diff --git a/bird.conf b/bird.conf
index aa7f187..948d4d0 100644
--- a/bird.conf
+++ b/bird.conf
@@ -12,7 +12,6 @@ include "/etc/bird/constants.conf";
 include "/etc/bird/passwords.conf";
 include "/etc/bird/communities.conf";
 include "/etc/bird/tables.conf";
-include "/etc/bird/rpki.conf";
 include "/etc/bird/filters/*.conf";
 include "/etc/bird/protocols/*.conf";
diff --git a/protocols/rpki.conf b/protocols/rpki.conf
new file mode 100644
index 0000000..fad7722
--- /dev/null
+++ b/protocols/rpki.conf
@@ -0,0 +1,11 @@
+protocol rpki {
+ roa6 {
+ table roa_v6;
+ };
+
+ remote "10.43.141.166" port 3323;
+
+ retry keep 90;
+ refresh keep 900;
+ expire keep 172800;
+}
diff --git a/rpki.conf b/rpki.conf
deleted file mode 100644
index f17165a..0000000
--- a/rpki.conf
+++ /dev/null
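Review bot: Dropping `include "/etc/bird/rpki.conf";` also removes the only visible definitions of `filter_reason()` and the three `is_rpki_invalid_*()` helpers, because the new protocols/rpki.conf carries over only the `protocol rpki` block and the old file is deleted in this commit. If anything under /etc/bird/filters/ still calls them, the configuration will not parse; if the calls were dropped as well, RPKI-invalid routes would presumably no longer be tagged or rejected on import. Neither case is visible in this diff, so it is worth confirming where origin validation lives now and leaving a pointer next to the includes, e.g. `# RPKI: protocol in protocols/rpki.conf, roa_check helpers in filters/<file>.conf`.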
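Review bot: The RTR session in `remote "10.43.141.166" port 3323;` uses the default plain-TCP transport, so the ROA data that feeds `roa_check()` has no integrity protection between the validator and this router. If that path is not a dedicated trusted link, consider the `transport ssh { ... }` option of the rpki protocol; otherwise state the assumption in the file, e.g. `# RTR over plain TCP: validator is reachable only on the internal management network`. It would also help to note above `expire keep 172800;` that, as I read the BIRD documentation, ROAs are discarded after 48 hours without a successful refresh and lookups then return ROA_UNKNOWN, so an unreachable cache should raise an alert rather than silently turn validation off. Only `roa6` is populated here, so any IPv4 or dn42 ROA tables would need their own source, which this file does not show.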
@@ -1,65 +0,0 @@
-protocol rpki {
- roa6 {
- table roa_v6;
- };
-
- remote "10.43.141.166" port 3323;
-
- retry keep 90;
- refresh keep 900;
- expire keep 172800;
-}
-
-function filter_reason(lc rsn) {
- bgp_large_community.add(rsn);
-}
-
-# RPKI tests
-function is_rpki_invalid_v6() {
- if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_VALID then
- bgp_large_community.add(informational_rpki_valid);
- else if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_UNKNOWN then
- bgp_large_community.add(informational_rpki_unknown);
- else if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID then {
- print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last;
- bgp_large_community.add(informational_rpki_invalid);
- return true;
- }
- else
- bgp_large_community.add(informational_rpki_not_checked);
-
- return false;
-}
-
-function is_rpki_invalid_dn42_v4() {
- if roa_check(roa_dn42_v4, net, bgp_path.last_nonaggregated) = ROA_VALID then
- bgp_large_community.add(informational_rpki_valid);
- else if roa_check(roa_dn42_v4, net, bgp_path.last_nonaggregated) = ROA_UNKNOWN then
- bgp_large_community.add(informational_rpki_unknown);
- else if roa_check(roa_dn42_v4, net, bgp_path.last_nonaggregated) = ROA_INVALID then {
- print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last;
- bgp_large_community.add(informational_rpki_invalid);
- return true;
- }
- else
- bgp_large_community.add(informational_rpki_not_checked);
-
- return false;
-}
-
-function is_rpki_invalid_dn42_v6() {
- if roa_check(roa_dn42_v6, net, bgp_path.last_nonaggregated) = ROA_VALID then
- bgp_large_community.add(informational_rpki_valid);
- else if roa_check(roa_dn42_v6, net, bgp_path.last_nonaggregated) = ROA_UNKNOWN then
- bgp_large_community.add(informational_rpki_unknown);
- else if roa_check(roa_dn42_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID then {
- print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last;
- bgp_large_community.add(informational_rpki_invalid);
- return true;
- }
- else
- bgp_large_community.add(informational_rpki_not_checked);
-
- return false;
-}
-