Hello, the RPKI documentation section has an RPKI ROV example using an IPv4-specific filter: https://bird.network.cz/?get_doc&v=20&f=bird-6.html#ss6.13
    roa4 table r4;
    roa6 table r6;

    protocol rpki {
      debug all;

      roa4 { table r4; };
      roa6 { table r6; };

      # Please, do not use rpki-validator.realmv6.org in production
      remote "rpki-validator.realmv6.org" port 8282;

      retry keep 5;
      refresh keep 30;
      expire 600;
    }

    filter peer_in_v4 {
      if (roa_check(r4, net, bgp_path.last) = ROA_INVALID) then {
        print "Ignore invalid ROA ", net, " for ASN ", bgp_path.last;
        reject;
      }
      accept;
    }

    protocol bgp {
      debug all;
      local as 65000;
      neighbor 192.168.2.1 as 65001;
      ipv4 {
        import filter peer_in_v4;
        export none;
      };
    }
We use a transit_in filter that checks the net.type to decide which roa_check parameter to use:
    filter transit_in {
      reject_bogon_asns();
      reject_small_prefixes();
      reject_bogon_prefixes();
      reject_long_aspaths();
      reject_default_route();
      enforce_neighbor_asn();
      reject_our_networks();

      if (net.type = NET_IP4) then {
        if (roa_check(r4, net, bgp_path.last) = ROA_INVALID) then {
          print "Reject RPKI INVALID announcement ", net, " by AS", bgp_path.last;
          reject;
        }
      } else {
        if (roa_check(r6, net, bgp_path.last) = ROA_INVALID) then {
          print "Reject RPKI INVALID announcement ", net, " by AS", bgp_path.last;
          reject;
        }
      }

      accept;
    }
Is this significantly less efficient than having separate IPv4/6 filters that do not need that additional if (net.type = .. ) check? Or does it not really matter? If possible I'd prefer a single filter that can be applied to IPv4 and IPv6 BGP sessions.

Thanks,
Christoph
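An added worked example, not code from Christoph's post or from BIRD: it models what the roa_check() calls in the combined transit_in filter decide (RFC 6811 origin validation: VALID / INVALID / UNKNOWN), with one ROA table per address family and a single family-agnostic decision function that picks the table the same way the filter's net.type = NET_IP4 branch picks r4 or r6. The ROA tables R4 and R6, the prefixes and the ASNs are constructed for the example (documentation prefixes, private ASNs); the function names transit_in and roa_check are mine. It models the validation outcome only, not BIRD's filter execution cost, so it says nothing about the efficiency question.

```python
"""Added example, not code from the bird-users post or from BIRD itself.

Models the ROA_VALID / ROA_INVALID / ROA_UNKNOWN outcome of BIRD's
roa_check() (RFC 6811 prefix origin validation) with one ROA table per
address family, and a single family-agnostic decision function that
dispatches on the prefix family the way the post's transit_in filter
dispatches on net.type. ROA contents are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

ROA_VALID = "ROA_VALID"
ROA_INVALID = "ROA_INVALID"
ROA_UNKNOWN = "ROA_UNKNOWN"

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Roa:
    prefix: Network   # covered prefix as published in the ROA
    max_len: int      # longest announced prefix length the ROA authorises
    asn: int          # authorised origin AS


def roa_check(table: List[Roa], net: Network, asn: int) -> str:
    """RFC 6811 origin validation of (net, asn) against one ROA table.

    The table must hold ROAs of net's own address family (as BIRD's
    roa4/roa6 tables do); subnet_of() rejects mixed families.
    """
    covering = [r for r in table if net.subnet_of(r.prefix)]
    if not covering:
        return ROA_UNKNOWN          # no ROA covers this prefix at all
    for r in covering:
        if r.asn == asn and net.prefixlen <= r.max_len:
            return ROA_VALID        # a covering ROA matches origin AS and length
    return ROA_INVALID              # covered, but no ROA authorises this announcement


# Constructed ROA tables standing in for BIRD's roa4/roa6 tables r4 and r6
# (documentation prefixes and private ASNs; not real RPKI data).
R4: List[Roa] = [Roa(ipaddress.ip_network("192.0.2.0/24"), 24, 64496)]
R6: List[Roa] = [Roa(ipaddress.ip_network("2001:db8::/32"), 48, 64496)]


def transit_in(net_str: str, last_asn: int) -> Tuple[str, str]:
    """Single filter for both families: pick the table by family, reject INVALID.

    Returns (decision, roa_state), mirroring the post's filter, which
    rejects only ROA_INVALID and accepts both VALID and UNKNOWN routes.
    """
    net = ipaddress.ip_network(net_str)
    table = R4 if net.version == 4 else R6   # the net.type = NET_IP4 branch
    state = roa_check(table, net, last_asn)
    if state == ROA_INVALID:
        return ("reject", state)
    return ("accept", state)


if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("192.0.2.0/24", 64497), ("198.51.100.0/24", 64496),
                        ("2001:db8:1::/48", 64496), ("2001:db8:1::/64", 64496)]:
        print(prefix, "AS" + str(asn), transit_in(prefix, asn))
```

The cases in the main block cover the three outcomes that matter for a reject-INVALID policy: a too-long announcement (/25 under a maxLength-24 ROA) and a wrong origin AS are both INVALID and dropped, a prefix with no covering ROA at all is UNKNOWN and passes, and the same logic applies unchanged to the IPv6 table.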