<div dir="ltr">Thank you for your rep<font face="arial, sans-serif"><span style="white-space:nowrap">ly, Ondrej,</span></font><div><font face="arial, sans-serif"><span style="white-space:nowrap"><br></span></font></div><div style>
<div><font face="arial, sans-serif"><span style="white-space:nowrap">I tried the filter as you mentioned; all is working fine.</span></font></div><div><font face="arial, sans-serif"><span style="white-space:nowrap">I made a bash script that imports into a ROA table.</span></font></div>
</div><div style><font face="arial, sans-serif"><span style="white-space:nowrap"><br></span></font></div><div style><font face="arial, sans-serif"><span style="white-space:nowrap">all right!</span></font></div><div style>
<font face="arial, sans-serif"><span style="white-space:nowrap"><br></span></font></div><div style><font face="arial, sans-serif"><span style="white-space:nowrap">Thank you!</span></font></div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Wed, Apr 10, 2013 at 5:43 PM, Ondrej Zajicek <span dir="ltr"><<a href="mailto:santiago@crfreenet.org" target="_blank">santiago@crfreenet.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Wed, Apr 10, 2013 at 04:22:11PM +0200, Arnaud Fenioux wrote:<br>
> Hello all,<br>
<br>
Hello<br>
<div class="im"><br>
> I would like to use ROA filtering on my bird setup to reject invalid<br>
> prefixes announced by my peers.<br>
><br>
> I know there is currently no easy way to bind bird to an RPKI validator,<br>
> right?<br>
<br>
</div>Yes<br>
<div class="im"><br>
> I have to create a table in my conf file with<br>
> "roa table roa_table_name"<br>
<br>
</div>Yes<br>
<br>
> I have read (<br>
<div class="im">> <a href="https://ripe65.ripe.net/presentations/191-BIRD-20120926-OF-RIPE-EIX.pdf" target="_blank">https://ripe65.ripe.net/presentations/191-BIRD-20120926-OF-RIPE-EIX.pdf</a>) there<br>
> is a way to populate dynamically this table.<br>
> How can I do that? "roa add" in cli?<br>
> Is there a way to flush the table?<br>
<br>
</div>These commands in CLI:<br>
<br>
show roa ...<br>
add roa ...<br>
delete roa ...<br>
flush roa ...<br>
<br>
See <a href="http://bird.network.cz/?get_doc&f=bird-4.html" target="_blank">http://bird.network.cz/?get_doc&f=bird-4.html</a><br>
(Also try '?' in CLI for interactive help)<br>
<br>
A second alternative is to populate the ROA table statically: generate<br>
the configuration for the ROA table with the specified ROA entries and call<br>
'configure' after each change. You could keep the content of the ROA table in a<br>
separate (generated) config and include it from the main config file.<br>
<div class="im"><br>
> Can I do a filter like this?<br>
><br>
> protocol bgp my_peer {<br>
> local as 65000;<br>
> neighbor 192.0.2.1 as 65001;<br>
> import filter peer_in;<br>
> }<br>
><br>
> filter peer_in {<br>
> if roa_check(roa_table_name, net, bgp_path.last) = ROA_INVALID then reject;<br>
> accept;<br>
> }<br>
<br>
</div>This should work, but I would suggest adding 'print' for logging:<br>
<br>
{<br>
if ... then { print "ROA check failed for ", net, " ASN ", bgp_path.last; reject; }<br>
accept;<br>
}<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
--<br>
Elen sila lumenn' omentielvo<br>
<br>
Ondrej 'SanTiago' Zajicek (email: <a href="mailto:santiago@crfreenet.org">santiago@crfreenet.org</a>)<br>
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, <a href="http://wwwkeys.pgp.net" target="_blank">wwwkeys.pgp.net</a>)<br>
"To err is human -- to blame it on a computer is even more so."<br>
</font></span><br>
<br></blockquote></div><br></div>
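As an added example (not from the thread and not BIRD's own tooling), here is a small shell script in the spirit of Arnaud's import script: it turns a constructed ROA list into both a generated "roa table" config fragment for the static approach Ondrej describes and the "flush roa"/"add roa" CLI commands for the dynamic one. The BIRD 1.x statement syntax `roa <prefix> max <len> as <asn>`, the CLI `table` option and the table name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Converts a ROA list with one
# "prefix,maxlen,asn" entry per line into (a) a BIRD 1.x "roa table" block
# that can be included from bird.conf and activated with "birdc configure",
# or (b) birdc commands that flush and re-add the table's entries.
# Assumed syntax: roa <prefix> max <len> as <asn> (config) and
# add roa ... table <name> / flush roa table <name> (CLI).

# Constructed sample input; a real script would read validator output.
SAMPLE_ROAS='192.0.2.0/24,24,65001
198.51.100.0/22,24,65002
bad line without fields
203.0.113.0/24,24,65003'

# Keep only lines of the form prefix,maxlen,asn; anything else is dropped
# so a malformed validator line cannot produce a broken config statement.
valid_roas() {
    grep -E '^[0-9a-fA-F.:]+/[0-9]+,[0-9]+,[0-9]+$'
}

# Emit a complete "roa table <name> { ... }" block for bird.conf.
roa_config() {
    name=$1
    printf 'roa table %s {\n' "$name"
    valid_roas | awk -F, '{ printf "  roa %s max %s as %s;\n", $1, $2, $3 }'
    printf '}\n'
}

# Emit birdc commands: flush the table first, then add every entry, so the
# CLI-populated table ends up mirroring the current list exactly.
roa_cli() {
    name=$1
    printf 'flush roa table %s\n' "$name"
    valid_roas | awk -F, -v t="$name" \
        '{ printf "add roa %s max %s as %s table %s\n", $1, $2, $3, t }'
}

# Stand-alone run: show both forms for the sample list.
printf '%s\n' "$SAMPLE_ROAS" | roa_config roa_table_name
printf '%s\n' "$SAMPLE_ROAS" | roa_cli roa_table_name
```

The CLI form would be fed to birdc (for example `roa_cli roa_table_name | birdc`); the config form is written to a file that bird.conf includes.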