RPKI: Add a documentation
This commit is contained in:
parent
41f4b5940f
commit
cf2d812e9d
@ -3485,6 +3485,97 @@ protocol rip {
|
||||
}
|
||||
</code>
|
||||
|
||||
<sect>RPKI
|
||||
|
||||
<p>The Resource Public Key Infrastructure (RPKI) to Router Protocol (RFC 6810)
|
||||
is a simple but reliable mechanism to receive Resource Public Key
|
||||
Infrastructure (RFC 6480) prefix origin data from a trusted cache.
|
||||
|
||||
It is possible to configure only one cache server per protocol yet.
|
||||
|
||||
<code>
|
||||
protocol rpki [<name>] {
|
||||
roa table <name>;
|
||||
cache <ip> | "<domain>" {
|
||||
port <num>;
|
||||
ssh encryption {
|
||||
bird private key "</path/to/id_rsa>";
|
||||
cache public key "</path/to/known_host>";
|
||||
user "<name>";
|
||||
};
|
||||
};
|
||||
}
|
||||
</code>
|
||||
|
||||
<sect1>RPKI protocol options
|
||||
<descrip>
|
||||
<tag>roa table <m/name/</tag>
|
||||
Specifies the roa table into which will import the routes from cache.
|
||||
This option is required.
|
||||
|
||||
<tag>cache <m/ip/ | "<m/domain/" [ { <m/cache options.../ } ]</tag>
|
||||
Specifies a destination address of the cache server.
|
||||
Can be specified by an IP address or by full domain name.
|
||||
By default there is no encryption in transport.
|
||||
Only one cache can be specified per protocol.
|
||||
</descrip>
|
||||
|
||||
<sect1>Cache options
|
||||
<descrip>
|
||||
<tag>port <m/num/</tag>
|
||||
Specifies the port number.
|
||||
The default port number is 8282 for transpoert without any encryption
|
||||
and 22 for transport with SSH encryption.
|
||||
|
||||
<tag>ssh encryption { <m/ssh encryption options.../ }</tag>
|
||||
This enables a SSH encryption.
|
||||
</descrip>
|
||||
|
||||
<sect1>SSH encryption options
|
||||
<descrip>
|
||||
<tag>bird private key "<m///path/to/id_rsa"</tag>
|
||||
A path to the BIRD's private SSH key for authentication.
|
||||
It can be a <cf/id_rsa/ file.
|
||||
|
||||
<tag>cache public key "<m///path/to/known_host"</tag>
|
||||
A path to the cache's public SSH key for verification identity
|
||||
of the cache server. It could be a <cf/known_host/ file.
|
||||
|
||||
<tag>user "<m/name/"</tag>
|
||||
A SSH user name for authentication. This option is a required.
|
||||
</descrip>
|
||||
|
||||
<sect1>Examples
|
||||
<p>A simple configuration without transport encryption:
|
||||
<code>
|
||||
roa table my_roa_table;
|
||||
protocol rpki {
|
||||
debug all;
|
||||
roa table my_roa_table;
|
||||
|
||||
cache "rpki-validator.realmv6.org";
|
||||
}
|
||||
</code>
|
||||
|
||||
<p>A configuration using SSHv2 transport encryption:
|
||||
<code>
|
||||
roa table my_roa_table;
|
||||
protocol rpki {
|
||||
debug all;
|
||||
roa table my_roa_table;
|
||||
|
||||
cache 127.0.0.1 {
|
||||
port 2345;
|
||||
ssh encryption {
|
||||
bird private key "/home/birdgeek/.ssh/id_rsa";
|
||||
cache public key "/home/birdgeek/.ssh/known_hosts";
|
||||
user "birdgeek";
|
||||
};
|
||||
};
|
||||
}
|
||||
</code>
|
||||
|
||||
|
||||
|
||||
<sect>Static
|
||||
|
||||
|
@ -1 +1,6 @@
|
||||
C rpki.c
|
||||
S rpki.c
|
||||
S packets.c
|
||||
S rtr.c
|
||||
S transport.c
|
||||
S tcp_transport.c
|
||||
S ssh_transport.c
|
@ -483,7 +483,7 @@ rtr_check_receive_packet(struct rpki_cache *cache, void *pdu, const size_t len)
|
||||
struct rpki_proto *p = cache->p;
|
||||
int error = RTR_SUCCESS;
|
||||
|
||||
//header in hostbyte order, retain original received pdu, in case we need to detach it to an error pdu
|
||||
// header in hostbyte order, retain original received pdu, in case we need to detach it to an error pdu
|
||||
struct pdu_header header;
|
||||
memcpy(&header, pdu, sizeof(header));
|
||||
rtr_pdu_header_to_host_byte_order(&header);
|
||||
@ -495,7 +495,7 @@ rtr_check_receive_packet(struct rpki_cache *cache, void *pdu, const size_t len)
|
||||
return RTR_ERROR;
|
||||
}
|
||||
|
||||
// Do dont handle error PDUs here, leave this task to rtr_handle_error_pdu()
|
||||
// Do not handle error PDUs here, leave this task to rtr_handle_error_pdu()
|
||||
if (header.ver != rtr_socket->version && header.type != ERROR)
|
||||
{
|
||||
// If this is the first PDU we have received -> Downgrade.
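Review bot: `memcpy(&header, pdu, sizeof(header))` copies a fixed-size header out of a PDU received from the cache, and nothing in this hunk checks that `len` actually covers `sizeof(header)`; rtr_check_receive_packet starts before the hunk, so if no such guard exists earlier in the function, add `if (len < sizeof(header)) return RTR_ERROR;` ahead of the copy, as this is the first parse step on bytes arriving over the network (plain TCP by default, per the documentation added in this commit). The version-downgrade branch that follows is also cut off by the hunk; it is worth confirming it can only fire before any successful exchange and only to a version this implementation supports, since a peer controlling the header can otherwise steer the negotiation. The body of rtr_check_receive_packet continues outside the hunk.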
|
||||
|
@ -3,7 +3,7 @@
|
||||
*
|
||||
* (c) 2015 CZ.NIC
|
||||
*
|
||||
* Using RTRLib: http://rpki.realmv6.org/
|
||||
* Using RTRlib: http://rpki.realmv6.org/
|
||||
*
|
||||
* Can be freely distributed and used under the terms of the GNU GPL.
|
||||
*/
|
||||
@ -319,12 +319,12 @@ rpki_free_cache(struct rpki_cache *cache)
|
||||
mb_free(cache->rtr_socket->tr_socket);
|
||||
mb_free(cache->rtr_socket);
|
||||
|
||||
/* Timers */
|
||||
/* timers */
|
||||
tm_stop(cache->retry_timer);
|
||||
tm_stop(cache->refresh_timer);
|
||||
tm_stop(cache->expire_timer);
|
||||
|
||||
rfree(cache->retry_timer);
|
||||
|
||||
rfree(cache->refresh_timer);
|
||||
rfree(cache->expire_timer);
|
||||
|
||||
|
@ -3,7 +3,7 @@
|
||||
*
|
||||
* (c) 2015 CZ.NIC
|
||||
*
|
||||
* Using RTRLib: http://rpki.realmv6.org/
|
||||
* Using RTRlib: http://rpki.realmv6.org/
|
||||
*
|
||||
* Can be freely distributed and used under the terms of the GNU GPL.
|
||||
*/
|
||||
|
@ -76,7 +76,7 @@ rtr_purge_records_if_outdated(struct rpki_cache *cache)
|
||||
}
|
||||
|
||||
pfx_table_src_remove(cache);
|
||||
CACHE_TRACE(D_EVENTS, cache, "Remove outdated records from pfx_table");
|
||||
CACHE_TRACE(D_EVENTS, cache, "All ROA records from %s expired", get_cache_ident(cache));
|
||||
rtr_socket->request_session_id = true;
|
||||
rtr_socket->serial_number = 0;
|
||||
rtr_socket->last_update = 0;
|
||||
@ -288,7 +288,7 @@ rpki_refresh_hook(struct timer *tm)
|
||||
|
||||
case RTR_CONNECTING:
|
||||
case RTR_SYNC:
|
||||
/* Wait small amout of time to transite state */
|
||||
/* Wait a small amount of time to the end of transitive state */
|
||||
tm_start(tm, 1);
|
||||
break;
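Review bot: The expiry path in rtr_purge_records_if_outdated drops every ROA learned from this cache (`pfx_table_src_remove(cache)`) and then resets the session fields, but nothing around the reworded trace line says what this means for routes that were validated against those records; a why-comment above the call would help, e.g. `/* Expire interval elapsed: discard all ROAs from this cache and restart from a fresh session on the next sync (request_session_id/serial reset). */`. Whether dropping the records moves affected routes to an "unknown" validation state is inferred from the removal rather than shown here, so confirm it against the ROA table semantics before adding that to the wording. Both functions in this section start outside their hunks.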
|
||||
|
||||
|