howto/Bird2.md
... ...
@@ -171,6 +171,50 @@ include "/etc/bird/peers/*";
171 171
172 172
The example config above relies on ROA configuration files in `/etc/bird/roa_dn42{,_v6}.conf`. These should be automatically downloaded and updated every so often to prevent BGP highjacking, [see the bird1 page](/howto/Bird#route-origin-authorization) for more details and links to the ROA files.
173 173
174
+# RPKI / RTR for ROA
175
+
176
+To use an RTR server for ROA information, replace this config in your bird2 configuration file:
177
+
178
+```
179
+protocol static {
180
+ roa4 { table dn42_roa; };
181
+ include "/etc/bird/roa_dn42.conf";
182
+};
183
+
184
+protocol static {
185
+ roa6 { table dn42_roa_v6; };
186
+ include "/etc/bird/roa_dn42_v6.conf";
187
+};
188
+```
189
+
190
+... with this one (by changing address and port so it points to your RTR server)
191
+
192
+```
193
+protocol rpki roa_dn42 {
194
+ roa4 { table dn42_roa; };
195
+ roa6 { table dn42_roa_v6; };
196
+ remote 10.1.3.3;
197
+ port 323;
198
+ refresh 600;
199
+ retry 300;
200
+ expire 7200;
201
+}
202
+```
203
+To reflect changes in the ROA table without a manual reload, **ADD** "import table" switch for both channels in your DN42 BGP template:
204
+
205
+```
206
+template bgp dnpeers {
207
+ ipv4 {
208
+ ...existing configuration
209
+ import table;
210
+ };
211
+ ipv6 {
212
+ ...existing configuration
213
+ import table;
214
+ };
215
+}
216
+```
217
+
174 218
# Setting up peers
175 219
176 220
Please note: This section assumes that you've already got a tunnel to your peering partner setup.
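Review bot: The `protocol rpki roa_dn42` block replaces the two file-backed `protocol static` ROA sources with a single `remote 10.1.3.3; port 323;` session, but the text does not say what happens when that RTR server is unreachable. With `expire 7200;` BIRD deletes the received records once it has been unable to refresh them for that long, so `dn42_roa` and `dn42_roa_v6` end up empty and `roa_check` lookups against them no longer return a valid result. Please add a sentence on that failure mode and on whether readers should monitor the session or keep a fallback. The block also sets no `transport`, so the session uses BIRD's default unprotected TCP; this is worth stating next to the "changing address and port" instruction so that readers only point it at a server reached over a path they trust. Two smaller points: in the `template bgp dnpeers` example, `...existing configuration` is not valid BIRD syntax and fails to parse if pasted, so write it as a comment (`# ...existing configuration`); and the "To reflect changes in the ROA table" paragraph follows the closing fence with no blank line, unlike the other paragraphs in this section.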