search

pierky / arouteserver

A tool to automatically build (and test) feature-rich configurations for BGP route servers.
https://arouteserver.readthedocs.org/
GNU General Public License v3.0
288 stars 46 forks source link

transit_free['asns'] members should be omitted on sessions with such a member #21

Closed job closed 6 years ago

job commented 6 years ago

Imagine we add 2914 to transit_free['asns'] but 2914 wishes to peer with an arouteserver instance - the _2914_ prefixes should be accepted on the direct 2914 sessions but not on any other sessions.

AKA - pop 2914 from transit_free_asns list on the direct 2914 sessions - but not other sessions

pierky commented 6 years ago

Hi @job,

on OpenBGPD, if the client's ASN is in the transit_free['asns'] list the filter is not applied at all:

https://github.com/pierky/arouteserver/blob/3f336028f2b52993fee38b61d06267eb58bd35f2/templates/openbgpd/filters.j2#L255-L262

On BIRD, there's a function that determines whether the filter must be applied or not, and it returns false when the first ASN in the AS_PATH (that is, the client's ASN) is within the list:

https://github.com/pierky/arouteserver/blob/3f336028f2b52993fee38b61d06267eb58bd35f2/templates/bird/common.j2#L71-L90

That allows the route server to accept routes from a specific "transit free" ASN when they are announced on the session toward the transit free network itself. Does it work for you?

job commented 6 years ago

on OpenBGPD, if the client's ASN is in the transit_free['asns'] list the filter is not applied at all

OK - I think we should improve on this. If the client's ASN is in the transit_free['asns'] list, the client's should be popped from the list but the other transit-free ASNs should still be blocked on that one client.

Aka - if I add 1299 and 2914 to the list, arouteserver shouldn't accept 1299 behind 2914.

On Tue, Mar 13, 2018 at 7:02 PM, Pier Carlo Chiodi <notifications@github.com

wrote:

Hi @job https://github.com/job,

on OpenBGPD, if the client's ASN is in the transit_free['asns'] list the filter is not applied at all:

https://github.com/pierky/arouteserver/blob/3f336028f2b52993fee38b61d06267 eb58bd35f2/templates/openbgpd/filters.j2#L255-L262

On BIRD, there's a function that determines whether the filter must be applied or not, and it returns false when the first ASN in the AS_PATH (that is, the client's ASN) is within the list:

https://github.com/pierky/arouteserver/blob/3f336028f2b52993fee38b61d06267 eb58bd35f2/templates/bird/common.j2#L71-L90

That allows the route server to accept routes from a specific "transit free" ASN when they are announced on the session toward the transit free network itself. Does it work for you?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/pierky/arouteserver/issues/21#issuecomment-372761997, or mute the thread https://github.com/notifications/unsubscribe-auth/AAJY2H0BRg2eRfA_-kMgeyFmS8TmtoESks5teAnIgaJpZM4SlQZe .

job commented 6 years ago

Should I test this https://github.com/pierky/arouteserver/commit/03caa69014cb0ace66123c0413d53f037d646e9e commit?

pierky commented 6 years ago

Yes, it should work. I'm sorry for being slow to push updates on this, btw I've run regression tests and also a new test case to verify the changes and they work.