How to use ROA/RPKI ?

Ondrej Zajicek santiago at crfreenet.org
Wed Apr 10 17:43:45 CEST 2013


On Wed, Apr 10, 2013 at 04:22:11PM +0200, Arnaud Fenioux wrote:
> Hello all,

Hello

> I would like to use ROA filtering on my bird setup to reject invalid
> prefixes announced by my peers.
> 
> I know there is currently no easy way to bind bird to an RPKI validator,
> right?

Yes

> I have to create a table in my conf file with
> "roa table roa_table_name"

Yes

> I have read (
> https://ripe65.ripe.net/presentations/191-BIRD-20120926-OF-RIPE-EIX.pdf) that there
> is a way to populate this table dynamically.
> How can I do that? "roa add" in the CLI?
> Is there a way to flush the table?

These commands in CLI:

show roa ...
add roa ...
delete roa ...
flush roa ...

See http://bird.network.cz/?get_doc&f=bird-4.html
(Also try '?' in CLI for interactive help)

A second alternative is to populate the ROA table statically: generate
the configuration for the ROA table with the specified ROA entries and call
configure after each change. You could keep the content of the ROA table in a
separate (generated) config and include it from the main config file.

> Can I do a filter like this?
> 
>  protocol bgp my_peer {
>         local as 65000;
>         neighbor 192.0.2.1 as 65001;
>         import filter peer_in;
> }
> 
> filter peer_in {
>   if roa_check(roa_table_name, net, bgp_path.last) = ROA_INVALID then reject;
>   accept;
> }

This should work, but I would suggest adding 'print' for logging:

filter peer_in {
  if roa_check(roa_table_name, net, bgp_path.last) = ROA_INVALID then {
    print "ROA check failed for ", net, " ASN ", bgp_path.last;
    reject;
  }
  accept;
}


-- 
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
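Added example (not from the list post or from BIRD itself) of the "generated config" alternative described above: it reads a validator export in the {"roas": [{"asn", "prefix", "maxLength"}]} JSON shape (assumed here; the sample data is constructed from documentation prefixes and private ASNs), sanity-checks each entry, and renders a static BIRD 1.x "roa table" block to include from the main config, plus the equivalent "add roa" CLI lines. The table name roa_table_name is taken from the thread.

```python
import ipaddress
import json

# Constructed sample in the {"roas": [...]} shape assumed for a validator export.
# Documentation prefixes and private ASNs only; these are not real ROAs.
SAMPLE_EXPORT = json.dumps({"roas": [
    {"asn": "AS65001", "prefix": "192.0.2.0/24", "maxLength": 24},
    {"asn": "AS65001", "prefix": "2001:db8::/32", "maxLength": 48},
    {"asn": "AS65002", "prefix": "198.51.100.0/22", "maxLength": 20},  # maxLength < prefix length
    {"asn": "65003", "prefix": "203.0.113.0/24", "maxLength": 24},
]})


def parse_roas(text):
    """Return (entries, rejected). Each entry is (prefix, max_len, asn) after the
    checks a generator should apply before the data reaches BIRD's config."""
    entries, rejected = [], []
    for item in json.loads(text)["roas"]:
        try:
            net = ipaddress.ip_network(item["prefix"], strict=True)
            asn_s = str(item["asn"]).upper()
            asn = int(asn_s[2:] if asn_s.startswith("AS") else asn_s)
            max_len = int(item["maxLength"])
        except (ValueError, KeyError) as exc:
            rejected.append((item, str(exc)))
            continue
        # maxLength must lie between the prefix length and the address-family max;
        # ASN must fit in 32 bits.
        if not (net.prefixlen <= max_len <= net.max_prefixlen) or not (0 <= asn <= 4294967295):
            rejected.append((item, "maxLength or ASN out of range"))
            continue
        entries.append((str(net), max_len, asn))
    return entries, rejected


def bird_roa_table(entries, table="roa_table_name"):
    """Render a static 'roa table' block in BIRD 1.x syntax for a generated file
    that the main config pulls in with 'include'."""
    lines = [f"roa table {table} {{"]
    for prefix, max_len, asn in sorted(entries):
        lines.append(f"  roa {prefix} max {max_len} as {asn};")
    lines.append("}")
    return "\n".join(lines) + "\n"


def bird_cli_commands(entries, table="roa_table_name"):
    """Render the equivalent 'add roa' lines for birdc (the dynamic route)."""
    return [f"add roa {p} max {m} as {a} table {table}" for p, m, a in sorted(entries)]


if __name__ == "__main__":
    good, bad = parse_roas(SAMPLE_EXPORT)
    print(bird_roa_table(good))
    for item, why in bad:
        print(f"# skipped {item}: {why}")
```

Write the rendered block to a file, include it from bird.conf, and run `configure` after each regeneration, as the post suggests.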