-rw-r--r--tnet/files/knot/bird-tnet.conf29
-rw-r--r--tnet/host_vars/knot/bird.yml4
-rw-r--r--tnet/host_vars/knot/wg.yml4
-rw-r--r--tnet/keys/wg-knot-routedbits_lon1.pub1
-rw-r--r--tnet/keys/wg-knot-routedbits_lon1.sops.key28
-rw-r--r--tnet/keys/wg-routedbits_lon1-knot.pub1
-rw-r--r--tnet/templates/bird-tnet.conf.j238
7 files changed, 104 insertions, 1 deletions
diff --git a/tnet/files/knot/bird-tnet.conf b/tnet/files/knot/bird-tnet.conf
index fcecc19..bb76fe8 100644
--- a/tnet/files/knot/bird-tnet.conf
+++ b/tnet/files/knot/bird-tnet.conf
@@ -47,3 +47,32 @@ protocol bgp tnet_node2 from tnet_tpl {
rr client;
}
+
+protocol bgp routedbits_lon1 {
+ local as 4242423538;
+ neighbor fe80::207
+ neighbor as 4242420207;
+
+ ipv6 {
+ import filter {
+ if dn42_is_valid_network() && !is_tnet() then {
+ # Check when unknown or invalid according to ROA
+ if (roa_check(dn42_roa, net, bgp_path.last) == ROA_VALID) then {
+ accept;
+ } else {
+ print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
+ reject;
+ }
+ } else {
+ reject;
+ }
+ }
+ export filter {
+ if dn42_is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then {
+ accept;
+ } else {
+ reject;
+ }
+ }
+ }
+}
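Review bot: The `neighbor fe80::207` line has no terminating semicolon, so the following `neighbor as 4242420207;` is read as a continuation of the same statement and BIRD will refuse to load this file; the same omission is in the template's `neighbor {{ peer.address }}` line, so the rendered config fails the same way. Change it to `neighbor fe80::207;` (and in the template `neighbor {{ peer.address }};`). The address is link-local and neither this file nor the routedbits_lon1 entry in host_vars/knot/bird.yml names an interface, so the template's optional `interface` block will not be emitted either; as far as I recall BIRD requires an interface for a link-local neighbor, so this is worth confirming against the running version. Separately, the export filter accepts any RTS_STATIC/RTS_BGP route matching `dn42_is_valid_network()` without the `!is_tnet()` exclusion that the import side applies; if the tnet prefixes fall inside dn42 space, routes learned over the internal rr mesh would be announced to this external peer, so `if dn42_is_valid_network() && !is_tnet() && source ~ [RTS_STATIC, RTS_BGP] then {` is probably the intended condition.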
diff --git a/tnet/host_vars/knot/bird.yml b/tnet/host_vars/knot/bird.yml
index 0c1d73b..d995a46 100644
--- a/tnet/host_vars/knot/bird.yml
+++ b/tnet/host_vars/knot/bird.yml
@@ -5,3 +5,7 @@ tnet_bird_peers:
rr_client: true
node2:
rr_client: true
+ routedbits_lon1:
+ policy: dn42
+ as: 4242420207
+ address: fe80::207
diff --git a/tnet/host_vars/knot/wg.yml b/tnet/host_vars/knot/wg.yml
index 6fe932e..6536d9c 100644
--- a/tnet/host_vars/knot/wg.yml
+++ b/tnet/host_vars/knot/wg.yml
@@ -26,3 +26,7 @@ tnet_wg:
node2:
port: 51008
address: fe80:9dd8:abac:cf05:aea3:dc03:4c74:32da
+ routedbits_lon1:
+ port: 51009
+ address: fe80:fc91:da95:dc6b:621b:7ccf:ff44:c42c
+ endpoint: router.lon1.routedbits.com:53538
diff --git a/tnet/keys/wg-knot-routedbits_lon1.pub b/tnet/keys/wg-knot-routedbits_lon1.pub
new file mode 100644
index 0000000..4be8cef
--- /dev/null
+++ b/tnet/keys/wg-knot-routedbits_lon1.pub
@@ -0,0 +1 @@
+x/cvEG6uyatJEao1ob2aPGi7QGqY+2ShdtB/FTGlmAs= 
\ No newline at end of file
diff --git a/tnet/keys/wg-knot-routedbits_lon1.sops.key b/tnet/keys/wg-knot-routedbits_lon1.sops.key
new file mode 100644
index 0000000..e40eba9
--- /dev/null
+++ b/tnet/keys/wg-knot-routedbits_lon1.sops.key
@@ -0,0 +1,28 @@
+{
+ "data": "ENC[AES256_GCM,data:u95NnCXihKwyPP/ZujqZlCMgTI7j5DmTaFqrDa9Y3yc2uNystrCqdSqHZIQ=,iv:U6pvVRkDNx392kh3ofdfUVQ5Sf9hwa/HKNukkG5BvWg=,tag:Kb+uplrA41vB/FefskN5bA==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmYy9GNDJWVkQ4MFpMQkFG\nRHZhemFySDFQUy9jR0ZaUkpXcTVNSkFid3p3ClZ0azRFUW82UjFyckNoM0RRNUhm\nMUpyNG04RVROQ0NibDRwb2ZxanYyMWMKLS0tIGVXdVJ2a1g1SU5LcFNMY1hVUU5X\nV0VYZ2pLNHpyUWEwSHJnTEdaWDFnV1UKi1U6BjgEjQT9KOMLajdDViKmb4XBSj1+\noTmdC1ZV2B4a/tlwRQjO0Rr3UoprPy+s4sKDIJNpbz9RcqxSU/voig==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBodGhUSnZZS0FpY1VqV0g3\nYVV0VW5OQUptckx1dVAwZjNLUHdtU3Q0S1dFCnh3RWlieU50a2c4SnRFYkFWcGNC\nOERSdG15VnQ4ZVZDZ3ErTW1nWGJQRVkKLS0tIHJPM3h6bEtwMGI3SGdHTFJiWFoy\nQUVGRm9JZzYwRkdmT0QzdUY5Z3F4V2cK7JhYdWfI3/PRKCyNCTbLj6gm9OkbkNzR\nVtLStGD0goqVNo1rpMecZxSqsypJgTmypbFl6tYClNKp5Ti33ptXqA==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSzJ3cm45MXF0TEFPUHds\nVG9aSmd5REFweDdIbURhbU9HYmxURWV5WEhrCitXaFAvRFJ5eGk2cVB1YXAwRDNj\nMnFOaXFWd1VCdEl3SThqQ2N4U0pValUKLS0tIGdPK01VbFJac2JMMVlvWHNSd3lI\nbzVWRmZJTEpQamQ0Y2xXdk9aN3VPTTAKRtaOSu5GSw6lxG7ogYTx9AilqdeEcYGb\ngrWXPYPNfs7ePcItFSUiDiuS38eXpKCdfqjZmekBCxGCJQnuhMZZ6A==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2024-06-16T20:30:33Z",
+ "mac": "ENC[AES256_GCM,data:SIbpVs2mmMlp8mfPr0vXI8ZSENuwIAslEcZHfFg7YfC9gcEHHFYq/ngeB62/8YBcOsYnhO9Sip3VvEg2MsdQe6if8asew67D0udPATrfHRhk55PIxLLb1DszlI8edAhH7PzcNRFSYy72mKvxK2eDeDw71sfBr73254jD6ud699s=,iv:6RUG4ZUGXWpV2CYGgFVI6SRSZRzNbNNQlbwLb0TS15c=,tag:KY0WAn+rW/xJjBUpHPq1Tw==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.3"
+ }
+} 
\ No newline at end of file
diff --git a/tnet/keys/wg-routedbits_lon1-knot.pub b/tnet/keys/wg-routedbits_lon1-knot.pub
new file mode 100644
index 0000000..dd12e17
--- /dev/null
+++ b/tnet/keys/wg-routedbits_lon1-knot.pub
@@ -0,0 +1 @@
+vlqNoUSJ4T2sORBHusdwr9rCtQfdsIJvjV3Y/qBUcgY=
diff --git a/tnet/templates/bird-tnet.conf.j2 b/tnet/templates/bird-tnet.conf.j2
index 57e557a..b11bf0c 100644
--- a/tnet/templates/bird-tnet.conf.j2
+++ b/tnet/templates/bird-tnet.conf.j2
@@ -27,13 +27,49 @@ template bgp tnet_tpl {
};
}
{% for p in tnet_bird_peers|default([])|sort %}
+{% set peer = tnet_bird_peers[p] %}
+{% set policy = peer.policy | default("tnet") %}
+{% if policy == "tnet" %}
protocol bgp tnet_{{ p }} from tnet_tpl {
neighbor {{ hostvars[p].tnet_wg[inventory_hostname].address }};
interface "tnet-{{ p }}";
-{% if tnet_bird_peers[p].rr_client|default(False) %}
+{% if peer.rr_client|default(False) %}
rr client;
{% endif %}
}
+{% elif policy == "dn42" %}
+protocol bgp {{ p }} {
+ local as 4242423538;
+ neighbor {{ peer.address }}
+ neighbor as {{ peer.as }};
+{% if peer.interface is defined %}
+ interface "{{ peer.interface }}";
+{% endif %}
+
+ ipv6 {
+ import filter {
+ if dn42_is_valid_network() && !is_tnet() then {
+ # Check when unknown or invalid according to ROA
+ if (roa_check(dn42_roa, net, bgp_path.last) == ROA_VALID) then {
+ accept;
+ } else {
+ print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
+ reject;
+ }
+ } else {
+ reject;
+ }
+ }
+ export filter {
+ if dn42_is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then {
+ accept;
+ } else {
+ reject;
+ }
+ }
+ }
+}
+{% endif %}
{% endfor %}
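Review bot: The policy dispatch has no `{% else %}` branch, so a peer whose `policy` is misspelled (anything other than "tnet" or "dn42") silently renders no protocol at all and the session just never comes up. Adding `{% else %}{{ undefined_policy_for_peer_(p) }}{% endif %}` or a comparable failing expression would turn that into a render-time error instead of a quiet omission. The local ASN `4242423538` is also hard-coded in the dn42 branch while the rest of the peer parameters come from `tnet_bird_peers`; a variable for it would keep the template and the hand-written bird-tnet.conf from drifting. The `print` in the import filter emits one log line per rejected route, which can get noisy on a full dn42 table — consider dropping it once the peering is verified.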