<div dir="ltr">Hello,<br><br>I've reviewed all the changes and am happy with them. Had some misgivings about renaming 'strict mode ' to 'required roles' , but since this option can be easily found by searching for a phrase in the documentation, it looks fine too.<br><br>Therefore, I have no additional concerns and agree with the merging of the current version of the patch.<br><br>Two words about the mentioned problems.<br>1) In the RFC, we wanted to address a situation where roles could be used in a complex confederation setup without leaking information outside the confederation. However, since this action is NOT RECOMMENDED, the ISP should apply route filtering or attribute removal at the edge of an AS Confederation with a member ASN as an OTC value at its own risk. So, warning seems to be the most appropriate solution for this case.<br>2) Including the bgp_otc attribute in the route map can be a great option for complex bgp relationships between two ISPs. And they can be used in some weird scenarios (like the confederation scenario mentioned above, for example). They were not included in the core patch only because they are not part of the core functionality of the roles that we want to provide as soon as possible.<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jul 11, 2022 at 6:59 PM Ondrej Zajicek <<a href="mailto:santiago@crfreenet.org">santiago@crfreenet.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Tue, Jun 28, 2022 at 12:37:08PM +0300, Eugene Bogomazov wrote:<br>
> Hello everyone,<br>
> <br>
> The current changes were sufficient to add the described AFI/SAFI check.<br>
> Role/OTC rules now only apply to the unicast session. I've checked this on<br>
> a stand with a mixture of multicast and unicast sessions and it seems to<br>
> work well in all cases.<br>
> <br>
> As a result, all the necessary basic functionality for roles has been<br>
> achieved.<br>
> <br>
> I decided to collect all my patches into one to make patching easier and<br>
> I'll attach it to this post. This can be applied to the latest master<br>
> version.<br>
<br>
Hello<br>
<br>
Finally did some thorough review and prepared it for merging.<br>
<br>
Found some bugs:<br>
<br>
bgp_update_attrs():<br>
bgp_set_attr_u32(&attrs, pool, BA_ONLY_TO_CUSTOMER, 0, p->local_as);<br>
<br>
Here should be p->public_as, to handle case of AS confederation boundary,<br>
where local_as is internal member-AS, while public_as is a confederation ID.<br>
<br>
<br>
bgp_read_capabilities():<br>
caps->role = BGP_ROLE_UNDEFINED;<br>
<br>
This should be set when caps is allocated (caps = mb_allocz()), as it is<br>
possible to call bgp_read_capabilities() multiple times (if capabilities<br>
are split to multiple OPEN option).<br>
<br>
There should also be a check for received capability value equal to<br>
BGP_ROLE_UNDEFINED, in which case it should fail.<br>
<br>
<br>
bgp_format_role_name():<br>
if (role <= 5)<br>
<br>
Here should be (role < 5)?<br>
<br>
<br>
Also did some minor changes:<br>
<br>
- renamed 'strict mode' to 'require roles'<br>
- removed conn->neighbor_role, just used caps->role<br>
- simplified error handling in bgp_read_capabilities() and bgp_finish_attrs()<br>
- improve error messages in case of route leaks<br>
<br>
<br>
The final patch is here:<br>
<br>
<a href="https://gitlab.nic.cz/labs/bird/-/commit/c73b5d2d3d94204d2a81d93efd02c4c115859353" rel="noreferrer" target="_blank">https://gitlab.nic.cz/labs/bird/-/commit/c73b5d2d3d94204d2a81d93efd02c4c115859353</a><br>
<br>
Are you OK with these changes? If so, i will merge it to the master branch.<br>
<br>
I am also working on some test setup for our CI.<br>
<br>
<br>
There are still two remaining issues related to BGP roles (which could be<br>
targetted in following patches):<br>
<br>
1) As confederation handling<br>
<br>
It does not really work properly. RFC says:<br>
<br>
Also, on egress from the AS Confederation, an UPDATE MUST NOT contain an<br>
OTC Attribute with a value corresponding to any Member-AS Number other<br>
than the AS Confederation Identifier.<br>
<br>
That is not done and cannot be done based on local information. That is<br>
why AS_PATH has separate AS_SEQUENCE and AS_CONFED_SEQUENCE, so internal<br>
ASes can be stripped on confederation boundary without knowledge of all<br>
internal ASes. This is something that is underestimated in the RFC 9234.<br>
<br>
We could either just disallow roles on intra-confederation EBGP links, or<br>
just put big fat warning when configured.<br>
<br>
<br>
2) Filter support for bgp_otc attribute<br>
<br>
I think there should be filter support, although it could be<br>
controversial considering RFC says:<br>
<br>
Once the OTC Attribute has been set, it MUST be preserved unchanged<br>
(this also applies to an AS Confederation).<br>
<br>
The operator MUST NOT have the ability to modify the procedures<br>
defined in this section.<br>
<br>
<br>
-- <br>
Elen sila lumenn' omentielvo<br>
<br>
Ondrej 'Santiago' Zajicek (email: <a href="mailto:santiago@crfreenet.org" target="_blank">santiago@crfreenet.org</a>)<br>
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, <a href="http://wwwkeys.pgp.net" rel="noreferrer" target="_blank">wwwkeys.pgp.net</a>)<br>
"To err is human -- to blame it on a computer is even more so."<br>
</blockquote></div>