6a52fac16a3ea6b1aa69c7762a15ad271994385d
howto/OpenBGPD.md
| ... | ... | @@ -79,7 +79,7 @@ Allow own announcements: |
| 79 | 79 | allow to ebgp prefix-set kn large-community $ASN:1:1 |
| 80 | 80 | ``` |
| 81 | 81 | |
| 82 | -Allow all remaining UPDATES based on __O_rigin __V__alidation __S__tates: |
|
| 82 | +Allow all remaining UPDATES based on **O**rigin **V**alidation **S**tates: |
|
| 83 | 83 | ``` |
| 84 | 84 | # enforce ROA |
| 85 | 85 | allow from ebgp ovs valid |
| ... | ... | @@ -106,5 +106,26 @@ match from AS $A-ASN set { nexthop $A-remote } |
| 106 | 106 | ``` |
| 107 | 107 | |
| 108 | 108 | # ROA |
| 109 | +OpenBSD ships with [**rpki-client(8)**](http://man.openbsd.org/rpki-client.8) which nicely integrates with **bgpd**. |
|
| 110 | +Since DN42 emulates an IRR WHOIS service through the registry repository instead of providing an RPKI repository, this cool cannot be used. |
|
| 111 | + |
|
| 112 | +Instead, a shell script parses route objects from the registry repository and generates a `roa-set { ... }` block that is to be included in the main configuration file. |
|
| 113 | + |
|
| 114 | +One single `roa-set` may be defined, against which **bgpd** will validate the origin of each prefix; this allows filter rules to use the `ovs` keyword as demonstrated above. |
|
| 115 | + |
|
| 116 | +`/etc/dn42.roa-set` is the generated set: |
|
| 117 | +``` |
|
| 118 | +roa-set { |
|
| 119 | + fd00:12:34::/48 source-as 4242421234 |
|
| 120 | + fd00:ab:cd::/44 maxlen 64 source-as 4242427890 |
|
| 121 | + ... |
|
| 122 | +} |
|
| 123 | +``` |
|
| 124 | + |
|
| 125 | +Include it in `/etc/bgpd.conf`: |
|
| 126 | +``` |
|
| 127 | +# defines roat-set, see _rpki-client crontab |
|
| 128 | +include "/etc/dn42.roa-set" |
|
| 129 | +``` |
|
| 109 | 130 | |
| 110 | 131 | # Looking glass |
| ... | ... | \ No newline at end of file |
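Review bot: two typos in the added text should be fixed before merge: "this cool cannot be used" (line 110) should read "this tool cannot be used", and the comment `# defines roat-set` (line 127) should read `# defines roa-set`. Beyond that, the section depends on a shell script that is neither named nor linked (line 112: "a shell script parses route objects from the registry repository"), and the include comment refers to a "_rpki-client crontab" right after the text says rpki-client cannot be used here; name the script, say where it lives, and state explicitly that the crontab entry runs that script (as the `_rpki-client` user, if that is the intent) so readers do not assume rpki-client itself is involved. Finally, since `include "/etc/dn42.roa-set"` makes the whole configuration depend on a generated file, it is worth documenting what happens when generation fails or the file is missing (a config that fails to parse versus a stale `roa-set` that silently keeps old validation state), and recommending a `bgpd -n` check before any reload triggered from the crontab.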