Rearrainge stuff

+# Internal services

+

+You are asked to show some creativity in terms of network usage and content. ;)

+

+More ideas inspiration is collected on another [page](/ideas).

+

+[[_TOC_]]

+

+## Internal SSL CA

+

+Internal.dn42 is signed by an internally maintained CA that is only allowed to sign *.dn42 domains or 172.22.0.0/15 ip addresses. If you would like to trust the certificate import the following:

+

+```

+-----BEGIN CERTIFICATE-----

+MIIDhzCCAm+gAwIBAgIJALhBYKXcLej6MA0GCSqGSIb3DQEBCwUAMCgxJjAkBgNV

+BAMTHURONDIgSW50ZXJuYWwgQ0EgKFVOVkVSSUZJRUQpMB4XDTE0MTIyMDE4NDAw

+NVoXDTI0MTIxNzE4NDAwNVowKDEmMCQGA1UEAxMdRE40MiBJbnRlcm5hbCBDQSAo

+VU5WRVJJRklFRCkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDViXIb

+VcWw+tnZCbZuy3ME4vQJsiX5ik5WkqkBaj5vk7zt+Ca8XvaM8cqppb8kEOCkC+MV

+/qp5R2BAukKAAcmACQ9FHx6XYGxMQztU9tTMUuAqWH8JihWjBSoEfBQ9UpJHbgvo

+7AAY382rcaLQJs3QgxtNiUjeblPlAy6AE3TUBEiNwa7MTZ7f2YHbVF/9DpvUZee6

+KytOalzgbKcuFsquf4vIBtcKav1Qwmdr8eehQHdo8Nxv32uZqd272Q+EInFmzDPu

+KpJdhwc/7S/+ohL/fs6RQphnJvLR572cXTzwEIkFAGqym3Fx30Q7Keoq6Cx46yez

+lwL2k7C82bE4c+//AgMBAAGjgbMwgbAwHQYDVR0OBBYEFNeJoQrHPqh2SMplqb1V

+ac9OWmkiMFgGA1UdIwRRME+AFNeJoQrHPqh2SMplqb1Vac9OWmkioSykKjAoMSYw

+JAYDVQQDEx1ETjQyIEludGVybmFsIENBIChVTlZFUklGSUVEKYIJALhBYKXcLej6

+MBIGA1UdEwEB/wQIMAYBAf8CAQAwCwYDVR0PBAQDAgEGMBQGA1UdHgQNMAugCTAH

+ggUuZG40MjANBgkqhkiG9w0BAQsFAAOCAQEAMqVN55ruWA70znyWMB9+A4BcsFgI

+uFVZIOnJEy72Nsz0VvfEEW/3rxKs0UnLcnfBHlx2WHdD2zUJLiTAf6ziRhXpFPXY

+Ys3RJFE/8ZDVH3+dGOBekJusDX0YQcwXA/NVO2ogM6WIRIz7QabvOIJBaYXu71ZB

+ci29iKFLJ4dsUG69hoeDghwkij2mCR2G/tP+xbrb7xGM73tDjuzmESYlUAVgKtlH

+gfcWBU6anZMFJV9Y2lkNhxw5G7JMDSYsfONskzPet9HeHrmu67EnXMapELCjZL3O

+X0KmpxYGil6Ly5xImaVqwxnm7wlDiNT6vd0cPgtKd/YynPFNw9Eh+MSamw==

+-----END CERTIFICATE-----

+```

+

+If you would like to have a certificate signed by this CA send a CSR to [email protected]

+

+

+

+## Network-related

+

+ * Polynome has some nice scripts and visualizations here: http://dataviz.polynome.dn42

+ * http://172.23.174.1

+ * See [[Looking Glasses]] for more network diagnostic tools

+

+### DNS tunnel

+

+This DNS tunnel service uses [Iodine](http://code.kryo.se/iodine/), and provides access to the dn42 network. Useful when you're on a shitty network (airport, train station) that still allows DNS.

+

+Use the anycast DNS servers (172.22.0.53) inside your tunnel.

+

+| Hostname / IP | Password |

+|:------------------------------------------------- |:-------- |

+| t.polyno.me (172.23.185.193) | dn42 |

+

+### DNS Tools

+

+This tool allows you to lookup your dn42 domain name and check to see if your name servers are all working and have the correct information.

+

+Select "Disable Recursion" to check only entries found in the registry or leave it off to check all (both are useful tests).

+

+Currently this system only supports IPv4.

+

+http://mwd.dn42/dns.php

+

+MWD will also provide a secondary DNS server and/or cacti monitoring of your devices. Just ask on IRC. More info: http://mwd.dn42

+

+## IRC

+

+| Hostname / IP | Remarks |

+|:------------------------------------------------- |:--------- |

+| irc://irc.hackint.dn42/dn42 (172.22.24.1) | DN42 |

+| irc://irc.hackint.hack/dn42 (172.31.0.30) | ChaosVPN |

+

+## Search engines

+

+ * [Web search engine](http://search.dn42) (172.23.184.1) - a few chosen HTTP domains are crawled (taken from the wiki). The previous method, "crawl everything available from the wiki", generated too much data because of FTPs.

+ * [YaCy search engine](http://yacy.dn42) - Indexing local nets

+

+## Images and Media

+

+| Hostname / IP | Remarks |

+|:------------------------------------------------- |:-------------------------------------------------------- |

+| http://img.dn42 | Imagehoster |

+| http://chan.dn42 | DN42-Chan, an imageboard |

+| http://media.dn42 | A Mediagoblin instance (Login: dn42:dn42dn42) |

+| https://dev.0l.dn42/tvheadend/ | Digital Video Recorder (TVHeadend frontend) |

+| ftp://dev.0l.dn42/Videos/Recordings/ | Digital Video Recorder (Recorded files) |

+

+## Radio and Video Streaming

+

+| Hostname / IP | Remarks |

+|:------------------------------------------------- |:-------------------------------------------------------- |

+| http://10.11.10.30:8000 | Freimusik |

+| http://stream.laxu.dn42:8000 | [xenim Streams](http://streams.xenim.de) |

+| http://sprawl.smrsh.dn42:8000/ | [smrsh radio](http://smrsh.net/radio) |

+| http://10.112.0.6:8000/mpd.ogg, http://radio.ffhh:8000/mpd.ogg | Freifunk Hamburg radio, yeay 8bit music! |

+| http://172.23.136.65:8000/ | haxMPD |

+

+## File sharing

+

+**FIXME**: Please add info about (approximate) bandwidth of the servers.

+

+### FTP / HTTP

+

+| Hostname / IP | Space | Speed | Remarks |

+|:------------------------------------------------- |:----- |:----------- |:----------------------------------------------- |

+| ftp://dev.0l.dn42 | 10 TB | max 5MBit/s | writable incoming |

+| http://filer.nihilus.dn42, http://172.22.92.2 | | ~60kbps | mostly up |

+| ftp://cochimetl.tim.dn42, nfs://cochimetl.tim.dn42/data/ftp | ~3TB | ~700kbps | |

+| http://seafile.dn42 | | | Opensource Dropbox, yay! |

+| http://files.feuerrot.dn42 | 6TB | 1Gbit | http, ftp, nfs, rsync |

+| ftp://vsynology.dev.ffc (10.8.6.13) | 150G | 20Mbit/s | just drop your nzb/torrent file and be patient |

+| http://filer1.grmml.dn42 (172.23.149.21) | 4TB | 200Mbit/s | download only |

+| sftp://anonsftp:[email protected]:2212/ | 12TB | 1Gb/s | incoming writable |

+| http://172.23.136.33 | | 100Mbit/s | some mediafiles/software |

+| http://files.martin89.dn42/ | | max 2Mbit/s | download only |

+

+#### Down?

+

+| Hostname / IP | Space | Speed | Remarks | Down Since |

+|:------------------------------------------------- |:------ |:-------- |:------------------------------- |:---------- |

+| http://turing.il.maxx.dn42, http://172.22.42.2 | ~6.5TB | ~400kbit | WebDAV enabled, up 24/7z | 01.01.2015 |

+| ftp://descent.derf.dn42 (172.23.225.35) | 3TB | 60kbit/s | download only | 01.01.2015 |

+

+## Proxies

+

+ See http://wiki.hamburg.ccc.de/ChaosVPN:Proxy

+

+### Tor

+

+| Hostname / IP | Bandwidth | Nickname |

+| ------------------------------------------------- | ----------- | ------------ |

+| socks5://lian.0l.dn42:9050 | 600 kb/s | [nulll](https://atlas.torproject.org/#details/84F41A116AD7F1E038781413E0B4ADE4494BA38A)

+

+### Hochschulbibliothekszentrum des Landes Nordrhein-Westfalen

+Bodems (AS76124) is announcing 193.30.112.0/24 via his DFN-Node, so you can access the "[Digibib](http://www.digibib.net/jumpto?LOCATION=Bi10&D_SERVICE=TEMPLATE&D_SUBSERVICE=DIGILINK_BROWSE&DP_FUNC=CategoryView&DP_FILTER=All&DP_CID=14211)" through DN42 with a valid IP. For some parts (like VDE norms) you will need Citrix Receiver.

+

+## NTP

+

+| Hostname / IP | Remarks |

+|:------------------------------------------------- |:----------------------------------- |

+| ntp.e-utp.dn42 (172.22.165.50) | Stratum 1, GPS+NMEA |

+| ntp1.nixnodes.dn42 (172.22.177.123) | |

+| ntp2.nixnodes.dn42 (172.22.177.124) | |

+| ntp.martin89.dn42 | more than one A records/server |

+

+## Crypto coins

+

+| Hostname / IP | Remarks |

+|:------------------------------------------------- |:----------------------------------- |

+| bitcoin.e-utp.dn42 (172.22.165.50, 172.22.165.34) | 8333 for Bitcoin, 9333 for Litecoin |

+

+## Gaming

+

+| Hostname / IP | Game | Remarks |

+|:------------------------------------------------- |:---------------------- |:-------------------------- |

+| cs.nixnodes.dn42 (172.22.177.179) | Counter-Strike 1.6 | v48 Non-Steam [Deathmatch] |

+

+## Misc

+

+| Hostname / IP | Remarks |

+| ------------------------------------------------- | ------------------------------------------------------------------------------ |

+| http://nowhere.ws/dn42 | Some random stuff concerning dn42, packages for Debian, e.g. Quagga |

+| https://paste.synhacx.dn42 | AES-encrypted pastebin-like ([zerobin](https://github.com/sebsauvage/ZeroBin)) |

+| http://ip.synhacx.dn42 | Basic "whatismyip" service ([description](http://synhacx.dn42/showmyip)) |

+| http://tor.mirror.martin89.dn42 | Tor Project Homepage mirror |

+| http://tor.e-utp.dn42 | Tor Project Homepage mirror |

+| http://freebsd.e-utp.dn42 | FreeBSD Homepage mirror |

+| http://debian.mirror.martin89.dn42 | Debian Wheezy mirror |

+| nntp://news.blacksheep.dn42 | Martin's newsgroup server (ping MB-DN42 for a rw account or a nntp/uucp feed) |

+| mumble://shard.smrsh.dn42:64738 | [Mumble](http://mumble.sourceforge.net/) Voice Chat |

+| http://wiki.dn42, http://internal.dn42 | This wiki! Web Hosted by [xuu](https://xuu.dn42). Git Repo hosted by welterde |

+

+# Other networks

+

+## Public Internet

+

+ * https://mirror.frubar.net 100MBit

+ * https://frucman.frubar.net

+

+## AnoNet

+

+A wiki page dedicated to the AnoNet Network: http://wiki.qontrol.nl/Anonet

+

+## ChaosVPN

+

+ * Anybody can add services to this list, which will be monitored for uptime: http://10.100.44.1

+ * Check your IP and reverse lookup: [ifconfig.hack](http://ifconfig.hack)

+ * View of the network: http://vpnhub1-intern.hamburg.ccc.de/chaosvpn.png

+ * List of nodes: http://vpnhub1-intern.hamburg.ccc.de/chaosvpn.nodes.html

+

+## Freifunk

+

+### Augsburg

+

+We have a plugin that enables us to announce services in the mesh. So instead of listing them here again just have a look at http://10.11.0.8/cgi-bin/luci/freifunk/services to see what we have to offer.

+(Upload is not fast, most probably DSL speed only)

+# Forwarder setup

+

+Configuration of common resolver softwares, to forward DNS queries for `.dn42` (and reverse DNS) to `172.22.0.53`.

+

+## BIND

+

+If you already run a local DNS server, you can tell it to query the dn42 anycast servers for the relevant domains

+by adding the following to /etc/bind/named.conf.local

+

+```

+zone "dn42" {

+ type forward;

+ forwarders { 172.22.0.53; };

+};

+zone "22.172.in-addr.arpa" {

+ type forward;

+ forwarders { 172.22.0.53; };

+};

+zone "23.172.in-addr.arpa" {

+ type forward;

+ forwarders { 172.22.0.53; };

+};

+```

+

+## dnsmasq

+

+If you are running dnsmasq under openwrt, you just have to add

+

+```

+config dnsmasq

+ option boguspriv '0'

+ option rebind_protection '1'

+ list rebind_domain 'dn42'

+ list server '/dn42/172.22.0.53'

+ list server '/22.172.in-addr.arpa/172.22.0.53'

+ list server '/23.172.in-addr.arpa/172.22.0.53'

+```

+

+to `/etc/config/dhcp` and run `/etc/init.d/dnsmasq` restart. After that you are able to resolve `.dn42`

+with the anycast DNS-Server, while your normal requests go to your standard DNS-resolver.

+

+Attention: If you go with the default config you'll have to disable "boguspriv" in the first dnsmasq config section.

+

+For normal dnsmasq use

+

+```

+server=/dn42/172.22.0.53

+server=/22.172.in-addr.arpa/172.22.0.53

+server=/23.172.in-addr.arpa/172.22.0.53

+```

+in `dnsmasq.conf`.

+

+## PowerDNS recursor

+Add this to /etc/powerdns/recursor.conf (at least in Debian)

+

+```

+dont-query=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, ::1/128, fe80::/10

+forward-zones= dn42=172.22.0.53,22.172.in-addr.arpa=172.22.0.53,23.172.in-addr.arpa=172.22.0.53

+```

+

+## MaraDNS

+Put this in your mararc:

+

+```

+ipv4_alias["dn42_root"] = "172.22.0.53"

+root_servers["dn42."] = "dn42_root"

+root_servers["22.172.in-addr.arpa."] = "dn42_root"

+root_servers["23.172.in-addr.arpa."] = "dn42_root"

+```

+

+## Unbound

+

+`unbound.conf` for forwarding requests to `172.22.0.53`.

+

+

+```

+server:

+ domain-insecure: "dn42"

+ local-zone: "22.172.in-addr.arpa." nodefault

+ local-zone: "23.172.in-addr.arpa." nodefault

+ local-zone: "d.f.ip6.arpa." nodefault

+

+forward-zone:

+ name: "dn42"

+ forward-addr: 172.22.0.53

+

+forward-zone:

+ name: "22.172.in-addr.arpa"

+ forward-addr: 172.22.0.53

+

+forward-zone:

+ name: "23.172.in-addr.arpa"

+ forward-addr: 172.22.0.53

+

+forward-zone:

+ name: "d.f.ip6.arpa"

+ forward-addr: 172.22.0.53

+```

+

+## JunOS (SRX 12.1X46)

+Should also work in 12.1X44 and 12.1X45. After making the changes below you may need to run:

+```

+restart named-service

+```

+Config (vlan.0 is presumed to be your LAN/Trust interface)

+```

+system {

+ services {

+ dns {

+ dns-proxy {

+ interface {

+ vlan.0;

+ }

+ default-domain dn42 {

+ forwarders {

+ 172.22.0.53;

+ }

+ }

+ default-domain 22.172.in-addr.arpa {

+ forwarders {

+ 172.22.0.53;

+ }

+ }

+ default-domain 23.172.in-addr.arpa {

+ forwarders {

+ 172.22.0.53;

+ }

+ }

+ }

+ }

+ }

+}

+```

+# DNS

+

+*(tl;dr)* We have a TLD for dn42, which is `.dn42`. The anycast resolver for `.dn42` runs on `172.22.0.53`.

+

+**DNS is build from [[whois database|Services Whois]]. So please edit your DNS-records there.**

+

+## Using the DNS service

+

+Below are several ways to use the `dn42` DNS service, from easiest to more challenging. The recommended method is the second one.

+

+### Using the anycast resolver directly

+

+Please be aware that this method sends **all** your DNS queries (e.g. `google.com`) to a random DNS server inside dn42. The server could fake the result and point you towards the russian mafia. They probably won't, but think about what you are doing. At the end of the day, your ISP could be evil as well, so it always boils down to a question of trust.

+

+To do this, just use `172.22.0.53` as your resolver, for instance in `/etc/resolv.conf`.

+

+### Forwarding `.dn42` queries to the anycast resolver

+

+If you run your own resolver (`unbound`, `dnsmasq`, `bind`), you can configure it to forward dn42 queries to the anycast DNS resolver. See [[DNS forwarder configuration|Services DNS Configuration]].

+

+### Recursive resolver

+

+You may also want to configure your resolver to recursively resolve dn42 domains. For this, you need to find authoritative DNS servers for the `dn42` zone (and for the reverse zones). See [[Recursive DNS resolver]].

+

+### Building the dn42 zones from the registry

+

+Finally, you may want to host your own authoritative DNS server for the `dn42` zone and the reverse zones. The zone files are built from the monotone repository: scripts are provided in the repository itself.

+

+## Register a `.dn42` domain name

+

+The root zone for `dn42.` is built from the [[whois registry|Services Whois]]. If you want to register a domain name, you need to add it to the registry (of course, you also need one or two authoritative nameservers).

+

+## DNS services for other networks

+

+Other networks are interconnected with dn42 (ChaosVPN, Freifunk, etc). Some of them also provide DNS service, you can configure your resolver to use it. See [[External DNS]].

+

+## Providing DNS service

+

+See [[Providing Anycast DNS]].

+# What's FreePhone?

+Where's the point in using a phone flat just for a single person? !FreePhone is a project aimed to develop a VPN wide SIP phone service. Calling german landline is possible at the moment, as well as local participants (eg. maxx).

+

+## How does this work?

+### Public proxy

+Set up your softphone or hardware implementation to use:

+ * SIP-Proxy/Proxy domain: maxx.spaceboyz.net (SRV-Record)

+ * Username/Account/Login: vpn

+ * Password: vpn

+The proxy is strictly outbound, registration is impossible and unintended.

+

+## Special needs

+Just contact me if you like to use your SIP hardware (eg. Fritz!Box FON). You'll get a special account allowing registrations plus a local extension.

+

+## Restrictions

+ * Any call under the terms of the flatrate is allowed, so to speak: no mobile phones or pr0n calls

+ * One call at a time for FreePhone users (stupid bandwidth restrictions :/).

+ * Internal calls are more or less unrestricted.

+ * alaw/ulaw are disallowed for bandwidth reasons

+

+## Additional extensions

+| **Extension** | **Target** |

+|---|---|

+| maxx | myself, almost anywhere wireless lan is availiable |

+| grim | sometimes, sometimes not |

+| equinox | i think nokia prevents but you may try |

+| helios | did not connect for some time now |

+

+If you like listening to german news, dial 787326353 (Vanity: STREAMDLF). Just contact me in case you want more.

+

+## Configuration examples

+Just look at the german version, you'll get the idea.

+

+## What's next?

+### Real dn42 phone system

+If i'm bored some day i might implement the following:

+ * SIP extensions for every participant

+ * Voicemail

+ * Funny games

+ * FreePhone integration (maybe with redundancy)

+ * ...

+

+If someone is willing to experiment we could try allowing reinvites. This way all SIP endpoints inside the VPN could connect their media streams directly, thus saving bandwidth and raising call quality.

+

+## Latest changes

+ * G.729 now is the preferred codec because of bandwith issues

+ * My "Homezone" works perfectly, moving with me

+ * Phone #: +493727/959023

+ * Sipgate: 5884293

+ * SIP: maxx(at)maxx.spaceboyz.net

+ * Transcoding from/into G.729 works fine now, thanks to some precompiled versions for asterisk.

+# IRC

+

+We have several [hackint](http://www.hackint.eu/)-IRC-Servers, reachable via internet, but also via dn42.

+

+## irc.spaceboyz.net

+ * IPv6: 2001:8d8:81:5c0::1

+ * dn42: 172.22.24.1

+ * IPv4: 87.106.131.203

+ * Ports: 6666-6669 & SSL 6697,9999

+

+## irc.chaostreff-dortmund.de

+ * irc.chaostreff-dortmund.de (195.160.168.7, 6666-6669 & ssl: 6697, 9999)

+

+## lechuck.darmstadt.ccc.de

+ * lechuck.darmstadt.ccc.de (via dn42: 172.31.98.1)

+

+Usage with SSL (6697/tcp) is preferred.

+**Please join #dn42.**

+# List of Usenet servers

+| **Person** | **Status** | **Address** | **Posting** | **Newsgroups** | **Binaries** |

+|----|----|----|----|----|----|

+| welterde | _up_ | news.welterde.dn42 | _yes_ | Big 8, de.\*, alt.\* | _no_ |

+| UFO | _up_ | core.ucis.dn42 | _yes_ | anonet, dn42 | _no_ |

+| blacksheep | _up_ | news.blacksheep.dn42 | _ask_ | Big 8, de.\*, alt.\*, uk.\*, etc. | _no_ |

+

+# List of Usenet WebFrontends

+| **Person** | **Status** | **Address** | **Posting** | **Newsgroups** | **Binaries** |

+|----|----|----|----|----|----|

+| cronix | _down_ | news.crystalnet.dn42 | _yes_ | as requested | _no_ |

+| UFO | _up_ | [UCIS.ano news](http://cgiproxy.ucis.dn42/nph-proxy.cgi/00/http/www.ucis.ano/news/) | _no_ | anonet, dn42 | _limited_ |

+| SeekingFor | _up_ | [AnoNet News](http://cgiproxy.ucis.dn42/nph-proxy.cgi/00/http/news.sfor.ano/) | _yes_ | anonet, dn42 | _no_ |

+# Statistics

+Please add your public statistics.

+

+## Scripts

+

+### Number of prefixes for collectd

+

+#### collectd.conf

+

+```

+LoadPlugin exec

+<Plugin exec>

+ Exec nobody "/etc/collectd/bgp_prefixes-quagga.sh"

+</Plugin>

+```

+

+collectd refuses to exec scripts as root. On Debian vtysh is compiled with PAM support: adding nobody to the quaggavty group suffices.

+

+#### bgp_prefixes-quagga.sh

+

+```

+#!/bin/bash

+

+INTERVAL=10

+HOSTNAME=dn42.hq.c3d2.de

+

+while true; do

+n4=$(vtysh -d bgpd -c "show ip bgp"|grep Total|sed -e 's/Total number of prefixes //')

+n6=$(vtysh -d bgpd -c "show ipv6 bgp"|grep Total|sed -e 's/Total number of prefixes //')

+

+echo "PUTVAL $HOSTNAME/quagga-bgpd/routes-IPv4 interval=$INTERVAL N:$n4"

+echo "PUTVAL $HOSTNAME/quagga-bgpd/routes-IPv6 interval=$INTERVAL N:$n6"

+

+sleep $INTERVAL

+done

+```

+

+#### Number of prefixes per neighbour for bird

+

+```

+#!/bin/sh

+#

+# Collectd script for collecting the number of routes going through each

+# BGP neighour. Works for bird.

+#

+# See https://dn42.net/Services-Statistics

+

+INTERVAL=60

+HOSTNAME=mydn42router

+[ -n "$COLLECTD_HOSTNAME" ] && HOSTNAME="$COLLECTD_HOSTNAME"

+

+while true

+do

+ birdc 'show protocols "*"' | grep ' BGP' | cut -d ' ' -f 1 | while read neighbour

+ do

+ nbroutes=$(birdc "show route protocol $neighbour primary count" | grep -v 'BIRD' | cut -d ' ' -f 1)

+ echo "PUTVAL $HOSTNAME/bird-bgpd/routes-$neighbour interval=$INTERVAL N:$nbroutes"

+ done

+ # FIXME: we probably count non-BGP routes here

+ totalroutes=$(birdc "show route primary count" | grep -v 'BIRD' | cut -d ' ' -f 1)

+ echo "PUTVAL $HOSTNAME/bird-bgpd/routes-all interval=$INTERVAL N:$totalroutes"

+ sleep $INTERVAL

+done

+```

+

+### munin plugin

+* add the following to /etc/munin/plugin-conf.d/munin-node

+

+```

+[quagga_bgp]

+user root

+```

+

+* place the script as quagga_bgp in /etc/munin/plugins

+

+```

+#!/bin/sh

+#

+#

+# Munin Plugin to show quagga bgp4 routes

+

+# Standard Config Section Begin ##

+ if [ "$1" = "autoconf" ]; then

+ echo yes

+ exit 0

+ fi

+

+ if [ "$1" = "config" ]; then

+

+ echo 'graph_title Quagga BGP4 Routes'

+ echo 'graph_args --base 1000 -l 0'

+ echo 'graph_scale yes'

+ echo 'graph_vlabel Received routes via BGP4'

+ echo 'graph_category Network'

+ echo 'bgproutes.label Routes'

+ echo 'graph_info Route information provided by quagga daemon via vtysh'

+ exit 0

+ fi

+# Standard Config Section End ####

+

+# Measure Section Begin ##########

+ data=($(vtysh -c "show ip bgp"|grep Total|cut -d" " -f5))

+

+ if [ "$data" = "" ]; then

+ echo bgproutes.value 0

+ else

+ echo bgproutes.value $data

+ fi

+# Measure Section ##########

+```

+* restart munin-node

+# Virtual Machines

+

+| Person | RAM | HDD | Net | CPU | Description |

+|:------------- |:----- |:---- |:--------- |:-------- |:--------------------- |

+| otih | | | | | KVM/OpenVZ (AS64608)

+| siska | 384Mb | 40Gb | 10/10Mbit | 1x2.9Ghz | KVM/QEMU (VNC) (AS76103)

+| thomasdotde | | | | | HyperV-Server

+# Whois registry

+**aka** _The registry_ contains:

+

+ * AS numbers assignations

+ * Subnet assignations

+ * DNS root zone for `dn42.`

+

+## Names and numbers

+

+dn42 uses some names and numbers, which are declared in the registry. Whenever possible, we try to stick to names and numbers that do not conflict with the ICANN-net or other networks similar to dn42, for instance by using private numbers space.

+

+### Address space

+

+dn42 uses **172.22.0.0/15** for IPv4.

+

+For IPv6, we use both ULA (that is, **fd00::/8**) and globally unique PI/PA address space of participants. ULA is prefered for various reasons, see the [FAQ](Frequently-Asked-Questions#What-about-IPv6-in-DN42?).

+

+### AS numbers

+

+Since June 2014, dn42 is using the **4242420000-4242429999** ASN range for allocations. This range is further subdivided:

+* **4242420000-4242423999** for end-users allocations

+* **4242424000-4242426999** reserved for future use

+* **4242427000-4242429999** for sub-allocations

+

+If you are running a project similar to dn42, please use another range of ASN. The "sub-allocations" range is meant for dn42 users willing to have administrative control over a small, consecutive range of ASN (e.g. to use them directly or to distribute them).

+

+Note that currently, most AS are using one of the legacy ASN range (and will probably continue to do so, as renumbering is painful). See the [FAQ](Frequently-Asked-Questions#Why-are-you-using-ASN-in-the-76100-76199-range?) for a discussion on AS ranges.

+

+### DNS zones

+

+dn42 uses the `dn42.` TLD, which is not present in the root DNS zone of the ICANN-net. For details, see [DNS](Services-DNS).

+

+Note that other TLDs should also be usable from dn42, most notably from Freifunk and ChaosVPN. A tentative list is available at [External DNS](External-DNS).

+

+## Web interface

+

+Nixnodes provides a nice web interface, that allows you to **add/edit records** easily. It is available at https://io.nixnodes.net/?registry. A full guide is available at [Getting started](Getting-started-with-dn42#Fill-in-the-registry).

+

+### Authentication

+

+To add or edit records with the web interface, authentication is done thanks to **maintainer objects**. Each maintainer object has a password associated to it.

+

+The password are not stored in cleartext in the registry: a hash is computed from the password and the name of the maintainer object. To generate such a hash (e.g. in case you forgot your password), use https://io.nixnodes.net/nctlio.php?m=dnr&gen=mypassword&mnt=MYMAINTAINER-MNT

+

+### Misc

+

+A read-only interface is also available at http://ix.ucis.dn42/dn42/ ([public](http://ix.ucis.nl/dn42/) or 172.22.166.3). The used PHP scripts are available from UFO a.k.a. Ivo at request.

+

+## DNS interface

+

+There is also a DNS-based interface to query AS information from the registry. The DNS zone is `asn.dn42`. Example:

+

+ $ dig +short AS76103.asn.dn42 TXT

+ "76103 | DN42 | dn42 | | NIXNODES-IX - NixNodes CORE Network"

+

+The Python code for generating the zone from the registry is available on the monotone repository.

+

+The idea comes from the guys at cymru.com, who provide this service for the Internet (e.g. `AS1.asn.cymru.com`), see https://www.team-cymru.org/Services/ip-to-asn.html#dns

+

+## Address space

+

+There is nice 3djs visualisation showing current address space usage: http://dataviz.polynome.dn42/dn42-netblock-visu/registry.html ([public](http://109.24.208.244:8888/dn42-netblock-visu/registry.html) or 172.23.184.98). The input data is taken from the registry.

+

+Another visualisation shows the prefixes seen by BGP: http://dataviz.polynome.dn42/dn42-netblock-visu/index.html ([public](http://109.24.208.244:8888/dn42-netblock-visu/index.html) or 172.23.184.98).

+

+## Software

+

+ * [[lglass]] is a python implementation for working with the registry. It features a whois server, tools to manipulate the data (DNS zone generation, etc).

+

+## Whois daemons

+

+| **person** | **dns** | **ip** |

+|------------|---------------------------|-----------------|

+| welterde | thinkbase.srv.welterde.de | 46.4.248.201 |

+| fritz | whois.fritz.dn42 | 172.22.119.139 |

+| nixnodes | whois.nixnodes.dn42 | 172.22.177.77 |

+

+### Usage

+```sh

+whois -h $host $query

+```

+### Using a whois config

+```sh

+$ cat /etc/whois.conf

+\.dn42$ 172.22.177.77

+\-DN42$ 172.22.177.77

+# dn42 range 64512-65534

+^as6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9]{2})|5([0-4][0-9]{2}|5([0-2][0-9]|3[0-4])))$ 172.22.177.77

+# dn42 range 76100-76199

+^as761[0-9][0-9]$ 172.22.177.77

+# dn42 range 4242420000-4242429999

+^as424242[0-9]{4}$ 172.22.177.77

+# dn42 ipv4 address space

+^172\.2[2-3]\.[0-9]{1,3}\.[0-9]{1,3}(/(1[56789]|2[0-9]|3[012]))?$ 172.22.177.77

+

+# dn42 ula ipv6 address space

+fd**:****:****:****:****:****:****:**** 172.22.177.77

+

+```

+You can then use whois without specifying the server. Works at least with Marco d'Itri's whois client.

+

+### Running your own whoisd

+```sh

+cd /home/some/path/to/store/branch

+sudo aptitude install ruby rubygems

+sudo gem install netaddr

+cd whoisd/ruby

+sudo ruby whoisd.rb nobody

+```

+

+## Monotone

+Monotone is an distributed revision control system. Monotone tracks revisions to files, groups sets of revisions into changesets, and tracks history across renames. The design principle is distributed operation making heavy use of cryptographic primitives to track file revisions (via the SHA-1 secure hash) and to authenticate user actions (via RSA cryptographic signatures). Each participant maintains their own revision history store in a local SQLite database. Monotone is especially strong in its support of a diverge/merge workflow, which it achieves in part by always allowing commit before merge. Revisions are exchanged using the custom netsync protocol which shares some conceptual ground with rsync and cvs.

+ * [Website](http://monotone.ca/)

+ * [Tutorial](http://monotone.ca/docs/Tutorial.html)

+

+### Monotone servers

+

+| Person | Address | Status |

+|----------|----------------------------------------|--------|

+| crest | mtn.crest.dn42 | UP |

+| dracoling | dn42.smrsh.net (net.smrsh.dn42) | UP |

+| siska | mtn.nixnodes.net / mtn.nixnodes.dn42 (172.22.177.77) | UP |

+| xuu | mtn.xuu.dn42 (172.22.141.248) | UP |

+| zorun | mtn.polyno.me / mtn.polynome.dn42 (172.23.184.71| UP |

+

+### Monotone branches

+ * net.dn42.registry: Contains the registry and some related code

+

+### Client setup

+```sh

+mtn genkey [email protected]

+mtn pubkey [email protected] # send the output to some $monotone_server operator (do NOT send the keypair!)

+mtn clone 'mtn://$monotone_server/?net.dn42.*' --branch net.dn42.registry

+cd net.dn42.registry

+$add_your_objects

+mtn add --unknown

+mtn ci -k [email protected]

+mtn sync

+```

+

+### Server setup

+

+Debian has a package "monotone-server", with config located in "/etc/monotone".

+

+Pro-tip: monotone seems to use `SO_V6ONLY`, which is annoying. To bind to both IPv4 and IPv6, use `ADDRESS=":: --bind 0.0.0.0"` in `/etc/default/monotone`.