Import filter on 2nd ASN in AS path?
Hello folks,
can I somehow import filter only on the 2nd AS number in the AS path? I know with the snippet below (heavily inspired by bgpfilterguide.nlnog.net), I can filter on AS numbers that appear somewhere in the AS path, however this import filter catches by nature also some pseudo-legitimate networks.
define BOGON_ASNS = [ 0, 23456, 64496..64511, 64512..65534, 65535, 65536..65551, 65552..131071, 4200000000..4294967294, 4294967295 ];
if (bgp_path ~ BOGON_ASNS) then { print "Detected bogon AS path: ", net, " ", bgp_path, ", (neighbour ", from, ")"; }
There are unfortunately some transits with broken export filters which e.g. export their DSL/FTTC and FTTH networks using private ASNs and I would like to explicitly filter these (example path: AS-TRANSIT AS-BOGON1 AS-BOGON2).
The documentation has hints for first and last ASN in path, but this would catch in above example only AS-TRANSIT or AS-BOGON2, but not AS-BOGON1. Any pointers?
Thank you.
Regards, Robert
Hi,
You can try to delete AS-TRANSIT from the path and get first. Something like (this is just a sketch):
delete(bgp_path, AS-TRANSIT).first ~ BOGON_ASNS
On Mon, Mar 25, 2019 at 9:50 PM Robert Scheck <bird@robert-scheck.de> wrote:
Hello folks,
can I somehow import filter only on the 2nd AS number in the AS path? I know with the snippet below (heavily inspired by bgpfilterguide.nlnog.net), I can filter on AS numbers that appear somewhere in the AS path, however this import filter catches by nature also some pseudo-legitimate networks.
define BOGON_ASNS = [ 0, 23456, 64496..64511, 64512..65534, 65535, 65536..65551, 65552..131071, 4200000000..4294967294, 4294967295 ];
if (bgp_path ~ BOGON_ASNS) then { print "Detected bogon AS path: ", net, " ", bgp_path, ", (neighbour ", from, ")"; }
There are unfortunately some transits with broken export filters which e.g. export their DSL/FTTC and FTTH networks using private ASNs and I would like to explicitly filter these (example path: AS-TRANSIT AS-BOGON1 AS-BOGON2).
The documentation has hints for first and last ASN in path, but this would catch in above example only AS-TRANSIT or AS-BOGON2, but not AS-BOGON1. Any pointers?
Thank you.
Regards, Robert
Hi!
Did you try using BGP path mask? Like
if (bgp.path ~ [= ? bogon bogon * =]) …
Writing this from my phone. Please consult documentation or filter/test.conf file in source tree for exact syntax and examples.
Maria
On March 26, 2019 10:34:39 AM GMT+01:00, Alexander Zubkov <green@qrator.net> wrote:
Hi,
You can try to delete AS-TRANSIT from the path and get first. Something like (this is just a sketch):
delete(bgp_path, AS-TRANSIT).first ~ BOGON_ASNS
On Mon, Mar 25, 2019 at 9:50 PM Robert Scheck <bird@robert-scheck.de> wrote:
Hello folks,
can I somehow import filter only on the 2nd AS number in the AS path? I know with the snippet below (heavily inspired by bgpfilterguide.nlnog.net), I can filter on AS numbers that appear somewhere in the AS path, however this import filter catches by nature also some pseudo-legitimate networks.
define BOGON_ASNS = [ 0, 23456, 64496..64511, 64512..65534, 65535, 65536..65551, 65552..131071, 4200000000..4294967294, 4294967295 ];
if (bgp_path ~ BOGON_ASNS) then { print "Detected bogon AS path: ", net, " ", bgp_path, ", (neighbour ", from, ")"; }
There are unfortunately some transits with broken export filters which e.g. export their DSL/FTTC and FTTH networks using private ASNs and I would like to explicitly filter these (example path: AS-TRANSIT AS-BOGON1 AS-BOGON2).
The documentation has hints for first and last ASN in path, but this would catch in above example only AS-TRANSIT or AS-BOGON2, but not AS-BOGON1. Any pointers?
Thank you.
Regards, Robert
Hello Maria, hello Alexander,
first of all, thank you very much for your suggestions.
On Tue, 26 Mar 2019, Maria Matějka wrote:
Did you try using BGP path mask? Like if (bgp.path ~ [= ? bogon bogon * =]) …
I didn't try this before, but I'm now also not sure how I could get my int set (BOGON_ASNS) properly into your example, because just
if (bgp_path ~ [= ? BOGON_ASNS * =]) then { …
simply leads to "Error resolving path mask template: value not an integer", whereas the error message itself is indeed true.
On March 26, 2019 10:34:39 AM GMT+01:00, Alexander Zubkov <green@qrator.net> wrote:
You can try to delete AS-TRANSIT from the path and get first. Something like (this is just a sketch):
delete(bgp_path, AS-TRANSIT).first ~ BOGON_ASNS
While
if (delete(bgp_path, [ AS-TRANSIT1, AS-TRANSIT2 ]).first ~ BOGON_ASNS) then { …
seems to work at first glance, it also filters all prefixes originating from AS-TRANSIT1/2, so delete() seems to simply return 0 if bgp_path.len is 1 (rather "undefined" or failing). It starts to work properly when using
if (bgp_path.len >= 2 && delete(bgp_path, [ AS-TRANSIT1, AS-TRANSIT2 ]).first ~ BOGON_ASNS) then { …
but it still leaves me with a list of transit ASNs to be fed (thus Maria's suggestion seems to be a more maintenance-friendly approach - if int sets could be used somehow).
Regards, Robert
On Thu, Mar 28, 2019 at 12:25:29AM +0100, Robert Scheck wrote:
Hello Maria, hello Alexander,
first of all, thank you very much for your suggestions.
On Tue, 26 Mar 2019, Maria Matějka wrote:
Did you try using BGP path mask? Like if (bgp.path ~ [= ? bogon bogon * =]) …
I didn't try this before, but I'm now also not sure how I could get my int set (BOGON_ASNS) properly into your example, because just
That is unfortunately not possible (only single ASNs or ASN ranges), although it is a thing that makes perfect sense, so we should implement it.
On March 26, 2019 10:34:39 AM GMT+01:00, Alexander Zubkov <green@qrator.net> wrote: 1 (rather "undefined" or failing). It starts to work properly when using
if (bgp_path.len >= 2 && delete(bgp_path, [ AS-TRANSIT1, AS-TRANSIT2 ]).first ~ BOGON_ASNS) then { …
but it still leaves me with a list of transit ASNs to be fed (thus Maria's suggestion seems to be a more maintenance-friendly approach - if int sets could be used somehow).
What about:
delete(bgp_path, bgp_path.first).first ?
--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
Hello Ondrej,
On Thu, 28 Mar 2019, Ondrej Zajicek wrote:
That is unfortunately not possible (only single ASNs or ASN ranges), although it is a thing that makes perfect sense, so we should implement it.
cool, I'm curious for it :)
What about: delete(bgp_path, bgp_path.first).first ?
Yes, this worked together with:
bgp_path.len >= 2
Thank you.
Regards, Robert
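The result of the thread assembled into one import filter, as an added example that was not posted by any participant; the filter name transit_in and the log text are hypothetical. It goes one step beyond the thread's bgp_path.len >= 2 guard by testing the length of the path that remains after delete(), which also covers a path made up only of a prepended neighbour ASN, and it assumes, as observed in the thread, that .first on an empty path yields 0.

```bird
# Added example: BOGON_ASNS is the set from the thread, everything else
# (filter name, log message) is hypothetical.
define BOGON_ASNS = [ 0, 23456, 64496..64511, 64512..65534, 65535,
                      65536..65551, 65552..131071,
                      4200000000..4294967294, 4294967295 ];

filter transit_in
{
  # delete(bgp_path, bgp_path.first) removes every occurrence of the
  # neighbour ASN, so for AS-TRANSIT AS-TRANSIT AS-BOGON1 the prepend is
  # skipped as a whole and .first yields AS-BOGON1.
  #
  # The .len > 0 test handles routes originated by the neighbour itself
  # (AS-TRANSIT, or AS-TRANSIT AS-TRANSIT with prepending): the remaining
  # path is empty, .first would evaluate to 0 (assumption taken from the
  # thread), and 0 is a member of BOGON_ASNS, so without the test those
  # routes would be rejected.
  if (delete(bgp_path, bgp_path.first).len > 0 &&
      delete(bgp_path, bgp_path.first).first ~ BOGON_ASNS) then {
    print "Bogon ASN behind neighbour: ", net, " ", bgp_path,
          ", (neighbour ", from, ")";
    reject;
  }

  accept;
}
```

Bogon ASNs further along the path are not matched by this filter; that remains the job of the broader bgp_path ~ BOGON_ASNS check quoted at the start of the thread.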