Add PeeringDB prefix limit script

quantum5 · Mar 29, 2024 · a114aa9 · a114aa9
1 parent 37ef7fc
commit a114aa9
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -271,6 +271,30 @@ used by downstreams:
 5. Create a cron job that runs `make-irr-filter` followed by `birdc configure`.
    Daily is a reasonable cadence.
 
+## PeeringDB prefix limits
+
+1. Follow [`prefix-limits.example`][prefix-conf] and create
+   `/etc/bird/prefix-limits` for peers for whom you'd like to enforce a prefix
+   limit.
+2. Adjust [`make-prefix-limits`][prefix-script] to use your own PeeringDB mirror
+   if you risk getting rate limited.
+3. Run `make-prefix-limits` to re-generate the prefix limits file.
+4. Add `include "prefix_limit.conf";` into your `bird.conf`.
+5. You can use constants like `LIMIT_AS200351_V4` or `LIMIT_AS200351_V6` in your
+   `bird.conf`, for example:
+   ```
+   protocol bgp peer_v6 {
+       ...
+
+       ipv6 {
+           import limit LIMIT_AS23456_V6 action disable;
+           ...
+       };
+   }
+   ```
+6. Create a cron job that runs `make-prefix-limits` followed by
+   `birdc configure`. Daily is a reasonable cadence.
+
 ## RPKI filtering
 
 While this filter library implements RPKI, you still need to populate the
@@ -299,3 +323,5 @@ Routinator instance over HTTPS.
   [skeleton]: skeleton.conf
   [irr-conf]: irr-filters.example
   [irr-script]: make-irr-filter
+  [prefix-conf]: prefix-limits.example
+  [prefix-script]: make-prefix-limits
diff --git a/make-prefix-limits b/make-prefix-limits
@@ -0,0 +1,32 @@
+#!/bin/bash
+set -euo pipefail
+
+# Change this to a PeeringDB mirror
+PEERINGDB=https://www.peeringdb.com
+
+PEER_SOURCE=/etc/bird/prefix-limits
+LIMIT_OUTPUT=/etc/bird/prefix_limits.conf
+
+[ -f "$PEER_SOURCE" ] || exit
+
+tmpdir="$(mktemp -d /tmp/bird-prefix-limit.XXXXXX)"
+cleanup() {
+  rm -rf "$tmpdir"
+}
+trap cleanup EXIT
+
+join_by() {
+  local d=${1-} f=${2-}
+  if shift 2; then
+    printf %s "$f" "${@/#/$d}"
+  fi
+}
+
+readarray -t asns < <(grep -vE '^#|^$' "$PEER_SOURCE")
+
+curl -s "$PEERINGDB/api/net?asn__in=$(join_by , "${asns[@]}")" | \
+  jq -r '(.data // [])[] | "define LIMIT_AS\(.asn)_V4 = \(.info_prefixes4);\ndefine LIMIT_AS\(.asn)_V6 = \(.info_prefixes6);"' \
+  > "$tmpdir/limits.conf"
+
+mv "$tmpdir/limits.conf" "$LIMIT_OUTPUT"
+chmod a+r "$LIMIT_OUTPUT"
diff --git a/prefix-limits.example b/prefix-limits.example
@@ -0,0 +1,5 @@
+# You can use # for comments.
+# Cloudflare
+13335
+# Quantum
+200351