DFRI network

• AS macro: AS-DFRI
• AS numbers: 198093

Netblocks

• IPv4
  • SE-TORNET 171.25.193.0/24
  • DFRI-DNS 194.0.61.0/24
• IPv6
  • SE-TORNET 2001:67c:289c::/48
  • DFRI-DNS 2001:67c:16b0::/48

Address plan

SE-TORNET IPv4 (171.25.193.0/24)

- 0/24 -
  - 0/25 -
    - 0/26 sthlm site 0 (1-62)
    - 64/26 sto4-64: sthlm site 4 (65-126) was sto3
  - 128/25 -
    - 128/26 sto4-128: sthlm site 4 (129-190)
    - 192/26 -
      - 192/27 sto4-192: sthlm site 4 (193-222) not in use; TODO: remove
      - 224/27 -
        - 224/28 -
          - 224/29 loopback (225-230)
          - 232/29 sthlm site 2 tor (233-238)
        - 240/28 - link networks
          - 240/30 linknet5 (241,242) sto0-sto3
          - 244/31 linknet4 (244,245)
          - 246/31 linknet3 (246,247)
          - 248/31 linknet2 (248,249) sto0-internal
          - 250/31 linknet1 (250,251) sto3-sto4
          - 252/30 linknet0 (253,254) sto0-sto4

SE-TORNET IPv6 (2001:67c:289c::/48)

- 2001:67c:289c::/48 -
  - 2001:67c:289c:0000::/64 sto0
  - 2001:67c:289c:0001::/64 sto1 TODO: remove
  - 2001:67c:289c:0002::/64 sto2
  - 2001:67c:289c:0003::/64 sto4-was-sto3
  - 2001:67c:289c:0004::/64 sto4
  - 2001:67c:289c:ffff::/64 link
    - 1/112 linknet0 (sto0-sto4)
    - 2/112 linknet1 (sto3-sto4)
    - 3/112 linknet5 (sto0-sto3)
    - 4/112 linknet2 (sto0-internal)

DFRI-DNS IPv4 (194.0.61.0/24)

- 0/24 -
  - 0/25 -
    - 0/26 sto1 (1-62)
    - 64/26 unused (65-126)
  - 128/25 -
    - 128/26 unused (129-190)
    - 192/26 -
      - 192/27 unused (193-222)
      - 224/27 -
        - 224/28 unused (225-238)
        - 240/28 - link networks
          - 240/30 link3 sto0-sto3 (241-242)
          - 244/30 unused (245-246)
          - 248/30 unused (249-250)
          - 252/30 link0 sto0-sto4 (253-254)

Traffic graphs

• STHIX KN7
• STHIX OBE
• SOLIX
• rs0-1, rs3, rs4: mrtg producing HTML and PNG in /usr/local/www/mrtg/

See mrtg for how to make mrtg play nicely on FreeBSD.

Operating

Blackholing, or RTBH

Info on RTBH:

• RFC 5635 -- Remote Triggered Black Hole Filtering with Unicast Reverse Path Forwarding (uRPF)
• RFC 3882 -- Configuring BGP to Block Denial-of-Service Attacks
• A Cisco paper

Example of how to blackhole .47 at Portlane (untested 2012-03-23):

bgpctl network add 171.25.193.47/32 community 42708:666

Remove all dynamically added announcements:

bgpctl network flush

Creating netflow data and looking at it

pmacct

pmacctd -D -c dst_port -P memory -i IF pmacct -s -c dst_port | sort -nrk 2 | head

nfcap + fprobe

Example on how to capture, collect and disseminate netflow data locally on rs0.

• rs0# nfcapd -b 127.0.0.1 -n rs0,127.0.0.1,/usr/nfcap &
• otherhost$ ssh -NfL 9995:127.0.0.1:9995 rs0.dfri.net
• otherhost$ fprobe -i em3.257 -fip localhost:9995
• Wait.
• otherhost$ nfdump -B -R /usr/nfcap/FILE1:FILEn -s record
• Don't forget to shut down nfcapd and fprobe and gshred -zu /usr/nfcap/FILE* when you're done.

TODO

• Test RTHB
• Trigger launch of fprobe on extensive ierrs or idrop (rs0)?
• Take a look at nfsen as a nfdump front end?

How to create a VLAN i/f on a router

IF=<physical interface>
VLANID =<vlan id>

Add the VLANID to rc.conf

• Add VLANID to vlans_${IF} (and ipv6_network_interfaces)
• Add a create_args_${IF}_${VLANID} line for IPv4
• Add an ifconfig_${IF}_${VLANID}_ipv6 for IPv6

Create the interface manually

• export i=ifconfig vlan create vlan $VLANID vlandev $IF
• ifconfig $i name ${IF}.${VLANID}

Create and configure the interface automatically

• service netif restart ${IF}