e6bdcea327b8b0f493ee9394717cf5852efeda93
howto/Bird.md
... | ... | @@ -356,6 +356,49 @@ protocol bgp <PEER_NAME> from dnpeers { |
356 | 356 | Communities can be used to prioritize traffic based on different flags, in DN42 we are using communities to prioritize based on latency, bandwidth and encryption. It is really easy to get started with communities and we encourage all of you to get the basic configuration done and to mark your peerings with the correct flags for improved routing. |
357 | 357 | More information can be found [here](/howto/Bird-communities). |
358 | 358 | |
359 | +# Route Origin Authorization |
|
360 | + |
|
361 | +Route Origin Authorizations should be used in BIRD to authenticate prefix announcements. These check the originating AS and validate that they are allowed to advertise a prefix. |
|
362 | + |
|
363 | +## ROA Tables |
|
364 | + |
|
365 | +The ROA table can be generated from the registry directly or you can use the following pre-built ROA tables for BIRD (generated every 30 mins from the registry): |
|
366 | + |
|
367 | +https://dn42.tech9.io/roa/bird_roa_dn42.conf |
|
368 | +https://dn42.tech9.io/roa/bird6_roa_dn42.conf |
|
369 | + |
|
370 | +The files above are maintained by **chrismoos**, contact him on IRC if there are any issues. |
|
371 | + |
|
372 | +### Updating ROA tables |
|
373 | + |
|
374 | +You can add cron entries to periodically update the tables: |
|
375 | + |
|
376 | +``` |
|
377 | +*/15 * * * * curl -sL -o "/etc/bird/bird6_roa_dn42.conf" "https://dn42.tech9.io/roa/bird6_roa_dn42.conf" && birdc6 configure |
|
378 | +*/15 * * * * curl -sL -o "/etc/bird/bird_roa_dn42.conf" "https://dn42.tech9.io/roa/bird_roa_dn42.conf" && birdc configure |
|
379 | +``` |
|
380 | + |
|
381 | +## Filter configuration |
|
382 | + |
|
383 | +In your import filter add the following to reject invalid routes: |
|
384 | + |
|
385 | +``` |
|
386 | +if (roa_check(dn42_roa, net, bgp_path.last) = ROA_INVALID) then { |
|
387 | + print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last; |
|
388 | + reject; |
|
389 | +} |
|
390 | +``` |
|
391 | + |
|
392 | +Also, define your ROA table with: |
|
393 | + |
|
394 | +``` |
|
395 | +roa table dn42_roa { |
|
396 | + include "bird_roa_dn42.conf"; |
|
397 | +}; |
|
398 | +``` |
|
399 | + |
|
400 | +**NOTE**: Make sure you setup ROA checks for both bird and bird6 (for IPv6). |
|
401 | + |
|
359 | 402 | # Useful bird commmands |
360 | 403 | |
361 | 404 | bird can be remote controlled via the `birdc` command. Here is a list of useful bird commands: |
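Review bot: the cron entries `*/15 * * * * curl -sL -o "/etc/bird/bird_roa_dn42.conf" "..." && birdc configure` (and the bird6 twin above it) download without `-f`, so an HTTP error page returned by the mirror is written into the live ROA file with exit status 0 and `birdc configure` is then run against HTML, which fails to parse and leaves a config that will not load on the next restart. Suggest downloading to a temporary file on the same filesystem and only replacing the live file after curl reports success, e.g. `curl -sfL -o /etc/bird/bird_roa_dn42.conf.tmp "https://dn42.tech9.io/roa/bird_roa_dn42.conf" && mv /etc/bird/bird_roa_dn42.conf.tmp /etc/bird/bird_roa_dn42.conf && birdc configure`. Two documentation points in the same hunk: the filter `if (roa_check(dn42_roa, net, bgp_path.last) = ROA_INVALID) then { ... reject; }` rejects only invalid routes, so prefixes with no ROA entry (`ROA_UNKNOWN`) are still accepted and the text should say so; and since the final NOTE asks for ROA checks in both bird and bird6, the bird6 config needs its own `roa table` that includes `bird6_roa_dn42.conf` rather than the `bird_roa_dn42.conf` shown in the `roa table dn42_roa { ... }` block, which is worth spelling out.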
... | ... | @@ -405,4 +448,3 @@ bird> show route export <somepeer> # shows the route you export to someone |
405 | 448 | # External Links |
406 | 449 | * detailed bird configuration from Mic92: https://github.com/Mic92/bird-dn42 |
407 | 450 | * more bgp commands: http://danrimal.net/doku.php?id=wiki:bgp:bird:postupy |
408 | - |