Anycast IPv6 - YourSelf

How to Build your own AnyCast Network

You’re using anycast every day. All public resolvers (1.1.1.1, 8.8.8.8, 9.9.9.9), for example, are anycast IPs: many servers distributed around the world listen on and announce the same IP address.

For a few $ we can build a proof of concept that shows how to build such a network.

Requirements

AS Number

Anycast heavily depends on BGP, so you need your own AS Number. I got mine for 15 CHF/year from Securebit.ch. You should also keep in mind that you will not get any IPv4 addresses without buying them on the market, so your setup will be based on IPv6 only.

Cloud Provider with BGP

We need the possibility to spin up virtual machines in different locations around the world. You can go with the big players (AWS, GCP, Azure, …) and waste time and money on their complexity and tools, or you choose a small provider without all the fancy stuff, where you just get what you need.

Knowhow

You need a certain know-how about networking, OpenBSD, security … and this blog will help you get there …

Setup

Get your account on Vultr. I’m happy if you register via my sponsor link. I’ll get 10$ once, which helps me to operate my infrastructure for you.

Build VM

You can build a VM via the web page, or you install “vultr-cli” for your OS and build it on the CLI. You also need an API key.

export VULTR_API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

curl "https://api.vultr.com/v2/instances" \
  -X POST \
  -H "Authorization: Bearer ${VULTR_API_KEY}" \
  -H "Content-Type: application/json" \
  --data '{
  "region": "cdg",
  "plan": "vc2-1c-1gb",
  "label": "bgp-paris",
  "os_id": 2105,
  "backups": "disabled",
  "hostname": "bgp-paris"
}'

Login & Patch

Basic tasks

ssh -l root 45.63.xxx.xxx
syspatch
pkg_add -Vu

Loopback

Create the loopback interface with your IP (the prefix you got from RIPE …)

cat << 'EOF' > /etc/hostname.lo1
description "Loopback 1"
inet6 2a0e:97c0:0740::1/48
up
EOF

Bring up the interface

sh /etc/netstart

BGP config

cat << 'EOF' > /etc/bgpd.conf

# define our own ASN as a macro
ASN="208260"

# global configuration
AS $ASN
router-id YOUR-PUBLIC-IPV4

# list of networks that may be originated by our ASN
prefix-set mynetworks {
  2a0e:97c0:0740::/48
}

# define bogon prefixes which should not be part of the DFZ
prefix-set bogons {
        ::/8 or-longer                  # RFC 4291 IPv4-compatible, loopback, et al
        0100::/64 or-longer             # Discard-Only [RFC6666]
        2001:2::/48 or-longer           # BMWG [RFC5180]
        2001:10::/28 or-longer          # ORCHID [RFC4843]
        2001:db8::/32 or-longer         # docu range [RFC3849]
        2002::/16 or-longer             # 6to4 anycast relay [RFC7526]
        3ffe::/16 or-longer             # old 6bone
        fc00::/7 or-longer              # unique local unicast
        fe80::/10 or-longer             # link local unicast
        fec0::/10 or-longer             # old site local unicast
        ff00::/8 or-longer              # multicast
}

network prefix-set mynetworks set large-community $ASN:1:1

# upstream providers
group "upstreams" {
    remote-as               64515
    tcp md5sig password     YOUR-MD5-HASH
    multihop                2

    neighbor 169.254.169.254    { descr "Vultr4" }
    neighbor 2001:19f0:ffff::1  { descr "Vultr6" }
}

## rules section

allow       from group upstreams prefix ::/0
deny  quick from group upstreams prefix 0.0.0.0/0
allow to ebgp prefix-set mynetworks large-community $ASN:1:1
match from ebgp set { large-community delete $ASN:*:* }
match from any community GRACEFUL_SHUTDOWN set { localpref 0 }
deny quick from any prefix-set bogons
deny from any max-as-len 100
EOF
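The filter section above relies on two OpenBGPD behaviours worth checking before you put a config like this in front of a live session: `or-longer` matches a prefix and every more-specific of it, and rules are evaluated in order with the last match winning unless a rule is `quick`. The following is an added example (not part of the original post and not OpenBGPD code) that re-implements the inbound part of this policy as a simplified model in Python, so you can test which updates the rules would accept and confirm that your own /48 is not shadowed by the bogon set. The prefix sets are copied from the config above; the sample updates are constructed.

```python
import ipaddress

# Constructed mirror of the prefix-sets in the bgpd.conf above; every
# bogon entry there carries "or-longer" (the prefix or any more-specific).
BOGONS = [
    "::/8", "0100::/64", "2001:2::/48", "2001:10::/28", "2001:db8::/32",
    "2002::/16", "3ffe::/16", "fc00::/7", "fe80::/10", "fec0::/10", "ff00::/8",
]
MYNETWORKS = ["2a0e:97c0:0740::/48"]
MAX_AS_LEN = 100


def or_longer(prefix, pset):
    """OpenBGPD 'or-longer' match: prefix equals or is a subnet of an entry."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(
        net.version == e.version and net.subnet_of(e)
        for e in map(ipaddress.ip_network, pset)
    )


def inbound_decision(prefix, aspath):
    """Simplified model of the inbound rules above for an update received
    from the 'upstreams' group: rules are evaluated in order, the last
    matching rule wins, 'quick' stops evaluation, and an update matched by
    no rule is denied. Returns (accepted, reason)."""
    net = ipaddress.ip_network(prefix, strict=False)
    decision, reason = False, "no rule matched"
    # allow from group upstreams prefix ::/0   (exact default route only)
    if net == ipaddress.ip_network("::/0"):
        decision, reason = True, "default route from upstream"
    # deny quick from group upstreams prefix 0.0.0.0/0
    if net == ipaddress.ip_network("0.0.0.0/0"):
        return False, "IPv4 default route (quick)"
    # deny quick from any prefix-set bogons
    if or_longer(prefix, BOGONS):
        return False, "bogon (quick)"
    # deny from any max-as-len 100
    if len(aspath) > MAX_AS_LEN:
        decision, reason = False, f"AS path longer than {MAX_AS_LEN}"
    return decision, reason


def own_prefixes_are_not_bogons():
    """Sanity check: nothing we originate is covered by the bogon set."""
    return not any(or_longer(p, BOGONS) for p in MYNETWORKS)
```

Note that with this policy a full table from the upstream would be dropped as "no rule matched"; only the default route is accepted, which is exactly the single prefix the `bgpctl show sum` output below reports.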

Replace YOUR-PUBLIC-IPV4 with your public IPv4 address (or any other address; it just must be unique within your AS Number!)

$ sed -i 's/YOUR-PUBLIC-IPV4/1.2.3.4/' /etc/bgpd.conf

Replace YOUR-MD5-HASH with the MD5 hash you got from Vultr

$ sed -i 's/YOUR-MD5-HASH/xxxxxxxxxxxxxxxx/' /etc/bgpd.conf

Enable & Start BGP

rcctl enable bgpd
rcctl restart bgpd

Show BGP Neighbor

root@bgp-paris# bgpctl show sum
Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
Vultr4                  64515          0          0     0 00:00:19 Connect
Vultr6                  64515          0          0     0 00:00:19 Connect

root@bgp-paris # bgpctl show sum
Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
Vultr4                  64515          8          7     0 00:02:25      1
Vultr6                  64515          8          8     0 00:02:25      1

Show Outgoing Announcement

root@bgp-paris # bgpctl show ip bgp out
flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
       S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
aspa validation state: ? = unknown, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete

flags  vs destination          gateway          lpref   med aspath origin
A*    N-? 2a0e:97c0:740::/48   2001:19f0:6801:80c:5400:4ff:fe68:8f0b   100     0 208260 i
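Once more nodes exist, you will want the two checks above (sessions Established with a prefix received, own /48 announced) to run unattended on every node rather than by eye. The following is an added example, not part of the original post, that parses the `bgpctl show sum` and `bgpctl show ip bgp out` output formats shown above and flags unhealthy neighbors and a missing announcement; the embedded sample text is constructed from the output shown on this page so the check runs offline (in production you would feed it the live command output).

```python
import ipaddress

# Constructed sample output in the format of the bgpctl commands above.
SUMMARY = """\
Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
Vultr4                  64515          0          0     0 00:00:19 Connect
Vultr6                  64515          8          8     0 00:02:25      1
"""
OUT = """\
flags  vs destination          gateway          lpref   med aspath origin
A*    N-? 2a0e:97c0:740::/48   2001:19f0:6801:80c:5400:4ff:fe68:8f0b   100     0 208260 i
"""


def parse_summary(text):
    """One dict per neighbor. The last column is a prefix count when the
    session is Established and a state name (Connect, Active, ...) otherwise."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] == "Neighbor":
            continue
        name, asn, _rcvd, _sent, _outq, _updown, state = parts[:7]
        established = state.isdigit()
        sessions.append({"neighbor": name, "as": int(asn),
                         "established": established,
                         "prefixes": int(state) if established else 0,
                         "state": "Established" if established else state})
    return sessions


def unhealthy_neighbors(text, min_prefixes=1):
    """Neighbors to alert on: not Established, or Established but receiving
    fewer than min_prefixes (Vultr sends a single default route here)."""
    return [s["neighbor"] for s in parse_summary(text)
            if not s["established"] or s["prefixes"] < min_prefixes]


def is_announced(text, prefix):
    """True if 'bgpctl show ip bgp out' lists prefix with the A (Announced)
    flag. Prefixes are normalised, so 2a0e:97c0:0740::/48 matches the
    2a0e:97c0:740::/48 form that bgpctl prints."""
    want = ipaddress.ip_network(prefix)
    for line in text.splitlines():
        parts = line.split()
        for tok in parts[1:]:          # parts[0] is the flags column
            if "/" in tok:
                try:
                    found = ipaddress.ip_network(tok)
                except ValueError:
                    break
                if found == want and "A" in parts[0]:
                    return True
                break
    return False
```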

TCPDump on your Range

And you should see some incoming traffic …

root@bgp-paris# tcpdump -n net 2a0e:97c0:740::/48
tcpdump: listening on vio0, link-type EN10MB
08:41:39.308613 2600:1f1e:46c:: > 2a0e:97c0:740::1: icmp6: echo request [flowlabel 0xf2153]
08:41:48.757507 2a0b:2e00:102:: > 2a0e:97c0:740::1.443: S 2702248522:2702248522(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 652969254 0,sackOK,eol> [flowlabel 0x70500]
08:41:58.848612 2001:470:1:84:: > 2a0e:97c0:740:1234::1.5900: S 4165758034:4165758034(0) win 65535
08:41:59.356166 2001:470:1:32:: > 2a0e:97c0:740:2::2.5900: S 1048268235:1048268235(0) win 65535
08:42:05.905360 2a0b:2e00:100:: > 2a0e:97c0:740::1.443: S 396612563:396612563(0) win 65535 <mss 1360,sackOK,eol> [flowlabel 0xc0000]
08:42:06.504671 2406:da11:820:: > 2a0e:97c0:740::1: icmp6: echo request [flowlabel 0xdf493]
08:42:07.714652 2a05:d011:795:: > 2a0e:97c0:740::1: icmp6: echo request [flowlabel 0x22074]
08:42:13.746368 2a05:d01c:ac2:: > 2a0e:97c0:740::1: icmp6: echo request [flowlabel 0xdc1e7]
08:42:14.690582 2a0b:2e00:102:: > 2a0e:97c0:740::1.443: SWE 3515533051:3515533051(0) win 65535 <mss 1360,nop,wscale 6,nop,nop,timestamp 3190648080 0,sackOK,eol> [flowlabel 0x80900]

Grow

That’s it, basically. Repeat these steps with other VMs around the world, set up a web server and you have your own self-hosted and controlled anycast network.

Feedback

Please let me know if you tried to reproduce it or have any questions. I’m happy to help. Just write in the comments or contact me.
