Commit 4cf229a0 authored by Pavel Tvrdík's avatar Pavel Tvrdík

RPKI protocol with integrated RTRLib inside

Add the RPKI protocol (RFC 6810) using the RTRLib
(http://rpki.realmv6.org/) that is integrated inside
the BIRD's code.

Implemented transports are:
 - unprotected transport over TCP
 - secure transport over SSHv2

The code should work properly with one cache server per protocol.

A compilation has to be hacked with:
  $ ./configure LIBS='-lssh' ...

Example configuration of bird.conf:
  ...
  roa table roatable;

  protocol rpki {
      roa table roatable;
      cache "rpki-validator.realmv6.org";
  }

  protocol rpki {
    roa table roatable;
    cache "localhost" {
      port 2222;
      ssh encryption {
        bird private key "/home/birdgeek/.ssh/id_rsa";
        cache public key "/home/birdgeek/.ssh/known_hosts";
        user "birdgeek";
      };
    };
  }
  ...

TODO list:
 - load libssh2 using dlopen
 - support more cache servers per protocol
parent 33b4f40a
+20 −0
@@ -10,6 +10,8 @@ CF_HDR

#define PARSER 1

#include <stdio.h>

#include "nest/bird.h"
#include "conf/conf.h"
#include "lib/resource.h"
@@ -26,6 +28,13 @@ CF_HDR

CF_DEFINES

static void
check_u8(unsigned val)
{
  if (val > 0xFF)
    cf_error("Value %d out of range (0-255)", val);
}

static void
check_u16(unsigned val)
{
@@ -33,6 +42,16 @@ check_u16(unsigned val)
    cf_error("Value %d out of range (0-65535)", val);
}

static void
check_file_readability(const char *file_path)
{
  FILE *file = fopen(file_path, "r");
  if (file)
    fclose(file);
  else
    cf_error("File '%s' cannot be open for read: %m", file_path);
}

CF_DECLS

%union {
@@ -55,6 +74,7 @@ CF_DECLS
  struct lsadb_show_data *ld;
  struct iface *iface;
  struct roa_table *rot;
  struct roa_table_config *rotcf;
  void *g;
  bird_clock_t time;
  struct prefix px;
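Review bot: check_file_readability only proves that fopen(3) succeeded at parse time, so it accepts a FIFO or device node (where fopen may block or succeed meaninglessly) and says nothing about whether the private key named by `bird private key` is readable by others; since the path is a secret, a stat()-based check that requires S_ISREG and warns on group/world-readable mode (st_mode & (S_IRWXG|S_IRWXO)) would be more useful. The result is also inherently time-of-check/time-of-use — presumably libssh reopens the file later, so the check should be described as a configuration sanity check, not a guarantee. This needs `#include <sys/stat.h>` next to the added `<stdio.h>`; the message wording `cannot be open for read` should read `cannot be opened for reading`.
```c
static void
check_file_readability(const char *file_path)
{
  struct stat st;

  if (stat(file_path, &st) < 0)
    cf_error("File '%s' cannot be accessed: %m", file_path);

  /* Key files must be regular files; fopen() on a FIFO or device would block or lie */
  if (!S_ISREG(st.st_mode))
    cf_error("File '%s' is not a regular file", file_path);

  FILE *file = fopen(file_path, "r");
  if (!file)
    cf_error("File '%s' cannot be opened for reading: %m", file_path);
  fclose(file);
}
```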
+5 −1
@@ -205,7 +205,7 @@ fi

AC_SUBST(iproutedir)

all_protocols="$proto_bfd bgp ospf pipe $proto_radv rip static"
all_protocols="$proto_bfd bgp ospf pipe $proto_radv rip rpki static"
all_protocols=`echo $all_protocols | sed 's/ /,/g'`

if test "$with_protocols" = all ; then
@@ -262,6 +262,10 @@ if test "$enable_debug" = yes ; then
	fi
fi

BIRD_LIBS=
AC_CHECK_LIB(dl, dlopen, BIRD_LIBS="-ldl")
AC_SUBST(BIRD_LIBS)

CLIENT=
CLIENT_LIBS=
if test "$enable_client" = yes ; then
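Review bot: rpki is added to all_protocols unconditionally on L106 while the only new library probe is the dlopen check on L115, so nothing detects or links libssh, which lib/socket.h now includes unconditionally; a host without libssh fails at compile time instead of at configure time, and that is why the commit message needs the `./configure LIBS='-lssh'` workaround. A probe such as `AC_CHECK_LIB(ssh, ssh_new, [BIRD_LIBS="$BIRD_LIBS -lssh"; AC_DEFINE(HAVE_LIBSSH)], [AC_MSG_ERROR([libssh is required for the rpki protocol])])` placed before AC_SUBST(BIRD_LIBS) would make the dependency self-describing. If the dlopen TODO from the commit message is the intended end state, the probe could instead drop rpki from all_protocols when libssh is missing rather than erroring out.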
+23 −1
@@ -10,16 +10,35 @@
#define _BIRD_SOCKET_H_

#include <errno.h>
#include <libssh/libssh.h>
// #include <sys/socket.h>

#include "lib/resource.h"

struct ssh_sock {
    char *username;			/* (Required) SSH user name */
    char *server_hostkey_path;		/* (Optional) Filepath to the SSH public key of remote side, can be knownhost file */
    char *client_privkey_path;		/* (Optional) Filepath to the SSH private key of BIRD */
    char *subsystem;			/* (Optional) Name of SSH subsytem */
    ssh_session session;		/* Internal */
    ssh_channel channel;		/* Internal */
    int state;				/* Internal */
#define BIRD_SSH_CONNECT			0 /* Start state */
#define BIRD_SSH_IS_SERVER_KNOWN		1
#define BIRD_SSH_USERAUTH_PUBLICKEY_AUTO 	2
#define BIRD_SSH_CHANNEL_NEW			3
#define BIRD_SSH_CHANNEL_OPEN_SESSION		4
#define BIRD_SSH_CHANNEL_REQUEST_SUBSYSTEM	5
#define BIRD_SSH_CONNECTION_ESTABLISHED		6 /* Final state */
};

typedef struct birdsock {
  resource r;
  pool *pool;				/* Pool where incoming connections should be allocated (for SK_xxx_PASSIVE) */
  int type;				/* Socket type */
  void *data;				/* User data */
  ip_addr saddr, daddr;			/* IPA_NONE = unspecified */
  char *host;				/* Alternative to daddr, NULL = unspecified */
  uint sport, dport;			/* 0 = unspecified (for IP: protocol type) */
  int tos;				/* TOS / traffic class, -1 = default */
  int priority;				/* Local socket priority, -1 = default */
@@ -51,7 +70,8 @@ typedef struct birdsock {
  node n;
  void *rbuf_alloc, *tbuf_alloc;
  char *password;			/* Password for MD5 authentication */
  char *err;				/* Error message */
  const char *err;				/* Error message */
  struct ssh_sock *ssh;			/* Used in SK_SSH */
} sock;

sock *sock_new(pool *);			/* Allocate new socket */
@@ -122,6 +142,8 @@ extern int sk_priority_control; /* Suggested priority for control traffic, shou
#define SK_MAGIC	7	   /* Internal use by sysdep code */
#define SK_UNIX_PASSIVE	8
#define SK_UNIX		9
#define SK_SSH_ACTIVE	10         /* -  -  *  *  -  ?   -	DA = host */
#define SK_SSH		11

/*
 *  For SK_UDP or SK_IP sockets setting DA/DP allows to use sk_send(),
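Review bot: server_hostkey_path is documented as "(Optional)" on L134, but the cache server's host key is the only thing that authenticates the peer on the SSH transport, so the header should say what a NULL value means — whether the BIRD_SSH_IS_SERVER_KNOWN step refuses the connection or skips verification and leaves the session unauthenticated. Suggested wording, to be adjusted to what the sysdep code actually does: `/* (Optional) Path to the server's public key or a known_hosts file; when NULL the host key is NOT verified and the cache is not authenticated -- confirm against sysdep */`. Separately, `#include <libssh/libssh.h>` on L127 makes every translation unit that includes lib/socket.h depend on libssh even when rpki is not built; the include and struct ssh_sock could be wrapped in `#ifdef CONFIG_RPKI`, since the `struct ssh_sock *ssh` member only needs an incomplete type. The commented-out `// #include <sys/socket.h>` on L128 should be removed rather than left as dead code.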
+9 −0
@@ -76,6 +76,7 @@ CF_ENUM(T_ENUM_ROA, ROA_, UNKNOWN, VALID, INVALID)
%type <ra> r_args
%type <ro> roa_args
%type <rot> roa_table_arg
%type <rotcf> roa_table_cf
%type <sd> sym_args
%type <i> proto_start echo_mask echo_size debug_mask debug_list debug_flag mrtdump_mask mrtdump_list mrtdump_flag export_mode roa_mode limit_action tab_sorted tos
%type <ps> proto_patt proto_patt2
@@ -262,6 +263,14 @@ rtable:
   }
 ;

roa_table_cf:
    SYM {
      if ($1->class != SYM_ROA) cf_error("ROA table name expected");
      $$ = $1->def;
    }
  ;


CF_ADDTO(conf, debug_default)

debug_default:
+3 −0
@@ -919,6 +919,9 @@ protos_build(void)
  proto_build(&proto_bfd);
  bfd_init_all();
#endif
#ifdef CONFIG_RPKI
  proto_build(&proto_rpki);
#endif

  proto_pool = rp_new(&root_pool, "Protocols");
  proto_flush_event = ev_new(proto_pool);