mirror of
https://git.dn42.dev/wiki/wiki
synced 2025-03-14 19:43:32 +00:00
[Yamakaja] Created Bird2 page
This commit is contained in:
parent
2ae80bb6d8
commit
aca9d757dc
198
howto/Bird2.md
Normal file
198
howto/Bird2.md
Normal file
@ -0,0 +1,198 @@
|
||||
This guide is similar to the normal [Bird](/howto/Bird) guide in that it provides you with help setting up the BIRD routing daemon, with the difference that this page is dedicated to versions 2.x.
|
||||
|
||||
# Arch Linux
|
||||
|
||||
The `extra/bird` package in the arch repositories will usually have a relatively recent version and there is (usually) no need for a manual install over the usual `# pacman -S bird'.
|
||||
|
||||
# Example configuration
|
||||
|
||||
Please note: This example configuration is made for use with IPv4 and IPv6 (Really, there is no excuse not to get started with IPv6 networking! :) )
|
||||
|
||||
The default config location in bird version 2.x is `/etc/bird.conf`, but this may vary depending on how your distribution compiled bird.
|
||||
|
||||
When copying the configuration below onto your system, you will have to enter the following values in the file header:
|
||||
|
||||
* Replace `<OWNAS>` with your autonomous system number, e.g. `4242421234`
|
||||
* Replace `<OWNIP>` with the ip that your router is going to have, this is usually the first non-zero ip in your subnet. (E.g. x.x.x.65 in an x.x.x.64/28 network)
|
||||
* Similarly, replace `<OWNIPv6>` with the first non-zero ip in your ipv6 subnet.
|
||||
* Then replace `<OWNNET>` with the IPv4 subnet that was assigned to you.
|
||||
* The same goes for `<OWNNETv6>`, but it takes an IPv6 subnet (Who'd have thought).
|
||||
* Keep in mind that you'll have to enter both networks in the OWNNET{,v6} and OWNNETSET{,v6}, the two variables are required due to set parsing difficulties with variables.
|
||||
```
|
||||
################################################
|
||||
# Variable header #
|
||||
################################################
|
||||
|
||||
define OWNAS = <OWNAS>;
|
||||
define OWNIP = <OWNIP>;
|
||||
define OWNIPv6 = <OWNIPv6>;
|
||||
define OWNNET = <OWNNET>;
|
||||
define OWNNETv6 = <OWNNETv6>;
|
||||
define OWNNETSET = [<OWNNET>+];
|
||||
define OWNNETSETv6 = [<OWNNETv6>+];
|
||||
|
||||
################################################
|
||||
# Header end #
|
||||
################################################
|
||||
|
||||
router id OWNIP;
|
||||
|
||||
protocol device {
|
||||
scan time 10;
|
||||
}
|
||||
|
||||
/*
|
||||
* Utility functions
|
||||
*/
|
||||
|
||||
function is_self_net() {
|
||||
return net ~ OWNNETSET;
|
||||
}
|
||||
|
||||
function is_self_net_v6() {
|
||||
return net ~ OWNNETSETv6;
|
||||
}
|
||||
|
||||
function is_valid_network() {
|
||||
return net ~ [
|
||||
172.20.0.0/14{21,29}, # dn42
|
||||
172.20.0.0/24{28,32}, # dn42 Anycast
|
||||
172.21.0.0/24{28,32}, # dn42 Anycast
|
||||
172.22.0.0/24{28,32}, # dn42 Anycast
|
||||
172.23.0.0/24{28,32}, # dn42 Anycast
|
||||
172.31.0.0/16+, # ChaosVPN
|
||||
10.100.0.0/14+, # ChaosVPN
|
||||
10.0.0.0/8{15,24} # Freifunk.net
|
||||
];
|
||||
}
|
||||
|
||||
roa4 table dn42_roa;
|
||||
roa6 table dn42_roa_v6;
|
||||
|
||||
protocol static {
|
||||
roa4 { table dn42_roa; };
|
||||
include "/etc/bird/roa_dn42.conf";
|
||||
};
|
||||
|
||||
protocol static {
|
||||
roa6 { table dn42_roa_v6; };
|
||||
include "/etc/bird/roa_dn42_v6.conf";
|
||||
};
|
||||
|
||||
function is_valid_network_v6() {
|
||||
return net ~ [
|
||||
fd00::/8{44,64} # ULA address space as per RFC 4193
|
||||
];
|
||||
}
|
||||
|
||||
protocol kernel {
|
||||
scan time 20;
|
||||
|
||||
ipv6 {
|
||||
import none;
|
||||
export filter {
|
||||
if source = RTS_STATIC then reject;
|
||||
krt_prefsrc = OWNIPv6;
|
||||
accept;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
protocol kernel {
|
||||
scan time 20;
|
||||
|
||||
ipv4 {
|
||||
import none;
|
||||
export filter {
|
||||
if source = RTS_STATIC then reject;
|
||||
krt_prefsrc = OWNIP;
|
||||
accept;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
protocol static {
|
||||
route OWNNET reject;
|
||||
|
||||
ipv4 {
|
||||
import all;
|
||||
export none;
|
||||
};
|
||||
}
|
||||
|
||||
protocol static {
|
||||
route OWNNETv6 reject;
|
||||
|
||||
ipv6 {
|
||||
import all;
|
||||
export none;
|
||||
};
|
||||
}
|
||||
|
||||
template bgp dnpeers {
|
||||
local as OWNAS;
|
||||
path metric 1;
|
||||
|
||||
ipv4 {
|
||||
import filter {
|
||||
if is_valid_network() && !is_self_net() then {
|
||||
if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
|
||||
print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
|
||||
reject;
|
||||
} else accept;
|
||||
} else reject;
|
||||
};
|
||||
|
||||
export filter { if is_valid_network() then accept; else reject; };
|
||||
import limit 1000 action block;
|
||||
};
|
||||
|
||||
ipv6 {
|
||||
import filter {
|
||||
if is_valid_network_v6() && !is_self_net_v6() then {
|
||||
if (roa_check(dn42_roa_v6, net, bgp_path.last) = ROA_INVALID) then {
|
||||
print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
|
||||
reject;
|
||||
} else accept;
|
||||
} else reject;
|
||||
};
|
||||
export filter { if is_valid_network_v6() then accept; else reject; };
|
||||
import limit 1000 action block;
|
||||
};
|
||||
}
|
||||
|
||||
|
||||
include "/etc/bird/peers/*";
|
||||
```
|
||||
|
||||
# Route Origin Authorization
|
||||
|
||||
He example config above relies on ROA configuration files in `/etc/bird/roa_dn42{,_v6}.conf`. These should be automatically downloaded and updated every so often to prevent BGP highjacking, which can be achieved using a simple cronjob:
|
||||
|
||||
*/30 * * * * root curl -sfSLR {-o,-z}/etc/bird/roa_dn42_v6.conf https://dn42.tech9.io/roa/bird6_roa_dn42.conf && curl -sfSLR {-o,-z}/etc/bird/roa_dn42.conf https://dn42.tech9.io/roa/bird_roa_dn42.conf && sed -i 's/roa/route/g' /etc/bird/roa_dn42{,_v6}.conf && birdc configure
|
||||
|
||||
Also make sure the /etc/bird directory exists:
|
||||
|
||||
# mkdir -p /etc/bird
|
||||
|
||||
# Setting up peers
|
||||
|
||||
Please note: This section assumes that you've already got a tunnel to your peering partner setup.
|
||||
|
||||
First, make sure the /etc/bird/peers directory exists:
|
||||
|
||||
# mkdir -p /etc/bird/peers
|
||||
|
||||
Then for each peer, create a configuration file similar to this one:
|
||||
|
||||
```
|
||||
protocol bgp <name> from dnpeers {
|
||||
neighbor <NEIGHBOR_IP> as <NEIGHBOR_ASN>;
|
||||
}
|
||||
|
||||
protocol bgp <name>_v6 from dnpeers {
|
||||
neighbor <NEIGHBOR_IPv6>%<NEIGHBOR_INTERFACE> as <NEIGHBOR_ASN>;
|
||||
}
|
||||
```
|
||||
|
||||
Due to the special link local addresses of IPv6, an interface has to be specified using the %<if> syntax if a link local address is used (Which is recommended)
|
Loading…
x
Reference in New Issue
Block a user