cb8989b67116532af43499b7b3fbd6fcc3472adc
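--- a/howto/Bird2.md
+++ b/howto/Bird2.md
@@ -171,6 +171,50 @@ include "/etc/bird/peers/*";
 
 The example config above relies on ROA configuration files in `/etc/bird/roa_dn42{,_v6}.conf`. These should be automatically downloaded and updated every so often to prevent BGP highjacking, [see the bird1 page](/howto/Bird#route-origin-authorization) for more details and links to the ROA files.
 
+# RPKI / RTR for ROA
+
+To use an RTR server for ROA information, replace this config in your bird2 configuration file:
+
+```
+protocol static {
+ roa4 { table dn42_roa; };
+ include "/etc/bird/roa_dn42.conf";
+};
+
+protocol static {
+ roa6 { table dn42_roa_v6; };
+ include "/etc/bird/roa_dn42_v6.conf";
+};
+```
+
+... with this one (by changing address and port so it points to your RTR server)
+
+```
+protocol rpki roa_dn42 {
+ roa4 { table dn42_roa; };
+ roa6 { table dn42_roa_v6; };
+ remote 10.1.3.3;
+ port 323;
+ refresh 600;
+ retry 300;
+ expire 7200;
+}
+```
+To reflect changes in the ROA table without a manual reload, **ADD** "import table" switch for both channels in your DN42 BGP template:
+
+```
+template bgp dnpeers {
+ ipv4 {
+ ...existing configuration
+ import table;
+ };
+ ipv6 {
+ ...existing configuration
+ import table;
+ };
+}
+```
+
 # Setting up peers
 
 Please note: This section assumes that you've already got a tunnel to your peering partner setup.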