Hello,

(please keep me in CC)

We use filters from https://bgpfilterguide.nlnog.net/. One of the first functions checks for bogon ASNs, well before the RPKI ROA check:
filter transit_in {
  reject_bogon_asns();
  [...]
  if (net.type = NET_IP4) then {
    if (roa_check(r4, net, bgp_path.last) = ROA_INVALID) then {
      print "Reject RPKI INVALID announcement ", net, " by AS", bgp_path.last;
      reject;
    }
  }
  [...]
My assumption was that an announcement from AS0 would never reach the RPKI ROA check, since it is already tested and rejected earlier by the reject_bogon_asns() function, but then I found log entries suggesting otherwise:
Reject RPKI INVALID announcement 200.124.231.0/24 by AS0
So I was wondering:

- Did I incorrectly assume that the first match wins?
- Is the reject_bogon_asns() function not working as intended?
define BOGON_ASNS = [
  0,                          # RFC 7607
  23456,                      # RFC 4893 AS_TRANS
  64496..64511,               # RFC 5398 and documentation/example ASNs
  64512..65534,               # RFC 6996 Private ASNs
  65535,                      # RFC 7300 Last 16 bit ASN
  65536..65551,               # RFC 5398 and documentation/example ASNs
  65552..131071,              # RFC IANA reserved ASNs
  4200000000..4294967294,     # RFC 6996 Private ASNs
  4294967295                  # RFC 7300 Last 32 bit ASN
];

function reject_bogon_asns()
int set bogon_asns;
{
  bogon_asns = BOGON_ASNS;
  # true if any ASN anywhere in the AS_PATH is a member of the set
  if ( bgp_path ~ bogon_asns ) then {
    print "Reject: bogon AS_PATH: ", net, " ", bgp_path;
    reject;
  }
}
Thanks,
Christoph
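Added example, not part of Christoph's post or of the bgpfilterguide code: a small Python model of the two checks in the order the filter runs them, with a minimal RFC 6811 origin validation over an in-memory ROA table. It assumes two things about BIRD semantics that the post itself does not state: that `bgp_path ~ bogon_asns` matches when any ASN in the path is in the set, and that `bgp_path.last` evaluates to 0 when the AS_PATH is empty. Under those assumptions an empty-path route passes the bogon check (there is no AS0 in the path to match) yet is validated with origin 0 and logged "by AS0". The ROA entries and ASNs below are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Bogon ASN ranges, inclusive, copied from the BOGON_ASNS define in the post.
BOGON_ASN_RANGES = [
    (0, 0), (23456, 23456), (64496, 64511), (64512, 65534), (65535, 65535),
    (65536, 65551), (65552, 131071), (4200000000, 4294967294),
    (4294967295, 4294967295),
]

ROA_VALID, ROA_INVALID, ROA_UNKNOWN = "ROA_VALID", "ROA_INVALID", "ROA_UNKNOWN"


@dataclass(frozen=True)
class Roa:
    prefix: str    # covering prefix, e.g. "200.124.231.0/24"
    max_len: int   # longest prefix length the ROA authorises
    asn: int       # authorised origin AS (0 means "nobody may originate")


# Constructed ROA table for the example; not real RPKI data.
ROAS = [Roa("200.124.231.0/24", 24, 12345)]


def is_bogon_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in BOGON_ASN_RANGES)


def path_has_bogon(path) -> bool:
    """Models `bgp_path ~ bogon_asns` (assumption: any ASN in the path in the set)."""
    return any(is_bogon_asn(asn) for asn in path)


def path_last(path) -> int:
    """Models `bgp_path.last` (assumption: an empty AS_PATH yields 0)."""
    return path[-1] if path else 0


def roa_check(roas, prefix: str, origin: int) -> str:
    """RFC 6811 origin validation: INVALID if some ROA covers the prefix but
    none matches origin and max length; UNKNOWN if no ROA covers it at all."""
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # An AS0 ROA never matches anything; it only makes the prefix covered.
        if roa.asn != 0 and roa.asn == origin and net.prefixlen <= roa.max_len:
            return ROA_VALID
    return ROA_INVALID if covered else ROA_UNKNOWN


def transit_in(prefix: str, path, roas=ROAS):
    """Run the two checks in the filter's order; the first reject ends evaluation."""
    if path_has_bogon(path):
        return ("reject", f"Reject: bogon AS_PATH: {prefix} {list(path)}")
    origin = path_last(path)
    if roa_check(roas, prefix, origin) == ROA_INVALID:
        return ("reject", f"Reject RPKI INVALID announcement {prefix} by AS{origin}")
    return ("accept", "")


if __name__ == "__main__":
    # Constructed announcements: the empty path is the one that reproduces the
    # "by AS0" log line without any AS0 ever appearing in bgp_path.
    for prefix, path in [
        ("200.124.231.0/24", [64512, 12345]),   # private ASN in path: bogon reject
        ("200.124.231.0/24", [0]),              # explicit AS0 in path: bogon reject
        ("200.124.231.0/24", []),               # empty path: passes bogon check, last = 0
        ("200.124.231.0/24", [12345]),          # matching ROA: accept
        ("200.124.231.0/25", [12345]),          # too specific for max_len: invalid
        ("198.51.100.0/24", [12345]),           # no covering ROA: unknown, accept
    ]:
        print(prefix, path, "->", transit_in(prefix, path))
```

The model is deliberately literal: `transit_in` returns at the first reject, so "first match wins" holds, and the only way to reach the ROA check with origin 0 is a path that contains no bogon ASN yet still reports 0 as its last AS.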