diff --git a/bird.conf b/bird.conf index a95ead2..1c86cff 100644 --- a/bird.conf +++ b/bird.conf @@ -7,32 +7,13 @@ timeformat log iso long; timeformat protocol iso long; timeformat route iso long; -filter ibgp_export_v4 { - if net = 178.202.247.4/32 then - reject; - - accept; -} - -filter ibgp_export_v6 { - accept; -} - -filter ibgp_import_v4 { - krt_metric = 200; - - if net = 0.0.0.0/0 then reject; - - accept; -} - -filter ibgp_import_v6 { - krt_metric = 200; - -# if net = 0::/0 then reject; - - accept; -} +include "/etc/bird/constants.conf"; +include "/etc/bird/passwords.conf"; +include "/etc/bird/communities.conf"; +include "/etc/bird/tables.conf"; +include "/etc/bird/filters/*.conf"; +include "/etc/bird/templates/*.conf"; +include "/etc/bird/protocols/*.conf"; protocol device { 
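Review bot: `include "/etc/bird/passwords.conf";` makes the main config depend on a secrets file that this commit does not add (correctly, it should not be tracked), and protocols/bfd.conf's `password pw_bfd` only resolves once that file is present; a comment on the include, e.g. `# Secrets only (pw_bfd etc.): not in version control, keep file mode restrictive`, records that expectation for whoever deploys /etc/bird next. The include order is also load-bearing: communities.conf references `my_ripe_asn`, so constants.conf must stay first, and `include "/etc/bird/templates/*.conf";` matches no file in this commit, so confirm that BIRD accepts a glob with no matches or add the directory. The `protocol device {` block continues outside the hunk.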
@@ -43,117 +24,3 @@ protocol direct {
 ipv6;
 interface "ens*", "tun*", "vpn-*";
 }
-
-protocol kernel {
- ipv4 {
- import all;
- export where proto !~ "direct*";
- };
- metric 0;
- learn;
-}
-
-protocol kernel {
- ipv6 {
- import all;
- export where proto !~ "direct*";
- };
- metric 0;
- learn;
-}
-
-protocol static {
- check link yes;
-
- route 134.61.120.0/22
- via "tun0"; # ITC iDRACs
-
- route 134.130.43.208/30
- via "tun0"; # ITC deploy1-jh.itc.rwth-aachen.de
-
- route 137.226.50.224/27
- via "tun0"; # Jupyter
-
- route 137.226.254.0/23
- via "tun0"; # EONERC office network
-
- route 134.130.48.0/24
- via "tun0"; # EONERC server network
-
- route 137.226.81.156/32
- via "tun0"; # efs-itc01.eonerc.rwth-aachen.de
-
- route 134.130.0.0/16
- via 134.130.169.1
- via 137.226.133.129;
-
- route 134.61.0.0/16
- via 134.130.169.1
- via 137.226.133.129;
-
- route 137.226.0.0/16
- via 134.130.169.1
- via 137.226.133.129;
-
- route 192.35.229.0/24
- via 134.130.169.1
- via 137.226.133.129;
-
- # lian.0l.de
- route 178.202.247.4/32
- via 134.130.169.1;
-# via 137.226.133.129;
-
- ipv4;
-}
-
-template bgp rr_clients {
- local as 207613;
- neighbor as 207613;
- rr client;
- rr cluster id 172.23.156.4;
-
- ipv4 {
- import keep filtered;
- import filter ibgp_import_v4;
- export filter ibgp_export_v4;
- next hop self;
- };
-
- ipv6 {
- import keep filtered;
- import filter ibgp_import_v6;
- export filter ibgp_export_v6;
- next hop self;
- };
-}
-
-protocol bgp edgy from rr_clients {
- description "iBGP: edgy.int.0l.de";
-
- local 2a09:11c0:200::6;
- neighbor 2a09:11c0:200::7;
-}
-
-protocol bgp k8s_2_v4 from rr_clients {
- description "iBGP: k8s-2.acs.vms.0l.de";
-
- local 172.23.156.6;
- neighbor 172.23.156.130;
-
- ipv4 {
- export none;
- };
-}
-
-protocol bgp k8s_2_v6 from rr_clients {
- description "iBGP: k8s-2.acs.vms.0l.de";
-
- local 2a09:11c0:200::6;
- neighbor 2a09:11c0:200:103:f0f4:8dff:fed4:d18d;
-
- ipv6 {
- export none;
- };
-}
-
diff --git a/communities.conf b/communities.conf
new file mode 100644
index 0000000..a6c0e4a
--- /dev/null
+++ b/communities.conf
@@ -0,0 +1,54 @@
+define cymru_fullbogons = (65332, 888);
+
+# Well-known: https://www.iana.org/assignments/bgp-well-known-communities/bgp-well-known-communities.xhtml
+define wk_graceful_shutdown = (0xffff, 0x0000); # RFC8326
+define wk_accept_own = (0xffff, 0x0001); # RFC7611
+define wk_blackhole = (0xffff, 0x029a); # RFC7999
+define wk_no_export = (0xffff, 0xff01); # RFC1997
+define wk_no_advertise = (0xffff, 0xff02); # RFC1997
+define wk_no_export_subconfed = (0xffff, 0xff03); # RFC1997
+define wk_nopeer = (0xffff, 0xff04); # RFC3765
+
+# See https://www.euro-ix.net/en/forixps/large-bgp-communities/
+
+# Informational RS:1000-1999:*
+
+## Informational tags RS:1000-1099:*
+define informational_rpki_valid = (my_ripe_asn, 1000, 1);
+define informational_rpki_unknown = (my_ripe_asn, 1000, 2);
+define informational_rpki_not_checked = (my_ripe_asn, 1000, 3);
+define informational_rpki_invalid = (my_ripe_asn, 1000, 4);
+define informational_rpki_invalid_origin_as = (my_ripe_asn, 1000, 5);
+define informational_rpki_invalid_max_length = (my_ripe_asn, 1000, 6);
+
+define informational_irrdb_valid = (my_ripe_asn, 1001, 1);
+define informational_irrdb_not_checked = (my_ripe_asn, 1001, 2);
+define informational_irrdb_more_specific = (my_ripe_asn, 1001, 3);
+define informational_irrdb_prefix_not_found_in_as_set = (my_ripe_asn, 1001, 4);
+define informational_irrdb_invalid_origin_as = (my_ripe_asn, 1001, 5);
+define informational_irrdb_invalid_prefix_for_origin_as = (my_ripe_asn, 1001, 6);
+
+# Filtered reasons: RS:1100-1199:*
+
+## Route was filtered on import RS:1101:*
+define filtered_import_prefix_too_long = (my_ripe_asn, 1101, 1);
+define filtered_import_prefix_too_short = (my_ripe_asn, 1101, 2);
+define filtered_import_bogon_prefix = (my_ripe_asn, 1101, 3);
+define filtered_import_bogon_as = (my_ripe_asn, 1101, 4);
+define filtered_import_as_path_too_long = (my_ripe_asn, 1101, 5);
+define filtered_import_as_path_too_short = (my_ripe_asn, 1101, 6);
+define filtered_import_first_as_not_peer = (my_ripe_asn, 1101, 7);
+define filtered_import_next_hop_not_peer = (my_ripe_asn, 1101, 8);
+define filtered_import_irrdb_prefix_not_in_as_set = (my_ripe_asn, 1101, 9);
+define filtered_import_origin_as_not_in_peer_as_set = (my_ripe_asn, 1101, 10);
+define filtered_import_prefix_not_found_in_origin_as = (my_ripe_asn, 1101, 11);
+define filtered_import_prefix_is_rpki_unknown = (my_ripe_asn, 1101, 12);
+define filtered_import_prefix_is_rpki_invalid = (my_ripe_asn, 1101, 13);
+define filtered_import_transit_free_asn_in_as_path = (my_ripe_asn, 1101, 14);
+define filtered_import_too_many_bgp_communities = (my_ripe_asn, 1101, 15);
+
+# Route was filtered on export RS:1102:*
+define filtered_export_advertising_peer_declines_prefix = (my_ripe_asn, 1102, 1);
+define filtered_export_declined_from_advertising_peer = (my_ripe_asn, 1102, 2);
+define filtered_export_too_many_bgp_communities = (my_ripe_asn, 1102, 3);
+
diff --git a/constants.conf b/constants.conf
new file mode 100644
index 0000000..c3a03b4
--- /dev/null
+++ b/constants.conf
@@ -0,0 +1,3 @@
+define my_ripe_asn = 207613;
+define my_dn42_asn = 4242422428;
+
diff --git a/filters/ibgp.conf b/filters/ibgp.conf
new file mode 100644
index 0000000..71f8f94
--- /dev/null
+++ b/filters/ibgp.conf
@@ -0,0 +1,26 @@
+filter ibgp_export_v4 {
+ if net = 178.202.247.4/32 then
+ reject;
+
+ accept;
+}
+
+filter ibgp_export_v6 {
+ accept;
+}
+
+filter ibgp_import_v4 {
+ krt_metric = 200;
+
+ if net = 0.0.0.0/0 then reject;
+
+ accept;
+}
+
+filter ibgp_import_v6 {
+ krt_metric = 200;
+
+# if net = 0::/0 then reject;
+
+ accept;
+}
diff --git a/protocols/bfd.conf b/protocols/bfd.conf
new file mode 100644
index 0000000..1189dbf
--- /dev/null
+++ b/protocols/bfd.conf
@@ -0,0 +1,8 @@
+protocol bfd bfd1 {
+
+ interface "wg-*" {
+ interval 100 ms;
+ authentication simple;
+ password pw_bfd;
+ };
+}
diff --git a/protocols/ibgp.conf b/protocols/ibgp.conf
new file mode 100644
index 0000000..b33884d
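Review bot: Every large-community define from `informational_rpki_valid` onward resolves `my_ripe_asn`, which is declared in constants.conf, so this file only parses when constants.conf has already been included; a header line `# Requires my_ripe_asn from constants.conf: include that file first.` records the ordering that bird.conf currently satisfies by accident of line order. The two filtered-reason headings also use different levels (`## Route was filtered on import RS:1101:*` versus `# Route was filtered on export RS:1102:*`); making the second one `##` as well keeps the outline consistent with the informational section.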
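Review bot: `ibgp_import_v6` leaves its default-route reject disabled (`# if net = 0::/0 then reject;`) while `ibgp_import_v4` rejects `0.0.0.0/0`, so a default learned from a route-reflector client is treated differently per address family and nothing says why; either enable the v6 check or put a one-line reason above the commented line. In `ibgp_export_v4` the rejected `178.202.247.4/32` is the lian.0l.de host route from protocols/static.conf, and a comment such as `# lian.0l.de host route, see protocols/static.conf` spares the next reader the cross-file lookup.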
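Review bot: `authentication simple;` on the `wg-*` interfaces places `pw_bfd` in cleartext in every BFD control packet (RFC 5880 Simple Password), so the secret guards against little more than a misconfigured peer; BIRD accepts `authentication meticulous keyed sha1;` with the same `password` option, which is the stronger mode at no extra operational cost. The interfaces are WireGuard tunnels, so exposure on the wire is presumably limited, but the weaker mode still reveals the shared secret to anything that can read the decrypted tunnel traffic. Only `edgy` in protocols/ibgp.conf requests BFD (`bfd yes;`); if that neighbour is not reached over a `wg-*` interface, this interface block and its authentication settings do not apply to the session, which is worth confirming.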
--- /dev/null
+++ b/protocols/ibgp.conf
@@ -0,0 +1,51 @@
+template bgp rr_clients {
+ local as 207613;
+ neighbor as 207613;
+ rr client;
+ rr cluster id 172.23.156.4;
+
+ ipv4 {
+ import keep filtered;
+ import filter ibgp_import_v4;
+ export filter ibgp_export_v4;
+ next hop self;
+ };
+
+ ipv6 {
+ import keep filtered;
+ import filter ibgp_import_v6;
+ export filter ibgp_export_v6;
+ next hop self;
+ };
+}
+
+protocol bgp edgy from rr_clients {
+ description "iBGP: edgy.int.0l.de";
+
+ local 2a09:11c0:200::6;
+ neighbor 2a09:11c0:200::7;
+
+ bfd yes;
+}
+
+protocol bgp k8s_2_v4 from rr_clients {
+ description "iBGP: k8s-2.acs.vms.0l.de";
+
+ local 172.23.156.6;
+ neighbor 172.23.156.130;
+
+ ipv4 {
+ export none;
+ };
+}
+
+protocol bgp k8s_2_v6 from rr_clients {
+ description "iBGP: k8s-2.acs.vms.0l.de";
+
+ local 2a09:11c0:200::6;
+ neighbor 2a09:11c0:200:103:f0f4:8dff:fed4:d18d;
+
+ ipv6 {
+ export none;
+ };
+}
diff --git a/protocols/kernel.conf b/protocols/kernel.conf
new file mode 100644
index 0000000..403ea1e
--- /dev/null
+++ b/protocols/kernel.conf
@@ -0,0 +1,17 @@
+protocol kernel {
+ ipv4 {
+ import all;
+ export where proto !~ "direct*";
+ };
+ metric 0;
+ learn;
+}
+
+protocol kernel {
+ ipv6 {
+ import all;
+ export where proto !~ "direct*";
+ };
+ metric 0;
+ learn;
+}
diff --git a/protocols/static.conf b/protocols/static.conf
new file mode 100644
index 0000000..aed450f
--- /dev/null
+++ b/protocols/static.conf
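Review bot: `local as 207613;` and `neighbor as 207613;` in the `rr_clients` template repeat the literal ASN that this same commit names `my_ripe_asn` in constants.conf; `local as my_ripe_asn;` and `neighbor as my_ripe_asn;` keep a single source of truth and make the iBGP intent (same AS on both ends) obvious. Only `edgy` adds `bfd yes;` while the two k8s_2 sessions do not, which may be deliberate, but a short comment on `edgy` saying why BFD is wanted there alone would stop it being read as an omission. The template configures no `password`, so none of these sessions use TCP-MD5; if any neighbour is reached outside a trusted segment, the secret can live in the passwords.conf that bird.conf already includes.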
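Review bot: Both `protocol kernel {` instances are unnamed, so BIRD assigns generated names and `birdc show protocols` gives no hint which one carries the IPv4 and which the IPv6 channel; `protocol kernel kernel4 {` and `protocol kernel kernel6 {` cost nothing and make logs and CLI output self-describing. `learn;` together with `import all` pulls routes installed by other processes into BIRD's tables, which is presumably intended, but a one-line comment above `learn;` naming what is expected to be learned would make that explicit.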
@@ -0,0 +1,45 @@
+protocol static {
+ check link yes;
+
+ route 134.61.120.0/22
+ via "tun0"; # ITC iDRACs
+
+ route 134.130.43.208/30
+ via "tun0"; # ITC deploy1-jh.itc.rwth-aachen.de
+
+ route 137.226.50.224/27
+ via "tun0"; # Jupyter
+
+ route 137.226.254.0/23
+ via "tun0"; # EONERC office network
+
+ route 134.130.48.0/24
+ via "tun0"; # EONERC server network
+
+ route 137.226.81.156/32
+ via "tun0"; # efs-itc01.eonerc.rwth-aachen.de
+
+ route 134.130.0.0/16
+ via 134.130.169.1
+ via 137.226.133.129;
+
+ route 134.61.0.0/16
+ via 134.130.169.1
+ via 137.226.133.129;
+
+ route 137.226.0.0/16
+ via 134.130.169.1
+ via 137.226.133.129;
+
+ route 192.35.229.0/24
+ via 134.130.169.1
+ via 137.226.133.129;
+
+ # lian.0l.de
+ route 178.202.247.4/32
+ via 134.130.169.1;
+# via 137.226.133.129;
+
+ ipv4;
+}
+
diff --git a/tables.conf b/tables.conf
new file mode 100644
index 0000000..e69de29
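Review bot: The `lian.0l.de` host route keeps its second next hop commented out (`# via 137.226.133.129;`) with no reason, while the four aggregate routes above it use both gateways, so a reader cannot tell whether this is a temporary workaround or a permanent single-path choice; a one-line comment such as `# second path via 137.226.133.129 disabled: <reason>` belongs next to it. The same prefix is rejected by `ibgp_export_v4` in filters/ibgp.conf, and noting that here (`# also rejected in ibgp_export_v4`) ties the two files together for whoever changes either one.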