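# BIRD 2 configuration: announce the prefixes assigned to dummy0 to AS53667
# over one IPv4 and one IPv6 BGP session, with RPKI origin validation.
#
# One statement per line: a '#' comments out the rest of its physical line,
# so this file only parses when the line breaks are intact.

log syslog all;

router id xxx.xxx.xxx.xxx;	# WAN IPv4 Address

# The Device protocol is not a real routing protocol. It does not generate any
# routes and it only serves as a module for getting information about network
# interfaces from the kernel. It is necessary in almost any configuration.
protocol device {
}

# The direct protocol is not a real routing protocol. It automatically generates
# direct routes to all network interfaces. Can exist in as many instances as you
# wish if you want to populate multiple routing tables with direct routes.
# Assign IP address in announced prefix(es) to the interface listed below
protocol direct direct1 {
	ipv4;			# Remove if not announcing IPv4 prefixes
	ipv6;			# Remove if not announcing IPv6 prefixes
	interface "dummy0";
}

# The Kernel protocol is not a real routing protocol. Instead of communicating
# with other routers in the network, it performs synchronization of BIRD
# routing tables with the OS kernel. One instance per table.
# NOTE(review): only an ipv4 channel is configured here, so routes in master6
# are not synchronized to the OS kernel by this file.
protocol kernel {
	ipv4 {
		# table master4;	# Default IPv4 table is master4
		# import all;		# Import to table, default is import all
		# export all;		# Export to protocol. default is export none
		export filter {
			# The dummy0 routes exist only to be announced; keep them
			# out of the kernel table.
			if proto = "direct1" then reject;
			accept;
		};
	};
	# learn;			# Learn alien routes from the kernel
	# kernel table 10;	# Kernel table to synchronize with (default: main)
}

protocol static {
	ipv4;					# import to master4 table
	route 0.0.0.0/0 via xxx.xxx.xxx.xxx;	# default IPv4 gateway
}

protocol static {
	ipv6;					# import to master6 table
	route ::/0 via xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx;	# default IPv6 gateway
}

###############################################################################################
# RPKI filtering
###############################################################################################

roa4 table r4;
roa6 table r6;

# The RTR session below is plain TCP: the validator's answers decide which
# routes get rejected, so point it at a validator you operate or trust, over a
# path you trust (BIRD's rpki protocol also offers an SSH transport).
# While r4/r6 hold no data (validator unreachable past the expire interval),
# roa_check() cannot return ROA_INVALID and the filters below accept
# everything, so monitor the state of this protocol.
protocol rpki {
	roa4 { table r4; };
	roa6 { table r6; };

	remote "rtr.fqdn" port 8282;	# RPKI filtering host

	retry keep 90;
	refresh keep 900;
	expire keep 172800;
}

# True when the origin AS taken from the route's AS path is contradicted by a
# covering ROA. Meant for routes learned over BGP; a route without an AS path
# has no origin AS to validate.
function is_v4_rpki_invalid() {
	return roa_check(r4, net, bgp_path.last_nonaggregated) = ROA_INVALID;
}

function is_v6_rpki_invalid() {
	return roa_check(r6, net, bgp_path.last_nonaggregated) = ROA_INVALID;
}

###############################################################################################
# BGP Sessions
###############################################################################################

# The session password is stored in clear text: keep this file readable only
# by root and the account BIRD runs as, and out of public repositories.

protocol bgp AS53667v4 {
	description "Frantech Solutions v4";
	local xxx.xxx.xxx.xxx as XXXXXX;	# WAN IPv4 address and client ASN
	neighbor 169.254.169.179 as 53667;	# Neighbour IPv4 address and ASN
	multihop 2;
	password "yyyyyyyyyy";			# BGP Session Password
	hold time 90;
	keepalive time 30;
	graceful restart;

	ipv4 {
		export filter {
			# Announce only the prefixes originated on dummy0. Without
			# this guard every other route in master4, including the
			# static 0.0.0.0/0 above, would be offered to the upstream.
			if proto != "direct1" then reject;
			# NOTE(review): direct routes carry no AS path when this
			# filter runs, so this check has no origin AS to compare.
			# Confirm with "show route export AS53667v4" that your own
			# ROA-covered prefixes pass; if not, validate them with
			# roa_check(r4, net, <your ASN>) instead.
			if is_v4_rpki_invalid() then reject;
			accept;
		};
		# Rejected routes stay in the table, hidden, for inspection
		# ("show route filtered").
		import keep filtered;
		# Only RPKI-invalid routes are dropped; unknown and valid routes,
		# of any prefix length, are accepted.
		import filter {
			if is_v4_rpki_invalid() then reject;
			accept;
		};
	};
}

protocol bgp AS53667v6 {
	description "Frantech Solutions v6";
	local xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx as XXXXXX;	# WAN IPv6 address and client ASN
	neighbor 2605:6400:ffff::2 as 53667;			# Neighbour IPv6 address and ASN
	multihop 2;
	password "yyyyyyyyyy";					# BGP Session Password
	hold time 90;
	keepalive time 30;
	graceful restart;

	ipv6 {
		export filter {
			# Announce only the prefixes originated on dummy0. Without
			# this guard every other route in master6, including the
			# static ::/0 above, would be offered to the upstream.
			if proto != "direct1" then reject;
			# NOTE(review): direct routes carry no AS path when this
			# filter runs, so this check has no origin AS to compare.
			# Confirm with "show route export AS53667v6" that your own
			# ROA-covered prefixes pass; if not, validate them with
			# roa_check(r6, net, <your ASN>) instead.
			if is_v6_rpki_invalid() then reject;
			accept;
		};
		# Rejected routes stay in the table, hidden, for inspection
		# ("show route filtered").
		import keep filtered;
		# Only RPKI-invalid routes are dropped; unknown and valid routes,
		# of any prefix length, are accepted.
		import filter {
			if is_v6_rpki_invalid() then reject;
			accept;
		};
	};
}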