From fa2b7eda7c67d5e78fe8d4864ce3d82ac6794e68 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20K=C3=BCthe?=
Date: Wed, 28 Feb 2024 12:12:39 +0000
Subject: [PATCH] Add historical section

---
 _Sidebar.md | 7 +-
 {howto => historical}/Bird.md | 2 +-
 ...Bird-communities.md => BGP-communities.md} | 0
 howto/Bird2.md | 174 ++++++++++++++++++
 4 files changed, 180 insertions(+), 3 deletions(-)
 rename {howto => historical}/Bird.md (99%)
 rename howto/{Bird-communities.md => BGP-communities.md} (100%)

diff --git a/_Sidebar.md b/_Sidebar.md
index c26d76c..6e4163b 100644
--- a/_Sidebar.md
+++ b/_Sidebar.md
@@ -2,7 +2,7 @@
 * [Getting Started](/howto/Getting-Started)
 * [Registry Authentication](/howto/Registry-Authentication)
 * [Address Space](/howto/Address-Space)
- * [BGP communities](/howto/Bird-communities)
+ * [BGP communities](/howto/BGP-communities)
 * [FAQ](/FAQ)
 
 * How-To
@@ -15,7 +15,7 @@
 * [IPv6 Multicast (PIM-SM)](/howto/IPv6-Multicast)
 * [SSM Multicast](/howto/multicast)
 * [MPLS](/howto/mpls)
- * [Bird](/howto/Bird) / [Bird2](/howto/Bird2)
+ * [Bird2](/howto/Bird2)
 * [Quagga](/howto/Quagga)
 * [FRRouting](/howto/frr)
 * [OpenBGPD](/howto/OpenBGPD)
@@ -46,6 +46,9 @@
 * [Show and Tell](/internal/ShowAndTell)
 * [Historical services](/internal/Historical-Services)
 
+* Historical
+ * [Bird 1](/historical/Bird) /
+
 * External Tools
 * [Paste Board](https://paste.dn42.us)
 * [Git Repositories](https://git.dn42.dev)
diff --git a/howto/Bird.md b/historical/Bird.md
similarity index 99%
rename from howto/Bird.md
rename to historical/Bird.md
index cd23aeb..92ab753 100644
--- a/howto/Bird.md
+++ b/historical/Bird.md
@@ -244,7 +244,7 @@ protocol bgp from dnpeers {
 # Bird communities
 
 Communities can be used to prioritize traffic based on different flags, in DN42 we are using communities to prioritize based on latency, bandwidth and encryption. It is really easy to get started with communities and we encourage all of you to get the basic configuration done and to mark your peerings with the correct flags for improved routing.
-More information can be found [here](/howto/Bird-communities).
+More information can be found [here](/howto/BGP-communities).
 
 # Route Origin Authorization
 
diff --git a/howto/Bird-communities.md b/howto/BGP-communities.md
similarity index 100%
rename from howto/Bird-communities.md
rename to howto/BGP-communities.md
diff --git a/howto/Bird2.md b/howto/Bird2.md
index a592f8e..d070b46 100644
--- a/howto/Bird2.md
+++ b/howto/Bird2.md
@@ -247,3 +247,177 @@ protocol bgp _v6 from dnpeers {
 ```
 
 Due to the special link local addresses of IPv6, an interface has to be specified using the `%` syntax if a link local address is used (Which is recommended)
+
+# BGP communities
+
+Communities can be used to prioritize traffic based on different flags, in DN42 we are using communities to prioritize based on latency, bandwidth and encryption. It is really easy to get started with communities and we encourage all of you to get the basic configuration done and to mark your peerings with the correct flags for improved routing.
+More information can be found [here](/howto/BGP-communities).
+
+# Route Origin Authorization
+
+Route Origin Authorizations should be used in BIRD to authenticate prefix announcements. These check the originating AS and validate that they are allowed to advertise a prefix.
+
+## ROA Tables
+
+The ROA table can be generated from the registry directly or you can use the following pre-built ROA tables for BIRD:
+
+ROA files generated by [dn42regsrv](https://git.burble.com/burble.dn42/dn42regsrv) are available from burble.dn42:
+
+|URL| IPv4/IPv6 |Description|
+|---|---|---|
+|   |  Both  | JSON format for use with RPKI |
+|   |  Both  | Bird1 format |
+|   |  IPv4 Only  | Bird1 format |
+|   |  IPv6 Only  | Bird1 format |
+|   |  Both  | Bird2 format |
+|   |  IPv4 Only  | Bird2 format |
+|   |  IPv6 Only  | Bird2 format |
+
+ROA files generated by [roa_wizard](https://git.dn42.dev/Kioubit/roa_wizard) are available:
+
+|URL| IPv4/IPv6 |Description|
+|---|---|---|
+|   |  IPv4 Only  | Bird2 format |
+|   |  IPv6 Only  | Bird2 format |
+|   |  Both  | JSON format for use with RPKI |
+
+### Updating ROA tables
+
+You can add cron entries to periodically update the tables:
+
+```conf
+*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && chronic birdc6 configure
+*/15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && chronic birdc configure
+```
+
+Debian version:
+
+```conf
+*/15 * * * * curl -sfSLR -o/var/lib/bird/bird6_roa_dn42.conf -z/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && /usr/sbin/birdc6 configure
+*/15 * * * * curl -sfSLR -o/var/lib/bird/bird_roa_dn42.conf -z/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && /usr/sbin/birdc configure
+```
+
+then create the directory to make sure curls can save the files:
+
+```sh
+mkdir -p /var/lib/bird/
+```
+
+Or use a systemd timer: (check the commands before copy-pasting)
+
+```conf
+# /etc/systemd/system/dn42-roa.service
+[Unit]
+Description=Update DN42 ROA
+
+[Service]
+Type=oneshot
+ExecStart=curl -sfSLR -o /etc/bird/roa_dn42.conf -z /etc/bird/roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird2_4.conf
+ExecStart=curl -sfSLR -o /etc/bird/roa_dn42_v6.conf -z /etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf
+ExecStart=birdc configure
+```
+
+```conf
+# /etc/systemd/system/dn42-roa.timer
+[Unit]
+Description=Update DN42 ROA periodically
+
+[Timer]
+OnBootSec=2m
+OnUnitActiveSec=15m
+AccuracySec=1m
+
+[Install]
+WantedBy=timers.target
+```
+
+then enable and start the timer with `systemctl enable --now dn42-roa.timer`.
+
+More advanced script with error checking:
+```sh
+#!/bin/bash
+roa4URL=""
+roa6URL=""
+
+roa4FILE="/etc/bird/roa/roa_dn42.conf"
+roa6FILE="/etc/bird/roa/roa_dn42_v6.conf"
+
+cp "${roa4FILE}" "${roa4FILE}.old"
+cp "${roa6FILE}" "${roa6FILE}.old"
+
+if curl -f -o "${roa4FILE}.new" "${roa4URL};" ;then
+ mv "${roa4FILE}.new" "${roa4FILE}"
+fi
+
+if curl -f -o "${roa6FILE}.new" "${roa6URL};" ;then
+ mv "${roa6FILE}.new" "${roa6FILE}"
+fi
+
+if birdc configure ; then
+ rm "${roa4FILE}.old"
+ rm "${roa6FILE}.old"
+else
+ mv "${roa4FILE}.old" "${roa4FILE}"
+ mv "${roa6FILE}.old" "${roa6FILE}"
+fi
+```
+
+
+### Use RPKI ROA in bird2
+
+* Download gortr
+
+
+
+* Run gortr.
+
+```sh
+./gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json
+```
+
+
+* Run with docker
+
+```sh
+docker pull cloudflare/gortr
+```
+
+```sh
+docker run --name dn42rpki -p 8282:8282 --restart=always -d cloudflare/gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json
+```
+
+* Add this to your bird configure file,other ROA protocol must removed.
+
+```conf
+protocol rpki rpki_dn42{
+ roa4 { table dn42_roa; };
+ roa6 { table dn42_roa_v6; };
+
+ remote "" port 8282;
+
+ retry keep 90;
+ refresh keep 900;
+ expire keep 172800;
+}
+```
+
+## Filter configuration
+
+In your import filter add the following to reject invalid routes:
+
+```conf
+if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
+ print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
+ reject;
+}
+```
+
+Also, define your ROA table with:
+
+```conf
+roa table dn42_roa {
+ include "/var/lib/bird/bird_roa_dn42.conf";
+};
+```
+
+**NOTE**: Make sure you setup ROA checks for both IPv4 and IPv6.
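Review bot: In the "More advanced script with error checking" block, both curl calls quote the URL as `"${roa4URL};"` / `"${roa6URL};"`, so a literal `;` is appended to the request; with `-f` that most likely fails, the `.new` file is never moved into place and the ROA tables silently stop updating while the script still reports nothing. The two lines should read `if curl -f -o "${roa4FILE}.new" "${roa4URL}" ;then` and `if curl -f -o "${roa6FILE}.new" "${roa6URL}" ;then` (adding `-sSL` as the cron examples do would also follow redirects and surface errors). The `else` branch restores the `.old` files on disk but does not run `birdc configure` again, so it is worth a comment such as `# rollback is on disk only; BIRD keeps the last successfully loaded config` so readers do not assume the revert is applied. The gortr examples pass `-verify=false -checktime=false`, which appears to disable signature and freshness checks on the cached ROA JSON, leaving the RTR feed's integrity resting solely on the TLS connection to dn42.burble.com; a one-line caveat next to those commands saying so would help operators decide whether that is acceptable for them.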