author: Ondrej Zajicek (work) <santiago@crfreenet.org> 2021-03-15 17:51:33 +0100
committer: Ondrej Zajicek (work) <santiago@crfreenet.org> 2021-03-15 17:51:33 +0100
commit: 0d1a11cca3136828808b8e73f4d5e547cc787fb8 (patch)
tree: a8b6dc6a8549c710acbe9b26d3af7d7f06289de5
parent: 6489a2450e0ab4aa63c25ac2f9be354fdbd711d2 (diff)
Doc: Document automatic RPKI reload
-rw-r--r-- doc/bird.sgml | 39
1 file changed, 26 insertions, 13 deletions
diff --git a/doc/bird.sgml b/doc/bird.sgml
index b2e83d81..e4ddded2 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -875,6 +875,19 @@ inherited from templates can be updated by new definitions.
possible to show them using <cf/show route filtered/. Note that this
option does not work for the pipe protocol. Default: off.
+ <tag><label id="proto-rpki-reload">rpki reload <m/switch/</tag>
+ Import or export filters may depend on route RPKI status (using
+ <cf/roa_check()/ operator). In contrast to to other filter operators,
+ this status for the same route may change as the content of ROA tables
+ changes. When this option is active, BIRD activates automatic reload of
+ affected channels whenever ROA tables are updated (after a short settle
+ time). When disabled, route reloads have to be requested manually. The
+ option is ignored if <cf/roa_check()/ is not used in channel filters.
+ Note that for BGP channels, automatic reload requires
+ <ref id="bgp-import-table" name="import table"> or
+ <ref id="bgp-export-table" name="export table"> (for respective
+ direction). Default: on.
+
<tag><label id="proto-import-limit">import limit [<m/number/ | off ] [action warn | block | restart | disable]</tag>
Specify an import route limit (a maximum number of routes imported from
the protocol) and optionally the action to be taken when the limit is
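Review bot: the new option text has a doubled word in "In contrast to to other filter operators," which should read "In contrast to other filter operators,"; in the same paragraph "for respective direction" should be "for the respective direction". Also worth tightening "after a short settle time": a reader deciding whether to rely on automatic reload will want to know roughly how long the settle time is and whether it is configurable, so either state the value here or point to where it is documented. Finally, since the option is silently ignored when <cf/roa_check()/ does not appear in the channel filters, consider saying explicitly that enabling it has no effect on such channels rather than only "is ignored", so an operator does not assume a reload is happening when it is not.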
@@ -4761,21 +4774,21 @@ protocol rip {
<sect1>Introduction
<p>The Resource Public Key Infrastructure (RPKI) is mechanism for origin
-validation of BGP routes (RFC 6480). BIRD supports only so-called RPKI-based
-origin validation. There is implemented RPKI to Router (RPKI-RTR) protocol (RFC
-6810). It uses some of the RPKI data to allow a router to verify that the
-autonomous system announcing an IP address prefix is in fact authorized to do
-so. This is not crypto checked so can be violated. But it should prevent the
-vast majority of accidental hijackings on the Internet today, e.g. the famous
-Pakastani accidental announcement of YouTube's address space.
+validation of BGP routes (<rfc id="6480">). BIRD supports only so-called
+RPKI-based origin validation. There is implemented RPKI to Router (RPKI-RTR)
+protocol (<rfc id="6810">). It uses some of the RPKI data to allow a router to
+verify that the autonomous system announcing an IP address prefix is in fact
+authorized to do so. This is not crypto checked so can be violated. But it
+should prevent the vast majority of accidental hijackings on the Internet today,
+e.g. the famous Pakistani accidental announcement of YouTube's address space.
<p>The RPKI-RTR protocol receives and maintains a set of ROAs from a cache
-server (also called validator). You can validate routes (RFC 6483) using
-function <cf/roa_check()/ in filter and set it as import filter at the BGP
-protocol. BIRD should re-validate all of affected routes after RPKI update by
-RFC 6811, but we don't support it yet! You can use a BIRD's client command
-<cf>reload in <m/bgp_protocol_name/</cf> for manual call of revalidation of all
-routes.
+server (also called validator). You can validate routes (<rfc id="6483">,
+<rfc id="6811">) using function <cf/roa_check()/ in filter and set it as import
+filter at the BGP protocol. BIRD offers crude automatic re-validating of
+affected routes after RPKI update, see option <ref id="proto-rpki-reload"
+name="rpki reload">. Or you can use a BIRD client command <cf>reload in
+<m/bgp_protocol_name/</cf> for manual call of revalidation of all routes.
<sect1>Supported transports
<p>
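Review bot: this hunk reflows both paragraphs anyway, so the pre-existing grammar should be fixed in the same pass rather than carried over: "There is implemented RPKI to Router (RPKI-RTR) protocol" reads better as "The RPKI to Router (RPKI-RTR) protocol is implemented", and the unchanged context line "is mechanism for origin" is missing an article ("is a mechanism for origin"). In the second paragraph "BIRD offers crude automatic re-validating of affected routes" undersells the new feature; "BIRD can automatically re-validate affected routes after a ROA table update" is clearer, and "for manual call of revalidation of all routes" should be "to manually trigger revalidation of all routes". It would also help to mention here that the automatic path has a prerequisite for BGP channels (an import or export table, as the rpki reload option documents), since a reader of this introduction may otherwise expect the default-on behaviour to cover every BGP channel.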