56a87f9d676a1d90143ec42e6c84b9e099fbd729
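--- a/howto/Bird2.md
+++ b/howto/Bird2.md
@@ -1,10 +1,10 @@
-This guide is similar to the normal [Bird](/historical/Bird) guide in that it provides you with help setting up the BIRD routing daemon, with the difference that this page is dedicated to versions 2.x.
-
-# Arch Linux
+# Installation notes
+This page is applicable to bird versions 2.x
+## Arch Linux
 
 The `extra/bird` package in the arch repositories will usually have a relatively recent version and there is (usually) no need for a manual install over the usual `# pacman -S bird`.
 
-# Bird2 Version <2.0.8 / Debian
+## Bird2 Version <2.0.8 / Debian
 
 Please note, that Bird2 versions before 2.0.8 don't support IPv6 extended nexthops for IPv4 destinations (<https://bird.network.cz/pipermail/bird-users/2020-April/014412.html>).
 Additionally Bird2 before 2.0.8 cannot automatically update filtered bgp routes when an used RPKI source changes.
@@ -146,6 +146,7 @@ template bgp dnpeers {
 import filter {
 if is_valid_network() && !is_self_net() then {
 if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
+# Reject when unknown or invalid according to ROA
 print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
 reject;
 } else accept;
@@ -153,20 +154,21 @@ template bgp dnpeers {
 };
 
 export filter { if is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
-import limit 1000 action block;
+import limit 9000 action block;
 };
 
 ipv6 {
 import filter {
 if is_valid_network_v6() && !is_self_net_v6() then {
 if (roa_check(dn42_roa_v6, net, bgp_path.last) != ROA_VALID) then {
+# Reject when unknown or invalid according to ROA
 print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
 reject;
 } else accept;
 } else reject;
 };
 export filter { if is_valid_network_v6() && source ~ [RTS_STATIC, RTS_BGP] then accept; else reject; };
-import limit 1000 action block;
+import limit 9000 action block;
 };
 }
 
@@ -269,7 +271,7 @@ ROA files generated by [dn42regsrv](https://git.burble.com/burble.dn42/dn42regsr
 | <https://dn42.burble.com/roa/dn42_roa_bird2_4.conf> | IPv4 Only | Bird2 format |
 | <https://dn42.burble.com/roa/dn42_roa_bird2_6.conf> | IPv6 Only | Bird2 format |
 
-ROA files generated by [roa_wizard](https://git.dn42.dev/Kioubit/roa_wizard) are available:
+ROA files generated by [roa_wizard](https://git.dn42.dev/Kioubit/roa_wizard) are available from kioubit.dn42:
 
 |URL| IPv4/IPv6 |Description|
 |---|---|---|
@@ -282,21 +284,8 @@ ROA files generated by [roa_wizard](https://git.dn42.dev/Kioubit/roa_wizard) are
 You can add cron entries to periodically update the tables:
 
 ```conf
-*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && chronic birdc6 configure
-*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && chronic birdc configure
-```
-
-Debian version:
-
-```conf
-*/15 * * * * curl -sfSLR -o/var/lib/bird/bird6_roa_dn42.conf -z/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && /usr/sbin/birdc6 configure
-*/15 * * * * curl -sfSLR -o/var/lib/bird/bird_roa_dn42.conf -z/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && /usr/sbin/birdc configure
-```
-
-then create the directory to make sure curls can save the files:
-
-```sh
-mkdir -p /var/lib/bird/
+*/15 * * * * curl -sfSLR {-o,-z}/etc/bird/roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird2_4.conf && birdc configure > /dev/null
+*/15 * * * * curl -sfSLR {-o,-z}/etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf && birdc configure > /dev/null
 ```
 
 Or use a systemd timer: (check the commands before copy-pasting)
@@ -308,8 +297,8 @@ Description=Update DN42 ROA
 
 [Service]
 Type=oneshot
-ExecStart=curl -sfSLR -o /etc/bird/roa_dn42.conf -z /etc/bird/roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird2_4.conf
-ExecStart=curl -sfSLR -o /etc/bird/roa_dn42_v6.conf -z /etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf
+ExecStart=curl -sfSLR {-o,-z}/etc/bird/roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird2_4.conf
+ExecStart=curl -sfSLR {-o,-z}/etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf
 ExecStart=birdc configure
 ```
 
@@ -396,14 +385,3 @@ protocol rpki rpki_dn42{
 expire keep 172800;
 }
 ```
-
-## Filter configuration
-
-In your import filter add the following to reject invalid routes:
-
-```conf
-if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
-print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
-reject;
-}
-```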
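Review bot: The rewritten `ExecStart=` lines in the `@@ -308,8 +297,8 @@` hunk will not work as written, because systemd runs ExecStart without a shell and `{-o,-z}` is a bash brace expansion, so curl receives the literal argument `{-o,-z}/etc/bird/roa_dn42.conf`; the explicit form this commit removes was the correct one for a unit file, i.e. `ExecStart=curl -sfSLR -o /etc/bird/roa_dn42.conf -z /etc/bird/roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird2_4.conf` and the matching `roa_dn42_v6.conf` / `dn42_roa_bird2_6.conf` line. The cron entries in the `@@ -282,21 +284,8 @@` hunk likely have the same problem, since cron runs commands through /bin/sh unless SHELL is set in the crontab and a POSIX sh such as dash does not expand braces; the removed "Debian version" spelled the options out for exactly that reason, so either restore it or add a note that the brace form requires bash. The consequence of the literal argument is that the ROA file is never refreshed and, because of the `&&`, `birdc configure` never runs, so the router keeps filtering on a stale ROA table; this fails closed but is easy to miss unless cron mail or the unit's journal is monitored, and `> /dev/null` on the cron line further hides birdc's output.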