Welcome to TiddlyWiki created by Jeremy Ruston, Copyright © 2007 UnaMesa Association
My name is Thomas Mangin
You can find more professional information about me [[here|http://www.linkedin.com/in/thomasmangin]]
My PGP key is available [[here|http://thomas.mangin.com/pgp/index.html]]
You can email me at firstname @ surname dot com
Should you want to link to this site, please use the domain thomas.mangin.com and the link_ tags created on the page; for example, this page can be linked as [[http://thomas.mangin.com/#tag:link_about|http://thomas.mangin.com/#tag:link_about]]
''If you just followed a link and did not land on the page you expected, this is normal, just continue reading''
This site went from using [[Templeet|http://www.templeet.org]] to [[MiniTiddlyServer|http://www.minitiddlyserver.com/]] (a wiki server extension for [[TiddlyWiki|http://www.tiddlywiki.com/]]) to simply [[TiddlyWiki|http://www.tiddlywiki.com/]]. This means that the whole site is now self-contained in one HTML document.
Using the ''search box'' on the top right, or the ''tags'' on the bottom right, you should be able to bring up the page you are looking for in no time.
You can take a full offline copy of this site by right clicking [[here|http://thomas.mangin.com/index.html]] and saving the document.
This configuration is quite old (as I do not use Cisco for EBGP anymore); in particular, the bogon list contains ~IPs which have since been allocated to LIRs. Also, the RIPE Best Practice document no longer recommends route dampening.
Route dampening was left in but should really not be used, as recommended by [[ripe-378|http://www.ripe.net/ripe/docs/routeflap-damping.html]], which obsoletes ripe-229, ripe-210 and ripe-178.
The IP addresses are allocated following this [[Topology]].
{{{
! Undocumented command to improve the speed at which BGP routes are learned
spd headroom 1000
interface Loopback0
ip address 10.2.3.14 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
no ip unreachables
interface FastEthernet0/0
description "ISP Backbone"
ip address 10.0.0.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
ip route-cache flow
speed 100
ip route-cache same-interface
full-duplex
interface FastEthernet1/0
description "Primary Exchange Connection"
ip address 172.16.0.100 255.255.254.0
ip access-group network_isp_in in
ip access-group network_isp_out out
no ip redirects
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
no ip mask-reply
ip verify unicast reverse-path
rate-limit input access-group 110 2048000 8000 8000 \
conform-action transmit exceed-action drop
ip route-cache flow
speed 100
full-duplex
no cdp enable
! Improve the speed at which we learn BGP routes
hold-queue 1500 in
interface FastEthernet1/1
description "Secondary Exchange Connection"
ip address 172.16.2.100 255.255.254.0
ip access-group network_isp_in in
ip access-group network_isp_out out
no ip redirects
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
no ip mask-reply
ip verify unicast reverse-path
rate-limit input access-group 110 2048000 8000 8000 \
conform-action transmit exceed-action drop
ip route-cache flow
speed 100
full-duplex
no cdp enable
hold-queue 1500 in
router eigrp 65200
redistribute connected
redistribute static
passive-interface FastEthernet1/0
passive-interface FastEthernet1/1
network 10.2.2.0
distribute-list 10 out
no auto-summary
eigrp log-neighbor-changes
router bgp 65200
no synchronization
no bgp fast-external-fallover
bgp log-neighbor-changes
bgp dampening route-map graded-flap-dampening
maximum-paths 2
aggregate-address 10.0.0.0 255.254.0.0 summary-only
network 10.2.3.0
neighbor peer-ibgp peer-group
neighbor peer-ibgp remote-as 65200
neighbor peer-ibgp update-source Loopback0
neighbor peer-ibgp version 4
neighbor peer-ibgp send-community
neighbor peer-ibgp soft-reconfiguration inbound
neighbor peer-nap-high peer-group
neighbor peer-nap-high description "Peering (High Preference)"
neighbor peer-nap-high version 4
neighbor peer-nap-high next-hop-self
neighbor peer-nap-high send-community
neighbor peer-nap-high soft-reconfiguration inbound
neighbor peer-nap-high route-map peer-nap-high-in in
neighbor peer-nap-high route-map peer-nap-out out
neighbor peer-nap-high maximum-prefix 100
neighbor peer-nap-low peer-group
neighbor peer-nap-low description "Peering (Low Preference)"
neighbor peer-nap-low version 4
neighbor peer-nap-low next-hop-self
neighbor peer-nap-low send-community
neighbor peer-nap-low soft-reconfiguration inbound
neighbor peer-nap-low route-map peer-nap-low-in in
neighbor peer-nap-low route-map peer-nap-out out
neighbor peer-nap-low maximum-prefix 100
neighbor 10.2.3.10 peer-group peer-ibgp
neighbor 10.2.3.11 peer-group peer-ibgp
neighbor 10.2.3.12 peer-group peer-ibgp
neighbor 10.2.3.13 peer-group peer-ibgp
neighbor 10.2.3.15 peer-group peer-ibgp
neighbor 10.2.3.16 peer-group peer-ibgp
neighbor 10.2.3.17 peer-group peer-ibgp
neighbor 10.2.3.18 peer-group peer-ibgp
neighbor 172.16.0.10 remote-as 65300
neighbor 172.16.0.10 peer-group peer-nap-high
neighbor 172.16.0.10 description "ISP One Primary"
neighbor 172.16.0.10 maximum-prefix 1000
neighbor 172.16.2.10 remote-as 65300
neighbor 172.16.2.10 peer-group peer-nap-high
neighbor 172.16.2.10 description "ISP One Secondary"
neighbor 172.16.2.10 maximum-prefix 1000
neighbor 172.16.0.20 remote-as 65310
neighbor 172.16.0.20 peer-group peer-nap-low
neighbor 172.16.0.20 description "ISP Two Primary"
neighbor 172.16.2.20 remote-as 65310
neighbor 172.16.2.20 peer-group peer-nap-low
neighbor 172.16.2.20 description "ISP Two Secondary"
distribute-list prefix bogon-external out FastEthernet0/0
distribute-list prefix bogon-internal in FastEthernet0/0
distribute-list prefix bogon-internal out FastEthernet1/0
distribute-list prefix bogon-external in FastEthernet1/0
distribute-list prefix bogon-internal out FastEthernet1/1
distribute-list prefix bogon-external in FastEthernet1/1
no auto-summary
ip flow-export source Loopback0
ip flow-export version 5 peer-as
ip flow-export destination 10.2.3.205 2055
ip bgp-community new-format
ip as-path access-list 60 permit ^$
ip as-path access-list 50 permit .*
ip as-path access-list 70 permit ^$
ip as-path access-list 70 permit ^65350_
ip as-path access-list 70 permit ^65360_
ip as-path access-list 100 permit ^65350_
ip as-path access-list 105 permit ^65360_
ip pim bidir-enable
ip as-path access-list 10 deny _(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5])_
ip as-path access-list 10 permit .*
ip prefix-list bogon-external seq 1 deny 0.0.0.0/0
ip prefix-list bogon-external seq 10 deny 0.0.0.0/7 le 32
ip prefix-list bogon-external seq 20 deny 2.0.0.0/8 le 32
ip prefix-list bogon-external seq 30 deny 5.0.0.0/8 le 32
ip prefix-list bogon-external seq 40 deny 7.0.0.0/8 le 32
ip prefix-list bogon-external seq 50 deny 10.0.0.0/8 le 32
ip prefix-list bogon-external seq 60 deny 23.0.0.0/8 le 32
ip prefix-list bogon-external seq 70 deny 27.0.0.0/8 le 32
ip prefix-list bogon-external seq 80 deny 31.0.0.0/8 le 32
ip prefix-list bogon-external seq 90 deny 36.0.0.0/7 le 32
ip prefix-list bogon-external seq 100 deny 39.0.0.0/8 le 32
ip prefix-list bogon-external seq 110 deny 41.0.0.0/8 le 32
ip prefix-list bogon-external seq 120 deny 42.0.0.0/8 le 32
ip prefix-list bogon-external seq 130 deny 49.0.0.0/8 le 32
ip prefix-list bogon-external seq 140 deny 50.0.0.0/8 le 32
ip prefix-list bogon-external seq 150 deny 58.0.0.0/7 le 32
ip prefix-list bogon-external seq 160 deny 60.0.0.0/8 le 32
ip prefix-list bogon-external seq 170 deny 70.0.0.0/7 le 32
ip prefix-list bogon-external seq 180 deny 72.0.0.0/5 le 32
ip prefix-list bogon-external seq 190 deny 83.0.0.0/8 le 32
ip prefix-list bogon-external seq 200 deny 84.0.0.0/6 le 32
ip prefix-list bogon-external seq 210 deny 88.0.0.0/5 le 32
ip prefix-list bogon-external seq 220 deny 96.0.0.0/3 le 32
ip prefix-list bogon-external seq 230 deny 169.254.0.0/16 le 32
ip prefix-list bogon-external seq 240 deny 172.16.0.0/12 le 32
ip prefix-list bogon-external seq 250 deny 192.0.2.0/24 le 32
ip prefix-list bogon-external seq 260 deny 192.168.0.0/16 le 32
ip prefix-list bogon-external seq 270 deny 197.0.0.0/8 le 32
ip prefix-list bogon-external seq 280 deny 198.18.0.0/15 le 32
ip prefix-list bogon-external seq 290 deny 201.0.0.0/8 le 32
ip prefix-list bogon-external seq 300 deny 222.0.0.0/7 le 32
ip prefix-list bogon-external seq 310 deny 224.0.0.0/3 le 32
ip prefix-list bogon-external seq 500 deny 159.101.0.0/16 le 32
ip prefix-list bogon-external seq 510 deny 10.0.0.0/16 le 32
ip prefix-list bogon-external seq 520 deny 10.1.0.0/16 le 32
ip prefix-list bogon-external seq 900 permit 0.0.0.0/0 le 24
ip prefix-list bogon-internal seq 1 deny 0.0.0.0/0
ip prefix-list bogon-internal seq 10 deny 0.0.0.0/7 le 32
ip prefix-list bogon-internal seq 20 deny 2.0.0.0/8 le 32
ip prefix-list bogon-internal seq 30 deny 5.0.0.0/8 le 32
ip prefix-list bogon-internal seq 40 deny 7.0.0.0/8 le 32
ip prefix-list bogon-internal seq 50 deny 10.0.0.0/8 le 32
ip prefix-list bogon-internal seq 60 deny 23.0.0.0/8 le 32
ip prefix-list bogon-internal seq 70 deny 27.0.0.0/8 le 32
ip prefix-list bogon-internal seq 80 deny 31.0.0.0/8 le 32
ip prefix-list bogon-internal seq 90 deny 36.0.0.0/7 le 32
ip prefix-list bogon-internal seq 100 deny 39.0.0.0/8 le 32
ip prefix-list bogon-internal seq 110 deny 41.0.0.0/8 le 32
ip prefix-list bogon-internal seq 120 deny 42.0.0.0/8 le 32
ip prefix-list bogon-internal seq 130 deny 49.0.0.0/8 le 32
ip prefix-list bogon-internal seq 140 deny 50.0.0.0/8 le 32
ip prefix-list bogon-internal seq 150 deny 58.0.0.0/7 le 32
ip prefix-list bogon-internal seq 160 deny 60.0.0.0/8 le 32
ip prefix-list bogon-internal seq 170 deny 70.0.0.0/7 le 32
ip prefix-list bogon-internal seq 180 deny 72.0.0.0/5 le 32
ip prefix-list bogon-internal seq 190 deny 83.0.0.0/8 le 32
ip prefix-list bogon-internal seq 200 deny 84.0.0.0/6 le 32
ip prefix-list bogon-internal seq 210 deny 88.0.0.0/5 le 32
ip prefix-list bogon-internal seq 220 deny 96.0.0.0/3 le 32
ip prefix-list bogon-internal seq 230 deny 169.254.0.0/16 le 32
ip prefix-list bogon-internal seq 240 deny 172.16.0.0/12 le 32
ip prefix-list bogon-internal seq 250 deny 192.0.2.0/24 le 32
ip prefix-list bogon-internal seq 260 deny 192.168.0.0/16 le 32
ip prefix-list bogon-internal seq 270 deny 197.0.0.0/8 le 32
ip prefix-list bogon-internal seq 280 deny 198.18.0.0/15 le 32
ip prefix-list bogon-internal seq 290 deny 201.0.0.0/8 le 32
ip prefix-list bogon-internal seq 300 deny 222.0.0.0/7 le 32
ip prefix-list bogon-internal seq 310 deny 224.0.0.0/3 le 32
ip prefix-list bogon-internal seq 900 permit 0.0.0.0/0 le 24
ip prefix-list golden-networks description "root DNS server networks"
ip prefix-list golden-networks seq 100 permit 198.41.0.0/24
ip prefix-list golden-networks seq 105 permit 128.9.0.0/16
ip prefix-list golden-networks seq 110 permit 192.33.4.0/24
ip prefix-list golden-networks seq 115 permit 128.8.0.0/16
ip prefix-list golden-networks seq 120 permit 192.203.230.0/24
ip prefix-list golden-networks seq 125 permit 192.5.5.0/24
ip prefix-list golden-networks seq 130 permit 192.112.36.0/24
ip prefix-list golden-networks seq 135 permit 128.63.0.0/16
ip prefix-list golden-networks seq 140 permit 192.36.148.0/24
ip prefix-list golden-networks seq 145 permit 192.58.128.0/24
ip prefix-list golden-networks seq 150 permit 193.0.14.0/24
ip prefix-list golden-networks seq 155 permit 198.32.64.0/24
ip prefix-list golden-networks seq 160 permit 202.12.27.0/24
ip prefix-list golden-networks seq 165 permit 192.5.6.0/24
ip prefix-list golden-networks seq 170 permit 192.33.14.0/24
ip prefix-list golden-networks seq 175 permit 192.26.92.0/24
ip prefix-list golden-networks seq 180 permit 192.31.80.0/24
ip prefix-list golden-networks seq 185 permit 192.12.94.0/24
ip prefix-list golden-networks seq 190 permit 192.35.51.0/24
ip prefix-list golden-networks seq 195 permit 192.42.93.0/24
ip prefix-list golden-networks seq 200 permit 192.54.112.0/24
ip prefix-list golden-networks seq 205 permit 192.43.172.0/24
ip prefix-list golden-networks seq 210 permit 192.48.79.0/24
ip prefix-list golden-networks seq 215 permit 192.52.178.0/24
ip prefix-list golden-networks seq 220 permit 192.41.162.0/24
ip prefix-list golden-networks seq 225 permit 192.55.83.0/24
ip prefix-list max22-23 description Apply to /22 and /23 prefixes
ip prefix-list max22-23 seq 5 permit 0.0.0.0/0 ge 22 le 23
ip prefix-list min24 description Apply to /24 and longer prefixes
ip prefix-list min24 seq 5 permit 0.0.0.0/0 ge 24
ip access-list standard network_isp_in
deny 10.2.3.0 0.0.0.255 log
deny 10.0.0.0 0.0.255.255
deny 10.1.0.0 0.0.255.255
permit any
ip access-list standard network_isp_out
permit 10.2.3.0 0.0.0.255 log
permit 10.0.0.0 0.0.255.255
permit 10.1.0.0 0.0.255.255
permit 192.168.0.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
deny any
access-list 10 deny 0.0.0.0
access-list 10 permit any
access-list 11 permit 0.0.0.0
access-list 11 deny any
access-list 20 permit 10.2.3.200
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
route-map peer-nap-high-in permit 10
set ip next-hop peer-address
set local-preference 150
set community 65200:65400
route-map peer-nap-low-in permit 10
set ip next-hop peer-address
set local-preference 145
set community 65200:65400
route-map peer-nap-out permit 10
match as-path 70
set community 65200:65200
route-map graded-flap-dampening deny 10
match ip address prefix-list golden-networks
route-map graded-flap-dampening permit 20
match ip address prefix-list min24
set dampening 30 820 3000 60
route-map graded-flap-dampening permit 30
match ip address prefix-list max22-23
set dampening 15 750 3000 45
route-map graded-flap-dampening permit 40
set dampening 10 1500 3000 30
}}}
This configuration is quite old (I no longer use Cisco for EBGP); in particular the bogon list contains IP ranges which have since been allocated to LIRs. Also, the RIPE Best Practice document no longer recommends route dampening.
The IP addresses are allocated following this [[Topology]].
{{{
interface Loopback0
ip address 10.2.3.14 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
no ip unreachables
interface FastEthernet0/0
description "ISP Backbone"
ip address 10.0.0.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
ip route-cache flow
speed 100
ip route-cache same-interface
full-duplex
router eigrp 65200
redistribute connected
redistribute static
passive-interface FastEthernet1/0
passive-interface FastEthernet1/1
network 10.2.2.0
distribute-list 10 out
no auto-summary
eigrp log-neighbor-changes
router bgp 65200
no synchronization
no bgp fast-external-fallover
bgp log-neighbor-changes
maximum-paths 2
! relation with other router in the same AS
neighbor peer-ibgp peer-group
neighbor peer-ibgp remote-as 65200
neighbor peer-ibgp update-source Loopback0
neighbor peer-ibgp version 4
neighbor peer-ibgp send-community
neighbor peer-ibgp soft-reconfiguration inbound
! This customer only want a default route
neighbor client-reliable-connection description "..."
neighbor client-reliable-connection ebgp-multihop 2
neighbor client-reliable-connection version 4
neighbor client-reliable-connection send-community
neighbor client-reliable-connection soft-reconfiguration inbound
neighbor client-reliable-connection route-map client-reliable-in in
neighbor client-reliable-connection route-map client-reliable-out out
neighbor client-reliable-connection default-originate
! This customer have a full feed, and have an unreliable connection
neighbor client-unreliable-connection description "..."
neighbor client-unreliable-connection ebgp-multihop 2
neighbor client-unreliable-connection version 4
neighbor client-unreliable-connection send-community
neighbor client-unreliable-connection soft-reconfiguration inbound
neighbor client-unreliable-connection route-map client-unreliable-in in
neighbor client-unreliable-connection route-map client-unreliable-out out
neighbor client-unreliable-connection timers 10
neighbor 10.2.3.10 peer-group peer-ibgp
neighbor 10.2.3.11 peer-group peer-ibgp
neighbor 10.2.3.12 peer-group peer-ibgp
neighbor 10.2.3.13 peer-group peer-ibgp
neighbor 10.2.3.15 peer-group peer-ibgp
neighbor 10.2.3.16 peer-group peer-ibgp
neighbor 10.2.3.17 peer-group peer-ibgp
neighbor 10.2.3.18 peer-group peer-ibgp
neighbor 192.168.0.254 remote-as 65350
neighbor 192.168.0.254 peer-group client-reliable-connection
neighbor 192.168.0.254 description "Client One"
neighbor 192.168.1.254 remote-as 65360
neighbor 192.168.1.254 peer-group client-unreliable-connection
neighbor 192.168.1.254 description "Client Two"
distribute-list prefix bogon-external out FastEthernet0/0
distribute-list prefix bogon-internal in FastEthernet0/0
no auto-summary
ip flow-export source Loopback0
ip flow-export version 5 peer-as
ip flow-export destination 10.2.3.205 2055
ip bgp-community new-format
ip as-path access-list 60 permit ^$
ip as-path access-list 50 permit .*
ip as-path access-list 70 permit ^$
ip as-path access-list 70 permit ^65350_
ip as-path access-list 70 permit ^65360_
ip as-path access-list 100 permit ^65350_
ip as-path access-list 105 permit ^65360_
ip pim bidir-enable
ip as-path access-list 10 deny _(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5])_
ip as-path access-list 10 permit .*
ip prefix-list bogon-external seq 1 deny 0.0.0.0/0
ip prefix-list bogon-external seq 10 deny 0.0.0.0/7 le 32
ip prefix-list bogon-external seq 20 deny 2.0.0.0/8 le 32
ip prefix-list bogon-external seq 30 deny 5.0.0.0/8 le 32
ip prefix-list bogon-external seq 40 deny 7.0.0.0/8 le 32
ip prefix-list bogon-external seq 50 deny 10.0.0.0/8 le 32
ip prefix-list bogon-external seq 60 deny 23.0.0.0/8 le 32
ip prefix-list bogon-external seq 70 deny 27.0.0.0/8 le 32
ip prefix-list bogon-external seq 80 deny 31.0.0.0/8 le 32
ip prefix-list bogon-external seq 90 deny 36.0.0.0/7 le 32
ip prefix-list bogon-external seq 100 deny 39.0.0.0/8 le 32
ip prefix-list bogon-external seq 110 deny 41.0.0.0/8 le 32
ip prefix-list bogon-external seq 120 deny 42.0.0.0/8 le 32
ip prefix-list bogon-external seq 130 deny 49.0.0.0/8 le 32
ip prefix-list bogon-external seq 140 deny 50.0.0.0/8 le 32
ip prefix-list bogon-external seq 150 deny 58.0.0.0/7 le 32
ip prefix-list bogon-external seq 160 deny 60.0.0.0/8 le 32
ip prefix-list bogon-external seq 170 deny 70.0.0.0/7 le 32
ip prefix-list bogon-external seq 180 deny 72.0.0.0/5 le 32
ip prefix-list bogon-external seq 190 deny 83.0.0.0/8 le 32
ip prefix-list bogon-external seq 200 deny 84.0.0.0/6 le 32
ip prefix-list bogon-external seq 210 deny 88.0.0.0/5 le 32
ip prefix-list bogon-external seq 220 deny 96.0.0.0/3 le 32
ip prefix-list bogon-external seq 230 deny 169.254.0.0/16 le 32
ip prefix-list bogon-external seq 240 deny 172.16.0.0/12 le 32
ip prefix-list bogon-external seq 250 deny 192.0.2.0/24 le 32
ip prefix-list bogon-external seq 260 deny 192.168.0.0/16 le 32
ip prefix-list bogon-external seq 270 deny 197.0.0.0/8 le 32
ip prefix-list bogon-external seq 280 deny 198.18.0.0/15 le 32
ip prefix-list bogon-external seq 290 deny 201.0.0.0/8 le 32
ip prefix-list bogon-external seq 300 deny 222.0.0.0/7 le 32
ip prefix-list bogon-external seq 310 deny 224.0.0.0/3 le 32
ip prefix-list bogon-external seq 500 deny 159.101.0.0/16 le 32
ip prefix-list bogon-external seq 510 deny 10.0.0.0/16 le 32
ip prefix-list bogon-external seq 520 deny 10.1.0.0/16 le 32
ip prefix-list bogon-external seq 900 permit 0.0.0.0/0 le 24
ip prefix-list bogon-internal seq 1 deny 0.0.0.0/0
ip prefix-list bogon-internal seq 10 deny 0.0.0.0/7 le 32
ip prefix-list bogon-internal seq 20 deny 2.0.0.0/8 le 32
ip prefix-list bogon-internal seq 30 deny 5.0.0.0/8 le 32
ip prefix-list bogon-internal seq 40 deny 7.0.0.0/8 le 32
ip prefix-list bogon-internal seq 50 deny 10.0.0.0/8 le 32
ip prefix-list bogon-internal seq 60 deny 23.0.0.0/8 le 32
ip prefix-list bogon-internal seq 70 deny 27.0.0.0/8 le 32
ip prefix-list bogon-internal seq 80 deny 31.0.0.0/8 le 32
ip prefix-list bogon-internal seq 90 deny 36.0.0.0/7 le 32
ip prefix-list bogon-internal seq 100 deny 39.0.0.0/8 le 32
ip prefix-list bogon-internal seq 110 deny 41.0.0.0/8 le 32
ip prefix-list bogon-internal seq 120 deny 42.0.0.0/8 le 32
ip prefix-list bogon-internal seq 130 deny 49.0.0.0/8 le 32
ip prefix-list bogon-internal seq 140 deny 50.0.0.0/8 le 32
ip prefix-list bogon-internal seq 150 deny 58.0.0.0/7 le 32
ip prefix-list bogon-internal seq 160 deny 60.0.0.0/8 le 32
ip prefix-list bogon-internal seq 170 deny 70.0.0.0/7 le 32
ip prefix-list bogon-internal seq 180 deny 72.0.0.0/5 le 32
ip prefix-list bogon-internal seq 190 deny 83.0.0.0/8 le 32
ip prefix-list bogon-internal seq 200 deny 84.0.0.0/6 le 32
ip prefix-list bogon-internal seq 210 deny 88.0.0.0/5 le 32
ip prefix-list bogon-internal seq 220 deny 96.0.0.0/3 le 32
ip prefix-list bogon-internal seq 230 deny 169.254.0.0/16 le 32
ip prefix-list bogon-internal seq 240 deny 172.16.0.0/12 le 32
ip prefix-list bogon-internal seq 250 deny 192.0.2.0/24 le 32
ip prefix-list bogon-internal seq 260 deny 192.168.0.0/16 le 32
ip prefix-list bogon-internal seq 270 deny 197.0.0.0/8 le 32
ip prefix-list bogon-internal seq 280 deny 198.18.0.0/15 le 32
ip prefix-list bogon-internal seq 290 deny 201.0.0.0/8 le 32
ip prefix-list bogon-internal seq 300 deny 222.0.0.0/7 le 32
ip prefix-list bogon-internal seq 310 deny 224.0.0.0/3 le 32
ip prefix-list bogon-internal seq 900 permit 0.0.0.0/0 le 24
! Not used
ip access-list standard network_isp_in
deny 10.2.3.0 0.0.0.255 log
deny 10.0.0.0 0.0.255.255
deny 10.1.0.0 0.0.255.255
permit any
! Not used
ip access-list standard network_isp_out
permit 10.2.3.0 0.0.0.255 log
permit 10.0.0.0 0.0.255.255
permit 10.1.0.0 0.0.255.255
permit 192.168.0.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
deny any
access-list 10 deny 0.0.0.0
access-list 10 permit any
access-list 11 permit 0.0.0.0
access-list 11 deny any
access-list 20 permit 10.2.3.200
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
route-map client-reliable-in permit 10
match as-path 100
set local-preference 150
route-map client-reliable-out deny 10
match ip address 11
route-map client-unreliable-in permit 10
match as-path 105
set local-preference 150
route-map client-unreliable-out deny 10
match as-path 50
}}}
This configuration is quite old (I no longer use Cisco for EBGP); in particular the bogon list contains IP ranges which have since been allocated to LIRs. Also, the RIPE Best Practice document no longer recommends route dampening.
The IP addresses are allocated following this [[Topology]].
This template is incomplete (written quite a few years ago; it may be IOS 12.1 syntax) but still useful.
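The bogon-external and bogon-internal lists above are only as good as their first-match semantics, and a stale list is easy to misjudge by eye. The following is an added example (not from the original page) that re-implements Cisco prefix-list matching in Python so a list can be tested offline against candidate prefixes before it is pushed to a router; the sample config is a constructed subset of the lists above.

```python
"""Offline evaluator for Cisco 'ip prefix-list' entries (added example, not
from the original page).  Semantics assumed: entries are tried in ascending
seq order, an entry matches when the candidate lies inside its network and
the candidate's length is within [ge, le], and a candidate that matches no
entry hits the implicit deny at the end of the list."""
import ipaddress
import re
from typing import List, Optional, Tuple

ENTRY_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)
Entry = Tuple[int, str, ipaddress.IPv4Network, int, int]  # seq, action, net, min_len, max_len


def parse_prefix_list(config: str, name: str) -> List[Entry]:
    """Collect the entries of one named prefix-list, sorted by sequence number."""
    entries: List[Entry] = []
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group("name") != name:
            continue                     # description lines and other lists are ignored
        net = ipaddress.ip_network(m.group("prefix"), strict=False)
        # No ge/le: the entry matches exactly its own length.  ge alone: up to /32.
        lo = int(m.group("ge")) if m.group("ge") else net.prefixlen
        hi = int(m.group("le")) if m.group("le") else (32 if m.group("ge") else net.prefixlen)
        entries.append((int(m.group("seq")), m.group("action"), net, lo, hi))
    return sorted(entries, key=lambda e: e[0])


def evaluate(entries: List[Entry], candidate: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching seq); seq is None when the implicit deny applies."""
    cand = ipaddress.ip_network(candidate, strict=False)
    for seq, action, net, lo, hi in entries:
        if cand.subnet_of(net) and lo <= cand.prefixlen <= hi:
            return action, seq
    return "deny", None


# Constructed subset of the bogon-external list above, plus an unrelated list.
SAMPLE_CONFIG = """\
ip prefix-list bogon-external seq 1 deny 0.0.0.0/0
ip prefix-list bogon-external seq 50 deny 10.0.0.0/8 le 32
ip prefix-list bogon-external seq 250 deny 192.0.2.0/24 le 32
ip prefix-list bogon-external seq 300 deny 222.0.0.0/7 le 32
ip prefix-list bogon-external seq 310 deny 224.0.0.0/3 le 32
ip prefix-list bogon-external seq 900 permit 0.0.0.0/0 le 24
ip prefix-list min24 description Apply to /24 and longer prefixes
ip prefix-list min24 seq 5 permit 0.0.0.0/0 ge 24
"""

if __name__ == "__main__":
    bogons = parse_prefix_list(SAMPLE_CONFIG, "bogon-external")
    for p in ("0.0.0.0/0", "10.2.3.0/24", "192.0.2.0/24", "203.0.113.0/24", "203.0.113.0/25"):
        print(p, evaluate(bogons, p))
```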
{{{
! Help telnet connection
service nagle
no service pad
! Deal with dead connections gracefully
service tcp-keepalives-in
service tcp-keepalives-out
! Logging information structure
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service slave-log
service password-encryption
! Remove all useless services
no service compress-config
no service udp-small-servers
no service tcp-small-servers
no service config
no service dhcp
no ip bootp server
no ip finger
no ip identd
! _Only_ use if you are really concerned about the router physical security
! no service password-recovery
! Router name
hostname my_router
! Log in memory and not to console
logging buffered 16384 errors
no logging console
! create user (for telnet and console login)
username the_login_name password 0 the_password
! set a password for the privileged mode
enable secret 0 the_enable_password
! Set time for UK
clock timezone GMT 0
clock summer-time BST recurring
! Allow use of all subnet
ip subnet-zero
! Do not allow packet to specify their own route
no ip source-route
! Enable Cisco Express Forwarding technology
ip cef
! Do not do any host lookup but configure it should we want it
no ip domain-lookup
ip domain-list isp.net.uk
ip domain-list .
ip domain-name isp.net.uk
ip name-server 10.0.0.1
ip name-server 10.1.0.1
! Always use loopback for management and logging
interface Loopback0
description "Management Interface"
ip address xxx.xxx.xxx.xxx 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
no ip unreachables
interface FastEthernet0/0
description "ISP Backbone"
no ip address
shutdown
! Please look at the Cisco website for each of these options
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
! Force speed and duplex
speed 100
full-duplex
! optimise routing for traffic entering and leaving the same interface
ip route-cache same-interface
! Should you want to use EIGRP as IGP
router eigrp 65200
! let the other router know what we know
redistribute connected
redistribute static
! but not any default route
distribute-list 10 out
! EIGRP perform automatic summarisation per default
no auto-summary
! Log neighbour flapping
eigrp log-neighbor-changes
! Allow any netmask size
ip classless
! Should we not know a route, send it to the EIGRP router which has a route for 10.0.1.0
ip default-network 10.0.1.0
! Do not allow http management
no ip http server
! Log all the information to a remote syslog server
logging trap debugging
logging facility local6
logging source-interface Loopback0
logging 10.2.3.201
! All but default route
access-list 10 deny 0.0.0.0
access-list 10 permit any
! Only the snmp server IP
access-list 20 permit 10.2.3.200
! Match ICMP traffic
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
! Allow snmp monitoring from the snmp server only
snmp-server community snmp_community_password RO 20
snmp-server host 10.2.3.200 snmp_community_password
! Welcome banner when telneting to the router
banner login ^C
*******************************************************************************
NOTICE TO USERS
This equipment is for authorized use only. Users (authorized or unauthorized)
have no explicit or implicit expectation of privacy.
Any or all uses of this system and all files on this system may be intercepted,
monitored, recorded, copied, audited, inspected, and disclosed to authorized
site and law enforcement personnel.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the discretion of
authorized site.
Unauthorized or improper use of this system may result in administrative
disciplinary action and civil and criminal penalties. By continuing to use
this system you indicate your awareness of and consent to these terms and
conditions of use.
LOG OFF NOW if you do not agree to the conditions stated in this warning.
ISP - noc@isp.net.uk - Phone number : 00 44 ..........
*******************************************************************************
^C
! Protect our router by asking for username and password, then the enable password
line con 0
login local
line aux 0
login local
transport input all
transport output none
line vty 0 4
! A one hour timeout is not very secure but much more practical ..
exec-timeout 60 0
login local
! Keep a higher command history
history size 256
! Keep the router time correct
ntp server 10.2.3.202
}}}
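Hardening templates like the one above drift: a line gets dropped from one interface, an `exec-timeout` gets relaxed. The following is an added example (not from the original page) that audits an IOS configuration against the global and per-interface hardening lines used in this template. It assumes the indented `show running-config` layout (sub-commands indented one space under `interface`, `line` and `router`), which the flattened listing above no longer shows; the set of checks, the timeout threshold and the sample config are this example's own.

```python
"""Audit an IOS configuration against the hardening lines used in the
template above (added example, not from the original page).  Assumes the
indented 'show running-config' layout; the checks and the timeout threshold
are this example's own choices."""
import re
from typing import Dict, List, Tuple

REQUIRED_GLOBAL = [
    "no ip source-route", "no service tcp-small-servers", "no service udp-small-servers",
    "no ip http server", "service password-encryption", "no ip finger", "no ip bootp server",
]
REQUIRED_PER_INTERFACE = [
    "no ip redirects", "no ip unreachables", "no ip proxy-arp", "no ip directed-broadcast",
]
MAX_EXEC_TIMEOUT_MIN = 15  # assumed policy; the template's 60 minutes is flagged


def parse_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into top-level commands and {section header: [sub-commands]}."""
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                                   # blank lines and comments
        if raw.startswith(" "):                        # indented: part of the open section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ", "router ")):
            current = line
            sections[current] = []
        else:
            current = None                             # any other top-level command closes it
            top.append(line)
    return top, sections


def audit(config: str) -> List[str]:
    """Return findings; an empty list means every check passed."""
    top, sections = parse_sections(config)
    findings = [f"global: missing '{cmd}'" for cmd in REQUIRED_GLOBAL if cmd not in top]
    for header, body in sections.items():
        if header.startswith("interface "):
            if "shutdown" in body:
                continue                               # an admin-down port carries no traffic
            findings += [f"{header}: missing '{cmd}'"
                         for cmd in REQUIRED_PER_INTERFACE if cmd not in body]
        elif header.startswith("line "):
            if not any(b.startswith("login") for b in body):
                findings.append(f"{header}: no login configured")
            for b in body:
                m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", b)
                if m and int(m.group(1)) == 0 and int(m.group(2) or 0) == 0:
                    findings.append(f"{header}: exec-timeout 0 0 disables the idle timeout")
                elif m and int(m.group(1)) > MAX_EXEC_TIMEOUT_MIN:
                    findings.append(f"{header}: exec-timeout {m.group(1)} min exceeds {MAX_EXEC_TIMEOUT_MIN}")
            if "transport input all" in body:
                findings.append(f"{header}: 'transport input all' accepts every access protocol")
    return findings


# Constructed config modelled on the template above (documentation addresses,
# 'no ip http server' left out and Fa0/0 missing 'no ip redirects' on purpose).
SAMPLE_CONFIG = """\
service password-encryption
no service udp-small-servers
no service tcp-small-servers
no ip bootp server
no ip finger
hostname my_router
no ip source-route
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
interface FastEthernet0/0
 ip address 192.0.2.254 255.255.255.0
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
line con 0
 login local
line aux 0
 login local
 transport input all
 transport output none
line vty 0 4
 exec-timeout 60 0
 login local
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```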
This patch was ''not'' created for load-balancing web requests.
If you want to achieve that kind of thing, look at [[LVS|http://www.linuxvirtualserver.org/]], [[Ultra Monkey|http://www.ultramonkey.org/]], [[wackamole|http://www.backhand.org/wackamole/]] and [[spread|http://www.spread.org/]], which is surely what you want. An explanation of the why and how can be found on [[Jonathan de Boyne Pollard's site|http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-round-robin-is-useless.html]].
This patch was created to help balance traffic between a cluster of MX frontends and a farm of virus scanners. A failed connection to a scanner in the round-robin group causes the next email delivery attempt to go to another machine, which allows scanners to be removed from the farm with minimal impact on mail transit time.
The patch for the djbdns caching application (not the authoritative nameserver - tinydns) can be downloaded [[here|/data/source/djbdns-round-robin.patch.bz2]].
!Todo
I wrote this ages ago; this document does not present the problems associated with:
* reverse zone
* secondary problems
* zone transfer from ISP to ISP.
!Prelude
DNS is the service on which the Internet is based; however, quite strangely, it is often overlooked.
In order to provide the best possible reliability, a lot of energy is put into the hosting: all major e-commerce sites are load-balanced with redundant database back-ends, etc.
Without a resilient and reliable DNS service, no one can hope to run any Internet service smoothly. However, lots of highly redundant web servers are built on weak DNS foundations.
DNS is often misunderstood and is assumed to be resistant to failure "by design". Those who think so will probably suffer a DNS outage sooner or later, when it could easily have been avoided by taking a little care.
DNS resilience should be the second concern after routing resilience. In my experience, lots of ISPs and big accounts do not have reliable DNS.
!!Getting more information
This document is not intended to explain DNS basics but to provide good practical advice. If you want to learn more about DNS and understand which DNS software is good for you, please consult the very good DJBDNS FAQ located at http://cr.yp.to/djbdns/faq.html
You will probably find these pages very interesting as well:
* http://www.djbdns.org/
* http://www.lifewithdjbdns.org/
* http://homepages.tesco.net/~J.deBoynePollard/FGA/
* http://www.fefe.de/djbdns
* http://www.bgpdns.org/
* http://www.ripe.net/ripencc/pub-services/db/whois/whois.html
* http://nms.lcs.mit.edu/projects/dns/
* http://www.cymru.com/Documents/secure-bind-template.html
Please do not contact me to fix your DNS. Even though I am literate with both DJBDNS and BIND, I do not wish to spend my time supporting them. Please refer to your ISP support department, read the ~FAQs, read the newsgroups; most BIND questions have already been answered numerous times.
However, please feel free to report any fault or inexactitude in this document.
!Good DNS record
Having a reliable and resilient DNS server is only the first step to secure DNS information. Hosting valid and well-formed DNS information is crucial as well.
Lots of good books such as "DNS and BIND" will provide you with all the information you need to configure BIND. However, a well-formed BIND file is only the start of good DNS management.
!!DNS examples used
The following domains will be used as examples within this document:
/var/named/domain.net on ns0.domain.net
domain.net, the firm's main domain name, i.e. bbc.co.uk, cnn.com, isp.net
{{{
$ORIGIN domain.net.
domain.net. 86400 IN SOA
ns0.domain.net. hostmaster.domain.net. (
2002020819 28800 7200 604800 86400 )
NS ns0.domain.net.
NS ns1.domain.net.
NS ns2.domain.net.
MX 10 mx
MX 20 secondary
mx A 10.0.0.25
A 10.0.0.26
A 10.0.0.27
A 10.0.0.28
secondary A 169.254.0.25
A 169.254.0.26
A 169.254.0.27
A 169.254.0.28
ns0 A 10.0.0.1
ns1 A 10.0.0.2
ns2 A 10.0.0.3
ns-secondary0 A 10.0.0.4
ns-cache0 A 10.0.0.5
ns-cache1 A 10.0.0.6
ns-staff0 A 192.168.0.254
smtp A 10.0.0.25
pop CNAME pop3
pop3 A 10.0.0.110
imap CNAME imap4
imap4 A 10.0.0.143
webmail A 10.0.0.443
www A 10.0.0.80
staff NS ns-staff0
NS ns-secondary0
}}}
/var/named/staff.domain.net on ns-staff0.domain.net
staff.domain.net, a delegated domain used by the employees for their own sites.
{{{
$ORIGIN staff.domain.net.
staff.domain.net. 86400 IN SOA
ns-staff0.domain.net. hostmaster.domain.net. (
2002021312 28800 7200 604800 86400 )
NS ns-staff0.domain.net.
A 192.168.0.80
MX 10 mx.domain.net.
MX 20 secondary.domain.net.
firewall A 192.168.0.254
smtp A 192.168.0.25
www CNAME firewall
* CNAME www
; a '*' is only a wildcard as the leftmost label; the entry above also matches www.<name>
}}}
/var/named/customer.com on ns0.domain.net
customer.com, a domain managed by domain.net and owned by one of its customers.
{{{
$ORIGIN customer.com.
customer.com. 86400 IN SOA
ns0.domain.net. hostmaster.domain.net. (
2002020819 28800 7200 604800 86400 )
NS ns0.domain.net.
NS ns1.domain.net.
NS ns2.domain.net.
MX 10 mx.domain.net.
MX 20 secondary.domain.net.
smtp CNAME smtp.domain.net.
pop CNAME pop.domain.net.
imap CNAME imap.domain.net.
www CNAME www.domain.net.
}}}
/var/named/0.168.192.in-addr.arpa on ns0.domain.net
0.168.192.in-addr.arpa is the zone which allows IP-to-name (reverse) DNS lookups.
{{{
$ORIGIN 0.168.192.in-addr.arpa.
0.168.192.in-addr.arpa. 86400 IN SOA
ns0.domain.net. hostmaster.domain.net. (
2002021415 28800 7200 604800 86400 )
NS ns0.domain.net.
NS ns1.domain.net.
NS ns2.domain.net.
0 A 255.255.255.0
PTR domain.net.
1 PTR server-at-ip-1.domain.net.
PTR another-server-at-ip-1.domain.net.
25 PTR smtp.staff.domain.net.
254 PTR firewall.staff.domain.net.
}}}
!DNS records context
domain.net is an ISP or firm domain. The DNS servers ns0, ns1 and ns2 for domain.net. are known to the DNS root servers (i.e. they have glue records).
This domain contains all the services that the users of the domain need to access, such as:
* pop
* smtp
* www
The domain staff.domain.net. is a delegation controlled by the employees; it is used for the staff web server. customer.com is a customer's domain.
staff.domain.net only has one DNS server, as it is not an important service. In this example, the DNS is provided by the same server which provides mail and web. This is the only case where you should (and even then reluctantly) allow a zone to have a single DNS server as SOA.
!DNS code of conduct
As a general rule, all services which are going to be used by an end-user (meaning everyone outside the firm's IT department) should always be on different IP addresses, even if all the services are provided by a single computer.
This is important to make sure that you can migrate any service from the server at any time without disturbing end-users. Using an FQDN is not sufficient, as you cannot be sure that end-users have not misconfigured their computers.
As a golden rule, it is important not to use a single "mail" record for the SMTP, POP and IMAP services, as this limits your scalability options. There is no such thing as a mail service.
Also, keep the SMTP and MX records separate. It allows you to use simple round-robin for the MX service. Ultimately you may have to put all customer-accessible services, such as SMTP, POP, IMAP and HTTP, behind load balancers to provide the highest availability possible.
In the case of SMTP, you can probably use the same server as for MX. However, the secondary MX server will most probably be situated outside your network to avoid mail bouncing in case of a network outage.
Whenever possible try to use reserved class C addresses to preserve the pool of real-world addresses. Reserved class C addresses are IP addresses you cannot find on the Internet, reserved for office and private network use. The most frequently used ranges are:
* 10.0.0.0/8
* 192.168.0.0/16
* 172.16.0.0/16
* 169.254.0.0/16 (for transfer networks)
Within the domain.net network, customers will use the IPs of ns-cache0 and ns-cache1 as their resolving DNS servers. ns0 and ns1.domain.net should only be queried by other DNS servers for authoritative answers.
The staff.domain.net domain makes use of wildcards (*) to catch all DNS names not already present in the list.
As a consequence, employees will be able to use surname-name.staff.domain.net and www.surname-name.staff.domain.net as names for their web sites. No DNS change will be necessary when new staff start or leave the firm.
Be reminded that an MX record must not point at a CNAME.
Likewise, if a customer is using your own mail servers, you should never redefine the MX service; just use your own mx records in their zone file.
Finally, do not redefine customer services pointing to your servers by IP, but always alias them with CNAME records.
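The rules above (two or more NS records, no MX pointing at a CNAME, CNAME aliases that must be fully qualified when they cross zones) are exactly the ones that slip past a visual check of a zone file. The following is an added example, not part of the original document: a small zone-file parser with a checker for those rules, plus the duplicate-record and misplaced-wildcard mistakes shown in the example zones. It assumes the standard master-file layout (`$ORIGIN` sets the origin, a record line starting with whitespace inherits the previous owner, parenthesised SOA data may span lines); the sample zone is constructed to reproduce each mistake.

```python
"""Zone sanity checks for the DNS code of conduct above (added example, not
from the original document).  Assumes standard master-file layout: $ORIGIN
sets the origin, a record line starting with whitespace inherits the previous
owner, and parenthesised SOA data may span lines."""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, str, str]  # (owner, type, rdata, raw target or "")


def qualify(name: str, origin: str) -> str:
    """Make a possibly relative name absolute under origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: str = ".") -> List[Record]:
    """Parse records; directives other than $ORIGIN are ignored."""
    records: List[Record] = []
    owner, buf, depth = origin, "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # drop comments
        if not line.strip():
            continue
        buf += ("\n" if buf else "") + line             # join "( ... )" continuations
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue
        logical, buf = buf.replace("(", " ").replace(")", " "), ""
        tokens = logical.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):                   # $TTL etc. are not needed here
            continue
        if not logical[0].isspace():                    # new owner name on this line
            owner = qualify(tokens.pop(0), origin)
        if tokens[0].isdigit():
            tokens.pop(0)                               # optional TTL
        if tokens[0].upper() == "IN":
            tokens.pop(0)                               # optional class
        rtype, rdata = tokens[0].upper(), tokens[1:]
        target = ""
        if rtype in ("CNAME", "NS"):
            target, rdata = rdata[0], [qualify(rdata[0], origin)]
        elif rtype == "MX":
            target, rdata = rdata[1], [rdata[0], qualify(rdata[1], origin)]
        records.append((owner, rtype, " ".join(rdata), target))
    return records


def check_zone(records: List[Record], origin: str) -> List[str]:
    """Return findings for the rules named above; an empty list means clean."""
    findings: List[str] = []
    types_at: Dict[str, Set[str]] = defaultdict(set)
    for owner, rtype, _, _ in records:
        types_at[owner].add(rtype)
    cnames = {o for o, t in types_at.items() if "CNAME" in t}
    apex_ns = sum(1 for o, t, _, _ in records if o == origin and t == "NS")
    if apex_ns < 2:                                     # one NS is only tolerable for throw-away zones
        findings.append(f"{origin}: only {apex_ns} NS record(s) at the apex")
    for owner, rtype, rdata, raw in records:
        target = rdata.split()[-1] if raw else ""
        if rtype in ("MX", "NS") and target in cnames:   # MX/NS must not point at a CNAME
            findings.append(f"{owner}: {rtype} points at CNAME {target}")
        if raw and "." in raw and not raw.endswith(".") and target not in types_at:
            findings.append(f"{owner}: {rtype} target '{raw}' became {target} (missing trailing dot?)")
        if "*" in owner.rstrip(".").split(".")[1:]:      # '*' is a wildcard only as leftmost label
            findings.append(f"{owner}: '*' is only a wildcard as the leftmost label")
    for owner in sorted(cnames):                         # a CNAME must be alone at its owner
        if types_at[owner] != {"CNAME"}:
            findings.append(f"{owner}: CNAME coexists with {sorted(types_at[owner] - {'CNAME'})}")
    for (owner, rtype, rdata), n in Counter(r[:3] for r in records).items():
        if n > 1:                                        # identical record listed twice
            findings.append(f"{owner}: duplicate {rtype} {rdata}")
    return findings


# Constructed zone that reproduces the mistakes discussed above.
SAMPLE_ZONE = """\
$ORIGIN customer.com.
@       86400 IN SOA ns0.domain.net. hostmaster.domain.net. (
                2002020819 28800 7200 604800 86400 )
        NS    ns0.domain.net.
        MX    10 mx.domain.net.
        MX    20 relay
relay   CNAME secondary.domain.net.
ftp     A     10.0.0.21
ftp     A     10.0.0.21
smtp    CNAME smtp.domain.net.
pop     CNAME pop.domain.net
www     CNAME www.domain.net.
www.*   CNAME www
"""

if __name__ == "__main__":
    for finding in check_zone(parse_zone(SAMPLE_ZONE), "customer.com."):
        print(finding)
```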
As DNS is a caching system, changes that need to propagate quickly must be prepared in advance. To do so you can change the TTL (Time To Live) of a record, which represents how long a DNS cache will keep the information. The TTL is expressed in seconds and is placed just after the name.
Please bear in mind that the first change to the DNS zone file will take up to the previous TTL to be known across the whole Internet. Restarting your own caching DNS server can speed up local updates.
For example, say you are planning to move your web server to another room and IP address.
Initial record
{{{
www A 10.0.0.80
}}}
Make sure you have a low TTL on your www record, then wait for the information to propagate.
TTL changed to 5 minutes
{{{
; www A 10.0.0.80
www 300 A 10.0.0.80
}}}
You can then move the web server to the new IP: if there are problems, you can revert to the previous address in less than 5 minutes.
New information
{{{
; www A 10.0.0.80
www A 10.0.0.60
}}}
Do not forget to restore the default TTL once everything is fine.
!!Built-in failover limitation
Unlike the web, DNS was designed with service failure in mind. As it is a crucial service, it is possible to have more than one DNS server answering authoritatively for a domain. However, a common mistake is to think that having two DNS servers means you are safe. You should make sure that your DNS servers are on different networks.
In order to achieve the best possible reliability, ISPs often have peering agreements to host each other's DNS servers.
For example, serious ISPs often have one of their authoritative DNS servers located on another backbone. It gives them protection against BGP problems and telco faults.
This is very important for mail servers which perform reverse DNS lookups; without this precaution any serious outage would cause mail bouncing.
As well, additional protection against planned malicious Denial of Service attacks can be deployed to ensure the highest DNS uptime possible.
!!Number of DNS servers
For example, a small/medium ISP will have:
* Two authoritative DNS servers in its network
* One authoritative DNS server located remotely
* One secondary DNS server for its customers wanting control of their zone
* Four caching DNS servers for customers
DNS servers should be presented to the customer ordered by proximity, depending on their location (for obvious performance reasons: DNS is mostly UDP).
Fortunately, DNS servers can be allocated dynamically per customer at connection time for most DSL, ISDN or modem-like connections, making them easy to change and scale.
!!Local DNS
Every service that relies heavily on DNS, such as an SMTP server, should use its own DNS server and have a local resolv.conf like:
/etc/resolv.conf
{{{
search mydomain.com
domain mydomain.com
nameserver 127.0.0.1
nameserver 10.0.0.1
nameserver 10.0.1.1
}}}
Where 10.0.0.1 and 10.0.1.1 are trusted DNS servers for the server to use should the local DNS server fail.
!!Delegation
Delegation can typically be used when you feel the need to register a new domain name such as domain-forum.com, domain-resellers.com, domain-users.com, domain-staff.com, etc.
It also allows content filtering applications (such as ~N2H2, ~WebSense or ~SurfControl) to block a sub-site without affecting the main site, i.e. webnews.firm.com is better than www.site.com/webnews (some newsgroups can provide adult material which may be unsuitable for young surfers).
Delegation allows you to create new domains, independent of your master domain name. These domains are real domains and as such can have different DNS servers as well as different mail or web servers.
The previous example names can be changed as follows:
|!Delegated name|!Instead of|
|forum.domain.com|domain-forum.com|
|resellers.domain.com|domain-resellers.com|
|users.domain.com|domain-users.com|
|staff.domain.com|domain-staff.com|
One obvious advantage is that you do not have to pay for a new domain name.
In addition, it is nearly impossible for a firm to market and advertise more than one domain name and network identity. By using delegation, end users feel secure as they recognise a known domain name.
Delegation can also be used to manage your DNS records. For example, if you provide DSL or a similar kind of connectivity, you may have in your DNS something like:
* dsl-10-0-0-1.domain.com
* dsl-10-0-0-2.domain.com
* ...
* dsl-10-0-0-253.domain.com
This makes the DNS zone file fill up quickly, which is bad for both management and performance. This can be avoided by creating a dsl.domain.com zone:
* 10-0-0-1.dsl.domain.com
* 10-0-0-2.dsl.domain.com
* ...
* 10-0-0-253.dsl.domain.com
This is only practical if you have DNS management tools with an easy front-end. Remember to add these delegations to your /etc/resolv.conf search list so you do not have to type the FQDN (Fully Qualified Domain Name).
Zone delegation works quite well with split horizon: you can have a delegated domain for each office, like london.domain.com and paris.domain.com, and these domains are invisible outside the offices' firewalls.
Used in conjunction with the web, it is very handy for managing localisation: www.uk.domain.com can be situated within the UK firm's ISP while www.fr.domain.com is hosted in France.
!!Whois and zone transfer
Whois is a tool to find information about a domain. It returns the authoritative DNS servers as well as some information regarding the registrar.
For example, the output of "whois bind.com" is:
{{{
Whois Server Version 1.3
Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: BIND.COM
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: NS1.DNS.WEBACT.COM
Name Server: NS2.DNS.WEBACT.COM
Name Server: NS3.DNS.WEBACT.COM
Name Server: NS4.DNS.WEBACT.COM
Updated Date: 07-jan-2002
>>> Last update of whois database: Tue, 5 Mar 2002 05:19:23 EST <<<
The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.
Found InterNIC referral to whois.networksolutions.com.
The Data in the VeriSign Registrar WHOIS database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information about
or related to a domain name registration record. VeriSign does not guarantee
its accuracy. Additionally, the data may not reflect updates to billing contact
information. By submitting a WHOIS query, you agree to use this Data only
for lawful purposes and that under no circumstances will you use this Data to:
(1) allow, enable, or otherwise support the transmission of mass unsolicited,
commercial advertising or solicitations via e-mail, telephone, or facsimile; or
(2) enable high volume, automated, electronic processes that apply to VeriSign
(or its computer systems). The compilation, repackaging, dissemination or
other use of this Data is expressly prohibited without the prior written
consent of VeriSign. VeriSign reserves the right to terminate your access to
the VeriSign Registrar WHOIS database in its sole discretion, including
without limitation, for excessive querying of the WHOIS database or for failure
to otherwise abide by this policy. VeriSign reserves the right to modify these
terms at any time. By submitting this query, you agree to abide by this policy.
Registrant:
Quest Technologies, Inc (BIND2-DOM)
2107 O St. NW
Washington, DC 20037
US
Domain Name: BIND.COM
Administrative Contact:
WebAct Administration (HFJTVUVSUO) abuse@WEBACT.COM
WebAct
2107 O St. NW
Washington, DC 20037
US
202-872-0883
Fax- 208-460-8163
Technical Contact:
WebAct Network Operations Center (DWOHKUSAGO) noc@WEBACT.COM
WebAct
2107 O St. NW
Washington, DC 20037
US
202-872-0883
Fax- 208-460-8163
Billing Contact:
WebAct Accounts Payable (XYYGBUVAFO) billing@WEBACT.COM
WebAct
2107 O St. NW
Washington, DC 20037
US
202-872-0883
Fax- 208-460-8163
Record last updated on 07-Jan-2002.
Record expires on 24-Aug-2002.
Record created on 23-Aug-1996.
Database last updated on 5-Mar-2002 03:30:00 EST.
Domain servers in listed order:
NS1.DNS.WEBACT.COM 207.76.173.19
NS2.DNS.WEBACT.COM 207.76.173.20
NS3.DNS.WEBACT.COM 207.76.173.128
NS4.DNS.WEBACT.COM 207.76.173.129
}}}
Zone transfer is a way to get a carbon copy of a zone file from a DNS server. Some ISPs block this feature to prevent mass scanning for security weaknesses (security through obscurity).
!Software
Misconfigured DNS servers can cause problems that are very hard to debug. These problems can remain undetected for months.
If you are serious about DNS, you have four options:
* To not use BIND 4.x
* To not use BIND 8.x
* To not use BIND 9.x
* To use software to manage your BIND files
It should be obvious to the reader that I do like D. J. Bernstein's DJBDNS.
But if, after spending some time reading the DJBDNS site, you still want to use BIND, you should use management software for it. BIND configuration files are confusing and mistake-prone; a badly placed character in a configuration file can cause BIND to refuse to reload or start.
I am very pleased with a web application called [[NameSurfer|http://www.nixusoftware.com/]]; I advise you to take a look at it (it is, however, far from free).
!Conclusion
When you manage your DNS:
* have at least one authoritative DNS server outside your network
* have a clear zone file template for your customers
* split services across different IPs to force customers to use the right FQDN
* differentiate MX, secondary MX and SMTP to be able to scale your mail
* use subdelegation
* use some tools to keep your reverse DNS correct
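As an added example for the last point (this is not code from the original page), here is a small Python check that compares forward A/AAAA records with PTR records and reports reverse entries that are missing, stale after a rename, or orphaned after a host was decommissioned. The two record sets are constructed in-memory samples; in practice they would be filled from your zone files or from an AXFR against your own secondaries.

```python
"""Compare forward (A/AAAA) records with reverse (PTR) records.

Added example, not code from the original page. The two dictionaries are
constructed samples; in practice they would be filled from your zone files
or from an AXFR against your own secondaries.
"""
import ipaddress


def reverse_name(ip):
    """Owner name of the PTR record for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def _sort_key(ip):
    # IPv4 and IPv6 addresses cannot be compared directly; group by family first.
    addr = ipaddress.ip_address(ip)
    return (addr.version, addr)


def check_reverse(forward, reverse):
    """forward: {fqdn: [ip, ...]}, reverse: {ip: fqdn}, names absolute (trailing dot).

    Returns [(ip, problem), ...]:
      missing  - the address has a forward record but no PTR
      mismatch - the PTR names a host whose forward record does not use this address
      orphan   - a PTR exists for an address no forward record uses any more
    """
    ip_to_names = {}
    for name, ips in forward.items():
        for ip in ips:
            ip_to_names.setdefault(ip, set()).add(name)

    problems = []
    for ip in sorted(ip_to_names, key=_sort_key):
        names = ip_to_names[ip]
        ptr = reverse.get(ip)
        if ptr is None:
            problems.append((ip, "missing: no PTR at %s" % reverse_name(ip)))
        elif ptr not in names:
            problems.append((ip, "mismatch: PTR says %s, A says %s"
                             % (ptr, ", ".join(sorted(names)))))
    for ip in sorted(set(reverse) - set(ip_to_names), key=_sort_key):
        problems.append((ip, "orphan: PTR %s has no matching A record" % reverse[ip]))
    return problems


# Constructed sample data: one rename that left a stale PTR, one decommissioned host.
FORWARD = {
    "smtp.example.net.": ["192.0.2.25"],
    "mx2.example.net.": ["192.0.2.26"],
    "www.example.net.": ["192.0.2.80", "2001:db8::80"],
}
REVERSE = {
    "192.0.2.25": "smtp.example.net.",
    "192.0.2.26": "old-mx.example.net.",
    "192.0.2.80": "www.example.net.",
    "2001:db8::80": "www.example.net.",
    "192.0.2.99": "decommissioned.example.net.",
}

if __name__ == "__main__":
    for ip, problem in check_reverse(FORWARD, REVERSE):
        print(reverse_name(ip), problem)
```

The check is deliberately one-directional per address: a PTR is only "correct" when the name it returns has a forward record pointing back at the same address, which is what mail servers and abuse desks verify.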
!Glossary
Reserved class C IP
A reserved class C IP is an IP address you cannot find on the Internet; it is reserved for office and private network use. The available ranges are listed at http://again.net/cidr; you can also consult RFC 1918.
Authoritative DNS
An authoritative DNS (an abuse of language for a DNS server holding the authoritative records) is a DNS server which contains the source information for a domain, is registered as such on the Internet, and answers as such when asked.
Glue Record
A glue record is an IP address kept by a DNS server in order to be able to locate another DNS server. It is needed when a DNS server is authoritative for its own domain name.
I.e.: if ns0.domain.net is authoritative for domain.net, the DNS servers in charge of the .net zone need to record the IP of ns0.domain.net in order for other DNS servers to contact it.
SOA: DNS record which indicates which server is the authoritative source for a zone.
NS: DNS record which indicates which server holds the DNS information for a given zone.
A: DNS record which gives the IP address for a given name.
PTR: DNS record which gives the name of a server given its IP. This is not managed automagically by the DNS from the A and CNAME records; as a consequence the information can be missing or wrong.
Split horizon: split-horizon DNS is used in conjunction with NAT and firewalls. It means that the DNS server answers internal queries for local hosts and can resolve the IPs of external hosts as well.
FQDN: Fully Qualified Domain Name, the name used to name a computer in the DNS, including the full domain name. I.e.: smtp.cnn.com is a FQDN; www or cnn.com are not.
DNS root: www.domain.net is in fact an abbreviation for www.domain.net. (with a trailing dot), and that last dot represents the root DNS servers of the Internet (the Internet DNS servers form a tree structure).
This page is based on diffs of our configurations before and after some work on our network (mostly by Richard). This is not a step-by-step how-to, but enough information to give you an overview of the work performed to enable IPv6 (and an idea of the complexity).
Add some IPv6 loopback addresses to your machine (for BGP, etc.)
{{{
[edit interfaces lo0 unit 0]
family inet6 {
address 2a02:b80::4:0:1/128;
address 2a02:b80::4:0:B3/128;
}
}}}
Make sure your tunnel interfaces are not using ethernet encapsulation (it does not support IPv6) and use frame-relay instead.
We use logical-routers, and this is needed to connect them over IPv6.
{{{
[edit interfaces lt-1/2/0 unit 0]
- encapsulation ethernet;
+ encapsulation frame-relay;
+ dlci 201;
}}}
Add the transfer networks you need on your interfaces (we use /80s carved out of one /64 allocated for transfer networks only).
{{{
[edit interfaces ge-0/3/0 unit 1]
family inet6 {
address 2a02:b80:0:2:F:0:6:1/80;
}
}}}
Where in IPv4 we used a /24 to connect servers, we now use an IPv6 /64.
{{{
[edit interfaces ge-0/3/0 unit 2]
family inet6 {
address 2a02:b80:0:90::1/64;
}
}}}
Allow autoconfiguration of your hosts (the MAC address is used for the host part of the address), if you want it.
{{{
[edit protocols]
router-advertisement {
interface ge-0/3/0.2 {
prefix 2a02:b80:0:90::/64;
}
}
}}}
Update our rib-groups to include an IPv6 RIB alongside the existing IPv4 ones.
{{{
[edit routing-options]
rib-groups {
if6-rib {
import-rib inet6.0;
}
isis6-rib {
export-rib inet6.0;
import-rib inet6.0;
}
}
}}}
routing table groups for interface routes
{{{
[edit routing-options]
interface-routes {
rib-group {
inet6 if6-rib;
}
}
}}}
enable ipv6 routing for your IGP
{{{
[edit protocol isis]
- no-ipv6-routing;
}}}
{{{
[edit protocol isis]
rib-group {
inet isis-rib;
inet6 isis6-rib;
}
}}}
We filter the static routes redistributed into ISIS; update the policy-statement to be IPv6-aware.
{{{
[edit protocol isis]
export static-to-isis;
}}}
{{{
[edit policy-options]
policy-statement static-to-isis {
term from-v4 {
from {
protocol static;
family inet;
prefix-list static-to-isis;
}
to protocol isis;
then accept;
}
term from-v6 {
from {
protocol static;
family inet6;
prefix-list static6-to-isis;
}
to protocol isis;
then accept;
}
}
}}}
{{{
prefix-list static6-to-isis {
2a02:b80:0:6:7b::1/128;
}
}}}
the matching static route would be something like
{{{
[edit routing-options rib inet6.0]
rib inet6.0 {
static {
route 2a02:b80:0:6:7b::1/128 {
next-hop 2a02:b80:0:100:0:0:0:1;
resolve;
}
}
}
}}}
We use communities to define our BGP export policies; add our network to the community that eBGP needs so that our peers/transits learn about our RIPE allocation.
{{{
[edit protocol bgp]
group ibgp-v6 {
type internal;
local-address 2a02:b80::4:0:b3;
import blackhole;
family inet6 {
any;
}
authentication-key ""; ## SECRET-DATA
export [ v6-only originate-community originate-customer export-ibgp next-hop-self ];
peer-as 30740;
neighbor 2a02:b80::7:0:b3;
neighbor 2a02:b80::5:0:b3;
}
}}}
{{{
[edit policy-options]
policy-statement v6-only {
from family inet;
then reject;
}
}}}
{{{
[edit policy-options]
policy-statement originate-community {
from community originate;
then {
next-hop self;
accept;
}
}
}}}
{{{
community originate members 30740:30740;
}}}
{{{
[edit routing-options rib inet6.0]
aggregate {
route 2a02:b80::/32 {
community 30740:30740;
as-path {
origin igp;
}
}
}
}}}
source a default route (if you want/need it)
{{{
[edit routing-options rib inet6.0]
generate {
route ::/0 discard;
}
}}}
if all works you want to peer :)
{{{
[edit protocol bgp]
group linx-v6 {
type external;
description "LINX IPv6 Peers";
local-preference 175;
local-address 2001:7f8:4::7814:1;
log-updown;
import [ v6-only no-ix no-bogons-v6 no-small-prefixes-v6 no-leak tag-peering tag-linx damping local-preference-linx local-preference-peer no-community-import ];
family inet6 {
unicast;
}
export [ v6-only originate-community originate-customer no-transit no-small-prefixes-v6 export-peering export-linx no-community-export next-hop-self ];
remove-private;
neighbor 2001:7f8:4:0::1b1b:1 {
apply-macro inet6 {
prefix-limit 10000;
}
description "AS-HURRICANE | Hurricane Electric | noc@he.net | ";
peer-as 6939;
}
}
}}}
{{{
[edit policy-options]
policy-statement no-bogons-v6 {
term default-route {
from {
family inet6;
route-filter ::/0 exact;
}
then reject;
}
term general-badness {
from {
family inet6;
/* Old 6bone */
route-filter 3ffe::/16 orlonger;
/* Loopback, unspecified, v4-mapped */
route-filter ::/8 orlonger;
/* Documentation Prefix */
route-filter 2001:db8::/32 orlonger;
/* Teredo - No more or less specifics */
route-filter 2001::/32 exact next policy;
route-filter 2001::/31 longer;
/* 6to4 - allow exact /16 */
route-filter 2002::/16 exact next policy;
route-filter 2002::/16 longer;
/* multicast ranges, RFC3513 */
route-filter fe00::/9 orlonger;
route-filter ff00::/8 orlonger;
}
then reject;
}
}
}}}
{{{
policy-statement no-small-prefixes-v6 {
from {
family inet6;
route-filter ::/0 prefix-length-range /49-/128 reject;
}
then reject;
}
}}}
eh ! we missed v6 in that one :D
{{{
policy-statement no-ix {
from {
/* Enlix */
route-filter 193.189.130.0/24 orlonger reject;
/* LINX */
route-filter 195.66.224.0/22 orlonger reject;
/* AMS-IX */
route-filter 195.69.144.0/23 orlonger reject;
}
then reject;
}
}}}
That is more or less it.. just need to update my RIPE tools now :(
[[TINYDNS|http://cr.yp.to/djbdns/tinydns.html]] is a good DNS server; however, [[tinydns-data|http://cr.yp.to/djbdns/tinydns-data.html]] lacks built-in syntax for generating NAPTR and SRV records.
Anders Brownworth wrote a nice web page, [[here|http://www.anders.com/projects/sysadmin/djbdnsRecordBuilder/]], which generates those records using the [[tinydns|http://cr.yp.to/djbdns/tinydns.html]] generic record syntax.
However, I needed to generate those records for the configuration of IENUM (technically, ENUM on a private DNS) from some of our Python code.
As a result I wrote the following "[[library|http://thomas.mangin.com/data/source/sipdns.py]]" to generate SIP NAPTR and SRV records for a domain.
Hopefully it will save someone the time of reverse engineering the output of Anders' page.
A bug was fixed on the 8th of October 2008.
Should you want to contact me feel free to email me here.
My public PGP key is here.
Should you want to link to this site please use http://thomas.mangin.com/ as hostname
This code went through a rewrite which result is available at [[http://network.exa.org.uk|http://network.exa.org.uk]]
Should you be looking at using a Juniper router for an EBGP connection, I hope the following Junos configuration will prove useful.
I have tried to keep it short by removing community-based firewalling (which you can read about [[here|http://thomas.mangin.com/#tag:link_rib_firewall]]), class-of-service, logical-routers, event-options, snmp, and god knows what else, to keep the resulting configuration short.
A basic ISIS section was left in to show how routes can be originated on the router itself.
A skeleton of firewall filters was left in to give a taste of what can be done to protect the core from spoofed traffic, ICMP flooding, etc.
Should this be of interest, please consider reading [[The Junos secure template|http://www.cymru.com/gillsr/documents/junos-template.pdf]].
Route damping was left in but is inactive, as recommended by [[ripe-378|http://www.ripe.net/ripe/docs/routeflap-damping.html]], which obsoletes ripe-229, ripe-210 and ripe-178.
A lot is still present though, like community-controlled route announcement, community-triggered route blackholing and BGP leak mitigation using as-path.
I am pretty sure that in the fury of cut, paste and replace, I must have broken enough of the configuration to make it unadvisable to use it "as is", but it should give you a good head start if you have never done it before.
The configuration is not yet commented (or split into parts) but I will try to fix this at some point (as well as fix the formatting, which this wiki likes to remove).
Use at your own risk, and feel free to let me know if something is wrong (I have never had the opportunity to test the BGP-triggered route blackhole yet).
{{{
version 8.2R3.6;
}}}
{{{
/* Template for all the interface on the router */
groups {
peering-interface {
interfaces {
<*> {
unit <*> {
family inet {
filter {
input external-incoming-peer;
}
}
}
}
}
}
physical-interface {
interfaces {
traceoptions {
file interfaces size 1m files 5;
flag change-events;
}
<ge-*> {
traps;
vlan-tagging;
link-mode full-duplex;
gigether-options {
flow-control;
}
unit <*> {
family inet {
no-redirects;
}
}
}
}
}
core-interface {
interfaces {
<*> {
unit <*> {
family inet {
no-redirects;
}
}
}
}
}
transit-interface {
interfaces {
<*> {
unit <*> {
family inet {
rpf-check {
mode loose;
}
filter {
input-list [ sample-netflow external-incoming-transit ];
}
}
}
}
}
}
customer-interface {
interfaces {
<*> {
unit <*> {
family inet {
rpf-check {
mode loose;
}
filter {
input external-incoming-customer;
}
}
}
}
}
}
}
}}}
{{{
/* System Configuration */
system {
host-name m7i;
domain-name business.net.uk;
domain-search [ business.net.uk ];
time-zone Europe/London;
no-redirects;
authentication-order tacplus;
location {
country-code UK;
postal-code "";
building "Telehouse";
rack 123;
}
ports {
console type vt100;
}
root-authentication {
encrypted-password "$"; ## SECRET-DATA
}
name-server {
ip;
ip;
}
tacplus-server {
ip {
secret "$"; ## SECRET-DATA
timeout 5;
}
}
accounting {
events [ login change-log interactive-commands ];
destination {
tacplus {
server {
ip secret "$"; ## SECRET-DATA
}
}
}
}
scripts {
/* See juniper.cluepon.net */
}
login {
message "******************************************************************************\n NOTICE TO USERS\n\nThis equipment is for authorized use only. Users (authorized or unauthorized)\nhave no explicit or implicit expectation of privacy.\n\nAny or all uses of this system and all files on this system may be intercepted,\nmonitored, recorded, copied, audited, inspected, and disclosed to authorized\nsite and law enforcement personnel.\n\nBy using this system, the user consents to such interception, monitoring,\nrecording, copying, auditing, inspection, and disclosure at the discretion of\nauthorized site.\n\nUnauthorized or improper use of this system may result in administrative\ndisciplinary action and civil and criminal penalties. By continuing to use\nthis system you indicate your awareness of and consent to these terms and\nconditions of use.\n\nLOG OFF NOW if you do not agree to the conditions stated in this warning.\n\nBusiness Limited - noc@business.co.uk - +44 \n*****************************************************************************\n\n";
class administrator {
idle-timeout 60;
permissions all;
}
class linx {
permissions [ field interface routing trace view view-configuration ];
}
user admin {
full-name "Admin";
uid 1000;
class administrator;
authentication {
encrypted-password "$"; ## SECRET-DATA
}
}
user linx {
full-name "Linx Staff Access";
uid 1001;
class linx;
authentication {
encrypted-password "$"; ## SECRET-DATA
}
}
}
static-host-mapping {
tacplus inet ip;
syslog inet ip;
localhost inet 127.0.0.1;
m7i-4.u3.tcw.uk {
inet ip;
sysid 0822.1900.0068;
}
}
services {
ssh {
root-login deny-password;
protocol-version v2;
connection-limit 5;
rate-limit 10;
}
telnet {
connection-limit 5;
rate-limit 10;
}
}
syslog {
archive size 1m files 10;
user * {
any error;
}
host ip {
/* none, info, notice, warning, error, critical, alert, emergency */
any notice;
facility-override local6;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
file system {
daemon any;
kernel any;
}
file firewall {
firewall any;
}
file security {
authorization any;
interactive-commands any;
}
file user-comand {
interactive-commands info;
}
console {
any error;
}
source-address ip;
}
no-compress-configuration-files;
archival {
configuration {
transfer-on-commit;
archive-sites {
"ftp://user:pass@ip/text/router-name/";
}
}
}
ntp {
boot-server ip;
server ip;
server ip;
}
}
}}}
{{{
/* Prevent an alarm if nothing is plugged on the console */
chassis {
no-source-route;
alarm {
management-ethernet {
link-down ignore;
}
}
}
}}}
{{{
/* Interfaces Configuration */
interfaces {
apply-groups physical-interface;
ge-0/3/0 {
description "LAN";
unit A-VLAN {
apply-groups core-interface;
description "Internal Switches";
vlan-id THE-VLAN-NUMBER;
family inet {
address range/netmask;
}
}
unit A-VLAN {
apply-groups core-interface;
description "to Elsewhere";
bandwidth 40;
vlan-id THE-VLAN-NUMBER;
family inet {
filter {
/* Filter ddos on output as it seems to cause issue on input on internal interface */
output ddos-protect;
}
address ip/30;
}
family iso;
}
}
ge-1/3/0 {
description "Upstream Interface";
unit 123 {
apply-groups peering-interface;
description Linx;
vlan-id THE-VLAN-NUMBER;
family inet {
address 195.66.224.---/23;
}
}
}
fxp0 {
description "Management Interface";
unit 0 {
family inet {
no-redirects;
filter {
input protect-management;
}
}
}
}
lo0 {
unit 0 {
description Loopback;
family inet {
no-redirects;
address ip/32;
}
family iso {
address 49.0001.0822.1900.0071.00;
}
}
}
}
}}}
{{{
forwarding-options {
sampling {
input {
family inet {
rate 1000;
inactive: run-length 4;
max-packets-per-second 7000;
}
}
output {
cflowd ip {
port 2055;
source-address ip;
version 8;
no-local-dump;
autonomous-system-type origin;
aggregation {
autonomous-system;
}
}
}
}
hash-key {
family inet {
layer-4;
}
}
}
}}}
{{{
routing-options {
options {
syslog {
level debug;
}
}
graceful-restart;
interface-routes {
rib-group inet if-rib;
}
/* Black Hole route */
route 127.0.0.2/32 {
discard;
retain;
no-readvertise;
}
aggregate {
route your-network/range {
community 54321:54321;
as-path {
origin igp;
}
}
}
rib-groups {
if-rib {
import-rib [ inet.0 inet.2 ];
}
isis-rib {
export-rib inet.0;
import-rib [ inet.0 inet.2 ];
}
mcast-rib {
export-rib inet.2;
import-rib inet.2;
}
}
router-id ip;
autonomous-system 54321;
forwarding-table {
export [ load-balancing ];
unicast-reverse-path feasible-paths;
}
}
}}}
{{{
protocols {
bgp {
path-selection always-compare-med;
log-updown;
inactive: damping;
graceful-restart;
group ibgp {
type internal;
traceoptions {
file bgp-ibgp size 1m files 5;
}
local-address ip;
import blackhole;
authentication-key "$"; ## SECRET-DATA
export [ originate-community originate-customer export-ibgp next-hop-self ];
peer-as 54321;
neighbor ip;
}
group transit {
type external;
local-preference 75;
remove-private;
neighbor IP {
inactive: traceoptions {
file bgp-transit1 size 1m files 5;
}
description "ANY | Transit 1 | myfault@transit1 |";
local-address ip;
import [ no-ix no-bogons no-small-prefixes tag-transit tag-transit1 damping local-preference-transit no-community-import ];
export [ originate-community originate-customer no-transit no-small-prefixes export-transit export-transit1 no-community-export next-hop-self ];
peer-as 1234;
}
}
group linx-collector {
type external;
inactive: traceoptions {
file bgp-linx-collector size 1m files 5;
flag all;
}
description "Linx Route Collector";
local-preference 150;
local-address 195.66.224.---;
import [ no-ix no-bogons no-small-prefixes no-leak tag-peering tag-linx damping local-preference-peer no-community-import ];
export [ originate-community originate-customer no-transit no-small-prefixes export-peering export-linx no-community-export next-hop-self ];
remove-private;
neighbor 195.66.224.254 {
/* See cluepon.juniper.net for the op script which transform this */
apply-macro inet {
prefix-limit 500;
}
description "NOT ANY | Linx Route Collector | |";
family inet {
unicast {
prefix-limit {
maximum 500;
}
}
}
authentication-key "$"; ## SECRET-DATA
peer-as 5459;
}
}
group linx-route-server {
type external;
inactive: traceoptions {
file bgp-linx-rs size 1m files 5;
flag all;
}
description "LINX Route Servers";
local-preference 125;
local-address 195.66.224.---;
import [ no-ix no-bogons no-small-prefixes no-leak tag-peering tag-linx damping no-community-import ];
export [ originate-community originate-customer no-transit no-small-prefixes export-peering export-linx no-community-export next-hop-self ];
remove-private;
neighbor 195.66.225.230 {
apply-macro inet {
prefix-limit 19534;
}
description "ANY | Linx route server | | AS-EXA";
authentication-key "$"; ## SECRET-DATA
peer-as 8714;
}
neighbor 195.66.225.231 {
apply-macro inet {
prefix-limit 19229;
}
description "ANY | Linx route server | | AS-EXA";
authentication-key "$"; ## SECRET-DATA
peer-as 8714;
}
}
group renesys {
type external;
inactive: traceoptions {
file bgp-renesys size 1m files 5;
}
description "A full routing table for Renesys at Linx";
local-address 195.66.224.---;
import deny-all;
export [ originate-community originate-customer no-small-prefixes no-community-export next-hop-self ];
remove-private;
neighbor 195.66.225.--- {
peer-as 64---;
}
}
group linx {
type external;
traceoptions {
file bgp-linx size 1m files 5;
flag state;
flag route;
flag general;
flag normal;
flag open;
flag policy;
}
local-preference 150;
local-address 195.66.224.---;
import [ no-ix no-bogons no-small-prefixes no-leak tag-peering tag-linx damping local-preference-peer no-community-import ];
export [ originate-community originate-customer no-transit no-small-prefixes export-peering export-linx no-community-export next-hop-self ];
remove-private;
neighbor ip {
apply-macro inet {
prefix-limit 500;
}
description "AS-MACRO | Name | noc@isp |";
peer-as 65555;
}
}
}
}
}}}
{{{
protocols {
isis {
traceoptions {
file isis size 1m files 5;
flag normal;
flag error;
}
export static-to-isis;
loose-authentication-check;
no-ipv6-routing;
rib-group inet isis-rib;
level 1 {
authentication-key "$"; ## SECRET-DATA
authentication-type simple; ## SECRET-DATA
}
level 2 {
authentication-key "$"; ## SECRET-DATA
authentication-type simple; ## SECRET-DATA
}
interface ge-0/3/0.VLAN-1 {
lsp-interval 33;
checksum;
level 1 {
hello-interval 10;
hold-time 30;
}
level 2 {
hello-interval 10;
hold-time 30;
}
}
interface ge-1/3/0.VLAN-2 {
passive;
}
interface all {
level 1 disable;
}
interface fxp0.0 {
disable;
}
interface lo0.0 {
passive;
}
}
}
}}}
{{{
policy-options {
prefix-list root-servers {
/* Add root servers here: see www.cymru.com */
}
prefix-list rfc1918-reserved {
/* RFC 1918 addresses */
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;
}
prefix-list protected-address {
/* IP addresses the Internet should not be able to reach within your network */
}
prefix-list business-external {
/* Part of your ip space used for interconnect to customers (so to be allowed in the network) */
}
prefix-list ssh-address {
/* What IPs can SSH/telnet in */
}
prefix-list bgp-address {
/* Your BGP peers */
}
prefix-list dns-address {
/* Your DNS servers */
}
prefix-list ntp-address {
/* Your NTP servers */
}
prefix-list snmp-address {
/* Your SNMP server - pulling and trap .. */
}
prefix-list radius-address {
/* Your radius server */
}
prefix-list tacacs-address {
/* The ip of the tacacs */
}
prefix-list isis-address {
/* The ranges you are running ISIS on */
}
prefix-list management-address {
/* The IP you want to allow management to */
}
prefix-list static-to-isis {
/* Ranges to redistribute from static into ISIS (so they disappear if the link goes down) */
}
policy-statement blackhole {
term rewrite-next-hop {
from {
protocol bgp;
community blackhole-here;
}
then {
community add no-export;
next-hop 127.0.0.2;
accept;
}
}
}
policy-statement damping {
term 1 {
from {
prefix-list root-servers;
}
then {
damping damp-none;
next policy;
}
}
term 2 {
from {
route-filter 0.0.0.0/0 upto /21 damping damp-short;
route-filter 0.0.0.0/0 upto /23 damping damp-medium;
route-filter 0.0.0.0/0 orlonger damping damp-long;
}
then next policy;
}
}
policy-statement deny-all {
then reject;
}
policy-statement export-customer {
term remove {
from {
protocol bgp;
community withdraw-customer;
}
then reject;
}
term prepend-one-time {
from {
protocol bgp;
community prepend1-customer;
}
then as-path-prepend 54321;
}
term prepend-two-times {
from {
protocol bgp;
community prepend2-customer;
}
then as-path-prepend "54321 54321";
}
term prepend-four-times {
from {
protocol bgp;
community prepend4-customer;
}
then as-path-prepend "54321 54321 54321 54321";
}
}
policy-statement export-ibgp {
term remove-community {
from {
protocol bgp;
community withdraw-ibgp;
}
then reject;
}
}
policy-statement export-linx {
term remove {
from {
protocol bgp;
community withdraw-linx;
}
then reject;
}
term prepend-one-time {
from {
protocol bgp;
community prepend1-linx;
}
then as-path-prepend 54321;
}
term prepend-two-times {
from {
protocol bgp;
community prepend2-linx;
}
then as-path-prepend "54321 54321";
}
term prepend-four-times {
from {
protocol bgp;
community prepend4-linx;
}
then as-path-prepend "54321 54321 54321 54321";
}
}
policy-statement export-peering {
term remove-peering {
from {
protocol bgp;
community route-peering;
}
then reject;
}
term remove-transit {
from {
protocol bgp;
community route-transit;
}
then reject;
}
term remove-community {
from {
protocol bgp;
community withdraw-peering;
}
then reject;
}
term prepend-one-time {
from {
protocol bgp;
community prepend1-peering;
}
then as-path-prepend 54321;
}
term prepend-two-times {
from {
protocol bgp;
community prepend2-peering;
}
then as-path-prepend "54321 54321";
}
term prepend-four-times {
from {
protocol bgp;
community prepend4-peering;
}
then as-path-prepend "54321 54321 54321 54321";
}
}
policy-statement export-transit {
term remove-peering {
from {
protocol bgp;
community route-peering;
}
then reject;
}
term remove-transit {
from {
protocol bgp;
community route-transit;
}
then reject;
}
term remove-community {
from {
protocol bgp;
community withdraw-transit;
}
then reject;
}
term prepend-one-time {
from {
protocol bgp;
community prepend1-transit;
}
then as-path-prepend 54321;
}
term prepend-two-times {
from {
protocol bgp;
community prepend2-transit;
}
then as-path-prepend "54321 54321";
}
term prepend-four-times {
from {
protocol bgp;
community prepend4-transit;
}
then as-path-prepend "54321 54321 54321 54321";
}
}
policy-statement export-transit1 {
term remove {
from {
protocol bgp;
community withdraw-transit1;
}
then reject;
}
term prepend-one-time {
from {
protocol bgp;
community prepend1-transit1;
}
then as-path-prepend 54321;
}
term prepend-two-times {
from {
protocol bgp;
community prepend2-transit1;
}
then as-path-prepend "54321 54321";
}
term prepend-four-times {
from {
protocol bgp;
community prepend4-transit1;
}
then as-path-prepend "54321 54321 54321 54321";
}
}
/* Load balance packet through all possible routes */
policy-statement load-balancing {
then {
load-balance per-packet;
}
}
policy-statement local-preference-customer {
term more {
from {
protocol bgp;
community local_preference_12;
}
then {
local-preference 300;
}
}
term normal {
from {
protocol bgp;
community local_preference_11;
}
then {
local-preference 275;
}
}
term less {
from {
protocol bgp;
community local_preference_10;
}
then {
local-preference 250;
}
}
}
policy-statement local-preference-peer {
term default {
from protocol bgp;
then {
local-preference 175;
}
}
term more {
from {
protocol bgp;
community local_preference_08;
}
then {
local-preference 200;
}
}
term normal {
from {
protocol bgp;
community local_preference_07;
}
then {
local-preference 175;
}
}
term less {
from {
protocol bgp;
community local_preference_06;
}
then {
local-preference 150;
}
}
}
policy-statement local-preference-transit {
term default {
from protocol bgp;
then {
local-preference 75;
}
}
}
policy-statement next-hop-self {
then {
next-hop self;
}
}
policy-statement no-bogons {
term default-route {
from {
route-filter 0.0.0.0/0 exact;
}
then reject;
}
term reserved {
from {
route-filter 10.0.0.0/8 orlonger;
route-filter 172.16.0.0/12 orlonger;
route-filter 192.168.0.0/16 orlonger;
route-filter 169.254.0.0/16 orlonger;
route-filter 192.0.2.0/24 orlonger;
route-filter 240.0.0.0/4 orlonger;
route-filter 192.42.172.0/24 orlonger;
route-filter 198.18.0.0/15 orlonger;
route-filter 127.0.0.0/8 orlonger;
}
then reject;
}
term multicast {
from {
route-filter 224.0.0.0/4 orlonger;
}
then reject;
}
term too-short {
from {
route-filter 0.0.0.0/0 prefix-length-range /0-/5;
}
then reject;
}
}
policy-statement no-community-export {
then {
community delete blackhole-everywhere;
community delete originate;
community delete originate-customer;
community delete internal;
}
}
policy-statement no-community-import {
then {
community delete originate;
community delete originate-customer;
community delete route-customer;
community delete internal;
}
}
policy-statement no-export {
then {
community add no-export;
}
}
policy-statement no-ix {
from {
/* Enlix */
route-filter 193.189.130.0/24 orlonger reject;
/* LINX */
route-filter 195.66.224.0/22 orlonger reject;
}
then reject;
}
policy-statement no-leak {
term remove-path {
from {
protocol bgp;
as-path [ leaked-quest leaked-verizon-na leaked-verizon-eu leaked-verizon-ap leaked-sprint leaked-telia leaked-atdn leaked-tiscali leaked-deutsche-telekom leaked-level3 leaked-savvis leaked-france-telecom leaked-telecom-italia leaked-att leaked-ntt leaked-global-crossing leaked-vsnl leaked-cogent ];
}
then reject;
}
}
policy-statement no-small-prefixes {
from {
route-filter 0.0.0.0/0 prefix-length-range /25-/32 reject;
}
then reject;
}
policy-statement no-transit {
term remove-path {
from {
protocol bgp;
as-path [ transit1-routes ];
}
then reject;
}
}
policy-statement originate-community {
from community originate;
then {
next-hop self;
accept;
}
}
policy-statement originate-customer {
from community originate-customer;
then {
next-hop self;
accept;
}
}
policy-statement originate-default {
from {
route-filter 0.0.0.0/0 exact;
}
then accept;
}
policy-statement static-to-isis {
from {
protocol static;
prefix-list static-to-isis;
}
to protocol isis;
then accept;
}
policy-statement tag-customer {
then {
community add route-customer;
}
}
policy-statement tag-linx {
then {
community add route-linx;
}
}
policy-statement tag-peering {
then {
community add route-peering;
}
}
policy-statement tag-transit {
then {
community add route-transit;
}
}
policy-statement tag-transit1 {
then {
community add route-transit1;
}
}
community blackhole-customer members 65100:65004;
community blackhole-everywhere members [ 65100:65001 65100:65002 65100:65003 65100:65004 ];
community blackhole-here members [ 65100:65001 65100:65002 65100:65003 65100:65004 ];
community blackhole-ibgp members 65100:65001;
community blackhole-peering members 65100:65002;
community blackhole-transit members 65100:65003;
/* Cymru communities */
community internal members [ 65000:* 65001:* 65002:* 65003:* 65004:* 65100:* ];
community local_preference_01 members 65005:65201;
community local_preference_02 members 65005:65202;
community local_preference_03 members 65005:65203;
community local_preference_04 members 65005:65204;
community local_preference_05 members 65005:65205;
community local_preference_06 members 65005:65206;
community local_preference_07 members 65005:65207;
community local_preference_08 members 65005:65208;
community local_preference_09 members 65005:65209;
community local_preference_10 members 65005:65210;
community local_preference_11 members 65005:65211;
community local_preference_12 members 65005:65212;
community local_preference_13 members 65005:65213;
community no-export members no-export;
community originate members 54321:54321;
community originate-customer members 54321:0;
community prepend1-customer members 65001:65004;
community prepend1-linx members 65001:5459;
community prepend1-peering members 65001:65002;
community prepend1-transit members 65001:65003;
community prepend1-transit1 members 65001:1234;
community prepend2-customer members 65002:65004;
community prepend2-linx members 65002:5459;
community prepend2-peering members 65002:65002;
community prepend2-transit members 65002:65003;
community prepend2-transit1 members 65002:1234;
community prepend4-customer members 65004:65004;
community prepend4-linx members 65004:5459;
community prepend4-peering members 65004:65002;
community prepend4-transit members 65004:65003;
community prepend4-transit1 members 65004:1234;
community route-customer members 54321:65004;
community route-ibgp members 54321:65001;
community route-linx members 54321:5459;
community route-peering members 54321:65002;
community route-transit members 54321:65003;
community route-transit1 members 54321:1234;
community routes-dsl members 54321:65101;
community routes-mpls members 54321:65102;
community routes-transit1 members 54321:1234;
community withdraw-customer members 65000:65004;
community withdraw-everywhere members [ 65000:65001 65000:65002 65000:65003 65000:65004 ];
community withdraw-ibgp members 65000:65001;
community withdraw-linx members 65000:5459;
community withdraw-peering members 65000:65002;
community withdraw-transit members 65000:65003;
community withdraw-transit1 members 65000:1234;
as-path private-asn-range 64512-65535;
as-path leaked-quest ".{1,}209.*";
as-path leaked-verizon-na ".{1,}701.*";
as-path leaked-verizon-eu ".{1,}702.*";
as-path leaked-verizon-ap ".{1,}703.*";
as-path leaked-sprint ".{1,}1239.*";
as-path leaked-telia ".{1,}1299.*";
as-path leaked-atdn ".{1,}1668.*";
as-path leaked-tiscali ".{1,}3257.*";
as-path leaked-deutsche-telekom ".{1,}3320.*";
as-path leaked-level3 ".{1,}3356.*";
as-path leaked-savvis ".{1,}3561.*";
as-path leaked-france-telecom ".{1,}5511.*";
as-path leaked-telecom-italia ".{1,}6762.*";
as-path leaked-att ".{1,}7018.*";
as-path leaked-ntt ".{1,}1914.*";
as-path leaked-global-crossing ".{1,}3549.*";
as-path leaked-vsnl ".{1,}6453.*";
as-path leaked-cogent ".{1,}174.*";
as-path transit1-routes 1234.*;
/* Min: 30 min, Max: 60 min, dampen at 3 flaps */
damping damp-long {
half-life 30;
reuse 1640;
suppress 6000;
max-suppress 60;
}
/* Min: 15 min, Max: 45 min, dampen at 3 flaps */
damping damp-medium {
half-life 15;
reuse 1500;
suppress 6000;
max-suppress 45;
}
/* Min: 10 min, Max: 30 min, dampen at 3 flaps */
damping damp-short {
half-life 10;
reuse 3000;
suppress 6000;
max-suppress 30;
}
/* Do not dampen */
damping damp-none {
disable;
}
}
}}}
{{{
firewall {
filter external-outgoing {
term valid-outgoing-traffic { }
term log-spoofing { }
}
filter flood-detect {
term tcp-syn-count { }
term tcp-rst-count { }
term tcp-fin-count { }
term tcp-allow { }
term udp-allow { }
}
filter protect-bgp {
term bgp-connection-limit { }
term bgp-allow { }
term default-deny { }
}
filter protect-management {
term icmp-limit { }
term trace-route-limit { }
term ssh-connection-limit { }
term ssh-limit { }
term dns-limit { }
term ntp-limit { }
term snmp-limit { }
term auth-limit { }
term telnet-limit { }
term default-deny { }
}
filter protect-icmp {
term icmp-allow { }
term default-deny { }
}
filter protect-isis {
term isis-connection-limit { }
term isis-allow { }
term default-deny { }
}
filter external-incoming-customer {
term transfer-allow { }
term originate-deny { }
term peer-deny { }
term transit-deny { }
term rfc1918-deny { }
term manangement-allow { }
term infrastructure-icmp-allow { }
term infrastructure-deny { }
term icmp-limit { }
term multicast-limit { }
term default-allow { }
}
filter external-incoming-transit {
term transfer-allow { }
term originate-deny { }
term peer-deny { }
term customer-deny { }
term free-transit-deny { }
term rfc1918-deny { }
term manangement-allow { }
term infrastructure-icmp-allow { }
term infrastructure-deny { }
term icmp-limit { }
term multicast-limit { }
term default-allow { }
}
filter external-incoming-peer {
term transfer-allow { }
term originate-deny { }
term customer-deny { }
term transit-deny { }
term free-transit-deny { }
term rfc1918-deny { }
term manangement-allow { }
term infrastructure-icmp-allow { }
term infrastructure-deny { }
term icmp-limit { }
term multicast-limit { }
term default-allow { }
}
filter sample-netflow { }
filter ddos-protect { }
}
}}}
''Use the patch provided here at your own risk: do not use it if you are not able to understand the code provided''
Before using this patch, you may want to read this [[thread|http://tech.groups.yahoo.com/group/postfix-users/message/230005]] on the postfix-users mailing list, where I was told:
* that I am ill advised to want such a patch in postfix as its ''//approach is fundamentally flawed//''
* that this patch is too resource intensive
In order to address the last point, I made sure that:
* the feature is turned off by default
* the maximum amount of memory available to the feature can be set.
With the default values:
smtpd_client_connection_count_limit (default: 50)
smtpd_recipient_limit (default: 1000)
line_length_limit (default: 2048)
the worst-case memory utilisation for the feature is around 2Mb per smtpd instance, which is 40Mb with the default settings (which are exceptionally large for the recipient limit). Limiting mails to 50 recipients makes the worst-case overhead per smtpd 100kb.
40 Mb is indeed a lot for an old machine, but on recent hardware it will not even be noticed (and this memory will only be allocated if the mails received have lots of recipients).
The other way to get all the recipients of a mail would be to track the "recipient" sent to the policy server at each RCPT using the "instance" attribute and use the result at the DATA stage.
With this approach the policy server needs:
* to be called at each RCPT (and not only at DATA)
* to keep track of the recipients for each mail
* to perform some cleaning should the connection close between the RCPT and DATA stages
The patch provides two new configuration options:
* a boolean: access_delegation_recipients, which needs to be turned on to use the feature
* an integer: smtpd_recipients_length_limit, which limits the amount of memory the list of recipients can take; it is set to zero by default, meaning that no limitation will be performed. Should its value be under "line_length_limit", the value will be changed at run time to this default.
It changes the [[SMTPD POLICY Protocol|http://www.postfix.org/SMTPD_POLICY_README.html]] by adding a line starting with "recipients=". The key contains a "\r" separated list of the mail recipients (or the single recipient, exactly as the recipient key).
The list is only set during the ~DATA and ~END_OF_DATA states and __only__ if the length of the string is under the value set in smtpd_recipients_length_limit.
This patch/feature _is_ useful for:
* bouncing spam sent to a list of forged nonexistent email addresses (especially when your MX and storage servers are not on the same machines).
* allowing per-domain policies, ie per-domain white-listing, etc.
* you tell me
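What a policy server does with the new key, as an added example (not code from the patch, from Postfix or from this page): it parses one policy request, takes the whole recipient list from "recipients=" when the patched smtpd supplies it (DATA and end-of-data only, and only under the length limit), falls back to the single "recipient=" otherwise, and rejects a message whose recipient list is mostly forged addresses for domains it hosts. The hosted-mailbox directory, the protocol_state values and the threshold are assumptions.

```python
"""Policy-server side of the patched Postfix SMTPD policy protocol (added example)."""
from typing import Dict, List

# Constructed directory of hosted mailboxes: stands in for the storage servers
# an MX cannot cheaply query once per RCPT. Not from the page.
HOSTED: Dict[str, set] = {
    "example.org": {"alice", "bob"},
    "example.net": {"carol"},
}

# Reject the whole message once this many recipients of hosted domains are
# unknown: a forged recipient list rather than a single typo (assumption).
MAX_UNKNOWN = 2

# protocol_state values as Postfix puts them on the wire (assumption); the
# page calls them the DATA and END_OF_DATA states.
LIST_STATES = ("DATA", "END-OF-MESSAGE")


def parse_request(raw: str) -> Dict[str, str]:
    """Parse one request: "name=value" lines terminated by an empty line."""
    attrs: Dict[str, str] = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def recipients_of(attrs: Dict[str, str]) -> List[str]:
    """Return every envelope recipient the policy server can see.

    "recipients=" is the patch's key, "\\r"-separated. An unpatched smtpd, or a
    patched one whose list exceeded smtpd_recipients_length_limit, only sends
    the single "recipient=" key.
    """
    if attrs.get("protocol_state") in LIST_STATES and "recipients" in attrs:
        return [r for r in attrs["recipients"].split("\r") if r]
    single = attrs.get("recipient", "")
    return [single] if single else []


def unknown_recipients(rcpts: List[str]) -> List[str]:
    """Recipients in a hosted domain whose local part has no mailbox."""
    unknown = []
    for rcpt in rcpts:
        local, at, domain = rcpt.rpartition("@")
        domain = domain.lower()
        if at and domain in HOSTED and local.lower() not in HOSTED[domain]:
            unknown.append(rcpt)
    return unknown


def decide(raw: str) -> str:
    """Return the policy response for one request."""
    rcpts = recipients_of(parse_request(raw))
    bad = unknown_recipients(rcpts)
    if len(bad) >= MAX_UNKNOWN:
        return "action=550 5.1.1 no such recipients: " + ", ".join(bad) + "\n\n"
    return "action=DUNNO\n\n"
```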
You can download the ''fourth'' version (released the 26th of November 2007) of this patch
[[here for postfix 2.6 20071111|http://thomas.mangin.com/data/source/postfix-all_recipients-4-20071111.patch]]
I have updated the patch to apply cleanly on a more recent version of postfix
[[here for postfix 2.6 20080201|http://thomas.mangin.com/data/source/postfix-all_recipients-4-20080201.patch]] (which applies cleanly on postfix-2.5.1-rc1)
Should you have downloaded any previous version, please update, as the third contains a memory leak which causes the memory utilisation to be up to twice what it should be, and any version before that should simply not be used.
All the documents related to networking are tagged with 'Network'; you can find them using the search feature or the 'Tags' tab.
Some old code from Uni ..
|Description|Simple code to create C++ plugin using dynamic linking library|
|Operating System |Linux|
|Language |C++|
|Building |Autoconf / Automake|
|Finished |My conclusions about what was possible/impossible are wrong|
|Known bugs |none|
|Download |[[Here|/data/source/plugin.tar.bz2]]|
|Description|An Image deformation program based on recursively coded Bezier Curves|
|Operating System |Linux|
|Language |C|
|Building |Makefile|
|Finished |yes|
|Known bugs |Somewhere Sub-optimal recursion stopping test (Possible speedup 4x)|
|Download |[[Here|/data/source/bezier.tar.bz2]]|
|Description|Simple FTP-like client and server (UDP and TCP)|
|Operating System |Linux|
|Language |C++|
|Building |Makefile|
|Finished |yes|
|Known bugs |Nasty OO interface, UDP code buggy in vicious case|
|Download |Here|
|Description|A simple TEX to HTML converter using Lex|
|Operating System |Linux|
|Language |Lex and C|
|Building |Compile it yourself|
|Finished |only handles _very_ few HTML tags ...|
|Known bugs |none|
|Download |[[Here|/data/source/ftp.tar.bz2]]|
|Description|A really minimal compiler that generates pseudo assembler code|
|Operating System |Linux|
|Language |Lex, Yacc and C|
|Building |Makefile for Debian 2.1|
|Finished |Does what it is supposed to ...|
|Known bugs |(DAG not created after parsing the tree)|
|Download |[[Here|/data/source/compil.tar.bz2]]|
|Description|The base of a virtual machine which runs assembler ASCII files|
|Operating System |Linux|
|Language |C++|
|Building |Makefile|
|Finished |no, core completed but you have to write your instructions yourself|
|Known bugs |None, but the code could be improved|
|Download |[[Here|/data/source/emule.tar.bz2]]|
|Description|A Flat, Gouraud and Phong renderer of 3D Studio 4 files|
|Operating System |~DOS with ~DOS4GW (VESA 2.0 video card Needed)|
|Language |C++|
|Building |Watcom Makefile|
|Finished |yes|
|Known bugs |3DS file reading assumes a correctly sized and centered object, ''slow''|
|Download |[[Here|/data/source/phong.tar.bz2]]|
|Description|Simple fractal (julia and mandelbrot) drawers|
|Operating System |DOS and Linux (needs GGI)|
|Language |C|
|Building |Just do it|
|Finished |yes|
|Known bugs |none|
|Download |[[Here|/data/source/fractal.tar.bz2]]|
Google seems to have reacted to the menace Phorm is creating to their business model with [[Obfuscated TCP|http://code.google.com/p/obstcp/]]. It is interesting to see someone of Google's stature pushing forward some of the [[ideas|http://cr.yp.to/talks/2004.04.28/slides.pdf]] presented by Daniel Bernstein.
My most recent work-related OSS, like a BGP route injector or network tools, can be found at [[http://wiki.exa.org.uk/|http://wiki.exa.org.uk/]].
This fixes bug number 1, "Clamd protocol change introduced in version 0.95"!
See https://secure.thrallingpenguin.com/redmine/issues/show/1
The ticket system for the proftpd mod_clamav module does not allow me to add a patch, so here it is.
This is the daftest patch I ever wrote. It is one hour of my life I will never get back!!
Do not forget that on most recent Linux distros you need to set up AppArmor to let clamd read/write the files to scan.
{{{
root@750-11:~/install/mod_clamav-0.10# diff -u mod_clamav.c.org mod_clamav.c
--- mod_clamav.c.org 2010-03-25 11:02:36.000000000 +0000
+++ mod_clamav.c 2010-03-25 13:28:24.000000000 +0000
@@ -107,7 +107,7 @@
* Start a session with Clamavd.
*/
int clamavd_session_start(int sockd) {
- if (sockd != -1 && write(sockd, "SESSION\n", 8) <= 0) {
+ if (sockd != -1 && write(sockd, "nIDSESSION\n", 11) <= 0) {
pr_log_pri(PR_LOG_ERR,
MOD_CLAMAV_VERSION ": error: Clamd didn't accept the session request.");
return -1;
@@ -119,7 +119,7 @@
* End session.
*/
int clamavd_session_stop(int sockd) {
- if (sockd != -1 && write(sockd, "END\n", 4) <= 0) {
+ if (sockd != -1 && write(sockd, "nEND\n", 5) <= 0) {
pr_log_pri(PR_LOG_INFO,
MOD_CLAMAV_VERSION ": info: Clamd didn't accept the session end request.");
return -1;
@@ -183,7 +183,7 @@
return -1;
}
- sprintf(scancmd, "SCAN %s\n", abs_filename);
+ sprintf(scancmd, "nSCAN %s\n", abs_filename);
if (!clamavd_connect_check(sockd)) {
if ((clamd_sockd = clamavd_connect()) < 0) {
}}}
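Review bot: in the @@ -107 hunk the length 11 passed to write() for "nIDSESSION\n" is hand-counted; use sizeof("nIDSESSION\n") - 1 so the string and its length cannot drift apart, and treat a short write (a return value below the length, not only <= 0) as a failure, since clamd would otherwise wait on a half-sent command. Also check the response reader, which is not in this hunk: within IDSESSION clamd prefixes every reply with the request id, so the code that parses the SCAN answer must strip that prefix.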
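Review bot: the @@ -119 hunk has the same hand-counted length (5 for "nEND\n"); the same sizeof("nEND\n") - 1 form keeps it correct. On failure the function logs and returns -1 but leaves sockd open; the caller (not shown) should close the socket after a failed END rather than reuse a session in an unknown state.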
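Review bot: the @@ -183 hunk keeps sprintf(scancmd, "nSCAN %s\n", abs_filename) with no bound on abs_filename, which is derived from the name of the uploaded file, so an over-long name overruns scancmd; use snprintf(scancmd, sizeof(scancmd), ...) and fail when the result is truncated. A name containing a newline also ends the 'n'-prefixed command early; clamd's 'z' prefix with a NUL terminator ("zSCAN %s" followed by '\0') is the protocol's way to carry such names.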
Until recently, ISPs felt that they had the same status as traditional telecommunication providers and were protected from prosecution for the traffic going through their network. It was then none of their business to police the information flowing through their network.
The situation became hazier when BT decided to deploy [[cleanfeed|http://en.wikipedia.org/wiki/Cleanfeed_(content_blocking_system)]]. Up to that point ISPs had been transproxying web traffic in order to cache the web pages requested and save on bandwidth costs, but had never actively interfered with the data passing through their network.
More recently the [[threat of legislation|http://news.bbc.co.uk/1/hi/technology/7258437.stm]] pushed by the [[IFPI|http://www.ifpi.org/]], the [[children protection lobby|http://www.law.ed.ac.uk/ahrc/SCRIPT-ed/vol3-3/editorial.asp]] and the [[government|http://www.theregister.co.uk/2007/11/16/isps_brown_terror/]] (all ignoring that transproxying can be easily evaded) seems to be changing the landscape for ISPs, which are now under increased pressure to police their traffic for the benefit of whoever can afford to lobby them.
Deploying a large scale filtering/transproxying solution is expensive, and with little chance of seeing the cost paid by either the end user or the legislator, it is only natural for ISPs to seek some form of remuneration for the cost of deploying such possibly soon legally required solutions.
In that context it is not that strange to see the UK's largest ISPs [[sell their customers' web traffic|http://www.nytimes.com/2008/02/18/technology/18target.html]] (not protected by any data protection law) to an organisation selling targeted advertising.
Until now, advertisers had to rely on [[cookies|http://en.wikipedia.org/wiki/HTTP_cookie]] to track surfing habits, making it possible for customers to protect their privacy (by refusing them or using [[anonymisers|http://www.google.co.uk/search?q=anonymizer]]).
With this [[new system|http://www.phorm.com/]] (described [[here|http://www.theregister.co.uk/2008/02/29/phorm_documents/]]), our average UK broadband user can only hope that the ISP's marketing firm will honour its promise not to monitor their traffic.
The most interesting part seems to be that even once 'unsubscribed', the traffic may still go through the advertiser's 'anonymiser proxies'.
One can only wonder whether the role of those proxies will not be to block cookies from competitors, giving Phorm a quasi monopoly on advertising in the UK.
Leaking BGP routes is a common sport among the ISP community. I did an (appalling) presentation on my personal experience at [[Linx 57|http://www.linx.net/]].
!Background
If you are joining an exchange you should assume that other members will leak, and be prepared.
Please consider these methods as non-exclusive: the more you filter, the less likely you are to leak.
!Things no one should announce or accept
!!Small Prefixes
Many ISPs carry their customer routes (DSL, etc.) in iBGP, as the IGP should remain stable and small to converge quickly.
Should an ISP leak those routes, you could see thousands of /32-/2x routes. As the smallest prefix routable over the internet is a /24, make sure not to accept very small prefixes.
{{{
/* match and refuse any route smaller/longer than a /24 */
[edit policy-options]
policy-statement no-small-prefixes {
from {
route-filter 0.0.0.0/0 prefix-length-range /25-/32 reject;
}
then reject;
}
}}}
!!BOGONS
Likewise, make sure you do not accept (or announce) reserved and non-routable ranges.
{{{
/* bogon, rfc1918, etc. */
[edit policy-options]
policy-statement no-bogons {
from {
route-filter 224.0.0.0/4 orlonger reject;
......
}
}
}}}
!!Things obviously wrong ..
Only you can know what you cannot learn from your peers, but the transfer LAN of an IX looks like something you would only learn from a misconfiguration.
{{{
/* Linx LAN */
[edit policy-options]
policy-statement no-ix {
from {
route-filter 195.66.224.0/22 orlonger reject;
}
then reject;
}
}}}
And then make sure you never see it .. or announce it
{{{
/* should never get in or out */
[edit protocols bgp group linx]
export [ no-small-prefixes no-ix no-bogons ];
import [ no-small-prefixes no-ix no-bogons ];
}}}
!Protect yourself
!!Max Prefix
The quickest and simplest way to get some form of protection is a max-prefix limit, ie an upper bound on the number of routes you will accept from a peer.
The router will then shut down the session should the eBGP speaker send you more than the predefined number of routes (was it necessary to say it?).
{{{
neighbor 195.66.224.xxx {
description "AS-ACCEPTED | Peer name | noc@peer.co.uk | AS-SENT";
family inet {
unicast {
prefix-limit {
maximum 150;
teardown 80 idle-timeout 5;
}
}
}
peer-as 1234;
}
}}}
!! Max Prefix Limitations
On Cisco this works great, as the count is performed on prefixes accepted. On Juniper it is not as good: the counting is done on prefixes received (before any kind of filtering), which is much less useful.
For the clueful:
Go and thank RAS for his excellent max-prefix auto-tuning work at http://juniper.cluepon.net/index.php/OS_Auto_Tuning_Prefix_Limits
Please push for this feature with your SE.
!!Peers are not your transit providers
As an ISP you know who your transit providers are and their ASNs. You should filter from your announcements any route with an AS-PATH which contains them.
Here is an example for Juniper (assuming your transit is from Level3 and Sprint):
{{{
/* define the routes we have learned from transit (example) */
as-path routes-level3 3356.*;
as-path routes-sprint 1239.*;
/* create a policy blocking their distribution */
[edit policy-options]
policy-statement no-transit {
term remove-path {
from {
protocol bgp;
as-path [ routes-level3 routes-sprint ];
}
then reject;
}
}
/* make sure that no linx peer will ever get them again */
[edit protocols bgp group linx]
export [ no-transit ];
}}}
!!Peers are not your customers
You should never see your customers' routes from your peers either.
!!Peers should know better
Your peers should not leak routes with reserved ASNs either, mainly since they can be filtered with one line.
{{{
[edit protocols bgp group linx]
remove-private;
}}}
!Protect your reputation
!!Filtering routes using communities
First you must tag your routes to know what is what.
It is in every book: you tag your routes inbound and filter them outbound.
{{{
/* define a community to identify routes learned from transit */
community route-transit members 1234:1239;
/* create a policy to apply this community to a route */
policy-statement tag-transit {
then {
community add route-transit;
}
}
/* make sure all routes from transit have that community */
[edit protocols bgp group transit]
import [ tag-transit tag-transit-provider-specific ];
/* repeat with peers */
}}}
Then you use this to stop the announcement to your peers:
{{{
/* define a policy rejecting routes identified as transit */
[edit policy-options]
policy-statement export-transit {
term remove-transit {
from {
protocol bgp;
community route-transit;
}
then reject;
}
term remove-peering ...
term remove-community ...
term prepend-one-time ...
}
/* and make sure no linx peer sees it */
[edit protocols bgp group linx]
export [ export-peering export-linx ];
}}}
Don't make a typo in your community definition without also filtering on AS-path, as it hurts.
!!Filter using AS-PATH
Most large networks have very "private" peering policies, and it is unlikely that you should ever learn any of their routes via peering (otherwise it would be called transit).
{{{
/* define the routes you will never see through peers */
as-path leaked-sprint ".{1,}1239.*";
as-path leaked-telia ".{1,}1299.*";
/* create a policy blocking their distribution */
[edit policy-options]
policy-statement no-leak {
term remove-path {
from {
protocol bgp;
as-path [ leaked-telia leaked-sprint ];
}
then reject;
}
}
/* make sure that no linx peer will ever get them again */
[edit protocols bgp group linx]
import [ no-leak ];
}}}
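The import checks of this page (small prefixes, bogons, the IX LAN, max-prefix, transit ASNs in the path, private ASNs and the leaked-* AS-path patterns) re-implemented offline, as an added example that is not the page's Junos configuration: it lets a dump of the routes a peer sent be checked beside the router. The peer AS, sample routes and documentation-range ASNs are constructed; 195.66.224.0/22, 3356, 1239 and the leaked-* ASNs come from the page.

```python
"""Offline re-implementation of the page's BGP import policies (added example)."""
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[str, List[int]]       # (prefix, AS path with the peer's AS first)

LONGEST_PREFIX = 24                 # policy no-small-prefixes: nothing longer than /24
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
IX_LAN = ipaddress.ip_network("195.66.224.0/22")     # policy no-ix: LINX transfer LAN
TRANSIT_ASNS = {3356, 1239}                          # our transit (Level3, Sprint)
NEVER_VIA_PEERS = {1299, 7018, 174}                  # Telia, AT&T, Cogent: leaked-* list
PRIVATE_ASNS = range(64512, 65536)                   # as-path private-asn-range


def check_route(prefix: str, path: List[int], peer_as: int) -> str:
    """Return "accept" or the name of the policy that rejects the route."""
    if not path or path[0] != peer_as:
        return "wrong-peer-as"                      # eBGP: first hop must be the peer
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen > LONGEST_PREFIX:
        return "no-small-prefixes"
    if any(net.subnet_of(b) for b in BOGONS):
        return "no-bogons"
    if net.subnet_of(IX_LAN):
        return "no-ix"
    if any(asn in PRIVATE_ASNS for asn in path):
        return "remove-private"                     # Junos strips these; here the route fails
    # Junos ".{1,}1239.*": the ASN appears after at least one other AS, i.e. the
    # peer is passing on routes it learned from a transit provider, which is a leak.
    # The peer being 1239 itself (first AS) is an ordinary direct session.
    if any(asn in TRANSIT_ASNS or asn in NEVER_VIA_PEERS for asn in path[1:]):
        return "no-leak"
    return "accept"


def evaluate_peer(routes: List[Route], peer_as: int, maximum: int) -> Dict[str, object]:
    """Apply the max-prefix limit, then the import policies, to one peer's routes.

    The page notes that Cisco counts accepted prefixes and Junos received ones;
    this counts received, like Junos, which is the stricter of the two.
    """
    if len(routes) > maximum:
        return {"session": "teardown", "accepted": [], "rejected": {}}
    accepted: List[str] = []
    rejected: Dict[str, str] = {}
    for prefix, path in routes:
        verdict = check_route(prefix, path, peer_as)
        if verdict == "accept":
            accepted.append(prefix)
        else:
            rejected[prefix] = verdict
    return {"session": "up", "accepted": accepted, "rejected": rejected}


# Constructed announcement from a peer using documentation ASN 64496.
PEER_AS = 64496
SAMPLE_ROUTES: List[Route] = [
    ("198.51.100.0/24", [64496]),                 # the peer's own /24: fine
    ("198.51.100.128/25", [64496]),               # longer than /24
    ("192.168.10.0/24", [64496]),                 # RFC1918
    ("195.66.225.0/24", [64496]),                 # inside the LINX LAN
    ("203.0.113.0/24", [64496, 3356, 64500]),     # learned through our transit: leak
    ("192.0.2.0/24", [64496, 65001]),             # private ASN in the path
]

if __name__ == "__main__":
    print(evaluate_peer(SAMPLE_ROUTES, PEER_AS, 150))
```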
!!Filtering using the registry DB
Some tools exist to help with the generation of filters based on the content of the IRR DB (RIPE, ARIN, etc.): http://irrpt.sourceforce.net/ gathers and tracks prefixes within an AS-Macro.
The program implements most of the file program (see man 4 magic) in python.
This code does not recognise the whole magic definition, as I concluded that the magic format was way too limited for my needs. It is however able to classify most files as well as the file program does. Things missing are binary operators, string compaction and the like, which are not used by most rules. Feel free to submit patches.
The magic definition does not permit recursively referred data extraction and reference (which is needed to extract information from MPEG, for example).
Download it [[here|/data/source/magic.tar.bz2]]
! What is greylisting ?
If you landed on this page without knowing what greylisting is, click [[here|http://projects.puremagic.com/greylisting/]] or [[here|http://www.greylisting.org/]].
!Overview
Recently, I decided that it was time for me to use [[greylisting|http://projects.puremagic.com/greylisting/]] with my [[qmail|http://www.qmail.org]] servers. As I wanted something lightweight (ie without a database), I started to code a simple application, but before putting more work into it I decided to have a look around (just in case someone else had already done the work for me) and found that I was not the first to have implemented greylisting the way I wanted it.
http://www.jonatkins.com/page/software/qgreylist,
http://www.datenklause.de/en/software/qgreylistrbl.html,
http://oss.albawaba.com/cqgreylist.html
had released simple greylisting code well before I did.
However, the code of those alternatives is more complicated than it needs to be, as [[rblsmtpd|http://cr.yp.to/ucspi-tcp/rblsmtpd.html]] is already designed to handle a limited SMTP conversation and return 451 messages.
The result of my work is the following [[python|http://www.python.org]] [[code|/data/source/qmail-greyd]].
This script should cut most spam and is easy to install, as it does not need qmail to be patched in any way or form, so it can be used with "plain" or "net" qmail (or in my case qmail-ldap).
!The code
You can download the code [[here|/data/source/qmail-greyd]] (tested on python 2.4)
It seems to do what it says on the tin and is running on a group of MX servers in charge of over 1,000 busy domains.
I do not have a fancy versioning scheme, the version on my private svn repository for this download is 16 - updated on the 21st of April 2006.
!And how to use it
You will need to have qmail-smtpd calling the qmail-greyd application, like this:
example of qmail-smtpd/run
{{{
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`head -1 /var/qmail/control/concurrencyincoming`
SMTPD="/var/qmail/bin/qmail-smtpd"
GREYD="/var/qmail/bin/internal/qmail-greyd"
RBLSMTPD="/usr/bin/rblsmtpd"
BLACKLIST=`cat /var/qmail/control/blacklists|grep -v '^#'`
exec /usr/bin/softlimit -m 15000000 \
/usr/bin/tcpserver \
-v \
-R \
-p \
-x /var/qmail/control/tcprules/qmail-smtpd.cdb \
-c "$MAXSMTPD" \
-u $QMAILDUID -g $NOFILESGID \
0 smtp \
$GREYD \
$RBLSMTPD \
$BLACKLIST \
$SMTPD \
2>&1
}}}
Create a folder called /var/qmail/grey:
{{{
mkdir -p /var/qmail/grey
chown qmaild:nofiles /var/qmail/grey
}}}
An empty /var/qmail/control/blacklists file would look like this:
{{{
# you can add RBL sites to this file by using -r[host] (refer to rblsmtpd)
#-rbl.spamcop.net
}}}
and enable it for the ranges you want with the GREY environment variable.
example of tcpserver rules file for qmail-smtpd
{{{
192.168.:allow,RELAYCLIENT=""
:allow,GREY=""
}}}
!Final notes ...
Obviously you may have to run two instances of qmail-smtpd on the same box if you use things like SMTPAUTH: one for your MX record and one as your SMTP submission server with SMTPAUTH.
This code does not include whitelisting, as it is not necessary (I said I was minimalist :p). To whitelist some hosts or ranges, generate entries for them without the GREY environment variable set in your tcpserver configuration file.
Should you want to share the greylisting information between several servers, feel free to mount the qmail-greyd folder over NFS; it should just work but it is untested (afaik).
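A greylisting front end built the way this page describes, as an added example that is not the qmail-greyd script from the page: no database, one file per client IP under the state directory, a decision taken on tcpserver's TCPREMOTEIP alone, whitelisting by simply not setting GREY, and the 451 reply delegated to rblsmtpd through its RBLSMTPD variable before exec'ing the rest of the chain. The delays, the file layout and the reply text are assumptions.

```python
"""Greylisting in front of rblsmtpd, ucspi-tcp style (added example)."""
import ipaddress
import os
import sys
import tempfile
import time
from typing import List

MIN_DELAY = 5 * 60           # client must come back at least 5 minutes later (assumption)
MAX_AGE = 30 * 24 * 3600     # forget a client not seen for 30 days (assumption)
STORE = "/var/qmail/grey"    # the page's state directory, owned by qmaild


def decision(store: str, remote_ip: str, now: float) -> str:
    """Return "pass" or "grey" for a client and record the attempt.

    The file's content is the first time the client was seen, its mtime the last.
    """
    try:
        ip = ipaddress.ip_address(remote_ip)
    except ValueError:
        return "grey"        # unparseable address: never let it through, never touch disk
    path = os.path.join(store, str(ip))
    first_seen = None
    last_seen = now
    try:
        last_seen = os.stat(path).st_mtime
        with open(path) as fh:
            first_seen = float(fh.read().strip() or last_seen)
    except (OSError, ValueError):
        first_seen = None
    if first_seen is None or now - last_seen > MAX_AGE:
        with open(path, "w") as fh:          # new client, or one we had forgotten
            fh.write("%d\n" % now)
        os.utime(path, (now, now))
        return "grey"
    os.utime(path, (now, now))               # refresh last-seen on every attempt
    return "pass" if now - first_seen >= MIN_DELAY else "grey"


def main(argv: List[str]) -> None:
    """Decide, then exec the rest of the chain (rblsmtpd ... qmail-smtpd)."""
    if len(argv) < 2:
        sys.exit("usage: qmail-greyd program [args...]")
    # tcpserver sets GREY="" for greylisted ranges: test presence, not truth.
    if os.environ.get("GREY") is not None:
        if decision(STORE, os.environ.get("TCPREMOTEIP", ""), time.time()) == "grey":
            # rblsmtpd answers every command with "451 <text>" when RBLSMTPD is set
            os.environ["RBLSMTPD"] = "greylisted, please try again later"
    os.execvp(argv[1], argv[1:])


def demo() -> List[str]:
    """Walk one client through first contact, an early retry and a late retry."""
    store = tempfile.mkdtemp()
    t0 = 1_700_000_000.0
    return [decision(store, "192.0.2.10", t0),
            decision(store, "192.0.2.10", t0 + 60),
            decision(store, "192.0.2.10", t0 + MIN_DELAY)]


if __name__ == "__main__":
    main(sys.argv)
```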
! What is this page all about ?
This document will explain how to rewrite a domain name to use the first part of the name as a user within the rest of the name.
The same technique can be used to perform arbitrary rewrites.
!Not clear enough? So let's use a small example:
Let's say you are running a firm which has a support department. You want people to send an email to name@support.firm.com, where name can be any name, but have the mail arrive at support@firm.com.
How does it work?
It rewrites the email address from name@support.firm.com to support@firm.com or support-name@firm.com, depending on how you want to use it.
You can then decide to use a .qmail file to send the mail away, or use a catch-all to deliver the mail of a previous employee to someone else.
!How is it possible ?
Qmail comes with a powerful user management backend. This backend is already well used by software such as vpopmail, which allows creating virtual domains on the mail server under the control of an independent administrator.
This is just a simple example using the power of this backend.
!Qmail configuration
The following Qmail file presentation assumes that you want the mail to be ultimately delivered to a local system user (having an entry in the /etc/passwd file and a valid Maildir directory).
You can alternatively deliver the domain through the virtualdomains or qmail users file, but only local user delivery will be explained.
We should already have an entry for the domain in the locals file:
/var/qmail/control/locals
{{{
domain.com
}}}
Then, the master domain and all subdomains should be accepted by the mail server.
/var/qmail/control/rcpthosts
{{{
domain.com
.domain.com
}}}
Then we indicate to Qmail that we want the mail to be delivered to the alias user, with a name extension of domain.com, so we can manipulate it like we can manipulate the root account using /var/qmail/alias/.qmail-root.
/var/qmail/control/virtualdomains
{{{
.domain.com:alias-domain.com
}}}
Instead of performing a delivery into a Maildir, the mail is passed through an application. This is similar to a Maildrop delivery.
Maildrop is an application which allows mail to be filtered before delivery.
You will have to remember to replace the dots in the .qmail file name with colons (see the Qmail documentation).
You do not have to worry if your domain contains some hyphens, as the mail is not passing through the virtualdomains file.
/var/qmail/alias/.qmail-domain:com-default
{{{
|./virtual/handler
}}}
This script will extract the first part of the domain name and re-send the mail to the new address:
/var/qmail/alias/virtual/handler
{{{
#!/bin/sh
# EXT2 is the part of the address extension after the first dash, i.e. the
# original local part ("name" in name@support.domain.com); HOST is the domain.
rcpt_to_user=${EXT2}
# the first label of the domain becomes the user, the rest the destination domain
dest_user=`expr "${HOST}" : '\([^\.]*\)[.].*'`
dest_domain=`expr "${HOST}" : '[^.]*[.]\(.*\)'`
email=${dest_user}-${rcpt_to_user}@${dest_domain}
#email=${dest_user}-noone@${dest_domain}
# record the original recipient in a header, then hand the mail to qmail's forward
( echo "X-Rcpt-To: <${rcpt_to_user}@${HOST}>"; cat ) \
| forward "${email}";
}}}
!Conclusion
This is just a quick hack which shows you how flexible Qmail is. When using these features, just keep in mind that the values you are using are received from the net and could contain malicious data.
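The handler above with the check the conclusion asks for, as an added example (not the page's script): the same rewrite of name@support.domain.com into support-name@domain.com, but EXT2 and HOST are validated before anything is built from them, and bad values fail the delivery permanently instead of reaching forward. The validation rules, the exit codes and the use of qmail's forward program are assumptions.

```python
"""Hardened rewrite handler for the .qmail-domain:com-default delivery (added example)."""
import os
import re
import shutil
import subprocess
import sys

# One address component: letters, digits, dot, underscore and hyphen only;
# deliberately no "@", whitespace, quotes or shell metacharacters (assumption).
COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def rewrite(ext2: str, host: str) -> str:
    """Return support-name@domain.com for name@support.domain.com.

    Raises ValueError when either value is not a clean address component.
    """
    if not COMPONENT.match(ext2) or ".." in ext2:
        raise ValueError("bad local part %r" % ext2)
    labels = host.lower().split(".")
    # need at least <user>.<domain>.<tld>, every label clean
    if len(labels) < 3 or not all(COMPONENT.match(label) for label in labels):
        raise ValueError("bad host %r" % host)
    dest_user, dest_domain = labels[0], ".".join(labels[1:])
    return "%s-%s@%s" % (dest_user, ext2, dest_domain)


def main() -> int:
    """qmail-local entry point: validate, add the header, pipe the mail to forward."""
    ext2 = os.environ.get("EXT2", "")
    host = os.environ.get("HOST", "")
    try:
        target = rewrite(ext2, host)
    except ValueError as err:
        sys.stderr.write("handler: %s\n" % err)
        return 100                      # qmail: permanent failure, bounce the mail
    proc = subprocess.Popen(["forward", target], stdin=subprocess.PIPE)
    assert proc.stdin is not None
    proc.stdin.write(("X-Rcpt-To: <%s@%s>\n" % (ext2, host)).encode())
    shutil.copyfileobj(sys.stdin.buffer, proc.stdin)   # the message, unchanged
    proc.stdin.close()
    return proc.wait()                  # forward's 0/100/111 is what qmail sees


if __name__ == "__main__":
    sys.exit(main())
```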
! What is this page all about ?
If you landed on this page and are using qmail without the qmail-ldap patch and/or vmailmgr on a single machine (ie your SMTP/MX machine is also your POP/IMAP one), then this page is unlikely to be of interest to you.
!Overview
Our setup has multiple scanners behind some SMTP front ends, to be able to throw more virus/spam scanner machines at getting rid of spam. However the cost of hardware means that I care about making sure that obvious spam is bounced at SMTP level.
We are running both qmail-ldap and vmailmgr in our cluster, and as a result our SMTP servers speak to a vmailmgr proxy and to one of our LDAP servers for smtp_auth, but we never performed recipient verification until recently.
Ideally, spam for nonexistent users would be bounced during the RCPT TO conversation, but this would have meant that I needed to parse the SMTP conversation, ie write a qmail-smtpd replacement, or patch qmail, which I prefer not to (there are already enough patches for it). One may use qmail-spp, but the only vmailmgr implementation requires suid-root (chill). My solution differs from the qmail-spp module as I use the vmailmgr daemon through qmail-qfilter and do not access the cdb file directly or run suid code within qmail.
Being lazy, I decided to accept the mail and process it at qmail-queue level, which has its own set of issues. qmail-queue can only indicate the following failures to qmail-smtpd:
* return 99: drop the mail and pretend delivery (no bounce generated).
* return 31: generate a generic qmail-queue delivery refusal bounce.
For that reason the solution below allows generating a 'home made' bounce message and pretending delivery. However, be warned that lots of abuse teams see this as bad practice, as it causes blocked bots to generate a lot of backscatter. Only use this feature instead of exiting with error code 31 with the knowledge that it will surely get you on some blacklist at some point.
!The code
You can download the code [[here|/data/source/qmail-user]]
I do not have a fancy versioning scheme, this is the second public release (the only change being to return with an exit code 31 instead of generating the bounce). This code was created with python 2.4 (and may or may not work with previous versions).
!And how to use it
You will need to have qmail-qfilter installed as your qmail-queue (I will not explain how to do this here; please look at the qmail-qfilter manual), but the content of the qmail-queue replacement should look like this:
example of qmail-queue replacement
{{{
#!/bin/sh
/var/qmail/bin/qmail-qfilter /var/qmail/bin/internal/qmail-user
}}}
!Final notes ...
This code is obviously NOT plug and play and will need to be adapted to your needs. Please do not ask me to do it for you. If you are not able to figure out how it works on your own, then you should consider another alternative/MTA. Postfix with ppolicyd offers some great anti-spam features.
The current code holds an entire copy of the email in memory while generating the bounce message. Please ensure that you limit the maximum size of a mail to avoid problems caused by memory exhaustion.
! What is this page all about ?
If you are running qmail-ldap and need to be able to mix ldap and vmailmgr domains with pop, imap and smtp_auth then this page is for you.
!Overview
This code comes as is; it has been running for over 3 years without issues, but if you do not understand what it does and how, it may not be for you.
It provides replacements for qmail-ldap auth_pop and auth_imap as well as a checkpassword which validates users against both the vmailmgr checkpassword and your ldap database.
!The code
* [[auth_smtp_multi|/data/source/auth_smtp_multi]] is the replacement for auth_smtp.
* [[auth_pop_multi|/data/source/auth_pop_multi]] is the replacement for auth_pop (you will still need a vmailmgr proxy to use multiple backend).
* [[checkpassword_multi|/data/source/checkpassword_multi]] is the checkpassword replacement.
Just archive auth_smtp in /var/qmail/bin and replace it with the python script.
To use auth_pop_multi, do something like:
example of qmail-pop3d/run
{{{
#!/bin/sh
PASSPROG="/var/qmail/bin/auth_pop_multi"
HOSTNAME=`hostname --fqdn`
MAXPOP3D=`head -1 /var/qmail/control/concurrencypop3d`
exec /usr/bin/softlimit \
-m 32000000 \
/usr/bin/tcpserver \
-v \
-R \
-x /var/qmail/control/tcprules/qmail-pop3d.cdb \
-c "$MAXPOP3D" \
0 pop3 \
/var/qmail/bin/qmail-popup \
$HOSTNAME \
$PASSPROG \
/var/qmail/bin/qmail-pop3d \
Maildir \
2>&1
}}}
!Final notes ...
Should you have more than one vmailmgr server, you will also need a proxy to forward your requests to the right vmailmgr daemon; I shall make the code of that proxy available soon.
If you are protecting your network from packets with spoofed source IPs, it is likely that you have to update your routers' ACLs each time the routes you learn from your customers change.
Such ACLs can be auto-generated from the content of the Registry Database, which is likely to be out of date, but it is also possible to use the content of your RIB to auto-generate those filters.
Juniper has a feature called SCU/DCU (which from what I can read on their site seems to be mainly used for traffic accounting) which can be (ab)used to create a kind of dynamic prefix-list based on the communities tagged on your BGP routes.
The example below uses SCU to create a firewall filter blocking packets entering your network with invalid source ~IPs.
In order to do so we:
* tag all routes with communities depending on their source (transit, customer, peer)
* create a policy statement based on those communities
* apply this policy statement to our RIB to create the classes
* use those classes as filtering term of firewalls
{{{
[edit policy-options]
policy-statement community-to-class {
term is-peering { ... }
term is-transit { ... }
term is-customer {
from community [ route-customer originate-customer ];
then {
destination-class customer;
source-class customer;
}
}
term is-orginated-here {
from community originate;
then {
destination-class originate;
source-class originate;
}
}
}
}}}
Then we tell the Juniper to build the SCU from our routing table.
{{{
[edit routing-options]
forwarding-table {
export [ community-to-class load-balancing ];
unicast-reverse-path feasible-paths;
}
}}}
We then create a firewall filter saying that we intend to use this SCU as a match clause.
{{{
[edit firewall]
filter external-incoming-transit {
...
term originate-deny {
from {
source-class originate;
}
then {
count deny-spoof-originate;
discard;
}
}
}
}}}
And finally apply it to the interface:
{{{
[edit interfaces .... ]
unit 123 {
description "a peer/transit interface";
vlan-id 123;
family inet {
rpf-check {
mode loose;
}
no-redirects;
filter {
input external-incoming-transit;
}
address 1.2.3.4/30;
}
}
}}}
The routes will have been tagged either by an import policy on your BGP peers or when sourced within your network:
{{{
[edit policy-options]
community originate members 30740:30740
[edit routing-options]
aggregate {
route 82.219.0.0/16 {
community 30740:30740;
as-path {
origin igp;
}
}
}
}}}
Finally, do not forget to remove those communities from the routes you receive from eBGP peers.
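To check what the configuration above actually does before applying it, here is an added offline model of it in Python (not Juniper code and not the site's configuration): it mirrors the community-to-class policy, the forwarding-table export and the originate-deny term, and then gives the verdict a packet with a given source would receive on the peer/transit interface. The originate community 30740:30740 and the 82.219.0.0/16 aggregate come from the page; every other community value and prefix is constructed.

```python
"""Offline model of the SCU-based anti-spoofing filter.

Added example (not Juniper code, not the site's configuration): reproduces the
policy-statement 'community-to-class', the forwarding-table export and the
'originate-deny' term of 'external-incoming-transit' so the effect of a
route's communities on an incoming packet can be reasoned about.
"""
import ipaddress
from dataclasses import dataclass

# [edit policy-options] community names -> values. 'originate' is the page's
# value; the others are constructed placeholders.
COMMUNITIES = {
    "originate": "30740:30740",
    "route-customer": "65001:100",      # constructed
    "originate-customer": "65001:101",  # constructed
    "route-peer": "65001:200",          # constructed
    "route-transit": "65001:300",       # constructed
}

# policy-statement community-to-class, terms in the page's order; first match wins.
CLASS_TERMS = [
    ("is-peering", {"route-peer"}, "peer"),
    ("is-transit", {"route-transit"}, "transit"),
    ("is-customer", {"route-customer", "originate-customer"}, "customer"),
    ("is-originated-here", {"originate"}, "originate"),
]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    communities: frozenset          # community values such as "30740:30740"


def source_class(route):
    """Class a route gets from community-to-class, or None if no term matches."""
    for _term, names, cls in CLASS_TERMS:
        if route.communities & {COMMUNITIES[n] for n in names}:
            return cls
    return None


def export_forwarding_table(rib):
    """'forwarding-table export community-to-class': attach a class to each prefix."""
    return [(r.prefix, source_class(r)) for r in rib]


def longest_match(fib, src):
    """Longest-prefix lookup of a source address; None when no route covers it."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, cls in fib:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, cls)
    return best


def external_incoming_transit(fib, src):
    """Verdict for a packet arriving on the peer/transit unit of the config.

    'rpf-check mode loose' only asks whether some route covers the source, so
    it cannot reject a spoofed packet whose source lies in one of our own
    prefixes; the SCU term is what catches that case.
    """
    hit = longest_match(fib, src)
    if hit is None:
        return "discard (rpf-check loose: no route to source)"
    if hit[1] == "originate":
        return "discard (term originate-deny, counter deny-spoof-originate)"
    return "accept"


# Constructed RIB: the page's aggregate plus two documentation prefixes.
RIB = [
    Route(ipaddress.ip_network("82.219.0.0/16"), frozenset({COMMUNITIES["originate"]})),
    Route(ipaddress.ip_network("192.0.2.0/24"), frozenset({COMMUNITIES["route-customer"]})),
    Route(ipaddress.ip_network("198.51.100.0/24"), frozenset({COMMUNITIES["route-transit"]})),
]
FIB = export_forwarding_table(RIB)

if __name__ == "__main__":
    for src in ("82.219.4.5", "192.0.2.10", "198.51.100.7", "203.0.113.9"):
        print(src, "->", external_incoming_transit(FIB, src))
```

The model makes the division of labour visible: loose RPF drops sources for which there is no route at all, while the originate-deny term drops packets that claim a source inside a prefix you originate yourself, which loose RPF alone would happily pass.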
Once upon a time, I used to ramble a lot about various ISP/technical related matters (mainly Phorm and ISP 'hidden' traffic shaping). I removed most of the documents as I was not updating them often enough to keep them accurate, and provided a summary on traffic shaping and Phorm instead.
The last few weeks I have been actively working on a new anti-spam software now named [[ScavengerEXA|http://scavenger.exa.org.uk]].
[[ScavengerEXA|http://scavenger.exa.org.uk]] differentiates itself from other solutions by analysing the mail leaving a network rather than the mail entering a mail server, and can be run on network infrastructure rather than on a mail server, making it useful to a different audience in the Internet infrastructure community (hosting providers and cloud services as well as ~ISPs, for example).
http://thomas.mangin.com/
All the documents related to software I wrote are tagged with 'Software', you can find them using the search feature or the 'Tags' tab.
This is an implementation of the ~TextCat algorithm, the text categorisation algorithm based on n-gram frequency.
The code does not include the n-gram files, which you will have to download from the original textcat tarball.
The n-gram classification code can be downloaded [[here|/data/source/ngram.py]]
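As an added illustration of the algorithm (this is not the ngram.py linked above), here is a compact ~TextCat classifier: words are padded with underscores, 1- to 5-grams are counted, the most frequent ones form a ranked profile, and a text is assigned the category whose profile is closest by the "out-of-place" distance of Cavnar & Trenkle. The training samples are constructed sentences standing in for the n-gram files of the textcat tarball.

```python
"""TextCat-style n-gram language identification (Cavnar & Trenkle, 1994).

Added example, not the ngram.py linked on the page: profiles are built from
two constructed sample texts instead of the tarball's n-gram files, so it runs
offline.
"""
import re
from collections import Counter

MAX_NGRAM = 5        # TextCat uses 1- to 5-grams
PROFILE_SIZE = 400   # keep only the most frequent n-grams of each profile


def ngram_counts(text, max_n=MAX_NGRAM):
    """Count the n-grams of each word padded with '_' ('_the_' is not 'the')."""
    counts = Counter()
    for token in re.findall(r"[^\W\d_]+", text.lower()):
        padded = "_%s_" % token
        for n in range(1, max_n + 1):
            for i in range(len(padded) - n + 1):
                counts[padded[i:i + n]] += 1
    return counts


def profile(text, size=PROFILE_SIZE):
    """Rank the most frequent n-grams: {ngram: rank}, rank 0 = most frequent."""
    counts = ngram_counts(text)
    ranked = sorted(counts, key=lambda g: (-counts[g], g))  # deterministic tie-break
    return {g: rank for rank, g in enumerate(ranked[:size])}


def out_of_place(doc_profile, cat_profile):
    """Sum of rank differences; an n-gram absent from the category costs the maximum."""
    penalty = max(len(cat_profile), len(doc_profile))
    return sum(abs(rank - cat_profile[g]) if g in cat_profile else penalty
               for g, rank in doc_profile.items())


def classify(text, categories):
    """Return (best category, {category: distance}); the lowest distance wins."""
    doc = profile(text)
    scores = {name: out_of_place(doc, prof) for name, prof in categories.items()}
    return min(scores, key=scores.get), scores


# Constructed training samples standing in for the tarball's language files.
SAMPLES = {
    "en": "the quick brown fox jumps over the lazy dog and the cat sat on the mat "
          "while the dog slept in the sun and the children played in the garden",
    "fr": "le renard brun rapide saute par dessus le chien paresseux et le chat "
          "est assis sur le tapis pendant que le chien dort au soleil et que les "
          "enfants jouent dans le jardin",
}
CATEGORIES = {name: profile(text) for name, text in SAMPLES.items()}

if __name__ == "__main__":
    for sentence in ("the dog and the cat", "le chien et le chat"):
        print(sentence, "->", classify(sentence, CATEGORIES)[0])
```

The original textcat also returns every category whose distance lies within a margin of the best one, so that it can answer "I don't know" on short or mixed input; the distances returned by classify() are what such a threshold would be applied to.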
Should you read [[Slashdot|http://slashdot.org/]], you must have already seen its readers complaining about their ISP traffic shaping policies.
When working in the ISP industry it is painful to see the lack of understanding those 'techies' are displaying.
In the UK, if anything, ~ISPs are guilty of bad advertising, misleading customers with 'up to' speeds and obscure fair usage policies, and of trying to market their product on price instead of quality (but Internet access is a commodity market nowadays, so it is to be expected).
Customers should be clearly told that the DSL products sold are contended. Dial-up products were as well, but the impact with dial-up was much more noticeable: the inability to get online.
The recent increase in content (video even more than ~P2P) has caused many of them to realise that they had oversubscribed their infrastructure to the point that they could not deliver what their customers had come to expect.
Once backed against the wall, ~ISPs had only a few options:
* raise prices to reflect the cost of running the service at low contention (and we all know that is impossible)
* apply traffic policing globally (everyone is slowed down the same way, to modem speed)
* apply a targeted traffic policy (~P2P users, here you are)
As it is hard to tell a customer, who may cancel his contract and return a then useless free router, that he can no longer have fast email and web surfing, the path of least resistance is to throttle ~P2P traffic. ~P2P is an important part (but not all) of an ISP's traffic, so throttling it frees capacity for other services and allows infrastructure upgrades to be delayed.
(The cost of implementing traffic shaping is recovered if it delays a network upgrade by even a month!)
For information, the costs of an ISP for a DSL service can be simplified as:
* the 'last mile' cost from the home to the exchange
* the cost of the space used, power consumed and hardware located at the exchange
* the cost of moving the traffic within the country (fiber, etc.)
* the cost of the space used, power consumed and hardware located at national point of presence
* the cost of moving the traffic to other ~ISPs
* the cost of supporting the customer (i.e. taking unrelated calls about their virus or other issues)
* the cost of collecting the client's payment
* all other generic business costs
For quite a few small/medium ~ISPs, the transit cost (the cost an ISP pays a bigger ISP to carry its traffic worldwide) is more than the income the customer provides. Most ~ISPs are making a loss while trying to become big enough to be acquired.
~P2P is notorious for not caring about locality, so one can see why it is the target of shaping (add to that the fact that the biggest torrents often provide copyrighted material for which end users may or may not have a licence to see/use).
In that context it is not surprising that the industry is facing issues and trying to find more income streams (see my rant on Phorm).
The BGP articles on this site are based on the following virtual network. The routers are owned by an ISP with its own AS number. The IGP is EIGRP as it is the protocol I am most familiar with at the time of writing (it could be OSPF or IS-IS).
!Servers
The following servers are present on the network:
|!Address|!Role|
|10.0.0.1|Primary caching DNS|
|10.1.0.1|Secondary caching DNS|
|10.2.3.200|SNMP monitoring station|
|10.2.3.201|SYSLOG logging server|
|10.2.3.202|NTP server|
|10.2.3.205|Netflow monitoring server|
!IP Range
The ISP internal ranges are:
|!Prefix|!AS|
|10.0.0.0/16|AS 65200|
|10.1.0.0/16|AS 65200|
|10.2.3.0/24|AS 65200|
The ISP provides transit to:
|!Prefix|!AS|
|192.168.0.0/24|AS 65350|
|192.168.1.0/24|AS 65360|
!The Internet Exchange
The exchange infrastructure runs a dual ring topology, with a separate /23 for each ring:
|!Prefix|!AS|
|172.16.0.0/23|AS 65400|
|172.16.2.0/23|AS 65400|
!Internal routing
It is assumed that 192.168.0.0/24 and 192.168.1.0/24 are reachable through the IGP. The client eBGP session is configured to pass through another internal router (multi-hop), which has a directly connected interface or a static route to the networks advertised.
No encryption is used between BGP peers, and no access list is in place to protect EIGRP, BGP and NTP traffic to the router.
The local preferences used are between 100 and 200. To calculate the RIPE preference, apply the following rule: ripe_pref = 200 - local_pref
In order to horizontally scale our mail cluster, I have developed a [[vmailmgr|http://www.vmailmgr.org]] proxy using [[twisted|http://www.twistedmatrix.com]].
The code has been running without issue for a few months in our network, and I am not aware of any issues (I would still recommend that you do not leave this proxy unfirewalled).
You can download the code [[here|http://thomas.mangin.com/data/source/vmailmgr-proxy.tgz]]
As this is an adaptation of our code which removes all dependencies on our own internal library, it is not as polished as it should be, but should still "just work".
It is possible to force a reload of the configuration file by sending a HUP signal to the server.
Ideally the twistd daemon should be supervised.
I noticed that the SMTP server used for email notification is hardcoded in one of the libraries; do not forget to change it if you want the feature to work.
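The HUP-triggered reload mentioned above is worth getting right in a supervised daemon: a reload that parses the file straight into the live table can take the proxy down on a typo, and the supervisor then restarts it with the same broken file. The following is an added example of the validate-then-swap pattern (not the proxy's own code, which is not reproduced here); the configuration format, its keys and the addresses are constructed for the example.

```python
"""Validate-then-swap configuration reload on SIGHUP.

Added example, not the vmailmgr proxy's code: a HUP re-reads the file, but a
file that fails to parse leaves the previous, working configuration in place.
The 'domain host:port' format is constructed for this example.
"""
import signal
import threading

# Constructed sample: one backend per domain, "domain host:port".
SAMPLE_CONFIG = """\
# domain        backend
example.com     10.2.3.10:3000
example.org     10.2.3.11:3000
"""


def parse_config(text):
    """Return {domain: (host, port)}; raise ValueError on any malformed line."""
    routes = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or ":" not in parts[1]:
            raise ValueError("line %d: expected 'domain host:port'" % lineno)
        domain, backend = parts[0].lower(), parts[1]
        host, port = backend.rsplit(":", 1)
        if not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError("line %d: bad port %r" % (lineno, port))
        if domain in routes:
            raise ValueError("line %d: duplicate domain %s" % (lineno, domain))
        routes[domain] = (host, int(port))
    return routes


class ReloadableConfig:
    """Holds the live routing table and replaces it only with a valid one."""

    def __init__(self, path, text=None):
        self.path = path
        self._lock = threading.Lock()
        self.routes = parse_config(text if text is not None else self._read())
        self.generation = 1

    def _read(self):
        with open(self.path, encoding="utf-8") as fh:
            return fh.read()

    def apply_text(self, text):
        """Parse first; swap the live table only if parsing succeeded."""
        try:
            new_routes = parse_config(text)
        except ValueError:
            return False            # keep serving with the old table
        with self._lock:
            self.routes = new_routes
            self.generation += 1
        return True

    def reload(self):
        """Re-read self.path; an unreadable or broken file changes nothing."""
        try:
            return self.apply_text(self._read())
        except OSError:
            return False

    def lookup(self, address):
        """Backend for a mailbox address, matched on its domain part."""
        with self._lock:
            return self.routes.get(address.rpartition("@")[2].lower())

    def install_hup_handler(self):
        """After this, 'kill -HUP <pid>' re-reads the file without a restart."""
        signal.signal(signal.SIGHUP, lambda signum, frame: self.reload())
```

In a twisted process the handler body would be scheduled onto the reactor rather than run inside the signal handler, but the invariant is the same: the lookup table that the proxy consults is either the previous valid one or the new valid one, never a half-parsed one.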