You want to join dn42, but you don't know where to start. This guide gives general guidelines about dn42 and routing, but it assumes that you are already knowledgeable about routing.
Don't worry, it's not as tedious as registering with a RIR ;)
This is important, as it allows you to stay up to date on best practices, new services, security issues...
See Contact to subscribe.
This example assumes that your name is <FOO>, part of an organisation called <FOO-ORG> (for instance, your hackerspace). Obviously, these should be replaced by the appropriate values in all examples below.
We will create several types of objects: maintainer objects, which have an associated password and allow you to authenticate so that you can edit your own objects; person objects, which describe people or organisations and provide contact information; and finally, all other objects, which are resources (AS number, IP subnet, DNS zone, etc).
mntner object named
<FOO>-MNT. It will be used to edit all the objects that are under your responsibility.
sha512-pw, you must enter your password directly, not the sha512 of your password.
tech-c. We will update this later.
mnt-by, otherwise, you won't be able to edit your maintainer object.
person object for yourself (not your organisation/hackerspace/whatever).
nic-hdl, it should end with
person field is more freeform; you may use your nickname or even your real name here.
contact field. For instance
remarks, and so on.
You must now edit the maintainer object created earlier, to properly fill in the
tech-c fields (set them to
If you intend to register resources for an organisation (e.g. your hackerspace), you must also create an
organisation object for your organisation:
organisation is of the form
<FOO>-MNT, since you're managing this object on behalf of your organisation.
From now on, you should use:
tech-c: <FOO>-DN42 for your own resources.
tech-c: <FOO>-DN42 for the resources of your organisation.
mnt-by: <FOO>-MNT for all objects, so that you can edit them later.
This applies to AS numbers, network prefixes, routes, DNS records...
To register an AS number, simply create an
Your AS number can be chosen arbitrarily in the dn42 ASN space, look at the
as-block objects. The historic ASN space is around 64600-64855 and 76100-76200. Starting from June 2014, you must allocate your AS number in the new 4242420000-4242423999 range.
For a list of currently assigned AS numbers, see http://ix.ucis.nl/dn42/as.php. This list is automatically built from the registry.
If you intend to use an ASN outside of the native dn42 ranges, please check that it doesn't clash with the Freifunk AS numbers or other networks (ChaosVPN, etc). For a list of ASNs currently announced in dn42, see this map or this list.
If unsure, ask on the mailing list or IRC.
To register an IPv4 network prefix, simply create an
You may choose your network prefix in one of the currently open netblocks. You can get a list of unassigned subnets on the following sites; please mind the allocation guideline below.
| /24 | are you an organization? |
| /25 | still a lot of IPs! |
The current guideline is to allocate a /27 or smaller by default, keeping space for up to a /26 if possible. Don't allocate more than a /25 worth of addresses, and please think before you allocate: if you are going to have 2-3 servers and two VPN spaces, a /28 is enough to suit your needs. The same goes for most home networks. This is not the public internet, but our IPv4 space is valuable too! If you need a /24 or larger, please ask in the IRC channel or on the mailing list.
For example, if there is no /27 free, you can split up a /26 into two /27s. If you are looking for a /27 but there are none showing in the Open Netblocks tool, pick one of the /26s instead and click Take it! When registering your inetnum, instead of writing 172.2x.xxx.0-172.2x.xxx.63, you can write 172.2x.xxx.0-172.2x.xxx.31. This will get you a /27 and save our IP space for others.
To register for example 172.20.150.0/27, you need to fill in 172.20.150.0-172.20.150.31.
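The range arithmetic above can be checked before submitting an object. The following is an added example, not part of the original guide or the registry tooling; the function names are hypothetical. It converts between CIDR and the first-last form, rejects ranges that are not one aligned block, and classifies a prefix against the guideline quoted above.

```python
import ipaddress

def cidr_to_inetnum(cidr):
    """Render a CIDR prefix in the first-last form used when registering."""
    # strict=True rejects prefixes with host bits set, e.g. 172.20.150.8/27
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address}-{net.broadcast_address}"

def inetnum_to_cidr(value):
    """Parse 'first-last'; reject ranges that are not exactly one CIDR block."""
    first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
    blocks = list(ipaddress.summarize_address_range(first, last))
    if len(blocks) != 1:
        raise ValueError(f"{value!r} is not a single CIDR block: {blocks}")
    return blocks[0]

def guideline(net):
    """Classify a prefix against the allocation guideline in this guide."""
    if net.prefixlen >= 27:
        return "default size"
    if net.prefixlen >= 25:
        return "large: think before allocating"
    return "ask on IRC or the mailing list first"

def split_free_block(cidr, want=27):
    """Split a free block (for example a /26) into subnets of the wanted length."""
    return [str(n) for n in ipaddress.ip_network(cidr).subnets(new_prefix=want)]

if __name__ == "__main__":
    print(cidr_to_inetnum("172.20.150.0/27"))
    print(split_free_block("172.20.150.0/26"))
    print(guideline(inetnum_to_cidr("172.23.75.0 - 172.23.75.255")))
```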
If you want to register an IPv6 prefix, you can create an inet6num object. A single /48 allocation in ULA space will likely provide more than enough room for all devices you will ever connect. Some people use “vanity” prefixes like fd42:xyz::/48 instead of the fully standard-conformant pseudorandom ones.
    inet6num: fd42:4992:6a6d:0000:0000:0000:0000:0000 - fd42:4992:6a6d:ffff:ffff:ffff:ffff:ffff
    netname: EVE-NETWORK
    descr: Network of eve
    country: DE
    admin-c: MIC92-DN42
    tech-c: MIC92-DN42
    mnt-by: MIC92-MNT
    nserver: ns1.evenet.dn42
    nserver: ns2.evenet.dn42
    status: ASSIGNED

    inetnum: 172.23.75.0 - 172.23.75.255
    netname: EVE-NETWORK
    admin-c: MIC92-DN42
    tech-c: MIC92-DN42
    mnt-by: MIC92-MNT
    nserver: ns1.evenet.dn42
    nserver: ns2.evenet.dn42
    status: ASSIGNED
If you plan to announce your prefixes in dn42, which you probably want in most cases, you will also need to create a route object for IPv4 prefixes and a route6 object for IPv6 prefixes. This information is used for ROA checks (route origin authorization). If you skip this step, your network will probably get filtered by some peers. Many people enforce ROA checks to prevent (accidental) hijacking of other people's prefixes.
    route6: fd42:4992:6a6d::/48
    origin: AS4242420092
    mnt-by: MIC92-MNT

    route: 172.23.75.0/24
    origin: AS4242420092
    mnt-by: MIC92-MNT
    bgp-status: active
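How a peer's ROA check uses these route objects, as an added example that is not part of the original guide or any dn42 tool: it parses the two objects above and classifies announcements with the valid / invalid / not-found states of RFC 6811. Assumptions: an optional max-length attribute is honoured if present, otherwise only the exact prefix length is authorised; the announcements in the demo, including AS4242420666, are constructed.

```python
import ipaddress

# The route objects shown on this page, one attribute per line.
REGISTRY = """\
route6: fd42:4992:6a6d::/48
origin: AS4242420092
mnt-by: MIC92-MNT

route: 172.23.75.0/24
origin: AS4242420092
mnt-by: MIC92-MNT
bgp-status: active
"""

def load_roas(text):
    """Turn route/route6 objects into (network, origin ASN, max length) tuples."""
    roas = []
    for obj in text.strip().split("\n\n"):
        attrs = {k.strip(): v.strip() for k, v in
                 (line.split(":", 1) for line in obj.splitlines())}
        net = ipaddress.ip_network(attrs.get("route") or attrs.get("route6"))
        # Assumption: without max-length, only the registered length is allowed.
        max_len = int(attrs.get("max-length", net.prefixlen))
        roas.append((net, int(attrs["origin"][2:]), max_len))
    return roas

def validate(prefix, origin_asn, roas):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_net, roa_asn, max_len in roas:
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # some object covers this prefix
        if roa_asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    # Covered but no matching origin/length: the hijack or typo case.
    return "invalid" if covered else "not-found"

if __name__ == "__main__":
    roas = load_roas(REGISTRY)
    for prefix, asn in [("172.23.75.0/24", 4242420092),    # registered origin
                        ("172.23.75.0/24", 4242420666),    # constructed wrong origin
                        ("172.23.75.128/25", 4242420092),  # more specific than registered
                        ("172.22.99.0/27", 4242420092)]:   # no route object at all
        print(prefix, f"AS{asn}", validate(prefix, asn, roas))
```

A prefix announced without any route object comes out as not-found rather than invalid; whether that is accepted or filtered depends on each peer's policy.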
In dn42, there is no real distinction between peering and transit: in most cases, everybody serves as an upstream provider to all of their peers. Note that if you have very slow connectivity to the Internet, you may want to avoid providing transit between your peers, which can be done by filtering or prepending your ASN. For the sake of sane routing, try to peer with people on the same continent to avoid inefficient routing; <50ms is a good rule of thumb. If you are using Bird, you can also look into Bird communities to mark the latency of the link.
If you don't know anybody who can peer with you, you can use this tool: https://dn42.us/peers
It will let you find people to peer with. You can then contact them on IRC or by email. In case you're really at a loss, you can also ask for peers on the mailing list.
Unless your dn42 peers are on the same network, you must establish tunnels. Choose anything you like: OpenVPN, GRE, GRE + IPSec, IPIP, Tinc, ...
There is some documentation in this wiki, like gre-plus-ipsec.
You need a routing daemon to speak BGP with your peers. People usually run Quagga or Bird, but you may use anything (OpenBGPD, XORP; somebody even used an old hardware router). See the relevant FAQ entry.
You can find configuration examples for Bird here.
Some documentation of the old wiki might still be handy, but remember that everything there is terribly outdated.
See Services DNS.
See internal for internal services.
Don't hesitate to provide interesting services, but please, document them on the wiki! Otherwise, nobody will use them because nobody can guess they even exist.
Last edited by root, 2017-05-19 16:56:52