[dn42] AS4242420263 configuration (Part 1/5)
dn42 is a decentralized network, which employs Internet technologies (such as BGP). It is an ideal testbed to manipulate networking technologies without the pressure of running a public AS. This article is the start of my journey to dn42, from the request of my AS number and IP ranges to the monitoring of my peering links.
What’s dn42
dn42 is a big dynamic VPN, which employs Internet technologies (BGP, whois database, DNS, etc). Participants connect to each other using network tunnels (GRE, OpenVPN, WireGuard, Tinc, IPsec) and exchange routes thanks to the Border Gateway Protocol. Network addresses are assigned in the 172.20.0.0/14 range and private AS numbers are used (see registry) as well as IPv6 addresses from the ULA-Range (fd00::/8)
Requirements
Before starting:
- I’ve created two VMs on my “homelab”, namely
gw-dn42andgw2-dn42, connected to the Internet with public IPv6s - I already have a functional GnuPG set-up with a set of private and public keys
- Prior knowledge: Linux, basics of networking and git
For this experiment, I’ve used:
- Debian 12
- Bird 2 (routing daemon)
- Wireguard tunnels - to establish peering links
If you want to follow me on this journey and operate your own dn42 AS, have a first look at the wiki, and especially the Getting Started page, it will guide you up to the establishment of your first peering session. But I want to go further, that’s the purpose of this series of blog posts
Objectives
I want to create a multi-homed network with at least 2 routers, in 5 steps
- [1/5] Request an AS number and IP blocks
- [2/5] Connect to dn42, set-up the first BGP peering and access dn42 internal services
- [3/5] Multi-homing/Multi-pop - set-up internal BGP peering and use an IGP to split my internal network
- [4/5] Set-up primary and secondary DNS servers for the zone
hcartiaux.dn42, and the reverse zones of my IP blocks - [5/5] Monitor all the network links and create a functional weathermap
Along the road, I publish my configuration on github
My final network map looks like this:
Request an AS number and IPv{4,6} blocks
In lieu of requesting an ASN (Autonomous System Number) and IPs from a LIR (Local Internet Registry), we will submit a pull request to the dn42 registry git repository.
Fork and clone the “registry” git repository
Create an account on git.dn42.dev, set your SSH and GPG keys in the user settings.
Follow the instructions in the README.md file of the registry git repository:
Fork the main repository, and clone it:
git clone git@git.dn42.dev:hcartiaux/registry.git
The objects schema can be found in the directory data/schema/ or explored on https://explorer.dn42.dev.
I don’t know where to find the precise documentation for each object type, but the key names can be crossed checked from this APNIC documentation.
Create the maintainer and person objects
data/mntner/HCARTIAUX-MNT: maintainer object, describe the maintainer allowed to edit all the other objects.
mntner: HCARTIAUX-MNT
admin-c: HCARTIAUX-DN42
tech-c: HCARTIAUX-DN42
mnt-by: HCARTIAUX-MNT
auth: pgp-fingerprint 62C5D78FE715CF7CA974B5AF37183CEF550DF40B
auth: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICtAyNLxu6GqPOLQutasE70tPMOSF+WS9LmK6kldYwPD
source: DN42
admin-c is the NIC-handle of the on-site contact, tech-c is for the network operator. In this case, it’s the same person.
It is important to define at least one authentication method (ssh public key), but I think it’s more convenient to define both.
data/person/HCARTIAUX-DN42: NIC-handle for myself.
person: Hyacinthe Cartiaux
e-mail: hyacinthe.cartiaux@gmail.com
nic-hdl: HCARTIAUX-DN42
mnt-by: HCARTIAUX-MNT
source: DN42
Create the AS object
data/aut-num/AS4242420263: choose a free AS number in the rangeAS[4242420000-4242423999]. I’ve chosen the first available ASN, but you can use the DN42 registry explorer to generate a list of random free ASN.
aut-num: AS4242420263
as-name: AS-HCARTIAUX-DN42
admin-c: HCARTIAUX-DN42
tech-c: HCARTIAUX-DN42
mnt-by: HCARTIAUX-MNT
source: DN42
Define your IP blocks
data/inet6num/fd28:7515:7d51::_48: choose a free IPv6/48network prefix in the ULA rangefd00::/8. You can use the DN42 registry explorer to generate a list of random unused/48prefix, it is recommended to choose a random prefix to avoid potential conflicts with other networks interconnected with dn42. Define the nameservers used for reverse DNS queries.
inet6num: fd28:7515:7d51:0000:0000:0000:0000:0000 - fd28:7515:7d51:ffff:ffff:ffff:ffff:ffff
cidr: fd28:7515:7d51::/48
netname: HCARTIAUX-NETWORK
descr: Network of HCARTIAUX
country: FR
admin-c: HCARTIAUX-DN42
tech-c: HCARTIAUX-DN42
mnt-by: HCARTIAUX-MNT
status: ASSIGNED
nserver: ns1.hcartiaux.dn42
nserver: ns2.hcartiaux.dn42
source: DN42
data/route6/fd28:7515:7d51::_48: define a route object, this is mandatory as this information is used for Route Origin Authorization (ROA) in the BGP configuration. If this object is missing or incorrect, the adjacent routers will filter your network.
route6: fd28:7515:7d51::/48
origin: AS4242420263
max-length: 48
mnt-by: HCARTIAUX-MNT
source: DN42
data/inetnum/172.22.144.160_27: same as above, but in IPv4. For my use case, a/27is enough, it’s not justified to request more IPs. You can use the DN42 registry explorer to generate a list of unused/27prefixes.
inetnum: 172.22.144.160 - 172.22.144.191
cidr: 172.22.144.160/27
netname: HCARTIAUX-NETWORK
descr: Network of HCARTIAUX
country: FR
admin-c: HCARTIAUX-DN42
tech-c: HCARTIAUX-DN42
mnt-by: HCARTIAUX-MNT
status: ASSIGNED
nserver: ns1.hcartiaux.dn42
nserver: ns2.hcartiaux.dn42
source: DN42
data/route/172.22.144.160_27: same as above, ROA is also used for IPv4.
route: 172.22.144.160/27
origin: AS4242420263
max-length: 27
mnt-by: HCARTIAUX-MNT
source: DN42
Request a domain name with the .dn42 TLD.
data/dns/hcartiaux.dn42
domain: hcartiaux.dn42
admin-c: HCARTIAUX-DN42
tech-c: HCARTIAUX-DN42
mnt-by: HCARTIAUX-MNT
nserver: ns1.hcartiaux.dn42 172.22.144.161
nserver: ns1.hcartiaux.dn42 fd28:7515:7d51:a::1
nserver: ns2.hcartiaux.dn42 172.22.144.177
nserver: ns2.hcartiaux.dn42 fd28:7515:7d51:c::1
source: DN42
Commit and create your Pull Request
First, verify that your objects files are all valid.
check-my-stuff- validates all your objects against the registry schema
./check-my-stuff HCARTIAUX-MNT [NOTE] ## Scan Started at 2024-07-12 13:47:48 CHECK data/mntner/HCARTIAUX-MNT PASS MNTNERS: HCARTIAUX-MNT [NOTE] ## Scan Completed at 2024-07-12 13:47:49 [NOTE] ## Scan Started at 2024-07-12 13:47:49 [INFO] fd28:7515:7d51::/48 CHECK data/inet6num/fd28:7515:7d51::_48 PASS MNTNERS: HCARTIAUX-MNT CHECK data/route6/fd28:7515:7d51::_48 PASS MNTNERS: HCARTIAUX-MNT CHECK data/person/HCARTIAUX-DN42 PASS MNTNERS: HCARTIAUX-MNT CHECK data/mntner/HCARTIAUX-MNT PASS MNTNERS: HCARTIAUX-MNT CHECK data/aut-num/AS4242420263 PASS MNTNERS: HCARTIAUX-MNT CHECK data/inetnum/172.22.144.160_27 PASS MNTNERS: HCARTIAUX-MNT CHECK data/route/172.22.144.160_27 PASS MNTNERS: HCARTIAUX-MNT CHECK data/dns/hcartiaux.dn42 PASS MNTNERS: HCARTIAUX-MNT [NOTE] ## Scan Completed at 2024-07-12 13:47:50fmt-my-stuff- automatically fix minor formatting errors
./fmt-my-stuff HCARTIAUX-MNTCreate a single signed commit for your request, retrieve the new commits in the main repository and rebase your commit.
git add . git commit -S git remote add dn42registry git@git.dn42.dev:dn42/registry.git git fetch dn42registry master git rebase -i -S dn42registry/master git pushbis - these scripts may be useful to prepare the Pull Request
squash-my-commits -S --push- automatically rebase and squash your commitssign-my-commit- can be used to sign your commit, I’ve not used it but it must be noted that the script supports GPG keys and SSH key for the signature, which makes GnuPG is optional.
Submit your Pull Request using the gitea web interface and wait until it gets merged. For the record, I’ve submitted two PRs:
Credit where credit is due
I’ve discovered dn42 at FOSDEM 2023, while discussing with Alarig (and maybe Mike) outside of the Delirium at 3am. Btw, I wait for your peering information :)