bird/rpki.conf

protocol rpki {
	roa6 {
		table roa_v6;
	};

	remote "10.43.141.166" port 3323;

	retry keep 90;
	refresh keep 900;
	expire keep 172800;
}

function filter_reason(lc rsn) {
	bgp_large_community.add(rsn);
}

# RPKI tests
function is_rpki_invalid_v6() {
	     if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_VALID then
		bgp_large_community.add(informational_rpki_valid);
	else if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_UNKNOWN then
		bgp_large_community.add(informational_rpki_unknown);
	else if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID then {
		print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last;
		bgp_large_community.add(informational_rpki_invalid);
		return true;
	}
	else
		bgp_large_community.add(informational_rpki_not_checked);

	return false;
}

function is_rpki_invalid_dn42_v4() {
	     if roa_check(roa_dn42_v4, net, bgp_path.last_nonaggregated) = ROA_VALID then
		bgp_large_community.add(informational_rpki_valid);
	else if roa_check(roa_dn42_v4, net, bgp_path.last_nonaggregated) = ROA_UNKNOWN then
		bgp_large_community.add(informational_rpki_unknown);
	else if roa_check(roa_dn42_v4, net, bgp_path.last_nonaggregated) = ROA_INVALID then {
		print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last;
		bgp_large_community.add(informational_rpki_invalid);
		return true;
	}
	else
		bgp_large_community.add(informational_rpki_not_checked);

	return false;
}

function is_rpki_invalid_dn42_v6() {
	     if roa_check(roa_dn42_v6, net, bgp_path.last_nonaggregated) = ROA_VALID then
		bgp_large_community.add(informational_rpki_valid);
	else if roa_check(roa_dn42_v6, net, bgp_path.last_nonaggregated) = ROA_UNKNOWN then
		bgp_large_community.add(informational_rpki_unknown);
	else if roa_check(roa_dn42_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID then {
		print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last;
		bgp_large_community.add(informational_rpki_invalid);
		return true;
	}
	else
		bgp_large_community.add(informational_rpki_not_checked);

	return false;
}
initial commit 2020-04-20 04:42:25 +02:00			`protocol rpki {`
			`roa6 {`
			`table roa_v6;`
			`};`

			`remote "10.43.141.166" port 3323;`

			`retry keep 90;`
			`refresh keep 900;`
			`expire keep 172800;`
			`}`

			`function filter_reason(lc rsn) {`
			`bgp_large_community.add(rsn);`
			`}`

			`# RPKI tests`
			`function is_rpki_invalid_v6() {`
			`if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_VALID then`
			`bgp_large_community.add(informational_rpki_valid);`
			`else if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_UNKNOWN then`
			`bgp_large_community.add(informational_rpki_unknown);`
			`else if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID then {`
			`print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last;`
			`bgp_large_community.add(informational_rpki_invalid);`
			`return true;`
			`}`
			`else`
			`bgp_large_community.add(informational_rpki_not_checked);`

			`return false;`
			`}`

			`function is_rpki_invalid_dn42_v4() {`
			`if roa_check(roa_dn42_v4, net, bgp_path.last_nonaggregated) = ROA_VALID then`
			`bgp_large_community.add(informational_rpki_valid);`
			`else if roa_check(roa_dn42_v4, net, bgp_path.last_nonaggregated) = ROA_UNKNOWN then`
			`bgp_large_community.add(informational_rpki_unknown);`
			`else if roa_check(roa_dn42_v4, net, bgp_path.last_nonaggregated) = ROA_INVALID then {`
			`print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last;`
			`bgp_large_community.add(informational_rpki_invalid);`
			`return true;`
			`}`
			`else`
			`bgp_large_community.add(informational_rpki_not_checked);`

			`return false;`
			`}`

			`function is_rpki_invalid_dn42_v6() {`
			`if roa_check(roa_dn42_v6, net, bgp_path.last_nonaggregated) = ROA_VALID then`
			`bgp_large_community.add(informational_rpki_valid);`
			`else if roa_check(roa_dn42_v6, net, bgp_path.last_nonaggregated) = ROA_UNKNOWN then`
			`bgp_large_community.add(informational_rpki_unknown);`
			`else if roa_check(roa_dn42_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID then {`
			`print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last;`
			`bgp_large_community.add(informational_rpki_invalid);`
			`return true;`
			`}`
			`else`
			`bgp_large_community.add(informational_rpki_not_checked);`

			`return false;`
			`}`