A week or two ago I became aware of DN42, a private network run to teach people how to use BGP. DN42 users connect to each other using site-to-site VPNs and then use BGP to exchange routing information. As someone who learns best from hands-on activity I simply couldn’t resist.

This blog post will discuss getting connected to the DN42 network using a Cisco router, be it physical or in a virtualisation solution such as GNS3/VIRL. At a high level there are three main steps:

  1. Create a number of registry “objects” in order to obtain an ASN and a network allocation that you can advertise in BGP;
  2. Configure your router so it can reach the internet;
  3. Locate a suitable network to establish a VPN with and then form a BGP adjacency over it;

I’ll try to cover off the various DN42 specifics, but I don’t plan on covering basic router configuration tasks.

Creating DN42 registry objects

As in the real world, we need to create a number of objects in a database so that other people know who we are. The objects are administrative, but in DN42 they are also how autonomous system numbers (ASNs) and IP address allocations are managed, so nothing can be announced until they exist.

There are five records you need to create before configuring any devices, a process that should take about ten minutes to complete.

You should begin by choosing the names you will use. You will need to decide on:

  • Organisation name. For example NWTRADERS;
  • Contact name. For example JBLOGGS;
  • Maintainer name. Typically the organisation name with “-MNT” appended. For example NWTRADERS-MNT;
  • NIC Handle (nic-hdl). The name of a specific person or role. For example JBLOGGS-DN42;

Once you’ve decided you can head over to the DN42 Registry and create the records as described below.

Maintainer object

The maintainer (mntner) object is the most important object you’ll create: it is the credential used to create and maintain every other object. The password you enter is the plain-text version; the registry stores a SHA-512 hash of it (hence the sha512-pw attribute) rather than the password itself, so pick a strong one and keep a copy somewhere safe.

Create your maintainer object, appending “-MNT” to the organisation name you chose earlier.

mntner:		NWTRADERS-MNT
desc:
sha512-pw:	this is a password you will use, so save it!
admin-c:	DUMMY-DN42
tech-c:		DUMMY-DN42
mnt-by:		NWTRADERS-MNT

Person object

This will be a contact record containing information about you as an individual. The other objects reference it as their technical and administrative contact, so it is how people find out how to reach you.

When creating your object append “-DN42” to the contact name you’ve chosen and specify it as the nic-hdl.

person:		Joe Bloggs
contact:	twitter:DaveHope
bitcoin:
nic-hdl:	JBLOGGS-DN42
mnt-by:		NWTRADERS-MNT

By specifying the mnt-by as your mntner object you’ll be able to update this person object at a later date.

Once the person object is created, go back to your maintainer object and update the admin-c and tech-c to the nic-hdl you’ve created.

Organisation object

The organisation object provides some information about the group creating these records and running the network. It’s fairly basic so create it as follows:

organisation:	ORG-NWTRADERS
org-name:	damn.technology
admin-c:	JBLOGGS-DN42
tech-c:		JBLOGGS-DN42
mnt-by:		NWTRADERS-MNT

aut-num object

Finally we’re getting onto the interesting records! The autonomous system number identifies your network in BGP, so it must be unique within DN42; the numbers DN42 hands out sit inside the private 32-bit ASN space of RFC 6996 and cannot collide with a public ASN.

As of April 2015 the autonomous system number (aut-num) you create should be in the range 4242420000-4242423999. Choose an unused number and prefix it with “AS”:

aut-num:	AS4242422222
as-name:	NWTRADERS
admin-c:	JBLOGGS-DN42
tech-c:		JBLOGGS-DN42
mnt-by:		NWTRADERS-MNT

inetnum object

The final record you need to create is the inetnum object, which allocates address space to you. To find available space use the DN42 Open Netblocks site. Once you’ve found a block, work out its first and last address rather than just the prefix length: the inetnum record is written as a range, not in CIDR notation (the 172.23.220.128 - 172.23.220.255 below is a /25).

You should also specify the country you’ll announce this from and a name for the network.

inetnum:	172.23.220.128 - 172.23.220.255
netname:	NET-NWTRADERS-000
country:	GB
admin-c:	JBLOGGS-DN42
tech-c:		JBLOGGS-DN42
mnt-by:		NWTRADERS-MNT
nserver:	dummy.dn42
status:		ASSIGNED
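As an added example (mine, not the post’s and not the registry’s own tooling), the Python script below reads the five objects in the layout shown above, checks the cross-references (every mnt-by names a mntner in the set, every admin-c/tech-c names a nic-hdl), checks that the aut-num is in the range quoted and that the inetnum range is a single CIDR-aligned block inside DN42’s IPv4 space (172.20.0.0/14), and derives the network/netmask pair the router’s BGP network statement will later need. The sample records are constructed from the placeholder names used in this post.

```python
import ipaddress
import re

# The aut-num range the post quotes for April 2015, and DN42's IPv4 space.
ASN_RANGE = (4242420000, 4242423999)
DN42_IPV4 = ipaddress.ip_network("172.20.0.0/14")

# Constructed sample built from the post's placeholder names (one record per class).
SAMPLE = """\
mntner:     NWTRADERS-MNT
admin-c:    JBLOGGS-DN42
tech-c:     JBLOGGS-DN42
mnt-by:     NWTRADERS-MNT

person:     Joe Bloggs
nic-hdl:    JBLOGGS-DN42
mnt-by:     NWTRADERS-MNT

organisation: ORG-NWTRADERS
org-name:   Northwind Traders
admin-c:    JBLOGGS-DN42
tech-c:     JBLOGGS-DN42
mnt-by:     NWTRADERS-MNT

aut-num:    AS4242422222
as-name:    NWTRADERS
admin-c:    JBLOGGS-DN42
tech-c:     JBLOGGS-DN42
mnt-by:     NWTRADERS-MNT

inetnum:    172.23.220.128 - 172.23.220.255
netname:    NET-NWTRADERS-000
admin-c:    JBLOGGS-DN42
tech-c:     JBLOGGS-DN42
mnt-by:     NWTRADERS-MNT
status:     ASSIGNED
"""

def parse_objects(text):
    """Split 'attribute: value' records on blank lines; the first attribute names the class."""
    objects = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), value.strip())
        objects.append(attrs)
    return objects

def range_to_prefix(inetnum):
    """'first - last' -> the single IPv4Network it covers, or None if it is not one block."""
    first, _, last = (p.strip() for p in inetnum.partition("-"))
    try:
        nets = list(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    except ValueError:          # unparsable address or last < first
        return None
    return nets[0] if len(nets) == 1 else None

def bgp_network(inetnum):
    """(network, netmask) strings for the IOS 'network ... mask ...' statement."""
    net = range_to_prefix(inetnum)
    return (str(net.network_address), str(net.netmask)) if net else None

def check_objects(text):
    """Return a list of problems; an empty list means the set is consistent."""
    objs = [(next(iter(o)), o) for o in parse_objects(text)]
    mntners = {o["mntner"] for cls, o in objs if cls == "mntner"}
    handles = {o.get("nic-hdl") for cls, o in objs if cls == "person"}
    problems = []
    for cls, o in objs:
        name = f"{cls} {o[cls]}"
        if o.get("mnt-by") not in mntners:
            problems.append(f"{name}: mnt-by {o.get('mnt-by')} is not a mntner in this set")
        for role in ("admin-c", "tech-c"):
            if role in o and o[role] not in handles:
                problems.append(f"{name}: {role} {o[role]} is not a nic-hdl in this set")
        if cls == "person" and not o.get("nic-hdl", "").endswith("-DN42"):
            problems.append(f"{name}: nic-hdl should end in -DN42")
        if cls == "aut-num":
            m = re.fullmatch(r"AS(\d+)", o[cls])
            if not m or not ASN_RANGE[0] <= int(m.group(1)) <= ASN_RANGE[1]:
                problems.append(f"{name}: not in AS{ASN_RANGE[0]}-AS{ASN_RANGE[1]}")
        if cls == "inetnum":
            net = range_to_prefix(o[cls])
            if net is None:
                problems.append(f"{name}: range is not a single CIDR-aligned block")
            elif not net.subnet_of(DN42_IPV4):
                problems.append(f"{name}: {net} is outside {DN42_IPV4}")
    return problems

if __name__ == "__main__":
    print(check_objects(SAMPLE) or "registry objects look consistent")
    print("network %s mask %s" % bgp_network("172.23.220.128 - 172.23.220.255"))
```

Run it against your own records before submitting them; a range such as 172.23.220.128 - 172.23.220.254 is rejected because it does not collapse to one prefix, which is also why the router would have nothing sensible to put in its network statement.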

Router configuration

As someone who predominantly uses Cisco equipment I’ll be using a Cisco router in my example. The DN42 routing table isn’t particularly large, so you shouldn’t need much processing power or memory.

Configure your router as you would any other, assigning a hostname and domain-name and giving it an IP address on an interface that can reach the internet. If the router sits behind a NAT device, the next step is to forward the IPsec traffic to it so that it can terminate the IPsec/GRE tunnels used to reach other networks: UDP 500 (ISAKMP) and UDP 4500 (NAT-T), or IP protocol 50 (ESP) if the peering is not using NAT traversal.

Once your router is able to reach the internet and the relevant ports forwarded (if required), proceed to find a peer and get connected.

IPsec configuration

To get connectivity to the DN42 network you will need at least one peer who is willing to provide transit in the form of a tunnel and a BGP adjacency. The best way to go about it is to either use the DN42 peer finder or ask in the IRC channel.

I use IPsec and GRE for my peerings and find the following configuration works well. The ISAKMP policy authenticates with RSA encrypted nonces (authentication rsa-encr), which is what makes the router use the raw public keys exchanged below rather than certificates. MD5 and DH group 5 are the weak end of what IOS offers; where both ends support them, prefer hash sha256 and group 14.

router(config)#crypto isakmp policy 10
 encr aes
 hash md5
 authentication rsa-encr
 group 5
 lifetime 28800
crypto isakmp keepalive 30 periodic
crypto ipsec transform-set TSET_DN42 esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile PROF_DN42
 set security-association lifetime kilobytes disable
 set transform-set TSET_DN42

Once you’ve found a peer, configure the router to use public keys for IPsec authentication. First generate yourself an RSA keypair. The “exportable” flag is optional: it lets you back up the private key or move it to another router if you rebuild your network later, at the cost that anyone with privileged access to the device can export it too:

router(config)#crypto key generate rsa general-keys modulus 2048 exportable
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be exportable...

Once created, send your newly found peer the public key part:

router#sh crypto key mypubkey rsa
% Key pair was generated at: 14:25:20 BST Apr 11 2015
Key name: router.local
Key type: RSA KEYS
 Storage Device: private-config
 Usage: General Purpose Key
 Key is exportable.
 Key Data:
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  00000000 DBDBDBDB 8A8A8A8A F7F7F7F7 FDFDFDFD 34343434 EBEBEBEB 79797979
  DEADBEEF 0001
% Key pair was generated at: 08:25:12 BST Apr 12 2015

You will receive a key (hopefully in the same format) from your peer. To import it, bind it to the public address the peer will connect from:

router(config)#crypto key pubkey-chain rsa
 addressed-key PEERS-PUBLIC-IP
  key-string
   PASTE-PEERS-KEY-STRING-HERE
   quit
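The key string usually arrives over IRC or email, which authenticates nothing. As an added example (mine, not the post’s and not IOS tooling), the script below decodes the hex Key Data that show crypto key mypubkey rsa prints, confirms it is an RSA SubjectPublicKeyInfo with the expected modulus size, and produces a SHA-256 fingerprint (and a PEM copy for openssl) to compare with the peer over a second channel before the string goes into pubkey-chain. The sample key is constructed, an arbitrary odd 2048-bit number standing in for a modulus rather than a real RSA key, so the block runs offline; the small DER encoder exists only to build that sample.

```python
import base64
import hashlib
import re

RSA_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1, rsaEncryption

def _der(tag, content):
    """Minimal DER TLV encoder (definite length), used only to build the sample."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, b"\x00" + body if body[0] & 0x80 else body)  # keep it positive

def spki_from_rsa(n, e):
    """SubjectPublicKeyInfo DER: the bytes IOS prints in hex under 'Key Data'."""
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    key = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, alg + _der(0x03, b"\x00" + key))

def _tlv(buf, pos):
    """Read one TLV at pos -> (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_spki(der):
    """Return (modulus, exponent); raise ValueError if not an RSA SubjectPublicKeyInfo."""
    tag, body, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    alg_tag, alg, pos = _tlv(body, 0)
    oid_tag, oid, _ = _tlv(alg, 0)
    if alg_tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    bits_tag, bits, _ = _tlv(body, pos)
    if bits_tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("malformed BIT STRING")
    seq_tag, rsa, _ = _tlv(bits, 1)
    n_tag, n, pos = _tlv(rsa, 0)
    e_tag, e, _ = _tlv(rsa, pos)
    if seq_tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def der_from_ios(show_output):
    """Collect the hex words after 'Key Data:' up to the first line that is not hex words."""
    words, in_key = [], False
    for line in show_output.splitlines():
        if "Key Data:" in line:
            in_key = True
        elif in_key:
            if not re.fullmatch(r"\s*(?:[0-9A-Fa-f]+\s*)+", line):
                break
            words.extend(line.split())
    return bytes.fromhex("".join(words))

def ios_key_data(der):
    """Lay DER out as IOS does: eight-hex-digit words, eight per line."""
    words = [der[i:i + 4].hex().upper() for i in range(0, len(der), 4)]
    return "\n".join("  " + " ".join(words[i:i + 8]) for i in range(0, len(words), 8))

def check_peer_key(show_output, expected_bits=2048):
    """Decode, validate and fingerprint a key. Read the sha256 value back to the
    peer over a second channel before trusting the pasted string."""
    der = der_from_ios(show_output)
    n, e = parse_spki(der)
    if n.bit_length() != expected_bits:
        raise ValueError(f"expected a {expected_bits}-bit modulus, got {n.bit_length()}")
    b64 = base64.b64encode(der).decode()
    pem = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return {"bits": n.bit_length(), "exponent": e,
            "sha256": ":".join(f"{b:02x}" for b in hashlib.sha256(der).digest()),
            "pem": f"-----BEGIN PUBLIC KEY-----\n{pem}\n-----END PUBLIC KEY-----\n"}

# Constructed sample: an odd 2048-bit number standing in for a modulus (not a real key),
# wrapped in the 'show crypto key mypubkey rsa' layout shown in the post.
SAMPLE_N = (1 << 2047) | (0xC0FFEE << 1000) | 0x10001
SAMPLE_DER = spki_from_rsa(SAMPLE_N, 65537)
SAMPLE_OUTPUT = ("% Key pair was generated at: 14:25:20 BST Apr 11 2015\n"
                 "Key name: router.local\nKey type: RSA KEYS\n"
                 " Usage: General Purpose Key\n Key Data:\n" + ios_key_data(SAMPLE_DER) +
                 "\n% Key pair was generated at: 08:25:12 BST Apr 12 2015\n")

if __name__ == "__main__":
    info = check_peer_key(SAMPLE_OUTPUT)
    print(info["bits"], "bit RSA, e =", info["exponent"], "sha256", info["sha256"])
    print(info["pem"])
```

A genuine 2048-bit key decodes to 294 bytes and starts 30820122 300D0609 2A864886 F70D0101 01050003 82010F00, so a pasted string of any other shape is a transcription error or not a key at all; the PEM output can be cross-checked with openssl rsa -pubin -text -noout.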

The final step in establishing connectivity is to create a GRE tunnel interface. For your first peer it’s easiest if your peer can provide the addressing for the transit network.

router(config)#interface Tunnel0
 ip address TUNNEL-ENDPOINT-IP TUNNEL-NETMASK
 tunnel source EXTERNAL-INTERFACE-NAME
 tunnel destination PEERS-PUBLIC-IP
 tunnel protection ipsec profile PROF_DN42

Assuming your peer has matched the local and remote IDs and the phase 1 and phase 2 parameters, your tunnel should come up:

router#sh crypto ses br
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
        K - No IKE
ivrf = (none)
           Peer     I/F        Username          Group/Phase1_id   Uptime Status
PEERS-PUBLIC-IP     Tu0                          PEERS-PUBLIC-IP 03:40:47    UA

If this doesn’t come up, one thing you may need to tweak is the phase 1 identity, especially if one end is behind a NAT device: the address the far end sees is then not the address the key was stored against with addressed-key. One option is for both ends to identify by name (crypto isakmp identity hostname) and to import each other’s key with named-key instead of addressed-key.

The next step is to configure BGP.

BGP configuration

A basic BGP configuration is straightforward: configure the BGP process with your AS number (the one you created in the registry) and the network you will be advertising. Note that the network statement takes the mask keyword, and that IOS only advertises a network statement when an exact match for the prefix exists in the routing table, so if the range isn’t already routed internally add a static route for it to Null0 (ip route YOUR-NETWORK-ID YOUR-NETWORK-NETMASK Null0):

router(config)#router bgp YOUR-AS-NUMBER
 address-family ipv4
  network YOUR-NETWORK-ID mask YOUR-NETWORK-NETMASK

You also need a neighbor statement so BGP knows who to exchange routing information with, and for that you need the AS number of your peer’s network. In most cases the neighbor address will be the other end of the transit network, but it’s best to ask your peer to be sure.

router(config)#router bgp YOUR-AS-NUMBER
 neighbor PEERS-BGP-IP remote-as PEERS-AS-NUMBER
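As an added example (mine, not from the post), the script below renders the BGP stanza for one peering from the ASN, prefix and peer details, adding what the two commands above leave implicit: the Null0 route and mask keyword the network statement needs, an outbound prefix-list so only your own allocation is ever announced to the peer, and a maximum-prefix limit (1000 is an assumed value; the post’s peer sent 365). It also parses show ip bgp summary so a script can tell an Established session from one stuck in Idle or Active. The neighbour addresses and ASNs in the sample are constructed (TEST-NET addresses).

```python
import ipaddress

def bgp_config(local_as, prefix, peer_ip, peer_as, max_prefixes=1000):
    """IOS configuration for one eBGP peer reached over the GRE/IPsec tunnel.
    prefix is your allocation in CIDR form, peer_ip the far end of the transit net."""
    net = ipaddress.ip_network(prefix, strict=True)   # rejects host bits set
    pl = f"PL-AS{local_as}-OUT"
    lines = [
        # 'network' only advertises a prefix that has an exact match in the RIB.
        f"ip route {net.network_address} {net.netmask} Null0",
        # Announce nothing but our own allocation, whatever else BGP learns.
        f"ip prefix-list {pl} seq 5 permit {net}",
        f"ip prefix-list {pl} seq 10 deny 0.0.0.0/0 le 32",
        f"router bgp {local_as}",
        " bgp log-neighbor-changes",
        f" neighbor {peer_ip} remote-as {peer_as}",
        f" neighbor {peer_ip} description DN42 transit AS{peer_as}",
        " address-family ipv4",
        f"  network {net.network_address} mask {net.netmask}",
        f"  neighbor {peer_ip} activate",
        f"  neighbor {peer_ip} prefix-list {pl} out",
        f"  neighbor {peer_ip} maximum-prefix {max_prefixes}",  # assumed ceiling
        " exit-address-family",
    ]
    return "\n".join(lines)

def bgp_sessions(show_output):
    """Parse the neighbour rows of 'show ip bgp summary'. A numeric State/PfxRcd
    column means Established with that many prefixes received; any other value
    (Idle, Active, Connect, ...) is the FSM state and the session is not up."""
    sessions = {}
    for line in show_output.splitlines():
        parts = line.split()
        if len(parts) >= 10 and parts[1] == "4" and parts[2].isdigit():
            state = " ".join(parts[9:])
            sessions[parts[0]] = (int(parts[2]), int(state) if state.isdigit() else state)
    return sessions

# Constructed sample: one established and one idle neighbour.
SAMPLE_SUMMARY = """\
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.0.2.1       4   4242421111   18309    2030    13903    0    0 23:34:03      365
192.0.2.5       4   4242421234       0       0        1    0    0 never    Idle
"""

if __name__ == "__main__":
    print(bgp_config(4242422222, "172.23.220.128/25", "192.0.2.1", 4242421111))
    for peer, (asn, state) in bgp_sessions(SAMPLE_SUMMARY).items():
        print(peer, asn, state)
```

Paste the rendered stanza in place of the two fragments above; the outbound prefix-list is the part worth keeping even if you drop the rest, since without it a mistake elsewhere in your configuration can leak someone else’s routes back into DN42.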

Once your peer has completed this you should see a BGP adjacency:

router#sh ip bgp sum | beg Nei
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
PEERS-BGP-IP    4   XXXXXXXXXX   18309    2030    13903    0    0 23:34:03      365

At this point you should be able to reach most of the DN42 network, including the IPv4 anycast DNS resolver (172.23.0.53).