Is your feature request related to a problem? Please describe.
Yes. We have two exabgp containers. One of these containers receives the full route table and can evaluate for hijacking/squatting events. The second container receives only trusted route updates that can all be used to populate the config file. The problem is the trusted feed is not working to populate the config.
Describe the solution you'd like
The best solution is that every update received on the Trusted exabgp container populate the config if it is not already in the config.
Describe alternatives you've considered
Unfortunately there are no alternatives since the updates are so frequent it has to be automated.
Additional context
docker-compose.exabgp.yaml
```yaml
version: '3'
services:
  exabgp_full_table_feed:
    image: mavromat/exabgp-monitor:latest
    container_name: exabgp_full_table_feed
    restart: always
    ports:
      - 1234:5000 # Map default exabgp TCP port 5000 in the container to port 1234 on the Docker host.
    networks:
      - artemis
    volumes:
      - ./local_configs/monitor/exabgp_full.conf:/home/config/exabgp_full.conf
  exabgp_autoconf_trusted_feed:
    image: mavromat/exabgp-monitor:latest
    container_name: exabgp_autoconf_trusted_feed
    restart: always
    ports:
      - 1235:5000 # Map default exabgp TCP port 5000 in the container to port 1235 on the Docker host.
    networks:
      - artemis
    volumes:
      - ./local_configs/autoconf/exabgp_auto.conf:/home/config/exabgp_auto.conf
```
config file
```yaml
#
# ARTEMIS Configuration File (default config, please change in your deployment)
#
# Defining a named variable:
#   named_variable: &named_variable
#     value_of_variable
# Use named variable:
#   *named_variable
# - denotes an entry
#
# Start of Prefix Definitions (IPv4 and IPv6 are supported)
prefixes: {}
#
# Start of Monitor Definitions
monitors:
  riperis: [''] # by default this uses all available monitors
  bgpstreamlive:
    - routeviews
    - ris
    - caida
  # bgpstreamkafka:
  #   host: bmp.bgpstream.caida.org
  #   port: 9092
  #   topic: '^openbmp\.router--.+\.peer-as--.+\.bmp_raw'
  exabgp:
    - ip: exabgp_full_table_feed
      port: 5000
    - ip: exabgp_autoconf_trusted_feed
      port: 5000
      autoconf: "true"
  # bgpstreamhist:
  #   - <csv_dir_with_formatted_BGP_updates>
# End of Monitor Definitions
#
# Start of ASN Definitions
asns: {}
# End of ASN Definitions
#
# Start of Rule Definitions
rules: []
# End of Rule Definitions
```
FYI I have confirmed both BGP sessions are Established and the correct route updates are being advertised to the correct peers.
@sward1557 thanks for reporting this! As discussed, the reason why you are not seeing your trusted feed updating the configuration is because the BGP updates ARTEMIS receives in this use case are paths not related to self-originations (e.g., prefix-origin_ASN), but paths of type prefix-origin-other_AS-.... As we describe in the docs, we ignore such paths for autoconf since we do not consider them "trusted" (we trust only local AS-originations since one may receive feeds from non-relevant ASes on this session too). However, in your use case the entire feed is trusted. I will check if we can simply allow the user to configure autoconf so that the entire feed is used to at least extract the origin ASNs from all paths, no matter the length. Note that the 2nd step of this, which will be the autoconfiguration of pattern matching (beyond the origin), will be the subject of a separate issue. I will follow up with a PR on this while in parallel we both examine how we can really secure the feed seen on ARTEMIS (and make sure that non-relevant updates will never update the configuration erroneously).
As discussed in Slack, work on this issue will focus on getting all possible origins and prefixes for all BGP updates (with any kind of path) of a trusted feed (plus updating the relevant documentation https://bgpartemis.readthedocs.io/en/latest/autoconfiguration/). @sward1557 in case you also need arbitrary pattern generation from all BGP updates, please create a separate issue since this is something separate.
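The difference discussed in the comments above, between the default autoconf behaviour (only self-originated paths are used) and a fully trusted feed (the origin is taken from a path of any length), as an added Python example; it is not ARTEMIS code. The update dictionaries, the function names and the `trust_entire_feed` flag are hypothetical, treating a prepended single-AS path as a self-origination is an assumption, and the sample updates are constructed from documentation prefixes and ASNs.

```python
import ipaddress

# Constructed sample updates (documentation prefixes/ASNs); as_path runs peer -> origin.
SAMPLE_UPDATES = [
    {"type": "A", "prefix": "192.0.2.0/24", "as_path": [64496]},
    {"type": "A", "prefix": "198.51.100.0/24", "as_path": [64496, 64500, 64501]},
    {"type": "A", "prefix": "2001:db8::/32", "as_path": [64496, 64502, 64502]},
    {"type": "W", "prefix": "203.0.113.0/24", "as_path": []},
    {"type": "A", "prefix": "198.51.100.0/24", "as_path": [64496, 64501]},
    {"type": "A", "prefix": "192.0.2.1/24", "as_path": [64496]},  # host bits set
]

def origin_asn(as_path):
    """Return the origin ASN (last hop) of an AS path, or None if there is none."""
    if not as_path:
        return None
    last = as_path[-1]
    # An AS_SET at the end of the path (modelled here as a list) has no single origin.
    return last if isinstance(last, int) else None

def is_self_origination(as_path):
    """True for a path with one distinct ASN (assumption: prepending still counts)."""
    return (bool(as_path) and all(isinstance(a, int) for a in as_path)
            and len(set(as_path)) == 1)

def autoconf(updates, known, trust_entire_feed=False):
    """Merge announcements into known ({prefix: {origin ASNs}}); return the additions."""
    added = []
    for upd in updates:
        if upd["type"] != "A":  # withdrawals never add configuration
            continue
        path = upd["as_path"]
        if not trust_entire_feed and not is_self_origination(path):
            continue  # default behaviour: longer paths are not trusted
        origin = origin_asn(path)
        if origin is None:
            continue
        try:
            prefix = str(ipaddress.ip_network(upd["prefix"], strict=True))
        except ValueError:
            continue  # malformed prefix must not reach the configuration
        if origin not in known.setdefault(prefix, set()):
            known[prefix].add(origin)
            added.append((prefix, origin))
    return added
```

With `trust_entire_feed=True` every announcement on the session can write to the configuration, so the check that the feed only carries relevant updates has to happen before this step.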