Update doc and examples
pierky committed Nov 2, 2019
1 parent 1d95ad1 commit 2851d57
Showing 17 changed files with 3,649 additions and 235 deletions.
138 changes: 69 additions & 69 deletions docs/SUPPORTED_SPEAKERS_FEATURES.txt
@@ -1,82 +1,82 @@
.. DO NOT EDIT: this file is automatically created by ../utils/build_supported_speakers_table.py

========================================================== ======== ============ ============
**Feature** **BIRD** **OpenBGPD** **OpenBGPD**
**Portable**
---------------------------------------------------------- -------- ------------ ------------
Path hiding mitigation (RFC7947, 2.3.1) Yes No No
---------------------------------------------------------- -------- ------------ ------------
========================================================== ======== =========== ============ ============
**Feature** **BIRD** **BIRD v2** **OpenBGPD** **OpenBGPD**
**Portable**
---------------------------------------------------------- -------- ----------- ------------ ------------
Path hiding mitigation (RFC7947, 2.3.1) Yes Yes No No
---------------------------------------------------------- -------- ----------- ------------ ------------
**Basic filters:**
---------------------------------------------------------------------------------------------
NEXT_HOP enforcement - strict (RFC7948, 4.8) Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
NEXT_HOP enforcement - same AS (RFC7948, 4.8) Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
Min and max IPv4/IPv6 prefix length Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
Max AS_PATH length Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
Reject invalid AS_PATHs (private/invalid ASNs) Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
Reject AS_PATHs containing transit-free ASNs Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
Reject bogons Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
Max-prefix limit Yes Yes :sup:`1` Yes :sup:`1`
---------------------------------------------------------- -------- ------------ ------------
---------------------------------------------------------------------------------------------------------
NEXT_HOP enforcement - strict (RFC7948, 4.8) Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
NEXT_HOP enforcement - same AS (RFC7948, 4.8) Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
Min and max IPv4/IPv6 prefix length Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
Max AS_PATH length Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
Reject invalid AS_PATHs (private/invalid ASNs) Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
Reject AS_PATHs containing transit-free ASNs Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
Reject bogons Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
Max-prefix limit Yes Yes Yes :sup:`1` Yes :sup:`1`
---------------------------------------------------------- -------- ----------- ------------ ------------
**Prefixes and origin ASNs validation:**
---------------------------------------------------------------------------------------------
IRR-based filters (RFC7948, 4.6.2) Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
RPKI ROAs used as route objects Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
Origin AS from ARIN Whois database dump Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
NIC.BR Whois data (slide n. 26) from Registro.br Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
RPKI-based filtering (BGP Prefix Origin Validation) Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
---------------------------------------------------------------------------------------------------------
IRR-based filters (RFC7948, 4.6.2) Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
RPKI ROAs used as route objects Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
Origin AS from ARIN Whois database dump Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
NIC.BR Whois data (slide n. 26) from Registro.br Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
RPKI-based filtering (BGP Prefix Origin Validation) Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
**Blackhole filtering support:**
---------------------------------------------------------------------------------------------
Optional NEXT_HOP rewriting Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
Signalling via BLACKHOLE and custom communities) Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
Client-by-client control over propagation Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
---------------------------------------------------------------------------------------------------------
Optional NEXT_HOP rewriting Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
Signalling via BLACKHOLE and custom communities) Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
Client-by-client control over propagation Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
**Graceful shutdown support:**
---------------------------------------------------------------------------------------------
GRACEFUL_SHUTDOWN BGP Community Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
Graceful shutdown of the route server itself Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
---------------------------------------------------------------------------------------------------------
GRACEFUL_SHUTDOWN BGP Community Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
Graceful shutdown of the route server itself Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
**Control and informative communities:**
---------------------------------------------------------------------------------------------
Prefix/origin ASN in IRRDBs data Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
Do (not) announce to any / peer / on RTT basis Yes Yes :sup:`2` Yes :sup:`2`
---------------------------------------------------------- -------- ------------ ------------
Prepend to any / peer / on RTT basis Yes Yes :sup:`2` Yes :sup:`2`
---------------------------------------------------------- -------- ------------ ------------
Add NO_EXPORT / NO_ADVERTISE to any / peer Yes Yes :sup:`2` Yes :sup:`2`
---------------------------------------------------------- -------- ------------ ------------
Custom informational BGP communities Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
---------------------------------------------------------------------------------------------------------
Prefix/origin ASN in IRRDBs data Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
Do (not) announce to any / peer / on RTT basis Yes Yes Yes :sup:`2` Yes :sup:`2`
---------------------------------------------------------- -------- ----------- ------------ ------------
Prepend to any / peer / on RTT basis Yes Yes Yes :sup:`2` Yes :sup:`2`
---------------------------------------------------------- -------- ----------- ------------ ------------
Add NO_EXPORT / NO_ADVERTISE to any / peer Yes Yes Yes :sup:`2` Yes :sup:`2`
---------------------------------------------------------- -------- ----------- ------------ ------------
Custom informational BGP communities Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
**Optional session features on a client-by-client basis:**
---------------------------------------------------------------------------------------------
Prepend route server ASN (RFC7947, 2.2.2.1) Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
Active sessions Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
GTSM (Generalized TTL Security Mechanism) Yes Yes Yes
---------------------------------------------------------- -------- ------------ ------------
ADD_PATH capability (RFC7911) Yes N/A N/A
---------------------------------------------------------- -------- ------------ ------------
========================================================== ======== ============ ============
---------------------------------------------------------------------------------------------------------
Prepend route server ASN (RFC7947, 2.2.2.1) Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
Active sessions Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
GTSM (Generalized TTL Security Mechanism) Yes Yes Yes Yes
---------------------------------------------------------- -------- ----------- ------------ ------------
ADD_PATH capability (RFC7911) Yes Yes N/A N/A
---------------------------------------------------------- -------- ----------- ------------ ------------
========================================================== ======== =========== ============ ============


:sup:`2`: OpenBGPD does not offer a way to delete extended communities using wildcard (rt xxx:\*): peer-ASN-specific extended communities (such as prepend_once_to_peer, do_not_announce_to_peer) are not scrubbed from routes that leave OpenBGPD route servers and so they are propagated to the route server clients.

:sup:`1`: For max-prefix filtering, only the shutdown and the restart actions are supported by OpenBGPD. Restart is configured with a 15 minutes timer.

:sup:`2`: OpenBGPD does not offer a way to delete extended communities using wildcard (rt xxx:\*): peer-ASN-specific extended communities (such as prepend_once_to_peer, do_not_announce_to_peer) are not scrubbed from routes that leave OpenBGPD route servers and so they are propagated to the route server clients.
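Review bot: the row label "Signalling via BLACKHOLE and custom communities)" keeps an unbalanced closing parenthesis in the regenerated table (it is the same in the removed and the added text); since the header says this file is produced by ../utils/build_supported_speakers_table.py and must not be edited by hand, fix the label in that script's feature list and regenerate. Moving the :sup:`2` footnote below :sup:`1`, so the notes follow the order in which the superscripts appear in the table, is right; while there, footnote 1 reads better as "a 15-minute timer". The new BIRD v2 column also copies BIRD's "Yes" for ADD_PATH and for Max-prefix limit (the latter without footnote 1); a sentence in the docs saying these were verified on BIRD v2 rather than inherited from the v1 column would help readers trust the table.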


4 changes: 2 additions & 2 deletions examples/auto-config/README.rst
@@ -42,8 +42,8 @@ A list of BGP communities is also automatically built.
Route server policy definition file generated successfully!
===========================================================
The content of the general configuration file will now be written to examples
/auto-config/bird-general.yml
The content of the general configuration file will now be written to
examples/auto-config/bird-general.yml
Some notes:
60 changes: 36 additions & 24 deletions examples/bird_hooks/bird4.conf
@@ -10,6 +10,7 @@ protocol device {};

table master sorted;


include "/etc/bird/header.local";


@@ -32,7 +33,7 @@ define AS_SET_AS3333_asns = [
3333
];

define AS_SET_AS3333_prefixes = [
define AS_SET_AS3333_prefixes_4 = [
85.195.64.1/32, 193.0.0.0/21, 193.0.10.0/23, 193.0.12.0/23,
193.0.18.0/23, 193.0.20.0/22{23,23}
];
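Review bot: the `_4` suffix on AS_SET_AS3333_prefixes_4 (and on AS_SET_AS10745_prefixes_4 in the next hunk) is only a rename, so every reference must follow it; the two prefix_is_in_*_as_set() hunks further down do update them, but nothing in the file says what the suffix denotes (presumably the IPv4 family, with a `_6` twin in the IPv6 config). A one-line comment above the first renamed `define` would spare the next reader a grep and make a missed reference obvious.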
@@ -42,7 +43,7 @@ define AS_SET_AS10745_asns = [
10745
];

define AS_SET_AS10745_prefixes = [
define AS_SET_AS10745_prefixes_4 = [
192.136.136.0/24, 192.149.252.0/24, 199.43.0.0/24
];

@@ -56,9 +57,9 @@ define AS_SET_AS10745_prefixes = [
# This function returns True if 'net' is a bogon prefix
# or falls within a bogon prefix.
function prefix_is_bogon()
prefix set bogons;
prefix set bogons_4;
{
bogons = [
bogons_4 = [
# Default route
0.0.0.0/0,

@@ -102,22 +103,23 @@prefix set bogons;
100.64.0.0/10{10,32}
];

if net ~ bogons then return true;
if net ~ bogons_4 then return true;
return false;
}

# This function returns True if 'net' falls within a
# prefix contained in the global blacklist (for example,
# local networks)
function prefix_is_in_global_blacklist()
prefix set global_blacklist;
prefix set global_blacklist_4;
{
global_blacklist = [
global_blacklist_4 = [
# Local network
192.0.2.0/24{24,32}
];

if net ~ global_blacklist then return true;
if net ~ global_blacklist_4 then return true;

return false;
}
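Review bot: the added blank line between `if net ~ global_blacklist_4 then return true;` and `return false;` in prefix_is_in_global_blacklist() makes it differ from prefix_is_bogon() just above, where the same two statements stay adjacent; if the generating template changed, keep both functions in the same shape so the generated output stays uniform. The rename from `global_blacklist` to `global_blacklist_4` is otherwise consistent with the `bogons_4` rename in the same hunk.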

@@ -131,7 +133,7 @@ function prefix_len_is_valid (int pref_len_min; int pref_len_max) {

# This function returns True if the AS_PATH contains one or
# more private/reserved ASN.
function as_path_contains_invalid_asn()
function as_path_contains_invalid_asn()
int set invalid_asns;
{
# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
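Review bot: the `function as_path_contains_invalid_asn()` line is shown as removed and re-added with no visible difference, which points to a trailing-whitespace-only change; harmless, but worth confirming in the template so it does not flip back on the next regeneration.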
@@ -275,11 +277,13 @@ function is_blackhole_filtering_request() {
# This function must be applied to outgoing routes.
# It applies the blackhole filtering policy to the current route.
function apply_blackhole_filtering_policy() {

# Configured policy: rewrite-next-hop
bgp_community.add((65535, 666));
bgp_next_hop = 192.0.2.66;
# NO_EXPORT
bgp_community.add((65535, 65281));

hook_apply_blackhole_filtering_policy(4);
}
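Review bot: hook_apply_blackhole_filtering_policy(4) is invoked after the NEXT_HOP rewrite to 192.0.2.66 and after the BLACKHOLE (65535:666) and NO_EXPORT (65535:65281) communities are added, so the hook can undo any of them, and its return value is discarded; state that ordering and contract in the hooks documentation, and add a comment saying what the literal `4` carries (presumably the address family). The hook has no definition in this file, so unless it is provided by the included /etc/bird/header.local or another file shipped with the example, BIRD will refuse to load the configuration; the example should ship the hook body alongside the call.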

@@ -469,9 +473,9 @@ function origin_as_is_in_AS10745_1_as_set() {

# R-SET for AS10745_1
function prefix_is_in_AS10745_1_as_set() {
if net ~ AS_SET_AS10745_prefixes then
return true;
return false;
if net ~ AS_SET_AS10745_prefixes_4 then
return true;
return false;
}

function next_hop_is_valid_for_AS10745_1()
@@ -524,6 +528,7 @@ filter receive_from_AS10745_1 {
reject "source != RTS_BGP - REJECTING ", net;



if !hook_pre_receive_from_client(10745, 192.0.2.22, "AS10745_1") then
reject "hook_pre_receive_from_client returned false - REJECTING ", net;

@@ -637,21 +642,24 @@ protocol bgp AS10745_1 {

passive on;
ttl security on;
interpret communities off;


add paths tx;

secondary;

interpret communities off;

import limit 121 action restart;



import keep filtered on;


import filter receive_from_AS10745_1;
export filter announce_to_AS10745_1;
}


}


# AS-SET for AS3333_1
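Review bot: moving `interpret communities off;` below `secondary;` and inserting blank lines is cosmetic (the order of options inside a `protocol bgp` block carries no meaning in BIRD), as is removing and re-adding the closing brace; if this churn comes from a template change it is fine, otherwise drop it so the diff is limited to the real edits. The same applies to the identical hunk for protocol bgp AS3333_1 below. The session options themselves are the right ones for a route server client: `passive on`, `ttl security on` (GTSM), `import limit ... action restart` and `import keep filtered on`.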
@@ -663,9 +671,9 @@ function origin_as_is_in_AS3333_1_as_set() {

# R-SET for AS3333_1
function prefix_is_in_AS3333_1_as_set() {
if net ~ AS_SET_AS3333_prefixes then
return true;
return false;
if net ~ AS_SET_AS3333_prefixes_4 then
return true;
return false;
}

function next_hop_is_valid_for_AS3333_1()
@@ -718,6 +726,7 @@ filter receive_from_AS3333_1 {
reject "source != RTS_BGP - REJECTING ", net;



if !hook_pre_receive_from_client(3333, 192.0.2.11, "AS3333_1") then
reject "hook_pre_receive_from_client returned false - REJECTING ", net;

@@ -831,21 +840,24 @@ protocol bgp AS3333_1 {

passive on;
ttl security on;
interpret communities off;


add paths tx;

secondary;

interpret communities off;

import limit 150 action restart;



import keep filtered on;


import filter receive_from_AS3333_1;
export filter announce_to_AS3333_1;
}



}



