route server community evaluation examples - bug and fix
Chris Caputo
ccaputo at alt.net
Fri Jul 6 20:35:24 CEST 2018
On Mon, 22 Jan 2018, Chris Caputo wrote:
> To see the communities supported by the SIX route servers, refer to:
>
> https://www.seattleix.net/route-servers#communities
>
> Below is how we do it with bird 1.6.3. Not sure about 2.0+.
>
> I hope this helps and feedback from the community is welcome.
>
> Chris
>
> ---
>
> define myas = SET TO IXP ASN;
> define peerPrepend1 = 65001;
> define peerPrepend2 = 65002;
> define peerPrepend3 = 65003;
>
> # BGP output filter (based on communities)
> # Returning false means don't propagate route to peeras.
> # Returning true means do propagate route to peeras.
> function bgp_out_comm(int peeras)
> {
>   if ! (source = RTS_BGP ) then return false;
>
>   if (myas,0,peeras) ~ bgp_large_community then return false;
>   if (myas,1,peeras) ~ bgp_large_community then return true;
>   if (myas,0,0) ~ bgp_large_community then return false;
>
>   if peeras > 65535 then
>   {
>     if (ro,0,peeras) ~ bgp_ext_community then return false;
>     if (ro,myas,peeras) ~ bgp_ext_community then return true;
>     if ((ro,0,myas) ~ bgp_ext_community) then return false;
>   } else {
>     if ((0,peeras) ~ bgp_community) || ((ro,0,peeras) ~ bgp_ext_community) then return false;
>     if ((myas,peeras) ~ bgp_community) || ((ro,myas,peeras) ~ bgp_ext_community) then return true;
>     if ((0,myas) ~ bgp_community) || ((ro,0,myas) ~ bgp_ext_community) then return false;
>   }
>   return true;
> }

I now believe the above and examples at:

  https://gitlab.labs.nic.cz/labs/bird/wikis/Route_server_with_community_based_filtering_and_single_RIB
  https://www.nanog.org/meetings/nanog57/presentations/Wednesday/wed.general.Filip.BIRD.16.pdf

and likely elsewhere, are buggy in that 32-bit ASN peers of the route
server will be exempt from a standard community deny of (0:IXP_ASN).
They shouldn't be.

I believe the deny check for both standard and extended communities needs
to be outside of the check for a 32-bit ASN peer during the export
evaluation.

Thus the above should be changed as follows:

---
define myas = SET TO IXP ASN;

# BGP output filter (based on communities)
# Returning false means don't propagate route to peeras.
# Returning true means do propagate route to peeras.
function bgp_out_comm(int peeras)
{
  if ! (source = RTS_BGP ) then return false;

  if (myas,0,peeras) ~ bgp_large_community then return false;
  if (myas,1,peeras) ~ bgp_large_community then return true;
  if (myas,0,0) ~ bgp_large_community then return false;

  if peeras > 65535 then
  {
    if (ro,0,peeras) ~ bgp_ext_community then return false;
    if (ro,myas,peeras) ~ bgp_ext_community then return true;
  } else {
    if ((0,peeras) ~ bgp_community) || ((ro,0,peeras) ~ bgp_ext_community) then return false;
    if ((myas,peeras) ~ bgp_community) || ((ro,myas,peeras) ~ bgp_ext_community) then return true;
  }

  if ((0,myas) ~ bgp_community) || ((ro,0,myas) ~ bgp_ext_community) then return false;

  return true;
}
---
Diff as follows:
---
{
if (ro,0,peeras) ~ bgp_ext_community then return false;
if (ro,myas,peeras) ~ bgp_ext_community then return true;
- if ((ro,0,myas) ~ bgp_ext_community) then return false;
} else {
if ((0,peeras) ~ bgp_community) || ((ro,0,peeras) ~ bgp_ext_community) then return false;
if ((myas,peeras) ~ bgp_community) || ((ro,myas,peeras) ~ bgp_ext_community) then return true;
- if ((0,myas) ~ bgp_community) || ((ro,0,myas) ~ bgp_ext_community) then return false;
}
+
+ if ((0,myas) ~ bgp_community) || ((ro,0,myas) ~ bgp_ext_community) then return false;
+
return true;
}
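
Review bot: the hoisted check on (0,myas) and (ro,0,myas), added after the closing brace of the if/else, has no comment, and its correctness depends on where it sits: it has to stay below the two per-peer "return true" lines inside the branches so that an explicit allow for peeras still overrides the block-all. Suggest a one-line comment directly above it stating that this is the block-all deny, that it applies to 16-bit and 32-bit ASN peers alike, and that it must remain after the per-peer branches.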
---
Feedback welcome and if agreed, I think the wiki should be updated.
Thanks,
Chris
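
The difference between the two versions of bgp_out_comm() above, shown as an added Python model that is not part of the original post and is not BIRD code. MYAS, PEER16 and PEER32 are constructed values, and the route is assumed to have passed the RTS_BGP test.

```python
from itertools import combinations

MYAS = 64500                          # assumption: documentation-range IXP ASN
PEER16, PEER32 = 64496, 4200000001    # constructed 16-bit and 32-bit peer ASNs

def bgp_out_comm(route, peeras, fixed):
    """Model of the post's filter for a BGP-learned route (the RTS_BGP test is
    assumed to pass). route maps 'std', 'ext', 'large' to sets of tuples."""
    std, ext, large = route["std"], route["ext"], route["large"]
    if (MYAS, 0, peeras) in large: return False
    if (MYAS, 1, peeras) in large: return True
    if (MYAS, 0, 0) in large: return False
    block_all = (0, MYAS) in std or ("ro", 0, MYAS) in ext
    if peeras > 65535:
        if ("ro", 0, peeras) in ext: return False
        if ("ro", MYAS, peeras) in ext: return True
        # original placement: only the extended form is tested here
        if not fixed and ("ro", 0, MYAS) in ext: return False
    else:
        if (0, peeras) in std or ("ro", 0, peeras) in ext: return False
        if (MYAS, peeras) in std or ("ro", MYAS, peeras) in ext: return True
        if not fixed and block_all: return False
    # fixed placement: both forms tested for every peer
    if fixed and block_all: return False
    return True

def divergences():
    """Every (peer, tag combination) where the two versions disagree."""
    found = []
    for peer in (PEER16, PEER32):
        tags = [("std", (0, MYAS)), ("ext", ("ro", 0, MYAS)),
                ("ext", ("ro", MYAS, peer)), ("ext", ("ro", 0, peer)),
                ("large", (MYAS, 1, peer)), ("large", (MYAS, 0, 0))]
        for n in range(len(tags) + 1):
            for combo in combinations(tags, n):
                route = {"std": set(), "ext": set(), "large": set()}
                for kind, value in combo:
                    route[kind].add(value)
                if bgp_out_comm(route, peer, False) != bgp_out_comm(route, peer, True):
                    found.append((peer, combo))
    return found

if __name__ == "__main__":
    for peer, combo in divergences():
        print("AS%d: original exports, fixed denies, tags=%s" % (peer, combo))
```

Across all 64 tag combinations per peer, the two versions disagree in exactly one case: a route carrying only the standard (0:IXP_ASN) community, evaluated for the 32-bit ASN peer.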