mirror of
https://gitlab.nic.cz/labs/bird.git
synced 2025-01-11 03:21:53 +00:00
276 lines
9.5 KiB
Plaintext
1. BGPSEC tar ball
2. Installation Instructions:
3. BIRD run time configuration
4. Getting RPKI-RTR data (ROA's and Router Keys)
5. License(s)

1. BGPSEC patch

This code adds BGPSEC capability to the BIRD BGP implementation.

This has only been tested on Linux machines. It is in an Alpha release
and ***should not be considered for production systems***. The basic
BGPSEC protocol is supported with several notable exceptions: more
than one signature block (for algorithm rollover), confederations, and
bugs we have not seen yet.

For information on BGPSEC see the Internet Engineering Task Force
(IETF) Secure Inter-Domain Routing (SIDR) working group page and
specifically the draft describing the BGPSEC protocol:

  https://datatracker.ietf.org/wg/sidr/
  https://datatracker.ietf.org/doc/draft-ietf-sidr-bgpsec-protocol/

This code is based on v1.5.0 of the BIRD software. Information
about BIRD, including download instructions, can be found at:

  http://bird.network.cz/

2. Installation Instructions:

General Instructions

Building BGPSEC enabled bird

This describes building bird with BGPSEC support turned on, which
requires a few steps.

Contents

  2.1 Dependencies
    2.1.1 Use An OpenSSL version that supports ECDSA (Elliptic
          Curve Digital Signature Algorithm)
  2.2 Building Bird
    2.2.1 Configuring and Compiling
  2.3 Testing
  2.4 Using It
  2.5 Coding For It

2.1 Dependencies

On Fedora, you'll want the flex, bison, and readline-devel packages.

2.1.1 Use an OpenSSL version that supports ECDSA (Elliptic Curve
Digital Signature Algorithm)

The default OpenSSL distributed by some Linux vendors does not include
elliptic curve support. If your distribution does not support
elliptic curves in its OpenSSL libraries, you'll need to grab a fresh
copy and compile it by hand. You may want to install it in a location
separate from the normally installed package. Use the --prefix option
to do this:

  # ./config --prefix=/usr/local/openssl-ecdsa

Then run make and make install.

2.2 Building Bird

Configuring and Compiling

If you are using the patch, download BIRD bird-1.4.5.tar.gz from
http://bird.network.cz/

  # tar xvjpf bird-1.5.0-bgpsec-0.7.tar.bz2
  # cd bird-1.5.0-bgpsec-0.7/

Build it.

First rebuild configure (configure.in was changed by the patch):

  # autoconf

Then use configure flags that look something like the following. If a
version of OpenSSL that supports ECDSA had to be installed in a
non-standard location on your platform, it will be necessary to add
something like '-I/path/to/openssl-ecdsa/include' and
'-L/path/to/openssl-ecdsa/lib' options to the configure command.

  # ./configure '--enable-bgpsec'

Then run make and you should be good to go.

2.3 Using It

You can create key pairs using the proto/bgp/bgpsec/keytool.py
script. For example:

  # proto/bgp/bgpsec/keytool.py --printski --public-key-dir /usr/share/bird/bgpsec-keys --private-key-dir /usr/share/bird/bgpsec-private-keys generate 'ASN'
  40C70252FE48D29401E9156ADBECF3EF42296AE4

where ASN is the AS number for the key you are generating.

The generated public key is stored in '--public-key-dir' (default
/usr/share/bird/bgpsec-keys) and the private key is stored in
'--private-key-dir' (default /usr/share/bird/bgpsec-private-keys).
The file names are based on the AS number and the SKI value associated
with the keys, 'ASN.SKI', e.g. for an ASN of 12345,
12345.40C70252FE48D29401E9156ADBECF3EF42296AE4.

The public key can be copied to other machines and placed in the same
public key directory without the private key. Likewise, keys from
other routers can be placed into the public key directory, with their
ASN/SKI identifying the file names, in order for the validation
routines to look them up.

NOTE: in the future, the rpki-rtr protocol could be used instead to
pull router keys. For example, BGPSEC-BIRD-Client is a tool that can
pull router keys from an RPKI cache using the rpki-rtr protocol.

2.4 Coding For It

The API for use in validating data can be found in
proto/bgp/bgpsec/validate.h. Most importantly, these two functions
will be of the most use:

  int bgpsec_sign_data_with_ski(...);
  int bgpsec_verify_signature_with_ski(...);

They sign and verify data simply by passing the data along with an
SKI in ASCII/hex form and an ASN integer (in reality, the SKI is just
part of the file name from above, so as long as it can be stored in a
file name it's usable).

The algorithm option should be set to
BGPSEC_ALGORITHM_SHA256_ECDSA_P_256 or BGPSEC_DEFAULT_CURVE.

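Sections 2.3 and 2.4 both turn on the same detail: a router key is found by building an 'ASN.SKI' file name, and the SKI that selects the file arrives from the peer. The following Python is an added example, not keytool.py or any code from the BIRD BGPSEC patch. It parses a DER SubjectPublicKeyInfo to derive the SKI (assumed here to be the SHA-1 of the subjectPublicKey BIT STRING payload, the RFC 6487/RFC 8208 router-certificate convention; the page does not show how keytool.py computes it), stores and looks up keys under the 'ASN.SKI' convention, and refuses to turn anything other than a 40-hex-digit SKI and a 32-bit ASN into a path. The on-disk key format, the sample key bytes and all function names are assumptions.

```python
"""Public-key directory helper for the 'ASN.SKI' file naming convention.

Added example, not code from the BIRD BGPSEC patch. Assumptions:
  - public keys are stored one per file as DER SubjectPublicKeyInfo (the
    patch's real on-disk format is not stated in the README);
  - the SKI is the SHA-1 of the subjectPublicKey BIT STRING payload, the
    RFC 6487 / RFC 8208 router-certificate convention (keytool.py's own
    computation is not shown);
  - every function name below is hypothetical.
"""
import hashlib
import os
import re
import tempfile

# Exactly 40 hex digits: the only form of SKI allowed near a file name.
SKI_RE = re.compile(r"[0-9A-Fa-f]{40}")

def _tlv(buf, i):
    """Decode the DER tag/length at offset i; return (tag, value_start, value_end)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, i, i + length

def public_key_bits(spki_der):
    """Return the raw subjectPublicKey bytes from a DER SubjectPublicKeyInfo."""
    tag, start, end = _tlv(spki_der, 0)                   # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30 or end != len(spki_der):
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    tag, _, alg_end = _tlv(spki_der, start)                # AlgorithmIdentifier ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, bits_start, bits_end = _tlv(spki_der, alg_end)    # subjectPublicKey BIT STRING
    if tag != 0x03 or bits_end != end or spki_der[bits_start] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    return spki_der[bits_start + 1:bits_end]               # skip the unused-bits octet

def ski_hex(spki_der):
    """SKI as upper-case hex: SHA-1 over the BIT STRING payload (assumed convention)."""
    return hashlib.sha1(public_key_bits(spki_der)).hexdigest().upper()

def key_filename(asn, ski):
    """Build 'ASN.SKI'. The SKI comes from the peer's BGPSEC_Path, so it is
    validated strictly before it can become part of a filesystem path."""
    if not isinstance(asn, int) or not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError("ASN must be a 32-bit AS number")
    if not SKI_RE.fullmatch(ski):
        raise ValueError("SKI must be exactly 40 hex digits")
    return f"{asn}.{ski.upper()}"

def store_public_key(repo, asn, spki_der):
    """Write a router public key under its ASN.SKI name; return the SKI."""
    ski = ski_hex(spki_der)
    with open(os.path.join(repo, key_filename(asn, ski)), "wb") as f:
        f.write(spki_der)
    return ski

def load_public_key(repo, asn, ski):
    """Look up a peer's key by (ASN, SKI) as a validator would; None if absent."""
    try:
        with open(os.path.join(repo, key_filename(asn, ski)), "rb") as f:
            return f.read()
    except FileNotFoundError:
        return None

# Constructed sample: a P-256 SubjectPublicKeyInfo whose 65-byte point is
# filler (0x04 followed by 0..63), not a real curve point; enough for parsing.
SAMPLE_POINT = b"\x04" + bytes(range(64))
SAMPLE_SPKI = (
    b"\x30\x59"                                    # SEQUENCE, 89 bytes
    b"\x30\x13"                                    #   AlgorithmIdentifier, 19 bytes
    b"\x06\x07\x2a\x86\x48\xce\x3d\x02\x01"        #     id-ecPublicKey
    b"\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07"    #     prime256v1
    b"\x03\x42\x00" + SAMPLE_POINT                 #   BIT STRING, 0 unused bits
)

def demo(asn=12345):
    """Round-trip through a temporary key directory; return what happened."""
    with tempfile.TemporaryDirectory(prefix="bgpsec-keys-") as repo:
        ski = store_public_key(repo, asn, SAMPLE_SPKI)
        found = load_public_key(repo, asn, ski) == SAMPLE_SPKI
        absent = load_public_key(repo, asn, "0" * 40) is None
        try:                                   # a traversal-shaped "SKI" never becomes a path
            key_filename(asn, "../../etc/passwd")
            rejected = False
        except ValueError:
            rejected = True
    return {"ski": ski, "found": found, "absent": absent, "rejected": rejected}

if __name__ == "__main__":
    print(demo())
```

The strict regular expression is the point: whatever the real lookup code does with the SKI string, a peer must not be able to steer the validator to a file outside the key directory, and a malformed SKI should fail closed (no key found, signature invalid) rather than be partially interpreted.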
3. BIRD run time configuration

The BGPSEC implementation currently has several additional
configuration options for the configuration file. The following is an
example bgp section from a BIRD configuration file supporting BGPSEC:

protocol bgp {
    # BGPsec configuration

    # AS4 is required for BGPSEC, this must be enabled
    enable as4;

    # enable bgpsec for this connection
    bgpsec on;

    # The local BIRD router subject key identifier (SKI) for this
    # connection. 'bgpsec_ski' identifies the (private) key that
    # the local BIRD router should use to sign BGPSEC packets on
    # this connection.
    bgpsec_ski "8CA56CF0A4D943ACCEB9CB67967561CA8A773B73";

    # The local directory paths for the public router key and private
    # key storage. The defaults are below:
    bgpsec_key_repo_path "/usr/share/bird/bgpsec-keys/";
    bgpsec_priv_key_path "/usr/share/bird/bgpsec-private-keys";

    # bgpsec_no_pcount0 controls whether a peer may set its pcount
    # to 0. Default is true (a pcount of 0 is not accepted). Set this
    # value to false/0 if you want to allow your peer to not have
    # their AS included in the effective AS_PATH of a route (e.g.
    # Route Servers).
    bgpsec_no_pcount0 1;

    # bgpsec_prefer indicates whether validly signed bgpsec
    # routes are preferred to non-valid and/or non-signed
    # routes. Default is true. This decision is made after the
    # local pref and before the as_path comparison in the best
    # route selection algorithm.
    bgpsec_prefer 1;

    # bgpsec_require indicates whether bgpsec signed routes are
    # required on this connection. If true, non-signed routes
    # will not be accepted. Default is false.
    bgpsec_require 0;

    # bgpsec_no_invalid_routes indicates whether invalid routes are
    # accepted. If true, routes that fail the BGPsec validity
    # check are not accepted. Default is false.
    bgpsec_no_invalid_routes 0;


    # Non BGPsec configuration

    description "BGP Link";
    local as 64521;

    neighbor 172.16.1.2 as 64522;
    gateway direct;

    path metric 1;          # prefer shorter paths
    default bgp_med 0;      # when none is available

    password "demonet";
}

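The four policy knobs above interact: bgpsec_require, bgpsec_no_invalid_routes and bgpsec_no_pcount0 decide whether a route is accepted at all, while bgpsec_prefer only changes the ranking of routes that survive, and it sits between local preference and AS_PATH length. The Python below is an added model of exactly those steps, not BIRD code; it leaves out the rest of BIRD's best-route algorithm (MED, origin, IGP metric and so on), uses constructed sample routes, and every name in it is hypothetical. It shows the outcome a defender should expect from each setting, including the case where the defaults let an unsigned route with a higher local preference beat a validly signed one.

```python
"""Model of the BGPsec knobs from the example configuration:
bgpsec_require, bgpsec_no_invalid_routes and bgpsec_no_pcount0 act as
import filters; bgpsec_prefer is a tie-break placed after local
preference and before AS_PATH length, as the configuration comments say.

Added example, not BIRD code. Only the steps named in the README are
modelled; all other best-route steps are omitted and names are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional

VALID, INVALID, UNSIGNED = "valid", "invalid", "unsigned"

@dataclass(frozen=True)
class PeerConfig:
    bgpsec_require: bool = False            # README default: false
    bgpsec_no_invalid_routes: bool = False  # README default: false
    bgpsec_no_pcount0: bool = True          # README default: true
    bgpsec_prefer: bool = True              # README default: true

@dataclass(frozen=True)
class Route:
    prefix: str
    peer_as: int
    as_path: tuple          # effective AS_PATH as received
    local_pref: int
    bgpsec: str             # VALID / INVALID / UNSIGNED
    peer_pcount: int = 1    # pCount the peer put in its own Secure_Path segment

def import_filter(cfg: PeerConfig, r: Route) -> Optional[str]:
    """Return a rejection reason, or None if the route is accepted."""
    if cfg.bgpsec_require and r.bgpsec == UNSIGNED:
        return "bgpsec_require: unsigned route"
    if cfg.bgpsec_no_invalid_routes and r.bgpsec == INVALID:
        return "bgpsec_no_invalid_routes: signature check failed"
    if cfg.bgpsec_no_pcount0 and r.bgpsec != UNSIGNED and r.peer_pcount == 0:
        return "bgpsec_no_pcount0: peer omitted itself from the path"
    return None

def rank_key(cfg: PeerConfig, r: Route):
    """Sort key: higher local_pref first, then (if bgpsec_prefer) validly
    signed routes first, then shorter AS_PATH. Ascending sort, so negate."""
    prefer = 0 if (cfg.bgpsec_prefer and r.bgpsec == VALID) else 1
    return (-r.local_pref, prefer, len(r.as_path))

def best_route(cfg: PeerConfig, candidates):
    """Apply the import filter, then pick the best survivor (None if nothing).
    Remaining ties fall to candidate order; BIRD's later steps are not modelled."""
    accepted = [r for r in candidates if import_filter(cfg, r) is None]
    return min(accepted, key=lambda r: rank_key(cfg, r)) if accepted else None

# Constructed sample routes for one prefix learned from several peers.
SIGNED_LONG = Route("203.0.113.0/24", 64522, (64522, 64600, 64700), 100, VALID)
UNSIGNED_SHORT = Route("203.0.113.0/24", 64523, (64523, 64700), 100, UNSIGNED)
INVALID_SHORT = Route("203.0.113.0/24", 64524, (64524, 64700), 100, INVALID)
HIGH_PREF_UNSIGNED = Route("203.0.113.0/24", 64525, (64525, 64600, 64700), 200, UNSIGNED)
PCOUNT0_VALID = Route("203.0.113.0/24", 64526, (64700,), 100, VALID, peer_pcount=0)
CANDIDATES = (SIGNED_LONG, UNSIGNED_SHORT, INVALID_SHORT, HIGH_PREF_UNSIGNED)

def demo():
    """Return the winning peer AS for each scenario."""
    defaults = PeerConfig()
    strict = PeerConfig(bgpsec_require=True, bgpsec_no_invalid_routes=True)
    no_pref = PeerConfig(bgpsec_prefer=False)
    route_server = PeerConfig(bgpsec_no_pcount0=False)
    equal_pref = tuple(r for r in CANDIDATES if r is not HIGH_PREF_UNSIGNED)
    return {
        "defaults_local_pref_wins": best_route(defaults, CANDIDATES).peer_as,        # 64525
        "defaults_signed_beats_shorter": best_route(defaults, equal_pref).peer_as,   # 64522
        "prefer_off_shortest_wins": best_route(no_pref, equal_pref).peer_as,         # 64523
        "strict_only_valid_survives": best_route(strict, CANDIDATES).peer_as,        # 64522
        "strict_rejects": sorted(r.peer_as for r in CANDIDATES if import_filter(strict, r)),
        "pcount0_rejected_by_default": best_route(defaults, (SIGNED_LONG, PCOUNT0_VALID)).peer_as,  # 64522
        "pcount0_allowed_for_route_server": best_route(route_server, (SIGNED_LONG, PCOUNT0_VALID)).peer_as,  # 64526
    }

if __name__ == "__main__":
    for name, winner in demo().items():
        print(f"{name}: {winner}")
```

The "defaults_local_pref_wins" case is the one to notice when planning a deployment: with the README defaults, bgpsec_prefer only breaks ties at equal local preference, so any policy that raises local_pref for a peer still overrides signature validity, and only bgpsec_require / bgpsec_no_invalid_routes remove unsigned or failed routes outright.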
4. Getting RPKI-RTR data (ROA's and Router Keys)

BGPSEC-BIRD-client is a separate application that is provided in order
to pull data from an rpki-rtr cache using rtrLib. It can garner Route
Origin Authorizations (ROAs) from an rpki-rtr cache and populate BIRD's
ROA tables in order to filter for origin authentication. It can also get
router public keys and place them in the local file system for use by
the BGPsec code. Please see the README with that software for
instructions on how to use it.

5. License(s)

This BGPSEC code created by Parsons, Inc.

(c) 2013-2016 Parsons, Inc.
All Rights Reserved

Code within this patch is dual copyrighted under both the GPLv2+ and
the BSD license. It can be used under either license below:


GPLv2+

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or (at
your option) any later version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
USA


BSD

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

  * Redistributions of source code must retain the above copyright notice,
    this list of conditions and the following disclaimer.

  * Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.

  * Neither the name of Parsons, Inc nor the names of its contributors may
    be used to endorse or promote products derived from this software
    without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS
IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.