From a114aa9387611da3d721d9775482fd3f0e889861 Mon Sep 17 00:00:00 2001 From: Quantum Date: Fri, 29 Mar 2024 03:42:54 -0400 Subject: [PATCH] Add PeeringDB prefix limit script --- README.md | 26 ++++++++++++++++++++++++++ make-prefix-limits | 32 ++++++++++++++++++++++++++++++++ prefix-limits.example | 5 +++++ 3 files changed, 63 insertions(+) create mode 100755 make-prefix-limits create mode 100644 prefix-limits.example diff --git a/README.md b/README.md index d07297a..9fb852c 100644 --- a/README.md +++ b/README.md @@ -271,6 +271,30 @@ used by downstreams: 5. Create a cron job that runs `make-irr-filter` followed by `birdc configure`. Daily is a reasonable cadence. +## PeeringDB prefix limits + +1. Follow [`prefix-limits.example`][prefix-conf] and create + `/etc/bird/prefix-limits` for peers for whom you'd like to enforce a prefix + limit. +2. Adjust [`make-prefix-limits`][prefix-script] to use your own PeeringDB mirror + if you risk getting rate limited. +3. Run `make-prefix-limits` to re-generate the prefix limits file. +4. Add `include "prefix_limit.conf";` into your `bird.conf`. +5. You can use constants like `LIMIT_AS200351_V4` or `LIMIT_AS200351_V6` in your + `bird.conf`, for example: + ``` + protocol bgp peer_v6 { + ... + + ipv6 { + import limit LIMIT_AS23456_V6 action disable; + ... + }; + } + ``` +6. Create a cron job that runs `make-prefix-limits` followed by + `birdc configure`. Daily is a reasonable cadence. + ## RPKI filtering While this filter library implements RPKI, you still need to populate the @@ -299,3 +323,5 @@ Routinator instance over HTTPS. [skeleton]: skeleton.conf [irr-conf]: irr-filters.example [irr-script]: make-irr-filter + [prefix-conf]: prefix-limits.example + [prefix-script]: make-prefix-limits diff --git a/make-prefix-limits b/make-prefix-limits new file mode 100755 index 0000000..8130abf --- /dev/null +++ b/make-prefix-limits 
@@ -0,0 +1,32 @@ +#!/bin/bash +set -euo pipefail + +# Change this to a PeeringDB mirror +PEERINGDB=https://www.peeringdb.com + +PEER_SOURCE=/etc/bird/prefix-limits +LIMIT_OUTPUT=/etc/bird/prefix_limits.conf + +[ -f "$PEER_SOURCE" ] || exit + +tmpdir="$(mktemp -d /tmp/bird-prefix-limit.XXXXXX)" +cleanup() { + rm -rf "$tmpdir" +} +trap cleanup EXIT + +join_by() { + local d=${1-} f=${2-} + if shift 2; then + printf %s "$f" "${@/#/$d}" + fi +} + +readarray -t asns < <(grep -vE '^#|^$' "$PEER_SOURCE") + +curl -s "$PEERINGDB/api/net?asn__in=$(join_by , "${asns[@]}")" | \ + jq -r '(.data // [])[] | "define LIMIT_AS\(.asn)_V4 = \(.info_prefixes4);\ndefine LIMIT_AS\(.asn)_V6 = \(.info_prefixes6);"' \ + > "$tmpdir/limits.conf" + +mv "$tmpdir/limits.conf" "$LIMIT_OUTPUT" +chmod a+r "$LIMIT_OUTPUT" diff --git a/prefix-limits.example b/prefix-limits.example new file mode 100644 index 0000000..0799356 --- /dev/null +++ b/prefix-limits.example @@ -0,0 +1,5 @@ +# You can use # for comments. +# Cloudflare +13335 +# Quantum +200351
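Review bot: In the README hunk (`@@ -271,6 +271,30 @@`), step 4 tells the reader to add `include "prefix_limit.conf";`, but the script sets `LIMIT_OUTPUT=/etc/bird/prefix_limits.conf` (plural), so following the documentation as written produces a missing-file error at `birdc configure`; make the two names match. Step 5 also names `LIMIT_AS200351_V4` / `LIMIT_AS200351_V6` and then uses `LIMIT_AS23456_V6` in the example block; 23456 is the reserved AS_TRANS placeholder ASN rather than a peer anyone would list in `/etc/bird/prefix-limits`, so the snippet should use one of the ASNs from `prefix-limits.example` (13335 or 200351) so that text and example agree. It would also help to say that `action disable` means a peer exceeding a stale or under-reported PeeringDB figure is taken down, which is why the daily regeneration in step 6 matters.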
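Review bot: In the `make-prefix-limits` hunk, there is no failure check between the fetch and `mv "$tmpdir/limits.conf" "$LIMIT_OUTPUT"`: `curl -s` exits 0 on an HTTP 429 or 5xx (the rate-limit case the README explicitly warns about), and when the error body is JSON the `(.data // [])[]` fallback turns it into zero output lines, so the script overwrites a good `prefix_limits.conf` with an empty file and the next `birdc configure` fails on every `LIMIT_AS*` reference. Suggest `curl -sSf` (or `--fail-with-body`) so an error status aborts under `set -e`, and, before the `mv`, check that the generated file contains a define for every ASN in `asns`: an ASN that PeeringDB does not know is silently dropped today, and `\(.info_prefixes4)` prints `null` when the field is absent or `0` when it is unset, neither of which is a usable limit. Also `"${asns[@]}"` on an empty array trips `set -u` on older bash and otherwise sends a bare `asn__in=` to the API; guard with `[ ${#asns[@]} -gt 0 ] || exit`.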
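Review bot: In the `prefix-limits.example` hunk, the header `# You can use # for comments.` suggests comments are free-form, but the script's `grep -vE '^#|^$'` only discards lines that begin with `#`, so a trailing comment such as `13335 # Cloudflare` would be interpolated verbatim into the `asn__in=` query string. Either document that comments must occupy their own line, or strip them in the script (e.g. `sed 's/#.*//'` before the blank-line filter) and reject any remaining line that is not purely digits, since nothing validates that the values are ASNs before they reach the URL.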