6a52fac16a3ea6b1aa69c7762a15ad271994385d
howto/OpenBGPD.md
... | ... | @@ -79,7 +79,7 @@ Allow own announcements: |
79 | 79 | allow to ebgp prefix-set kn large-community $ASN:1:1 |
80 | 80 | ``` |
81 | 81 | |
82 | -Allow all remaining UPDATES based on __O_rigin __V__alidation __S__tates: |
|
82 | +Allow all remaining UPDATES based on **O**rigin **V**alidation **S**tates: |
|
83 | 83 | ``` |
84 | 84 | # enforce ROA |
85 | 85 | allow from ebgp ovs valid |
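Review bot: the replacement at line 82 is the right fix; the old `__O_rigin __V__alidation __S__tates` mixes a single and a double underscore around `O`, so the emphasis never closed correctly and underscore emphasis inside a word is not reliably rendered anyway, while `**O**rigin **V**alidation **S**tates` renders as intended. One style suggestion for the same line: spell the acronym out once, e.g. "Origin Validation State (OVS)", so the `ovs` keyword in the rule that follows (`allow from ebgp ovs valid`) is immediately tied to the term, and "UPDATES" reads more clearly as "UPDATE messages".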
... | ... | @@ -106,5 +106,26 @@ match from AS $A-ASN set { nexthop $A-remote } |
106 | 106 | ``` |
107 | 107 | |
108 | 108 | # ROA |
109 | +OpenBSD ships with [**rpki-client(8)**](http://man.openbsd.org/rpki-client.8) which nicely integrates with **bgpd**. |
|
110 | +Since DN42 emulates an IRR WHOIS service through the registry repository instead of providing an RPKI repository, this cool cannot be used. |
|
111 | + |
|
112 | +Instead, a shell script parses route objects from the registry repository and generates a `roa-set { ... }` block that is to be included in the main configuration file. |
|
113 | + |
|
114 | +One single `roa-set` may be defined, against which **bgpd** will validate the origin of each prefix; this allows filter rules to use the `ovs` keyword as demonstrated above. |
|
115 | + |
|
116 | +`/etc/dn42.roa-set` is the generated set: |
|
117 | +``` |
|
118 | +roa-set { |
|
119 | + fd00:12:34::/48 source-as 4242421234 |
|
120 | + fd00:ab:cd::/44 maxlen 64 source-as 4242427890 |
|
121 | + ... |
|
122 | +} |
|
123 | +``` |
|
124 | + |
|
125 | +Include it in `/etc/bgpd.conf`: |
|
126 | +``` |
|
127 | +# defines roat-set, see _rpki-client crontab |
|
128 | +include "/etc/dn42.roa-set" |
|
129 | +``` |
|
109 | 130 | |
110 | 131 | # Looking glass |
... | ... | \ No newline at end of file |
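Review bot: two typos in the added text: line 110 says "this cool cannot be used" where "this tool" is meant, and the comment on line 127 misspells the keyword as `roat-set` (should be `roa-set`, matching the block on line 118). Beyond that, the section is missing the piece it refers to: line 112 says "a shell script" generates the set and line 127 points to a `_rpki-client crontab`, but neither the script's location nor the cron entry is shown, so a reader cannot reproduce the setup; please name the script path and the schedule, and say explicitly that the `_rpki-client` user is being reused for the registry script even though rpki-client(8) itself is not (line 110 otherwise reads as a contradiction of line 127). The regeneration step should also state that bgpd has to pick up the new file (`bgpctl reload`), and it is worth recommending a `bgpd -n` config check before the reload, because a malformed generated `/etc/dn42.roa-set` is pulled in by the `include` on line 128 and would make the whole configuration fail to load, leaving the `ovs` filter rules without a valid set. Minor: the file now ends without a trailing newline.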