How to use ROA/RPKI ?
Arnaud Fenioux
afenioux at gmail.com
Fri Apr 12 12:27:04 CEST 2013
Thank you for you reply Ondrej,
I tried the filter as you mentioned, all is working fine,
I made a bash script that import into a roa table,
all right!
Thank you!
On Wed, Apr 10, 2013 at 5:43 PM, Ondrej Zajicek <santiago at crfreenet.org>wrote:
> On Wed, Apr 10, 2013 at 04:22:11PM +0200, Arnaud Fenioux wrote:
> > Hello all,
>
> Hello
>
> > I would like to use ROA filtering on my bird setup to reject invalid
> > prefixes announced by my peers.
> >
> > I know there is currently no easy way to bind bird to an RPKI validator,
> > right?
>
> Yes
>
> > I have to create a table in my conf file with
> > "roa table roa_table_name"
>
> Yes
>
> > I have read (
> > https://ripe65.ripe.net/presentations/191-BIRD-20120926-OF-RIPE-EIX.pdf)
> there
> > is a way to populate dynamically this table.
> > How can I do that? "roa add" in cli?
> > Is there a way to flush the table?
>
> These commands in CLI:
>
> show roa ...
> add roa ...
> delete roa ...
> flush roa ...
>
> See http://bird.network.cz/?get_doc&f=bird-4.html
> (Also try '?' in CLI for interactive help)
>
> Second alternative is to populate ROA table statically - generate
> configuration for ROA table with specified ROA entries and call
> configure after each change. You could have content of ROA table in
> separate (generated) config and include it from the main config file.
>
> > Can I do a filter like this?
> >
> > protocol bgp my_peer {
> > local as 65000;
> > neighbor 192.0.2.1 as 65001;
> > import filter peer_in;
> > }
> >
> > filter peer_in {
> > if roa_check(roa_table_name, net, bgp_path.last) = ROA_INVALID then
> reject;
> > accept;
> > }
>
> This should work, but i would suggest to add 'print' for logging:
>
> {
> if ... then { print "ROA check failed for ", net, " ASN ",
> bgp_path.last; reject; }
> accept
> }
>
>
> --
> Elen sila lumenn' omentielvo
>
> Ondrej 'SanTiago' Zajicek (email: santiago at crfreenet.org)
> OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
> "To err is human -- to blame it on a computer is even more so."
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iEYEARECAAYFAlFliLEACgkQw1GB2RHercMjPQCfbZ/eo6pwFus3gKSfnx0L02HE
> YBkAn069HY386NYMd6pZrDbhVJKsmvbt
> =phkQ
> -----END PGP SIGNATURE-----
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20130412/6620daf3/attachment-0001.html>
More information about the Bird-users
mailing list