misunderstanding or incorrectly implemented filter?
Christoph
cm at appliedprivacy.net
Sat Oct 5 00:19:00 CEST 2019
Hello,
(please keep me in CC)
We use the filters from
https://bgpfilterguide.nlnog.net/
One of the first functions checks for bogon ASNs,
way before the RPKI ROA check:
> filter transit_in {
>
>   reject_bogon_asns();
[...]
>   if (net.type = NET_IP4) then {
>     if (roa_check(r4, net, bgp_path.last) = ROA_INVALID) then
>     {
>       print "Reject RPKI INVALID announcement ", net, " by AS", bgp_path.last;
>       reject;
>     }
>   }
[...]
My assumption was that an announcement from AS0 would never end up
at the RPKI ROA check, since it is already tested and rejected earlier by
the reject_bogon_asns() function,
but then I found log entries suggesting otherwise:
> Reject RPKI INVALID announcement 200.124.231.0/24 by AS0
So I was wondering:
- Did I incorrectly assume first match wins?
- Is the reject_bogon_asns() function not working as intended?
> define BOGON_ASNS = [ 0,                        # RFC 7607
>                       23456,                    # RFC 4893 AS_TRANS
>                       64496..64511,             # RFC 5398 and documentation/example ASNs
>                       64512..65534,             # RFC 6996 Private ASNs
>                       65535,                    # RFC 7300 Last 16 bit ASN
>                       65536..65551,             # RFC 5398 and documentation/example ASNs
>                       65552..131071,            # RFC IANA reserved ASNs
>                       4200000000..4294967294,   # RFC 6996 Private ASNs
>                       4294967295                # RFC 7300 Last 32 bit ASN
>                     ];
>
> function reject_bogon_asns()
> int set bogon_asns;
> {
>   bogon_asns = BOGON_ASNS;
>   if ( bgp_path ~ bogon_asns ) then {
>     print "Reject: bogon AS_PATH: ", net, " ", bgp_path;
>     reject;
>   }
> }
thanks,
Christoph
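An added Python model of the filter ordering in the post (this is illustration code, not BIRD code and not part of the original message). It keeps the two checks in the posted order and shows how an announcement can pass `bgp_path ~ bogon_asns` yet reach the ROA check with origin AS0. It assumes, as BIRD documents for `bgp_path.last` but the post does not state, that `.last` is 0 for an empty AS_PATH or one whose final segment is an AS_SET; the sample ASNs and the ROA are constructed.

```python
import ipaddress

# Bogon ASN ranges, copied from the BOGON_ASNS set in the post.
BOGON_ASNS = [(0, 0), (23456, 23456), (64496, 64511), (64512, 65534),
              (65535, 65535), (65536, 65551), (65552, 131071),
              (4200000000, 4294967294), (4294967295, 4294967295)]

def is_bogon(asn):
    return any(lo <= asn <= hi for lo, hi in BOGON_ASNS)

# An AS_PATH is modelled as a list of segments: ("SEQ", [asn, ...]) or ("SET", [asn, ...]).
def path_contains_bogon(path):
    """Models `bgp_path ~ bogon_asns`: true if any ASN in any segment is a bogon."""
    return any(is_bogon(asn) for _, asns in path for asn in asns)

def path_last(path):
    """Models `bgp_path.last`. Assumption (BIRD's documented behaviour, not stated in
    the post): the result is 0 for an empty path or when the last segment is an AS_SET."""
    if not path or path[-1][0] == "SET":
        return 0
    return path[-1][1][-1]

def roa_check(roas, prefix, origin):
    """RFC 6811 origin validation over a list of (roa_prefix, max_len, asn) tuples."""
    net = ipaddress.ip_network(prefix)
    covering = [asn for rp, ml, asn in roas
                if net.subnet_of(ipaddress.ip_network(rp)) and net.prefixlen <= ml]
    if not covering:
        return "ROA_UNKNOWN"
    return "ROA_VALID" if origin in covering else "ROA_INVALID"

def transit_in(prefix, path, roas):
    """The ordering from the post: bogon check first, then the ROA check.
    Returns the first rejection reason, or 'accept'."""
    if path_contains_bogon(path):
        return "Reject: bogon AS_PATH"
    origin = path_last(path)
    if roa_check(roas, prefix, origin) == "ROA_INVALID":
        return f"Reject RPKI INVALID announcement {prefix} by AS{origin}"
    return "accept"

# Constructed sample data: ASNs 1000..3001 and this ROA are invented for the model.
ROAS = [("200.124.231.0/24", 24, 3000)]

if __name__ == "__main__":
    # No bogon ASN anywhere in the path, but it ends in an AS_SET, so .last is 0
    # and the ROA check logs the same kind of line as seen in the post.
    print(transit_in("200.124.231.0/24", [("SEQ", [1000, 2000]), ("SET", [3000, 3001])], ROAS))
    print(transit_in("200.124.231.0/24", [("SEQ", [1000, 0])], ROAS))
```

Under this model, rejecting the route when `path_last(path) == 0` before the ROA check would make the bogon filter catch that case as well.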