Lab 示例

让我们建立一个 Lab，同时包含三种角色：

graph LR
  Upstream[Upstream<br/>广播前缀：2001:db8:1::/48<br/>Router-ID：1.1.1.1<br/>ASN：65001]
  Downstream[Downstream<br/>广播前缀：2001:db8:2::/48<br/>Router-ID：1.1.1.2<br/>ASN：65002]
  Peer[Peer<br/>广播前缀：2001:db8:3::/48<br/>Router-ID：1.1.1.3<br/>ASN：65003]

  Upstream -->|"fd00::1:1/126 — fd00::1:2/126"| Downstream
  Downstream -->|"fd00::2:1/126 — fd00::2:2/126"| Peer

全部配置

这里我们将一些常量和定义分到了 utils.conf，将函数整理到了 functions.conf并按照对应机器的 ASN 进行更改，省略 irr.conf

1
roa4 table rpki4;
2
roa6 table rpki6;
3

4

5
protocol rpki rpki_cloudflare {
6
    roa4 {
7
      table rpki4;
8
    };
9
    roa6 {
10
      table rpki6;
11
    };
12
    remote 172.65.0.2 port 8282;
13
    retry keep 5;
14
    refresh keep 30;
15
    expire 600;
16
    transport tcp;
17
}
18
define BOGON_ASNS = [
19
    0, # RFC 7607
20
    23456, # RFC 4893 AS_TRANS
21
    64496..64511, # RFC 5398 and documentation/example ASNs
22
#    64512..65534, # RFC 6996 Private ASNs 这里我们注释掉，但你在公网上不行！
23
    65535, # RFC 7300 Last 16 bit ASN
24
    65536..65551, # RFC 5398 and documentation/example ASNs
25
    65552..131071, # RFC IANA reserved ASNs
26
    4200000000..4294967294, # RFC 6996 Private ASNs
27
    4294967295 # RFC 7300 Last 32 bit ASN
28
];
29
define BOGON_PREFIXES_V4 = [
30
    0.0.0.0/8+, # RFC 1122 'this' network
31
    10.0.0.0/8+, # RFC 1918 private space
32
    100.64.0.0/10+, # RFC 6598 Carrier grade nat space
33
    127.0.0.0/8+, # RFC 1122 localhost
34
    169.254.0.0/16+, # RFC 3927 link local
35
    172.16.0.0/12+, # RFC 1918 private space
36
    192.0.2.0/24+, # RFC 5737 TEST-NET-1
37
    192.88.99.0/24{25,32}, # RFC 7526 deprecated 6to4 relay anycast. If you wish to allow this, change `24+` to `24{25,32}`(no more specific)
38
    192.168.0.0/16+, # RFC 1918 private space
39
    198.18.0.0/15+, # RFC 2544 benchmarking
40
    198.51.100.0/24+, # RFC 5737 TEST-NET-2
41
    203.0.113.0/24+, # RFC 5737 TEST-NET-3
42
    224.0.0.0/4+ # multicast
43
];
44
define BOGON_PREFIXES_V6 = [
45
    ::/8+, # RFC 4291 IPv4-compatible, loopback, et al
46
    0064:ff9b::/96+, # RFC 6052 IPv4/IPv6 Translation
47
    0064:ff9b:1::/48+, # RFC 8215 Local-Use IPv4/IPv6 Translation
48
    0100::/64+, # RFC 6666 Discard-Only
49
    2001::/32{33,128}, # RFC 4380 Teredo, no more specific
50
    2001:2::/48+, # RFC 5180 BMWG
51
    2001:10::/28+, # RFC 4843 ORCHID
52
#    2001:db8::/32+, # RFC 3849 documentation 这里我们注释掉，但你在公网上不行！
53
    2002::/16{17,128}, # RFC 7526 deprecated 6to4 relay anycast. If you wish to allow this, change `16+` to `16{17,128}`(no more specific)
54
    3ffe::/16+, 5f00::/8+, # RFC 3701 old 6bone
55
    fc00::/7+, # RFC 4193 unique local unicast
56
    fe80::/10+, # RFC 4291 link local unicast
57
    fec0::/10+, # RFC 3879 old site local unicast
58
    ff00::/8+ # RFC 4291 multicast
59
];

1
include "utils.conf";
2
function net_len_too_long() -> bool {
3
    case net.type {
4
        NET_IP4: return net.len > 24; # IPv4 CIDR 大于 /24 为太长
5
        NET_IP6: return net.len > 48; # IPv6 CIDR 大于 /48 为太长
6
        else: print "net_len_too_long: unexpected net.type ", net.type, " ", net; return false;
7
    }
8
}
9

10
function is_not_valid_prefix() -> bool {
11
    case net.type {
12
        NET_IP4: return net ~ BOGON_PREFIXES_V4;
13
        NET_IP6: return net ~ BOGON_PREFIXES_V6;
14
        else: print "is_not_valid_prefix: unexpected net.type ", net.type, " ", net; return false;
15
    }
16
}
17

18
function is_not_valid_asn() -> bool {
19
    if bgp_path ~ BOGON_ASNS then return true;
20
    return false;
21
}
22

23
function rpki_check() -> bool {
24
    if ( net.type = NET_IP4 && roa_check(rpki4, net, bgp_path.last) = ROA_INVALID ) then {
25
        return false;
26
    }
27
    else if ( net.type = NET_IP6 && roa_check(rpki6, net, bgp_path.last) = ROA_INVALID ) then {
28
        return false;
29
    }
30
    else {
31
        return true;
32
    }
33
}
34

35
include "irr.conf";
36

37
function import_filter_upstream() -> bool {
38
    if net_len_too_long() || is_not_valid_asn() || is_not_valid_prefix() then {
39
        print net, " invalid prefix, reject";
40
        return false;
41
    }
42
    if !rpki_check() then return false;
43
    bgp_large_community.add((114514,1,1)); # 添加区分 Community
44
    bgp_local_pref = 100; # 设置路由优先级为比较靠后
45
    return true;
46
}
47

48
function export_filter_upstream() -> bool {
49
    if net_len_too_long() || is_not_valid_asn() || is_not_valid_prefix() then {
50
        print net, " export invalid prefix, reject";
51
        return false;
52
    }
53
    if bgp_large_community ~ [(114514, 1, 3), (114514, 1, 4)] then return true;
54
    return false;
55
}
56

57
function import_filter_peer(string s_name) -> bool {
58
    if net_len_too_long() || is_not_valid_asn() || is_not_valid_prefix() then {
59
        print net, " invalid prefix, reject";
60
        return false;
61
    }
62
    if !rpki_check() then return false;
63
    if inet_irr_check(s_name) then {
64
        bgp_large_community.add((114514,1,2));
65
        bgp_local_pref = 200;
66
        return true;
67
    }
68
    return false;
69
}
70

71
function export_filter_peer() -> bool {
72
    if net_len_too_long() || is_not_valid_asn() || is_not_valid_prefix() then {
73
        print net, " export invalid prefix, reject";
74
        return false;
75
    }
76
    if bgp_large_community ~ [(114514, 1, 3), (114514, 1, 4)] then return true;
77
    return false;
78
}
79

80
function import_filter_downstream(string s_name) -> bool {
81
    if net_len_too_long() || is_not_valid_asn() || is_not_valid_prefix() then {
82
        print net, " invalid prefix, reject";
83
        return false;
84
    }
85
    if !rpki_check() then return false;
86
    if inet_irr_check(s_name) then {
87
        bgp_large_community.add((114514,1,4));
88
        bgp_local_pref = 400;
89
        return true;
90
    }
91
    return false;
92
}
93

94
function export_filter_downstream() -> bool {
95
    if net_len_too_long() || is_not_valid_asn() || is_not_valid_prefix() then {
96
        print net, " export invalid prefix, reject";
97
        return false;
98
    }
99
    if bgp_large_community ~ [(114514, 1, 1), (114514, 1, 2), (114514, 1, 3), (114514, 1, 4)] then return true;
100
    return false;
101
}

1
include "functions.conf";
2
log syslog all;
3
router id 1.1.1.1;
4
protocol device {
5
};
6
protocol kernel {
7
    ipv6 {
8
        export all;
9
    };
10
};
11

12
protocol static static_v6 {
13
    ipv6;
14
    route 2001:db8:1::/48 reject {bgp_large_community.add((65001,1,3));};
15
};
16

17
protocol bgp upstream {
18
    local fd00::1:1 as 65001;
19
    neighbor fd00::1:2 as 65002;
20
    direct;
21
    ipv6 {
22
        import where import_filter_downstream("AS65001");
23
        export where export_filter_downstream();
24
    };
25
    graceful restart;
26
};

1
include "functions.conf";
2
log syslog all;
3
router id 1.1.1.2;
4
protocol device {
5
};
6
protocol kernel {
7
    ipv6 {
8
        export all;
9
    };
10
};
11

12
protocol static static_v6 {
13
    ipv6;
14
    route 2001:db8:2::/48 reject {bgp_large_community.add((65002,1,3));};
15
};
16

17
protocol bgp upstream {
18
    local fd00::1:2 as 65002;
19
    neighbor fd00::1:1 as 65001;
20
    direct;
21
    ipv6 {
22
        import where import_filter_upstream();
23
        export where export_filter_upstream();
24
    };
25
    graceful restart;
26
};
27
protocol bgp peer {
28
    local fd00::2:1 as 65002;
29
    neighbor fd00::2:2 as 65003;
30
    direct;
31
    ipv6 {
32
        import where import_filter_peer("AS65003");
33
        export where export_filter_peer();
34
    };
35
    graceful restart;
36
};

1
include "functions.conf";
2
log syslog all;
3
router id 1.1.1.3;
4
protocol device {
5
};
6
protocol kernel {
7
    ipv6 {
8
        export all;
9
    };
10
};
11

12
protocol static static_v6 {
13
    ipv6;
14
    route 2001:db8:3::/48 reject {bgp_large_community.add((65003,1,3));};
15
};
16

17
protocol bgp peer {
18
    local fd00::2:2 as 65003;
19
    neighbor fd00::2:1 as 65002;
20
    direct;
21
    ipv6 {
22
        import where import_filter_peer("AS65002");
23
        export where export_filter_peer();
24
    };
25
    graceful restart;
26
};

结果

1
root@debian:~# birdc s r
2
BIRD 2.17.1 ready.
3
Table master6:
4
2001:db8:1::/48      unreachable [static_v6 13:08:09.860] * (200)
5
2001:db8:2::/48      unicast [upstream 13:09:27.800] * (100) [AS65002i]
6
  via fd00::1:2 on ens3
7
root@debian:~#

1
root@debian:~# birdc s r
2
BIRD 2.17.1 ready.
3
Table master6:
4
2001:db8:1::/48      unicast [upstream 13:09:27.861] * (100) [AS65001i]
5
  via fd00::1:1 on ens3
6
2001:db8:2::/48      unreachable [static_v6 13:04:01.157] * (200)
7
2001:db8:3::/48      unicast [peer 00:46:07.340] * (100) [AS65003i]
8
  via fd00::2:2 on ens4
9
root@debian:~#

1
root@debian:~# birdc s r
2
BIRD 2.17.1 ready.
3
Table master6:
4
2001:db8:2::/48      unicast [peer 00:47:21.551] * (100) [AS65002i]
5
  via fd00::2:1 on ens3
6
2001:db8:3::/48      unreachable [static_v6 00:44:32.293] * (200)
7
root@debian:~#

可以看到路由成功地被传递，并且没有泄露。