[patch] add 'source address' configuration option to RPKI protocols

Job Snijders job at fastly.com
Wed Feb 21 19:14:18 CET 2024 

Dear BIRD team,

Greetings from Amsterdam!

I'd like to be able to explicitly configure the source IP address for
RPKI-To-Router sessions. Predictable source addresses are useful for
minimizing the holes to be poked in ACLs. The below changeset adds a
'source address' configuration option to RPKI protocols.

Kind regards,

Job

diff --git doc/bird.sgml doc/bird.sgml
index 76ca7f75..a271d47e 100644
--- doc/bird.sgml
+++ doc/bird.sgml
@@ -5700,6 +5700,7 @@ protocol rpki [<name>] {
         refresh [keep] <num>;
         retry [keep] <num>;
         expire [keep] <num>;
+        source address <ip>;
         transport tcp;
         transport ssh {
                 bird private key "</path/to/id_rsa>";
@@ -5753,6 +5754,9 @@ specify both channels.
 	instead. This may be useful for implementing loose RPKI check for
 	blackholes. Default: disabled.
 
+        <tag>source address <m/ip/</tag>
+        Define local address we should use as a source address for the RTR session.
+
         <tag>transport tcp</tag> Unprotected transport over TCP. It's a default
         transport. Should be used only on secure private networks.
         Default: tcp
diff --git proto/rpki/config.Y proto/rpki/config.Y
index c28cab7a..31656057 100644
--- proto/rpki/config.Y
+++ proto/rpki/config.Y
@@ -32,7 +32,7 @@ rpki_check_unused_transport(void)
 CF_DECLS
 
 CF_KEYWORDS(RPKI, REMOTE, BIRD, PRIVATE, PUBLIC, KEY, TCP, SSH, TRANSPORT, USER,
-	    RETRY, REFRESH, EXPIRE, KEEP, IGNORE, MAX, LENGTH)
+	    RETRY, REFRESH, EXPIRE, KEEP, IGNORE, MAX, LENGTH, SOURCE, ADDRESS)
 
 %type <i> rpki_keep_interval
 
@@ -60,6 +60,7 @@ rpki_proto_item:
  | REMOTE rpki_cache_addr
  | REMOTE rpki_cache_addr rpki_proto_item_port
  | rpki_proto_item_port
+ | SOURCE ADDRESS ipa { RPKI_CFG->local_ip = $3; }
  | TRANSPORT rpki_transport
  | REFRESH rpki_keep_interval expr {
      if (rpki_check_refresh_interval($3))
diff --git proto/rpki/rpki.h proto/rpki/rpki.h
index 8a5c38fd..e67eb0e3 100644
--- proto/rpki/rpki.h
+++ proto/rpki/rpki.h
@@ -116,6 +116,7 @@ struct rpki_proto {
 struct rpki_config {
   struct proto_config c;
   const char *hostname;			/* Full domain name or stringified IP address of cache server */
+  ip_addr local_ip;			/* Source address to use */
   ip_addr ip;				/* IP address of cache server or IPA_NONE */
   u16 port;				/* Port number of cache server */
   struct rpki_tr_config tr_config;	/* Specific transport configuration structure */
diff --git proto/rpki/transport.c proto/rpki/transport.c
index 81bd6dd8..26571977 100644
--- proto/rpki/transport.c
+++ proto/rpki/transport.c
@@ -82,6 +82,7 @@ rpki_tr_open(struct rpki_tr_sock *tr)
   sk->daddr = cf->ip;
   sk->dport = cf->port;
   sk->host = cf->hostname;
+  sk->saddr = cf->local_ip;
   sk->rbsize = RPKI_RX_BUFFER_SIZE;
   sk->tbsize = RPKI_TX_BUFFER_SIZE;
   sk->tos = IP_PREC_INTERNET_CONTROL;

More information about the Bird-users mailing list