for,

16:38.920 --> 16:44.520
and I still have some time, what I would really like to say is it's really an awesome

16:44.920 --> 16:54.200
unique environment to learn about networking, Dien 42, and if I hope you want to try now,

16:55.000 --> 17:04.440
it's a lot better than what you can do in a classroom or in our lab with services

17:05.720 --> 17:11.080
at the same place with one millisecond latency, here you will have a real

17:12.120 --> 17:16.760
something which looks like real world with flip-flopping links, packet loss,

17:17.720 --> 17:25.320
latency range, latency is an important way to choose, but what's it?

17:29.880 --> 17:35.880
So thank you for attention, left as an exercise, you can download this slide,

17:35.880 --> 17:39.800
you risk your code, but it's on Dien 42, so you have to join first,

17:39.880 --> 17:47.160
and I shall have any questions.

18:02.920 --> 18:08.040
So I have some connections with ripe, which you might know about, and an L-nog,

18:08.520 --> 18:15.320
which is the Dutch network operators group, and I've seen some interest in the Dien 42 networks

18:15.320 --> 18:21.080
already there, but do you know if there's any presence like the L-nog

18:21.080 --> 18:27.240
ring project available in Dien 42, which is a monitoring system like looking glass with shell

18:27.240 --> 18:32.440
servers, they might be interested in actually deploying there as well, do you know anything with that?

18:33.400 --> 18:38.680
Absolutely not, I'm sorry. No worries, thank you very much, but I'm interested.

18:40.680 --> 18:47.720
We can plot after the griddle. Any more questions?

18:50.920 --> 18:57.800
Okay, then that's it, thank you very much.

19:02.440 --> 19:12.440
Thank you very much, thank you very much.