Update bird/bird.conf.tmpl, bird/rpki/known_hosts, bird/rpki/hosts/denco_mane_lixo, README.md files

README.md

@@ -42,7 +42,10 @@ For options we expose here, for information see: https://bird.network.cz/?get_do
 
  * `bgp_path_metric`: Enable comparison of path lengths when deciding which BGP route is the best one (`0` or `1`): defaults to `1`
  * `bgp_aigp`: BGP AIGP state (`enable`, `disable`, or `originate`): defaults to `originate` (see BIRD documentation)
-
+ * `bgp_rpki_retry`: If RPKI cache data cannot be obtained, the time period in seconds between a failed query the next attempt.  Defaults to `90`.
+ * `bgp_rpki_refresh`: How long to wait in seconds before attempting to poll RPKI cache data after the last successful poll.  Defaults to `900`.
+ * `bgp_rpki_expire`: How long to keep any records locally cached before they are deleted.  Defaults to `172800` (2 days).
+ * `bgp_rpki_known_hosts`: The file path for the SSH key `known_hosts` file to use when validating remote RPKI hosts.  Defaults to `/etc/bird/rpki/known_hosts` (provided by Lixonet; don't change this unless you need to!).
 # Setup
 
 Prerequisites:

bird/bird.conf.tmpl

@@ -15,8 +15,38 @@ debug protocols all;    # Enable debugging (this should be switched off in prod)
 router id ${address};
 
 # Custom routing tables
-# See: https://bird.network.cz/?get_doc&v=20&f=bird-2.html (recommend; BIRD is neat)
-ipv4 table lixonet;
+# See: https://bird.network.cz/?get_doc&v=20&f=bird-2.html (recommended read)
+ipv4 table lixonet_v4;
+roa4 table r4; # ROA RPKI
+
+# RPKI
+# See: https://brooks.sh/2019/11/11/validating-bgp-routes-with-rpki-in-bird/
+protocol rpki {
+    roa4 { table r4; };
+
+    {{ range files "bird/rpki/hosts" }} {{ if ne . "${name}" }}# {{.}}
+    {{ file (print "bird/rpki/" .) }}
+    {{ end }}{{ end }}
+
+    # Time period in seconds between a failed query the next attempt
+    retry keep ${bgp_rpki_retry:-90};
+
+    # Tells how long to wait before attempting to poll the cache
+    refresh keep ${bgp_rpki_refresh:-900};
+
+    # How long to keep any records locally cached before they are deleted
+    # The "refresh" interval will control how often records are refreshed
+    # and not considered expired.
+    expire keep ${bgp_rpki_expire:-172800};
+
+    # Enable SSH transport, disable TCP transport (insecure)
+    port 22;
+    transport ssh {
+        remote public key "${bgp_rpki_known_hosts:-/etc/bird/rpki/known_hosts}";
+        #user "lixonet";
+        #bird private key "</path/to/id_rsa>";
+    };
+}
 
 # Filters
 # Define a series of filters for Lixonet routing policies:
@@ -24,10 +54,24 @@ ipv4 table lixonet;
 # See: https://gitlab.labs.nic.cz/labs/bird/wikis/BGP_filtering
 # For syntax docs, see: https://bird.network.cz/?get_doc&v=16&f=bird-5.html
 
+# Returns TRUE if the given prefix is found in a kept RPKI cache.
+# Returns FALSE if the given prefix is either,
+#  - Valid in the cached RPKI list, or
+#  - RPKI has not yet been established and the route cannot be validated
+# From BIRD documentation (https://bird.network.cz/?get_doc&v=20&f=bird-5.html):
+#   roa_check: Checks the current route (which should be from BGP to
+#   have AS_PATH argument) in the specified ROA table and returns
+#   ROA_UNKNOWN if there is no relevant ROA, ROA_VALID if there is
+#   a matching ROA, or ROA_INVALID if there are some relevant ROAs
+#   but none of them match.
+function is_rpki_invalid_v4 () {
+  return roa_check(r4, net, bgp_path.last_nonaggregated) = ROA_INVALID;
+}
+
 # Returns TRUE if the given tested network is within the global network prefix for
 # Lixonet.  Used to filter networks outside of this range as they are not within
 # the global mesh network.
-function is_lixonet_global()
+function is_lixonet_global_v4()
 {
     return net ~ [ ${network_address}/${global_prefix:-16}+ ];
 }
@@ -35,39 +79,39 @@ function is_lixonet_global()
 # Returns TRUE if the given tested network is within the router network prefix for
 # Lixonet.  Used to filter these routes from BGP as Tinc statically assigns them
 # for us.  Helps prevent a security vulnerability of hijacking another router.
-function is_lixonet_router()
+function is_lixonet_router_v4()
 {
     return net ~ [ ${network_address}/${router_prefix:-24}+ ];
 }
 
-function is_own_route()
+function is_own_route_v4()
 {
     {{ if len "${routes:-}" }}{{ range "$routes" | split "," }}if net ~ [ {{.}}+ ] then return true;
     {{ end }}{{ end }}
     return false;
 }
 
-filter bgp_import_filter
+filter bgp_import_filter_v4
 {
-    # TODO: check RPKI here!
     if source ~ [RTS_STATIC] then reject; # Reject our own routes
-    if is_lixonet_router() then reject; # Reject poisons
-    if is_own_route() then reject; # Reject poisons
-    if is_lixonet_global() then accept; # Accept anything else
+    if is_rpki_invalid_v4() then reject; # Reject posions
+    if is_lixonet_router_v4() then reject; # Reject poisons
+    if is_own_route_v4() then reject; # Reject poisons
+    if is_lixonet_global_v4() then accept; # Accept anything else
     reject; # Reject anything else (non-Lixonet)
 }
 
-filter bgp_export_filter
+filter bgp_export_filter_v4
 {
-    if is_lixonet_router() then reject; # Reject poisons
-    if is_lixonet_global() then accept; # Accept anything else
+    if is_lixonet_router_v4() then reject; # Reject poisons
+    if is_lixonet_global_v4() then accept; # Accept anything else
     reject; # Reject anything else (non-Lixonet)
 }
 
-filter kernel_export_filter
+filter kernel_export_filter_v4
 {
-    if is_own_route() then reject; # Reject poisons
-    if is_lixonet_global() then accept; # Accept anything else
+    if is_own_route_v4() then reject; # Reject poisons
+    if is_lixonet_global_v4() then accept; # Accept anything else
     reject; # Reject anything else (non-Lixonet)
 }
 
@@ -77,7 +121,7 @@ filter kernel_export_filter
 # See how dn42 does it; we're very similar: https://dn42.net/howto/Bird
 protocol static {
     ipv4 {
-        table lixonet;
+        table lixonet_v4;
         import all;
         export none;
     };
@@ -112,9 +156,9 @@ protocol kernel {               # Primary routing table
     persist;                # Don't remove routes on bird shutdown
     scan time 10;           # Scan kernel routing table every 10 seconds
     ipv4 {
-        table lixonet;
+        table lixonet_v4;
         import none;                        # Don't try to import any routes from the kernel
-        export filter kernel_export_filter; # Export everything we are told to the kernel
+        export filter kernel_export_filter_v4; # Export everything we are told to the kernel
     };
 };
 
@@ -137,7 +181,7 @@ template bgp lixonet_client {
 
     # BGP IPv4 channel settings
     ipv4 {
-        table lixonet;
+        table lixonet_v4;
 
         # Always advertise our own local address as a next hop, even in cases where the
         # current Next Hop attribute should be used unchanged.
@@ -155,15 +199,14 @@ template bgp lixonet_client {
         # Set filters for both exported (sent) and imported (received) BGP prefixes.
         # This is explicitly required per RFC 8212, at least on export.
         # See: https://gitlab.labs.nic.cz/labs/bird/commit/3831b619661d08d935fd78656732cd2f339ff811
-        export filter bgp_export_filter;
-        import filter bgp_import_filter;
+        export filter bgp_export_filter_v4;
+        import filter bgp_import_filter_v4;
     };
 };
 
 # Neighbors
-
 {{ range files "bird/neighbors" }} {{ if ne . "${name}" }}
 protocol bgp {{ . }} from lixonet_client {
     description "Lixonet BGP link from ${address} (ASN: ${asn}) to {{ . }}";
     {{ file (print "bird/neighbors/" .) }}
-}; {{ end }} {{ end }}
+};{{ end }}{{ end }}

bird/rpki/hosts/denco_mane_lixo

@@ -0,0 +1 @@
+remote 172.30.0.8 port 22