f947da485fc3b6d7f0903615767ab4d22d9b9bd3
  howto/Bird2.md
			| ... | ... | @@ -4,6 +4,13 @@ This guide is similar to the normal [Bird](/howto/Bird) guide in that it provide | 
| 4 | 4 | |
| 5 | 5 |  The `extra/bird` package in the arch repositories will usually have a relatively recent version and there is (usually) no need for a manual install over the usual `# pacman -S bird`. | 
| 6 | 6 | |
| 7 | +# Bird2 Version <2.0.8 / Debian | |
| 8 | + | |
| 9 | +Please note, that Bird2 versions before 2.0.8 don't support IPv6 extended nexthops for IPv4 destinations (https://bird.network.cz/pipermail/bird-users/2020-April/014412.html). | |
| 10 | +Additionally Bird2 before 2.0.8 cannot automatically update filtered bgp routes when an used RPKI source changes. | |
| 11 | + | |
| 12 | +Debian 11 Bullseye delivers Bird 2.0.7. But you can use the Debian Bullseye backport-repository which provides version 2.0.8 (see https://backports.debian.org/Instructions/ for adding backports repository and install packages from the repository). | |
| 13 | + | |
| 7 | 14 |  # Example configuration | 
| 8 | 15 | |
| 9 | 16 |  Please note: This example configuration is made for use with IPv4 and IPv6 (Really, there is no excuse not to get started with IPv6 networking! :) ) | 
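Review bot: the new paragraph block has grammar slips that should be fixed before merge: "Please note, that" should drop the comma, "an used RPKI source" should read "a used RPKI source", and "for adding backports repository and install packages" should read "for adding the backports repository and installing packages". Separately, the second sentence ("cannot automatically update filtered bgp routes when an used RPKI source changes") is the one claim in this hunk with no reference, while the extended-nexthop sentence links the list thread; since this is the limitation that motivates the `import table` advice added later in this file, a link to the 2.0.8 changelog entry or the relevant bird-users thread would let readers verify it and check whether their distro version is affected.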
| ... | ... | @@ -171,6 +178,50 @@ include "/etc/bird/peers/*"; | 
| 171 | 178 | |
| 172 | 179 |  The example config above relies on ROA configuration files in `/etc/bird/roa_dn42{,_v6}.conf`. These should be automatically downloaded and updated every so often to prevent BGP highjacking, [see the bird1 page](/howto/Bird#route-origin-authorization) for more details and links to the ROA files.  | 
| 173 | 180 | |
| 181 | +# RPKI / RTR for ROA | |
| 182 | + | |
| 183 | +To use an RTR server for ROA information, replace this config in your bird2 configuration file: | |
| 184 | + | |
| 185 | +``` | |
| 186 | +protocol static { | |
| 187 | +    roa4 { table dn42_roa; }; | |
| 188 | +    include "/etc/bird/roa_dn42.conf"; | |
| 189 | +}; | |
| 190 | + | |
| 191 | +protocol static { | |
| 192 | +    roa6 { table dn42_roa_v6; }; | |
| 193 | +    include "/etc/bird/roa_dn42_v6.conf"; | |
| 194 | +}; | |
| 195 | +``` | |
| 196 | + | |
| 197 | +... with this one (by changing address and port so it points to your RTR server) | |
| 198 | + | |
| 199 | +``` | |
| 200 | +protocol rpki roa_dn42 { | |
| 201 | +        roa4 { table dn42_roa; }; | |
| 202 | +        roa6 { table dn42_roa_v6; }; | |
| 203 | +        remote 10.1.3.3; | |
| 204 | +        port 323; | |
| 205 | +        refresh 600; | |
| 206 | +        retry 300; | |
| 207 | +        expire 7200; | |
| 208 | +} | |
| 209 | +``` | |
| 210 | +To reflect changes in the ROA table without a manual reload, **ADD** "import table" switch for both channels in your DN42 BGP template: | |
| 211 | + | |
| 212 | +``` | |
| 213 | +template bgp dnpeers { | |
| 214 | +  ipv4 { | |
| 215 | +    ...existing configuration | |
| 216 | +    import table; | |
| 217 | +  }; | |
| 218 | +  ipv6 { | |
| 219 | +    ...existing configuration | |
| 220 | +    import table; | |
| 221 | +  }; | |
| 222 | +} | |
| 223 | +``` | |
| 224 | + | |
| 174 | 225 |  # Setting up peers | 
| 175 | 226 | |
| 176 | 227 |  Please note: This section assumes that you've already got a tunnel to your peering partner setup. | 
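Review bot: the `protocol rpki` example (`remote 10.1.3.3; port 323;`) sets up a plain TCP RTR session with no transport protection, and the surrounding text should say so: the ROA feed is a security-critical input, because whoever can tamper with that session can make valid prefixes look invalid (dropping legitimate routes) or invalid ones look valid, so the RTR server must be reached over a path the operator controls (same host, or a link not shared with peers); bird2's rpki protocol also accepts an `ssh` transport for remote servers, which is worth a one-line mention. Two smaller points: `expire 7200` means that if the RTR server becomes unreachable the ROA tables are emptied after two hours and every route degrades to ROA_UNKNOWN, so suggest telling readers to watch the protocol state (`birdc show protocols all roa_dn42`); and the `...existing configuration` placeholder inside the fenced `template bgp dnpeers` block is not valid config, so the text should state that it stands for the channel options already present. Style: a blank line is missing between the closing fence and "To reflect changes in the ROA table", and the rpki block uses 8-space indentation where the static blocks use 4.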
howto/ROA-slash-RPKI.md
			| ... | ... | @@ -50,6 +50,30 @@ You can use these to simply run gortr via docker: | 
| 50 | 50 | |
| 51 | 51 |      docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082 | 
| 52 | 52 | |
| 53 | +### rtrtr | |
| 54 | + | |
| 55 | +rtrtr is a RTR server from NLNet Labs. It's compatible with the dn42regsrv ROA-JSON or burbles provided one (https://dn42.burble.com/roa/dn42_roa_46.json) too.  | |
| 56 | + | |
| 57 | +NLNet Labs provides an official docker image. You just have to bind mount a suitable configuration file: | |
| 58 | + | |
| 59 | +    docker run -d -v /etc/rtrtr.conf:/etc/rtrtr.conf -p 323:323/tcp nlnetlabs/rtrtr -c /etc/rtrtr.conf | |
| 60 | + | |
| 61 | +This is a working configuration file for dn42. Maybe change the listen addresses: | |
| 62 | + | |
| 63 | +    log_level = "debug" | |
| 64 | +    log_target = "stderr" | |
| 65 | +    http-listen = [] | |
| 66 | +    [units.dn42-json] | |
| 67 | +    type = "json" | |
| 68 | +    uri = "https://dn42.burble.com/roa/dn42_roa_46.json" | |
| 69 | +    refresh = 600 | |
| 70 | +    [targets.dn42-rtr] | |
| 71 | +    type = "rtr" | |
| 72 | +    listen = ["0.0.0.0:323", "[::]:323"] | |
| 73 | +    unit = "dn42-json" | |
| 74 | + | |
| 75 | +For more information cosult the official documentation: https://rtrtr.docs.nlnetlabs.nl/en/stable/ | |
| 76 | + | |
| 53 | 77 |  ### Other tools / generators | 
| 54 | 78 |  - bauen1's dn42-roagen: https://gitlab.com/bauen1/dn42-roagen | 
| 55 | 79 |  - Kioubit's registry wizard:  https://git.dn42.dev/Kioubit/RegistryWizard | 
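Review bot: the rtrtr target listens on `["0.0.0.0:323", "[::]:323"]` and the docker command publishes `-p 323:323/tcp`, which exposes an unauthenticated RTR service on every interface of the host; the "Maybe change the listen addresses" remark should be made concrete by publishing only on the address bird will connect from (for example `-p 127.0.0.1:323:323/tcp` when bird runs on the same host, or the DN42-internal address otherwise). Two practical caveats for the docker line: the host file `/etc/rtrtr.conf` must exist before `docker run`, otherwise Docker creates an empty directory at that path and rtrtr fails to start, and `log_level = "debug"` is noisy for a config presented as "working" (`"info"` is the sensible default). Typos in the prose: "a RTR server" should be "an RTR server", "burbles provided one" should be "burble's", and "cosult" should be "consult".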
howto/mikrotik.md
			| ... | ... | @@ -22,6 +22,8 @@ | 
| 22 | 22 | |
| 23 | 23 |  Mikrotik/RouterOS can't handle very well /32 on Point-to-Point links (like GRE). There is a [separate howto](/howto/mikrotik/ptp32) to explain how to setup /32 between in a GRE link (or even a OpenVPN). What is the easy way? Just use any /30 on the GRE Link, either from your assigned DN42 pool address or use a private address like 192.168. Please don't choose from 172.16.0.0/12 or 10.0.0.0/8 because they may overlap with DN42 or ChaosVPN. | 
| 24 | 24 | |
| 25 | +RouterOS v7.2 has some nasty bugs when using PTP configuration or IPv6 link local addresses as NEXTHOP. It won't work (confirmed for v7.2 by their support staff). | |
| 26 | + | |
| 25 | 27 |  ## Tunnel | 
| 26 | 28 | |
| 27 | 29 |  ### IPSec |
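Review bot: the added RouterOS warning makes a strong claim ("confirmed for v7.2 by their support staff") with no reference or date; please link the support ticket or forum thread and state which version was tested and whether a later release fixes it, since RouterOS 7 ships new versions frequently and an undated note goes stale silently. Wording: "IPv6 link local addresses as NEXTHOP" should read "IPv6 link-local addresses as next hop".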