DFRI network
- AS macro: AS-DFRI
- AS numbers: 198093
Netblocks
- IPv4
- SE-TORNET 171.25.193.0/24
- DFRI-DNS 194.0.61.0/24
- IPv6
- SE-TORNET 2001:67c:289c::/48
- DFRI-DNS 2001:67c:16b0::/48
Address plan
SE-TORNET IPv4 (171.25.193.0/24)
- 0/24 -
- 0/25 -
- 0/26 sthlm site 0 (1-62)
- 64/26 sto4-64: sthlm site 4 (65-126) was sto3
- 128/25 -
- 128/26 sto4-128: sthlm site 4 (129-190)
- 192/26 -
- 192/27 sto4-192: sthlm site 4 (193-222) not in use; TODO: remove
- 224/27 -
- 224/28 -
- 224/29 loopback (225-230)
- 232/29 sthlm site 2 tor (233-238)
- 240/28 - link networks
- 240/30 linknet5 (241,242) sto0-sto3
- 244/31 linknet4 (244,245)
- 246/31 linknet3 (246,247)
- 248/31 linknet2 (248,249) sto0-internal
- 250/31 linknet1 (250,251) sto3-sto4
- 252/30 linknet0 (253,254) sto0-sto4
SE-TORNET IPv6 (2001:67c:289c::/48)
- 2001:67c:289c::/48 -
- 2001:67c:289c:0000::/64 sto0
- 2001:67c:289c:0001::/64 sto1 TODO: remove
- 2001:67c:289c:0002::/64 sto2
- 2001:67c:289c:0003::/64 sto4-was-sto3
- 2001:67c:289c:0004::/64 sto4
- 2001:67c:289c:ffff::/64 link
- 1/112 linknet0 (sto0-sto4)
- 2/112 linknet1 (sto3-sto4)
- 3/112 linknet5 (sto0-sto3)
- 4/112 linknet2 (sto0-internal)
DFRI-DNS IPv4 (194.0.61.0/24)
- 0/24 -
- 0/25 -
- 0/26 sto1 (1-62)
- 64/26 unused (65-126)
- 128/25 -
- 128/26 unused (129-190)
- 192/26 -
- 192/27 unused (193-222)
- 224/27 -
- 224/28 unused (225-238)
- 240/28 - link networks
- 240/30 link3 sto0-sto3 (241-242)
- 244/30 unused (245-246)
- 248/30 unused (249-250)
- 252/30 link0 sto0-sto4 (253-254)
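An added consistency check for the address-plan blocks above (example code written for this page, not part of DFRI's own tooling): it parses lines in the page's "- offset/prefix label (first-last)" form against the block's /24 and flags prefixes that are not aligned to their length, prefixes outside the block, stated host ranges that disagree with the prefix, and allocations that overlap. The sample plan inside is a constructed copy of a few SE-TORNET entries.

```python
import ipaddress
import re

# Page format: "- <offset>/<prefixlen> <label> (<first>-<last>)"; a label of "-" is an aggregate, skipped.
LINE_RE = re.compile(r"^-\s+(\d+)/(\d+)\s+(.*)$")
HOSTS_RE = re.compile(r"\((\d+)\s*[-,]\s*(\d+)\)")

# Constructed sample: allocations copied from the SE-TORNET IPv4 plan above.
SE_TORNET_V4 = ("171.25.193.0/24", """\
- 0/26 sthlm site 0 (1-62)
- 64/26 sto4-64: sthlm site 4 (65-126) was sto3
- 224/29 loopback (225-230)
- 240/28 - link networks
- 240/30 linknet5 (241,242) sto0-sto3
- 244/31 linknet4 (244,245)
- 252/30 linknet0 (253,254) sto0-sto4
""")

def usable_range(net, base):
    """First and last usable host as offsets from base; /31 and /32 use every address."""
    if net.prefixlen >= 31:
        lo, hi = net.network_address, net.broadcast_address
    else:
        lo, hi = net.network_address + 1, net.broadcast_address - 1
    return int(lo) - int(base.network_address), int(hi) - int(base.network_address)

def check_plan(base_cidr, text):
    """List defects: misaligned or out-of-block prefixes, wrong host ranges, overlaps."""
    base = ipaddress.ip_network(base_cidr)
    allocations, problems = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3).startswith("-"):
            continue  # not a plan line, or an aggregate placeholder
        offset, plen, label = int(m.group(1)), int(m.group(2)), m.group(3)
        try:  # strict parsing rejects an offset that is not on the prefix boundary
            net = ipaddress.ip_network(f"{base.network_address + offset}/{plen}")
        except ValueError:
            problems.append(f"{offset}/{plen} ({label}): not aligned to /{plen}")
            continue
        if plen < base.prefixlen or not net.overlaps(base):
            problems.append(f"{net} ({label}): outside {base}")
        h = HOSTS_RE.search(label)
        if h and (int(h.group(1)), int(h.group(2))) != usable_range(net, base):
            problems.append(f"{net} ({label}): stated hosts do not match the prefix")
        for other, other_label in allocations:
            if net.overlaps(other):
                problems.append(f"{net} ({label}) overlaps {other} ({other_label})")
        allocations.append((net, label))
    return problems
```

Running check_plan over a whole block before editing the plan catches the usual drift between a stale "TODO: remove" entry and a new allocation squeezed into the same space.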
Traffic graphs
See mrtg for how to make mrtg play nicely on FreeBSD.
Operating
Blackholing, or RTBH
Info on RTBH:
- RFC 5635 -- Remote Triggered Black Hole Filtering with Unicast Reverse Path Forwarding (uRPF)
- RFC 3882 -- Configuring BGP to Block Denial-of-Service Attacks
- A Cisco paper
Example of how to blackhole .47 at Portlane (untested 2012-03-23):
bgpctl network add 171.25.193.47/32 community 42708:666
Remove all dynamically added announcements:
bgpctl network flush
Creating netflow data and looking at it
pmacct
pmacctd -D -c dst_port -P memory -i IF
pmacct -s -c dst_port | sort -nrk 2 | head
nfcap + fprobe
Example of how to capture, collect and look at netflow data locally on rs0.
- rs0# nfcapd -b 127.0.0.1 -n rs0,127.0.0.1,/usr/nfcap &
- otherhost$ ssh -NfL 9995:127.0.0.1:9995 rs0.dfri.net
- otherhost$ fprobe -i em3.257 -fip localhost:9995
- Wait.
- otherhost$ nfdump -B -R /usr/nfcap/FILE1:FILEn -s record
- Don't forget to shut down nfcapd and fprobe and gshred -zu /usr/nfcap/FILE* when you're done.
TODO
- Test RTBH
- Trigger launch of fprobe on extensive ierrs or idrop (rs0)?
- Take a look at nfsen as a nfdump front end?
How to create a VLAN i/f on a router
IF=<physical interface>
VLANID=<vlan id>
Add the VLANID to rc.conf
- Add VLANID to vlans_${IF} (and ipv6_network_interfaces)
- Add a create_args_${IF}_${VLANID} line for IPv4
- Add an ifconfig_${IF}_${VLANID}_ipv6 line for IPv6
Create the interface manually
- export i=$(ifconfig vlan create vlan $VLANID vlandev $IF)
- ifconfig $i name ${IF}.${VLANID}
Create and configure the interface automatically
- service netif restart ${IF}