Thursday, May 16, 2013

OpenBGPd and ipv6 peering

I'm writing this post on my experiences with an IPv6/OpenBGPd peering setup that I threw up on my VPS host.


This was done on a virtual pfSense host, but I had to disable my pf filter since I had problems installing the IPv6 pf rules.

e.g. (disable pf):

pfctl -d

IMHO: the pf rule should have worked, but I believe pfSense 2.0.1 was removing or ignoring the rule.


Here's the bgpd config under /usr/local/etc/ for pfSense 2.0.1 + OpenBGPd:

AS 5XXX
fib-update no
listen on 2607:f2f8:xxx::2

neighbor 2607:f2f8:xxx::1 {
	descr "IPV6"
	announce none
	remote-as 25xxx
	local address 2607:f2f8:xxx::2
	softreconfig in yes
}
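The config above will bring the session up, but it takes the peer entirely on trust: no session authentication, no TTL check, no prefix limit, and no inbound filter, so anything the peer sends lands in the RIB. The hardened variant below is an added example, not the post's own file or anything shipped by the pfSense OpenBGPd package. It uses the bgpd.conf syntax of that era (announce none is still accepted there), and every AS number, address and secret is a placeholder from the documentation ranges (AS 65000/65001, 2001:db8::/32).

```conf
# Hardened bgpd.conf (added example; placeholder ASNs, addresses and secret)

AS 65000
fib-update no
listen on 2001:db8:1::2

# macro so the filter rules below can refer to the peer by name
peer6="2001:db8:1::1"

neighbor $peer6 {
	descr "IPV6"
	remote-as 65001
	local address 2001:db8:1::2
	announce none                      # still announce nothing, as in the original
	softreconfig in yes
	tcp md5sig password "PLACEHOLDER-SHARED-SECRET"  # RFC 2385 TCP MD5 on the session
	ttl-security yes                   # GTSM (RFC 5082): accept only packets from a directly attached peer
	max-prefix 100 restart 30          # tear the session down above 100 prefixes, retry after 30 minutes
	log updates                        # log every UPDATE sent or received on this session
}

# Filters evaluate like pf: the LAST matching rule wins.
deny from any                          # default deny inbound
deny to any                            # default deny outbound (belt and braces with announce none)
allow from $peer6 inet6 prefixlen 16 - 48          # accept only sane IPv6 prefix lengths from this peer
deny from $peer6 prefix 2001:db8::/32 prefixlen >= 32   # our own space must never be learned from the peer
```

The ordering matters because of the last-match rule: the catch-all deny sits first, the allow overrides it for this peer, and the deny of our own block sits after the allow so it wins for that range. On pfSense (FreeBSD) tcp md5sig also needs the same key installed in the kernel security association database with setkey(8), otherwise the session never leaves Active; likewise ttl-security only works if the peer sends with TTL 255 as well. Check the file with bgpd -n -f /usr/local/etc/bgpd.conf before reloading, and watch the max-prefix counter in bgpctl show neighbor once the peer starts sending a full table.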


And here are a few bgpctl show outputs:


[2.0.1-RELEASE][admin@ares]/tmp(140): bgpctl show ip bgp inet6 memory
RDE memory statistics
     91867 IPv4 unicast network entries using 3.5M of memory
         1 IPv6 unicast network entries using 56B of memory    <-- a single IPv6 prefix learned, but still researching with my VPS hosting
    183734 rib entries using 11.2M of memory
    183735 prefix entries using 11.2M of memory
     15401 BGP path attribute entries using 1.8M of memory
     14065 BGP AS-PATH attribute entries using 755K of memory,
                     and holding 15401 references
      1509 BGP attributes entries using 58.9K of memory
                     and holding 2763 references
      1508 BGP attributes using 11.8K of memory
RIB using 28.5M of memory


and the neighborship:


bgpctl show neighbor IPV6
BGP neighbor is 2607:f2f8:xxx::1, remote AS 25xxx
 Description: IPV6
  BGP version 4, remote router-id 10.0.1.0
  BGP state = Established, up for 00:02:40
  Last read 00:00:11, holdtime 90s, keepalive interval 30s
  Neighbor capabilities:
    Multiprotocol extensions: IPv6 unicast
    Route Refresh

  Message statistics:
                  Sent       Received
  Opens                    1          1
  Notifications            0          0
  Updates                  0          1
  Keepalives               6          6
  Route Refresh            0          0
  Total                    7          8

  Update statistics:
                  Sent       Received
  Updates                  0          1
  Withdraws                0          0

  Local host:     2607:f2f8:xx::2, Local port:    179
  Remote host:    2607:f2f8:xxx::1, Remote port: 39925



and more output:

bgpctl show fib inet6 bgp
flags: * = valid, B = BGP, C = Connected, S = Static
       N = BGP Nexthop reachable via this route
       r = reject route, b = blackhole route

flags prio destination          gateway



I believe my VPS provider hasn't finished his cfg, so my FIB does not show anything.

BTW: I'm not announcing anything to them at this time over this setup, nor do I have any IPv6 assignments to announce as of this time.

Next project will be to get my pfSense box rebuilt with 2.0.2, and start using IPv6 out of my virtual hosted environment, possibly over an IPv6-over-IPv4 tunnel terminated on the firewall.

Ken Felix
Freelance Network/Security Engineer
kfelix ----at----- hyperfeed ---dot----com

    ^     ^
=(  0 @ )=
       O
       ~




2 comments:

  1. Thanks for the information; I've been researching setting up a small business network and which type of network security architecture would work the best for our purposes. Do you suggest anything specific if we use several cloud based services?

  2. I'm assuming this is IPv4. For a small business network, you should determine what your end users' needs are. Some things to consider:

    Do you need any advanced UTM security features
    Do you need remote access & if so, how many and what type of machines (OSX, Linux, Windows)
    Do you have any specific security devices or methods to be deployed (content filter, caching, email inspection, etc.)
    Do you interface with any remote branches or vendors
    Do your business services reside 100% in the cloud or locally
    Do you have a DR plan
    And how about data storage and backups

    Until you have answered all of the above, it's hard to build an architecture. Based on your site and business needs, you will have a host of items to consider in your planning. If you would contact me via email, I can refer you to a business associate of mine that caters to the SMB/medium business segments and has a host of solutions: data warehousing, cloud computing or co-lo.
