- #
- # Bird v2 Route Server configuration generated by IXP Manager
- #
- # Do not edit this file, it will be overwritten. Please see:
- #
- # https://github.com/inex/IXP-Manager/wiki/Route-Server
- #
- # Generated: 2020-04-16 10:54:14
- #
- # For VLAN: CIX-AUS Sydney (Tag: 2, Database ID: 1)
- # Use ISO long timestamps everywhere so log lines and protocol/route
- # timestamps can be correlated without ambiguity.
- timeformat base iso long;
- timeformat log iso long;
- timeformat protocol iso long;
- timeformat route iso long;
- # Route server identity: local ASN, the address peers talk to, router ID.
- define routeserverasn = 37980;
- define routeserveraddress = 103.149.217.2;
- router id 103.149.217.2;
- # Log everything, both to a dedicated file and to syslog.
- log "/var/log/bird/rs-cixaus-syd-ipv4.log" all;
- log syslog all;
- # An empty device protocol: interface up/down events are not tracked.
- protocol device { }
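- # Rejects prefixes that must never be carried by an IXP route server:
- # private and reserved space (RFC 1918, RFC 6598 shared space, loopback,
- # link local, documentation and benchmarking ranges, deprecated 6to4 relay
- # anycast), class D (multicast), class E, anything under 0.0.0.0, and
- # prefixes that are too long (more specific than /24) or too short
- # (less specific than /8).
- #
- # Returns: false if "net" matches the martian set, true otherwise.
- # Callers tag a false result with IXP_LC_FILTERED_BOGON.
- function avoid_martians()
- prefix set martians;
- {
-     martians = [
-         0.0.0.0/32-,             # "this" network and every 0.0.0.0/n supernet
-         10.0.0.0/8+,             # RFC 1918
-         100.64.0.0/10+,          # RFC 6598 shared address space (CGN)
-         127.0.0.0/8+,            # loopback
-         169.254.0.0/16+,         # link local
-         172.16.0.0/12+,          # RFC 1918
-         192.0.0.0/24+,           # IETF protocol assignments
-         192.0.2.0/24+,           # TEST-NET-1 (documentation)
-         192.88.99.0/24+,         # deprecated 6to4 relay anycast
-         192.168.0.0/16+,         # RFC 1918
-         198.18.0.0/15+,          # benchmarking
-         198.51.100.0/24+,        # TEST-NET-2 (documentation)
-         203.0.113.0/24+,         # TEST-NET-3 (documentation)
-         224.0.0.0/4+,            # class D, multicast
-         240.0.0.0/4+,            # class E, reserved
-         0.0.0.0/0{25,32},        # too long: more specific than /24
-         0.0.0.0/0{0,7}           # too short: less specific than /8
-     ];
-     # A route whose prefix matches any entry above is a martian
-     return !(net ~ martians);
- }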
- ########################################################################################
- ########################################################################################
- #
- # Community filtering definitions for use with looking glasses
- #
- # Current implementation based on:
- #
- # https://github.com/euro-ix/rs-workshop-july-2017/wiki/Route-Server-BGP-Community-usage
- #
- ########################################################################################
- ########################################################################################
- # Large communities attached by the per-peer import filters.
- #
- # Everything under ( routeserverasn, 1101, * ) marks a route as FILTERED:
- # f_export_to_master rejects it, so it never reaches the master table and
- # is only visible in the peer's own table (for the looking glass).
- define IXP_LC_FILTERED_PREFIX_LEN_TOO_LONG        = ( routeserverasn, 1101, 1 );
- define IXP_LC_FILTERED_PREFIX_LEN_TOO_SHORT       = ( routeserverasn, 1101, 2 );
- define IXP_LC_FILTERED_BOGON                      = ( routeserverasn, 1101, 3 );
- define IXP_LC_FILTERED_BOGON_ASN                  = ( routeserverasn, 1101, 4 );
- define IXP_LC_FILTERED_AS_PATH_TOO_LONG           = ( routeserverasn, 1101, 5 );
- define IXP_LC_FILTERED_AS_PATH_TOO_SHORT          = ( routeserverasn, 1101, 6 );
- define IXP_LC_FILTERED_FIRST_AS_NOT_PEER_AS       = ( routeserverasn, 1101, 7 );
- define IXP_LC_FILTERED_NEXT_HOP_NOT_PEER_IP       = ( routeserverasn, 1101, 8 );
- define IXP_LC_FILTERED_IRRDB_PREFIX_FILTERED      = ( routeserverasn, 1101, 9 );
- define IXP_LC_FILTERED_IRRDB_ORIGIN_AS_FILTERED   = ( routeserverasn, 1101, 10 );
- define IXP_LC_FILTERED_PREFIX_NOT_IN_ORIGIN_AS    = ( routeserverasn, 1101, 11 );
- define IXP_LC_FILTERED_RPKI_UNKNOWN               = ( routeserverasn, 1101, 12 );
- define IXP_LC_FILTERED_RPKI_INVALID               = ( routeserverasn, 1101, 13 );
- define IXP_LC_FILTERED_TRANSIT_FREE_ASN           = ( routeserverasn, 1101, 14 );
- define IXP_LC_FILTERED_TOO_MANY_COMMUNITIES       = ( routeserverasn, 1101, 15 );
- # Informational tags: these never cause a route to be filtered.
- # ( routeserverasn, 1000, * ) describe the RPKI verdict ...
- define IXP_LC_INFO_RPKI_VALID                     = ( routeserverasn, 1000, 1 );
- define IXP_LC_INFO_RPKI_UNKNOWN                   = ( routeserverasn, 1000, 2 );
- define IXP_LC_INFO_RPKI_NOT_CHECKED               = ( routeserverasn, 1000, 3 );
- # ... and ( routeserverasn, 1001, * ) the IRRDB verdict / next hop situation.
- define IXP_LC_INFO_IRRDB_VALID                    = ( routeserverasn, 1001, 1 );
- define IXP_LC_INFO_IRRDB_NOT_CHECKED              = ( routeserverasn, 1001, 2 );
- define IXP_LC_INFO_IRRDB_MORE_SPECIFIC            = ( routeserverasn, 1001, 3 );
- define IXP_LC_INFO_IRRDB_FILTERED_LOOSE           = ( routeserverasn, 1001, 1000 );
- define IXP_LC_INFO_IRRDB_FILTERED_STRICT          = ( routeserverasn, 1001, 1001 );
- define IXP_LC_INFO_IRRDB_PREFIX_EMPTY             = ( routeserverasn, 1001, 1002 );
- define IXP_LC_INFO_SAME_AS_NEXT_HOP               = ( routeserverasn, 1001, 1200 );
- # Not defined here but part of the same scheme:
- #   ( routeserverasn, 1010, peerasn )   -> route learnt from peerasn via routeserverasn
- #   ( routeserverasn, 1011, originasn ) -> route origin asn via routeserverasn
- # Import side of every peer pipe: only routes carrying none of our
- # "filtered" large communities ( routeserverasn, 1101, * ) may enter the
- # master table. Everything else stays in the per-peer table, where the
- # looking glass can still show why it was filtered.
- filter f_export_to_master
- {
-     if !(bgp_large_community ~ [( routeserverasn, 1101, * )]) then accept;
-     reject;
- }
- ########################################################################################
- ########################################################################################
- #
- # Standard IXP community filter
- #
- ########################################################################################
- ########################################################################################
- # Per-peer export policy, evaluated on the master -> peer pipe.
- #
- # peerasn: ASN of the peer the route is about to be exported to.
- # Returns true if the route may be exported to peerasn, false to withhold it.
- #
- # Order matters: large community directives are evaluated first and, only
- # for 16-bit peers, the classic standard community scheme afterwards.
- function ixp_community_filter(int peerasn)
- {
-     # Only routes learnt via BGP are candidates for export
-     if source != RTS_BGP then return false;
-     # AS path prepending requested by the announcing peer; the checks run
-     # from the largest prepend count down, so 103 wins if several are present
-     if bgp_large_community ~ [( routeserverasn, 103, peerasn )] then {
-         bgp_path.prepend( bgp_path.first );
-         bgp_path.prepend( bgp_path.first );
-         bgp_path.prepend( bgp_path.first );
-     } else if bgp_large_community ~ [( routeserverasn, 102, peerasn )] then {
-         bgp_path.prepend( bgp_path.first );
-         bgp_path.prepend( bgp_path.first );
-     } else if bgp_large_community ~ [( routeserverasn, 101, peerasn )] then {
-         bgp_path.prepend( bgp_path.first );
-     }
-     # Large community export control, peer-specific before global:
-     #   ( rs, 0, peer ) do not export to peer      ( rs, 1, peer ) export to peer
-     #   ( rs, 0, 0 )    do not export to anyone    ( rs, 1, 0 )    export to everyone
-     if bgp_large_community ~ [( routeserverasn, 0, peerasn )] then return false;
-     if bgp_large_community ~ [( routeserverasn, 1, peerasn )] then return true;
-     if bgp_large_community ~ [( routeserverasn, 0, 0 )] then return false;
-     if bgp_large_community ~ [( routeserverasn, 1, 0 )] then return true;
-     # A standard (16-bit) community cannot name a 32-bit peer ASN, so the
-     # classic scheme below is skipped for such peers and the route is exported
-     if peerasn > 65535 then return true;
-     # Classic standard community scheme, same precedence as above
-     if bgp_community ~ [( 0, peerasn )] then return false;
-     if bgp_community ~ [( routeserverasn, peerasn )] then return true;
-     if bgp_community ~ [( 0, routeserverasn )] then return false;
-     # Default: export
-     return true;
- }
- ########################################################################################
- ########################################################################################
- #
- # RPKI protocol configuration
- #
- ########################################################################################
- ########################################################################################
- # RPKI not enabled for this router
- ########################################################################################
- ########################################################################################
- #
- # Filter known transit networks
- #
- # Inspired by: http://bgpfilterguide.nlnog.net/guides/no_transit_leaks/
- #
- ########################################################################################
- ########################################################################################
- # ASNs of large transit networks that should never appear in an AS path
- # learnt at the exchange; any route carrying one is treated as a transit leak.
- define TRANSIT_ASNS = [
-     174,    # Cogent
-     209,    # Qwest (HE carries this on IXPs IPv6 (Jul 12 2018))
-     701,    # UUNET
-     702,    # UUNET
-     1239,   # Sprint
-     1299,   # Telia
-     2914,   # NTT Communications
-     3257,   # GTT Backbone
-     3320,   # Deutsche Telekom AG (DTAG)
-     3356,   # Level3
-     3549,   # Level3
-     3561,   # Savvis / CenturyLink
-     4134,   # Chinanet
-     5511,   # Orange opentransit
-     6453,   # Tata Communications
-     6762,   # Seabone / Telecom Italia
-     7018    # AT&T
- ];
- # Returns true (and tags the route IXP_LC_FILTERED_TRANSIT_FREE_ASN) if any
- # ASN of TRANSIT_ASNS occurs anywhere in the AS path; false otherwise.
- function filter_has_transit_path()
- {
-     if !(bgp_path ~ TRANSIT_ASNS) then return false;
-     bgp_large_community.add( IXP_LC_FILTERED_TRANSIT_FREE_ASN );
-     return true;
- }
- ########################################################################################
- ########################################################################################
- #
- # Route Server client configuration
- #
- ########################################################################################
- ########################################################################################
- # Settings shared by every route server client session.
- template bgp tb_rsclient {
-     rs client;
-     local as routeserverasn;
-     source address routeserveraddress;
-     # bind the listening socket to the source address only
-     strict bind yes;
-     # delay session establishment after startup so an RPKI-RTR feed would
-     # have time to populate (RPKI is /really/ quick); kept although RPKI
-     # is not enabled in this configuration
-     connect delay time 30;
-     ipv4 {
-         export all;
-     };
- }
- ########################################################################################
- ########################################################################################
- #
- # Route server clients
- #
- ########################################################################################
- ########################################################################################
- ########################################################################################
- ########################################################################################
- ###
- ### AS6939 - Hurricane Electric - VLAN Interface #3
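- ipv4 table t_0003_as6939;
- # Import policy for AS6939 on VLAN interface #3.
- #
- # Every check tags the route with a large community and then accepts it, so
- # the route lands in t_0003_as6939 with its verdict visible to the looking
- # glass; f_export_to_master later rejects anything tagged ( rs, 1101, * ).
- #
- # NOTE(review): the IRRDB prefix list for this peer was empty when the file
- # was generated, so the unconditional IXP_LC_FILTERED_IRRDB_PREFIX_FILTERED
- # tag at the end means no route from this peer currently reaches master4.
- # (The unused "prefix set allnet" and the duplicated trailing "accept" of
- # the generated filter were dropped.)
- filter f_import_as6939
- ip set allips;
- int set allas;
- {
-     # Prefixes more specific than /24 are not accepted on the exchange
-     if ( net ~ [ 0.0.0.0/0{25,32} ] ) then {
-         bgp_large_community.add( IXP_LC_FILTERED_PREFIX_LEN_TOO_LONG );
-         accept;
-     }
-     # Bogons and too-short prefixes (see avoid_martians)
-     if !(avoid_martians()) then {
-         bgp_large_community.add( IXP_LC_FILTERED_BOGON );
-         accept;
-     }
-     # Belt and braces: must have at least one ASN in the path
-     if( bgp_path.len < 1 ) then {
-         bgp_large_community.add( IXP_LC_FILTERED_AS_PATH_TOO_SHORT );
-         accept;
-     }
-     # The leftmost ASN must be the peer itself
-     if (bgp_path.first != 6939 ) then {
-         bgp_large_community.add( IXP_LC_FILTERED_FIRST_AS_NOT_PEER_AS );
-         accept;
-     }
-     # All addresses this ASN peers from on this VLAN
-     allips = [ 103.149.217.12 ];
-     # NEXT_HOP must be the session neighbor; another address of the same ASN
-     # is only tagged, anything else is treated as next hop hijacking
-     if !( from = bgp_next_hop ) then {
-         if( bgp_next_hop ~ allips ) then {
-             bgp_large_community.add( IXP_LC_INFO_SAME_AS_NEXT_HOP );
-         } else {
-             bgp_large_community.add( IXP_LC_FILTERED_NEXT_HOP_NOT_PEER_IP );
-             accept;
-         }
-     }
-     # Known transit networks must not appear anywhere in the path
-     if filter_has_transit_path() then accept;
-     # Belt and braces: no one needs an ASN path with > 64 hops, that's just broken
-     if( bgp_path.len > 64 ) then {
-         bgp_large_community.add( IXP_LC_FILTERED_AS_PATH_TOO_LONG );
-         accept;
-     }
-     # Only the peer's own ASN is an allowed origin; no wider AS-SET
-     # membership is present in this generated file
-     allas = [ 6939 ];
-     if !(bgp_path.last_nonaggregated ~ allas) then {
-         bgp_large_community.add( IXP_LC_FILTERED_IRRDB_ORIGIN_AS_FILTERED );
-         accept;
-     }
-     # RPKI is not enabled on this router, so no ROA validation takes place
-     bgp_large_community.add( IXP_LC_INFO_RPKI_NOT_CHECKED );
-     # The IRRDB returned no prefixes for this peer: tag as filtered (rejected
-     # at f_export_to_master) and as empty so the looking glass shows why
-     bgp_large_community.add( IXP_LC_FILTERED_IRRDB_PREFIX_FILTERED );
-     bgp_large_community.add( IXP_LC_INFO_IRRDB_PREFIX_EMPTY );
-     accept;
- }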
- # Export gateway on the BGP protocol towards AS6939. The standard IXP
- # community filtering has already happened on the master -> bgp protocol
- # pipe, so all that is left is to strip the route server's own communities
- # (used by the looking glass) before the route leaves.
- filter f_export_as6939
- {
-     bgp_community.delete( [( routeserverasn, * )] );
-     bgp_large_community.delete( [( routeserverasn, *, * )] );
-     accept;
- }
- # Pipe between master4 and the peer's own table: towards master only routes
- # without a "filtered" tag pass (f_export_to_master); towards the peer table
- # only routes the community policy allows for AS6939.
- protocol pipe pp_0003_as6939 {
-     table master4;
-     peer table t_0003_as6939;
-     import filter f_export_to_master;
-     export where ixp_community_filter(6939);
-     description "Pipe for AS6939 - Hurricane Electric - VLAN Interface 3";
- }
- # BGP session with AS6939, inheriting the common client settings.
- protocol bgp pb_0003_as6939 from tb_rsclient {
-     neighbor 103.149.217.12 as 6939;
-     description "AS6939 - Hurricane Electric";
-     ipv4 {
-         table t_0003_as6939;
-         import filter f_import_as6939;
-         # restart the session if the peer announces more routes than this
-         import limit 202800 action restart;
-         export filter f_export_as6939;
-     };
- }
- ########################################################################################
- ########################################################################################
- ###
- ### AS32590 - Valve Corporation - VLAN Interface #4
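- ipv4 table t_0004_as32590;
- # Import policy for AS32590 on VLAN interface #4.
- #
- # Every check tags the route with a large community and then accepts it, so
- # the route lands in t_0004_as32590 with its verdict visible to the looking
- # glass; f_export_to_master later rejects anything tagged ( rs, 1101, * ).
- #
- # NOTE(review): the IRRDB prefix list for this peer was empty when the file
- # was generated, so the unconditional IXP_LC_FILTERED_IRRDB_PREFIX_FILTERED
- # tag at the end means no route from this peer currently reaches master4.
- # (The unused "prefix set allnet" and the duplicated trailing "accept" of
- # the generated filter were dropped.)
- filter f_import_as32590
- ip set allips;
- int set allas;
- {
-     # Prefixes more specific than /24 are not accepted on the exchange
-     if ( net ~ [ 0.0.0.0/0{25,32} ] ) then {
-         bgp_large_community.add( IXP_LC_FILTERED_PREFIX_LEN_TOO_LONG );
-         accept;
-     }
-     # Bogons and too-short prefixes (see avoid_martians)
-     if !(avoid_martians()) then {
-         bgp_large_community.add( IXP_LC_FILTERED_BOGON );
-         accept;
-     }
-     # Belt and braces: must have at least one ASN in the path
-     if( bgp_path.len < 1 ) then {
-         bgp_large_community.add( IXP_LC_FILTERED_AS_PATH_TOO_SHORT );
-         accept;
-     }
-     # The leftmost ASN must be the peer itself
-     if (bgp_path.first != 32590 ) then {
-         bgp_large_community.add( IXP_LC_FILTERED_FIRST_AS_NOT_PEER_AS );
-         accept;
-     }
-     # All addresses this ASN peers from on this VLAN
-     allips = [ 103.149.217.11 ];
-     # NEXT_HOP must be the session neighbor; another address of the same ASN
-     # is only tagged, anything else is treated as next hop hijacking
-     if !( from = bgp_next_hop ) then {
-         if( bgp_next_hop ~ allips ) then {
-             bgp_large_community.add( IXP_LC_INFO_SAME_AS_NEXT_HOP );
-         } else {
-             bgp_large_community.add( IXP_LC_FILTERED_NEXT_HOP_NOT_PEER_IP );
-             accept;
-         }
-     }
-     # Known transit networks must not appear anywhere in the path
-     if filter_has_transit_path() then accept;
-     # Belt and braces: no one needs an ASN path with > 64 hops, that's just broken
-     if( bgp_path.len > 64 ) then {
-         bgp_large_community.add( IXP_LC_FILTERED_AS_PATH_TOO_LONG );
-         accept;
-     }
-     # Only the peer's own ASN is an allowed origin; no wider AS-SET
-     # membership is present in this generated file
-     allas = [ 32590 ];
-     if !(bgp_path.last_nonaggregated ~ allas) then {
-         bgp_large_community.add( IXP_LC_FILTERED_IRRDB_ORIGIN_AS_FILTERED );
-         accept;
-     }
-     # RPKI is not enabled on this router, so no ROA validation takes place
-     bgp_large_community.add( IXP_LC_INFO_RPKI_NOT_CHECKED );
-     # The IRRDB returned no prefixes for this peer: tag as filtered (rejected
-     # at f_export_to_master) and as empty so the looking glass shows why
-     bgp_large_community.add( IXP_LC_FILTERED_IRRDB_PREFIX_FILTERED );
-     bgp_large_community.add( IXP_LC_INFO_IRRDB_PREFIX_EMPTY );
-     accept;
- }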
- # Export gateway on the BGP protocol towards AS32590. The standard IXP
- # community filtering has already happened on the master -> bgp protocol
- # pipe, so all that is left is to strip the route server's own communities
- # (used by the looking glass) before the route leaves.
- filter f_export_as32590
- {
-     bgp_community.delete( [( routeserverasn, * )] );
-     bgp_large_community.delete( [( routeserverasn, *, * )] );
-     accept;
- }
- # Pipe between master4 and the peer's own table: towards master only routes
- # without a "filtered" tag pass (f_export_to_master); towards the peer table
- # only routes the community policy allows for AS32590.
- protocol pipe pp_0004_as32590 {
-     table master4;
-     peer table t_0004_as32590;
-     import filter f_export_to_master;
-     export where ixp_community_filter(32590);
-     description "Pipe for AS32590 - Valve Corporation - VLAN Interface 4";
- }
- # BGP session with AS32590, inheriting the common client settings.
- protocol bgp pb_0004_as32590 from tb_rsclient {
-     neighbor 103.149.217.11 as 32590;
-     description "AS32590 - Valve Corporation";
-     ipv4 {
-         table t_0004_as32590;
-         import filter f_import_as32590;
-         # restart the session if the peer announces more routes than this
-         import limit 120 action restart;
-         export filter f_export_as32590;
-     };
- }
- ########################################################################################
- ########################################################################################
- ###
- ### AS132269 - CommSphere - VLAN Interface #7
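- ipv4 table t_0007_as132269;
- # Import policy for AS132269 on VLAN interface #7.
- #
- # Every check tags the route with a large community and then accepts it, so
- # the route lands in t_0007_as132269 with its verdict visible to the looking
- # glass; f_export_to_master later rejects anything tagged ( rs, 1101, * ).
- #
- # NOTE(review): the IRRDB prefix list for this peer was empty when the file
- # was generated, so the unconditional IXP_LC_FILTERED_IRRDB_PREFIX_FILTERED
- # tag at the end means no route from this peer currently reaches master4.
- # (The unused "prefix set allnet" and the duplicated trailing "accept" of
- # the generated filter were dropped.)
- filter f_import_as132269
- ip set allips;
- int set allas;
- {
-     # Prefixes more specific than /24 are not accepted on the exchange
-     if ( net ~ [ 0.0.0.0/0{25,32} ] ) then {
-         bgp_large_community.add( IXP_LC_FILTERED_PREFIX_LEN_TOO_LONG );
-         accept;
-     }
-     # Bogons and too-short prefixes (see avoid_martians)
-     if !(avoid_martians()) then {
-         bgp_large_community.add( IXP_LC_FILTERED_BOGON );
-         accept;
-     }
-     # Belt and braces: must have at least one ASN in the path
-     if( bgp_path.len < 1 ) then {
-         bgp_large_community.add( IXP_LC_FILTERED_AS_PATH_TOO_SHORT );
-         accept;
-     }
-     # The leftmost ASN must be the peer itself
-     if (bgp_path.first != 132269 ) then {
-         bgp_large_community.add( IXP_LC_FILTERED_FIRST_AS_NOT_PEER_AS );
-         accept;
-     }
-     # All addresses this ASN peers from on this VLAN
-     allips = [ 103.149.217.10 ];
-     # NEXT_HOP must be the session neighbor; another address of the same ASN
-     # is only tagged, anything else is treated as next hop hijacking
-     if !( from = bgp_next_hop ) then {
-         if( bgp_next_hop ~ allips ) then {
-             bgp_large_community.add( IXP_LC_INFO_SAME_AS_NEXT_HOP );
-         } else {
-             bgp_large_community.add( IXP_LC_FILTERED_NEXT_HOP_NOT_PEER_IP );
-             accept;
-         }
-     }
-     # Known transit networks must not appear anywhere in the path
-     if filter_has_transit_path() then accept;
-     # Belt and braces: no one needs an ASN path with > 64 hops, that's just broken
-     if( bgp_path.len > 64 ) then {
-         bgp_large_community.add( IXP_LC_FILTERED_AS_PATH_TOO_LONG );
-         accept;
-     }
-     # Only the peer's own ASN is an allowed origin; no wider AS-SET
-     # membership is present in this generated file
-     allas = [ 132269 ];
-     if !(bgp_path.last_nonaggregated ~ allas) then {
-         bgp_large_community.add( IXP_LC_FILTERED_IRRDB_ORIGIN_AS_FILTERED );
-         accept;
-     }
-     # RPKI is not enabled on this router, so no ROA validation takes place
-     bgp_large_community.add( IXP_LC_INFO_RPKI_NOT_CHECKED );
-     # The IRRDB returned no prefixes for this peer: tag as filtered (rejected
-     # at f_export_to_master) and as empty so the looking glass shows why
-     bgp_large_community.add( IXP_LC_FILTERED_IRRDB_PREFIX_FILTERED );
-     bgp_large_community.add( IXP_LC_INFO_IRRDB_PREFIX_EMPTY );
-     accept;
- }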
- # Export gateway on the BGP protocol towards AS132269. The standard IXP
- # community filtering has already happened on the master -> bgp protocol
- # pipe, so all that is left is to strip the route server's own communities
- # (used by the looking glass) before the route leaves.
- filter f_export_as132269
- {
-     bgp_community.delete( [( routeserverasn, * )] );
-     bgp_large_community.delete( [( routeserverasn, *, * )] );
-     accept;
- }
- # Pipe between master4 and the peer's own table: towards master only routes
- # without a "filtered" tag pass (f_export_to_master); towards the peer table
- # only routes the community policy allows for AS132269.
- protocol pipe pp_0007_as132269 {
-     table master4;
-     peer table t_0007_as132269;
-     import filter f_export_to_master;
-     export where ixp_community_filter(132269);
-     description "Pipe for AS132269 - CommSphere - VLAN Interface 7";
- }
- # BGP session with AS132269, inheriting the common client settings.
- protocol bgp pb_0007_as132269 from tb_rsclient {
-     neighbor 103.149.217.10 as 132269;
-     description "AS132269 - CommSphere";
-     ipv4 {
-         table t_0007_as132269;
-         import filter f_import_as132269;
-         # restart the session if the peer announces more routes than this
-         import limit 12000 action restart;
-         export filter f_export_as132269;
-     };
- }