On Wed, Apr 10, 2013 at 04:22:11PM +0200, Arnaud Fenioux wrote:
> Hello all,

Hello

> I would like to use ROA filtering on my bird setup to reject invalid
> prefixes announced by my peers.
> 
> I know there is currently no easy way to bind bird to an RPKI validator,
> right?

Yes

> I have to create a table in my conf file with
> "roa table roa_table_name"

Yes

> I have read (
> https://ripe65.ripe.net/presentations/191-BIRD-20120926-OF-RIPE-EIX.pdf) there
> is a way to populate dynamically this table.
> How can I do that? "roa add" in cli?
> Is there a way to flush the table?

These commands in CLI:

show roa ...
add roa ...
delete roa ...
flush roa ...

See http://bird.network.cz/?get_doc&f=bird-4.html
(Also try '?' in CLI for interactive help)

A second alternative is to populate the ROA table statically: generate
configuration for the ROA table with the specified ROA entries and call
'configure' after each change. You could keep the content of the ROA table
in a separate (generated) config file and include it from the main config file.

> Can I do a filter like this?
> 
> protocol bgp my_peer {
>   local as 65000;
>   neighbor 192.0.2.1 as 65001;
>   import filter peer_in;
> }
> 
> filter peer_in {
>   if roa_check(roa_table_name, net, bgp_path.last) = ROA_INVALID then reject;
>   accept;
> }

This should work, but I would suggest adding 'print' for logging:

{
  if ... then { print "ROA check failed for ", net, " ASN ", bgp_path.last; reject; }
  accept;
}


-- 
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: [email protected])
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
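As an added example (not code from this thread or from the BIRD project), the following Python script shows the "generated config" approach described above together with what the filter's roa_check() decides. It parses a constructed validator export (the {"roas": [{"asn", "prefix", "maxLength"}]} JSON shape is assumed), renders the static "roa table" block to include from bird.conf, renders the equivalent "flush roa"/"add roa" CLI commands for a running daemon, and implements RFC 6811 origin validation in Python so the ROA_VALID / ROA_INVALID / ROA_UNKNOWN outcome can be checked before it is wired into the filter. The table name roa_table_name and the sample prefixes are assumptions for illustration.

```python
"""Build a BIRD 1.x ROA table from a validator export and check origins.

Added example for the mailing-list discussion above; not BIRD's own code.
"""
import ipaddress
import json
import re

# Constructed sample export in the JSON shape many RPKI validators emit
# (assumption; adapt the keys to whatever your validator actually produces).
SAMPLE_EXPORT = json.dumps({"roas": [
    {"asn": "AS65001", "prefix": "192.0.2.0/24", "maxLength": 24},
    {"asn": "AS65002", "prefix": "198.51.100.0/22", "maxLength": 24},
    {"asn": "AS65003", "prefix": "2001:db8::/32", "maxLength": 48},
]})


def parse_roas(text):
    """Return a list of (network, maxlen, asn) tuples from the export.

    Every field is validated: a malformed ROA is worse than a missing one,
    because it would silently leave a prefix unprotected or misclassified.
    """
    roas = []
    for entry in json.loads(text)["roas"]:
        m = re.fullmatch(r"(?:AS)?(\d+)", str(entry["asn"]))
        if not m:
            raise ValueError("bad ASN: %r" % (entry["asn"],))
        asn = int(m.group(1))
        net = ipaddress.ip_network(entry["prefix"], strict=True)
        maxlen = int(entry.get("maxLength", net.prefixlen))
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError("bad maxLength %d for %s" % (maxlen, net))
        roas.append((net, maxlen, asn))
    return roas


def bird_roa_table(roas, table="roa_table_name"):
    """Render the static 'roa table' block to be included from bird.conf."""
    lines = ["roa table %s {" % table]
    lines += ["  roa %s max %d as %d;" % (net, maxlen, asn)
              for net, maxlen, asn in roas]
    lines.append("}")
    return "\n".join(lines) + "\n"


def birdc_commands(roas, table="roa_table_name"):
    """Render CLI commands that rebuild the table in a running bird.

    The table is flushed first so withdrawn ROAs do not linger.
    """
    cmds = ["flush roa table %s" % table]
    cmds += ["add roa %s max %d as %d table %s" % (net, maxlen, asn, table)
             for net, maxlen, asn in roas]
    return cmds


def peer_in_filter(table="roa_table_name"):
    """Render the import filter from the thread, with the suggested print."""
    return (
        "filter peer_in {\n"
        "  if roa_check(%s, net, bgp_path.last) = ROA_INVALID then {\n"
        "    print \"ROA check failed for \", net, \" ASN \", bgp_path.last;\n"
        "    reject;\n"
        "  }\n"
        "  accept;\n"
        "}\n" % table
    )


def roa_check(roas, prefix, asn):
    """RFC 6811 origin validation, mirroring what BIRD's roa_check() returns.

    VALID   - some covering ROA matches the origin ASN and allows the length.
    INVALID - covering ROAs exist but none matches (wrong ASN or too long).
    UNKNOWN - no ROA covers the prefix at all.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for rnet, maxlen, rasn in roas:
        if rnet.version == net.version and net.subnet_of(rnet):
            covered = True
            if rasn == asn and net.prefixlen <= maxlen:
                return "ROA_VALID"
    return "ROA_INVALID" if covered else "ROA_UNKNOWN"


if __name__ == "__main__":
    roas = parse_roas(SAMPLE_EXPORT)
    print(bird_roa_table(roas))
    print("\n".join(birdc_commands(roas)))
    print(peer_in_filter())
    for p, a in [("192.0.2.0/24", 65001), ("198.51.100.0/25", 65002),
                 ("203.0.113.0/24", 65001)]:
        print(p, a, roa_check(roas, p, a))
```

Write the output of bird_roa_table() to a file that bird.conf includes, then run "configure"; or feed birdc_commands() to birdc line by line. Note that the filter only rejects ROA_INVALID: ROA_UNKNOWN prefixes (the large majority on the Internet today) are still accepted, which is the usual deployment choice.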
