BI商业智能>> routing-rocks-policy-role>> 返回
项目作者: czerwonk

项目描述 :
Ansible role for the Bird 2.x routing policy used in routing-rocks (AS202739), Freifunk Essen (AS206356), etc.
高级语言:
项目地址: git://github.com/czerwonk/routing-rocks-policy-role.git
创建时间: 2019-06-20T10:17:58Z
项目社区:https://github.com/czerwonk/routing-rocks-policy-role
开源协议:MIT License
下载


routing-rocks routing policy (ansible role)

Bird 2.x routing policy used in routing-rocks (AS202739), Freifunk Essen (AS206356), etc.

Requirements

  • local ansible installation
  • bird routing daemon 2.x installed on the target machine
  • routinator installed on the target machine (if RPKI validation should be used)

Inventory

In this example I will give a brief example how a policy inventory could look like. This is an short example which was derived from the actual routing policy of the ASes running this policy.

Given the following situation:

  • we are AS202739 (routing-rocks) located in DUS
  • we want to peer with AS206356 Freifunk Essen on DE-CIX DUS and FRA using prefix limits
  • DE-CIX FRA is a remote peering
  • we will only configure 1 router
  • we have an downstream with the imaginary ASN 12345 announcing AS_EXAMPLE
  • we have an upstream with the imaginary ASN 54321
  • we will ensure that traffic to our upstreams customers will stay local by using a special rule
  • we do RPKI-validation and the validator is running on localhost (port 3323)
  • the setup is IPv6-only (IPv4 is configurred in the same way)

NixOS

This bird configuration can also be used inside of NixOS.
The module enables and configures services.bird2 building and packaging the bird configuration by running ansible when running nixos-rebuild.

The NixOS module can be imported using flakes.

  1. {
  2.   inputs = {
  3.     routing-rocks-policy.url = "github:czerwonk/routing-rocks-policy-role";
  4.   };
  6.   outputs = { self, nixpkgs, routing-rocks-policy, ... }:
  7.     {
  8.       nixosConfigurations.my-router = nixpkgs.lib.nixosSystem {
  9.         system = "x86_64-linux";
  10.         modules = [
  11.           routing-rocks-policy.nixosModule
  12.           {
  13.             routing-rocks.bird2 = {
  14.               enable = true;
  15.               configYML = ''
  16.                 ... put your config here or read it from filesystem (e.g. using builtins.readFile) ...
  17.               '';
  18.               asSets = ''
  19.                 define AS_ROUTING_ROCKS = [
  20.                   2001:678:1e0::/48
  21.                 ];
  22.               '';
  23.             };
  24.           }
  25.         ];
  26.       };
  27.     };
  28. }

Global Configuration (group_vars)

Here we define the global settings valid for all routers of a specific group

routing.yml

  1. asn: 202739
  3. # RPKI validation is enabled and invalids will be rejected
  4. rpki_validation: yes
  5. rpki_validator:
  6.   host: 127.0.0.1
  7.   port: 3323
  9. # local pref used for transit routes learned from 
  10. last_resort_local_pref: 1
  12. # communities used to tag routes
  13. communities:
  14.   origin: (202739, 0, 1000)
  15.   peer_import: (202739, 0, 2000)
  16.   upstream_import: (202739, 0, 3000)
  17.   downstream_import: (202739, 0, 4000)
  18.   filtered_bogon: (202739, 666, 1)
  19.   filtered_own_prefix: (202739, 666, 2)
  20.   filtered_own_communities: (202739, 666, 3)
  21.   filtered_rpki_invalid: (202739, 666, 4)
  22.   filtered_aspath_invalid: (202739, 666, 5)
  23.   filtered_tier1: (202739, 666, 6)
  24.   filtered_aspath_length: (202739, 666, 7)
  26. # our prefixes announce
  27. prefixes:
  28.   ipv6:
  29.     - 2001:678:1e0::/48
  31. # global filters which can be used as alternative to the auto generated ones
  32. filters:
  33.   ibgp_in:
  34.     prefixes:
  35.       - 2001:678:1e0::/48{56,64}
  36.   default_only:
  37.     accept_default: yes
  39. # peer types are like templates defining common attributes for a group of peers
  40. peer_types:
  41.   internal:
  42.   upstream:
  43.     local_pref: 100
  44.     as_prepend: 2
  45.     local_role: customer
  46.   metro_peer:
  47.     local_pref: 10000
  48.     local_role: peer
  49.   remote_peer:
  50.     local_pref: 1000
  51.     local_role: peer
  53. peers:
  54.   202739: # routing-rocks
  55.     type: internal
  57.   54321: # upstream
  58.     upstream: yes
  59.     filters:
  60.       import: upstream_as54321_in
  61.       export: ebgp_as54321_out
  62.     type: upstream
  63.     rtbh_community: (54321,666)
  64.     rules: # our upstream uses the community (54321,200) to tag his customer routes, we use this to set the local pref
  65.       - when:
  66.           community: (54321,200)
  67.         then:
  68.           set_local_pref: 50000
  70.   206356: # ff-essen
  71.     filters:
  72.       import: peer_as206356_in
  73.       export: ebgp_as206356_out
  74.     type: metro_peer
  75.     max_prefix:
  76.       ipv6: 5
  78.   12345: # downstream
  79.     downstream: yes
  80.     filters:
  81.       import: peer_as12345_in
  82.       export: default_only
  83.     as_set:
  84.       ipv4: AS_EXAMPLE_IPv4
  85.       ipv6: AS_EXAMPLE_IPv6
  86.     type: metro_peer

Metro configuration (group_vars)

This is the common configuration for all routers in one metro

metro.yml

  1. communities_metro:
  2.   origin: (202739, 0, 1100)
  3.   peer_import: (202739, 0, 2100)
  4.   upstream_import: (202739, 0, 3100)
  5.   downstream_import: (202739, 0, 4100)

Router configuration (host_vars)

Here we define the actual sessions for the peers defined in the global config

router.yml

  1. router_id: 100.64.0.1
  2. source_ipv6: 2001:678:1e0:999::1

static.yml

  1. # we have to define the static default route to be able to announce it downstream 
  2. static_default_routes:
  3.   ipv4: no
  4.   ipv6: yes

ospf.yml

  1. ospf:
  2.   interfaces:
  3.     - name: eth0
  4.     - name: eth1
  5.     - name: gre1
  6.       ttl_security: yes
  8.   stub_interfaces:
  9.     - lo 
  11.   prefixes:
  12.     ipv6:
  13.       - 2001:678:1e0::/48

bgp.yml

  1. peerings:
  2.   - asn: 54321
  3.     sessions:
  4.       - name: upstream_01
  5.         ip: 100.64.1.0
  7.   - asn: 12345
  8.     sessions:
  9.       - name: downstream_01
  10.         ip: 2001:678:1e0:888::2
  12.   - asn: 206356
  13.     sessions:
  14.       - name: ff_essen_dus
  15.         ip: 2001:7f8:9e:0:3:2614:0:1
  16.       - name: ff_essen_fra
  17.         ip: 2001:7f8::3:2614:0:1
  18.         type: remote_peer # since DE-CIX FRA is remote peering for this router, we want to override the peering type here

Rules

Rules are very easy and basic way to do a little bit of TE. For now it is not possible to combine conditions. This is planned for future releases.

Conditions

  • source_as
  • prefix
  • community
  • large_community

Actions

  • set_local_pref
  • add_community
  • add_large_community

AS-Sets

The policy expects definitions for the AS_SET values used in the inventory in the as-sets directory. In my setup these prefix lists are auto generated via cronjob. This tooling for this task will be open sourced in the future. For now you have to make sure that theses files exists. In the example I used a AS_SET for a peering between routing-rocks and Freifunk Essen. This file looks like:

  1. define AS_FFE_IPv4 = [
  2.     194.48.228.0/22{22,24}
  3. ];
  5. define AS_FFE_IPv6 = [
  6.   2a0c:efc0::/29{29,48}
  7. ];

License

(c) Daniel Czerwonk, 2019. Licensed under MIT license.

Bird routing daemon

see http://bird.network.cz/