Trusted Feed Auto-Config #459

Closed
sward1557 opened this issue Oct 13, 2020 · 2 comments · Fixed by #460

@sward1557

Is your feature request related to a problem? Please describe.
Yes. We have two exabgp containers. One of these containers receives the full route table and can evaluate for hijacking/squatting events. The second container receives only trusted route updates that can all be used to populate the config file. The problem is the trusted feed is not working to populate the config.

Describe the solution you'd like
The best solution is that every update received on the Trusted exabgp container populates the config if it is not already in the config.

Describe alternatives you've considered
Unfortunately there are no alternatives since the updates are so frequent it has to be automated.

Additional context
docker-compose.exabgp.yaml

```yaml
version: '3'
services:
    exabgp_full_table_feed:
        image: mavromat/exabgp-monitor:latest
        container_name: exabgp_full_table_feed
        restart: always
        ports:
          - 1234:5000 # Map default exabgp TCP port 5000 in the container to port 1234 on the Docker host.
        networks:
            - artemis
        volumes:
            - ./local_configs/monitor/exabgp_full.conf:/home/config/exabgp_full.conf
    exabgp_autoconf_trusted_feed:
        image: mavromat/exabgp-monitor:latest
        container_name: exabgp_autoconf_trusted_feed
        restart: always
        ports:
          - 1235:5000 # Map default exabgp TCP port 5000 in the container to port 1235 on the Docker host.
        networks:
            - artemis
        volumes:
            - ./local_configs/autoconf/exabgp_auto.conf:/home/config/exabgp_auto.conf
```

config file

```yaml
#
# ARTEMIS Configuration File (default config, please change in your deployment)
#
# Defining a named variable:
#     named_variable: &named_variable
#         value_of_variable
# Use named variable:
#     *named_variable
# - denotes an entry
#
# Start of Prefix Definitions (IPv4 and IPv6 are supported)
prefixes: {}
#
# Start of Monitor Definitions
monitors:
  riperis: ['']   # by default this uses all available monitors
  bgpstreamlive:
  - routeviews
  - ris
  - caida
    # bgpstreamkafka:
    #     host: bmp.bgpstream.caida.org
    #     port: 9092
    #     topic: '^openbmp\.router--.+\.peer-as--.+\.bmp_raw'
  exabgp:
  - ip: exabgp_full_table_feed
    port: 5000
  - ip: exabgp_autoconf_trusted_feed
    port: 5000
    autoconf: "true"
    # bgpstreamhist:
    #     - <csv_dir_with_formatted_BGP_updates>
# End of Monitor Definitions
#
# Start of ASN Definitions
asns: {}
# End of ASN Definitions
#
# Start of Rule Definitions
rules: []
# End of Rule Definitions
```

FYI I have confirmed both BGP sessions are Established and the correct route updates are being advertised to the correct peers.

@vkotronis
Member

@sward1557 thanks for reporting this! As discussed, the reason why you are not seeing your trusted feed updating the configuration is because the BGP updates ARTEMIS receives in this use case are paths not related to self-originations (e.g., prefix-origin_ASN), but paths of type prefix-origin-other_AS-.... As we describe in the docs, we ignore such paths for autoconf since we do not consider them "trusted" (we trust only local AS-originations since one may receive feeds from non-relevant ASes on this session too). However, in your use case the entire feed is trusted. I will check if we can simply allow the user to configure autoconf so that the entire feed is used to at least extract the origin ASNs from all paths, no matter the length. Note that the 2nd step of this, which will be the autoconfiguration of pattern matching (beyond the origin), will be the subject of a separate issue. I will follow up with a PR on this while in parallel we both examine how we can really secure the feed seen on ARTEMIS (and make sure that non-relevant updates will never update the configuration erroneously).

@vkotronis
Member

As discussed in Slack, work on this issue will focus on getting all possible origins and prefixes for all BGP updates (with any kind of path) of a trusted feed (plus updating the relevant documentation https://bgpartemis.readthedocs.io/en/latest/autoconfiguration/ ). @sward1557 in case you also need arbitrary pattern generation from all BGP updates, please create a separate issue since this is something separate.
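The difference between the two autoconf behaviours discussed in the comments above (origin-only paths versus origins taken from paths of any length on a fully trusted feed), as an added sketch that is not ARTEMIS code. The update dict layout, the `trust_entire_feed` flag, the function names, and the choice to treat prepended paths as origin-only and to skip AS_SET origins are all assumptions of this example.

```python
import ipaddress

# Constructed sample updates (documentation prefixes and ASNs); the dict layout
# is an assumption of this sketch, not the ARTEMIS/exabgp message format.
SAMPLE_UPDATES = [
    {"type": "A", "prefix": "192.0.2.0/24", "as_path": [64500]},
    {"type": "A", "prefix": "203.0.113.0/24", "as_path": [64500, 64500]},
    {"type": "A", "prefix": "198.51.100.0/24", "as_path": [64500, 64501, 64502]},
    {"type": "A", "prefix": "2001:db8::/32", "as_path": [64500, [64503, 64504]]},
    {"type": "A", "prefix": "198.51.100.7/24", "as_path": [64500]},
    {"type": "W", "prefix": "192.0.2.0/24", "as_path": []},
]


def collapse(as_path):
    """Remove consecutive duplicates so a prepended path compares as one hop."""
    out = []
    for hop in as_path:
        if not out or out[-1] != hop:
            out.append(hop)
    return out


def autoconf_candidates(updates, known_prefixes=(), trust_entire_feed=False):
    """Return {prefix: {origin ASNs}} that autoconf would add to the config."""
    known = {str(ipaddress.ip_network(p)) for p in known_prefixes}
    learned = {}
    for upd in updates:
        if upd.get("type") != "A":  # only announcements can add entries
            continue
        path = collapse(upd.get("as_path", []))
        # Empty path or an AS_SET (nested list): the origin is ambiguous.
        if not path or not all(isinstance(hop, int) for hop in path):
            continue
        # Default behaviour: only origin-only paths are trusted.
        if len(path) > 1 and not trust_entire_feed:
            continue
        try:
            prefix = str(ipaddress.ip_network(upd["prefix"]))
        except (KeyError, ValueError):  # missing or malformed prefix
            continue
        if prefix not in known:
            learned.setdefault(prefix, set()).add(path[-1])
    return learned


if __name__ == "__main__":
    print(autoconf_candidates(SAMPLE_UPDATES))
    print(autoconf_candidates(SAMPLE_UPDATES, trust_entire_feed=True))
```

With the flag off, `198.51.100.0/24` is dropped because its path has three hops; with it on, the prefix is learned with origin 64502, which is why the flag belongs only on a session whose every update is trusted.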
