ROA with static protocol in BIRD 2

Maria Matějka maria.matejka at nic.cz
Tue Feb 25 09:54:14 CET 2020


Hello!

> I wonder if there's a good, full example about ROA with static protocol in
> BIRD 2. The following snippet is only for BIRD 1.x, right?
> 
> --- %< ---
> roa table roa {
>   roa 1.0.0.0/24 max 24 as 13335;
>   # […]
> }
> --- %< ---

Yes.

> Based on various snippets and half examples on the Internet, I've made this
> currently:
> 
> --- %< /etc/bird.conf %< ---
> # […]
> 
> roa4 table roa_v4;
> roa6 table roa_v6;
> include "/var/lib/rpki-client/bird2";
> 
> function reject_invalid_roa() {
>   if (force_roa_table_update > 0) then {
>     if (net.type = NET_IP4) then {
>       case roa_check(roa_v4, net, bgp_path.last) {
>         ROA_INVALID:
>           reject;
> #        ROA_VALID:
> #        ROA_UNKNOWN:
>       }
>     }
> 
>     if (net.type = NET_IP6) then {
>       case roa_check(roa_v6, net, bgp_path.last) {
>         ROA_INVALID:
>           reject;
> #        ROA_VALID:
> #        ROA_UNKNOWN:
>       }
>     }
>   }
> }
> 
> # […]
> --- %< /etc/bird.conf %< ---
> 
> Note that /var/lib/rpki-client/bird2 is generated on a regular base.
> 
> --- %< /var/lib/rpki-client/bird2 %< ---
> define force_roa_table_update = 1582237716;
> 
> protocol static {
>   roa4 { table roa_v4; };
> 
>   route 1.0.0.0/24 max 24 as 13335;
>   # […]
> }
> 
> protocol static {
>   roa6 { table roa_v6; };
> 
>   route 2001:200::/32 max 32 as 2500;
>   # […]
> }
> --- %< /var/lib/rpki-client/bird2 %< ---

Yes, this seems to be valid.

> This however raises the following questions for me:
> 
>  - Is this good style at all?

If you prefer this to dynamically loading data via the rpki protocol inside BIRD, yes.

>  - Should "roa4 table roa_v4; roa6 table roa_v6;" be moved to the include?

This is a matter of a local admin policy.

>  - To cover IPv4 and IPv6, I need two different tables and two different
>    static protocols, and there is no way using one table/channel, right?

Yes.

>  - Is "define force_roa_table_update = 1582237716;" still needed with BIRD
>    2.0.7 to ensure proper revalidation?

Yes. The autorevalidation is in code collision with ongoing structural changes
of route propagation inside BIRD, which are needed to allow proper multithreaded
execution and better utilization of hardware.

>  - Some use "bgp_path.last_nonaggregated", some "bgp_path.last". What is
>    more suitable here?

The latter. Last nonaggregated should be used if and only if you are sure that
there is an aggregate on the last position and you are also sure that it is OK
to have an aggregate there and you really need to know the value before it.

Don't use last_nonaggregated unless you really know what you're doing.

>  - Is "birdc configure soft && birdc reload in all" the only/best way?

Still yes, unfortunately; see my pre-previous answer.

Maria
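
An added example, not from this thread or from BIRD itself: a small Python model of the three `roa_check` outcomes the quoted filter switches on (RFC 6811 origin validation: no covering ROA is UNKNOWN, a covering ROA with matching origin AS and acceptable length is VALID, otherwise INVALID), plus a renderer for the two-protocol include file in the layout above. The ROA entries beyond the two quoted in the thread are constructed sample data, and `force_roa_table_update` is rendered from a caller-supplied timestamp.

```python
import ipaddress

# Constructed sample ROA table as (prefix, max_length, origin_as); not real RPKI data.
SAMPLE_ROAS = [
    ("1.0.0.0/24", 24, 13335),        # quoted in the thread
    ("2001:200::/32", 32, 2500),      # quoted in the thread
    ("10.0.0.0/8", 16, 64500),        # constructed: max length looser than prefix
]

ROA_VALID, ROA_INVALID, ROA_UNKNOWN = "ROA_VALID", "ROA_INVALID", "ROA_UNKNOWN"


def roa_check(roas, prefix, origin_as):
    """Mirror BIRD's roa_check(table, net, asn) per RFC 6811.

    Several ROAs may cover the same announcement; one matching ROA is enough
    for VALID. A covering ROA that does not match (wrong AS or prefix too
    specific) makes the route INVALID, and no covering ROA at all is UNKNOWN.
    """
    net = ipaddress.ip_network(prefix)
    covering = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covering = True
        if net.prefixlen <= max_len and asn == origin_as:
            return ROA_VALID
    return ROA_INVALID if covering else ROA_UNKNOWN


def bird2_static_config(roas, stamp):
    """Render the include file shown in the thread: one static protocol per
    address family, since a roa4 and a roa6 table cannot share one channel."""
    v4 = [r for r in roas if ipaddress.ip_network(r[0]).version == 4]
    v6 = [r for r in roas if ipaddress.ip_network(r[0]).version == 6]
    lines = [f"define force_roa_table_update = {stamp};", ""]
    for fam, table, entries in (("roa4", "roa_v4", v4), ("roa6", "roa_v6", v6)):
        lines += ["protocol static {", f"  {fam} {{ table {table}; }};", ""]
        lines += [f"  route {p} max {m} as {a};" for p, m, a in entries]
        lines += ["}", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(bird2_static_config(SAMPLE_ROAS, 1582237716))
    for route, asn in (("1.0.0.0/24", 13335), ("1.0.0.0/25", 13335), ("8.8.8.0/24", 15169)):
        print(route, asn, roa_check(SAMPLE_ROAS, route, asn))
```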
