On Fri, Oct 04, 2019 at 10:19:00PM +0000, Christoph wrote:
Hello,
(please keep me in CC)
we use filters from https://bgpfilterguide.nlnog.net/
One of the first functions checks for bogon ASNs way before the RPKI ROA check:
    filter transit_in {
        reject_bogon_asns();
        [...]
        if (net.type = NET_IP4) then {
            if (roa_check(r4, net, bgp_path.last) = ROA_INVALID) then {
                print "Reject RPKI INVALID announcement ", net, " by AS", bgp_path.last;
                reject;
            }
        }
        [...]
My assumption was that an announcement from AS0 would never end up at the RPKI ROA check, since it is already tested and rejected earlier at the reject_bogon_asns() function, but then I found log entries suggesting otherwise:
Reject RPKI INVALID announcement 200.124.231.0/24 by AS0
So I was wondering:
- Did I incorrectly assume first match wins?
- Is the reject_bogon_asns() function not working as intended?
Hello

bgp_path.last returns 0 if the last item is AS_SET. There is most likely no AS0 in the path.

--
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
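A small Python model of the behaviour described in the reply, added here as an example (it is not code from BIRD or from the filter guide): a path ending in an AS_SET contains no AS0, so a bogon check over the path's ASNs passes, while the origin handed to the ROA check is 0 and a covered prefix is logged as INVALID "by AS0". The segment representation, the form of the bogon check, the `BOGON_ASNS` subset and the ROA entry are assumptions constructed for illustration; `roa_check` here follows the RFC 6811 validation rules.

```python
import ipaddress

# Constructed sample data, not real RPKI data. BOGON_ASNS is only a subset of a
# real reserved-ASN list, so documentation ASNs can serve as sample path entries.
BOGON_ASNS = {0, 23456, 65535} | set(range(64512, 65535))
ROAS = [("192.0.2.0/24", 24, 64500)]  # (prefix, max length, authorized origin ASN)

# An AS path is modeled as a list of segments: ("SEQ", [asns]) or ("SET", [asns]).

def path_last(path):
    """Model of bgp_path.last as the reply describes it: 0 if the final segment is an AS_SET."""
    if not path:
        return 0
    kind, asns = path[-1]
    return asns[-1] if kind == "SEQ" and asns else 0

def has_bogon_asn(path):
    """Assumed bogon check: true only if an ASN actually present in the path is reserved."""
    return any(asn in BOGON_ASNS for _, asns in path for asn in asns)

def roa_check(prefix, origin):
    """RFC 6811 origin validation of (prefix, origin) against ROAS."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in ROAS:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            # AS0 never matches, so an origin of 0 cannot validate.
            if asn != 0 and asn == origin and net.prefixlen <= max_len:
                return "ROA_VALID"
    return "ROA_INVALID" if covered else "ROA_UNKNOWN"

def transit_in(prefix, path):
    """Same order as the quoted filter: bogon ASN check first, then the ROA check."""
    if has_bogon_asn(path):
        return "reject: bogon ASN in path"
    origin = path_last(path)
    if roa_check(prefix, origin) == "ROA_INVALID":
        return f"Reject RPKI INVALID announcement {prefix} by AS{origin}"
    return "accept"

if __name__ == "__main__":
    aggregated = [("SEQ", [64496, 64497]), ("SET", [64500, 64501])]
    print(transit_in("192.0.2.0/24", aggregated))
```
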