[IM] Update transit ASN filtering and allow greater control - closes #…
barryo committed Sep 15, 2021
1 parent f3db682 commit ebd32b6
Showing 7 changed files with 141 additions and 69 deletions.
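--- a/.env.dev
+++ b/.env.dev
@@ -294,4 +294,6 @@ IXP_IRRDB_BGPQ3_PATH=/usr/local/bin/bgpq3
 
 2FA_ENABLED=false
 
+#IXP_NO_TRANSIT_ASNS_EXCLUDE=174,1299
+#IXP_NO_TRANSIT_ASNS_OVERRIDE=25,45,174
 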
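--- a/.env.example
+++ b/.env.example
@@ -289,4 +289,8 @@ IXP_IRRDB_BGPQ3_PATH=/usr/bin/bgpq3
 # PEERINGDB_OAUTH_REDIRECT="https://www.example.com/auth/login/peeringdb/callback"
 
 
+#########################################################################################
+### See: https://docs.ixpmanager.org/features/routers/#filtering-known-transit-networks
+# IXP_NO_TRANSIT_ASNS_EXCLUDE=65501,65502
+# IXP_NO_TRANSIT_ASNS_OVERRIDE=65501,65502,65503
 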
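--- a/config/ixp.php
+++ b/config/ixp.php
@@ -126,4 +126,26 @@
 ],
 
 
+// Filter known transit networks
+// Inspired by: http://bgpfilterguide.nlnog.net/guides/no_transit_leaks/
+// Overrides:
+'no_transit_asns' => [
+'override' => call_user_func( function() {
+$env = env( 'IXP_NO_TRANSIT_ASNS_OVERRIDE', false );
+
+if( $env === false ) {
+return false;
+}
+
+if( !$env ) {
+return [];
+}
+
+return explode( ',', $env );
+}),
+
+'exclude' => explode( ',', env( 'IXP_NO_TRANSIT_ASNS_EXCLUDE', '' ) ),
+],
+
+
 ];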
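Review bot: The ASN lists built by `explode( ',', … )` for both `override` and `exclude` are neither trimmed nor checked to be numeric, and the router templates later write the override keys straight into `define TRANSIT_ASNS` via `array_keys()`. A trailing comma or stray token in `IXP_NO_TRANSIT_ASNS_OVERRIDE` therefore produces an empty or non-numeric set element in the generated router configuration, and a space after a comma in `IXP_NO_TRANSIT_ASNS_EXCLUDE` makes the template's `isset()` lookup miss, so that ASN silently stays filtered. With the variable unset, `explode( ',', '' )` also yields `['']` rather than an empty list. I would normalise both lists the same way, e.g. `array_values( array_filter( array_map( 'trim', explode( ',', $env ) ), 'ctype_digit' ) )`, and decide explicitly whether an invalid entry is dropped or aborts config generation.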
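--- a/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv4.conf
+++ b/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv4.conf
@@ -266,23 +266,7 @@ function filter_rpki()
 ########################################################################################
 
 
-define TRANSIT_ASNS = [ 174, # Cogent
-209, # Qwest (HE carries this on IXPs IPv6 (Jul 12 2018))
-701, # UUNET
-702, # UUNET
-1239, # Sprint
-1299, # Telia
-2914, # NTT Communications
-3257, # GTT Backbone
-3320, # Deutsche Telekom AG (DTAG)
-3356, # Level3
-3549, # Level3
-3561, # Savvis / CenturyLink
-4134, # Chinanet
-5511, # Orange opentransit
-6453, # Tata Communications
-6762, # Seabone / Telecom Italia
-7018 ]; # AT&T
+define TRANSIT_ASNS = [ 174, 701, 1299, 2914, 3257, 3320, 3356, 3491, 4134, 5511, 6453, 6461, 6762, 6830, 7018 ];
 
 function filter_has_transit_path()
 int set transit_asns;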
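--- a/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv6.conf
+++ b/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv6.conf
@@ -275,23 +275,7 @@ function filter_rpki()
 ########################################################################################
 
 
-define TRANSIT_ASNS = [ 174, # Cogent
-209, # Qwest (HE carries this on IXPs IPv6 (Jul 12 2018))
-701, # UUNET
-702, # UUNET
-1239, # Sprint
-1299, # Telia
-2914, # NTT Communications
-3257, # GTT Backbone
-3320, # Deutsche Telekom AG (DTAG)
-3356, # Level3
-3549, # Level3
-3561, # Savvis / CenturyLink
-4134, # Chinanet
-5511, # Orange opentransit
-6453, # Tata Communications
-6762, # Seabone / Telecom Italia
-7018 ]; # AT&T
+define TRANSIT_ASNS = [ 174, 701, 1299, 2914, 3257, 3320, 3356, 3491, 4134, 5511, 6453, 6461, 6762, 6830, 7018 ];
 
 function filter_has_transit_path()
 int set transit_asns;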
Expand Up @@ -10,33 +10,71 @@
########################################################################################
########################################################################################

<?php
// default transit networks to block
$no_transit_asns = [
174 => 'Cogent',
701 => 'UUNET',
1299 => 'Telia',
2914 => 'NTT Communications',
3257 => 'GTT Backbone',
3320 => 'Deutsche Telekom AG (DTAG)',
3356 => 'Level3',
3491 => 'PCCW',
4134 => 'Chinanet',
5511 => 'Orange opentransit',
6453 => 'Tata Communications',
6461 => 'Zayo Bandwidth',
6762 => 'Seabone / Telecom Italia',
6830 => 'Liberty Global',
7018 => 'AT&T',
];

define TRANSIT_ASNS = [ 174, # Cogent
209, # Qwest (HE carries this on IXPs IPv6 (Jul 12 2018))
701, # UUNET
702, # UUNET
1239, # Sprint
1299, # Telia
2914, # NTT Communications
3257, # GTT Backbone
3320, # Deutsche Telekom AG (DTAG)
3356, # Level3
3549, # Level3
3561, # Savvis / CenturyLink
4134, # Chinanet
5511, # Orange opentransit
6453, # Tata Communications
6762, # Seabone / Telecom Italia
7018 ]; # AT&T
// possible overrides - exclusions from the above:
if( count( config( 'ixp.no_transit_asns.exclude' ) ) ) {
foreach( config( 'ixp.no_transit_asns.exclude' ) as $asn ) {
if( isset( $no_transit_asns[$asn] ) ) {
unset( $no_transit_asns[$asn] );
}
}
}

// possible overrides - complete replacement:
if( config( 'ixp.no_transit_asns.override' ) !== false ) {
$no_transit_asns = [];
foreach( config( 'ixp.no_transit_asns.override' ) as $asn ) {
$no_transit_asns[ $asn ] = 'Override from .env file';
}
}
?>

# Filtering the following ASNs:
#
<?php foreach( $no_transit_asns as $asn => $desc ): ?>
# <?= $asn ?> - <?= $desc ?>

<?php endforeach; ?>

<?php if( count( $no_transit_asns ) === 0 ): ?>
# .env file has disabled transit ASN filtering with an empty IXP_NO_TRANSIT_ASNS_OVERRIDE setting:
function filter_has_transit_path()
{
return false;
}

<?php else: ?>
define TRANSIT_ASNS = [ <?= implode( ', ', array_keys( $no_transit_asns ) ) ?> ];

function filter_has_transit_path()
int set transit_asns;
{
transit_asns = TRANSIT_ASNS;
if (bgp_path.first !~ transit_asns && bgp_path ~ transit_asns) then {
if (bgp_path ~ transit_asns) then {
bgp_large_community.add( IXP_LC_FILTERED_TRANSIT_FREE_ASN );
return true;
}

return false;
}

<?php endif; ?>
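Review bot: If `if (bgp_path ~ transit_asns) then {` is the new condition in filter_has_transit_path() (it and the two-clause `bgp_path.first !~ transit_asns && …` line are both printed and the page no longer marks which side each is on), a route-server client whose own ASN is in TRANSIT_ASNS gets every route it announces tagged `IXP_LC_FILTERED_TRANSIT_FREE_ASN`. The only remedy visible here is `IXP_NO_TRANSIT_ASNS_EXCLUDE`, which drops that ASN from the check for all peers rather than only for the client itself, so leaks of it through other members are no longer caught. I would either keep the `bgp_path.first` exemption or state the trade-off in the generated file, e.g. `# NB: a client whose own ASN is listed must be added to IXP_NO_TRANSIT_ASNS_EXCLUDE`.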
Expand Up @@ -10,24 +10,60 @@
########################################################################################
########################################################################################

<?php
// default transit networks to block
$no_transit_asns = [
174 => 'Cogent',
701 => 'UUNET',
1299 => 'Telia',
2914 => 'NTT Communications',
3257 => 'GTT Backbone',
3320 => 'Deutsche Telekom AG (DTAG)',
3356 => 'Level3',
3491 => 'PCCW',
4134 => 'Chinanet',
5511 => 'Orange opentransit',
6453 => 'Tata Communications',
6461 => 'Zayo Bandwidth',
6762 => 'Seabone / Telecom Italia',
6830 => 'Liberty Global',
7018 => 'AT&T',
];

define TRANSIT_ASNS = [ 174, # Cogent
209, # Qwest (HE carries this on IXPs IPv6 (Jul 12 2018))
701, # UUNET
702, # UUNET
1239, # Sprint
1299, # Telia
2914, # NTT Communications
3257, # GTT Backbone
3320, # Deutsche Telekom AG (DTAG)
3356, # Level3
3549, # Level3
3561, # Savvis / CenturyLink
4134, # Chinanet
5511, # Orange opentransit
6453, # Tata Communications
6762, # Seabone / Telecom Italia
7018 ]; # AT&T
// possible overrides - exclusions from the above:
if( count( config( 'ixp.no_transit_asns.exclude' ) ) ) {
foreach( config( 'ixp.no_transit_asns.exclude' ) as $asn ) {
if( isset( $no_transit_asns[$asn] ) ) {
unset( $no_transit_asns[$asn] );
}
}
}

// possible overrides - complete replacement:
if( config( 'ixp.no_transit_asns.override' ) !== false ) {
$no_transit_asns = [];
foreach( config( 'ixp.no_transit_asns.override' ) as $asn ) {
$no_transit_asns[ $asn ] = 'Override from .env file';
}
}
?>

# Filtering the following ASNs:
#
<?php foreach( $no_transit_asns as $asn => $desc ): ?>
# <?= $asn ?> - <?= $desc ?>

<?php endforeach; ?>

<?php if( count( $no_transit_asns ) === 0 ): ?>
# .env file has disabled transit ASN filtering with an empty IXP_NO_TRANSIT_ASNS_OVERRIDE setting:
function filter_has_transit_path()
{
return false;
}

<?php else: ?>
define TRANSIT_ASNS = [ <?= implode( ', ', array_keys( $no_transit_asns ) ) ?> ];

function filter_has_transit_path()
int set transit_asns;
Expand All @@ -40,3 +76,5 @@ function filter_has_transit_path()

return false;
}

<?php endif; ?>
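Review bot: The default ASN table and the exclude/override handling in the `<?php … ?>` block at the top of this template are a line-for-line copy of the block in the previous template section, so the two generated filters can drift apart the next time one list is edited. Keeping the defaults in `config/ixp.php` beside `no_transit_asns`, or in one shared partial, would leave a single list to review. Separately, the guard `count( config( 'ixp.no_transit_asns.exclude' ) )` is always true as the config is written, because `explode( ',', '' )` returns `['']`; the `foreach` on its own is enough.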
