Question for proper RPKI check integration in the bird v2.0.4 with Euro-IX Informational BGP communities
Hello all,

Can you please let me know where is the syntax error in my snippet, or if it is wrong how else I should integrate it in a way bird doesn't complain? Thanks in advance!

    #RPKI Check
    filter bgp_in_AS1234
    prefix set allnet;
    {
        include "/etc/bird/prefix-lists/AS2589-v4";
        if (is_martian4()) then reject;
        if ! (net ~ allnet) then reject;
        rpki_result = roa check(r4, net, bgp_path.last_nonaggregated );
        if ( rpki_result = ROA_INVALID ) then{
            bgp_community.add((1234:1000:4));
            reject;
            print "Invalid ROA ", net, " for ASN ", bgp_path.last_nonaggregated, "from AS1234" ;
        }
        if ( rpki_result = ROA_VALID ) then{
            bgp_community.add((1234:1000:1));
            accept;
        }
        if ( rpki_result = ROA_ UNKNOWN ) then{
            bgp_community.add((1234:1000:2));
            accept;
            print "Unknown RPKI ", net, "for ASN ", bgp_path.last_nonaggregated, "from AS1234 ";
        }
    }

--
Irene Lalioti
Network Engineer
Fondation RESTENA
2, avenue de l'Université
L-4365 Esch/Alzette
Tel: +352 424409 1
Fax: +352 422473

Hi Irene,

looks like you're trying to put together a route server config?

First thing that jumps out at me is you have "roa check" but it should be "roa_check".

We have full working sample configs that are used in our continuous integration tests for IXP Manager - here's a v4 version which includes RPKI:

https://github.com/inex/IXP-Manager/blob/master/data/travis-ci/known-good/ci...

Loads of info on this on https://docs.ixpmanager.org/ and presentations with videos from 2019 at:

https://www.ixpmanager.org/presentations

Hope that helps,
- Barry

--
Kind regards,
Barry O'Donovan
INEX Operations
https://www.inex.ie/support/
+353 1 531 3339

Barry, thanks a lot, I appreciate the feedback.

In the meantime, we have altered the syntax a bit and it seems to work this snippet. (The issue still persists with the pair errors I sent in my previous email)

    filter bgp_in_AS39180_4
    prefix set allnet;
    {
        include "/etc/bird/prefix-lists/AS39180-v4";
        if (is_martian4()) then reject;
        if ! (net ~ allnet) then reject;
        if (roa_check(r4, net, bgp_path.last_nonaggregated ) = ROA_INVALID ) then{
            bgp_large_community.add((49624,1000,4));
            accept;
            print "Invalid ROA ", net, " for ASN ", bgp_path.last_nonaggregated, "from AS39180" ;
        }
        if (roa_check(r4, net, bgp_path.last_nonaggregated ) = ROA_VALID ) then{
            bgp_large_community.add((49624,1000,1));
            accept;
        }
        if (roa_check(r4, net, bgp_path.last_nonaggregated ) = ROA_UNKNOWN ) then{
            bgp_large_community.add((49624,1000,2));
            accept;
        }
    }

regards,
Irene

On Wed, Sep 25, 2019 at 11:36:20AM +0100, Barry O'Donovan wrote:
> Hi Irene,
>
> looks like you're trying to put together a route server config?
>
> First thing that jumps out at me is you have "roa check" but it should be "roa_check".
>
> We have full working sample configs that are used in our continuous integration tests for IXP Manager - here's a v4 version which includes RPKI:
>
> https://github.com/inex/IXP-Manager/blob/master/data/travis-ci/known-good/ci...

Hi

One note - for roa_check(), you should not use bgp_path.last_nonaggregated, you should use bgp_path.last, or better just use implicit form:

    roa_check(t_roa)

If there is AS_SET on end position, then result should be invalid if there are related ROAs, or unknown otherwise, (see RFC 6907), it should not be checked based on neighboring (nonaggregated) ASN.

--
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."

Thank you very much Ondrej!

That was needed, because I had altered it initially to this after having checked the ripe's slides

https://ripe78.ripe.net/wp-content/uploads/presentations/68-inex-ripe-reykja...

So the t_roa holds what exactly? not the variable of the route objects?

Thanks again, Have a nice day!
Irene

On Wed, Sep 25, 2019 at 04:24:29PM +0200, Irene Lalioti wrote:
> Thank you very much Ondrej!
>
> That was needed, because I had altered it initially to this after having checked the ripe's slides
>
> https://ripe78.ripe.net/wp-content/uploads/presentations/68-inex-ripe-reykja...
>
> So the t_roa holds what exactly? not the variable of the route objects?

In IXP Manager config 't_roa' is ROA4 table (like 'r4' in your config):

    roa4 table t_roa;

Note that roa_check() has two forms: roa_check(TABLE, NET, ASN) and roa_check(TABLE). In the second form, NET and ASN are taken from the current route.

--
Ondrej 'Santiago' Zajicek

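An added example, not part of the thread and not BIRD's code: a small Python model of RFC 6811 origin validation covering both points above, the two forms of roa_check() and the AS_SET note from the earlier message. The ROA table, routes, ASNs and the function names `origin_asn` and `roa_check_route` are constructed for illustration.

```python
import ipaddress

ROA_VALID, ROA_INVALID, ROA_UNKNOWN = "ROA_VALID", "ROA_INVALID", "ROA_UNKNOWN"

# Constructed ROA table: (prefix, max length, authorised origin ASN).
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 25, 64501),
]

def origin_asn(path, last_nonaggregated=False):
    """Origin ASN of an AS path given as [("seq" | "set", [asns]), ...].

    RFC 6811: a path ending in an AS_SET has no usable origin (None).
    last_nonaggregated=True models skipping the trailing AS_SET instead,
    which is the choice the thread advises against.
    """
    segments = list(path)
    if last_nonaggregated:
        while segments and segments[-1][0] == "set":
            segments.pop()
    if not segments or segments[-1][0] == "set":
        return None
    return segments[-1][1][-1]

def roa_check(roas, net, asn):
    """Explicit form: validate (net, asn) against the ROA table."""
    net = ipaddress.ip_network(net)
    covered = False
    for prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this prefix
        if asn is not None and roa_asn != 0 and asn == roa_asn \
                and net.prefixlen <= max_len:
            return ROA_VALID
    return ROA_INVALID if covered else ROA_UNKNOWN

def roa_check_route(roas, route, last_nonaggregated=False):
    """Implicit form: NET and ASN are taken from the route itself."""
    asn = origin_asn(route["path"], last_nonaggregated)
    return roa_check(roas, route["net"], asn)

# Constructed route: an aggregate announced with a trailing AS_SET.
AGGREGATE = {"net": "192.0.2.0/24",
             "path": [("seq", [64496, 64500]), ("set", [64510, 64511])]}
```

With the trailing AS_SET the covered aggregate evaluates to ROA_INVALID; taking the neighbouring non-aggregated ASN instead would let the same route pass as ROA_VALID.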
On Wed, Sep 25, 2019 at 10:58:11AM +0200, Irene Lalioti wrote:
> Hello all,
>
> Can you please let me know where is the syntax error in my snippet, or if it is wrong how else I should integrate it in a way bird doesn't complain? Thanks in advance!

Hello

- As noticed by Barry O'Donovan, it should be roa_check instead of roa check

- We currently do not support variable type for rpki_result variable, so it cannot be declared. In your newer variant you use multiple calls to roa_check(), that is ineffective.

  Currently it could be done efficiently by using switch/case:

      case roa_check(r4) {
          ROA_INVALID: reject;
          ROA_VALID: bgp_community.add((1234:1000:1)); accept;
          ROA_UNKNOWN: bgp_community.add((1234:1000:2)); accept;
      }

- Also, you have some print statements after 'accept', these would not be applied, because 'accept' ends processing.

- As I noted in another e-mail, it should be bgp_path.last instead of last_nonaggregated

--
Ondrej 'Santiago' Zajicek

Thanks a lot Ondrej! I will alter my code likewise,

For the bgp communities inside the parenthesis, is it with : or , ? seems with , works as well.

thanks!
Irene

On Wed, Sep 25, 2019 at 04:39:50PM +0200, Irene Lalioti wrote:
> Thanks a lot Ondrej! I will alter my code likewise,
>
> For the bgp communities inside the parenthesis, is it with : or , ? seems with , works as well.

BGP communities use ',' - I copied it from your code and missed that.

--
Ondrej 'Santiago' Zajicek