diff --git a/filters/common.conf b/filters/common.conf index ba59ef8..de9aef1 100644 --- a/filters/common.conf +++ b/filters/common.conf @@ -163,30 +163,41 @@ function is_default_v6() { function is_bogon_ebgp_v4() { - if net.len > 24 then # RFC7454 + if net.len > 24 then { # RFC7454 + bgp_large_community.add(filtered_import_prefix_too_long); return true; + } - if is_martian_v4() then + if is_martian_v4() then { return true; + } - if is_peering_lan_v4() then + if is_peering_lan_v4() then { return true; + } - if bgp_path.first != my_ripe_asn then + if bgp_path.first != my_ripe_asn then { return true; + } - if bgp_path.len > 32 then + if bgp_path.len > 32 then { + bgp_large_community.add(filtered_import_as_path_too_long); return true; + } - if net.len < 8 then # RFC7454 + if net.len < 8 then { # RFC7454 + bgp_large_community.add(filtered_import_prefix_too_short); return true; + } return false; } function is_bogon_ebgp_v6() { - if net.len > 48 then # RFC7454 + if net.len > 48 then { # RFC7454 + bgp_large_community.add(filtered_import_prefix_too_long); return true; + } if is_martian_v6() then return true; @@ -197,14 +208,20 @@ function is_bogon_ebgp_v6() { #if is_bogon_asn() then # return true; - if bgp_path.first != my_ripe_asn then + if bgp_path.first != my_ripe_asn then { + bgp_large_community.add(filtered_import_first_as_not_peer); return true; + } - if bgp_path.len > 32 then + if bgp_path.len > 32 then { + bgp_large_community.add(filtered_import_as_path_too_long); return true; + } - if net.len < 19 then # RFC7454 + if net.len < 19 then { # RFC7454 + bgp_large_community.add(filtered_import_prefix_too_short); return true; + } return false; } diff --git a/filters/dn42.conf b/filters/dn42.conf index 7d93ccb..2523099 100644 --- a/filters/dn42.conf +++ b/filters/dn42.conf 
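Review bot: In `is_bogon_ebgp_v4()` the `bgp_path.first != my_ripe_asn` branch still returns true without tagging the route, while the same branch in `is_bogon_ebgp_v6()` (second hunk) now adds `filtered_import_first_as_not_peer`; the martian branches in both functions and the v4 peering-LAN branch are also left without a reason community. For v4 I would add `bgp_large_community.add(filtered_import_first_as_not_peer);` before that `return true;`. Separately, the community name says the first AS is not the peer, but the comparison is against `my_ripe_asn`, which appears to be the local AS; on an eBGP import that looks like it would match every received route, so the condition is worth confirming against the callers, which are not visible here. `is_bogon_ebgp_v6()` starts in the first hunk and ends in the second, with a few lines in between not shown.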
@@ -9,56 +9,70 @@ function is_dn42() { ]; } -filter dn42_import_v4 - bool rej; +function dn42_import_v4() + bool ok; { - accept; - - rej = false; + ok = true; if ! is_dn42() then - rej = true; + ok = false; - if is_rpki_invalid_dn42_v6() then - rej = true; + if roa_check(roa_dn42_v4, net, bgp_path.last_nonaggregated) = ROA_VALID then + bgp_large_community.add(informational_rpki_valid); + else if roa_check(roa_dn42_v4, net, bgp_path.last_nonaggregated) = ROA_UNKNOWN then + bgp_large_community.add(informational_rpki_unknown); + else if roa_check(roa_dn42_v4, net, bgp_path.last_nonaggregated) = ROA_INVALID then { + print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last, " from ", proto; + bgp_large_community.add(informational_rpki_invalid); + ok = false; + } + else + bgp_large_community.add(informational_rpki_not_checked); - # We delay the final decission until all communities are added - if rej then - reject; - - accept; + return ok; } -filter dn42_import_v6 - bool rej; +function dn42_import_v6() + bool ok; { - accept; - - rej = false; + ok = true; if ! is_dn42() then - rej = true; + ok = false; - if is_rpki_invalid_dn42_v6() then - rej = true; + if roa_check(roa_dn42_v6, net, bgp_path.last_nonaggregated) = ROA_VALID then + bgp_large_community.add(informational_rpki_valid); + else if roa_check(roa_dn42_v6, net, bgp_path.last_nonaggregated) = ROA_UNKNOWN then + bgp_large_community.add(informational_rpki_unknown); + else if roa_check(roa_dn42_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID then { + print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last, " from ", proto; + bgp_large_community.add(informational_rpki_invalid); + ok = false; + } + else + bgp_large_community.add(informational_rpki_not_checked); - # We delay the final decission until all communities are added - if rej then - reject; - - accept; + return ok; } -filter dn42_export_v4 { +function dn42_export_v4() + bool ok; +{ + ok = true; + if ! 
is_mine_dn42() then - reject; + ok = false; - accept; + return ok; } -filter dn42_export_v6 { +function dn42_export_v6() + bool ok; +{ + ok = true; + if ! is_mine_dn42() then - reject; + ok = false; - accept; + return ok; } diff --git a/filters/ebgp.conf b/filters/ebgp.conf index 72bdbf0..1949da3 100644 --- a/filters/ebgp.conf +++ b/filters/ebgp.conf 
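Review bot: The final `else` of the RPKI chain in `dn42_import_v4()` and `dn42_import_v6()` looks unreachable, because `roa_check()` yields only `ROA_VALID`, `ROA_UNKNOWN` or `ROA_INVALID`; `informational_rpki_not_checked` is therefore never attached, and the same lookup runs up to three times per route. Testing `ROA_VALID` and `ROA_INVALID` explicitly and letting a plain `else` add `informational_rpki_unknown` removes the dead arm and one lookup. The log line prints `bgp_path.last` while validation uses `bgp_path.last_nonaggregated`, so for aggregated paths the logged origin can differ from the one that was checked; `" for ASN ", bgp_path.last_nonaggregated,` keeps the two aligned. The same chain is repeated in `ebgp_import_v6()` in filters/ebgp.conf.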
@@ -1,40 +1,59 @@ -filter ebgp_import_v4 { - reject; +function ebgp_import_v4() + bool ok; +{ + ok = false; + + return ok; } -filter ebgp_import_v6 - bool rej; +function ebgp_import_v6() + bool ok; { - rej = false; + ok = true; # Make sure we dont use peering IPs for originating traffic krt_prefsrc = 2a09:11c0:200::14; - if is_rpki_invalid_v6() then - rej = true; + + if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_VALID then + bgp_large_community.add(informational_rpki_valid); + else if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_UNKNOWN then + bgp_large_community.add(informational_rpki_unknown); + else if roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID then { + print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last, " from ", proto; + bgp_large_community.add(informational_rpki_invalid); + ok = false; + } + else + bgp_large_community.add(informational_rpki_not_checked); if net.len > 48 then { - filter_reason(filtered_import_prefix_too_long); - rej = true; + bgp_large_community.add(filtered_import_prefix_too_long); + ok = false; } if bgp_path.len > 64 then { - filter_reason(filtered_import_as_path_too_long); - rej = true; + bgp_large_community.add(filtered_import_as_path_too_long); + ok = false; } - # We delay the final decission until all communities are added - if rej then reject; else accept; + return ok; } -filter ebgp_export_v4 { - reject; -} - -filter ebgp_export_v6 - prefix set mynets; +function ebgp_export_v4() + bool ok; { - if is_mine_ripe() then accept; - - reject; + # I dont have ane IPv4 prefixes :( + return false; +} + +function ebgp_export_v6() + bool ok; +{ + ok = true; + + if ! is_mine_ripe() then + ok = false; + + return ok; } diff --git a/filters/ibgp.conf b/filters/ibgp.conf index 8b86275..851fa96 100644 --- a/filters/ibgp.conf +++ b/filters/ibgp.conf 
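Review bot: `ebgp_import_v6()` is fully visible in this hunk and checks only the RPKI state, `net.len > 48` and `bgp_path.len > 64`; it never calls `is_bogon_ebgp_v6()` from filters/common.conf, so martians and prefixes shorter than /19 are accepted unless the `ebgp_peer_v6` template, which this diff does not show, filters them. The AS-path ceiling also differs between the two places (64 here, 32 in the bogon helper). If the helper is meant to be part of the import policy, a line such as `if is_bogon_ebgp_v6() then ok = false;` after the RPKI chain would apply it, once its first-AS comparison against `my_ripe_asn` has been confirmed. In `ebgp_export_v4()` the `bool ok;` local is unused and the comment reads "ane" where "any" is meant.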
@@ -1,23 +1,43 @@ -filter ibgp_export_v4 { +function ibgp_export_v4() + bool ok; +{ + ok = true; + if net.len = 32 then - reject; + ok = false; - accept; + return ok; } -filter ibgp_export_v6 { +function ibgp_export_v6() + bool ok; +{ + ok = true; + if net.len = 128 then - reject; + ok = false; - accept; + return ok; } -filter ibgp_import_v4 { - if net = 0.0.0.0/0 then reject; +function ibgp_import_v4() + bool ok; +{ + ok = true; - accept; + if net = 0.0.0.0/0 then + ok = false; + + return ok; } -filter ibgp_import_v6 { - accept; +function ibgp_import_v6() + bool ok; +{ + ok = true; + + if ! is_mine() then + ok = false; + + return ok; } diff --git a/protocols/4ixp.conf b/protocols/4ixp.conf index 2f09915..e6ffc46 100644 --- a/protocols/4ixp.conf +++ b/protocols/4ixp.conf @@ -1,13 +1,19 @@ -template bgp ixp_ch { - local 2001:7f8:d0:4b42::45 as my_ripe_asn; +template bgp ixp_ch from ebgp_peer_v6 { + local 2001:7f8:d0:4b42::45; neighbor as 35708; ipv6 { - table ebgp_v6; + export filter { + bgp_path = prepend(bgp_path, my_ripe_asn); + bgp_path = prepend(bgp_path, my_ripe_asn); + bgp_path = prepend(bgp_path, my_ripe_asn); + bgp_path = prepend(bgp_path, my_ripe_asn); - #import keep filtered; - import filter ebgp_import_v6; - export filter ebgp_export_v6; + if ebgp_export_v6() then + accept; + else + reject; + }; }; } diff --git a/protocols/decix.conf b/protocols/decix.conf index 0cc0d40..e6a5d73 100644 --- a/protocols/decix.conf +++ b/protocols/decix.conf 
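Review bot: `ibgp_import_v6()` changes from an unconditional accept to rejecting every route for which `is_mine()` is false, whereas `ibgp_import_v4()` still accepts everything except `0.0.0.0/0`, and nothing in the hunk says why the two address families diverge. If the restriction is intended, a comment above the test, for example `# iBGP v6: accept only our own prefixes`, would record it; if it is not, IPv6 routes learned by other routers will silently stop being imported here. `is_mine()` is defined outside this diff, so its match set could not be checked.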
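Review bot: In the `ixp_ch` export filter the four `prepend()` statements run before `ebgp_export_v6()` is evaluated, so the export decision is made on an already rewritten route and would change meaning if that function ever inspected `bgp_path`. Testing first with `if ! ebgp_export_v6() then reject;`, then prepending and ending with `accept;`, keeps the policy check ahead of attribute rewriting. The same ordering appears in the `tb_he1` export filter in protocols/tunnelbroker_net.conf. The import side of this template now comes entirely from `ebgp_peer_v6`, which is not part of the visible diff.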
@@ -1,35 +1,17 @@ - -template bgp decix { - local as my_ripe_asn; - - graceful restart on; +template bgp decix_v4 from ebgp_peer_v4 { + ipv4 { + preference 120; + }; } -template bgp decix_v6 from decix { +template bgp decix_v6 from ebgp_peer_v6 { ipv6 { - table ebgp_v6; - - import keep filtered; import limit 50000; - import filter ebgp_import_v6; - export filter ebgp_export_v6; + preference 120; }; } -template bgp decix_v4 from decix { - ipv4 { - table ebgp_v4; - - import keep filtered; - import limit 200000; - - import filter ebgp_import_v4; - export filter ebgp_export_v4; - }; -} - - ### IPv4 template bgp decix_fra_v4 from decix_v4 { neighbor as 6695; @@ -59,17 +41,24 @@ template bgp decix_muc_v4 from decix_v4 { template bgp decix_fra_v6 from decix_v6 { local 2001:7f8::3:2afd:0:1; neighbor as 6695; + + ipv6 { + preference 140; + }; } template bgp decix_dus_v6 from decix_v6 { + local 2001:7f8:9e:0:3:2afd:0:1; neighbor as 56890; } template bgp decix_ham_v6 from decix_v6 { + local 2001:7f8:3d:0:3:2afd:0:1; neighbor as 43252; } template bgp decix_muc_v6 from decix_v6 { + local 2001:7f8:44:0:3:2afd:0:1; neighbor as 47228; } @@ -137,7 +126,7 @@ protocol bgp decix_dus_rs1_v4 from decix_dus_v4 { protocol bgp decix_dus_rs2_v4 from decix_dus_v4 { description "DE-CIX Düsseldorf RS2 (v4)"; - neighbor 185.1.58.252; + neighbor 185.1.58.253; } protocol bgp decix_dus_rs1_v6 from decix_dus_v6 { @@ -149,7 +138,7 @@ protocol bgp decix_dus_rs1_v6 from decix_dus_v6 { protocol bgp decix_dus_rs2_v6 from decix_dus_v6 { description "DE-CIX Düsseldorf RS2 (v6)"; - neighbor 2001:7f8:9e::de3a:fc:1; + neighbor 2001:7f8:9e::de3a:fd:1; } # München 
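Review bot: The rewritten `decix_v4` template drops `import limit 200000` while `decix_v6` keeps `import limit 50000`, so the IPv4 route-server sessions have no visible prefix ceiling unless `ebgp_peer_v4`, which this diff does not show, sets one. Because `ebgp_import_v4()` rejects every route, an `import limit` would not count them anyway; if the parent template uses `import keep filtered`, a `receive limit` is the setting that bounds what a misbehaving peer can make the router store. A one-line comment in the `ipv4` block stating where the limit is defined would make the intent checkable.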
@@ -177,3 +166,20 @@ protocol bgp decix_muc_rs2_v6 from decix_muc_v6 { neighbor 2001:7f8:44::b87c:0:2; } +protocol bgp decix_fra_he_v6 from decix_fra_v6 { + description "DE-CIX Frankfurt: Hurricane Electric (v6)"; + + neighbor 2001:7f8::1b1b:0:1 as 6939; +} + +protocol bgp decix_muc_facebook_1_v6 from decix_muc_v6 { + description "DE-CIX Frankurt: Facebook /1"; + + neighbor 2001:7f8:44::80a6:0:1 as 32934; +} + +protocol bgp decix_muc_facebook_2_v6 from decix_muc_v6 { + description "DE-CIX Frankurt: Facebook /1"; + + neighbor 2001:7f8:44::80a6:0:2 as 32934; +} diff --git a/protocols/dn42.conf b/protocols/dn42.conf index d3a8e9c..a40bfc3 100644 --- a/protocols/dn42.conf +++ b/protocols/dn42.conf @@ -1,4 +1,3 @@ -# ROA tables protocol static static_roa_dn42_v4 { roa4 { table roa_dn42_v4; @@ -15,49 +14,4 @@ protocol static static_roa_dn42_v6 { include "/var/lib/bird/bird_roa_dn42_v6.conf"; } -# Template -template bgp dn42_peer { - local as my_dn42_asn; - - graceful restart on; -} - -template bgp dn42_peer_v46 from dn42_peer { - ipv4 { - table dn42_v4; - - import keep filtered; - import filter dn42_import_v4; - export filter dn42_export_v4; - }; - - ipv6 { - table dn42_v6; - - import keep filtered; - import filter dn42_import_v6; - export filter dn42_export_v6; - }; -} - -template bgp dn42_peer_v4 from dn42_peer { - ipv4 { - table dn42_v4; - - import keep filtered; - import filter dn42_import_v4; - export filter dn42_export_v4; - }; -} - -template bgp dn42_peer_v6 from dn42_peer { - ipv6 { - table dn42_v6; - - import keep filtered; - import filter dn42_import_v6; - export filter dn42_export_v6; - }; -} - include "/etc/bird/protocols/dn42/*.conf"; diff --git a/protocols/dn42/grc.conf b/protocols/dn42/grc.conf index c0b4263..527911e 100644 --- a/protocols/dn42/grc.conf +++ b/protocols/dn42/grc.conf 
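Review bot: Both Facebook sessions inherit from `decix_muc_v6` but carry the identical description "DE-CIX Frankurt: Facebook /1", so the location is wrong, "Frankfurt" is misspelled, and the two sessions cannot be told apart in protocol listings or logs. Suggested strings are `description "DE-CIX München: Facebook /1";` and `description "DE-CIX München: Facebook /2";`. These bilateral sessions also inherit the `import limit 50000` of `decix_v6`; whether that ceiling suits each peer is worth a short comment.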
@@ -1,5 +1,10 @@ -protocol bgp dn42_grc { - description "dn42: Global Route Collector (burble)"; +ipv4 table dn42_grc_v4; +ipv6 table dn42_grc_v6; + +protocol bgp dn42_grc_export { + disabled yes; + + description "dn42: Global Route Collector Export (burble)"; local fd42:4dd0:ff00::1 as my_dn42_asn; neighbor fd42:4242:2601:ac12::1 as 4242422602; @@ -23,3 +28,52 @@ protocol bgp dn42_grc { import none; }; } + +protocol bgp dn42_grc_import { + description "dn42: Global Route Collector Import (burble)"; + + local fd42:4dd0:ff00::1:1 as my_dn42_asn; + neighbor fd42:4242:2601:ac12::1 as 4242422602; + + # mrtdump all; + multihop; + + ipv4 { + add paths rx; + table dn42_grc_v4; + + export none; + import all; + }; + + ipv6 { + add paths rx; + table dn42_grc_v6; + + export none; + import all; + }; +} + +protocol bgp dn42_grc_peer { + description "dn42: Global Route Collector Peer"; + + local 2a09:11c0:200::14 as my_dn42_asn; + neighbor range 2a09:11c0:200::/48 internal; + + ipv4 { + add paths tx; + table dn42_grc_v4; + + export all; + import none; + }; + + ipv6 { + add paths tx; + table dn42_grc_v6; + + export all; + import none; + }; +} diff --git a/protocols/dn42/grc_mrtdump.conf b/protocols/dn42/grc_mrtdump.conf new file mode 100644 index 0000000..e0fef3e --- /dev/null +++ b/protocols/dn42/grc_mrtdump.conf @@ -0,0 +1 @@ +mrtdump "/mnt/mrt/bird/today/msgs_dn42_grc_2020-05-02.mrt"; diff --git a/protocols/evix.conf b/protocols/evix.conf index 12909ff..a102ac8 100644 --- a/protocols/evix.conf +++ b/protocols/evix.conf @@ -1,15 +1,5 @@ -template bgp evix { - local 2602:fed2:fff:ffff::233 as my_ripe_asn; - - ipv6 { - table ebgp_v6; - - import keep filtered; - import all; - export filter ebgp_export_v6; - }; - - graceful restart on; +template bgp evix from ebgp_peer_v6 { + local 2602:fed2:fff:ffff::233; } protocol bgp evix_rs1 from evix { diff --git a/protocols/ibgp.conf b/protocols/ibgp.conf index c77c730..76d23ef 100644 --- a/protocols/ibgp.conf +++ b/protocols/ibgp.conf 
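Review bot: `dn42_grc_peer` accepts a dynamic session from any address in `2a09:11c0:200::/48` with `export all` and no authentication, so every host in that /48 that can reach the BGP port can pull the full collector tables with add-path. `import none` prevents route injection, which leaves disclosure and resource use as the exposure; narrowing the `neighbor range` or adding a `password "<shared-secret placeholder>";` line would bound it. `dn42_grc_import` takes `import all` over `multihop`, which is only safe while `dn42_grc_v4` and `dn42_grc_v6` are never piped into a table used for forwarding; a comment next to the two table declarations would record that assumption.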
@@ -6,15 +6,15 @@ template bgp rr_clients { ipv4 { import keep filtered; - import filter ibgp_import_v4; - export filter ibgp_export_v4; + import where ibgp_import_v4(); + export where ibgp_export_v4(); next hop self; }; ipv6 { import keep filtered; - import filter ibgp_import_v6; - export filter ibgp_export_v6; + import where ibgp_import_v6(); + export where ibgp_export_v6(); next hop self; }; } diff --git a/protocols/kleyrex.conf b/protocols/kleyrex.conf index 76a0190..31b8093 100644 --- a/protocols/kleyrex.conf +++ b/protocols/kleyrex.conf @@ -1,13 +1,9 @@ -template bgp kleyrex_fra { - local 2001:7f8:33::A120:7613:1 as my_ripe_asn; +template bgp kleyrex_fra from ebgp_peer_v6 { + local 2001:7f8:33::A120:7613:1; neighbor as 31142; ipv6 { - table ebgp_v6; - - #import keep filtered; - import all; - export filter ebgp_export_v6; + preference 120; }; graceful restart on; @@ -34,6 +30,10 @@ protocol bgp kleyrex_fra_rs3 from kleyrex_fra { protocol bgp kleyrex_fra_42b4 from kleyrex_fra { description "KleyRex FRA 42b4"; + ipv6 { + preference 50; + }; + neighbor 2001:7f8:33::a106:474:1 as 60474; } diff --git a/protocols/locix.conf b/protocols/locix.conf index 9dcc6c8..10345d7 100644 --- a/protocols/locix.conf +++ b/protocols/locix.conf 
@@ -1,43 +1,42 @@ -template bgp locix_fra { - local 2a07:1c44:61f0::a520:7613:1 as my_ripe_asn; +template bgp locix_fra_v6 from ebgp_peer_v6 { + local 2001:7f8:f2:e1:0:a520:7613:1; neighbor as 202409; ipv6 { - table ebgp_v6; - - #import keep filtered; - import all; - export filter ebgp_export_v6; + preference 110; }; graceful restart on; } -protocol bgp locix_fra_rs1 from locix_fra { - description "LocIX FRA RS1"; +protocol bgp locix_fra_rs1 from locix_fra_v6 { + description "LocIX Frankfurt RS1"; - neighbor 2a07:1c44:61f0::babe:1; + neighbor 2001:7f8:f2:e1::babe:1; } -protocol bgp locix_fra_rs2 from locix_fra { - description "LocIX FRA RS2"; +protocol bgp locix_fra_rs2 from locix_fra_v6 { + description "LocIX Frankfurt RS2"; - neighbor 2a07:1c44:61f0::dead:1; + neighbor 2001:7f8:f2:e1::dead:1; } -protocol bgp locix_fra_rs3 from locix_fra { - description "LocIX FRA RS3"; +protocol bgp locix_fra_rs3 from locix_fra_v6 { + description "LocIX Frankfurt RS3"; - neighbor 2a07:1c44:61f0::be5a; + neighbor 2001:7f8:f2:e1::be5a; } -protocol bgp locix_fra_ifog from locix_fra { - description "LocIX FRA iFog"; +protocol bgp locix_fra_ifog from locix_fra_v6 { + description "LocIX Frankfurt iFog"; - neighbor 2a07:1c44:61f0::a120:4927:1 as 34927; - - ipv6 { - preference 80; - }; + neighbor 2001:7f8:f2:e1:0:a120:4927:1 as 34927; } +protocol bgp locix_fra_as112 from locix_fra_v6 { + description "LocIX Frankfurt: AS112"; + + neighbor 2001:7f8:f2:e1::112 as 112; + + disabled yes; +} diff --git a/protocols/meerfarbig.conf b/protocols/meerfarbig.conf index de794cc..c23ee7d 100644 --- a/protocols/meerfarbig.conf +++ b/protocols/meerfarbig.conf 
@@ -1,15 +1,6 @@ -protocol bgp meerfarbig { +protocol bgp meerfarbig from ebgp_peer_v6 { description "meerfarbig"; - local 2a00:f820:457::2 as my_ripe_asn; + local 2a00:f820:457::2; neighbor 2a00:f820:457::1 as 34549; - - ipv6 { - table ebgp_v6; - - import keep filtered; - import filter ebgp_import_v6; - export filter ebgp_export_v6; - next hop self; - }; } diff --git a/protocols/static.conf b/protocols/static.conf index 0adee07..24e8642 100644 --- a/protocols/static.conf +++ b/protocols/static.conf @@ -27,8 +27,8 @@ protocol static static_v4 { reject; # Marienstrasse - route 192.168.178.0/24 - via 172.23.156.9; + #route 192.168.178.0/24 + # via 172.23.156.9; route 0.0.0.0/0 via 31.47.232.65; diff --git a/protocols/tunnelbroker_net.conf b/protocols/tunnelbroker_net.conf index 7544d1a..dc744ed 100644 --- a/protocols/tunnelbroker_net.conf +++ b/protocols/tunnelbroker_net.conf @@ -1,17 +1,20 @@ -protocol bgp tb_he1 { +protocol bgp tb_he1 from ebgp_peer_v6 { description "tunnelserver.net (Hurricane Electric)"; - local 2001:470:12:1ab::2 as my_ripe_asn; + local 2001:470:12:1ab::2; neighbor 2001:470:12:1ab::1 as 6939; ipv6 { - table ebgp_v6; preference 80; - import keep filtered; - import filter ebgp_import_v6; - export filter ebgp_export_v6; - }; + export filter { + bgp_path = prepend(bgp_path, my_ripe_asn); + bgp_path = prepend(bgp_path, my_ripe_asn); - multihop 10; + if ebgp_export_v6() then + accept; + else + reject; + }; + }; }