BGP

OpenBGPD - Upgrade Looking Glass

Categories

I’m running a BGP Looking Glass Server on https://bgp.stoege.net, where can get some view about BGP running on the Global Internet.

Upgrade to 7.2

Did an Upgrade to the latest Version with my Script.

Upgrade was sucessful, but the BGP Service needs some Fix. Website show as “500 Internal Server Error”, and the Logs got a few messages like this:

tail -f /var/log/messages

Oct 21 11:38:07 bapi slowcgi[62677]: execve /cgi-bin/bgplg: Permission denied
Oct 21 11:38:07 bapi slowcgi[93993]: caught exit of unknown child 62677
Oct 21 11:38:12 bapi slowcgi[45500]: execve /cgi-bin/bgplg: Permission denied

Reapply the Permission

chmod 0550 /var/www/cgi-bin/bgplg
chown www:daemon /var/www/cgi-bin/bgplg

chmod 0555 /var/www/bin/bgpctl
chmod 4555 /var/www/bin/ping* /var/www/bin/traceroute*

Check Service

$ curl --head "https://bgp.stoege.net/cgi-bin/bgplg"
HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: keep-alive
Content-Type: text/html
Date: Fri, 21 Oct 2022 09:45:38 GMT
Server: OpenBSD httpd
Transfer-Encoding: chunked

and we’re back again …

OpenBGPD Looking Glass

Network, OpenBSD

BGP Looking Glass with OpenBSD

something I’ve wanted to do for a long time and never got around to it …

Just give a try, it’s public available: https://bgp.stoege.net/

Prerequisite

  • OpenBSD VM (at least 2G RAM)
  • Public IPv4 / IPv6
  • DNS Record / Static IP
  • Full BGP Feed (don’t worry, you can get it for free)

httpd config

OpenBSD got their own HTTP Daemon in Base System. Let’s enable and configure it.

Aslo - AS Lookup

OpenBSD

ASLO

AS Lookup Helper Script. It’s written for OpenBSD and need’s some modification for Linux. It basically depends on Python, PIP Installer and Python Package “aslookup”. Have Fun !

Download

wget https://blog.stoege.net/scripts/aslo
chmod 755 aslo
./aslo 1.1.1.1

Script

… and the Content himelf. It basically check’s if pip is installed, if as-lookup is installed, and then does the as lookup for the given IP Adress

#!/usr/bin/env bash

# AS Lookup for IP Address

install_pip() {
  echo -e "\npip not found, install ?\n"
  read -rsp $'Press any key to continue...\n' -n1 key
  pkg_add py3-pip--
  ln -sf /usr/local/bin/pip3.9 /usr/local/bin/pip
  echo -e "\npip installed ...\n"
}

install_aslookup() {
  echo -e "\nas-lookup not found, install ?\n"
  read -rsp $'Press any key to continue...\n' -n1 key
  pip install aslookup
  echo -e "\naslookup installed ...\n"
}

aslo() {
  as-lookup -s cymru `getent hosts $1 |awk '!/:/{ print $1}'`
}

which pip &>/dev/null || install_pip
which as-lookup &>/dev/null || install_aslookup
aslo $1

exit 0

Usage

you can simply ask one ip …

Projects

OpenBSD

as many of you, i’ve got different kind of stuff running, mostly internally, but also some public things.

Hamsterwheel Counter

my Daughter got a Hamster and he’s running every night in his Weel.. I built a small Wheel-Counter so we can see the Daily Stats an Performance of Cookie :). Website is in German and reachable via IPv6 only …

the Hamster died just before XMAS 2022 :( RIP Cookie !

RPKI for Home Usage

OpenBSD

Resource Public Key Infrastructure

you may know what RPKI is …

It’s a PKI Framework for improving Security for the Internet Routing Infrastructure based on BGP.

As a HomeUser or Small/Medium Size Company, you normally don’t have a Full BGP Table and multipe Upstream Providers. You have one Internet Router or Firewall and you get a Default Route from your ISP.

With OpenBGPD and the current rpki extensions, you “just” need a Full BGP Feed and then, you can filter all invalid ROA’s and keep your Routing (and Internet Access) more Secure.

FullBGP at Home

OpenBSD

did you always wanted to have a fullbgp table at home once ? Over your DSL / CM / LTE or whatever connection ? here a little howto :)

Setup VM

Install a VM with OpenBSD. Add 1 CPU, 1 GB RAM, 20 GB Disk, nothing special

Check our Upstream Provider

Check the Page from Lukasz and spend him a Beer if you ever meet him. He also mentioned my Post in his Slides (Thanks Lukas)

ScionLab

Network

Install Doku

Upgrade Fresh Debian

apt-get -y update
apt-get -y upgrade
apt-get -y distupgrade
apt-get -y install vim

Scion

apt-get install apt-transport-https
echo "deb [trusted=yes] https://packages.netsec.inf.ethz.ch/debian all main" | tee /etc/apt/sources.list.d/scionlab.list
apt-get update
apt-get install scionlab

Config

scionlab-config --host-id=1fcf8axxxxxxxxxxxxxxxxxxxxxxxxxx --host-secret=4ef93cxxxxxxxxxxxxxxxxxxxxxxxxxx

Check Services

root@scionlab:~# ip address show dev tun0
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.1.1.52/16 brd 10.1.255.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::aa8a:c135:f627:bcff/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

root@scionlab:~# grep Interfaces -A15 /etc/scion/gen/ISD*/AS*/endhost/topology.json
      "Interfaces": {
        "1": {
          "Bandwidth": 1000,
          "ISD_AS": "17-ffaa:0:1107",
          "LinkTo": "PARENT",
          "MTU": 1472,
          "Overlay": "UDP/IPv4",
          "PublicOverlay": {
            "Addr": "10.1.1.52",
            "OverlayPort": 50000
          },
          "RemoteOverlay": {
            "Addr": "10.1.0.1",
            "OverlayPort": 50229
          }
        }

root@scionlab:~# systemctl list-dependencies scionlab.target
scionlab.target
● ├─scion-border-router@17-ffaa_1_d85-1.service
● ├─scion-control-service@17-ffaa_1_d85-1.service
● ├─scion-daemon@17-ffaa_1_d85.service
● └─scion-dispatcher.service

root@scionlab:~# scmp echo -remote 20-ffaa:0:1404,[0.0.0.0]
Using path:
  Hops: [17-ffaa:1:d85 1>230 17-ffaa:0:1107 1>4 17-ffaa:0:1102 3>4 17-ffaa:0:1108 2>8 17-ffaa:0:1101 3>2 20-ffaa:0:1401 6>1 20-ffaa:0:1402 2>1 20-ffaa:0:1404] MTU: 1472, NextHop: 127.0.0.1:30042

176 bytes from 20-ffaa:0:1404,[0.0.0.0] scmp_seq=0 time=258.282ms
176 bytes from 20-ffaa:0:1404,[0.0.0.0] scmp_seq=1 time=259.515ms
176 bytes from 20-ffaa:0:1404,[0.0.0.0] scmp_seq=2 time=264.142ms
176 bytes from 20-ffaa:0:1404,[0.0.0.0] scmp_seq=3 time=257.675ms

root@scionlab:~# scmp tr -remote 21-ffaa:0:1501,[0.0.0.0]
Using path:
  Hops: [17-ffaa:1:d85 1>230 17-ffaa:0:1107 1>4 17-ffaa:0:1102 3>4 17-ffaa:0:1108 2>8 17-ffaa:0:1101 3>2 20-ffaa:0:1401 4>3 21-ffaa:0:1501] MTU: 1472, NextHop: 127.0.0.1:30042
0  17-ffaa:1:d85,[127.0.0.1] IfID=1  474µs 460µs 303µs
1  17-ffaa:0:1107,[192.33.93.195] IfID=230  9.533ms 10.099ms 9.75ms
2  17-ffaa:0:1107,[192.33.93.195] IfID=1  10.152ms 10.12ms 9.651ms
3  17-ffaa:0:1102,[129.132.121.164] IfID=4  11.151ms 11.874ms 9.675ms
4  17-ffaa:0:1102,[192.33.92.68] IfID=3  10.419ms 11.829ms 11.886ms
5  17-ffaa:0:1108,[195.176.0.11] IfID=4  14.57ms 11.859ms 11.739ms
6  17-ffaa:0:1108,[195.176.28.157] IfID=2  16.276ms 15.704ms 15.417ms
7  17-ffaa:0:1101,[193.247.172.154] IfID=8  15.862ms 16.496ms 16.473ms
8  17-ffaa:0:1101,[193.247.172.130] IfID=3  22.882ms 23.789ms 22.081ms
9  20-ffaa:0:1401,[134.75.250.114] IfID=2  252.212ms 252.403ms 253.067ms
10  20-ffaa:0:1401,[134.75.250.114] IfID=4  253.937ms 251.94ms 251.649ms
11  21-ffaa:0:1501,[202.255.44.48] IfID=3  314.05ms 313.705ms 313.292ms
12  21-ffaa:0:1501,[0.0.0.0]  314.419ms 313.534ms 314.605ms
Any Comments ?

sha256: 0719a8bbc818ec97a796c90b7de0027ee6905fd5d889d6eb6b500b519b968dcc