From ce31caee6ce414fd3abd3b323b5ccfeda6733986 Mon Sep 17 00:00:00 2001 From: Trygve Laugstøl Date: Wed, 17 Jul 2024 20:38:43 +0200 Subject: routedbits --- tnet/files/knot/bird-tnet.conf | 29 +++++++++++++++++++++++ tnet/host_vars/knot/bird.yml | 4 ++++ tnet/host_vars/knot/wg.yml | 4 ++++ tnet/keys/wg-knot-routedbits_lon1.pub | 1 + tnet/keys/wg-knot-routedbits_lon1.sops.key | 28 ++++++++++++++++++++++ tnet/keys/wg-routedbits_lon1-knot.pub | 1 + tnet/templates/bird-tnet.conf.j2 | 38 +++++++++++++++++++++++++++++- 7 files changed, 104 insertions(+), 1 deletion(-) create mode 100644 tnet/keys/wg-knot-routedbits_lon1.pub create mode 100644 tnet/keys/wg-knot-routedbits_lon1.sops.key create mode 100644 tnet/keys/wg-routedbits_lon1-knot.pub (limited to 'tnet') diff --git a/tnet/files/knot/bird-tnet.conf b/tnet/files/knot/bird-tnet.conf index fcecc19..bb76fe8 100644 --- a/tnet/files/knot/bird-tnet.conf +++ b/tnet/files/knot/bird-tnet.conf @@ -47,3 +47,32 @@ protocol bgp tnet_node2 from tnet_tpl { rr client; } + +protocol bgp routedbits_lon1 { + local as 4242423538; + neighbor fe80::207 + neighbor as 4242420207; + + ipv6 { + import filter { + if dn42_is_valid_network() && !is_tnet() then { + # Check when unknown or invalid according to ROA + if (roa_check(dn42_roa, net, bgp_path.last) == ROA_VALID) then { + accept; + } else { + print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last; + reject; + } + } else { + reject; + } + } + export filter { + if dn42_is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then { + accept; + } else { + reject; + } + } + } +} diff --git a/tnet/host_vars/knot/bird.yml b/tnet/host_vars/knot/bird.yml index 0c1d73b..d995a46 100644 --- a/tnet/host_vars/knot/bird.yml +++ b/tnet/host_vars/knot/bird.yml @@ -5,3 +5,7 @@ tnet_bird_peers: rr_client: true node2: rr_client: true + routedbits_lon1: + policy: dn42 + as: 4242420207 + address: fe80::207 diff --git a/tnet/host_vars/knot/wg.yml b/tnet/host_vars/knot/wg.yml index 6fe932e..6536d9c 100644 
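Review bot: The new protocol at the end of the hunk declares a link-local neighbor, `neighbor fe80::207`, without any interface, and that line also appears to lack its terminating semicolon before `neighbor as 4242420207;` (possibly a reformatting artefact, but the same text appears in the bird-tnet.conf.j2 hunk, whose `interface` line is only rendered when `peer.interface` is defined, and the new `routedbits_lon1` entry in host_vars/knot/bird.yml sets no `interface:`). BIRD cannot resolve an fe80:: peer without knowing the interface, so as written the session is unlikely to establish; `neighbor fe80::207;` followed by `interface "tnet-routedbits_lon1";` would follow the convention the tnet peers already use, assuming the WireGuard interface for the new `tnet_wg` entry is named `tnet-<peer>` like the others. Since this is an external dn42 session rather than an internal tnet one, an `import limit` on the `ipv6` channel would also bound how many prefixes the peer can inject. A one-line comment on the export filter stating that `RTS_BGP` routes learned from other peers are intentionally re-exported (the import side excludes `is_tnet()` routes, the export side does not) would make the intended policy explicit.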
--- a/tnet/host_vars/knot/wg.yml
+++ b/tnet/host_vars/knot/wg.yml
@@ -26,3 +26,7 @@ tnet_wg:
 node2:
 port: 51008
 address: fe80:9dd8:abac:cf05:aea3:dc03:4c74:32da
+ routedbits_lon1:
+ port: 51009
+ address: fe80:fc91:da95:dc6b:621b:7ccf:ff44:c42c
+ endpoint: router.lon1.routedbits.com:53538
diff --git a/tnet/keys/wg-knot-routedbits_lon1.pub b/tnet/keys/wg-knot-routedbits_lon1.pub
new file mode 100644
index 0000000..4be8cef
--- /dev/null
+++ b/tnet/keys/wg-knot-routedbits_lon1.pub
@@ -0,0 +1 @@
+x/cvEG6uyatJEao1ob2aPGi7QGqY+2ShdtB/FTGlmAs=
\ No newline at end of file
diff --git a/tnet/keys/wg-knot-routedbits_lon1.sops.key b/tnet/keys/wg-knot-routedbits_lon1.sops.key
new file mode 100644
index 0000000..e40eba9
--- /dev/null
+++ b/tnet/keys/wg-knot-routedbits_lon1.sops.key
@@ -0,0 +1,28 @@
+{
+ "data": "ENC[AES256_GCM,data:u95NnCXihKwyPP/ZujqZlCMgTI7j5DmTaFqrDa9Y3yc2uNystrCqdSqHZIQ=,iv:U6pvVRkDNx392kh3ofdfUVQ5Sf9hwa/HKNukkG5BvWg=,tag:Kb+uplrA41vB/FefskN5bA==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age13wv3rp0varlg4nvt3tca48fq8u9q3mc6yfdekjeapcmc7kaq4dysrzcmv3",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmYy9GNDJWVkQ4MFpMQkFG\nRHZhemFySDFQUy9jR0ZaUkpXcTVNSkFid3p3ClZ0azRFUW82UjFyckNoM0RRNUhm\nMUpyNG04RVROQ0NibDRwb2ZxanYyMWMKLS0tIGVXdVJ2a1g1SU5LcFNMY1hVUU5X\nV0VYZ2pLNHpyUWEwSHJnTEdaWDFnV1UKi1U6BjgEjQT9KOMLajdDViKmb4XBSj1+\noTmdC1ZV2B4a/tlwRQjO0Rr3UoprPy+s4sKDIJNpbz9RcqxSU/voig==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1mvh832crygenu5tu5njtraraet656rzwnawuasjggvs999dc9ueqj9qclw",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBodGhUSnZZS0FpY1VqV0g3\nYVV0VW5OQUptckx1dVAwZjNLUHdtU3Q0S1dFCnh3RWlieU50a2c4SnRFYkFWcGNC\nOERSdG15VnQ4ZVZDZ3ErTW1nWGJQRVkKLS0tIHJPM3h6bEtwMGI3SGdHTFJiWFoy\nQUVGRm9JZzYwRkdmT0QzdUY5Z3F4V2cK7JhYdWfI3/PRKCyNCTbLj6gm9OkbkNzR\nVtLStGD0goqVNo1rpMecZxSqsypJgTmypbFl6tYClNKp5Ti33ptXqA==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1teasctdpkatekpsa47q58d3ugwyyqcuj5v9udtusk7ca9sfv694sw057a5",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHSzJ3cm45MXF0TEFPUHds\nVG9aSmd5REFweDdIbURhbU9HYmxURWV5WEhrCitXaFAvRFJ5eGk2cVB1YXAwRDNj\nMnFOaXFWd1VCdEl3SThqQ2N4U0pValUKLS0tIGdPK01VbFJac2JMMVlvWHNSd3lI\nbzVWRmZJTEpQamQ0Y2xXdk9aN3VPTTAKRtaOSu5GSw6lxG7ogYTx9AilqdeEcYGb\ngrWXPYPNfs7ePcItFSUiDiuS38eXpKCdfqjZmekBCxGCJQnuhMZZ6A==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2024-06-16T20:30:33Z",
+ "mac": "ENC[AES256_GCM,data:SIbpVs2mmMlp8mfPr0vXI8ZSENuwIAslEcZHfFg7YfC9gcEHHFYq/ngeB62/8YBcOsYnhO9Sip3VvEg2MsdQe6if8asew67D0udPATrfHRhk55PIxLLb1DszlI8edAhH7PzcNRFSYy72mKvxK2eDeDw71sfBr73254jD6ud699s=,iv:6RUG4ZUGXWpV2CYGgFVI6SRSZRzNbNNQlbwLb0TS15c=,tag:KY0WAn+rW/xJjBUpHPq1Tw==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.3"
+ }
+}
\ No newline at end of file
diff --git a/tnet/keys/wg-routedbits_lon1-knot.pub b/tnet/keys/wg-routedbits_lon1-knot.pub
new file mode 100644
index 0000000..dd12e17
--- /dev/null
+++ b/tnet/keys/wg-routedbits_lon1-knot.pub
@@ -0,0 +1 @@
+vlqNoUSJ4T2sORBHusdwr9rCtQfdsIJvjV3Y/qBUcgY=
diff --git a/tnet/templates/bird-tnet.conf.j2 b/tnet/templates/bird-tnet.conf.j2
index 57e557a..b11bf0c 100644
--- a/tnet/templates/bird-tnet.conf.j2
+++ b/tnet/templates/bird-tnet.conf.j2
@@ -27,13 +27,49 @@ template bgp tnet_tpl { }; } {% for p in tnet_bird_peers|default([])|sort %} +{% set peer = tnet_bird_peers[p] %} +{% set policy = peer.policy | default("tnet") %} +{% if policy == "tnet" %} protocol bgp tnet_{{ p }} from tnet_tpl { neighbor {{ hostvars[p].tnet_wg[inventory_hostname].address }}; interface "tnet-{{ p }}"; -{% if tnet_bird_peers[p].rr_client|default(False) %} +{% if peer.rr_client|default(False) %} rr client; {% endif %} } +{% elif policy == "dn42" %} +protocol bgp {{ p }} { + local as 4242423538; + neighbor {{ peer.address }} + neighbor as {{ peer.as }}; +{% if peer.interface is defined %} + interface "{{ peer.interface }}"; +{% endif %} + + ipv6 { + import filter { + if dn42_is_valid_network() && !is_tnet() then { + # Check when unknown or invalid according to ROA + if (roa_check(dn42_roa, net, bgp_path.last) == ROA_VALID) then { + accept; + } else { + print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last; + reject; + } + } else { + reject; + } + } + export filter { + if dn42_is_valid_network() && source ~ [RTS_STATIC, RTS_BGP] then { + accept; + } else { + reject; + } + } + } +} +{% endif %} {% endfor %} -- cgit v1.2.3
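Review bot: A peer whose `policy` is neither `tnet` nor `dn42` is silently dropped from the rendered config, because the `{% if policy == "tnet" %} … {% elif policy == "dn42" %}` chain has no `{% else %}`; a misspelt value in host_vars would remove a BGP session without any rendering error. I would add an `{% else %}` branch that emits a deliberately invalid token such as `UNKNOWN_POLICY_{{ policy }}_FOR_{{ p }}` (constructed example) so that `bird -p` rejects the file instead. The dn42 branch also hard-codes `local as 4242423538;` while every other attribute of the peer comes from `tnet_bird_peers`; sourcing it from a host variable (e.g. `local as {{ tnet_local_as }};`, name to be chosen) keeps the template reusable across hosts. Finally the dn42 protocol is named bare `{{ p }}` whereas tnet peers are `tnet_{{ p }}`; a `dn42_{{ p }}` prefix avoids clashes with other protocol names and makes the policy visible in `birdc show protocols`.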