How to use ROA/RPKI?

Arnaud Fenioux afenioux at gmail.com
Wed Apr 10 16:22:11 CEST 2013


Hello all,


I would like to use ROA filtering on my bird setup to reject invalid
prefixes announced by my peers.

I know there is currently no easy way to bind bird to an RPKI validator,
right?

I have to create a table in my conf file with
"roa table roa_table_name"

I have read
(https://ripe65.ripe.net/presentations/191-BIRD-20120926-OF-RIPE-EIX.pdf)
that there is a way to populate this table dynamically.
How can I do that? "roa add" in the CLI?
Is there a way to flush the table?

I have also read (https://github.com/BIRD/bird/blob/master/filter/test.conf)
that I can use roa_check().

Can I do a filter like this?

protocol bgp my_peer {
        local as 65000;
        neighbor 192.0.2.1 as 65001;
        import filter peer_in;
}

filter peer_in {
        if roa_check(roa_table_name, net, bgp_path.last) = ROA_INVALID then reject;
        accept;
}


Cheers!
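
Added example, not part of the original post and not BIRD code: a small Python model of RFC 6811 origin validation, showing which routes a filter shaped like peer_in above would reject and that routes with no covering ROA are still accepted. The ROA entries are constructed from documentation prefixes and private AS numbers, and the function names simply mirror the post.

```python
import ipaddress

ROA_UNKNOWN, ROA_VALID, ROA_INVALID = "ROA_UNKNOWN", "ROA_VALID", "ROA_INVALID"

# Constructed ROA entries: (prefix, max length, origin AS). Not real RPKI data.
ROA_TABLE = [
    ("192.0.2.0/24", 24, 65001),
    ("198.51.100.0/24", 25, 65001),
]


def roa_check(roa_table, net, origin_as):
    """RFC 6811 validation state of one route against a list of ROAs."""
    route = ipaddress.ip_network(net)
    covered = False
    for prefix, max_len, asn in roa_table:
        roa_net = ipaddress.ip_network(prefix)
        # A ROA covers the route if the route lies inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Valid needs a matching origin AS and a length within max length.
        if asn == origin_as and route.prefixlen <= max_len:
            return ROA_VALID
    # Covered but never matched: invalid. Not covered at all: unknown.
    return ROA_INVALID if covered else ROA_UNKNOWN


def peer_in(roa_table, net, as_path):
    """Same decision as the posted filter: reject only ROA_INVALID."""
    # Last AS in the path is the origin; an empty path matches no ROA.
    origin = as_path[-1] if as_path else None
    state = roa_check(roa_table, net, origin)
    return ("reject" if state == ROA_INVALID else "accept", state)


if __name__ == "__main__":
    samples = [
        ("192.0.2.0/24", [65000, 65001]),    # matching origin and length
        ("192.0.2.0/24", [65001, 65002]),    # wrong origin AS
        ("192.0.2.128/25", [65001]),         # more specific than max length
        ("203.0.113.0/24", [65002]),         # no covering ROA
    ]
    for net, path in samples:
        print(net, path, peer_in(ROA_TABLE, net, path))
```

A filter that rejects only ROA_INVALID lets every ROA_UNKNOWN route through, so it gives no protection for prefixes that have no ROA at all.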