Domain: quagga.net
Stories and comments across the archive that link to quagga.net.
Comments · 22
-
Have you heard of routing protocols?
Have you heard of Quagga? It's a fork of GNU Zebra. It's a suite of Linux software that manages routing with protocols like RIP1&2, EIGRP, OSPF, BGP...
But, I'll warn you now, you're much better off running a dedicated routing box with a distribution like VyOS, a fork of Vyatta, rather than using a desktop system for a router.
What I'm trying to say is ha this article is a waste of time, even to n00bs advertisement peddlers. Also, Soulskill doesn't have a clue what routing is.
-
Not speaking from experience...
Maybe this will work for you. On my linux box, I entered `yum search ospf` and it came back with a package called 'quagga'. I did a Google search and found they have a website. According to the website, they support OSPF and BGP.
-
What about Anonet?
There's a project called Anonet that has developed a similar wrapper infrastructure.
Anonet is a "virtual Internet" that utilizes OpenVPN and Quagga to provide a layer of anonymity and deniability on top of the Internet. It uses a chaotic yet cooperative routing scheme which allows anyone to use any IP address while still maintaining their existing Internet connection.
It has everything on it that the Internet does: torrent trackers, web servers, FTP servers, DNS infrastructure, PGP keyservers, IM, IRC, streaming audio, game servers, etc. All Internet-aware applications should work fine as Anonet is simply an addition to your operating system's routing table.
-
I've already solved this problem at work
At work, we use IPv6 for our VPN, and IPv4 for Internet access. All the separate LANs are using private IPv4 addressing, using NAT with static IPs on the external interfaces; OpenWRT-based routers (take a $70 ASUS router and re-flash it with Linux); and tinc VPN software to link the routers together with a private (unique local address) IPv6 subnet. Furthermore, I run a SixXS tunnel at our main server farm that lets me provide IPv6 Internet access to all the sites via the VPN: hence I have both public and private IPv6 subnets running concurrently. If you want automatic routing, you can use Quagga to set interface addresses, do route advertising, and use OSPFv3 or RIPng to manage the subnets.
http://www.openwrt.org/
http://www.tinc-vpn.org/examples/ipv6-network
http://www.wolfsheep.com/index.php/Bookmarks/IPv6
http://en.wikipedia.org/wiki/Unique_local_address
http://www.quagga.net/
-
It exists already
It's tested, mature
.. forked and works well with a number of protocols.
http://www.quagga.net/
-
Re:Psiphon looks good...
Just to add to your list: anoNet
Unlike the others you listed, anoNet is a full IP network built using standard OSS tools (OpenVPN and Quagga being the heart of the network).
It is far from perfect at giving absolute anonymity at the software level; it requires you to use some common sense. On the plus side, *you* get to decide who you trust and how much you trust them. Like TOR, the more people that are a part of anoNet, the more anonymous the network becomes. Think of the network in terms of old school BBSs.
If you are looking to join a network and just find loads of warez/porn/etc. anoNet is probably not for you. There is nothing to stop someone from hosting a warez site, and inside the network you are pretty darn safe. The reason you won't just find a huge stash is the fact that the network was built by people that believe in their privacy / right to free speech above all else. We are a bunch of network admins / Unix admins / programmers. Obviously we have no reason to pirate software since *nix is our OS of choice.
anoNet is what we call a Democratic Anarchy. There is a nice page on our wiki (inside the network) on what that means, but it is way too much to define here. Bottom line there is no kiddie porn, there will be no kiddie porn and don't bother connecting if you want to debate how not allowing kiddie porn is censorship. We picked a line, that line was kiddie porn and we stick to it.
Windows users are more than welcome. Because there is no BGP implementation for Windows, Windows users can't "natively" be routers, they can get a static IP (or a whole subnet) however. We have a coLinux image that can get you up and running if you really wanted to be a router.
Lastly, we are willing to help you learn. I can't express that enough. If you want to learn about networking or any other aspect of the network, we are all willing to help if you are genuinely interested. If you just want to setup a node and be a part of the network, that is fine also.
Anyway, hope this post tickled the imaginations of at least a few people. If you decide to connect, use a pseudonym that you have never used anywhere else.
-
Re:Speaking as a fulltime Free Software zealot
Eh,
http://www.quagga.net/
http://off.net/~jme/vrrpd/
http://sourceforge.net/projects/vrrpd/
Too bored to finish feeding you today...
-
Re:Well the top three questions I'd have
Something that I haven't seen anyone point out yet:
This has been done for YEARS and YEARS already.
When I worked at a small webhosting company, we did our own routing. We did it with RedHat + zebra + BGPD + cyclades PC300 cards + Motorola CSU/DSU's. All the people we bought bandwidth from had no idea what the blind hell we were doing, but they were all amazed at how well it worked.
- Zebra GNU Routing software (emulates IOS)
- Quagga (Zebra, but more up to date and maintained by people who accept outside input)
- BGPD - Supports BGP-4 and multi-homing.
- Motorola FT100 CSU/DSU (we had the ones with V35's on the back, and custom pinned cables to translate into the 24 pin serial interface on the T1/E1 cards)
- Cyclades PC300 (we had the PC300/TE-2, I believe, with 2x 24 pin serial ports which required adapters from V.35 out of the back of the CSU/DSU)
The X-factor here is the Cyclades card. Apparently, and I didn't know this when I started writing this post, Cyclades (aside from shifting their site to a webserver on someone's AOL 14.4 modem) has stopped selling WAN cards. I would assume someone has taken up the slack, but whatever.
Anyway, we had 5 T-1's, and this gave us 5 HDLC interfaces, which the linux kernel supports ever since 2.4.something, maybe 2.4.12. We also had our lan port, eth0. I think we had a DMZ on eth1, and then the loopback. Bwm (now bwm-ng) was able to read all the interfaces.
Interestingly enough, since all of our software was open source, we were able to correct an interesting BGP-related problem. We bought bandwidth from "X" tier-1 bandwidth company, and also from "Y" tier-2 bandwidth company. Company "Y" purchased their bandwidth in large part from company "X", so in essence, we were adding an obfuscation step by having the reseller in the picture (but, they offered a lower price, about half). Anyway, BGP is set up to allocate routes to the shortest AS pathlength. That meant that every route that was destined to hit network "X" got routed through network "X"'s T-1 line, and not through the 2 T-1's we had from brand "Y" - essentially we ended up saturating X, and never using Y, due to the way BGP worked. We ended up trying lots of things - prepending our AS paths for the X routes, etc, but eventually one of my coassociates decided to just hack the zebra code.
I wish we had released it GPL, but the main programmer had said he didn't feel it was well documented enough and certainly used some unclean workarounds (like reading bandwidth stats from ifconfig and not from /proc), so we didn't release it. But, essentially, he found a way to manually allocate routes, by percentage, onto unused T-1's, so we didn't ever get to a situation where we were slamming one T-1, and had 4 un-used. Then, he went on to create a set of sub-routines whereby it would read traffic statistics to properly route traffic based on percentage of bandwidth used versus other links and available overhead. It resulted in a routing system we almost never had to touch, which automatically made the most economical use of our outgoing bandwidth, ensuring that customers always got the most unsaturated link, even if it was longer by one or two hops.
In the end, we even had the ability via configuration files to add an interface, specify its maximum thruput, and the routing system would automatically take that into account when doing auto route allocation. All because the code was open.
No, this open routing stuff isn't new.
~Will
-
Re:XORP + Click
(Quagga, Zebra and MRT are all dead, and GateD was withdrawn).
Not true, Quagga is actively maintained. How on earth did you get the idea it was dead, that concerns me a lot (are you simply mistaken, or is there something we need to fix?)
regards,
--paulj
-
The only way to do work
I work in a large telco whose security policy is to restrict everything unless explicitly allowed, and the process to get anything allowed is a 3 month long waste of time.
I also have an ssh tunnel established from my work PC to my home connection, and I run pppd over that to create a VPN between my home network and the network at work. I realise that this is probably completely against company policy, but the "official" VPN solution only lets me hit the Exchange server, and doesn't let me actually do any work. Most of the company's "work" involves forwarding emails, so it's probably fine for them.
Unfortunately tcp over tcp is really quite nasty (http://sites.inka.de/sites/bigred/devel/tcp-tcp.html) but as nothing else but ssh is allowed out of the firewall at work, I don't have a lot of choice.
A howto that I found quite helpful is at http://www.tldp.org/HOWTO/ppp-ssh/
Anyway.. on to my anecdote (not required reading):
Part of my job involves working on a distributed monitoring system which is deployed in a star topography around the country. All the remote sites send & receive data from one central site (with one redundant central site) using a variety of protocols, like ssh, xmlrpc, dns, telnet, snmp, syslog, etc.
The network was designed by people who were given a set of instructions like "You will use these 2 vendors' systems" and "You must follow these corporate security policies which were written 10 years ago for phone networks", so it's terrible by today's standards (and for an ISP in general).
There are firewalls between all of my boxes, even though all my boxes are on the management lan, and they only allow a very small set of protocols through - not enough to let my software work. That wasn't the worst part. The worst was that the firewalls are also protecting the billing network so have very low tolerances for intrusion detection and flood protection and such. Basically I can only establish 5 connections per second *across the entire network*. This is clearly not enough for a busy monitoring system. So we decided to build a VPN between all of my boxes using ppp on ssh tunnels.
I now have a separate ppp interface from the central server to each of the remote datacenter servers, all on the 10.0.0.0/16 network. ip forwarding is enabled on the central site, so now remote datacenters can talk to each other (also blocked by the firewalls) and I can use all the connections I need to. I'm running quagga ( http://www.quagga.net/ ) on every remote datacenter and the central servers (along with the redundant one) so I can distribute routes to remote datacenter devices and cope with the death of one of the central servers without major service interruption.
However it really is quite slow. I can only get around 200kb/s over each ppp interface even though the physical links are 100+mbit each. But I really don't need huge bandwidth, just some that isn't firewalled.
This "solution" has been in production for 6 months now, and I'm sure as soon as the corporate security people find out they will shut it down and I'll go back to not being able to do my job.
-
Re:nessus is dead, long live gnessus?
This has also happened with Zebra (http://www.zebra.org/) and Quagga (http://www.quagga.net/) amongst others. Despite a piece of software being released under an open license, either BSD-style or GNU-style, if the community feels that an individual or single organisation has some sense of "ownership", then it seems reluctant to contribute. This has been seen with OpenOffice.org. Even projects such as OpenBSD may suffer from this to a certain extent.
-
There are ways to play it safe...
When dealing with oppressive governments there are ways to play it safe. Even if you *THINK* you are playing by the rules why take a chance.
There was a very good concept someone came up with several years ago to build an encrypted network on top of the internet. Myself and a few others decided to put forth the time and resources needed to bring it to fruition. What we ended up with is anoNet.
Most of the info about the layout of the network is available at that link, but here is the "quick and dirty".
We took OpenVPN, combined it with Quagga, then used IANA reserved address space to build a fault tolerant, encrypted, anonymous network. The basic premise is that you only know the IPs of your peers. On top of that you make sure that the people that you peer with are in countries that are not on the best of terms when it comes to cooperating with law enforcement. IE: China -> US. This network is _primarily_ used for two purposes: 1 - We are a self contained (for lack of a better word) Darknet. We have root DNS servers, a search engine (mnogosearch), email (webmail if someone doesn't want to run their own), IM (jabber), Web servers (with the ability to post anonymous content, and by anonymous, I mean anonymous even from the people INSIDE anoNet), FTP servers, IRC, News servers, Asterisk VOIP (although this is still in testing), Proxy servers, etc..etc.. We have taken great pains to re-implement the internet but with anonymity and encryption in mind. 2 - To provide users in countries that restrict internet access (China) the ability to browse (proxy) in a secure, safe manner.
I was going to throw a few common questions and answers in here but this post is long enough. If you want more info we have a nice Wiki setup to handle just about any questions you could have (but you have to connect to access it).
Bottom line if the people mentioned in this article had been using our mail relays / proxies this wouldn't be an issue right now. If people in (supposedly) less oppressive countries want to make a difference in the world, then donate a little time and bandwidth to the cause instead of blowing up countries.
-
Re:Zebra
-
Re:I'm sure Cisco is just terrified. . .
so Sun and MS will have no problem taking it proprietary when it's good enough.
Sun integrated GNU Zebra into Solaris 10 and contribute quite a lot to the development of Quagga.
-
XORP vs. Quagga?
XORP doesn't actually route packets, it just controls the kernel routing table and speaks dynamic routing protocols like any other route daemon. Any word on how it compares with Quagga?
(Not that I could immediately replace Quagga with XORP here anyway - we use OSPF.)
-
Other alternatives: quagga
There are other routing software alternatives, such as Zebra, bird, openbgpd and quagga (fork from Zebra).
I find quagga stable and a good replacement for some SOHO Cisco equipment, but nothing else.
-
Re:For a broader knowledge see also this
Hasn't Zebra been succeeded by Quagga? [quagga.net]
I ask out of curiosity more than anything else - Debian unstable and testing use Quagga instead of Zebra...
-
Re:This is so obvious
> MRT and Zebra are now fast-decaying abandoned projects
I do not follow routing software very near, but you have some alternatives out there:
- Zebra
- Quagga
- Bird
>The only Open Source software router I can find is Click
Check these ones:
- LiberRouter
- openrouter
-
Quagga
-
No mention of Quagga/Zebra?
Ironic that there is no mention of Quagga or Zebra (that I can see) in either the XORP website, or the CNET article.
Zebra has been around for a long time now, and is pretty good. Due to the slow release cycle, Quagga forked the codebase, and so there are updated releases. Unfortunately neither project has seen fit to hit the magic 1.0 release.
- Ivan
-
Re:check out zebra
Zebra is nice, but it is unmaintained. Consequently, it was forked and taken over. It is now called Quagga
Kyle
-
Zebra
Can anyone say Zebra? Which is not maintained actively (make that at all) anymore because the main 'developer' is working on a commercial variation called ZebOS.
But fortunately after almost a year of quarrelling we now have the PJ fork called Quagga or mirrored at quagga.ch. So long for official GNU projects ;)