To all, I am sure this has been asked 10 to the 1 millionth power times, however may be the rules have changed. I am looking to set up a really small ISP with a few /24's. I want to host DNS as well. Is there any whitepapers/howtos/best practices on setting up multihomed BGP and DNS with BIND so I don't blow up the Internet. Thx Philip
Hiring a consultant to do your initial configuration is highly recommended. We took this route when we originally configured BGP and it allowed me to learn from and study a known 'good' configuration. - Dan
BCP 38: - http://www.ietf.org/rfc/rfc3704.txt ISP Essentials: - http://www.ciscopress.com/bookstore/product.asp?isbn=1587050412 Securing IP Network Traffic Planes: - http://www.ciscopress.com/bookstore/product.asp?isbn=1587053365 - anything and everything regarding IPv6. ...would be a VERY good start (I've read Securing IP Traffic Planes which is also great reference, and am just finishing up ISP Essentials, which is dated, but the principles still apply). Steve
On May 21, 2009, at 8:45 PM, Steve Bertrand wrote:
Securing IP Network Traffic Planes: - http://www.ciscopress.com/bookstore/product.asp?isbn=1587053365
I can't recommend this book enough - it's the current canonical reference on opsec-related BCPs for network infrastructure, IMHO (full disclosure: I was fortunate enough to have the opportunity to provide some feedback to the authors as they worked on this tome, but have no financial interest whatsoever in its publication or sales thereof). ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Unfortunately, inefficiency scales really well. -- Kevin Lawton
On Thursday 21 May 2009 10:14:00 am Roland Dobbins wrote:
I can't recommend this book enough - it's the current canonical reference on opsec-related BCPs for network infrastructure, IMHO (full disclosure: I was fortunate enough to have the opportunity to provide some feedback to the authors as they worked on this tome, but have no financial interest whatsoever in its publication or sales thereof).
Ah, a good use for my Safari account. Hmm, there's you a resource; for ~$20 per month, get access to books to read online, download chapters in PDF format for later perusal. I can read this, and if it looks like something I want, I also get a discount ordering through informit. Safari: http://my.safaribooksonline.com/home You do need to read a lot to make it worthwhile; advantage is that you don't have to store or resell the book later.
The problem with ISP Essentials is it was published in 2002. Same goes for some of the other good Cisco books. A lot has changed in the ISP world since. Sure it has good information, but I wouldn't spend the $ for a new copy. Find it on half.com or somewhere. Justin
From: Steve Bertrand <steve@ibctech.ca> Date: Thu, 21 May 2009 09:45:13 -0400 To: Philip Lavine <source_route@yahoo.com> Cc: <nanog@nanog.org> Subject: Re: ISP best practices
In regards to DNS there is a great secure BIND template here http://www.cymru.com/Documents/secure-bind-template.html which will help stop your server from being an unneeded open resolver, or sending out root hints which are used all the time to amplify DDoS attacks, often without you realising. Bradley
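The open-resolver point above is easy to verify from the outside. The following is an added example, not part of Bradley's message and not taken from the Team Cymru template: a small Python probe that builds a DNS query with the RD (recursion desired) bit set, parses the 12-byte response header and classifies what the server did. The query name, the transaction ID and the four sample responses are constructed for the example; the only assumption about the target is that it is a name server you run and that the name you ask for is one it is not authoritative for. Run it from an address that is outside whatever `allow-recursion` ACL you configured; a correctly locked-down BIND answers REFUSED, an open resolver recurses and hands back an answer.

```python
"""Probe a name server for open recursion by inspecting the DNS header.

Added example for this thread, not code from any poster or from the Team Cymru
template. It builds a recursion-desired query by hand, parses the 12-byte
response header, and classifies the answer; the sample responses below are
constructed bytes, so the classification runs offline. probe() does real UDP
I/O and is only invoked from the __main__ block.
"""
import socket
import struct
from typing import Dict

QR, RD, RA = 0x8000, 0x0100, 0x0080  # header flag bits
RCODE_NOERROR, RCODE_REFUSED = 0, 5
HEADER = struct.Struct(">HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def build_query(qname: str, txid: int, qtype: int = 1) -> bytes:
    """Standard query for QNAME/QTYPE with RD set (what a stub resolver sends)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN
    return HEADER.pack(txid, RD, 1, 0, 0, 0) + question


def parse_header(resp: bytes) -> Dict[str, int]:
    """Unpack the fixed header; raises ValueError on a truncated datagram."""
    if len(resp) < HEADER.size:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, ns, ar = HEADER.unpack_from(resp)
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def classify(resp: bytes, expected_id: int) -> str:
    """Map a response to what it tells you about recursion for *this* client.

    open-resolver : RA set, NOERROR and ANCOUNT > 0 for a name the server is
                    not authoritative for, i.e. it recursed on our behalf
    refused       : RCODE REFUSED, the expected result of a tight allow-recursion
    no-recursion  : answered with RA clear, e.g. an authoritative-only server
    mismatched-id : not a reply to our query; ignore it (or treat as spoofing)
    """
    h = parse_header(resp)
    if h["id"] != expected_id or not h["qr"]:
        return "mismatched-id"
    if h["rcode"] == RCODE_REFUSED:
        return "refused"
    if not h["ra"]:
        return "no-recursion"
    if h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        return "open-resolver"
    return f"recursion-available-rcode-{h['rcode']}"


def make_response(txid: int, flags: int, ancount: int) -> bytes:
    """Constructed reply header (no records) standing in for a real datagram."""
    return HEADER.pack(txid, flags, 1, ancount, 0, 0)


# Constructed sample responses to transaction id 0x1234
SAMPLE_OPEN = make_response(0x1234, QR | RD | RA, 1)            # recursed for us
SAMPLE_REFUSED = make_response(0x1234, QR | RD | RCODE_REFUSED, 0)
SAMPLE_AUTH_ONLY = make_response(0x1234, QR | RD, 0)           # RA clear
SAMPLE_WRONG_ID = make_response(0x4321, QR | RD | RA, 1)


def probe(server: str, qname: str = "www.example.com.", timeout: float = 2.0) -> str:
    """Send one UDP query from outside your network and classify the reply.
    Ask for a name you are NOT authoritative for, or a normal answer is expected."""
    txid = 0x1234  # fixed for reproducibility; a real client randomises this
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txid), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify(data, txid)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe(target))
```

Only the header is parsed here, which is enough to tell REFUSED from a recursed answer; a full probe would also walk the question and answer sections and randomise the transaction ID.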
A few minutes with google would probably find sample BGP multihoming configs. The big things to avoid are unnecessary deaggregation and announcing routes received from one provider to the other. i.e. If you have a /22 of IP space, you may use/see that as 4 /24's or a larger number of smaller subnets, but where eBGP is concerned, you should announce just the /22 route and keep your subnetting to yourself. If you have competent providers, they won't accept routes from you that they're not expecting, which will stop you from offering transit to them by announcing routes received from your other provider. Still, it's better to get your config done right than rely on your providers to ignore what you shouldn't be advertising. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Jon Lewis wrote:
Still, it's better to get your config done right than rely on your providers to ignore what you shouldn't be advertising.
I have to agree completely with Jon here. As a small SP, it is prudent to do everything you can to be a good 'netizen. Apply your outbound prefix lists *before* you turn up your BGP session(s). You should also ensure that you have a good grasp on BCP 38 prior to connecting yourself. This should be done no matter who your upstreams are, large or small. There is nothing more frustrating than seeing RFC 1918, BOGON and/or your own IP space coming back at you eating your bandwidth from your upstreams, so ensure you are not responsible for doing it to them. Steve
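The two points Jon and Steve make above (announce only your aggregate, never re-announce what you learned from one upstream to the other, and do your own BCP 38 filtering) can be written down as a policy and checked before the session comes up. The following is an added example, not code from either poster: a Python model of the outbound prefix filter that returns a permit/deny verdict with a reason for every candidate announcement, renders the same policy as an IOS-style prefix list, and adds a BCP 38 source-address check for a customer-facing interface. Every prefix in it is constructed sample data: 198.51.100.0/22 stands in for the ISP's assigned aggregate, 198.51.96.0/22 and the default route stand in for routes learned from the second upstream, and the bogon list is a deliberately partial subset.

```python
"""Outbound eBGP announcement policy and a BCP 38 ingress check.

Added example for this thread, not code from any poster. Every prefix here is
constructed sample data: 198.51.100.0/22 stands in for a small ISP's assigned
aggregate (it is not a real allocation) and 198.51.96.0/22 stands in for a
route learned from the second upstream.
"""
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network

# Special-use space that must never be announced or accepted (partial bogon
# list, assumed for this example; a real deployment takes the full list from a
# maintained source). 198.51.100.0/24 (TEST-NET-2) is deliberately omitted
# because the sample aggregate contains it.
BOGONS: List[Net] = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

OUR_AGGREGATE: Net = ipaddress.ip_network("198.51.100.0/22")  # constructed

# Routes received over eBGP from the other upstream (constructed sample).
LEARNED_FROM_UPSTREAM_B: List[Net] = [
    ipaddress.ip_network("0.0.0.0/0"),
    ipaddress.ip_network("198.51.96.0/22"),
]


def _net(p) -> Net:
    return ipaddress.ip_network(str(p))


def outbound_permitted(prefix, our_aggregate: Net = OUR_AGGREGATE,
                       learned: Iterable[Net] = LEARNED_FROM_UPSTREAM_B,
                       bogons: Iterable[Net] = BOGONS) -> Tuple[bool, str]:
    """Decide whether PREFIX may be announced to an upstream.

    Only the exact aggregate is permitted; everything else is denied with a
    reason suitable for a log line. Order matters: a leaked default route or
    bogon is reported as such before the generic "not ours" verdict.
    """
    p = _net(prefix)
    if p.prefixlen == 0:
        return False, "default route: never re-announce a default learned from a provider"
    for b in bogons:
        if b.version == p.version and (p.subnet_of(b) or b.subnet_of(p)):
            return False, f"bogon/martian space ({b}): BCP 38"
    if p == our_aggregate:
        return True, "exact match on our assigned aggregate"
    if p.version == our_aggregate.version and p.subnet_of(our_aggregate):
        return False, "more-specific of our own aggregate: unnecessary deaggregation"
    if p in set(learned):
        return False, "learned from another upstream: announcing it would offer them transit"
    return False, "not our address space: default deny"


def filter_announcements(candidates: Iterable[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split candidate announcements into permitted prefixes and (prefix, reason) denials."""
    permitted, denied = [], []
    for c in candidates:
        ok, why = outbound_permitted(c)
        (permitted.append(c) if ok else denied.append((c, why)))
    return permitted, denied


def render_ios_prefix_list(name: str, our_aggregate: Net = OUR_AGGREGATE) -> List[str]:
    """Render the same policy as an IOS-style outbound prefix list.

    Permit exactly the aggregate, then deny everything else; applied per
    neighbor with 'neighbor <addr> prefix-list <name> out' under 'router bgp',
    and *before* the session is first brought up.
    """
    return [
        f"ip prefix-list {name} seq 5 permit {our_aggregate}",
        f"ip prefix-list {name} seq 10 deny 0.0.0.0/0 le 32",
    ]


def ingress_source_ok(src_ip: str, customer_prefixes: Iterable[Net] = (OUR_AGGREGATE,),
                      bogons: Iterable[Net] = BOGONS) -> bool:
    """BCP 38 on a customer-facing interface: accept a packet only if its
    source address lies in space assigned to that customer and is not bogon."""
    src = ipaddress.ip_address(src_ip)
    if any(src in b for b in bogons if b.version == src.version):
        return False
    return any(src in c for c in customer_prefixes if c.version == src.version)


if __name__ == "__main__":
    ok, bad = filter_announcements(
        ["198.51.100.0/22", "198.51.101.0/24", "198.51.96.0/22", "0.0.0.0/0", "10.1.0.0/16"])
    print("announce:", ok)
    for prefix, why in bad:
        print(f"suppress {prefix}: {why}")
    print("\n".join(render_ios_prefix_list("OUT-TO-UPSTREAM-A")))
```

The prefix list is intentionally two lines long: one permit for the aggregate and a catch-all deny. The classifier only exists to tell you *why* something would have leaked, which is what you want in a log when a more-specific or a provider's default shows up in your outbound RIB.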
This is the Nanog list . . . How about some Nanog resources . . . http://www.nanog.org/resources/tutorials/ And, yes, hiring a consultant is a good idea. But, being an informed consumer is also a good idea. Read lots! Ask lots of questions! Cheers! bbc
The African Network Operators Group has quite a good set of workshop materials for both ISP routing (including v6) and DNS (separate workshops). Week-long course materials for the routing track are here: http://www.ws.afnog.org/afnog2009/sie/detail.html
Check out www.powerdns.com as an alternative to BIND. It's faster, more secure, does IPv6 and easier to maintain. Curtis
I've deployed PowerDNS before, along with PowerAdmin (https://www.poweradmin.org/trac/). Very easy to set up and manage. Ben
cmaurand> Check out www.powerdns.com as an alternative to bind. Its
cmaurand> faster, more secure, does IPV6 and easier to maintain.
This is purely opinion.
BIND has warts, just as any large piece of code in widespread use and with lots of features will have. However, that's also one of its advantages. Lots of folks run it and know it and fix it when it breaks.
Works for root & gTLD servers, must not totally suck.
BIND does IPv6, has since BIND8.
It is also fully DNSSEC compliant. Is PowerDNS yet?
Yes. Do check out all the alternatives for DNS. But if you're looking at IPv6 support because you want to be able to support upcoming protocols, make sure your DNS can do DNSSEC correctly too.
If you want to go down the BIND route, I'd recommend using xname as a frontend (http://source.xname.org/).
On 21-May-2009, at 11:06, Curtis Maurand wrote:
Check out www.powerdns.com as an alternative to bind. Its faster, more secure, does IPV6 and easier to maintain.
I have heard lots of good things about PowerDNS, and I'm quite prepared to believe that it's a natural choice for a DNS hosting service where the database back-end makes for far simpler provisioning and control than managing a pile of config files. However, you're not necessarily doing anybody any favours in making statements like "faster", "more secure" and "does IPv6". DNS servers are complicated beasts, and simplistic comparisons are not useful for much (it'd be trivial to give you examples where PowerDNS is slower and less secure, for example, and BIND9 has done IPv6 for the better part of a decade). Joe
On Thu, May 21, 2009 at 12:00:58PM -0400, Joe Abley wrote:
However, you're not necessarily doing anybody any favours in making statements like "faster", "more secure" and "does IPv6". DNS servers are complicated beasts, and simplistic comparisons are not useful for much (it'd be trivial to give you examples where PowerDNS is slower and less secure, for example, and BIND9 has done IPv6 for the better part of a decade).
...done IPv6 for the better part of a decade... well yeah, for some very loose definition of "doing IPv6"....
Joe
You're correct on the blanket statement. Apologies. --C
Bind is fully capable of IPv6. When combined with Webmin (www.webmin.com), I'm not sure how much easier Bind can get. Webmin will also keep DNSSEC keys up to date with changes, so long as you make those changes from within Webmin. If you make changes in CLI, you can tell Webmin to rehash the keys manually. It's as simple as clicking a GUI button.
-- Adam Kennedy Senior Network Administrator Cyberlink Technologies, Inc. Phone: 888-293-3693 x4352 Fax: 574-855-5761
-----Original Message----- From: Adam Kennedy [mailto:akennedy@cyberlinktech.com] Sent: Thursday, May 21, 2009 4:41 PM To: NANOG Subject: Re: ISP best practices
...When combined with Webmin (www.webmin.com),
<shudder> Jason A. Bertoch Network Administrator jason@electronet.net Electronet Broadband Communications 3411 Capital Medical Blvd. Tallahassee, FL 32308 (V) 850.222.0229 (F) 850.222.8771
We have several clients using Webmin. If you don't know command line, Webmin is another tool to help you learn. You can have Webmin do it and then look at the config to learn. Justin
I have to agree. I've been working with BIND for over 10 years, and still use Webmin to help me keep things organized.
Does anyone still use probind? As much as I am gung-ho command line, managing a huge amount of DNS can get ugly. ~Seth
While BGP can become a rather complex protocol to implement as a network grows, basic BGP peering between two providers isn't really that complex...probably talking 10 config lines at most (excluding bogon/filtering). The first thing you want to make sure is that your upstream providers are implementing filtering, which most of the serious providers do. That way all you can do is hurt yourself while keeping the rest of us on the list here happy :). It's best to get your own IP address space from ARIN if possible, because if you use IP space from your upstream provider, it becomes a nightmare to change over at a later date...IP renumbering is not fun! That was the one mistake we made when we first started. Personally I'm a fan of the "do it yourself" club...yeah you'll make mistakes, but the hands-on approach is by far the best way to learn. Bret
I learned DNS initially by reading some great documents by Avi Freedman; they are a little outdated, but still very relevant and posted on his website @ http://www.freedman.net/
Apologies, this should have said I learned BGP initially, not DNS. Sorry!!
O Hai!
I would highly advise you have a read at any presentation by Phil Smith: ftp://ftp-eng.cisco.com/pfs/seminars (anonymous login). Read as much as you can from here 1st thing 1st - this is all solid ground knowledge.
Then, give a quick read at Cisco's BGP Case Study online on the CCO. And you're OK to go.
Now if you want paper material that you can keep, I'd suggest "Internet Routing Architectures" by Sam Halabi - Cisco Press; even though it's getting old, I find it still very valid. Make sure you have a read at team-cymru.org before you roll out your AS, for their BOGONs/Martians ACLs and peerings, as it sure helps.
Bear in mind BGP is a simplistic protocol. The pain point *will* be your IGP (if you want to do it correctly from start...)
Greg VILLAIN
On Sun, Jun 28, 2009 at 5:50 PM, Gregoire Villain<nanog@grrrrreg.net> wrote:
I would highly advise you have a read at any presentation by Phil Smith: ftp://ftp-eng.cisco.com/pfs/seminars (anonymous login) Read as much as you can from here 1st thing 1st - this is all solid ground knowledge.
And Philip / Barry's Cisco ISP Essentials is a good buy, even if you use non cisco gear .. http://www.ciscopress.com/bookstore/product.asp?isbn=1587050412 --srs
The best training available on the Net for a small ISP to learn from the best is available ..... At www.nanog.org! All the NANOGs are on VOD. Just go to the presentation archive: http://www.nanog.org/presentations/archive/. Put in a keyword to search (say "BGP Tutorial"), cook some popcorn, and sit back and enjoy the session.
Barry Raveendran Greene wrote:
The best training available on the Net for a small ISP to learn from the best is available ..... At www.nanog.org!
All the NANOGs are on VOD. Just go to the presentation archive: http://www.nanog.org/presentations/archive/. Put in a keyword to search (say "BGP Tutorial"), cook some popcorn, and sit back and enjoy the session.
It helps also to communicate with people. [speaking in small SP context] If you know any of the engineers or operators of your upstream, perhaps ask them questions from time to time. If you really know them (and are serious about learning) ask them if they can provide you sample config snips.
Contact the people that run your local IXP. I've found that the operators of the exchange points are an aggregation point of 'the best of the best from the best' information, as they generally discuss solutions with chief engineers of all companies that connect to their fabric. IXP ops are a rich source not only of technical information, but also of industry best practises relating to how other providers might prefer to be approached, if they like or dislike feedback, and whether they care to be approached at all. Don't go bombarding your local IXP op with silly questions; it's just another decent source of information, as they seem to be like myself...if you ask a well-thought-out question, you will likely get an answer (even if it's "I dunno, look over there").
With the books I mentioned earlier in the thread, and that others have re-mentioned, I prefer:
- read
- lab up current environment
- implement what you read in lab
- test for breakage
- pilot lab findings into production
- update/tighten control features
- implement across network
- watch for inconsistencies, but continue to tighten rules
- read more
- rinse, repeat
Steve
ps. as always, thanks Jon.
Not sure if any of these help, but you might also want to take a look at MAAWG's Published Documents: http://www.maawg.org/about/publishedDocuments -Dennis
I agree with this wholeheartedly. Phil Smith's presentations and papers are fantastic. I'm certain that a sizable portion of the Internet operates because of the material that he has, and continues to, put together. Cheers, Randal
participants (25)
- Adam Kennedy
- Barry Raveendran Greene
- Ben Cooper
- bmanning@vacation.karoshi.com
- Bradley Freeman
- Bret Clark
- Bryan Campbell
- Curtis Maurand
- Dan White
- Dennis Dayman
- Gregoire Villain
- Jason Bertoch
- Joe Abley
- Joel Jaeggli
- Jon Lewis
- Justin Wilson - MTIN
- Lamar Owen
- list-nanog2@dragon.net
- Philip Lavine
- randal k
- Roland Dobbins
- Seth Mattinen
- Shane Ronan
- Steve Bertrand
- Suresh Ramasubramanian