From: Pavel TvrdĂ­k Date: Tue, 22 Dec 2015 08:44:54 +0000 (+0100) Subject: RPKI: Add a documentation X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cf2d812e9d6441a867489766d6b97e85f272f4bc;p=thirdparty%2Fbird.git RPKI: Add a documentation
---
diff --git a/doc/bird.sgml b/doc/bird.sgml
index 86df04569..192013a91 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -3485,6 +3485,97 @@ protocol rip {
 } +RPKI + +

The Resource Public Key Infrastructure (RPKI) to Router Protocol (RFC 6810) +is a simple but reliable mechanism to receive Resource Public Key +Infrastructure (RFC 6480) prefix origin data from a trusted cache. + +It is possible to configure only one cache server per protocol yet. + + +protocol rpki [<name>] { + roa table <name>; + cache <ip> | "<domain>" { + port <num>; + ssh encryption { + bird private key "</path/to/id_rsa>"; + cache public key "</path/to/known_host>"; + user "<name>"; + }; + }; +} + + +RPKI protocol options + + roa table + Specifies the roa table into which will import the routes from cache. + This option is required. + + cache + Specifies a destination address of the cache server. + Can be specified by an IP address or by full domain name. + By default there is no encryption in transport. + Only one cache can be specified per protocol. + + +Cache options + + port + Specifies the port number. + The default port number is 8282 for transpoert without any encryption + and 22 for transport with SSH encryption. + + ssh encryption { + This enables a SSH encryption. + + +SSH encryption options + + bird private key " + A path to the BIRD's private SSH key for authentication. + It can be a cache public key " + A path to the cache's public SSH key for verification identity + of the cache server. It could be a user " + A SSH user name for authentication. This option is a required. + + +Examples +

A simple configuration without transport encryption: + +roa table my_roa_table; +protocol rpki { + debug all; + roa table my_roa_table; + + cache "rpki-validator.realmv6.org"; +} + + +

A configuration using SSHv2 transport encryption: +roa table my_roa_table; +protocol rpki { + debug all; + roa table my_roa_table; + + cache 127.0.0.1 { + port 2345; + ssh encryption { + bird private key "/home/birdgeek/.ssh/id_rsa"; + cache public key "/home/birdgeek/.ssh/known_hosts"; + user "birdgeek"; + }; + }; +} + + + Static
diff --git a/proto/rpki/Doc b/proto/rpki/Doc
index 3ffa7cb0b..697969030 100644
--- a/proto/rpki/Doc
+++ b/proto/rpki/Doc
@@ -1 +1,6 @@
-C rpki.c
+S rpki.c
+S packets.c
+S rtr.c
+S transport.c
+S tcp_transport.c
+S ssh_transport.c
\ No newline at end of file
diff --git a/proto/rpki/packets.c b/proto/rpki/packets.c
index 7e628cbf4..ac4ce14c3 100644
--- a/proto/rpki/packets.c
+++ b/proto/rpki/packets.c
@@ -483,7 +483,7 @@ rtr_check_receive_packet(struct rpki_cache *cache, void *pdu, const size_t len)
 struct rpki_proto *p = cache->p;
 int error = RTR_SUCCESS;
- //header in hostbyte order, retain original received pdu, in case we need to detach it to an error pdu
+ // header in hostbyte order, retain original received pdu, in case we need to detach it to an error pdu
 struct pdu_header header;
 memcpy(&header, pdu, sizeof(header));
 rtr_pdu_header_to_host_byte_order(&header);
@@ -495,7 +495,7 @@ rtr_check_receive_packet(struct rpki_cache *cache, void *pdu, const size_t len)
 return RTR_ERROR;
 }
- // Do dont handle error PDUs here, leave this task to rtr_handle_error_pdu()
+ // Do not handle error PDUs here, leave this task to rtr_handle_error_pdu()
 if (header.ver != rtr_socket->version && header.type != ERROR) {
 // If this is the first PDU we have received -> Downgrade.
diff --git a/proto/rpki/rpki.c b/proto/rpki/rpki.c
index fc3b7c12f..a92739f0c 100644
--- a/proto/rpki/rpki.c
+++ b/proto/rpki/rpki.c
@@ -3,7 +3,7 @@
 *
 * (c) 2015 CZ.NIC
 *
- * Using RTRLib: http://rpki.realmv6.org/
+ * Using RTRlib: http://rpki.realmv6.org/
 *
 * Can be freely distributed and used under the terms of the GNU GPL.
 */
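Review bot: In the first packets.c hunk, `memcpy(&header, pdu, sizeof(header));` copies a full PDU header out of `pdu` without consulting the `len` parameter the function takes, so unless every caller guarantees `len >= sizeof(struct pdu_header)` (no such check is visible in the hunk) a short receive from the cache becomes an over-read of the receive buffer. The comment rewording above it leaves this untouched. If the receive path does enforce the minimum length, a precondition comment on the function, `/* Precondition: len >= sizeof(struct pdu_header), enforced by the receive path */`, would make that explicit; otherwise an early `if (len < sizeof(header)) return RTR_ERROR;` ahead of the memcpy closes it. rtr_check_receive_packet begins before this hunk and continues after it.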
@@ -319,12 +319,12 @@ rpki_free_cache(struct rpki_cache *cache)
 mb_free(cache->rtr_socket->tr_socket);
 mb_free(cache->rtr_socket);
- /* Timers */
+ /* timers */
 tm_stop(cache->retry_timer);
 tm_stop(cache->refresh_timer);
 tm_stop(cache->expire_timer);
- rfree(cache->retry_timer);
+ rfree(cache->refresh_timer);
 rfree(cache->expire_timer);
diff --git a/proto/rpki/rpki.h b/proto/rpki/rpki.h
index 5afab494f..a21c4ba6a 100644
--- a/proto/rpki/rpki.h
+++ b/proto/rpki/rpki.h
@@ -3,7 +3,7 @@
 *
 * (c) 2015 CZ.NIC
 *
- * Using RTRLib: http://rpki.realmv6.org/
+ * Using RTRlib: http://rpki.realmv6.org/
 *
 * Can be freely distributed and used under the terms of the GNU GPL.
 */
diff --git a/proto/rpki/rtr.c b/proto/rpki/rtr.c
index c8c1e97b5..4d208c765 100644
--- a/proto/rpki/rtr.c
+++ b/proto/rpki/rtr.c
@@ -76,7 +76,7 @@ rtr_purge_records_if_outdated(struct rpki_cache *cache)
 }
 pfx_table_src_remove(cache);
- CACHE_TRACE(D_EVENTS, cache, "Remove outdated records from pfx_table");
+ CACHE_TRACE(D_EVENTS, cache, "All ROA records from %s expired", get_cache_ident(cache));
 rtr_socket->request_session_id = true;
 rtr_socket->serial_number = 0;
 rtr_socket->last_update = 0;
@@ -288,7 +288,7 @@ rpki_refresh_hook(struct timer *tm)
 case RTR_CONNECTING:
 case RTR_SYNC:
- /* Wait small amout of time to transite state */
+ /* Wait a small amount of time to the end of transitive state */
 tm_start(tm, 1);
 break;
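Review bot: After the rpki.c hunk, rpki_free_cache stops `cache->retry_timer` but, unlike `refresh_timer` and `expire_timer`, no longer passes it to `rfree()`: the old `rfree(cache->retry_timer);` line was replaced by `rfree(cache->refresh_timer);` rather than joined by it. If the retry timer is meant to be released explicitly like the other two, keep both lines, `rfree(cache->retry_timer);` followed by `rfree(cache->refresh_timer);`. If instead it is reclaimed together with the protocol's resource pool, a short comment saying so would stop the next reader from treating the asymmetry as a leak. rpki_free_cache begins before this hunk.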