decentralized network 42

Recently I've been interested in BGP and stumbled across a thread on reddit that pointed me to a community called decentralized network 42, or dn42.

If you haven't heard of dn42, it is essentially a private network that runs just like the real internet does, with BGP, peering, an Internet Registry (aka the registry), DNS root servers, and more. Joining the dn42 network usually means creating your own Autonomous System and peering with other users. There is a lot to learn from participating, and it is a unique opportunity to experience BGP in a real-world setting with plenty of challenges.

Links between peers are usually IPsec/GRE or OpenVPN peer-to-peer tunnels providing secure communications over the actual internet. A peering session involves the exchange of routes via BGP, including both IPv4 and IPv6.

dn42 has selected a few RFC1918 networks for IPv4 (172.20.0.0/16 and 172.22.0.0/15 as of this writing) and uses ULA addresses for IPv6.

The Registry

The dn42 registry is an important part of the network that contains listings of all subnets, autonomous systems, domains, etc. It is typically modified using the web interface, but the registry is actually a distributed Monotone repository, with a few core users synchronizing with each other.

The registry is essentially the same thing as what Regional Internet Registries provide on the real internet, for example, the RIPE Database.

BGP

BGP is used to exchange routes between peers. BIRD and Quagga are common BGP daemons used on Linux. Quagga's syntax is very similar to Cisco configuration; BIRD's is completely different but offers a large amount of customizability with filters. A simple BIRD configuration with a peer looks like:

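# MYPEER inherits shared settings from the dnpeers template defined elsewhere
protocol bgp MYPEER from dnpeers {
        # the peer's address inside the tunnel and its AS number
        neighbor 172.20.13.35 as 4242423178;
        # the three arguments give this link's latency, bandwidth and encryption class
        import where dn42_import_filter(5,24,33);
        export where dn42_export_filter(5,24,33);
}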

In addition, there are filters available that add BGP communities to imported and exported routes to tag things such as latency, bandwidth, and security. Network operators inspect these communities to choose, for example, the route with the lowest latency.

Route origins are secured with Route Origin Authorizations (ROA). There is a script in the registry that will generate a BIRD configuration containing IPv4 and IPv6 ROA tables. Routes with invalid origins can then be filtered out.
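The origin check that such a ROA table makes possible, as an added example in Python (not code from the dn42 registry or from BIRD), following the RFC 6811 valid/invalid/unknown rules. The "roa <prefix> max <len> as <asn>;" line layout is an assumption based on BIRD 1.x table syntax, and every prefix and AS number in the sample is constructed.

```python
import ipaddress
import re

# Constructed sample; layout assumed to match a generated BIRD 1.x ROA table.
SAMPLE_ROA_CONFIG = """
roa 172.20.50.0/24 max 28 as 4242420001;
roa 172.20.50.0/24 max 24 as 4242420002;
roa fd42:1234::/32 max 64 as 4242420001;
"""

ROA_LINE = re.compile(r"^\s*roa\s+(\S+)\s+max\s+(\d+)\s+as\s+(\d+)\s*;")


def load_roas(text):
    """Parse ROA lines into (network, max_length, origin_asn) tuples."""
    roas = []
    for line in text.splitlines():
        m = ROA_LINE.match(line)
        if m:
            net = ipaddress.ip_network(m.group(1), strict=True)
            roas.append((net, int(m.group(2)), int(m.group(3))))
    return roas


def validate(roas, prefix, origin_asn):
    """Return 'valid', 'invalid' or 'unknown' for an announced route."""
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for net, max_len, asn in roas:
        # A ROA covers the route when the route lies inside the ROA prefix.
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        # One matching ROA is enough: right origin and not too specific.
        if asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered but never matched: wrong origin AS or a too-specific prefix.
    return "invalid" if covered else "unknown"


def filter_routes(roas, routes):
    """Drop only routes with an invalid origin; unknown routes are kept."""
    return [(p, a) for p, a in routes if validate(roas, p, a) != "invalid"]


if __name__ == "__main__":
    table = load_roas(SAMPLE_ROA_CONFIG)
    for route in [("172.20.50.0/26", 4242420001), ("172.20.50.0/30", 4242420001)]:
        print(route, validate(table, *route))
```

A more-specific announcement from the authorized AS is still invalid once it is longer than the ROA's maximum length, which is what stops a sub-prefix of someone else's allocation from being accepted.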

You can read more here about using BIRD on dn42.

DNS

There is an anycast DNS address available at 172.23.0.53, which can be run by anyone. It is a recursive resolver that delegates the root zone (.) to the group of dn42 root name servers.

For example, here is a trace of the A record for one of my dn42 domains, lg.tech9computers.dn42.

dig @172.23.0.53 lg.tech9computers.dn42 +trace
;; global options: +cmd
.                       25      IN      NS      m.root-servers.dn42.
.                       25      IN      NS      x.root-servers.dn42.
.                       25      IN      NS      a.root-servers.dn42.
.                       25      IN      NS      t.root-servers.dn42.
;; Received 158 bytes from 172.20.16.130#53(172.20.16.130) in 26 ms

dn42.                   7200    IN      NS      b.zone-servers.dn42.
dn42.                   7200    IN      NS      m.zone-servers.dn42.
dn42.                   7200    IN      NS      c.zone-servers.dn42.
dn42.                   7200    IN      NS      x.zone-servers.dn42.
;; Received 181 bytes from 172.22.141.1#53(172.22.141.1) in 1010 ms

tech9computers.dn42.    7200    IN      NS      ns1.tech9computers.dn42.
tech9computers.dn42.    7200    IN      NS      ns2.tech9computers.dn42.
;; Received 108 bytes from 172.22.128.38#53(172.22.128.38) in 301 ms

lg.tech9computers.dn42. 300     IN      CNAME   us-phx01.tech9computers.dn42.
us-phx01.tech9computers.dn42. 300 IN    A       172.20.16.130
tech9computers.dn42.    300     IN      NS      ns1.tech9computers.dn42.
tech9computers.dn42.    300     IN      NS      ns2.tech9computers.dn42.

As you can see above, the root servers delegate the dn42. zone to the zone-servers, which build their zone records directly from the dn42 registry.

Network Troubleshooting

Most of the core operators on dn42 provide a Looking Glass server that allows other users to introspect the BGP tables and perform simple network tests such as traceroute or ping.

For example, I run my own (only accessible from inside dn42) Looking Glass with bird-lg.

The screenshot below shows a traceroute from my Looking Glass's web interface:

[Screenshot: Looking Glass Output]

The Future

There are always new developments in dn42 and things keep evolving.

For example, recently a few virtual Internet Exchange Points (IXP) have been created that lower the barrier to peering with others by using a route server rather than having to establish individual BGP sessions with everyone.

Join us!

The community is open for anyone to join, so come chat with us on the #dn42 channel on hackint.

Check out the Getting Started page on the wiki for a full walkthrough of joining the dn42 network. Happy Peering!

UPDATE 05-08-2016: If you want to peer with me, see this page.

Written on December 27, 2015