Hi Angelo,
I can explain my journey, and hopefully it will help with your situation.
There are a lot of barriers to this process, and some make sense.
While there are some network providers that will announce the netblock,
some of the issue stems from what the end goal is. If one of those goals is
to 'learn a life skill', you've hit a jackpot, there is a lot to learn. If
it's simply to just have a few static IPs for your own use, cloud providers
are a much easier and cheaper option.
The benefits of 'leasing' and announcing a netblock is mostly around
portability of your IPs. For me, I wanted to setup a service where I can
use the same IP address anywhere for time services. The idea is that if
you're on AREDN (or another service), NTP can be setup on an IP address
like 44.4.53.2, and anybody with a time server can create a time server
with the IP 40.4.53.2. It's 'anycast' with some RF added for fun. Think of
using 8.8.8.8 for DNS, we could use something like 44.4.4.4 for NTP/time.
That aside, there is likely a better mechanism than NTP to do this over the
air, and that's where the experimentation and fun happens.
I will go forward with the idea that you would like these IPs to be
portable somehow for the project you're using this block for.
The Internet is built on BGP, and a major part of that is the autonomous
system number (AS or ASN). This number is unique on the internet for BGP
services to learn how to get from one IP to another. For example, if your
IP is 10.0.0.1 and you're trying to reach 10.10.0.1, traffic will probably go
through multiple autonomous systems to get there. Usually the shortest path wins.
10.0.0.1 (AS65536) -> (AS65537) -> 10.10.0.1 (AS65551)
There might be multiple routes to get there, which is where BGP comes in.
10.0.0.1 (AS65536) -> AS65538 -> AS65539 -> AS65551
etc.
This is a longer AS path, so it becomes the less ideal path to send traffic.
This way, if a path fails, there are 5 more paths left to get to me.
For visual representation of all the routes to my AS and path, check out
https://bit.ly/3sggrKj - packets can go multiple different paths to get to
me like Level3 and NTT but the shortest path wins.
To acquire an AS number, you need a business entity. For me, I already had
a business entity called "I am a Bad Actor, LLC" for another project I had
in the past for pen testing. I registered it in Wyoming using
wyomingagents.com, which pretty much took about a day to receive the
articles of incorporation. Cost here was $25 for a 'Registered Agent' +
$102 for compliance filing.
We're up to $127 so far.
With the articles of incorporation, you can request an AS number. These are
manually approved by various authorities (ARIN, RIPE, etc.) but assuming
you're in the US, ARIN is where you go (www.arin.net).
You'll need to submit 'sample documentation' for why you need an AS number.
It will look something like this:
┌────────────────────────────────────────────────────────────────┐
│                                                                │
│  ┌───────────────┐   ┌─────────┐   ┌────────────────────┐      │
│  │               │   │         │   │        ARIX        │      │
│  │    Packet     │   │ Choopa  │   │   Amateur Radio    │      │
│  │               │   │         │   │      Exchange      │      │
│  └───────────────┘   └─────────┘   └────────────────────┘      │
│          ▲                ▲                  ▲                 │
│          │                │                  │                 │
│          └────────────────┼──────────────────┘                 │
│                           │                                    │
│                ┌──────────┴───────────────┐                    │
│                │                          │                    │
│                │          MY ASN          │   ┌─────────────┐  │
│                │                          ├───┤  Hurricane  │  │
│                │                          │   │Electric FRE2│  │
│                └──────────────────────────┘   └─────────────┘  │
└────────────────────────────────────────────────────────────────┘
Something like that. Make it pretty. Basically, you need the ASN to connect
to multiple providers, including our very own internet exchange ARIX based
in Hurricane Electric in Fremont.
This step will cost $550 for this ASN, plus $150 per year.
So far we're up to $677 + 150 yearly.
Once you have the AS number, you will now be taken slightly more seriously
with the ISPs and NSPs of the world. You've paid your dues to be part of an
exclusive club. Mind you, there are as many AS numbers as there are IPv4
addresses, so there is no shortage of AS numbers, just additional barriers
to entry for a reason (will go into this later).
For a list of providers that are willing to announce your new ASN with your
IP range, head over to https://bgp.services and you can find a good list
there. Vultr/Choopa is on the list, as well as many others.
I would recommend a small shop called FreeRangeCloud (freerangecloud.com),
as the contacts there are really nice. It's not a big operation so you're
not just a number. Also, be patient with them. :)
You have a few options at this point, but at first it involves getting a
Linux system up and running with BGP access. I personally use a Raspberry
Pi 4 with 8GB of memory so I can hold a full BGP feed in memory. I sent it to
FRC to be installed in the rack within Hurricane Electric in Fremont.
Raspberry Pi was $75, plus a case, memory card, and an NTP shield for my
use-case. All said and done, about $110 + NTP shield. You can get a VM that
has similar specs for $8 or $10/mo. It's probably cheaper to do the VM
path, but I needed the additional hardware.
Now we're up to $752 + $270/year.
You might want to also pick up an IPv6 IP range from freerangecloud while
you're at it - a /48 (the minimum you can announce over BGP) goes for $5
setup, plus $5 a year. The steps below will be similar, but not exact for
IPv6.
After your Linux box is provisioned for your new IP range, we'll just add a
dummy interface to accept the new IP range:
    # ip link add dummy0 type dummy
    # ip addr add <44-IP>/24 dev dummy0
<44-IP> is a real host IP from your block, not just the network IP.
There are a few services that can talk BGP on Unix, and the major one is
called BIRD. I still use 1.6, but you can use any you'd like. BIRD is a bit
overkill, but works well.
Install it with your favorite package manager. I use apt.
    apt-get -y install bird
vi /etc/bird/bird.conf to get started. Here is a sample config:
# Something unique here on the network. Helps avoid routing loops in
# certain iBGP configs.
router id 10.0.0.1;
# This pseudo-protocol watches all interface up/down events.
protocol device {
scan time 10; # Scan interfaces every 10 seconds
}
protocol kernel {
export all;
scan time 20;
}
protocol direct {
interface "dummy0";
import all;
}
# Setup an outbound filter to ONLY announce the /24 assigned to you
filter my_route {
if net = <my netblock>/24 then accept;
else reject;
}
protocol bgp bgp_uplink {
export filter my_route;
import all;
local as <your new ASN>;
direct;
neighbor <NSP BGP router> as <NSP ASN>;
}
Save configs, start bird (service bird start) and check on it with "birdc":
    birdc show protocols all
After this is complete, you'll need to get routes into the IRR (Internet
Routing Registry) for your ASN. IRR is a group of registries loosely used
to validate you own the netblock you are announcing with your AS. Not only
that, but it also lists your uplink transit providers so they can
re-announce your block. This is an attempt to avoid
someone hijacking your IP range and saying "this is mine". The IRR through
ARIN was free and easy through their email interface. Since they've moved
to web-based, they now validate the routes with blocks that are ARIN-owned,
of which 44.x.x.x addresses are not.
The other option available is RADb, which currently costs $425/year for
non-profits. There was talk about AMPR opening up an account, but that will
require using the API so people with an ASN can update the DB themselves
with authentication. I'm assuming this is in the works already.
But for now, this is the only way I know to update the IRR now that ARIN is no
longer accepting email-based updates.
So we're up to $1177 to start, and $575 per year to announce the IP.
There is a chance you can bypass a lot of the above ASN malarkey, but you
will be met with mixed results. If you use a small provider like Free Range
Cloud (freerangecloud.com) or Neptune Networks (neptunenetworks.org) they
can announce using their own ASN, and provide you a 'private ASN' from which you
can announce your route, and it will be passed on. You'll still need BIRD,
but it gives you control over which network provider gets your traffic
(which is, after all, the whole purpose, right? :)
Why is this so difficult, you say? Well, the short answer is that the
internet providers as a whole don't want more ASNs on the network. It means
their route tables get bigger, requires more memory/cpu, and routers get
more expensive over time. I went for an 8GB Raspberry Pi, and that should
give me some wiggle room for a while. Most routers have much less memory
than that. Each additional route adds a little extra work for routers
to do. ARIN also has bills to pay themselves.
Now for options -
If we can get IP addresses registered as "legacy" status in RIPE, we can
use their IRR to avoid the RADb step above (saves $425/year). Also, if RIPE
announces the IPs as legacy, it would be possible to take a chunk of IPs
and announce them via AWS via AWS Global Accelerator and utilize cloud
resources using the IPs. Instead of IPIP, we can hand out world-wide VPN
endpoints. We can also create our own VPCs for different projects. This
would give amateur radio a huge boost of bandwidth in places like Europe,
Australia, South America, India, and Africa.
For those of us who wish to keep our racks/cages/routers at
datacenters, that's completely cool. We could maybe set up AWS Direct
Connect in popular datacenters for direct connectivity to other AMPRnet
nodes.
I learned a lot about BGP in the last 8 months doing it myself. It's also
an expensive lesson to learn. Worth it? Maybe.
But not everyone wants to learn BGP just to get a network IP block for a
project.
Anyway - got a little soapbox-y for a minute. I hope this helps. For
anybody doing this for the first time, freerangecloud.com and
neptunenetworks.org are the nicest and most willing-to-help NSPs out there.
73,
KF6DMA
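To make the three control points in the write-up above concrete (the BIRD export filter that only lets your own /24 out, the IRR route-object check a transit provider runs before re-announcing you, and shortest-AS-path selection with loop prevention), here is a small Python model. It is an added example, not code from the original mail or from any of the providers named in it; the ASN 65536, the 44.4.53.0/24 block, the 2001:db8:44::/48 block and the registry contents are constructed stand-ins for the <your new ASN> and <my netblock> placeholders, and the IPv4 /24 maximum length is an assumption (the mail only states /48 for IPv6).

```python
"""
Tiny model of the three checks a /24 announcement passes through:
  1. the router's own export filter (the 'filter my_route' block),
  2. the transit provider's IRR lookup (route object prefix + origin AS),
  3. BGP best-path selection by shortest AS path, with loop prevention.
Placeholders from the mail (<your new ASN>, <my netblock>) are replaced by
constructed values; nothing here talks to a real router or registry.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

MY_ASN = 65536                                       # constructed stand-in for <your new ASN>
MY_NETBLOCK = ipaddress.ip_network("44.4.53.0/24")   # constructed stand-in for <my netblock>/24

# Assumption: transit providers drop IPv4 prefixes longer than /24 and IPv6
# prefixes longer than /48 (the mail states the /48 figure for IPv6).
MAX_PREFIXLEN = {4: 24, 6: 48}


def export_filter(prefix: str, allowed=MY_NETBLOCK) -> bool:
    """Mirror of 'if net = <my netblock>/24 then accept; else reject;'.
    Only the exact assigned block passes. More-specifics, supernets and any
    route learned from the uplink (e.g. a full table) are rejected, so a
    misconfiguration cannot turn the box into a transit leak."""
    return ipaddress.ip_network(prefix, strict=False) == allowed


@dataclass(frozen=True)
class RouteObject:
    """An IRR 'route:' / 'route6:' object: which origin AS may announce a prefix."""
    prefix: str
    origin: int


# Constructed registry contents in the shape of RADb/ARIN route objects.
IRR = frozenset({
    RouteObject("44.4.53.0/24", MY_ASN),
    RouteObject("44.108.2.0/24", 65537),
    RouteObject("2001:db8:44::/48", MY_ASN),
})


def irr_validate(prefix: str, origin_asn: int, registry: Iterable[RouteObject] = IRR) -> str:
    """Approximates the prefix filter a transit provider builds from the IRR.
    'valid'        a covering route object names this origin AS
    'invalid'      the prefix is registered, but to a different origin
                   (the "this is mine" hijack case the mail describes)
    'not-found'    no route object covers the prefix at all
    'too-specific' longer than the /24 (v4) or /48 (v6) limit"""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen > MAX_PREFIXLEN[net.version]:
        return "too-specific"
    covering = []
    for obj in registry:
        reg = ipaddress.ip_network(obj.prefix, strict=False)
        # subnet_of() raises on mixed address families, so compare versions first
        if reg.version == net.version and net.subnet_of(reg):
            covering.append(obj)
    if not covering:
        return "not-found"
    return "valid" if any(o.origin == origin_asn for o in covering) else "invalid"


def best_path(paths: Iterable[List[int]], local_as: int = MY_ASN) -> Optional[List[int]]:
    """Shortest-AS-path selection, as in the mail's two example paths.
    A path that already contains our own ASN is a routing loop and is
    discarded before length is compared (the standard BGP loop check).
    Returns None when every candidate loops back to us."""
    candidates = [p for p in paths if local_as not in p]
    if not candidates:
        return None
    return min(candidates, key=len)


if __name__ == "__main__":
    print("export 44.4.53.0/24:", export_filter("44.4.53.0/24"))
    print("export 44.4.53.0/25:", export_filter("44.4.53.0/25"))
    print("IRR 44.4.53.0/24 from AS65999:", irr_validate("44.4.53.0/24", 65999))
    print("best path:", best_path([[65537, 65551], [65538, 65539, 65551]]))
```

The export filter is deliberately an exact match rather than a "within my block" test: announcing a /25 out of your /24 would not make it past most upstreams anyway, and anything else leaving the box is a leak. On the IRR side the useful distinction is between "not-found" (you forgot to register the route object, which is the usual reason an NSP quietly drops your announcement) and "invalid" (someone else's origin is registered for your space), since the fix is different for each.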
On Wed, Feb 17, 2021 at 9:24 AM Angelo via 44Net <44net(a)mailman.ampr.org> wrote:
Well, I have changed to another NSP and still no success. Seems to be
a problem with the advertisement of my subnet
44.108.2/24. I have received my LOA and have forwarded it to the NSP,
but still been unable to get my subnet advertised.
I know the stock answer from most of you will be, if they are an NSP,
they should know what to do. Since this is the second NSP,
I am looking for specific steps/commands that need to be done to get the subnet
advertised.
Please refrain from sending the message, "They should know." Forwarding
that type of message to the NSP does not help much at all.
I am trying to help get this worked out.
Any help would be appreciated.
73 de Angelo
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net