Examples of configurations
Default
Configurations built using the default general.yml and clients.yml files distributed with the project.
https://github.com/pierky/arouteserver/blob/master/examples/default
See the textual representation (HTML) of this configuration.
Feature-rich example
Configurations built using the files provided in the examples/rich directory.
GTSM and ADD-PATH are enabled by default on the route server.
Next-hop filtering allows clients to set NEXT_HOP of any client in the same AS.
Local networks are filtered, and also transit-free ASNs, “never via route-servers” networks, invalid paths and prefixes/origin ASNs which are not authorized by clients’ AS-SETs (which are fetched from PeeringDB).
Dataset used for prefix validation extended using NIC.BR Whois DB dump and RPKI ROAs.
RPKI-based Origin Validation is enabled; INVALID routes are rejected.
RFC9234 route leak prevention using roles is configured.
A max-prefix limit is enforced on the basis of PeeringDB information.
Blackhole filtering is implemented with a rewrite-next-hop policy and can be triggered with BGP communities BLACKHOLE, 65534:0 and 999:666:0.
Control communities allow selective announcement control and prepending, also on the basis of peers' RTT.
32-bit ASNs are mapped to 16-bit ASNs for usage in standard BGP communities.
Graceful BGP session shutdown is enabled.
Client timers are configured using the custom, site-specific .local file.
Informational custom BGP communities are used to tag routes from European or American clients.
Please note: for the sake of readability of the configuration files built in this example, the set of RPKI ROAs is artificially limited to a small subset.
https://github.com/pierky/arouteserver/blob/master/examples/rich
See the textual representation (HTML) of this configuration.
BIRD hooks example
The BIRD configurations provided in this example have been generated enabling BIRD hooks:
$ arouteserver bird --ip-ver 4 --use-local-files header --use-hooks pre_receive_from_client post_receive_from_client [...]
The above list of hooks passed to the bird command has been truncated for the sake of readability; the complete list used in this example is provided below.
The command line argument --use-local-files enables the header inclusion point, in order to add the include "/etc/bird/header.local"; configuration statement to the BIRD configuration generated by ARouteServer.
define rs_as = 999;
log "/var/log/bird.log" all;
log syslog all;
debug protocols all;
protocol device {};
table master sorted;
include "/etc/bird/header.local";
...
This file must be present on the route server where BIRD is executed and must contain the custom functions used to implement the hooks. See the header.local file for the functions declaration.
List of hooks used in this example:
pre_receive_from_client
post_receive_from_client
pre_announce_to_client
post_announce_to_client
scrub_communities_in
scrub_communities_out
apply_blackhole_filtering_policy
route_can_be_announced_to
announce_rpki_invalid_to_client
https://github.com/pierky/arouteserver/blob/master/examples/bird_hooks
Clients from Euro-IX member list JSON file
Some clients files automatically built from Euro-IX member list JSON files are reported here.
https://github.com/pierky/arouteserver/blob/master/examples/clients-from-euroix
configure command output
The configure command can be used to quickly generate policy definition files (general.yml) which are based on suggested settings and best practices.
A list of BGP communities is also automatically built.
$ arouteserver configure --output examples/auto-config/bird-general.yml
BGP daemon
==========
Depending on the BGP daemon used for the route server some features may not be
available.
Details here:
https://arouteserver.readthedocs.io/en/latest/CONFIG.html#caveats-and-
limitations
Which BGP daemon will be used? [bird/openbgpd] bird
Which version? [1.6.3/1.6.4/1.6.6/1.6.7/1.6.8/2.0.7/2.0.7+b962967e/2.0.8/2.0.9/2.0.10/2.0.11/2.13/2.14/2.15/3.0] 2.15
Router server's ASN
===================
What's the ASN of the route server? 64496
Route server's BGP router-id
============================
Please enter the route server BGP router-id: 192.0.2.1
List of local networks
======================
A list of local IPv4/IPv6 networks must be provided here: routes announced by
route server clients for these prefixes will be filtered out.
Please enter a comma-separated list of local networks: 192.0.2.0/24,2001:db8::/32
Route server policy definition file generated successfully!
===========================================================
The content of the general configuration file will now be written to
examples/auto-config/bird-general.yml
Some notes:
- Accepted prefix lengths are 8-24 for IPv4 and 12-48 for IPv6.
- Routes with 'transit-free networks' or 'never via route-server' (PeeringDB)
ASNs in the middle of AS_PATH are rejected.
- IRR-based filters are enabled; prefixes that are more specific of those
registered are accepted.
- PeeringDB is used to fetch AS-SETs for those clients that are not explicitly
configured.
- RPKI ROAs are used as if they were route objects to further enrich IRR data.
- NIC.BR Whois database dump is fetched from Registro.br to further enrich IRR
data.
- RPKI BGP Origin Validation is enabled. INVALID routes are rejected.
- PeeringDB is used to fetch networks prefix count.
- Route leak prevention using roles (RFC9234) is enabled.
- Routes tagged with the GRACEFUL_SHUTDOWN well-known community (65535:0) are
processed accordingly to draft-ietf-grow-bgp-gshut.
The textual description (HTML and Markdown) generated on the basis of the general.yml files produced by this command is also reported here.
https://github.com/pierky/arouteserver/blob/master/examples/auto-config
bird-general.yml.html - See the textual representation (HTML) of this configuration.
openbgpd-general.yml.html - See the textual representation (HTML) of this configuration.
IX-F Member Export files
The files reported within this directory were generated using the ixf-member-export command.
https://github.com/pierky/arouteserver/blob/master/examples/ixf-member-export
BIRD v2/v3 and OpenBGPD RPKI RTR configuration
This is an example of how to use BIRD v2/v3 or OpenBGPD with an external source for RPKI ROAs based on the RTR protocol.
BIRD v2/v3 and OpenBGPD (starting with release 6.9) have built-in support for the RTR protocol, which allows the BGP daemon to be connected directly to a local cache (a “validator”).
To configure the daemons with ARouteServer in order to fetch ROAs using RTR, the rpki_roas.source option must be set to rtr and a local rpki_rtr_config.local file must be placed inside the same directory where the main configuration file is created (/etc/bird or /etc/bgpd by default, or a custom one set using the --local-files-dir command line argument of ARouteServer).
The rpki_rtr_config.local file is expected to contain the snippet of BIRD or OpenBGPD config needed to set up one or more RTR sessions:
BIRD v2/v3: https://bird.network.cz/?get_doc&v=20&f=bird-6.html#ss6.13
Please note: the names of the tables where ROAs will be injected into must be RPKI4 and RPKI6.
OpenBGPD: https://man.openbsd.org/bgpd.conf#rtr
Example configurations are reported in the rpki_rtr_config.local.BIRD and rpki_rtr_config.local.OpenBGPD files that can be found within this directory.
https://github.com/pierky/arouteserver/blob/master/examples/rpki_rtr
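As an added illustration (not one of the project's example files), a minimal rpki_rtr_config.local for BIRD v2/v3 that opens one RTR session against a validator; the validator address and port are assumed, and the RPKI4 and RPKI6 ROA tables are assumed to be declared by the configuration ARouteServer generates, so only the session itself is defined here.

```bird
# rpki_rtr_config.local for BIRD v2/v3 (added example, not the project's own file).
# Assumptions: the RPKI4/RPKI6 roa tables already exist in the generated config,
# and 192.0.2.10:323 is a validator reachable from the route server.
protocol rpki local_validator {
    # Tables must be named RPKI4 and RPKI6 for the generated filters to find the ROAs.
    roa4 { table RPKI4; };
    roa6 { table RPKI6; };

    # Plain TCP is the default transport and carries ROAs unauthenticated,
    # which is why the cache should sit on a trusted local network;
    # BIRD also accepts "transport ssh { ... }" for a remote validator.
    remote 192.0.2.10 port 323;

    # Session timers (seconds). Keep the cache refreshed, but do not flush it
    # at the first hiccup: once "expire" hits, BIRD drops the ROAs, every route
    # becomes RPKI "unknown" and INVALID rejection stops having any effect.
    retry keep 90;
    refresh keep 900;
    expire keep 172800;
}
```

After adding the file, rebuild the configuration with rpki_roas.source set to rtr and confirm with the BIRD CLI that the RPKI4 and RPKI6 tables are being populated before relying on origin validation.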