NLNOG RING from a user perspective Bartek Gajda - - PowerPoint PPT Presentation

SLIDE 1

NLNOG RING from a user perspective

Bartek Gajda gajda@man.poznan.pl

SLIDE 2

Source: Job Snijders https://ripe65.ripe.net/presentations/105-RIPE65_NLNOG_RING_Job_Snijders.pdf

SLIDE 3

Source: Job Snijders https://ripe65.ripe.net/presentations/105-RIPE65_NLNOG_RING_Job_Snijders.pdf

SLIDE 4

NLNOG RING - Motivation

  • Debug network issues and troubleshoot ‘from the outside’
  • A point of view outside your network is absolutely essential
  • Seeing what others see is a useful thing with a variety of network problems

Source: ring.nlnog.net

SLIDE 5

NLNOG RING - Solution

  • Provide a streamlined way of cooperating
  • “NLNOG RING” – simple essence:
  • You make a (virtual) machine available to the RING,
  • You gain access on all servers which are part of the project, hence the name “RING”.
  • Great example would be to launch a traceroute from 173 servers in different networks and quickly get the results instead of waiting till somebody has the time to run some tests for you.

Source: ring.nlnog.net

SLIDE 6

NLNOG RING – how to use it

  • CLI interface: ring scripts
  • ring-all – run commands on all servers
  • ring-ping – run commands from all servers
  • ring-trace – ICMP traceroutes from all servers; creates graphs which visualise traceroutes from a number of ring sources
  • Distributed Smokeping
  • Web based statistics
  • A smokeping Master/Slave setup has been created to graph latency between all nodes, thus graphing nodes in context of a torus.
  • BGP Looking glass
  • Web based on-line interface

SLIDE 7

CLI interface

  • ring-ping [-6v] host

poznan@poznan01:~$ ring-ping -v www.terena.org
sidn01: 3.934
fnutt01: 25.511
a2binternet01: 2.007
melbourne01: 16.713
digiweb01: 17.661
…

ring-ping www.terena.org
connect: Network is unreachable
www.terena.org - 173 servers: 44ms average
www.terena.org - unreachable via: nlnetlabs01
ssh connection failed: atrato01 bahnhof01 bci01 digmia01 occaid01 solnet01 teamix0
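Added example (not part of the original slides or of the ring scripts): a small Python parser for saved `ring-ping -v` output that separates per-node round-trip times from the failure lines and flags vantage points far above the median. It assumes one `node: value` pair per line as shown above; the sample text and the node name `example01` are constructed for illustration.

```python
import re
import statistics

# Constructed sample in the layout shown on the slide (values illustrative).
SAMPLE = """\
sidn01: 3.934
fnutt01: 25.511
a2binternet01: 2.007
melbourne01: 16.713
digiweb01: 17.661
example01: 310.250
connect: Network is unreachable
www.terena.org - 6 servers: 63ms average
www.terena.org - unreachable via: nlnetlabs01
ssh connection failed: atrato01 bahnhof01
"""

# Ring node names end in a two-digit index, e.g. "sidn01".
NODE_LINE = re.compile(r"^([a-z0-9-]+\d{2}): (\d+(?:\.\d+)?)$")

def parse_ring_ping(text):
    """Split verbose ring-ping output into RTTs and failure lists."""
    rtts, unreachable, ssh_failed = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        m = NODE_LINE.match(line)
        if m:
            rtts[m.group(1)] = float(m.group(2))
        elif "unreachable via:" in line:
            # Nodes that ran the ping but could not reach the target.
            unreachable = line.split("unreachable via:", 1)[1].split()
        elif line.startswith("ssh connection failed:"):
            # Nodes that never ran the test; say nothing about the target.
            ssh_failed = line.split(":", 1)[1].split()
    return rtts, unreachable, ssh_failed

def outliers(rtts, factor=5.0):
    """Return nodes whose RTT exceeds `factor` times the median RTT."""
    if not rtts:
        return []
    median = statistics.median(rtts.values())
    return sorted(n for n, v in rtts.items() if v > factor * median)

if __name__ == "__main__":
    rtts, unreachable, ssh_failed = parse_ring_ping(SAMPLE)
    print("slow vantage points:", outliers(rtts))
    print("target unreachable from:", unreachable)
    print("not tested (ssh failed):", ssh_failed)
```

Keeping "unreachable via" apart from "ssh connection failed" matters when reading the result: only the first list is evidence about the path to the target.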

SLIDE 8

CLI interface

  • usage: ring-trace [-h]
  • -a, --asn: group by ASN instead of IP
  • -c, --show-country: show country codes for IP addresses
  • -n RANDOM: pick a given number of hosts at random
  • -b: send output to a pastebin instead of saving it to file
  • -B: remove broken hops from output image
  • -e: exclude a specific host
  • -i: include this host
  • -l {dot,neato,fdp,sfdp,twopi,circo}: layout style
  • -o: output filename
  • -p: pick top N and bottom N hosts based on hopcount
  • -r: try to resolve all addresses (WARNING: can take long!)
  • -t {dot,gif,pdf,png,jpg,ps,svg}: output filetype
  • -T TIMEOUT
  • -u: username for SSH logins
  • -U: use UDP instead of ICMP ECHO
  • -v -vv
  • -x: remove IXP hops from traces
  • -X: highlight IXP hops in output
  • -4 | -6
  • destination

SLIDE 9

CLI interface

poznan@poznan01:~$ ring-trace -a -4 -b -B -n 5 www.terena.org
ring-trace v1.6.1 - written by Teun Vink <teun@teun.tv>
picked 5 hosts at random: imagine01 heanet01 solido01 claranet04 rootlu01
Performing ICMP traceroutes towards www.terena.org from 5 ring hosts, ssh-timeout is 10 seconds.
Image uploaded to https://ring.nlnog.net/paste/p/1t1kmf13ocmuzj0
Done in 12.5 seconds.

Or (Created file: trace-www.terena.org.jpg)

SLIDE 10

CLI interface

  • ring-trace -c -B -n 10 www.terena.org

SLIDE 11

Distributed Smokeping

  • AMP (Active Measurement Project)
  • Developed by WAND Network Research Group
  • http://amp.ring.nlnog.net/
  • Ping
  • Historic Traceroutes
  • MTU testing
  • Jitter
  • loss, etc

SLIDE 12

Distributed Smokeping

SLIDE 13

Distributed Smokeping

SLIDE 14

BGP looking glass

SLIDE 15

BGP looking glass – BGP map

SLIDE 16

NLNOG RING - Participation

Open to everybody who meets the following requirements:

  • You are a network operator
  • The organisation you work for has BGP routers connected to the “Default Free Zone” and maybe even IXPs.
  • Your organisation has its own ASN, IPv4 and IPv6 prefix(es).
  • You have enable or configure rights on those routers.
  • You are involved in the networkers community.
  • You have permission from your organisation to become involved in the NLNOG RING.

Source: ring.nlnog.net

SLIDE 17

NLNOG RING – Hardware

  • Hardware requirements
  • Mandatory:

– Clean Ubuntu 12.04 Precise Pangolin 64-bit (amd64/x86_64) Server Edition installation (no special packages are required except openssh-server)
– 64 bit CPU
– 1 globally reachable and unique statically configured IPv4 address
– 1 globally reachable and unique statically configured IPv6 address
– You are willing to give full sudo access to the Ring-Admins

  • The following suggestions are indicative:

– 1 core or CPU
– 20 gigabyte disk space
– at least 512 megabyte RAM, but more is better
– 10mbit NIC (more is fine)

Source: ring.nlnog.net

SLIDE 18

NLNOG RING – Management

  • All regular nodes (machines provided by organisations) are managed through a centralized puppet system.
  • Ring-Admins will take care of software and security updates, installation and user management.
  • The goal: make it as easy as possible for organisations
  • Not to worry about it afterwards.
  • Machine owners are allowed and encouraged to install software which they deem necessary to comply with the standards of their organisation, examples are: n2, backup programs or a snmp daemon.

Source: ring.nlnog.net

SLIDE 19

NLNOG RING – Participants

https://ring.nlnog.net/participants/ PSNC joined in October 2012

SLIDE 20

NLNOG RING – Security considerations

  • A ‘zero tolerance’ policy
  • RING box – regarded as (your) enduser
  • Should be placed outside internal network
  • Separate VLAN etc.

SLIDE 21

NLNOG RING – additional information

  • Link to RIPE presentation pdf & video(!)
  • https://ripe65.ripe.net/programme/meeting-plan/plenary-agenda/#tues2