4.8.5 TO 5.0.0

bgp/ix/AS210440_v6.conf

@@ -0,0 +1,8 @@
+protocol bgp AS210440_v6 from tixp {
+    local 2a14:67c1:a080::571 as 151194;
+    neighbor 2a14:67c1:a080::1 as 210440;
+    multihop 2;
+    ipv6 {
+        next hop self;
+    };
+}

bgp/ix/AS47498_v6.conf

@@ -0,0 +1,4 @@
+protocol bgp AS47498_v6 from tixp {
+    local 2001:7f8:ca:1::15:1194:1 as 151194;
+    neighbor 2001:7f8:ca:1::111 as 47498;
+}

bgp/upstream/AS34927_v6.conf

@@ -0,0 +1,4 @@
+protocol bgp AS34927_v6 from tuplink {
+    local 2a0c:9a40:1072::641 as 151194;
+    neighbor 2a0c:9a40:1072::1 as 34927;
+}

bgp/upstream/AS44324_v6.conf

@@ -0,0 +1,6 @@
+protocol bgp AS44324_v6 from tuplink {
+    local 2001:7f8:ca:1:0:15:1194:1 as151194;
+    neighbor 2001:7f8:ca:1:0:4:4324:1 as 44324;
+}
+
+

bird.conf

@@ -0,0 +1,151 @@
+################################################
+#               STE Network 4.0                #
+################################################
+router id 193.148.248.170;
+
+include "/etc/bird/roa/roa4.conf";
+include "/etc/bird/roa/roa6.conf";
+
+include "/etc/bird/roa/homelab4.conf";
+include "/etc/bird/roa/homelab6.conf";
+
+include "/etc/bird/roa/ix4.conf";
+include "/etc/bird/roa/ix6.conf";
+
+protocol device {
+    scan time 10;
+}
+
+protocol kernel {
+    ipv6 {
+        export all;
+        import all;
+    };
+    learn;
+    merge paths yes;
+    scan time 10;
+}
+
+protocol direct
+{
+    interface "dummy*";
+    ipv6 {
+        import all;
+    };
+};
+
+
+roa4 table ste_roa;
+roa6 table ste_roa_v6;
+
+protocol static {
+    roa4 { 
+        table ste_roa; 
+    };
+    include "/etc/bird/roa/roa_from_sdixp_v4.conf";
+};
+
+protocol static {
+    roa6 { 
+        table ste_roa_v6; 
+    };
+    include "/etc/bird/roa/roa_from_sdixp_v6.conf";
+};
+
+#Uplink
+filter uplink_import {
+    accept;
+};
+
+filter uplink_import_v6 {
+    accept;
+};
+
+filter uplink_export {
+if net ~ myip then accept;
+reject;
+};
+
+filter uplink_export_v6 {
+if net ~ myip6 then accept;
+reject;
+};
+
+#ix
+filter ix_import {
+    accept;
+};
+
+filter ix_import_v6 {
+    accept;
+};
+
+filter ix_export {
+if net ~ ix then accept;
+reject;
+};
+
+filter ix_export_v6 {
+if net ~ ix6 then accept;
+reject;
+};
+
+#homelab
+filter homelab_import {
+    reject;
+};
+
+filter homelab_import_v6 {
+    reject;
+};
+
+filter homelab_export {
+if net ~ homelabip then accept;
+reject;
+};
+
+filter homelab_export_v6 {
+if net ~ homelabip6 then accept;
+reject;
+};
+
+#Customer
+filter customer_import {
+if net ~ myip then accept;
+reject;
+};
+
+filter customer_import_v6 {
+if net ~ myip6 then accept;
+reject;
+};
+
+
+filter customer_export { 
+    accept; 
+}
+
+filter customer_export_v6 { 
+    accept; 
+}
+
+filter community_export_v6 {
+    if net ~ communitys then {
+        bgp_path.prepend(151194);
+        bgp_path.prepend(151194);
+        accept;
+    }
+reject;
+};
+
+#Filter
+include "/etc/bird/filters/*.conf";
+include "/etc/bird/commuintys/*.conf";
+#Protocol
+include "/etc/bird/protocol/*.conf";
+include "/etc/bird/templates/*.conf";
+#BGP Session
+include "/etc/bird/bgp/uplink/*.conf";
+include "/etc/bird/bgp/ix/*.conf";
+include "/etc/bird/bgp/downstream/*.conf";
+include "/etc/bird/bgp/peers/*.conf";

envvars

@@ -0,0 +1,3 @@
+BIRD_RUN_USER=bird
+BIRD_RUN_GROUP=bird
+#BIRD_ARGS=

filters/bogons.conf

@@ -0,0 +1,52 @@
+define BOGON_ASNS = [
+    0,                      # RFC 7607
+    23456,                  # RFC 4893 AS_TRANS
+    64496..64511,           # RFC 5398 and documentation/example ASNs
+    64512..65534,           # RFC 6996 Private ASNs
+    65535,                  # RFC 7300 Last 16 bit ASN
+    65536..65551,           # RFC 5398 and documentation/example ASNs
+    65552..131071,          # RFC IANA reserved ASNs
+    4200000000..4294967294, # RFC 6996 Private ASNs
+    4294967295              # RFC 7300 Last 32 bit ASN
+];
+define BOGON_PREFIXES_V4 = [
+    0.0.0.0/8+,             # RFC 1122 'this' network
+    10.0.0.0/8+,            # RFC 1918 private space
+    100.64.0.0/10+,         # RFC 6598 Carrier grade nat space
+    127.0.0.0/8+,           # RFC 1122 localhost
+    169.254.0.0/16+,        # RFC 3927 link local
+    172.16.0.0/12+,         # RFC 1918 private space
+    192.0.2.0/24+,          # RFC 5737 TEST-NET-1
+    192.88.99.0/24{25,32},  # RFC 7526 deprecated 6to4 relay anycast. If you wish to allow this, change `24+` to `24{25,32}`(no more specific)
+    192.168.0.0/16+,        # RFC 1918 private space
+    198.18.0.0/15+,         # RFC 2544 benchmarking
+    198.51.100.0/24+,       # RFC 5737 TEST-NET-2
+    203.0.113.0/24+,        # RFC 5737 TEST-NET-3
+    224.0.0.0/4+,           # multicast
+    240.0.0.0/4+            # reserved
+];
+define BOGON_PREFIXES_V6 = [
+    ::/8+,                  # RFC 4291 IPv4-compatible, loopback, et al
+    0064:ff9b::/96+,        # RFC 6052 IPv4/IPv6 Translation
+    0064:ff9b:1::/48+,      # RFC 8215 Local-Use IPv4/IPv6 Translation
+    0100::/64+,             # RFC 6666 Discard-Only
+    2001::/32{33,128},      # RFC 4380 Teredo, no more specific
+    2001:2::/48+,           # RFC 5180 BMWG
+    2001:10::/28+,          # RFC 4843 ORCHID
+    2001:db8::/32+,         # RFC 3849 documentation
+    2002::/16{17,128},      # RFC 7526 deprecated 6to4 relay anycast. If you wish to allow this, change `16+` to `16{17,128}`(no more specific)
+    3ffe::/16+, 5f00::/8+,  # RFC 3701 old 6bone
+    fc00::/7+,              # RFC 4193 unique local unicast
+    fe80::/10+,             # RFC 4291 link local unicast
+    fec0::/10+,             # RFC 3879 old site local unicast
+    ff00::/8+               # RFC 4291 multicast
+];
+
+function general_check(){
+        if bgp_path ~ BOGON_ASNS then return true;
+    case net.type {
+        NET_IP4: return net.len > 24 || net ~ BOGON_PREFIXES_V4;
+        NET_IP6: return net.len > 48 || net ~ BOGON_PREFIXES_V6;
+        else: print "unexpected net.type ", net.type, " ", net;
+    }
+};

filters/rpki.conf

@@ -0,0 +1,10 @@
+protocol rpki rpki_axivora{
+  roa4 { table axivora_roa4; };
+  roa6 { table axivora_roa6; };
+
+  remote "rpki.axivora.net" port 5807;
+
+  retry keep 90;
+  refresh keep 900;
+  expire keep 172800;
+};

protocol/dummy.conf

@@ -0,0 +1,8 @@
+protocol direct
+{
+    interface "dummy*";
+    ipv6 {
+        import all;
+        export all;
+    };
+};

protocol/vxlan151194.conf

@@ -0,0 +1,7 @@
+protocol direct {
+    interface "vxlan151194";
+    ipv6 {
+        import all;
+        export all;
+    };
+}

roa.serivce

@@ -0,0 +1,11 @@
+#/etc/systemd/system/roa.service
+[Unit]
+Description=Update ROA TABLE
+
+[Service]
+Type=oneshot
+ExecStart=curl -sfSLR -o /etc/bird/roa/AS_STELIGHT_4.conf -z /etc/bird/roa/AS_STELIGHT_4.conf https://rpki.axivora.net/ste/roa/AS_STELIGHT_4.conf
+ExecStart=curl -sfSLR -o /etc/bird/roa/AS_STELIGHT_6.conf -z /etc/bird/roa/AS_STELIGHT_6.conf https://rpki.axivora.net/ste/roa/AS_STELIGHT_6.conf
+ExecStart=curl -sfSLR -o /etc/bird/roa/AS_198025_DOWNSTREAM_4.conf -z /etc/bird/roa/AS_198025_DOWNSTREAM_4.conf https://rpki.axivora.net/ste/roa/AS_198025_DOWNSTREAM_4.conf
+ExecStart=curl -sfSLR -o /etc/bird/roa/AS_198025_DOWNSTREAM_6.conf -z /etc/bird/roa/AS_198025_DOWNSTREAM_6.conf https://rpki.axivora.net/ste/roa/AS_198025_DOWNSTREAM_6.conf
+ExecStart=birdc configure

roa.sh

@@ -0,0 +1,29 @@
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+
+SERVICE_FILE="roa.service"
+TIMER_FILE="roa.timer"
+
+SYSTEMD_DIR="/etc/systemd/system"
+
+if [[ ! -f "$SCRIPT_DIR/$SERVICE_FILE" ]]; then
+    echo "NOT FIND $SERVICE_FILE"
+    exit 1
+fi
+
+if [[ ! -f "$SCRIPT_DIR/$TIMER_FILE" ]]; then
+    echo "NOT FIND $TIMER_FILE"
+    exit 1
+fi
+
+mv "$SCRIPT_DIR/$SERVICE_FILE" "$SYSTEMD_DIR/"
+mv "$SCRIPT_DIR/$TIMER_FILE" "$SYSTEMD_DIR/"
+
+systemctl daemon-reload
+
+systemctl start roa.service
+
+systemctl enable --now roa.timer
+
+echo "Done "

roa.timer

@@ -0,0 +1,11 @@
+# /etc/systemd/system/droa.timer
+[Unit]
+Description=Update ROA periodically
+
+[Timer]
+OnBootSec=2m
+OnUnitActiveSec=30m
+AccuracySec=1m
+
+[Install]
+WantedBy=timers.target

templates/tdownstream.conf

@@ -0,0 +1,15 @@
+template bgp tdownstream {
+    ipv4 {
+        import filter irr_v4;
+        export filter irr_v4;
+        export limit 100;
+        import limit 100;
+    };
+    ipv6 {
+        import filter irr_v6;
+        export filter irr_v6;
+        export limit 100;
+        import limit 100;
+    };
+    graceful restart;
+}

templates/tfulltable.conf

@@ -0,0 +1,14 @@
+template bgp uplink {
+    ipv4 {
+        import filter irr_v4;
+        export all;
+        import limit 100;
+    };
+
+    ipv6 {
+        import filter irr_v6;
+        export all;
+        import limit 100;
+    };
+    graceful restart;
+}

templates/tix.conf

@@ -0,0 +1,13 @@
+template bgp tix {
+    ipv4 {
+        import filter rpki_and_bogons_v4;
+        export filter irr_v4;
+        export limit 1000;
+    };
+    ipv6 {
+        import filter rpki_and_bogons_v6;
+        export filter irr_v6;
+        export limit 1000;
+    };
+    graceful restart;
+}

templates/tpeer.conf

@@ -0,0 +1,15 @@
+template bgp tpeer {
+    ipv4 {
+        import filter rpki_and_bogons_v4;
+        export filter irr_v4;
+        export limit 1000;
+        import limit 1000;
+    };
+    ipv6 {
+        import filter rpki_and_bogons_v6;
+        export filter irr_v6;
+        export limit 1000;
+        import limit 1000;
+    };
+    graceful restart;
+}

templates/tuplink.conf

@@ -0,0 +1,13 @@
+template bgp tuplink {
+    ipv4 {
+        import filter rpki_and_bogons_v4;
+        export filter irr_v4;
+        export limit 1000;
+    };
+    ipv6 {
+        import filter rpki_and_bogons_v6;
+        export filter irr_v6;
+        export limit 1000;
+    };
+    graceful restart;
+}