VPN Routing

We can setup Quagga to do some routing between VPN nodes.

First, some initial setup. Choose the routers you want in /etc/quagga/daemons.conf

ln --symbolic /dev/null /etc/quagga/ripngd.conf
ln --symbolic /dev/null /etc/quagga/ospf6d.conf
ln --symbolic /dev/null /etc/quagga/bgpd.conf
ln --symbolic /dev/null /etc/quagga/zebra.conf
cp /usr/share/doc/quagga/examples/vtysh.conf.sample /etc/quagga/vtysh.conf

We do not need the ospf6d.conf or zebra.conf files to contain any settings, as that will just be confusing, though they do need to exist. We will symlink them to /dev/null

You can add your user accounts to the quaggavty group, and you can then administer quagga by running vtysh

The actual settings then go in /etc/quagga/Quagga.conf

RIPng

For an easy start between a few nodes, your nodes can try RIPng

router ripng
 network free0
 network free1
 network free2
 route-map vpn in free0
 route-map vpn out free0
 route-map vpn in free1
 route-map vpn out free1
 route-map vpn in free2
 route-map vpn out free2
!
ipv6 prefix-list vpn permit fd00::/8 ge 48
ipv6 prefix-list vpn deny any
!
route-map vpn permit 10
 match ipv6 address prefix-list vpn

It would be a good idea to limit routes to within fd00::/8 and accept a minimum prefix length of 48 as the bit before is meant to be random. The maximum can be the complete 128 bits.

OSPF

OSPF uses more data in its default configuration, but can handle a larger network, and also propogates MTU info which RIPng does not do.

For /etc/quagga/Quagga.conf, in principle it is this, replacing router-id 0.0.0.0 with some 4-octet number unique amongst the OSPF nodes.

Choosing a unique number from only 32 bits might seem much more of a problem than the 40-bits of RFC4193, though if OSPF communities are separated by another routing system, then the numbers only have to be unique amongst the nodes in a single OSPF island.

router ospf6
 router-id 0.0.0.0
 area 0.0.0.0 range fd00::/8
 interface free0 area 0.0.0.0
 interface free1 area 0.0.0.0
!

BGP4

There is an even smaller number space in BGP than OSPF. This is called the Autonomous System Number, and we may use any private number from 64512 to 65535, which is only 1024 numbers, a tiny proportion of this 32-bit number. Several nodes may share the same number.

In hexadecimal this range is FC00 through FFFF, which is very similar to the first chunk of the IPv6 addresses used here.

router bgp 65152
 no bgp default ipv4-unicast
 neighbor fe80::fdff:ffff:feff:ffff remote-as 65152
 neighbor fe80::fdff:ffff:feff:ffff interface free0
!
 address-family ipv6
 redistribute connected
 neighbor fe80::fdff:ffff:feff:ffff activate
 neighbor fe80::fdff:ffff:feff:ffff route-map vpn out
 neighbor fe80::fdff:ffff:feff:ffff route-map free0 in
 neighbor fe80::fdff:ffff:feff:ffff soft-reconfiguration inbound
 exit-address-family
!
ipv6 prefix-list vpn permit fd00::/8 ge 48
ipv6 prefix-list vpn deny any
!
route-map vpn permit 10
 match ipv6 address prefix-list vpn
!
route-map free0 permit 10
 match ipv6 address prefix-list vpn
 set ipv6 next-hop local fe80::fdff:ffff:feff:ffff

The XORP router can be used for BGP if patched to allow IPv6 linklocal addresses

--- xorp-1.6/libxorp/ipvx.cc	2009-01-05 18:30:58.000000000 +0000
+++ xorp-1.6/libxorp/ipvx.cc	2011-01-20 20:27:38.390106591 +0000
@@ -120 +120 @@
-IPvX::IPvX(char const *from_cstring) throw (InvalidString)
+IPvX::IPvX(char const *from_c2string) throw (InvalidString)
@@ -121,0 +122,8 @@
+	char* from_cstring;
+	char* from_cstring2;
+	if (from_c2string == NULL) {
+		xorp_throw(InvalidString, "Passed a null pointer");
+	}
+	from_cstring = strdup(from_c2string);
+	from_cstring2 = from_cstring;
+	strsep(&from_cstring2,"%");
@@ -125,0 +134 @@
+	free(from_cstring);
@@ -127,0 +137 @@
+	free(from_cstring);
--- xorp-1.6/bgp/bgp.cc	2009-01-05 18:30:43.000000000 +0000
+++ xorp-1.6/bgp/bgp.cc	2011-01-20 22:17:44.075271639 +0000
@@ -919,0 +920,6 @@
+    for (int i = 0; i < MAXHOSTNAMELEN; i++) {
+        if (peer_hostname[i] == '%') {
+            peer_hostname[i] = 0;
+        }
+    }
+