Ordering my own ASN, other internet resources and setting up BGP on VyOS

I ordered my ASN today, 25.06.2020, and now I will need to see how long it takes for it to actually be assigned from RIPE.
The first thing that I got was the EUAA (End User Assignment Agreement), which required a signature, and as I ordered it for a business, I also needed to send an extract from the commercial trade register. The one thing I haven’t sent is a copy of my ID, which I hope won’t be a requirement even though it says to send that too, as I am really not sending it in a normal email.

After some time, the same day, I got the assigned IPv6 subnet allocated, and I am now waiting on RIPE to process the ASN application.

The next day, 26.06.2020, I got a reply from the LIR that RIPE requires the ID proof, so I used G-suite’s confidential email thingy to send it, as they did not really have any other option to do it. They did not have a GPG key nor, probably, the knowledge of how to use it. They updated the RIPE ticket after I provided the requested documents, so let’s see what happens next. After some time passed, I got a new email from them. I was required to change my org name from “Sami M Tmi” to “Skyler Mantysaari trading as Sami M Tmi”, which is weird but oh well. Apparently they are required to register private traders as such for some reason.

The following Monday, 29.06.2020 I finally got my ASN and prefix allocated to my ORG object in RIPE, so now the fun begins.
I got the peering part working, kind of. I’m receiving a lot of routes from my upstream provider, and I don’t know yet how to only announce my own prefix to upstream with VyOS.

I ended up using the rest of the evening after work on routing.
The end result was that the issue wasn’t on my end, but rather that I did not have route6 objects (at RIPE) that specify the right origin AS, so my prefixes were filtered by the tunnel server and an upstream from that.

Changing LIRs

It came to my attention on 30.06.2020 that the LIR I was using (at the time) was not trustworthy, as they have taken resources from users and breached contracts by doing so. That made me change LIRs before acquiring more resources. The ASN is transferable, but the prefixes I got from the previous LIR were PA (Provider Assignments), which means that those do not transfer over.

I got the new LIR to assign me a new PA while waiting on RIPE to process the request for a PI assignment (Provider Independent) which I can take with me when and if I change LIRs.

I also needed to sign two documents, one of which was related to the ASN transfer, and the other the actual End User Assignment Agreement, which for example states how much it will cost and other terms. Funnily enough, I also needed to provide the ID proof again, even though it shouldn’t be a requirement for companies, but a private trader is probably another story.

I got an email on 02.07.2020 from my last LIR due to the change, so that they could verify that the request was authorised and verified, so I’m not expecting RIPE to take much longer.

I got the prefix allocated on the same day, and started announcing it too (it should be reachable in 48h). I have also set up both RPKI and RDNS, so if those interest you, please check RIPE’s documentation on the matter as I will not be covering them in detail, but I will tell you that I’m using PowerDNS and Hurricane Electric’s DNS servers as slaves for my reverse DNS.

RPKI is just a really simple thing to do in RIPE’s portal.

EdgeOS configuration

Unfortunately, I cannot use DHCPv6 nor DHCPv6-PD on my EdgeOS as it’s not supported on the tunnel interface, even when it’s supported on VyOS, so I cannot use it like I wanted, so I will have to do without DHCPv6.
(Source: My community post)

I will most likely just set up the addresses manually then, and call it a day, so that’s nothing really new to cover here. However, if I do decide to do something more fancy, I will either be creating a new blog post or updating this one.

BGP configuration for advertising routes on VyOS

It is recommended to have a route-map and a prefix-list, so that only your own prefix is announced. My configuration is IPv6-only.

  1. Let’s start with setting up the ASN on the system:
     set protocols bgp 65536 parameters default
  2. Next we add a prefix list and a route-map:
     set policy prefix-list6 OUT rule 10 action 'permit'
     set policy prefix-list6 OUT rule 10 prefix '<your-announced-prefix>'
     set policy route-map RMAP-IN rule 10 action 'deny'
     set policy route-map RMAP-OUT rule 10 action 'permit'
     set policy route-map RMAP-OUT rule 10 match ipv6 address prefix-list 'OUT'
  3. Let’s add the unicast network and neighbour:
     set protocols bgp 65536 address-family ipv6-unicast network <prefix>
     set protocols bgp 65536 neighbor <neighbour-address> address-family ipv6-unicast route-map export 'RMAP-OUT'
     set protocols bgp 65536 neighbor <neighbour-address> address-family ipv6-unicast route-map import 'RMAP-IN'
     set protocols bgp 65536 neighbor <neighbour-address> remote-as 65537
     set protocols bgp 65536 neighbor <neighbour-address> update-source <your-neighbour-facing-ip>
  4. Completely optional, but this allows a soft reconfiguration without the need to re-establish the full BGP session:
     set protocols bgp 65536 neighbor <neighbour-address> address-family ipv6-unicast soft-reconfiguration inbound
  5. Highly recommended: add a black hole route for your prefix:
     set protocols static route6 <prefix> blackhole distance 245

Note: That should be about it. The actual information was really hard to find. Keep in mind that RMAP-IN means that you’re not allowing any prefixes to be imported into your table, so a default route might not work either.
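
To check that a set of `set` commands like the ones above really announces only your own prefix to every neighbour, the export policy can be audited offline. This is an added example, not part of the original post or of VyOS itself: the function name `audit_export_policy` is hypothetical, and the sample configuration uses constructed documentation ASNs and prefixes.

```python
import ipaddress

# Constructed sample (documentation ASNs/prefixes); the second neighbor has no export policy.
SAMPLE = """\
set policy prefix-list6 OUT rule 10 action 'permit'
set policy prefix-list6 OUT rule 10 prefix '2001:db8:100::/48'
set policy route-map RMAP-OUT rule 10 action 'permit'
set policy route-map RMAP-OUT rule 10 match ipv6 address prefix-list 'OUT'
set protocols bgp 65536 neighbor 2001:db8::1 remote-as 65537
set protocols bgp 65536 neighbor 2001:db8::1 address-family ipv6-unicast route-map export 'RMAP-OUT'
set protocols bgp 65536 neighbor 2001:db8::2 remote-as 65538
"""

def audit_export_policy(config, owned):
    """Hypothetical helper: list export-policy gaps per neighbor (ge/le modifiers are ignored)."""
    owned_nets = [ipaddress.ip_network(p) for p in owned]
    plists, rmaps, neighbors = {}, {}, {}
    for line in config.splitlines():
        tok = [t.strip("'") for t in line.split()]
        if tok[:3] == ["set", "policy", "prefix-list6"] and len(tok) == 8:
            plists.setdefault(tok[3], {}).setdefault(tok[5], {})[tok[6]] = tok[7]
        elif tok[:3] == ["set", "policy", "route-map"] and len(tok) >= 8:
            rule = rmaps.setdefault(tok[3], {}).setdefault(tok[5], {})
            if tok[6] == "action":
                rule["action"] = tok[7]
            elif tok[6:10] == ["match", "ipv6", "address", "prefix-list"] and len(tok) == 11:
                rule["plist"] = tok[10]
        elif tok[:3] == ["set", "protocols", "bgp"] and len(tok) > 5 and tok[4] == "neighbor":
            neighbors.setdefault(tok[5], None)
            if tok[6:10] == ["address-family", "ipv6-unicast", "route-map", "export"] and len(tok) == 11:
                neighbors[tok[5]] = tok[10]
    findings = []
    for nbr, name in sorted(neighbors.items()):
        if name not in rmaps:
            findings.append(f"{nbr}: no export route-map applied")
            continue
        for num, rule in sorted(rmaps[name].items()):
            if rule.get("action") != "permit":
                continue
            if "plist" not in rule:
                findings.append(f"{nbr}: {name} rule {num} permits without a prefix-list match")
                continue
            for pnum, entry in sorted(plists.get(rule["plist"], {}).items()):
                if entry.get("action") != "permit" or "prefix" not in entry:
                    continue
                net = ipaddress.ip_network(entry["prefix"])
                if not any(o.version == net.version and net.subnet_of(o) for o in owned_nets):
                    findings.append(f"{nbr}: prefix-list6 {rule['plist']} rule {pnum} permits {net}")
    return findings
```

An empty result means every neighbour has an export route-map whose permit rules are all limited to prefixes inside the ones you passed as `owned`.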

© 2018-2021 Skyler Mäntysaari