From e2728c8078161d9811d6c24a11e4c95efd1c9313 Mon Sep 17 00:00:00 2001
From: Job Snijders
Date: Thu, 22 Feb 2024 14:58:29 +0100
Subject: RPKI: Add 'local address' configuration option
Allow to explicitly configure the source IP address for RPKI-To-Router sessions. Predictable source addresses are useful for minimizing the holes to be poked in ACLs. Changed from 'source address' to 'local address' by committer.
---
 doc/bird.sgml | 4 ++++
 proto/rpki/config.Y | 3 ++-
 proto/rpki/rpki.h | 1 +
 proto/rpki/transport.c | 1 +
 4 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/doc/bird.sgml b/doc/bird.sgml
index 76ca7f75..aeecb1dc 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -5697,6 +5697,7 @@ protocol rpki [<name>] {
 roa6 { table <tab>; };
 remote <ip> | "<domain>" [port <num>];
 port <num>;
+ local address <ip>;
 refresh [keep] <num>;
 retry [keep] <num>;
 expire [keep] <num>;
@@ -5726,6 +5727,9 @@ specify both channels. number is 323 for transport without any encryption and 22 for transport with SSH encryption. + local address Define local address we should use as a source address for the RTR session. + refresh [keep] Time period in seconds. Tells how long to wait before next attempting to poll the cache using a Serial Query or a Reset Query packet. Must be lower than 86400 seconds (one
diff --git a/proto/rpki/config.Y b/proto/rpki/config.Y
index c28cab7a..769ebb2c 100644
--- a/proto/rpki/config.Y
+++ b/proto/rpki/config.Y
@@ -32,7 +32,7 @@ rpki_check_unused_transport(void)
 CF_DECLS
 CF_KEYWORDS(RPKI, REMOTE, BIRD, PRIVATE, PUBLIC, KEY, TCP, SSH, TRANSPORT, USER,
- RETRY, REFRESH, EXPIRE, KEEP, IGNORE, MAX, LENGTH)
+ RETRY, REFRESH, EXPIRE, KEEP, IGNORE, MAX, LENGTH, LOCAL, ADDRESS)
 %type rpki_keep_interval
@@ -60,6 +60,7 @@ rpki_proto_item:
 | REMOTE rpki_cache_addr
 | REMOTE rpki_cache_addr rpki_proto_item_port
 | rpki_proto_item_port
+ | LOCAL ADDRESS ipa { RPKI_CFG->local_ip = $3; }
 | TRANSPORT rpki_transport
 | REFRESH rpki_keep_interval expr {
 if (rpki_check_refresh_interval($3))
diff --git a/proto/rpki/rpki.h b/proto/rpki/rpki.h
index 8a5c38fd..e67eb0e3 100644
--- a/proto/rpki/rpki.h
+++ b/proto/rpki/rpki.h
@@ -116,6 +116,7 @@ struct rpki_proto {
 struct rpki_config {
 struct proto_config c;
 const char *hostname; /* Full domain name or stringified IP address of cache server */
+ ip_addr local_ip; /* Source address to use */
 ip_addr ip; /* IP address of cache server or IPA_NONE */
 u16 port; /* Port number of cache server */
 struct rpki_tr_config tr_config; /* Specific transport configuration structure */
diff --git a/proto/rpki/transport.c b/proto/rpki/transport.c
index 81bd6dd8..26571977 100644
--- a/proto/rpki/transport.c
+++ b/proto/rpki/transport.c
@@ -82,6 +82,7 @@ rpki_tr_open(struct rpki_tr_sock *tr)
 sk->daddr = cf->ip;
 sk->dport = cf->port;
 sk->host = cf->hostname;
+ sk->saddr = cf->local_ip;
 sk->rbsize = RPKI_RX_BUFFER_SIZE;
 sk->tbsize = RPKI_TX_BUFFER_SIZE;
 sk->tos = IP_PREC_INTERNET_CONTROL;
-- 
cgit v1.2.3
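Review bot: The `LOCAL ADDRESS ipa` action stores `$3` into `RPKI_CFG->local_ip` without checking that it belongs to the same address family as the remote address, so an IPv4 local address paired with an IPv6 cache (or the reverse) is accepted at configuration time and only fails later, when the session socket is opened. Because `remote` may be written after `local address` inside the same block, the check cannot live in this action; it belongs where the protocol block is closed — presumably next to rpki_check_unused_transport(), which the earlier hunk header shows exists — along the lines of `if (ipa_nonzero(cf->ip) && ipa_nonzero(cf->local_ip) && ipa_is_ip4(cf->ip) != ipa_is_ip4(cf->local_ip)) cf_error("Local address family does not match remote address");` with cf being the rpki_config under check. When the remote is given as a hostname the family is not known at this point, so that case has to be left to the transport. The rpki_proto_item rule starts before this hunk and continues after it.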
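Review bot: The new `local_ip` member is documented only as `/* Source address to use */`, which leaves the "not configured" value unstated, whereas the neighbouring `ip` field spells out its IPA_NONE sentinel. If the config structure is zero-allocated (not visible in this hunk), omitting `local address` leaves the field as IPA_NONE and the socket layer is expected to pick the source itself — that is the contract the transport.c assignment relies on, so the comment should say so: `ip_addr local_ip; /* Source address for the session, or IPA_NONE to let the system choose */`. The struct rpki_config definition continues past the end of the hunk.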
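Review bot: `sk->saddr = cf->local_ip;` is applied unconditionally before the socket is opened, but this hunk does not show whether the SSH transport path honours sk->saddr; if the libssh-based open ignores it, a configured `local address` is silently disregarded for SSH sessions, which defeats the stated purpose of predictable source addresses for ACLs. Either bind the SSH session to the same address or reject `local address` together with `transport ssh` at configuration time, and state in the documentation which of the two applies. A short comment would make the expectation explicit in the meantime: `sk->saddr = cf->local_ip; /* IPA_NONE lets the system choose; TODO(review): confirm the SSH path applies this */`. rpki_tr_open() starts before this hunk.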