Simon Marsh 2020-01-19 10:23:39 +00:00
parent 89d9f152e2
commit 6c4c1935f0
Signed by: burble
GPG Key ID: 7B9FE8780CFB6593
9 changed files with 187 additions and 73 deletions
pages
01.home
bgp-communities
burble-dn42-services
certificate-authority
dns
routing-policy
things-to-do
04.about

@ -31,7 +31,7 @@ Details of the BGP communities supported by the burble.dn42 network.
### Well Known BGP Communities
The following well known communities are implemented in the network.
The following well known communities are implemented.
|Community  |Description|Action|
|:---|:---|:---|
@ -47,25 +47,8 @@ burble.dn42 implements [large BGP communities](http://largebgpcommunities.net/),
|Community  |Description|
|:---|:---|
| ( 4242422601 : 100 : _country code_ )   | Route learned in this country |
| ( 4242422601 : 110 : _region code_ )   | Route learned in this region |
| ( 4242422601 : 120 : _host code_ )   | Route learned on this host |
| ( 4242422601 : 130 : 1 )   | Route is a direct peer |
| ( 4242422601 : 140 : _DN42 region_ )   | Route learned in this DN42 region |
| ( 4242422601 : 150 : _AS-NUM_ )   | Route learned in this burble.dn42 sub-AS |
 
#### Host Index Table
|Host  |Index|
|:---|:---|
|dn42-fr-rbx1   | 22 |
|dn42-uk-lon1   | 21 |
|dn42-lt-vil1   | 29 |
|dn42-ru-mos1   | 2 |
|dn42-us-dal1   | 31 |
|dn42-us-mia1   | 28 |
|dn42-us-sea1   | 18 |
|dn42-us-lax1   | 30 |
|dn42-sg-sig1   | 27 |
|dn42-au-syd1   | 24 |
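Review bot: the hunk header (-47,25 +47,8) shrinks this block from 25 lines to 8, so most of the informational large communities and the Host Index Table leave the page, yet nothing in the remaining text says whether routes are still tagged with them. Peers that match on values such as ( 4242422601 : 120 : _host code_ ) in their import filters would benefit from one line stating which communities have been withdrawn and which are still set.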

@ -14,8 +14,11 @@ List of public services provided by the burble.dn42 network.
[burble.dn42](http://burble.dn42/) (dn42 link)
[dn42.burble.com](https://dn42.burble.com/) (public internet link)
This website is built using [GRAV](https://getgrav.org/) and currently hosted on dn42-fr-rbx1. The public internet version is protected by [CloudFlare](https://www.cloudflare.com).
Longer term, regional replicas of the DN42 site may be provided however this is not currently configured.
This website is built using [GRAV](https://getgrav.org/) and currently
hosted on dn42-fr-sbg1. The public internet version is protected by
[CloudFlare](https://www.cloudflare.com).
Longer term, regional replicas of the DN42 site may be provided however
this is not currently configured.
## Looking Glass
@ -31,11 +34,7 @@ A fork of sileht/bird-lg that includes all of our fixes is available on [GitHub]
DN42 registry data in the BGP Map part of the looking glass uses [lgregmapper](https://git.dn42.us/burble/lgregmapper)
to interface with [dn42regsrv](https://git.dn42.us/burble/dn42regsrv).
[collector.burble.com](https://collector.burble.com) (public internet link)
The collector summarises routes from each of the burble.dn42 regions, providing a global view of network connectivity. Generally the collector will be quicker and easier to query when looking for global connectivity to an AS or network, however some functions are not supported (e.g. bgpmap functionality).
Both looking glass are hosted behind [CloudFlare](https://www.cloudflare.com).
The looking glass is hosted on fr-sbg1 behind [CloudFlare](https://www.cloudflare.com).
## DNS
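Review bot: the replacement sentence names the host as fr-sbg1, while the website paragraph earlier in this file and the mirror list further down both use dn42-fr-sbg1. Use the full host name here too so the page refers to the node by one spelling.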
@ -47,6 +46,12 @@ Both looking glass are hosted behind [CloudFlare](https://www.cloudflare.com).
|:--|:--|
| dns.burble.dn42<br/>b.recursive-servers.dn42| 172.20.129.2<br/>fd42:4242:2601:ac53::53 |
<br/>
**DNS over HTTPs (DoH)**
* https://dns.burble.dn42/dns-query
* https://[fd42:4242:2601:ac53::53]/dns-query
* https://172.20.129.2/dns-query
burble.dn42 provides a local, anycast, authoritative and recursive DNS service.
The [DNS Service](/home/dns) has it's own page.
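Review bot: two of the three new DoH URLs use IP literals (https://172.20.129.2/dns-query and https://[fd42:4242:2601:ac53::53]/dns-query), and a client can only validate TLS for those if the server certificate carries the addresses as IP subject alternative names. State which CA signs the DoH certificate and whether it covers the two addresses, so readers are not pushed towards turning verification off to make the endpoint work. The heading also reads "HTTPs" where the DNS page uses "DNS over HTTPS (DoH)", and the context line below has "it's own page" for "its own page".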
@ -74,10 +79,10 @@ operate as long as at least one proxy and mirror is available. The maximum laten
across the network is &lt;80ms.
Mirrors are located in the following locations:
* dn42-fr-rbx1
* dn42-fr-sbg1
* dn42-ca-bhs2
* dn42-us-dal1
* dn42-sg-sin2
* dn42-sg-sin1
## Pingable IP address
@ -143,6 +148,15 @@ in the DN42 Wiki ([Bird1](https://dn42.net/howto/Bird) / [Bird2](https://dn42.ne
|[https://dn42.burble.com/roa/dn42_roa_bird2_4.conf](https://dn42.burble.com/roa/dn42_roa_bird2_4.conf) &nbsp; | &nbsp;IPv4 Only&nbsp; | &nbsp; DN42 ROA data for use with Bird2 |
|[https://dn42.burble.com/roa/dn42_roa_bird2_6.conf](https://dn42.burble.com/roa/dn42_roa_bird2_6.conf) &nbsp; | &nbsp;IPv6 Only&nbsp; | &nbsp; DN42 ROA data for use with Bird2 |
## NTP Service
All servers in burble.dn42 are part of the [NTP Pool Project](https://www.ntppool.org/) and provide a stable, high
stratum NTP service using [chrony](https://chrony.tuxfamily.org). You can see my pool status in my
[NTP Pool Profile Page](https://www.ntppool.org/user/buovss4oiceotdj2o3mb).
The NTP service is exposed over DN42, and users are welcome to use any server in the burble.dn42 network as an
NTP time server on either the public or DN42 networks.
## Lounge IRC Gateway
[lounge.burble.dn42](http://lounge.burble.dn42/) (dn42 link)
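Review bot: "high stratum" in the first sentence of the new NTP Service section is ambiguous, because a numerically high stratum is further from the reference clock. If the intent is that the servers sit close to a reference source, "low stratum" or the actual stratum number would be clearer. The section also invites use on both the public and DN42 networks without giving a host name or address for a client to point at.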
@ -168,6 +182,12 @@ Whilst primarily a restricted service, with the intent of making burble.dn42
configuration and code publically available, user accounts can be created on request.
Please mail [dn42@burble.com](mailto:dn42@burble.com) for further details.
## DN42 Hosting Service
Contact dn42@burble.com if you have a DN42 service that you would like
to host on burble.dn42
## Network Status and Reporting
### Hosted Grafana Service
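Review bot: the new DN42 Hosting Service paragraph gives the contact address as bare text and ends without a full stop, while the paragraph directly above it uses [dn42@burble.com](mailto:dn42@burble.com). Use the same link form, and consider one sentence on what access a hosted service gets to the rest of the network so a reader can judge the offer before mailing.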

@ -9,16 +9,7 @@ burble.dn42 certificate authority details.
# Certificate Authority
The burble.dn42 network maintains a self-signed certificate authority to generate X.509 certificates for peers who are unable to use un-signed keys because of restrictions with their router implementations.
Please submit key signing requests to dn42@burble.com, emails should be signed with your PGP identity.
**Certificates are valid for 1 year, and if your certificate expires your peering will be removed.**
Peering using X.509 certificates is supported with the following tunnel types:
* OpenVPN
* IPSec/GRE
The burble.dn42 network maintains a self-signed certificate authority for burble.dn42 services.
## burble.dn42 CA details
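Review bot: the rewritten opening drops the peer signing process together with the statement "Certificates are valid for 1 year, and if your certificate expires your peering will be removed", but says nothing to peers who already hold a certificate issued by this CA. Add a line on whether existing peer certificates are still honoured until expiry and whether OpenVPN and IPSec/GRE peerings that relied on them need to migrate.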
@ -61,6 +52,3 @@ gGwJMRLy1L5Bd0p63in5SNX9LXVsY+8YiA7sa3yAhWc=
-----END CERTIFICATE-----
```
## Host Certificates
See the [Peering](/peering) page for signed host certificates.

@ -61,7 +61,7 @@ The root zone also includes stubs for resolving domains in networks associated t
|---|---|
| dns.burble.dn42<br/>b.recursive-servers.dn42| 172.20.129.2<br/>fd42:4242:2601:ac53::53 |
<br/>
dns.burble.dn42 is a caching, recursive DNS service that returns results for both DN42 and clearnet domains. By issuing parallel queries across five regional masters, the recursive service takes advantage of the burble.dn42 global scale to reduce latency and avoid local connectivity problems.
dns.burble.dn42 is a caching, recursive DNS service that returns results for both DN42 and clearnet domains. By issuing parallel queries across four regional masters, the recursive service takes advantage of the burble.dn42 global scale to reduce latency and avoid local connectivity problems.
The recursor is DNSSEC enabled and validates all queries.
@ -81,15 +81,12 @@ Aliases:
recursive-servers.dn42 name server a.recursive-servers.dn42.
recursive-servers.dn42 name server b.recursive-servers.dn42.
recursive-servers.dn42 name server j.recursive-servers.dn42.
recursive-servers.dn42 name server y.recursive-servers.dn42.
a.recursive-servers.dn42 has address 172.20.0.53
a.recursive-servers.dn42 has IPv6 address fd42:d42:d42:54::1
b.recursive-servers.dn42 has address 172.20.129.2
b.recursive-servers.dn42 has IPv6 address fd42:4242:2601:ac53::53
j.recursive-servers.dn42 has address 172.20.1.19
j.recursive-servers.dn42 has IPv6 address fd42:5d71:219:0:1::43
y.recursive-servers.dn42 has address 172.20.20.65
y.recursive-servers.dn42 has IPv6 address fd42:c01d:beef::2
```
Example resolv.conf using IPv6 with IPv4 fallback
@ -103,10 +100,7 @@ search dn42
nameserver fd42:4242:2601:ac53::53
# j.recursive-servers.dn42
nameserver fd42:5d71:219:0:1::43
# y.recursive-servers.dn42
nameserver 172.20.20.65
nameserver 172.20.1.19
```
#### DNS over HTTPS (DoH)
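Review bot: after this change the last entry, "nameserver 172.20.1.19", has no comment above it, unlike the other entries in the example. The host output earlier on the page shows 172.20.1.19 is the IPv4 address of j.recursive-servers.dn42, so the file now lists j twice and has no IPv4 address for b; label the line, and consider whether 172.20.129.2 is the better fallback so that losing j does not take out two of the three entries.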
@ -131,7 +125,7 @@ AAAA: fd42:4242:2601:ac80:0000:0000:0000:0001
## Implementation
The DNS service is implemented as a tiered, anycast service with each node
in the network providing a local cache in front of five, regional, master nodes.
in the network providing a local cache in front of four, regional, master nodes.
#### Edge Nodes
@ -162,11 +156,10 @@ Anycast routes to the DNS servers are advertised to the main Bird2 instance usin
| Region | Host | Location |
|:--|:--|:--|
| Europe | dns-master.fr-rbx1.burble.dn42 | OVH, Roubaix, France |
| Eastern Europe | dns-master.lt-vil1.burble.dn42 | Time4VPS, Vilnius, Lithuania |
| Europe | dns-master.fr-sbg1.burble.dn42 | OVH, Strasbourg, France |
| Americas (East) | dns-master.ca-bhs2.burble.dn42 | OVH, Beauharnois, Canada |
| Americas (Mid & West) | dns-master.us-dal3.burble.dn42 | HostDoc, Dallas, USA |
| Asia and Oceania | dns-master.sg-sin2.burble.dn42 | OVH, Singapore |
| Americas (Mid & West) &nbsp; | dns-master.us-dal1.burble.dn42 | DrServer, Dallas, USA |
| Asia and Oceania | dns-master.sg-sin1.burble.dn42 | ITLDC, Singapore |
<br/>
The master nodes are implemented using [PowerDNS](https://www.powerdns.com/).

@ -26,20 +26,30 @@ With a global network and multiple peers, the burble.dn42 network typically has
#### bgp local_pref
The local_pref for routes is set on entry, and then propogated across the whole network (including across regions). This forces the network to prefer routes that, where possible, send traffic through the burble.dn42 network to a local peer, rather than sending cross regional traffic through external peers (aka [Cold Potato Routing](https://en.wikipedia.org/wiki/Hot-potato_and_cold-potato_routing)).
The local_pref for routes is set on entry, and then propogated across the whole network. This forces the
network to prefer routes that, where possible, send traffic through the burble.dn42 network to a local peer,
rather than sending cross regional traffic through external peers (aka
[Cold Potato Routing](https://en.wikipedia.org/wiki/Hot-potato_and_cold-potato_routing)).
|Local Pref &nbsp; | Route Class |
|:---|:---|
| 3000 &nbsp; | burble.dn42 dynamic / anycast routes |
| 2000 &nbsp; | burble.dn42 internal networks |
| 1000 &nbsp; | Peer networks (AS path len = 1) |
| 900 &nbsp; | Prioritised routes for well known anycast prefixes |
| 500 &nbsp; | Route received in same DN42 region as it originated |
| 100 &nbsp; | Default |
#### bgp med
The med attribute is set _per host_ and not propogated through the network.
The use of med is intended to pursuade the host to choose the lowest latency route to a prefix, in the case where the local_pref and AS path lengths are equal. Routes that originate in a different burble.dn42 region also get an additional med penalty.
The med attribute is used to implement a latency based metric across the network. Scripts are used
to gather the latency between nodes (using ping) and this is then incorporated in to the ansible
scripting that generates the peer configuration for the internal mesh. The peer configuration
sets the med to be the latency in ms between nodes (in milliseconds * 10). A penalty of 500 is added
for each hop to encourange direct routing between nodes.
```
med = 10 + 4 if cross region + DN42 maxmimum latency via 65411 community (1 to 9)
med = (latency between nodes in ms * 10) + (500 per hop)
```
The med metric is exported to external peers to help them decide how to route traffic to the burble.dn42
network.
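Review bot: the new med paragraph gives the unit twice and inconsistently in "sets the med to be the latency in ms between nodes (in milliseconds * 10)", which can be read as either the latency or ten times the latency. The formula below it is unambiguous, so reword the sentence to match it, for example "sets the med to ten times the latency in ms between nodes". The added lines also carry the typos "propogated" and "encourange", and since the med is now exported to external peers it is worth saying how often the latency figures are re-measured.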

@ -0,0 +1,124 @@
---
title: Things to do
published: true
visible: true
---
Things to do in DN42
===
What can you do in DN42 ? Ultimately, you'll get out of DN42 what you put in to it,
but I've listed here a few ideas that may serve as inspiration and the spark an idea.
This is deliberately not a set of instructions or a guide and it's not a checklist of stuff you
must do.
If you are interested in something there is plenty of public information available on
all these topics.
#### Getting Started
- Read up on how Internet peering works, and the tools and protocols that are used
- Register your details in the DN42 registry
- Do read the DN42 getting started guide
- Do browse through the registry itself and use what other people did as examples
- Do look through recent Pull Requests to see what is required and how to do it
- Join the mailing list and #dn42 on hackint
- DN42 is a great community with many knowledgable members. You can learn a lot from what other
people are doing, or the problems they have, as well as getting your own network working
- Get your first peer
- use the peerfinder to find peers close to you, or ask on IRC
- ping something on DN42
- use a DN42 service
Congratulations, you're connected to DN42 !
#### The Basics
- Get more peers
- Add 4 or 5 different peers
- having several peers prevents having a dependency on a single peer and adds redundancy
- provides you with a variety of different routes
- learn how different peers manage their networks
- How do you see which routes are being advertised and selected ?
- Change route metrics and see how this influences selected routes
- Optimise your routes across your peers
- What is an optimal route anyway ?
- How is your network being distributed across DN42 ?
- How do you find out ?
- Change how your routes are advertised to peers to influence the routing to your network across DN42
- Set up DNS and resolve a host in the .dn42 hierarchy
- Set up your own DNS server
- Register a domain; set up forward and reverse DNS
- Set up a blog/wiki and document your network
- Make the pages available over DN42 and the Internet
- Add your network to the peerfinder
- Learn something new and add it to the DN42 Wiki
#### Intermediate
- Secure your network
- Distribute DN42 routes to another, internal node
- Learn how to use an IGP and iBGP
- Add two or more nodes to DN42 and peer with multiple AS
- Distribute routes from all peers across the nodes in your network
- How do you decide which routes are 'best' across the network ?
- Optimise your routes to DN42
- How do you manage multiple entry points to your network ?
- What do other networks see ?
- How do other networks decide which node to route to ?
- Configure your network so that one node is preferred
- Optimise how DN42 sees your network
- Add two or more nodes in different continents
- Why is that different ?
- How do you optimise your network now ?
- Implement ROA
- Implement BGP communities
- Help a new joiner connect to DN42
- Resolve someone elses DN42 problem
- Set up a looking glass
- Set up a service that can be used by the rest of the DN42 community
- Make it a 'production' service, add HA, monitoring and alerting
- Secure your service
- Use the DN42 CA
- Add it to the wiki
#### Complex
- Connect multiple nodes to the same peer AS in different geographic locations
- Optimise the routes to the AS
- Optimise the routes that the peer AS has to you
- Monitor your network
- How do you know it's working well ?
- (what does 'working well' mean ?)
- provide public metrics
- Create a virtual environmment to test changes
- How do you make your virtual environment representative of DN42 ?
- Volunteer to help with DN42 core services
- System administration and automation
- Patching and maintenance
- Implement backups and DR
- Automate the set up and configuration of your nodes
- Automate adding peers
#### Even more
- Make something new
- What's the latest software or network trend ?
- implement it and learn how to use it
- Make something experimental
- Try out a cutting edge service or network technology and see if you can get it to work
- What are the current challenges faced by the Internet ? How are they being solved ?
- Can you replicate the problem and potential solutions in DN42 ?
- Make something social
- Create and share a community resource
- Make something stable
- Fine tune your network and nodes
- DN42 changes all the time, how do you protect your network from other people breaking things ?
- Make something small
- Take something huge (DNS, CDNs, gmail, distributed computing, serverless, AI ...)
and shrink it down to your network, but using the same techniques as the global players to manage things
- scale it up, and down
- Make something corporate
- Replicate a multi-datacentre corporate/organisation design
- Grab your next job based on your experience ;)
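Review bot: the introduction of the new page has a broken clause, "may serve as inspiration and the spark an idea", which probably wants "and spark an idea". Further down the added text has "knowledgable", "someone elses" and "environmment". The entry "Use the DN42 CA" under "Secure your service" would be easier to follow with a link, given that this commit narrows the burble.dn42 CA page to burble.dn42 services only.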

Binary file not shown. Before: 609 KiB

Binary file not shown. After: 98 KiB

@ -5,32 +5,28 @@ media_order: 'DN42 Map 181224.2.png'
#burble.dn42
burble.dn42 is an experimental global network, part of [dn42](https://dn42.us/)
By active peer count, burble.dn42 is currently the largest network in dn42.
burble.dn42 is an experimental global network, and is currently the largest network wthin
[dn42](https://dn42.us/).
#####Background
I manage a number of virtual and dedicated servers that provide high quality time services for the [NTP Pool Project](https://www.ntppool.org/").
I manage a number of virtual and dedicated servers that provide high quality time services for the [NTP Pool Project](https://www.ntppool.org/).
burble.dn42 is a project to integrate these servers with dn42, creating a globally connected set of POPs that are well connected to the dn42 network.
My [NTP Pool Profile Page](https://www.ntppool.org/user/buovss4oiceotdj2o3mb) shows the status of each of my servers in the pool.
#####Topology
All nodes in the burble.dn42 network are directly meshed with wireguard tunnels. A VXLAN, layer 2, overlay sits on
top of the wireguard mesh, providing separation of DN42 traffic from internal traffic. The internal routing protocols
used are OSPF and iBGP for the regional anycast services.
All nodes in the burble.dn42 network are fully meshed with wireguard tunnels. iBGP together with
[BGP Confederations](https://en.wikipedia.org/wiki/BGP_confederation) are used as the routing protocol
between nodes. iBGP is also fully meshed, and the configuration for both iBGP and wireguard tunnels
is built using a number of [Ansible](https://www.ansible.com/) scripts.
#####DN42 Routing
The current network design was introduced in December 2019; previous designs for the network have included a
VXLAN overlay over the wireguard mesh to create a single layer 2 network, together with the use of OSPF as the
IGP. Other variations have included using BABEL, and tinc.
To simplify the number of iBGP sessions, the network is configured as a number of sub-AS regions within a single [BGP Confederation](https://en.wikipedia.org/wiki/BGP_confederation).
The sub-AS regions, together with tagging using [large BGP communities](http://largebgpcommunities.net/), are used to implement a regional [Routing Policy](/home/routing-policy).
* Europe (region AS4226010150)
* North America (region AS4226010021)
* Asia and Oceania (region AS4226010009)
![Network Map](DN42%20Map%20191026.png)
![Network Map](burble.dn42.200110.png)
####Network Status
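Review bot: the replaced Topology paragraph said the VXLAN overlay was "providing separation of DN42 traffic from internal traffic", and the new text describes the wireguard mesh, iBGP and confederations without saying how that separation is achieved in the current design. Add a sentence on how DN42 traffic is kept apart from internal traffic now, or state that it no longer is. The new opening line also has "wthin" for "within" and drops the "By active peer count" qualifier, leaving "largest network" without a stated measure.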