Add historical section

+ * [BGP communities](/howto/BGP-communities)

+ * [Bird2](/howto/Bird2)

+* Historical

+ * [Bird 1](/historical/Bird) /

+

+Bird is a commonly used BGP daemon. This page provides configuration and help to run Bird for dn42.

+Compared to quagga, bird supports multiple routing tables, which is useful, if you also plan to peer with other federated networks such as freifunk. In the following a working configuration for dn42 is shown. If you

+want to learn the practical details behind routing protocols in bird, see the following [guide](https://github.com/knorrie/network-examples)

+

+**Bird 1.6.x will be EOL by the end of 2023, it's recommended to upgrade to 2.13.**

+

+# Debian

+In the Debian release cycle the bird packages may become outdated at times, if that is the case you should use the official bird package repository maintained by the developers of nic.cz.

+

+This is not necessary for Debian Stretch, which currently ships the most recent version (1.6.3) in this repositories.

+

+```sh

+echo "deb http://deb.debian.org/debian buster-backports main" > /etc/apt/sources.list.d/buster-backports.list

+apt update

+apt install bird

+```

+

+# Example configuration

+

+Note: This file covers the configuration of Bird 1.x. For an example configuration of Bird 2.x see [howto/Bird2](/howto/Bird2)

+

+* Replace `<AS>` with your Autonomous System Number (only the digits)

+* Replace `<GATEWAY_IP>` with your gateway ip (the internal dn42 ip address you use on the host, where dn42 is running)

+* Replace `<SUBNET>` with your registered dn42 subnet

+* Replace `<PEER_IP>` with the ip of your peer who is connected with you using your favorite vpn protocol (openvpn, ipsec, tinc, ...)

+* Replace `<PEER_AS>` the Autonomous System Number of your peer (only the digits)

+* Replace `<PEER_NAME>` a self chosen name for your peer

+

+## IPv6

+

+```conf

+#/etc/bird/bird6.conf

+protocol device {

+ scan time 10;

+}

+

+# local configuration

+######################

+

+include "/etc/bird/local6.conf";

+

+# filter helpers

+#################

+

+##include "/etc/bird/filter6.conf";

+

+# Kernel routing tables

+########################

+

+

+/*

+ krt_prefsrc defines the source address for outgoing connections.

+ On Linux, this causes the "src" attribute of a route to be set.

+

+ Without this option outgoing connections would use the peering IP which

+ would cause packet loss if some peering disconnects but the interface

+ is still available. (The route would still exist and thus route through

+ the TUN/TAP interface but the VPN daemon would simply drop the packet.)

+*/

+protocol kernel {

+ scan time 20;

+ import none;

+ export filter {

+ if source = RTS_STATIC then reject;

+ krt_prefsrc = OWNIP;

+ accept;

+ };

+}

+

+# static routes

+################

+

+protocol static {

+ route <SUBNET> reject;

+ import all;

+ export none;

+}

+

+template bgp dnpeers {

+ local as OWNAS;

+ path metric 1;

+ import keep filtered;

+ import filter {

+ if is_valid_network() && !is_self_net() then {

+ accept;

+ }

+ reject;

+ };

+ export filter {

+ if is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then {

+ accept;

+ }

+ reject;

+ };

+ import limit 1000 action block;

+}

+

+include "/etc/bird/peers6/*";

+```

+

+```conf

+# /etc/bird/local6.conf

+# should be a unique identifier, use same id as for ipv4

+router id <GATEWAY_IP>;

+

+define OWNAS = <AS>;

+define OWNIP = <GATEWAY_IP>;

+

+function is_self_net() {

+ return net ~ [<SUBNET>+];

+}

+

+function is_valid_network() {

+ return net ~ [

+ fd00::/8{44,64} # ULA address space as per RFC 4193

+ ];

+}

+```

+

+```conf

+# /etc/bird/peers6/<PEER_NAME>

+protocol bgp <PEER_NAME> from dnpeers {

+ neighbor <PEERING_IP> as <PEER_AS>;

+ # if you use link-local ipv6 addresses for peering using the following

+ # neighbor <PEERING_IP> % '<INTERFACE_NAME>' as <PEER_AS>;

+};

+```

+

+### IPv4

+

+```conf

+# /etc/bird/bird.conf

+# Device status

+protocol device {

+ scan time 10; # recheck every 10 seconds

+}

+

+protocol static {

+ # Static routes to announce your own range(s) in dn42

+ route <SUBNET> reject;

+ import all;

+ export none;

+};

+

+# local configuration

+######################

+

+# keeping router specific in a seperate file,

+# so this configuration can be reused on multiple routers in your network

+include "/etc/bird/local4.conf";

+

+# filter helpers

+#################

+

+##include "/etc/bird/filter4.conf";

+

+# Kernel routing tables

+########################

+

+/*

+ krt_prefsrc defines the source address for outgoing connections.

+ On Linux, this causes the "src" attribute of a route to be set.

+

+ Without this option outgoing connections would use the peering IP which

+ would cause packet loss if some peering disconnects but the interface

+ is still available. (The route would still exist and thus route through

+ the TUN/TAP interface but the VPN daemon would simply drop the packet.)

+*/

+protocol kernel {

+ scan time 20;

+ import none;

+ export filter {

+ if source = RTS_STATIC then reject;

+ krt_prefsrc = OWNIP;

+ accept;

+ };

+};

+# DN42

+#######

+

+template bgp dnpeers {

+ local as OWNAS;

+ # metric is the number of hops between us and the peer

+ path metric 1;

+ # this lines allows debugging filter rules

+ # filtered routes can be looked up in birdc using the "show route filtered" command

+ import keep filtered;

+ import filter {

+ # accept every subnet, except our own advertised subnet

+ # filtering is important, because some guys try to advertise routes like 0.0.0.0

+ if is_valid_network() && !is_self_net() then {

+ accept;

+ }

+ reject;

+ };

+ export filter {

+ # here we export the whole net

+ if is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then {

+ accept;

+ }

+ reject;

+ };

+ import limit 1000 action block;

+ #source address OWNIP;

+};

+

+include "/etc/bird/peers4/*";

+```

+

+```conf

+#/etc/bird/local4.conf

+# should be a unique identifier, <GATEWAY_IP> is what most people use.

+router id <GATEWAY_IP>;

+

+define OWNAS = <AS>;

+define OWNIP = <GATEWAY_IP>;

+

+function is_self_net() {

+ return net ~ [<SUBNET>+];

+}

+

+function is_valid_network() {

+ return net ~ [

+ 172.20.0.0/14{21,29}, # dn42

+ 172.20.0.0/24{28,32}, # dn42 Anycast

+ 172.21.0.0/24{28,32}, # dn42 Anycast

+ 172.22.0.0/24{28,32}, # dn42 Anycast

+ 172.23.0.0/24{28,32}, # dn42 Anycast

+ 172.31.0.0/16+, # ChaosVPN

+ 10.100.0.0/14+, # ChaosVPN

+ 10.127.0.0/16{16,32}, # neonetwork

+ 10.0.0.0/8{15,24} # Freifunk.net

+ ];

+}

+```

+

+```conf

+# /etc/bird/peers4/<PEER_NAME>

+protocol bgp <PEER_NAME> from dnpeers {

+ neighbor <PEERING_IP> as <PEER_AS>;

+};

+```

+

+# Bird communities

+

+Communities can be used to prioritize traffic based on different flags, in DN42 we are using communities to prioritize based on latency, bandwidth and encryption. It is really easy to get started with communities and we encourage all of you to get the basic configuration done and to mark your peerings with the correct flags for improved routing.

+More information can be found [here](/howto/BGP-communities).

+

+# Route Origin Authorization

+

+Route Origin Authorizations should be used in BIRD to authenticate prefix announcements. These check the originating AS and validate that they are allowed to advertise a prefix.

+

+## ROA Tables

+

+The ROA table can be generated from the registry directly or you can use the following pre-built ROA tables for BIRD:

+

+ROA files generated by [dn42regsrv](https://git.burble.com/burble.dn42/dn42regsrv) are available from burble.dn42:

+

+|URL|&nbsp;IPv4/IPv6&nbsp;|Description|

+|---|---|---|

+| <https://dn42.burble.com/roa/dn42_roa_46.json> &nbsp; | &nbsp;Both&nbsp; | JSON format for use with RPKI |

+| <https://dn42.burble.com/roa/dn42_roa_bird1_46.conf> &nbsp; | &nbsp;Both&nbsp; | Bird1 format |

+| <https://dn42.burble.com/roa/dn42_roa_bird1_4.conf> &nbsp; | &nbsp;IPv4 Only&nbsp; | Bird1 format |

+| <https://dn42.burble.com/roa/dn42_roa_bird1_6.conf> &nbsp; | &nbsp;IPv6 Only&nbsp; | Bird1 format |

+| <https://dn42.burble.com/roa/dn42_roa_bird2_46.conf> &nbsp; | &nbsp;Both&nbsp; | Bird2 format |

+| <https://dn42.burble.com/roa/dn42_roa_bird2_4.conf> &nbsp; | &nbsp;IPv4 Only&nbsp; | Bird2 format |

+| <https://dn42.burble.com/roa/dn42_roa_bird2_6.conf> &nbsp; | &nbsp;IPv6 Only&nbsp; | Bird2 format |

+

+ROA files generated by [roa_wizard](https://git.dn42.dev/Kioubit/roa_wizard) are available:

+

+|URL|&nbsp;IPv4/IPv6&nbsp;|Description|

+|---|---|---|

+| <https://kioubit-roa.dn42.dev/?type=v4> &nbsp; | &nbsp;IPv4 Only&nbsp; | Bird2 format |

+| <https://kioubit-roa.dn42.dev/?type=v6> &nbsp; | &nbsp;IPv6 Only&nbsp; | Bird2 format |

+| <https://kioubit-roa.dn42.dev/?type=json> &nbsp; | &nbsp;Both&nbsp; | JSON format for use with RPKI |

+

+### Updating ROA tables

+

+You can add cron entries to periodically update the tables:

+

+```conf

+*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && chronic birdc6 configure

+*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && chronic birdc configure

+```

+

+Debian version:

+

+```conf

+*/15 * * * * curl -sfSLR -o/var/lib/bird/bird6_roa_dn42.conf -z/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && /usr/sbin/birdc6 configure

+*/15 * * * * curl -sfSLR -o/var/lib/bird/bird_roa_dn42.conf -z/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && /usr/sbin/birdc configure

+```

+

+then create the directory to make sure curls can save the files:

+

+```sh

+mkdir -p /var/lib/bird/

+```

+

+Or use a systemd timer: (check the commands before copy-pasting)

+

+```conf

+# /etc/systemd/system/dn42-roa.service

+[Unit]

+Description=Update DN42 ROA

+

+[Service]

+Type=oneshot

+ExecStart=curl -sfSLR -o /etc/bird/roa_dn42.conf -z /etc/bird/roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird2_4.conf

+ExecStart=curl -sfSLR -o /etc/bird/roa_dn42_v6.conf -z /etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf

+ExecStart=birdc configure

+```

+

+```conf

+# /etc/systemd/system/dn42-roa.timer

+[Unit]

+Description=Update DN42 ROA periodically

+

+[Timer]

+OnBootSec=2m

+OnUnitActiveSec=15m

+AccuracySec=1m

+

+[Install]

+WantedBy=timers.target

+```

+

+then enable and start the timer with `systemctl enable --now dn42-roa.timer`.

+

+More advanced script with error checking:

+```sh

+#!/bin/bash

+roa4URL=""

+roa6URL=""

+

+roa4FILE="/etc/bird/roa/roa_dn42.conf"

+roa6FILE="/etc/bird/roa/roa_dn42_v6.conf"

+

+cp "${roa4FILE}" "${roa4FILE}.old"

+cp "${roa6FILE}" "${roa6FILE}.old"

+

+if curl -f -o "${roa4FILE}.new" "${roa4URL};" ;then

+ mv "${roa4FILE}.new" "${roa4FILE}"

+fi

+

+if curl -f -o "${roa6FILE}.new" "${roa6URL};" ;then

+ mv "${roa6FILE}.new" "${roa6FILE}"

+fi

+

+if birdc configure ; then

+ rm "${roa4FILE}.old"

+ rm "${roa6FILE}.old"

+else

+ mv "${roa4FILE}.old" "${roa4FILE}"

+ mv "${roa6FILE}.old" "${roa6FILE}"

+fi

+```

+

+

+### Use RPKI ROA in bird2

+

+* Download gortr

+

+<https://github.com/cloudflare/gortr/releases>

+

+* Run gortr.

+

+```sh

+./gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json

+```

+

+

+* Run with docker

+

+```sh

+docker pull cloudflare/gortr

+```

+

+```sh

+docker run --name dn42rpki -p 8282:8282 --restart=always -d cloudflare/gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json

+```

+

+* Add this to your bird configure file,other ROA protocol must removed.

+

+```conf

+protocol rpki rpki_dn42{

+ roa4 { table dn42_roa; };

+ roa6 { table dn42_roa_v6; };

+

+ remote "<your rpki server ip or domain>" port 8282;

+

+ retry keep 90;

+ refresh keep 900;

+ expire keep 172800;

+}

+```

+

+## Filter configuration

+

+In your import filter add the following to reject invalid routes:

+

+```conf

+if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {

+ print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;

+ reject;

+}

+```

+

+Also, define your ROA table with:

+

+```conf

+roa table dn42_roa {

+ include "/var/lib/bird/bird_roa_dn42.conf";

+};

+```

+

+

+**NOTE**: Make sure you setup ROA checks for both bird and bird6 (for IPv6).

+

+# Useful bird commmands

+

+bird can be remote controlled via the `birdc` command. Here is a list of useful bird commands:

+

+```sh

+$ birdc

+BIRD 1.4.5 ready.

+bird> configure # reload configuration

+Reading configuration from /etc/bird.conf

+Reconfigured

+bird> show ? # Completions work either by pressing tab or pressing '?'

+show bfd ... Show information about BFD protocol

+show interfaces Show network interfaces

+show memory Show memory usage

+show ospf ... Show information about OSPF protocol

+show protocols [<protocol> | "<pattern>"] Show routing protocols

+show roa ... Show ROA table

+show route ... Show routing table

+show static [<name>] Show details of static protocol

+show status Show router status

+show symbols ... Show all known symbolic names

+bird> show protocols # this command shows your peering status

+name proto table state since info

+device1 Device master up 07:20:25

+kernel1 Kernel master up 07:20:25

+chelnok BGP master up 07:20:29 Established

+hax404 BGP master up 07:20:26 Established

+static1 Static master up 07:20:25

+bird> show protocols all chelnok # show verbose peering status for peering with chelnok

+bird> show route for 172.22.141.181 # show possible routes to internal.dn42

+172.22.141.0/24 via 172.23.67.1 on tobee [tobee 07:20:30] * (100) [AS64737i]

+ via 172.23.64.1 on chelnok [chelnok 07:20:29] (100) [AS64737i]

+ via 172.23.136.65 on hax404 [hax404 07:20:26] (100) [AS64737i]

+bird> show route filtered # shows routed filtered out by rules

+172.23.245.1/32 via 172.23.64.1 on chelnok [chelnok 21:26:18] * (100) [AS76175i]

+172.22.247.128/32 via 172.23.64.1 on chelnok [chelnok 21:26:18] * (100) [AS76175i]

+172.22.227.1/32 via 172.23.64.1 on chelnok [chelnok 21:26:18] * (100) [AS76115i]

+172.23.196.75/32 via 172.23.64.1 on chelnok [chelnok 21:26:18] * (100) [AS76115i]

+172.22.41.241/32 via 172.23.64.1 on chelnok [chelnok 21:26:18] * (100) [AS76115i]

+172.22.249.4/30 via 172.23.64.1 on chelnok [chelnok 21:26:18] * (100) [AS4242420002i]

+172.22.255.133/32 via 172.23.64.1 on chelnok [chelnok 21:26:18] * (100) [AS64654i]

+bird> show route protocol <somepeer> # shows the route they export to you

+bird> show route export <somepeer> # shows the route you export to someone

+...

+```

+

+# External Links

+* detailed bird configuration from Mic92: <https://github.com/Mic92/bird-dn42>

+* more bird commands: <https://bird.network.cz/?get_doc&v=20&f=bird-4.html>

+Bird is a commonly used BGP daemon. This page provides configuration and help for using BGP communities with Bird for dn42.

+

+Communities can be used to prioritize traffic based on different flags, in DN42 we are using communities to prioritize based on latency, bandwidth and encryption. Please note that everyone should be using community 64511.

+

+The community is applied to the route when it is imported and exported, therefore you need to change your bird configuration, in /etc/bird/peers4 if you followed the Bird guide.

+

+The filter helpers can be stored in a separate file, for example /etc/bird/community_filters.conf.

+

+Below, you will see an example config for peers4 based on the original filter implementation by Jplitza.

+

+To properly assign the right community to your peer, please reference the table below. If you are running your own network and peering internally, please also apply the communities inside your network.

+

+## BGP community criteria

+```conf

+(64511, 1) :: latency \in (0, 2.7ms]

+(64511, 2) :: latency \in (2.7ms, 7.3ms]

+(64511, 3) :: latency \in (7.3ms, 20ms]

+(64511, 4) :: latency \in (20ms, 55ms]

+(64511, 5) :: latency \in (55ms, 148ms]

+(64511, 6) :: latency \in (148ms, 403ms]

+(64511, 7) :: latency \in (403ms, 1097ms]

+(64511, 8) :: latency \in (1097ms, 2981ms]

+(64511, 9) :: latency > 2981ms

+(64511, x) :: latency \in [exp(x-1), exp(x)] ms (for x < 10)

+

+(64511, 21) :: bw >= 0.1mbit

+(64511, 22) :: bw >= 1mbit

+(64511, 23) :: bw >= 10mbit

+(64511, 24) :: bw >= 100mbit

+(64511, 25) :: bw >= 1000mbit

+(64511, 2x) :: bw >= 10^(x-2) mbit

+bw = min(up,down) for asymmetric connections

+

+(64511, 31) :: not encrypted

+(64511, 32) :: encrypted with unsafe vpn solution

+(64511, 33) :: encrypted with safe vpn solution (but no PFS - the usual OpenVPN p2p configuration falls in this category)

+(64511, 34) :: encrypted with safe vpn solution with PFS (Perfect Forward Secrecy)

+

+Propagation:

+- - for latency pick max(received_route.latency, link_latency)

+- - for encryption and bandwidth pick min between received BGP community and peer link

+```

+For example, if your peer is 12ms away and the link speed between you is 250Mbit/s and you are peering using OpenVPN P2P, then the community string would be (3, 24, 33).

+

+Two utilities which measure round trip time and calculate community values automatically are provided, written in [ruby](https://github.com/Mic92/bird-dn42/blob/master/bgp-community.rb) and [C](https://github.com/nixnodes/bird/blob/master/misc/dn42-comgen.c).

+

+**Note: In general, the link latency metric only reflects the latency of the *immediate* link, and not the overall latency from following a path**. A route may traverse multiple internal routers once it enters an AS, and because this is invisible to BGP, it's best to treat latency values as informational only and not use them to make routing decisions.

+

+```sh

+$ ruby bgp-community.rb --help

+USAGE: bgp-community.rb host mbit_speed unencrypted|unsafe|encrypted|pfs

+ -6, --ipv6 Assume ipv6 for ping

+$ ruby bgp-community.rb 212.129.13.123 300 encrypted

+ # 15 ms, 300 mbit/s, encrypted tunnel (updated: 2016-02-11)

+ import where dn42_import_filter(3,24,33);

+ export where dn42_export_filter(3,24,33);

+$ ruby bgp-community.rb -6 dn42-2.higgsboson.tk 1000 pfs

+ # 11 ms, 1000 mbit/s, pfs tunnel (updated: 2016-02-11)

+ import where dn42_import_filter(3,25,34);

+ export where dn42_export_filter(3,25,34);

+```

+

+### Route Origin

+There are two type of route origin: `region` and `country`

+

+#### Region

+The range `41-70` is assigned to the region property.

+The communities for route origin region were first defined in [December 2015](https://lists.nox.tf/pipermail/dn42/2015-December/001259.html) and further extended in [May 2022](https://groups.io/g/dn42/topic/91226190):

+

+```conf

+(64511, 41) :: Europe

+(64511, 42) :: North America-E

+(64511, 43) :: North America-C

+(64511, 44) :: North America-W

+(64511, 45) :: Central America

+(64511, 46) :: South America-E

+(64511, 47) :: South America-W

+(64511, 48) :: Africa-N (above Sahara)

+(64511, 49) :: Africa-S (below Sahara)

+(64511, 50) :: Asia-S (IN,PK,BD)

+(64511, 51) :: Asia-SE (TH,SG,PH,ID,MY)

+(64511, 52) :: Asia-E (JP,CN,KR,TW,HK)

+(64511, 53) :: Pacific&Oceania (AU,NZ,FJ)

+(64511, 54) :: Antarctica

+(64511, 55) :: Asia-N (RU)

+(64511, 56) :: Asia-W (IR,TR,UAE)

+(64511, 57) :: Central Asia (AF,UZ,KZ)

+```

+

+#### Country

+The range `1000-1999` is assigned to the country property. Here we use [ISO-3166-1 numeric](https://github.com/lukes/ISO-3166-Countries-with-Regional-Codes/blob/master/all/all.csv) country codes, adding `1000` to each value to get the country origin community:

+

+```conf

+(64511, 1124) :: Canada

+(64511, 1156) :: China

+(64511, 1158) :: Taiwan

+(64511, 1250) :: France

+(64511, 1276) :: Germany

+(64511, 1344) :: Hong Kong

+(64511, 1392) :: Japan

+(64511, 1528) :: Netherlands

+(64511, 1578) :: Norway

+(64511, 1643) :: Russian Federation

+(64511, 1702) :: Singapore

+(64511, 1756) :: Switzerland

+(64511, 1826) :: United Kingdom

+(64511, 1840) :: United States of America

+```

+etc. Please follow the ISO-3166-1 Numeric standard

+<https://github.com/lukes/ISO-3166-Countries-with-Regional-Codes/blob/master/all/all.csv>.

+

+You need to add following lines to your config(s):

+- `define DN42_REGION = $VALUE_FROM_ABOVE` to your node's config (where OWNAS and OWNIP are set)

+- `if source = RTS_STATIC then bgp_community.add((64511, DN42_REGION));`

+just above `update_flags` in `dn42_export_filter` function

+- Unlike the other community values, **the DN42_REGION community should only be set on routes originating from your network!** (This is what the `source = RTS_STATIC` check does).

+ - Otherwise, if you export routes across multiple regions within your network, you may be sending incorrect origin information to other peers.

+

+

+## Example configurations

+```conf

+# /etc/bird/peers4/tombii.conf

+protocol bgp tombii from dnpeers {

+ neighbor 172.23.102.x as 4242420321;

+ import where dn42_import_filter(3,24,33);

+ export where dn42_export_filter(3,24,33);

+};

+```

+```conf

+#/etc/bird/community_filters.conf

+function update_latency(int link_latency) {

+ bgp_community.add((64511, link_latency));

+ if (64511, 9) ~ bgp_community then { bgp_community.delete([(64511, 1..8)]); return 9; }

+ else if (64511, 8) ~ bgp_community then { bgp_community.delete([(64511, 1..7)]); return 8; }

+ else if (64511, 7) ~ bgp_community then { bgp_community.delete([(64511, 1..6)]); return 7; }

+ else if (64511, 6) ~ bgp_community then { bgp_community.delete([(64511, 1..5)]); return 6; }

+ else if (64511, 5) ~ bgp_community then { bgp_community.delete([(64511, 1..4)]); return 5; }

+ else if (64511, 4) ~ bgp_community then { bgp_community.delete([(64511, 1..3)]); return 4; }

+ else if (64511, 3) ~ bgp_community then { bgp_community.delete([(64511, 1..2)]); return 3; }

+ else if (64511, 2) ~ bgp_community then { bgp_community.delete([(64511, 1..1)]); return 2; }

+ else return 1;

+}

+

+function update_bandwidth(int link_bandwidth) {

+ bgp_community.add((64511, link_bandwidth));

+ if (64511, 21) ~ bgp_community then { bgp_community.delete([(64511, 22..29)]); return 21; }

+ else if (64511, 22) ~ bgp_community then { bgp_community.delete([(64511, 23..29)]); return 22; }

+ else if (64511, 23) ~ bgp_community then { bgp_community.delete([(64511, 24..29)]); return 23; }

+ else if (64511, 24) ~ bgp_community then { bgp_community.delete([(64511, 25..29)]); return 24; }

+ else if (64511, 25) ~ bgp_community then { bgp_community.delete([(64511, 26..29)]); return 25; }

+ else if (64511, 26) ~ bgp_community then { bgp_community.delete([(64511, 27..29)]); return 26; }

+ else if (64511, 27) ~ bgp_community then { bgp_community.delete([(64511, 28..29)]); return 27; }

+ else if (64511, 28) ~ bgp_community then { bgp_community.delete([(64511, 29..29)]); return 28; }

+ else return 29;

+}

+

+function update_crypto(int link_crypto) {

+ bgp_community.add((64511, link_crypto));

+ if (64511, 31) ~ bgp_community then { bgp_community.delete([(64511, 32..34)]); return 31; }

+ else if (64511, 32) ~ bgp_community then { bgp_community.delete([(64511, 33..34)]); return 32; }

+ else if (64511, 33) ~ bgp_community then { bgp_community.delete([(64511, 34..34)]); return 33; }

+ else return 34;

+}

+

+function update_flags(int link_latency; int link_bandwidth; int link_crypto)

+int dn42_latency;

+int dn42_bandwidth;

+int dn42_crypto;

+{

+ dn42_latency = update_latency(link_latency);

+ dn42_bandwidth = update_bandwidth(link_bandwidth) - 20;

+ dn42_crypto = update_crypto(link_crypto) - 30;

+ # replace 4 with your calculated bandwidth value

+ if dn42_bandwidth > 4 then dn42_bandwidth = 4;

+ return true;

+}

+

+# Combines filter from local4.conf/local6.conf and filter4.conf/filter6.conf,

+# which means, these must included before this file

+

+function dn42_import_filter(int link_latency; int link_bandwidth; int link_crypto) {

+ if is_valid_network() && !is_self_net() then {

+ update_flags(link_latency, link_bandwidth, link_crypto);

+ accept;

+ }

+ reject;

+}

+

+function dn42_export_filter(int link_latency; int link_bandwidth; int link_crypto) {

+ if is_valid_network() then {

+ update_flags(link_latency, link_bandwidth, link_crypto);

+ accept;

+ }

+ reject;

+}

+```

+Please remember to include /etc/bird/community_filters.conf in your bird.conf/birdc6.conf

+```conf

+# local configuration

+######################

+include "bird/local4.conf";

+

+# filter helpers

+#################

+

+include "/etc/bird/filter4.conf";

+include "/etc/bird/community_filters.conf";

+```

+

+

+***

+

+# BGP communities

+

+Communities can be used to prioritize traffic based on different flags, in DN42 we are using communities to prioritize based on latency, bandwidth and encryption. It is really easy to get started with communities and we encourage all of you to get the basic configuration done and to mark your peerings with the correct flags for improved routing.

+More information can be found [here](/howto/BGP-communities).

+

+# Route Origin Authorization

+

+Route Origin Authorizations should be used in BIRD to authenticate prefix announcements. These check the originating AS and validate that they are allowed to advertise a prefix.

+

+## ROA Tables

+

+The ROA table can be generated from the registry directly or you can use the following pre-built ROA tables for BIRD:

+

+ROA files generated by [dn42regsrv](https://git.burble.com/burble.dn42/dn42regsrv) are available from burble.dn42:

+

+|URL|&nbsp;IPv4/IPv6&nbsp;|Description|

+|---|---|---|

+| <https://dn42.burble.com/roa/dn42_roa_46.json> &nbsp; | &nbsp;Both&nbsp; | JSON format for use with RPKI |

+| <https://dn42.burble.com/roa/dn42_roa_bird1_46.conf> &nbsp; | &nbsp;Both&nbsp; | Bird1 format |

+| <https://dn42.burble.com/roa/dn42_roa_bird1_4.conf> &nbsp; | &nbsp;IPv4 Only&nbsp; | Bird1 format |

+| <https://dn42.burble.com/roa/dn42_roa_bird1_6.conf> &nbsp; | &nbsp;IPv6 Only&nbsp; | Bird1 format |

+| <https://dn42.burble.com/roa/dn42_roa_bird2_46.conf> &nbsp; | &nbsp;Both&nbsp; | Bird2 format |

+| <https://dn42.burble.com/roa/dn42_roa_bird2_4.conf> &nbsp; | &nbsp;IPv4 Only&nbsp; | Bird2 format |

+| <https://dn42.burble.com/roa/dn42_roa_bird2_6.conf> &nbsp; | &nbsp;IPv6 Only&nbsp; | Bird2 format |

+

+ROA files generated by [roa_wizard](https://git.dn42.dev/Kioubit/roa_wizard) are available:

+

+|URL|&nbsp;IPv4/IPv6&nbsp;|Description|

+|---|---|---|

+| <https://kioubit-roa.dn42.dev/?type=v4> &nbsp; | &nbsp;IPv4 Only&nbsp; | Bird2 format |

+| <https://kioubit-roa.dn42.dev/?type=v6> &nbsp; | &nbsp;IPv6 Only&nbsp; | Bird2 format |

+| <https://kioubit-roa.dn42.dev/?type=json> &nbsp; | &nbsp;Both&nbsp; | JSON format for use with RPKI |

+

+### Updating ROA tables

+

+You can add cron entries to periodically update the tables:

+

+```conf

+*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && chronic birdc6 configure

+*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && chronic birdc configure

+```

+

+Debian version:

+

+```conf

+*/15 * * * * curl -sfSLR -o/var/lib/bird/bird6_roa_dn42.conf -z/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && /usr/sbin/birdc6 configure

+*/15 * * * * curl -sfSLR -o/var/lib/bird/bird_roa_dn42.conf -z/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && /usr/sbin/birdc configure

+```

+

+then create the directory to make sure curls can save the files:

+

+```sh

+mkdir -p /var/lib/bird/

+```

+

+Or use a systemd timer: (check the commands before copy-pasting)

+

+```conf

+# /etc/systemd/system/dn42-roa.service

+[Unit]

+Description=Update DN42 ROA

+

+[Service]

+Type=oneshot

+ExecStart=curl -sfSLR -o /etc/bird/roa_dn42.conf -z /etc/bird/roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird2_4.conf

+ExecStart=curl -sfSLR -o /etc/bird/roa_dn42_v6.conf -z /etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf

+ExecStart=birdc configure

+```

+

+```conf

+# /etc/systemd/system/dn42-roa.timer

+[Unit]

+Description=Update DN42 ROA periodically

+

+[Timer]

+OnBootSec=2m

+OnUnitActiveSec=15m

+AccuracySec=1m

+

+[Install]

+WantedBy=timers.target

+```

+

+then enable and start the timer with `systemctl enable --now dn42-roa.timer`.

+

+More advanced script with error checking:

+```sh

+#!/bin/bash

+roa4URL=""

+roa6URL=""

+

+roa4FILE="/etc/bird/roa/roa_dn42.conf"

+roa6FILE="/etc/bird/roa/roa_dn42_v6.conf"

+

+cp "${roa4FILE}" "${roa4FILE}.old"

+cp "${roa6FILE}" "${roa6FILE}.old"

+

+if curl -f -o "${roa4FILE}.new" "${roa4URL};" ;then

+ mv "${roa4FILE}.new" "${roa4FILE}"

+fi

+

+if curl -f -o "${roa6FILE}.new" "${roa6URL};" ;then

+ mv "${roa6FILE}.new" "${roa6FILE}"

+fi

+

+if birdc configure ; then

+ rm "${roa4FILE}.old"

+ rm "${roa6FILE}.old"

+else

+ mv "${roa4FILE}.old" "${roa4FILE}"

+ mv "${roa6FILE}.old" "${roa6FILE}"

+fi

+```

+

+

+### Use RPKI ROA in bird2

+

+* Download gortr

+

+<https://github.com/cloudflare/gortr/releases>

+

+* Run gortr.

+

+```sh

+./gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json

+```

+

+

+* Run with docker

+

+```sh

+docker pull cloudflare/gortr

+```

+

+```sh

+docker run --name dn42rpki -p 8282:8282 --restart=always -d cloudflare/gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json

+```

+

+* Add this to your bird configure file,other ROA protocol must removed.

+

+```conf

+protocol rpki rpki_dn42{

+ roa4 { table dn42_roa; };

+ roa6 { table dn42_roa_v6; };

+

+ remote "<your rpki server ip or domain>" port 8282;

+

+ retry keep 90;

+ refresh keep 900;

+ expire keep 172800;

+}

+```

+

+## Filter configuration

+

+In your import filter add the following to reject invalid routes:

+

+```conf

+if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {

+ print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;

+ reject;

+}

+```

+

+Also, define your ROA table with:

+

+```conf

+roa table dn42_roa {

+ include "/var/lib/bird/bird_roa_dn42.conf";

+};

+```

+

+**NOTE**: Make sure you setup ROA checks for both IPv4 and IPv6.