Hello, the RPKI documentation section has an RPKI ROV example using an IPv4-specific filter:
https://bird.network.cz/?get_doc&v=20&f=bird-6.html#ss6.13

> roa4 table r4;
> roa6 table r6;
>
> protocol rpki {
>   debug all;
>
>   roa4 { table r4; };
>   roa6 { table r6; };
>
>   # Please, do not use rpki-validator.realmv6.org in production
>   remote "rpki-validator.realmv6.org" port 8282;
>
>   retry keep 5;
>   refresh keep 30;
>   expire 600;
> }
>
> filter peer_in_v4 {
>   if (roa_check(r4, net, bgp_path.last) = ROA_INVALID) then
>   {
>     print "Ignore invalid ROA ", net, " for ASN ", bgp_path.last;
>     reject;
>   }
>   accept;
> }
>
> protocol bgp {
>   debug all;
>   local as 65000;
>   neighbor 192.168.2.1 as 65001;
>   ipv4 {
>     import filter peer_in_v4;
>     export none;
>   };
> }

We use a transit_in filter that checks the net.type to decide which roa_check parameter to use:

> filter transit_in {
>
>   reject_bogon_asns();
>   reject_small_prefixes();
>   reject_bogon_prefixes();
>   reject_long_aspaths();
>   reject_default_route();
>   enforce_neighbor_asn();
>   reject_our_networks();
>
>   if (net.type = NET_IP4) then {
>     if (roa_check(r4, net, bgp_path.last) = ROA_INVALID) then
>     {
>       print "Reject RPKI INVALID announcement ", net, " by AS", bgp_path.last;
>       reject;
>     }
>   } else {
>     if (roa_check(r6, net, bgp_path.last) = ROA_INVALID) then
>     {
>       print "Reject RPKI INVALID announcement ", net, " by AS", bgp_path.last;
>       reject;
>     }
>   }
>
>   accept;
>
> }

Is this significantly less efficient than having separate IPv4/6 filters that do not need that additional if (net.type = .. ) check? Or does it not really matter? If possible I'd prefer a single filter that can be applied to IPv4 and IPv6 BGP sessions.

thanks,
Christoph
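Added example (not from the original post or the BIRD documentation): one way to keep a single filter for both address families is to move the net.type dispatch into a function and attach the same filter to an IPv4 and an IPv6 BGP session. It assumes the r4/r6 ROA tables and rpki protocol from the quoted config, BIRD 2 filter syntax, and constructed neighbor addresses and ASNs.

```bird
# Assumes roa4 table r4 and roa6 table r6 are populated by the rpki
# protocol shown above. Neighbor addresses and ASNs are constructed.

# Address-family-aware ROV check usable from any filter. Only the ROA
# table is selected by net.type; the roa_check call itself is identical.
function rpki_invalid() {
  if (net.type = NET_IP4) then
    return roa_check(r4, net, bgp_path.last) = ROA_INVALID;
  else
    return roa_check(r6, net, bgp_path.last) = ROA_INVALID;
}

# One filter for both families: the family-specific branch lives in
# rpki_invalid(), so the filter body stays free of net.type checks.
filter transit_in {
  if rpki_invalid() then {
    print "Reject RPKI INVALID announcement ", net, " by AS", bgp_path.last;
    reject;
  }
  accept;
}

# The same filter attached to an IPv4 session ...
protocol bgp transit_v4 {
  local as 65000;
  neighbor 192.0.2.1 as 65001;        # constructed (TEST-NET-1)
  ipv4 {
    import filter transit_in;
    export none;
  };
}

# ... and to an IPv6 session, with no per-family filter copy.
protocol bgp transit_v6 {
  local as 65000;
  neighbor 2001:db8::1 as 65001;      # constructed (documentation prefix)
  ipv6 {
    import filter transit_in;
    export none;
  };
}
```

The net.type test is a comparison on a field of the route's prefix; the ROA table lookup in roa_check is the part with real cost, and it runs exactly once per route in either layout.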
