From 9e9ad27fff7f4fa49caf6e84727abbdbb2d6997b Mon Sep 17 00:00:00 2001
From: Alarig Le Lay
Date: Thu, 17 Oct 2024 15:26:37 +0200
Subject: [PATCH] bird example config

Signed-off-by: Alarig Le Lay
---
 bird.conf | 208 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 208 insertions(+)
 create mode 100644 bird.conf

diff --git a/bird.conf b/bird.conf
new file mode 100644
index 0000000..a88bcd5
--- /dev/null
+++ b/bird.conf
@@ -0,0 +1,208 @@
+# Configure logging
+#log syslog { warning, error, fatal, bug };
+log syslog all;
+
+# Turn on global debugging of all protocols
+#debug protocols all;
+debug protocols { states };
+
+
+# Override router ID and store ASN
+router id 193.34.197.192;
+define myasn = 47214;
+
+
+#####################
+# GENERAL PROTOCOLS #
+#####################
+# This pseudo-protocol watches all interface up/down events.
+protocol device {
+ # Scan interfaces every 5 seconds
+ scan time 5;
+}
+
+protocol bfd {
+ interface "ens19" {
+ passive on;
+ };
+}
+
+roa4 table r4;
+roa6 table r6;
+
+protocol rpki rpki_alarig {
+ remote "msi.no.swordarmor.fr";
+
+ roa4 { table r4; };
+ roa6 { table r6; };
+}
+
+protocol rpki rpki_cf {
+ remote "rtr.rpki.cloudflare.com";
+ port 8282;
+
+ roa4 { table r4; };
+ roa6 { table r6; };
+}
+
+###############
+# BGP FILTERS #
+###############
+include "/etc/bird/check_import.conf";
+
+function check_ipv4(int peeras; ip nexthop)
+ prefix set martians;
+ prefix set our_prefixes;
+{
+
+ check_import(peeras, nexthop);
+
+ martians = [
+ 10.0.0.0/8+, 100.64.0.0/10+, 127.0.0.0/8+, 169.254.0.0/16+,
+ 172.16.0.0/12+, 192.0.0.0/24+, 192.0.2.0/24+, 192.168.0.0/16+,
+ 198.18.0.0/15+, 198.51.100.0/24+, 203.0.113.0/24+,
+ 224.0.0.0/4+, 240.0.0.0/4+, 255.255.255.255/32
+ ];
+
+ # Avoid reserved networks
+ if net ~ martians then return false;
+
+ # Avoid too short and too long prefixes
+ if (net.len < 8) || (net.len > 24) then return false;
+
+ # Avoid 0.0.0.0/X (default route + 0.0.0.0/8)
+ if net.ip = 0.0.0.0 then return false;
+
+ # Remove our prefixes. Only us can announce them
+ # Remove also our interconnection prefixes. We are directly connected.
+ if net ~ [ 185.1.89.0/24+ ] then return false;
+
+ # scrub Origin Validation State Extended Community
+ bgp_ext_community.delete((unknown 0x4300, 0, 0));
+ bgp_ext_community.delete((unknown 0x4300, 0, 1));
+ bgp_ext_community.delete((unknown 0x4300, 0, 2));
+
+ # set RPKI Origin Validation State Extended Community
+ case roa_check(r4, net, bgp_path.last_nonaggregated) {
+ ROA_VALID:
+ # add rfc8097 marker to routes for which a valid
+ # matching ROA exists
+ bgp_ext_community.add((unknown 0x4300, 0, 0));
+ ROA_INVALID:
+ bgp_ext_community.add((unknown 0x4300, 0, 2));
+ return false;
+ else:
+ # add rfc8097 marker to routes for which no covering
+ # ROA exists
+ bgp_ext_community.add((unknown 0x4300, 0, 1));
+ }
+
+ return true;
+};
+
+function check_ipv6(int peeras; ip nexthop)
+ prefix set martians;
+ prefix set our_prefixes;
+{
+
+ check_import(peeras, nexthop);
+
+ martians = [ ::1/128, ::/128, ::ffff:0:0/96+, 100::/64+,
+ 2001:db8::/32+, 2001::/23, 2001:2::/48+, 2001:10::/28+, 2002::/17+,
+ fc00::/7, fe80::/10, ff00::/8+, 3FFE::/16+, 5F00::/8+
+ ];
+
+ # Avoid reserved networks
+ if net ~ martians then return false;
+
+ # Avoid too short and too long prefixes
+ if (net.len < 16) || (net.len > 48) then return false;
+
+ # Avoid bogons. IANA didn't allocate outside of 2000::/3
+ # but there are already announces there
+ if ! (net.ip ~ 2000::/3) then return false;
+
+ # Avoid 0.0.0.0/X (default route + 0.0.0.0/8)
+ if net.ip = ::/0 then return false;
+
+ # Remove our prefixes. Only us can announce them
+ # Remove also our interconnection prefixes. We are directly connected.
+ if net ~ 2001:7f8:b1::/48 then return false;
+
+ # scrub Origin Validation State Extended Community
+ bgp_ext_community.delete((unknown 0x4300, 0, 0));
+ bgp_ext_community.delete((unknown 0x4300, 0, 1));
+ bgp_ext_community.delete((unknown 0x4300, 0, 2));
+
+ # set RPKI Origin Validation State Extended Community
+ case roa_check(r6, net, bgp_path.last_nonaggregated) {
+ ROA_VALID:
+ # add rfc8097 marker to routes for which a valid
+ # matching ROA exists
+ bgp_ext_community.add((unknown 0x4300, 0, 0));
+ ROA_INVALID:
+ bgp_ext_community.add((unknown 0x4300, 0, 2));
+ return false;
+ else:
+ # add rfc8097 marker to routes for which no covering
+ # ROA exists
+ bgp_ext_community.add((unknown 0x4300, 0, 1));
+ }
+
+ return true;
+};
+
+#############
+# Templates #
+#############
+
+template bgp PEERS_IPv4 {
+ local as myasn;
+ rs client;
+ passive;
+ local role rs_server;
+ #bfd on;
+ prefer older;
+
+ ipv4 {
+ import table on;
+ export table on;
+ rpki reload;
+ add paths tx;
+ import keep filtered;
+ import all;
+ export all;
+ import limit 100 action block;
+ receive limit 1000 action disable;
+ };
+}
+
+template bgp PEERS_IPv6 {
+ local as myasn;
+ rs client;
+ passive;
+ local role rs_server;
+ #bfd on;
+ prefer older;
+
+ ipv6 {
+ import table on;
+ export table on;
+ rpki reload;
+ add paths tx;
+ import keep filtered;
+ import all;
+ export all;
+ import limit 100 action block;
+ receive limit 1000 action disable;
+ };
+}
+
+
+#########
+# PEERS #
+#########
+
+include "/etc/bird/google.conf";
+include "/etc/bird/functions/*.conf";
+include "/etc/bird/peers/*.conf";
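Review bot: The PEERS_IPv4 and PEERS_IPv6 templates default to `import all; export all;`, so any stanza in peers/*.conf that omits an explicit `import where check_ipv4(...)`/`check_ipv6(...)` accepts and redistributes unfiltered routes to every other route-server client; a fail-closed default of `import none; export none;` in both templates would turn a forgotten filter into a visibly dead session instead of a silent leak. In check_ipv4 and check_ipv6 the value of `check_import(peeras, nexthop);` is discarded — unless that function rejects on its own (its body is in check_import.conf, not in this patch), a false result has no effect, and the call would need to be `if ! check_import(peeras, nexthop) then return false;`. The IPv6 branch compares an address with a prefix literal in `if net.ip = ::/0 then return false;` whereas the IPv4 branch uses the address `0.0.0.0`; the check is also redundant with the `net.ip ~ 2000::/3` test just above it, so dropping it or writing `if net.ip = :: then return false;` would be cleaner. Both rpki protocols run plain-TCP RTR with no transport option, and since every route's fate in the `case roa_check(...)` blocks depends on those tables, a comment such as `# RTR is unauthenticated TCP: the path to both validators is assumed trusted` would record that assumption for the next operator.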