Skip to content

Instantly share code, notes, and snippets.

@mschep

mschep/bird2.conf

Last active January 30, 2024 19:55
Show Gist options
  • Star 13 You must be signed in to star a gist
  • Fork 2 You must be signed in to fork a gist
  • Save mschep/695413d3ba47b5d5c5ce91f096793c19 to your computer and use it in GitHub Desktop.
Save mschep/695413d3ba47b5d5c5ce91f096793c19 to your computer and use it in GitHub Desktop.
Download ZIP
BIRD 2 configuration including RPKI
Raw
bird2.conf
# Very minimal BIRD2 configuration with RPKI enabled
log syslog { info, remote, warning, error, auth, fatal, bug };
log "/var/log/bird.debug.log" { debug, remote, trace };
router id 193.0.31.28;
protocol device {
}
# IPv4
protocol static default_v4
{
ipv4 {
preference 50;
};
route 0.0.0.0/0 unreachable;
}
protocol kernel kernel_v4
{
ipv4 {
export all;
};
}
roa4 table r4;
roa6 table r6;
protocol rpki rpki1
{
# debug all;
roa4 { table r4; };
roa6 { table r6; };
remote 193.0.31.2 port 8323;
retry 300;
}
protocol static as2121_v4
{
ipv4 {
import all;
};
route 193.0.24.0/21 reject;
}
protocol static vfw_1_v4
{
ipv4 {
import all;
};
route 192.168.2.0/24 via 193.0.31.216; # wifi mgmt
route 193.0.24.0/22 via 193.0.31.216; # public
route 193.0.28.0/23 via 193.0.31.216; # public
route 193.0.31.0/26 via 193.0.31.216; # private
route 193.0.31.64/26 via 193.0.31.216; # service
route 193.0.31.192/28 via 193.0.31.216; # dns
route 193.0.31.236/30 via 193.0.31.216; # dns vips
}
function net_as2121_v4()
{
return net ~ [ 193.0.24.0/21+ ];
}
function net_martians_v4()
{
return net ~ [ 10.0.0.0/8+, 172.16.0.0/12+, 192.168.0.0/16+,
0.0.0.0/0, 0.0.0.0/8+, 100.64.0.0/10+, 127.0.0.0/8+,
169.254.0.0/16+, 192.0.0.0/24+, 192.0.2.0/24+,
198.18.0.0/15+, 198.51.100.0/24+, 203.0.113.0/24+,
224.0.0.0/3+,
0.0.0.0/0{25,32} ];
}
function ix_import_v4(int asnr)
{
if net_as2121_v4() || net_martians_v4() then return false;
if bgp_path.first != asnr then return false;
if bgp_path.len > 64 then return false;
if(roa_check(r4, net, bgp_path.last_nonaggregated) = ROA_INVALID) then return false;
return true;
}
filter bgp_in_as2121_nat64_v4
{
if net ~ [ 193.0.31.240/28 ] then accept;
reject;
}
template bgp ok_transit_v4
{
direct;
local 31.15.115.63 as 2121;
ipv4 {
export where proto = "as2121_v4";
import none;
import keep filtered;
};
}
protocol bgp peer_as56704_1_v4 from ok_transit_v4 {
neighbor 31.15.115.62 as 56704;
ipv4 {
import where ix_import_v4(56704);
};
}
# IPv6
protocol static default_v6
{
ipv6 {
preference 50;
};
route ::/0 unreachable;
}
protocol kernel kernel_v6
{
ipv6 {
export all;
};
}
protocol static as2121_v6
{
ipv6 {
import all;
};
route 2001:67c:64::/48 reject;
}
protocol static vfw_1_v6
{
ipv6 {
import all;
};
route 2001:67c:64:42::/64 via 2001:67c:64:50::8; # public
route 2001:67c:64:43::/64 via 2001:67c:64:50::8; # private
route 2001:67c:64:44::/64 via 2001:67c:64:50::8; # service
route 2001:67c:64:47::/64 via 2001:67c:64:50::8; # dns
route 2001:67c:64:53::/64 via 2001:67c:64:50::8; # dns vips
}
function net_as2121_v6()
{
return net ~ [ 2001:67c:64::/48+ ];
}
function net_martians_v6()
{
return net ~ [ ::/0, 2001::/32{33,128}, 2001:10::/28+, 2001:db8::/32+,
2002::/16{17,128} ];
}
function ix_import_v6(int asnr)
{
if net_as2121_v6() || net_martians_v6() then return false;
if bgp_path.first != asnr then return false;
if bgp_path.len > 64 then return false;
if(roa_check(r6, net, bgp_path.last_nonaggregated) = ROA_INVALID) then return false;
# Global unicast
if net ~ [ 2000::/3{3,48} ] then return true;
return false;
}
template bgp ok_transit_v6
{
direct;
local 2a03:eb80:0:100::4f as 2121;
ipv6 {
export where proto = "as2121_v6";
import none;
import keep filtered;
};
}
protocol bgp peer_as56704_1_v6 from ok_transit_v6 {
neighbor 2a03:eb80:0:100::4e as 56704;
ipv6 {
import where ix_import_v6(56704);
};
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment