IP version independent RPKI filter
Christoph
cm at appliedprivacy.net
Sat Oct 5 00:00:00 CEST 2019
Hello,
the RPKI documentation section has a RPKI ROV example using
an IPv4-specific filter:
https://bird.network.cz/?get_doc&v=20&f=bird-6.html#ss6.13
> roa4 table r4;
> roa6 table r6;
>
> protocol rpki {
>     debug all;
>
>     roa4 { table r4; };
>     roa6 { table r6; };
>
>     # Please, do not use rpki-validator.realmv6.org in production
>     remote "rpki-validator.realmv6.org" port 8282;
>
>     retry keep 5;
>     refresh keep 30;
>     expire 600;
> }
>
> filter peer_in_v4 {
>     if (roa_check(r4, net, bgp_path.last) = ROA_INVALID) then
>     {
>         print "Ignore invalid ROA ", net, " for ASN ", bgp_path.last;
>         reject;
>     }
>     accept;
> }
>
> protocol bgp {
>     debug all;
>     local as 65000;
>     neighbor 192.168.2.1 as 65001;
>     ipv4 {
>         import filter peer_in_v4;
>         export none;
>     };
> }
We use a transit_in filter that checks the
net.type to decide which roa_check parameter to use:
> filter transit_in {
>
>     reject_bogon_asns();
>     reject_small_prefixes();
>     reject_bogon_prefixes();
>     reject_long_aspaths();
>     reject_default_route();
>     enforce_neighbor_asn();
>     reject_our_networks();
>
>     if (net.type = NET_IP4) then {
>         if (roa_check(r4, net, bgp_path.last) = ROA_INVALID) then
>         {
>             print "Reject RPKI INVALID announcement ", net, " by AS", bgp_path.last;
>             reject;
>         }
>     } else {
>         if (roa_check(r6, net, bgp_path.last) = ROA_INVALID) then
>         {
>             print "Reject RPKI INVALID announcement ", net, " by AS", bgp_path.last;
>             reject;
>         }
>     }
>
>     accept;
>
> }
Is this significantly less efficient than having separate IPv4/6 filters
that do not need that additional if (net.type = .. ) check?
Or does it not really matter?
If possible I'd prefer a single filter that can be applied to IPv4 and
IPv6 BGP sessions.
thanks,
Christoph
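Added example (not part of Christoph's post or of the BIRD documentation): the same net.type dispatch from the post, moved into a single filter function so that one filter can be attached to both the ipv4 and ipv6 channels without duplicating the roa_check branch. The function names, neighbor addresses (RFC 5737/3849 documentation ranges) and AS numbers are constructed for illustration; the table names r4/r6 and the `bgp_path.last` usage follow the quoted configuration. Prefixes of any other net type (e.g. flowspec or VPN channels) are treated as ROA_UNKNOWN rather than passed to roa_check, which is one thing the post's plain if/else does not cover.

```bird
# Added example, not from the original post. Assumes BIRD 2.x syntax and
# the roa4/roa6 tables r4 and r6 from the quoted rpki protocol block.

roa4 table r4;
roa6 table r6;

# Pick the ROA table from the address family of the prefix being evaluated,
# so callers never have to know which table applies.
function rpki_status()
{
    if (net.type = NET_IP4) then return roa_check(r4, net, bgp_path.last);
    if (net.type = NET_IP6) then return roa_check(r6, net, bgp_path.last);
    # Any other net type has no ROA table; treat it as unknown, not invalid.
    return ROA_UNKNOWN;
}

# One import filter, valid for IPv4 and IPv6 channels alike.
filter transit_in
{
    if (rpki_status() = ROA_INVALID) then {
        print "Reject RPKI INVALID announcement ", net, " by AS", bgp_path.last;
        reject;
    }
    accept;
}

# Constructed sessions: the same filter is referenced from an IPv4 session
# and an IPv6 session (addresses are documentation ranges, ASNs are examples).
protocol bgp transit_v4 {
    local as 65000;
    neighbor 192.0.2.1 as 65001;
    ipv4 {
        import filter transit_in;
        export none;
    };
}

protocol bgp transit_v6 {
    local as 65000;
    neighbor 2001:db8::1 as 65001;
    ipv6 {
        import filter transit_in;
        export none;
    };
}
```

The remaining per-session checks from the post (bogon ASNs, prefix length, AS path length and so on) would be called at the top of transit_in exactly as before; only the ROA lookup changes shape here.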