initial commit for moon

.gitignore

@@ -0,0 +1,2 @@
+icvpn-meta/
+passwords.conf

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "icvpn-scripts"]
+	path = icvpn-scripts
+	url = https://github.com/freifunk/icvpn-scripts.git

bird.conf

@@ -0,0 +1,27 @@
+log syslog all;
+
+router id 172.23.156.2;
+
+timeformat base         iso long;
+timeformat log          iso long;
+timeformat protocol     iso long;
+timeformat route        iso long;
+
+include "/etc/bird/constants.conf";
+include "/etc/bird/passwords.conf";
+include "/etc/bird/communities.conf";
+include "/etc/bird/tables.conf";
+include "/etc/bird/filters/*.conf";
+include "/etc/bird/templates/*.conf";
+include "/etc/bird/protocols/*.conf";
+
+protocol device {
+
+}
+
+protocol direct {
+	ipv4;
+	ipv6;
+
+	interface "bond0", "wg-*", "virbr*";
+}

communities.conf

@@ -0,0 +1,54 @@
+define cymru_fullbogons		= (65332, 888);
+
+# Well-known: https://www.iana.org/assignments/bgp-well-known-communities/bgp-well-known-communities.xhtml
+define wk_graceful_shutdown	= (0xffff, 0x0000); # RFC8326
+define wk_accept_own		= (0xffff, 0x0001); # RFC7611
+define wk_blackhole		= (0xffff, 0x029a); # RFC7999
+define wk_no_export		= (0xffff, 0xff01); # RFC1997
+define wk_no_advertise		= (0xffff, 0xff02); # RFC1997
+define wk_no_export_subconfed	= (0xffff, 0xff03); # RFC1997
+define wk_nopeer		= (0xffff, 0xff04); # RFC3765
+
+# See https://www.euro-ix.net/en/forixps/large-bgp-communities/
+
+# Informational RS:1000-1999:*
+
+## Informational tags RS:1000-1099:*
+define informational_rpki_valid = (my_ripe_asn, 1000, 1);
+define informational_rpki_unknown = (my_ripe_asn, 1000, 2);
+define informational_rpki_not_checked = (my_ripe_asn, 1000, 3);
+define informational_rpki_invalid = (my_ripe_asn, 1000, 4);
+define informational_rpki_invalid_origin_as = (my_ripe_asn, 1000, 5);
+define informational_rpki_invalid_max_length = (my_ripe_asn, 1000, 6);
+
+define informational_irrdb_valid = (my_ripe_asn, 1001, 1);
+define informational_irrdb_not_checked = (my_ripe_asn, 1001, 2);
+define informational_irrdb_more_specific = (my_ripe_asn, 1001, 3);
+define informational_irrdb_prefix_not_found_in_as_set = (my_ripe_asn, 1001, 4);
+define informational_irrdb_invalid_origin_as = (my_ripe_asn, 1001, 5);
+define informational_irrdb_invalid_prefix_for_origin_as = (my_ripe_asn, 1001, 6);
+
+# Filtered reasons: RS:1100-1199:*
+
+## Route was filtered on import RS:1101:*
+define filtered_import_prefix_too_long = (my_ripe_asn, 1101, 1);
+define filtered_import_prefix_too_short = (my_ripe_asn, 1101, 2);
+define filtered_import_bogon_prefix = (my_ripe_asn, 1101, 3);
+define filtered_import_bogon_as = (my_ripe_asn, 1101, 4);
+define filtered_import_as_path_too_long = (my_ripe_asn, 1101, 5);
+define filtered_import_as_path_too_short = (my_ripe_asn, 1101, 6);
+define filtered_import_first_as_not_peer = (my_ripe_asn, 1101, 7);
+define filtered_import_next_hop_not_peer = (my_ripe_asn, 1101, 8);
+define filtered_import_irrdb_prefix_not_in_as_set = (my_ripe_asn, 1101, 9);
+define filtered_import_origin_as_not_in_peer_as_set = (my_ripe_asn, 1101, 10);
+define filtered_import_prefix_not_found_in_origin_as = (my_ripe_asn, 1101, 11);
+define filtered_import_prefix_is_rpki_unknown = (my_ripe_asn, 1101, 12);
+define filtered_import_prefix_is_rpki_invalid = (my_ripe_asn, 1101, 13);
+define filtered_import_transit_free_asn_in_as_path = (my_ripe_asn, 1101, 14);
+define filtered_import_too_many_bgp_communities = (my_ripe_asn, 1101, 15);
+
+# Route was filtered on export RS:1102:*
+define filtered_export_advertising_peer_declines_prefix = (my_ripe_asn, 1102, 1);
+define filtered_export_declined_from_advertising_peer = (my_ripe_asn, 1102, 2);
+define filtered_export_too_many_bgp_communities = (my_ripe_asn, 1102, 3);
+

constants.conf

@@ -0,0 +1,5 @@
+define my_ripe_asn = 207613;
+define my_dn42_asn = 4242422428;
+
+define l66_gw_v4 = 141.98.136.129;
+define l66_gw_v6 = 2a09:11c0:f0:bbf0::1;

filters/common.conf

@@ -0,0 +1,230 @@
+# Sources:
+#   http://www.us.ntt.net/support/policy/routing.cfm#bogon
+#   http://as2914.net/bogon_asns/configuration_examples.txt
+#   https://www.de-cix.net/en/locations/germany/frankfurt/routeserver-guide
+#   https://archive.nanog.org/sites/default/files/Snijders_Everyday_Practical_Bgp.pdf
+#   http://bgpfilterguide.nlnog.net/
+#   https://gitlab.labs.nic.cz/labs/bird/-/wikis/BGP_filtering
+
+function is_mine_ripe() {
+	return net ~ [
+		2a09:11c0:200::/44+,
+		2a0e:97c7:100::/44+,
+		2a09:4c2:1b::/48+,
+		31.47.232.64/29+,  # meerfarbig
+		141.98.136.128/29+ # level66
+	];
+}
+
+function is_mine_dn42() {
+	return net ~ [
+		172.23.156.0/23+,
+		fd42:4dd0:ff00::/48+
+	];
+}
+
+function is_mine() {
+	return is_mine_dn42() || is_mine_ripe();
+}
+
+# Big transit / tier 1 ASNs for "peerlock"
+function is_big_asn(int asnum) {
+	return asnum ~ [
+		174,				# Cogent
+		209,				# Qwest (HE carries this on IXPs IPv6 (Jul 12 2018))
+		701,				# UUNET
+		702,				# UUNET
+		1239,				# Sprint
+		1299,				# Telia
+		2914,				# NTT Communications
+		3257,				# GTT Backbone
+		3320,				# Deutsche Telekom AG (DTAG)
+		3356,				# Level3
+		3549,				# Level3
+		3561,				# Savvis / CenturyLink
+		4134,				# Chinanet
+		5511,				# Orange opentransit
+		6453,				# Tata Communications
+		6461,				# Zayo Bandwidth
+		6762,				# Seabone / Telecom Italia
+		7018				# AT&T
+	];
+}
+
+# Source: https://wiki.freifunk.net/AS-Nummern
+function is_freifunk_asn(int asnum) {
+	return asnum ~ [ 64856..65534 ];
+}
+
+# Source: https://dn42.net/services/Whois
+function is_dn42_asn(int asnum) {
+	return asnum ~ [ 4242420000..4242429999 ];
+}
+
+function is_bogon_asn(int asnum) {
+	return asnum ~ [
+		0,				# RFC7607: Codification of AS 0 Processing
+		23456,				# RFC6793: AS_TRANS for 32bit extendend ASN range
+		64496..64511,			# RFC5398: Reservation for Documentation Use 16bit ASN
+		64512..65534,			# RFC6996: Reservation for Private Use 16bit ASN
+		65535,				# RFC7300: Reservation of Last ASNs
+		65536..65551,			# RFC5398: Reservation for Documentation Use 32bit ASN
+		65552..131071,			# IANA reserved ASNs https://www.mail-archive.com/uknof@lists.uknof.org.uk/msg03395.html
+		4200000000..4294967294,		# RFC6996: Reservation for Private Use 32bit ASN
+		4294967295			# RFC7300: Reservation of Last ASNs
+	];
+}
+
+# RFC 1918
+function is_private_v4() {
+	return net ~ [
+		10.0.0.0/8+,
+		172.16.0.0/12+,
+		192.168.0.0/16+
+	];
+}
+
+function is_private_v6() {
+	return net ~ [
+		fc00::/7+			# RFC4193: Unique-Local
+	];
+}
+
+function is_peering_lan_v4() {
+	return net ~ [
+		185.1.119.0/24+,		# LocIX Frankfurt
+		80.81.192.0/21+,		# DE-CIX Frankfurt
+		185.1.125.0/24+,		# 4IXP / 4b42
+		206.81.104.0/24+,		# EVIX
+		193.189.82.0/23+		# KleyRex
+	];
+}
+
+function is_peering_lan_v6() {
+	return net ~ [
+		2a07:1c44:61f0::/64+,		# LocIX Frankfurt
+		2001:7f8::/64+,			# DE-CIX Frankfurt
+		2001:7f8:d0:b901::/64+,		# 4IXP / 4b42
+		2001:7f8:d0:4b42::/64+,		# 4IXP / 4b42
+		2602:fed2:fff:ffff::/64,	# EVIX
+		2001:7f8:33::/48+		# KleyRex
+	];
+}
+
+function is_martian_v4() {
+	# See RFC6890
+
+	return is_private_v4() ||
+	       net ~ [
+			0.0.0.0/8+,		# RFC1122: This host on this network
+			100.64.0.0/10+,		# RFC6598: IANA-Reserved IPv4 Prefix for Shared Address Space
+			127.0.0.0/8+,		# RFC1122: Loopback
+			192.18.0.0/15+,		# RFC2544: Benchmarking Methodology for Network Interconnect Devices
+			169.254.0.0/16+,	# RFC3927: Dynamic Configuration of IPv4 Link-Local Addresses
+			192.0.0.0/24+,		# RFC6890: IETF Protocol Assignments
+			192.0.0.0/29+,		# RFC6333: DS-Lite
+			192.0.2.0/24+,		# RFC5737: IPv4 Address Blocks Reserved for Documentation (TEST-NET-1)
+			198.51.100.0/24+,	# RFC5737: IPv4 Address Blocks Reserved for Documentation (TEST-NET-2)
+			192.88.99.0/24+,	# RFC3068: 6to4 Relay Anycast
+			203.0.113.0/24+,	# RFC5737: IPv4 Address Blocks Reserved for Documentation (TEST-NET-3)
+			224.0.0.0/4+,		# RFC5771: IPv4 Multicast
+			240.0.0.0/4+,		# RFC1112: Reserved for Future Use
+			255.255.255.255/32	# RFC0919: Limited Broadcast
+		];
+}
+
+function is_martian_v6() {
+	# See RFC6890
+
+	return is_private_v6() ||
+		net ~ [
+			::ffff:0:0/96+,		# RFC4291: IPv4-mapped Address
+			::ffff:0:0:0/96+,	# IPv4 translated
+			::/128,			# RFC4291: Unspecified Address
+			::1/128,		# RFC4291: Loopback Address
+			64:ff9b::/96+,		# RFC6052: IPv4-IPv6 Translated (NAT64)
+			100::/64+,		# RFC6666: Discard-Only Address Block
+			2001::/23+,		# RFC2928: IETF Protocol Assignments
+			2001::/32+,		# RFC4380: TEREDO
+			2001:2::/48+,		# RFC5180: Benchmarking
+			2001:10::/28+,		# RFC4843: ORCHID
+			2001:db8::/32+,		# RFC3849: Documentation
+			2002::/16+,		# RFC3056: 6to4
+			fe80::/10+,		# RFC4291: Linked-Scoped Unicast
+			ff00::/8+		# RFC2373/3306: IPv6 Multicast
+		];
+}
+
+function is_default_v4() {
+	return net = 0.0.0.0/0;
+}
+
+function is_default_v6() {
+	return net ~ ::/0;
+}
+
+
+function is_bogon_ebgp_v4() {
+	if net.len > 24 then { # RFC7454
+		bgp_large_community.add(filtered_import_prefix_too_long);
+		return true;
+	}
+
+	if is_martian_v4() then {
+		return true;
+	}
+
+	if is_peering_lan_v4() then {
+		return true;
+	}
+
+	if bgp_path.first != my_ripe_asn then {
+		return true;
+	}
+
+	if bgp_path.len > 32 then {
+		bgp_large_community.add(filtered_import_as_path_too_long);
+		return true;
+	}
+
+	if net.len < 8 then { # RFC7454
+		bgp_large_community.add(filtered_import_prefix_too_short);
+		return true;
+	}
+
+	return false;
+}
+
+function is_bogon_ebgp_v6() {
+	if net.len > 48 then { # RFC7454
+		bgp_large_community.add(filtered_import_prefix_too_long);
+		return true;
+	}
+
+	if is_martian_v6() then
+		return true;
+
+	if is_peering_lan_v6() then
+		return true;
+
+	#if is_bogon_asn() then
+	#	return true;
+
+	if bgp_path.first != my_ripe_asn then {
+		bgp_large_community.add(filtered_import_first_as_not_peer);
+		return true;
+	}
+
+	if bgp_path.len > 32 then {
+		bgp_large_community.add(filtered_import_as_path_too_long);
+		return true;
+	}
+
+	if net.len < 19 then { # RFC7454
+		bgp_large_community.add(filtered_import_prefix_too_short);
+		return true;
+	}
+
+	return false;
+}
+

filters/ebgp.conf

@@ -0,0 +1,59 @@
+function ebgp_import_v4()
+	bool ok;
+{
+	ok = false;
+
+	return ok;
+}
+
+function ebgp_import_v6()
+	bool ok;
+{
+	ok = true;
+
+	# Make sure we dont use peering IPs for originating traffic
+	krt_prefsrc = 2a09:11c0:200::14;
+
+
+	     if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_VALID then
+		bgp_large_community.add(informational_rpki_valid);
+	else if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_UNKNOWN then
+		bgp_large_community.add(informational_rpki_unknown);
+	else if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID then {
+		print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last, " from ", proto;
+		bgp_large_community.add(informational_rpki_invalid);
+		ok = false;
+	}
+	else
+		bgp_large_community.add(informational_rpki_not_checked);
+
+	if net.len > 48 then {
+		bgp_large_community.add(filtered_import_prefix_too_long);
+		ok = false;
+	}
+
+	if bgp_path.len > 64 then {
+		bgp_large_community.add(filtered_import_as_path_too_long);
+		ok = false;
+	}
+
+	return ok;
+}
+
+function ebgp_export_v4()
+	bool ok;
+{
+	# I dont have ane IPv4 prefixes :(
+	return false;
+}
+
+function ebgp_export_v6()
+	bool ok;
+{
+	ok = true;
+
+	if ! is_mine_ripe() then
+		ok = false;
+
+	return ok;
+}

filters/ibgp.conf

@@ -0,0 +1,28 @@
+filter ibgp_export_v4 {
+        if net.len = 32 then
+                reject;
+
+        accept;
+}
+
+filter ibgp_export_v6 {
+	if net.len = 128 then
+		reject;
+
+        accept;
+}
+
+filter ibgp_import_v4 {
+	# if net = 0.0.0.0/0 then
+	#	reject;
+
+	accept;
+}
+
+filter ibgp_import_v6 {
+	# if net = 0::/0 then
+	#	reject;
+
+	accept;
+}
+

filters/idfx.conf

@@ -0,0 +1,12 @@
+function is_idfx() {
+	return net ~ [
+		10.1.0.0/16{19,24},    # iiidefix internal
+		10.42.0.0/16{19,24},   # iiidefix friends
+		194.127.157.224/27{27,32}, # MKD net
+		148.251.17.70/32,      # defks1
+		85.214.96.242/32,      # deber1
+		fdb0:4339::/32{48,64}, # iiidefix v6
+		2a09:11c0:20f:100::/56{56,64}
+	];
+}
+

protocols/bfd.conf

@@ -0,0 +1,6 @@
+protocol bfd bfd1 {
+
+	interface "wg-*" {
+
+	};
+}

protocols/ibgp.conf

@@ -0,0 +1,63 @@
+template bgp rr_clients {
+	local as my_ripe_asn;
+	neighbor as my_ripe_asn;
+
+	rr client;
+	rr cluster id 172.23.156.2;
+
+	direct;
+
+	ipv4 {
+		import keep filtered;
+		import filter ibgp_import_v4;
+		export filter ibgp_export_v4;
+		next hop self;
+	};
+
+	ipv6 {
+		import keep filtered;
+		import filter ibgp_import_v6;
+		export filter ibgp_export_v6;
+		next hop self;
+	};
+}
+
+protocol bgp k8s_1_v4 from rr_clients {
+	description "iBGP: k8s-1.lian.vms.0l.de";
+
+	local 172.23.156.2;
+	neighbor 172.23.156.120;
+
+	ipv4 {
+		export none;
+	};
+}
+
+protocol bgp k8s_1_v6 from rr_clients {
+	description "iBGP: k8s-1.lian.vms.0l.de";
+
+	local 2a09:11c0:200::2;
+	neighbor 2a09:11c0:200:100:4cd2:28f8:e1b:9b22;
+
+	ipv6 {
+		export none;
+	};
+}
+
+protocol bgp rpi from rr_clients {
+	description "iBGP: rpi.home.0l.de";
+
+	local 2a09:11c0:200::2;
+	neighbor 2a09:11c0:200::3;
+
+	bfd yes;
+}
+
+protocol bgp edgy from rr_clients {
+	description "iBGP: edgy.0l.de";
+
+	local 2a09:11c0:200::2;
+	neighbor 2a09:11c0:200::14;
+
+	bfd yes;
+}

protocols/idfx.conf

@@ -0,0 +1,37 @@
+template bgp idfx  {
+	local as my_ripe_asn;
+
+	ipv4 {
+		import keep filtered;
+		import where is_idfx();
+		
+		export filter {
+			if !is_mine() then
+				reject;
+
+			if source = RTS_STATIC || source = RTS_DEVICE then
+				bgp_local_pref = 200;
+
+			accept;
+		};
+
+		next hop self yes;
+	};
+
+	ipv6 {
+		import keep filtered;
+		import where is_idfx();
+		export where is_mine();
+
+		next hop self yes;
+	};
+
+	allow bgp_local_pref yes;
+}
+
+protocol bgp idfx_derhr1 from idfx {
+	description "iBGP: idfx-derhr1";
+
+	local fd42:4dd0:ff00::6;
+	neighbor fdb0:4339:ffff::106 as 4243390106;
+}

protocols/kernel.conf

@@ -0,0 +1,28 @@
+protocol kernel {
+	ipv4 {
+		import all;
+		export filter {
+			if proto ~ "direct*" then reject;
+
+			accept;
+		};
+	};
+
+	metric 0;
+	learn;
+}
+
+protocol kernel {
+	ipv6 {
+		import all;
+		export filter {
+			if proto ~ "direct*" then reject;
+
+			accept;
+		};
+	};
+
+	metric 0;
+	learn;
+}
+

protocols/level66.conf

@@ -0,0 +1,27 @@
+protocol bgp level66_rs1_v4 from ebgp_peer_v4 {
+	description "level66.network RS1 (v4)";
+
+	local 141.98.136.131;
+	neighbor 141.98.136.129 as 209844;
+}
+
+protocol bgp level66_rs1_v6 from ebgp_peer_v6 {
+	description "level66.network RS1 (v6)";
+
+	local 2a09:11c0:f0:bbf0::3;
+	neighbor 2a09:11c0:f0:bbf0::1 as 209844;
+}
+
+protocol bgp level66_rs2_v4 from ebgp_peer_v4 {
+	description "level66.network RS2 (v4)";
+
+	local 141.98.136.131;
+	neighbor 141.98.136.130 as 209844;
+}
+
+protocol bgp level66_rs2_v6 from ebgp_peer_v6 {
+	description "level66.network RS2 (v6)";
+
+	local 2a09:11c0:f0:bbf0::3;
+	neighbor 2a09:11c0:f0:bbf0::2 as 209844;
+}

protocols/static.conf

@@ -0,0 +1,46 @@
+protocol static static_v4 {
+	ipv4 {
+		preference 100;
+	};
+
+	# hap-1.moon.vms.0l.de
+	route 141.98.136.132/32
+		via "virbr1";
+
+	# idfx-1.moon.vms.0l.de
+	route 141.98.136.133/32
+		via "virbr1";
+
+	route 0.0.0.0/0
+		via l66_gw_v4;
+}
+
+protocol static	static_v6 {
+	ipv6;
+
+	# route ::/0
+	#	via l66_gw_v6;
+}
+
+
+protocol static static_ebgp_v6 {
+	ipv6 {
+		table ebgp_v6;
+	};
+
+	# My own prefixes for eBGP announcement
+	route 2a09:11c0:202::/48 reject;
+	#route 2a0e:97c7:100::/44 reject;
+	#route 2a09:11c0:200::/44 reject;
+	#route 2a09:4c2:1b::/48 reject;
+}
+
+protocol static static_ebgp_v4 {
+	ipv4 {
+		table ebgp_v4;
+	};
+
+	# For wireguard
+	route 0.0.0.0/0 via 141.98.136.129;
+	route 141.98.136.128/29 via "bond0";
+}

tables.conf

@@ -0,0 +1,19 @@
+# Kernel routing tables
+define krt_main = 254;
+define krt_local = 255;
+define krt_default = 253;
+define krt_ebgp = 100;
+define krt_dn42 = 101;
+
+# Bird tables
+ipv4 table ebgp_v4;
+
+ipv6 table ebgp_v6_bh; # Blackholing
+ipv6 table ebgp_v6;
+roa6 table roa_v6;
+
+ipv4 table dn42_v4;
+roa4 table roa_dn42_v4;
+
+ipv6 table dn42_v6;
+roa6 table roa_dn42_v6;

templates/ebgp.conf

@@ -0,0 +1,30 @@
+template bgp ebgp_peer {
+	local as my_ripe_asn;
+
+	graceful restart on;
+}
+
+template bgp ebgp_peer_v6 from ebgp_peer {
+	ipv6 {
+		table ebgp_v6;
+
+		import keep filtered;
+		import limit 100000;
+
+		import where ebgp_import_v6();
+		export where ebgp_export_v6();
+	};
+}
+
+template bgp ebgp_peer_v4 from ebgp_peer {
+	ipv4 {
+		table ebgp_v4;
+
+		import keep filtered;
+		import limit 200000;
+
+		import where ebgp_import_v4();
+		export where ebgp_export_v4();
+	};
+}
+