[MUSIC] Hello and welcome everybody to the Nordic Stage. Hafnum, who's a university student who's studying cyber technology, is going to talk about how to make a difference in the world of technology. Hafnum, who's studying cyber technology, is going to talk about how to found an internet exchange he founded LabX from his HackerSpace, Labitet and Copenhagen. Welcome with me, Hafnum. Thank you. I would like to tell you about how we created an internet exchange in my local HackerSpace. First, why I'm making this talk. As a newcomer to the networking world, network routing and similar, I found it really difficult to find good information on IXP operations. I could read some things from some network operator meetups and some of the commercial internet exchanges, but it was really high level, so everything was a bit difficult to understand on what is it exactly. Also, when you need to get an AS number and other IP resources delegated, there is some administration and it differs from region to region. In Europe, it's ripe and there are some policies that they have. So, what is the LabX internet exchange? Well, it is a community run internet exchange in Labitet, in our nice little HackerSpace in Copenhagen. We use it as a place to learn network routing. It is a very difficult topic to get started in. There are some projects that can help you, like DN42, but if you want to do routing where you talk with the real world and not via VPNs, then you need to pay a lot of money to get into a data center or find some project where it is available for you, also closely nearby, that you can actually start doing network routing and bring a small server, perhaps. So, yes, you can learn some BGP. This is where I learned my BGP, at least, in our HackerSpace. You can play with our router server. It has its own nice AS number. You can get started in getting IP resources like AS numbers and IP addresses. You can play with BGP security. This is one of the things where it is really difficult to actually get a grasp on, unless you start playing with it. There are some really nice talks around the world about RPKI and filtering strategies. But if you also want to actually try it, it is kind of difficult to get outside your own home lab. Also, very soon we will change it to 9K MTU. The default in the world is 1500 MTU. There is an expert of C-draft for how to change it. As soon as I get all the way through that and I notify our members, I will change. We will also get that. It has a few advantages compared to 1500. So, what does your HackerSpace need to have an Internet exchange? You need a friendly uplink. Maybe you have multiple. That would be very cool. That is because if they do not necessarily like you, it is very hard to update your policies. Their own policies that allows your IX clients to be announced to the world. So, having a member that works in your uplink really helps. But maybe be good friends and give them a beer. Some people you know. You also need some server housing. You need a rack. We have a used rack. They are available in multiple places. We also have a used layer 2 switch. That is the one marked with my better drawing. You need at least 3 peering clients. This is the magic number of getting anything done. When you talk about an IX, Bright requires it. P-ingDB requires it. The IXP database requires you to even be registered. Or consider having an entry in each of their databases. Of course, this is also a HackerSpace. You need to have more than one person. Because when a person stops coming to the HackerSpace, it will die. That is the usual thing with community run projects. Of course, you need to have some documentation and have some people who like to run this. What is an Internet Exchange? The very simple version is a VLAN on a layer 2 switch. Then we have a few of connector networks. That is operators with their own AS number and prefixes. This was the difficult part. If you don't know much about networking. This was a bit of a large step to have. But if you know what I talked about, this is what you needed. All these 5 slides. But let me explain the Internet a bit. It took me years to understand the Internet. I am still learning a lot. To newcomers, let's explain some things. How do you do Internet routing? I assume you know some networking like IP addresses. You get your IP prefix allocated. You find the host facility. You install your machine. Then you set up your external BTP routing daemon. That can come in proprietary and open source solutions. You need to find some peers to connect with. We will find a transit that allows you to connect to the rest of the Internet. If you are located in Copenhagen, how do you have a connection to Berlin? You need a direct fiber to some place. Some companies do this as their business. Profits, I guess. Let's set a scenario. You are an eyeball ISP in Copenhagen. An eyeball ISP is you have customers with eyeballs that consume content. That could be watching their favorite movies, for example. You need to get content from the content providers. The people having the movies. You need some IP addresses for customers and servers. To be able to be reached from the Internet. You also need some server housing and some fibers around. I won't go into that. This is the nicest image I found yet. This is an example of networking. Some peers and transit providers. Don't bother with the names of them. You can have, for example, AS number one in the total left side. They have some prefixes. They can be announced up to the uplink via the next one in the line. Which then in turn is announced further. This is called a transit because you don't have a direct connection to everybody else. It also goes the same way. You get traffic from everybody else. An autonomous system. The best description I found was in an Internet standard. It says a connected group of one or more IP prefixes. One by one or more network operators. Which has a single and clearly defined routing policy. I'll get a bit more into the details of that. One or more network operators and you have some prefixes. An autonomous system is identified by a unique 16 or 32 ASN. An autonomous system number also called ASN. We use it to say hello, I'm AS 211153. That's my personal AS. If you look that up, you can find out what my routing policies are. Also what addresses do I have. A routing policy, this is the simplified version, is that we have some objects called Internet routing registry. We have them in our local regional Internet database. Like RIPE in our case. At least in Copenhagen. These could say that these IP prefixes should be disneyed to me. And I would accept prefixes disneyed to and from my business customers. AS something something and AX something something else. This is pretty much it. There's other details you can go into. Very simplified. I accept that the people or the organizations behind me can be announced through me. Also I have included when I found a lot of good readme tools, I have included in the bottom. You can find my slides on the program page. We also have peering and transit as I mentioned. Peering is that we agree that we only send traffic distance to each other. You have prefixes here, I have prefixes here. You have some content and I want some content. We have a direct connection to each other and we peer. This is most usually free. There's a small asterisk that costs some things to pull a fiber in the data center. Many data centers take a monthly fee for having a cross connect as we call it. And of course you also need to buy your own optics and things like that. We also have transit. This is the people who like to transport traffic from you to other networks. Also the other way. But it costs something per megabyte. Sorry, megabit I wrote. And of course we would like to avoid this as much as we can. But again we can't be connected to every network in the world. So this creates a little of a dilemma on where should we actually connect. Who should we peer with? Does it really make sense to connect with this small provider? Do we actually want to pay for our part of it? We have the Internet Exchange. I will get back to that question in a small second. The Internet Exchange is that we would like to keep local traffic local. This is the main reason. Because when you have transit providers you sometimes get the issue of having the trombone effects. I included an image here where it says this is a map of the United States. Some of it. And we have three cities here. We have Los Angeles, San Francisco and New York. The traffic goes from Los Angeles to San Francisco. I hope you can see the arrows also. But it does not go directly. It goes all the way to some good amount of kilometers to San Francisco. This creates latency. This isn't just unnecessary. It may be just because your transit provider doesn't have a direct connection between these two cities. Or maybe they made a routing mistake. That happens. So we get lower latency if we are directly connected to each other. An Internet Exchange also makes it more easy to connect to other networks. I always said the recurring cost of data centers. The simplified topology of an Internet Exchange looks kind of like this. We have this mystery meet me room as we call it. We have some providers. There is also a cloud service down here. It will probably be a content provider. We all have one connection into our meet me room. Instead of having connections to each other all the way. This is mostly how it looks. But there are some other things about Internet Exchanges. I would like to explain a bit on some of the characteristics. First we can have our bilateral peering. It is called also many to many. Where I connect to each and everybody I would like to peer with. But instead I go to multilateral. I have one connection to a route server. That makes sure I can connect to the other ones. As everybody else does. We have this central point. You can of course have low balancing and similar things. It is not a single point of failure. The very simple version of this is that you have one machine in here. The route server is for aggregating our control plane traffic. We don't send our traffic over the route server itself. We make sure the routes can be distributed by the route server. The advantages of this is that now we have lower maintenance. We don't need to necessarily have a lot of injuries with each and every peering client. We can connect immediately to newcomers. If we have this small network that would like to connect with me. And I don't necessarily want to pay the cost. We can connect immediately with each other. As soon as they jump on the route server. Given that I am also present. Then traffic does flow. So we don't have to go through the transit. We can also have some debugging tools. And actually see more of what is going on. The image shows how you can do it. Of how it happens. Our route server looks like this. It is a very small machine. It is also a very small space. It is like a thin client. It uses 6 watts of power. We chose this because we had it in our hands already. It is not that powerful. It can run Debian. It is fine I guess. We use the config parser called a route server. To configure our route server. This is where we keep the list of our clients. Then we generate the config that BERT uses. BERT is the program actually getting the routes in. And distributing the routes to our peers. As well as clients can also use BERT. It is a general purpose routing daemon. It is totally fine. You can use it as a route server. But you can also use it as a client. I use it as a client as well. Server hosting. For our case we have our project called Labicolo. It is our co-location facility. It is intended for small embedded devices. We use it for APIs and APUs. This is due to power restrictions. We would like to keep the cost low. This is hobby projects. We don't necessarily need beefy servers. They are also readily available. Not that expensive to have. Again, this is the same picture I used. It looks awful. We have this Cisco SK300. We use it because it was already there. Again, it is free. You can also do Mac port filtering. That is one of the requirements. One of our peering requirements. To avoid loops in the routing. You can make it more pretty than we have. You can also clean it up a bit more. Our peering policy. Every exchange has a peering policy. Just like you as a network provider. You also have some policy. I only want the traffic you mean to go to me. I don't want my neighbors traffic necessarily. I do want my neighbors traffic. But you have to pay. This is based on the local Internet exchange. Peering policy. It looks very much like it. We allow the infinite frames. IPv4, IPv6 and ARP. That is the usual suspects. We do not like proxy ARP and OSPF. And other kinds of these. We only want to know BGP stuff. We want routing and we want data traffic. We don't want a lot of... Let's for example say DCP. But we only allow one kind of routing protocol. BGP. You could use other ones. But the Internet in general uses BGP. So it makes things much more easy. Again the MAC address filtering. We also do not like that... If you connect via VPN we need the full MTU. You have to be physically present. This is not a virtual Internet exchange. These also exist to play around with network routing. They are fine. I have nothing against them. But for our case we wanted to have machines physically located. Virtual Internet exchanges have the issue of... Now you are depending on transits to somewhere. And that transit can take a long time. Still a nice place to learn if you are interested. So an Internet exchange client can also have their own policies. Here is a very high overview of how they are listed. Of some categories. Open is... We just like peering with everybody. This is when you hop on to the route server. We have the lecture where you will talk with us first. And we are usually open to this. We may have our own internal protocols that deny us this. This is where you do direct peering connections. And set up a separate entry for each and everyone. You can also have restricted. This could be a transit or a very large network. They have some security policies or similar that restrict them. That means you have to contact them and maybe you need to be a large entity. To be considered. I have seen this issue personally. With some large providers not necessarily wanting to peer. Even though a network provider did want to peer. It didn't make sense to buy transit. How do you get Internet resources allocated? I have this image of a cake. IANA owns all the Internet addresses in the world. You don't necessarily own the ones. You just get them allocated. This is the regional Internet registry. There are five of these in the world. Spread out through our world. This is RIPE in our case. Then we have the local Internet registry. From what I can understand, a RIPE specific thing. As an end user, you don't talk directly with RIPE. The local Internet registry talks with RIPE for you. If you want to be part of the RIPE NCC, you can pay the fee. For a project, it doesn't make sense. It is for network operators or people who like to pay some money. It is not cheap, but it is not that expensive. As a network operator, that could be an ISP or content provider. You want your addresses to be globally routable. This is where I say I have this content and you have your customers who want this content. The traffic should go through the Internet. I should be able to send traffic to you. Then you can handle it from there. If everything is requested to me, I need an IP address. A source IP address to send it back to. This is where the routing takes over. If you have an ISP, you don't necessarily need to have globally routed IP addresses. The reason you don't necessarily need it is that you just need to have a unique identifier for your Internet Exchange members for their own routers. You don't want it to be mixed up with anybody else in the world. This is why you request some IP addresses. It is not for hosting servers. I didn't explain the cake. IANA has all the addresses. RIPE gets a little piece of the cake. Then your local Internet registry gets a little piece of that cake. Then you get a tiny piece of the local Internet registry cake. There are a lot of addresses in the world. This is only illustrative. It is fine. I use /24 for a lot of things and /48 prefix for a lot of things. We also have the RIPE database. The object you need to create is an organization object. If you already have one for your HackerSpace, this is one thing I did wrong. We already have an organization since we do some BGP routing and announce our members. You should just use your existing org object. If you don't have one, you should create an org object. You also need maintainers. This is a list of people that get access to change your routing policy. Then a person is a person. You also need a... At least it is optional. A normal client, a network operator needs ASSETs. This is where your routing policy lies. You don't need it for an Internet exchange. It is recommended if someone filters for these kinds of things. This is where we look into are you allowed to announce XYZ prefix. XYZ is a number, not a prefix. That is called a route object if you want to tie a prefix and an AS number together. I couldn't find any of this. It was just a thing I learned. You need to give the name of your Internet exchange. They will ask you if you want a route server as soon as you say you want an Internet exchange. Then you say yes, but then you also need to have some... There are also some requirements. For a route server, you need an AS number. Your peers need to connect to the route server. This cannot be a private resource. One thing is that you should request a 16-bit AS number. They are available if you ask directly for them. We are running out. By default, you will be assigned a 32-bit AS number. It does not matter in most cases if you just take your Linux machine and put it up. However, if someone brings a really old machine, they do want a 16-bit AS number. They were just not set up for 32-bit, so it won't work. A bonus is that a Danish number plate also fits on a 16-bit AS number. I have really been considering buying one and putting it up on our rack. Stupid things. Then you will also be asked if you need prefixes. Then you say yes, please. So, RIPE does not give IPv4 addresses out to be globally routed. There is a long, long waiting list. We have been exhausted the IPv4 space for a long time. That is why you say yes, this is not to be routed. This is specifically to be announced within our pre-regulation. This is the actual message I was sent. I said yes. You should give these printers already and they will do pretty good. Also, what size do you want of addresses? You have to confirm that your COLO facility actually has connectivity. I guess it makes sense. I just didn't think of that. I had to scramble and ask three people where this is. A few days later, I could get hold of it. A lot of delays you can actually avoid to get hold of your contract. Again, the magic number was three customers. If you have more than that, you are good. But if you have less, then you need one more. If you have two people, you can peer with each other. It doesn't make sense to set up all these and all the administration. They don't need to be connected directly at that time you set it up. They need to agree and say yes, I will definitely join as soon as I can. We also need to give the postal address. The address is apparently able to receive mail and then a contact person. Their organization and phone number. I was just casually writing emails, so I didn't really think of these. But they are pretty good pointers. How do you find a local internet registry? You ask your local network wizard. I have a few, not that many, but they know the magic of the internet. This is also where I got pointed to the free transit project when I got my own AS number. It's a nice project from Open Factory. There are some really nice people behind it. There are also people behind it that are on this camp. I hear there will also be an internet exchange by some of them. Run on the camp soon, hopefully. Yes, I have a bias that I personally know some of them. But if you want to find a local internet registry service, you hop into your search engine and you search for that term. Some people are happily taking your money to facilitate this. It doesn't really cost that much to get started. For me it was 25 euros, personally. It's fine. If it's another project, then you need to... If it's a commercial actor, then you probably need to pay a bit more. Similar projects are all the community-run internet exchanges in the world. There are commercial actors, many. But a lot of the internet exchanges are just some networking people meeting over a beer and saying, "Yes, we need this." And they made this. There's also some hosting facilities. KoloKlo in Amsterdam, that's case-based, a commercial rack. Then we also have a VGP.WTF in Warsaw, HackerSpace. Regional Learn in Berlin also exists, and also can provide some VGP things. This is not internet exchanges, but these are places that do network routing. And may also have some people that can point in the right directions. I have probably missed a lot of nice projects, but this is the ones I found. I would like to say thank you to my collaborators. This was actually a school project. I managed to get ECTS points for it anyway. Olivia and Daniel, we have created this together. Then we also have Jowe from Street Transit Projects, who really help with all the right things. It was a whole new land for me. And then we also have Asperon, my local network wizard, for sharing a lot of knowledge and a lot of pointers. Here are some good resources. I found PNGDB and BGP tools. I use them almost every day. I would encourage you to go to your local network operator meetup. In Denmark it's called DKNOG, and in Germany it's called DENOG. Lots of nice people. You can meet a lot of nice people, and usually if you say I will buy you a beer, then they will explain the whole thing to you on whatever subject you want. We also have the RIPE Academy. This really helped me in understanding IPv6 and BGP security. They are actually pretty nice. You can also get a certificate if you want. That costs some money though. But you can take the courses for free. That's a bit more. We have the Network Startup Research Center. That's also helped me. We have NLNOG with their PNG, BGP Filter Guide, and NLNOG Ring for search. How does the internet reach you? Then we have Eurex with their B-Cops and their wishlist on what to buy. The $1000 Internet Exchange presentation on how shitty hardware can you buy. It turns out we can buy really shitty hardware, from my experience. If you want to find us, we actually have a self-organization called BGP Enable Hacker Spaces at Shell 4 here at 17 today. You can also meet me at Bornhack Village and also at Bornhack next year. Or you can meet us in Labitat. We would very gladly talk to you. We also have a website. We have a PNG DPA entry, of course. If you want to write an email, throw it at me. If someone is interested in sponsoring this, I paid everything out of my own money. It was doable, but I'm a student, so money is limited. We very much like stickers. That is a huge shortage. Perhaps a second uplink on hardware. The next thing we want to look at is... I should definitely look at getting up a looking glass. Participants can see how it works, how their routing happens. It's a small Internet exchange, so ARP is not that large right now. It's not a problem right now, but it can become a problem. There's a lot of ARP broadcasts when you have Internet exchanges. We need more documentation. I would like to set up RPKI relay. I've set it up personally, but not at the IX. We have already filled our own uplink, so it's not that much of a problem. Thank you for listening. This was my talk. Hopefully there are a few questions. Exactly. Some time for Q&A. If there are any questions, please put your hands up. I'm going to repeat them for the audience online. Yes? Just a second. Thank you so much. The peers you're peering with, are they located in the same building? Or are they having a fiber directly to you, or a wavelength on a fiber, or how do you connect to your peers physically? Let me spool up a tiny bit. If you look up in the imaginary north of the image, there are all the machines. They're all connected by... Yes, they're physically present. Everybody has a APU2, Raspberry Pi, or small machines that are physically present. So your peers are only in the same building? Yes. So you're not peering with other networks? No, that would be very nice, but it's also a small project. Next question. Do you know of any DIY internet access providers or hosting providers in Denmark that you could peer with or connect with? Network providers? Most are happy to peer with you, given that you're present at a place they are present. If you go to one of the larger data centers in Denmark, most definitely yes. Many have an open peering policy and you can just go right ahead. It requires a bit of money to get into a data center though. So that's why sponsoring is so important, am I right? Yes, you need some sponsoring. Any other questions? We have time for one more, if there are any. If not, you can probably find him in the Bornheg village and you can ask him some more, especially if it's like private questions because you want to do the same project. Thank you everyone for listening. Big applause. [MUSIC PLAYING] (upbeat music)