[ixpmanager] Setup BGP Community Filter
Deri Yusep Apriyadi
cartoen at gmail.com
Mon Oct 14 11:36:17 IST 2024
Hi
I'm a little confused about where to start with activating the Community
Filter for customers, as described in the following link:
https://github.com/euro-ix/rs-workshop-july-2017/wiki/Route-Server-BGP-Community-usage
Is there a step-by-step guide I can use as a reference?
Is the following link appropriate for reference?
https://github.com/inex/IXP-Manager/commit/a65e4ce4dba5a277318f2b9b1f4e4f5c5a8e86bc
Thanks for the help.
-------------- next part --------------
# For VLAN: AIX LAN1 (Tag: 803, Database ID: 1)
# Global settings for this IPv4 route server instance.
# standardise time formats:
timeformat base iso long;
timeformat log iso long;
timeformat protocol iso long;
timeformat route iso long;
# everything is logged both to a file and to syslog
log "/var/log/bird/rs1-ipv4.log" all;
log syslog all;
# The route server's own ASN and peering address. routeserverasn is the
# global-administrator field of every large community defined below, and
# both values are used by the tb_rsclient template.
# NOTE(review): routeserverasn is larger than 65535, which matters for the
# 16-bit ASN check inside ixp_community_filter.
define routeserverasn = 123456;
# NOTE(review): xx.xx.xx.xx looks like a redaction placeholder; BIRD will not
# parse it as an address.
define routeserveraddress = xx.xx.xx.xx;
router id xx.xx.xx.xx;
# ignore interface up/down events
protocol device { }
# This function excludes weird networks
# rfc1918, class D, class E, too long and too short prefixes
function avoid_martians()
prefix set martians;
{
# Returns false when the route's prefix (net) lies inside any of the martian
# ranges below, true otherwise. The import filters treat a false result as
# a bogon and tag the route with IXP_LC_FILTERED_BOGON.
martians = [
0.0.0.0/32-, # rfc5735 Special Use IPv4 Addresses
0.0.0.0/0{0,7}, # rfc1122 Requirements for Internet Hosts -- Communication Layers 3.2.1.3
10.0.0.0/8+, # rfc1918 Address Allocation for Private Internets
100.64.0.0/10+, # rfc6598 IANA-Reserved IPv4 Prefix for Shared Address Space
127.0.0.0/8+, # rfc1122 Requirements for Internet Hosts -- Communication Layers 3.2.1.3
169.254.0.0/16+, # rfc3927 Dynamic Configuration of IPv4 Link-Local Addresses
172.16.0.0/12+, # rfc1918 Address Allocation for Private Internets
192.0.0.0/24+, # rfc6890 Special-Purpose Address Registries
192.0.2.0/24+, # rfc5737 IPv4 Address Blocks Reserved for Documentation
192.168.0.0/16+, # rfc1918 Address Allocation for Private Internets
198.18.0.0/15+, # rfc2544 Benchmarking Methodology for Network Interconnect Devices
198.51.100.0/24+, # rfc5737 IPv4 Address Blocks Reserved for Documentation
203.0.113.0/24+, # rfc5737 IPv4 Address Blocks Reserved for Documentation
224.0.0.0/4+, # rfc1112 Host Extensions for IP Multicasting
240.0.0.0/4+ # rfc6890 Special-Purpose Address Registries
];
# The 0.0.0.0/0{0,7} entry above also catches any prefix shorter than /8, so
# this function doubles as the "prefix too short" check; the import filters
# only add an explicit "too long" (/25 and longer) test.
# Avoid RFC1918 and similar networks
if net ~ martians then
return false;
return true;
}
########################################################################################
########################################################################################
#
# Community filtering definitions for use with looking glasses
#
# Current implementation based on:
#
# https://github.com/euro-ix/rs-workshop-july-2017/wiki/Route-Server-BGP-Community-usage
#
########################################################################################
########################################################################################
# These will all be filtered and not piped to the master table:
# The middle field 1101 is the single "filtered" marker: f_export_to_master
# rejects any route carrying ( routeserverasn, 1101, * ), whatever the third
# field. The import filters only tag and accept, so a rejected route is still
# visible in the per-peer table (and hence in a looking glass) together with
# the reason for its rejection.
define IXP_LC_FILTERED_PREFIX_LEN_TOO_LONG = ( routeserverasn, 1101, 1 );
define IXP_LC_FILTERED_PREFIX_LEN_TOO_SHORT = ( routeserverasn, 1101, 2 );
define IXP_LC_FILTERED_BOGON = ( routeserverasn, 1101, 3 );
define IXP_LC_FILTERED_BOGON_ASN = ( routeserverasn, 1101, 4 );
define IXP_LC_FILTERED_AS_PATH_TOO_LONG = ( routeserverasn, 1101, 5 );
define IXP_LC_FILTERED_AS_PATH_TOO_SHORT = ( routeserverasn, 1101, 6 );
define IXP_LC_FILTERED_FIRST_AS_NOT_PEER_AS = ( routeserverasn, 1101, 7 );
define IXP_LC_FILTERED_NEXT_HOP_NOT_PEER_IP = ( routeserverasn, 1101, 8 );
define IXP_LC_FILTERED_IRRDB_PREFIX_FILTERED = ( routeserverasn, 1101, 9 );
define IXP_LC_FILTERED_IRRDB_ORIGIN_AS_FILTERED = ( routeserverasn, 1101, 10 );
define IXP_LC_FILTERED_PREFIX_NOT_IN_ORIGIN_AS = ( routeserverasn, 1101, 11 );
define IXP_LC_FILTERED_RPKI_UNKNOWN = ( routeserverasn, 1101, 12 );
define IXP_LC_FILTERED_RPKI_INVALID = ( routeserverasn, 1101, 13 );
define IXP_LC_FILTERED_TRANSIT_FREE_ASN = ( routeserverasn, 1101, 14 );
define IXP_LC_FILTERED_TOO_MANY_COMMUNITIES = ( routeserverasn, 1101, 15 );
# Informational prefixes
# These do not cause rejection; they are stripped again by the per-peer
# export filter (which deletes every ( routeserverasn, *, * ) community)
# before the route leaves the route server.
define IXP_LC_INFO_RPKI_VALID = ( routeserverasn, 1000, 1 );
define IXP_LC_INFO_RPKI_UNKNOWN = ( routeserverasn, 1000, 2 );
define IXP_LC_INFO_RPKI_NOT_CHECKED = ( routeserverasn, 1000, 3 );
define IXP_LC_INFO_IRRDB_VALID = ( routeserverasn, 1001, 1 );
define IXP_LC_INFO_IRRDB_NOT_CHECKED = ( routeserverasn, 1001, 2 );
define IXP_LC_INFO_IRRDB_MORE_SPECIFIC = ( routeserverasn, 1001, 3 );
define IXP_LC_INFO_IRRDB_FILTERED_LOOSE = ( routeserverasn, 1001, 1000 );
define IXP_LC_INFO_IRRDB_FILTERED_STRICT = ( routeserverasn, 1001, 1001 );
define IXP_LC_INFO_IRRDB_PREFIX_EMPTY = ( routeserverasn, 1001, 1002 );
define IXP_LC_INFO_SAME_AS_NEXT_HOP = ( routeserverasn, 1001, 1200 );
# ( routeserverasn, 1010, peerasn ) -> route learnt from peerasn via routeserverasn
# ( routeserverasn, 1011, originasn ) -> route origin asn via routeserverasn
# And the filter for examining routes in the peers import table being exported
# to the master table
filter f_export_to_master
{
# Gate between each per-peer table and master4 (used as the pipe's import
# filter). This is the one place where the "filtered" tags set by the
# import filters are enforced: any ( routeserverasn, 1101, * ) community
# keeps the route out of the master table, and therefore away from every
# other client. Everything else is accepted unchanged.
if bgp_large_community ~ [( routeserverasn, 1101, * )] then reject;
accept;
}
########################################################################################
########################################################################################
#
# Standard IXP community filter
#
########################################################################################
########################################################################################
function ixp_community_filter(int peerasn)
{
# Decides whether a master-table route is exported towards the client with
# ASN peerasn (used as "export where" on the per-peer pipe) and applies the
# client-controlled prepending. Returns true to export, false to withhold.
# Only routes learnt via BGP are ever exported.
if !(source = RTS_BGP) then
return false;
# AS path prepending
# ( routeserverasn, 10N, peerasn ) asks for N extra copies of the path's
# first ASN (the announcing client) when exporting to peerasn; the most
# aggressive matching value wins because of the else-if chain.
if (routeserverasn, 103, peerasn) ~ bgp_large_community then {
bgp_path.prepend( bgp_path.first );
bgp_path.prepend( bgp_path.first );
bgp_path.prepend( bgp_path.first );
} else if (routeserverasn, 102, peerasn) ~ bgp_large_community then {
bgp_path.prepend( bgp_path.first );
bgp_path.prepend( bgp_path.first );
} else if (routeserverasn, 101, peerasn) ~ bgp_large_community then {
bgp_path.prepend( bgp_path.first );
}
# support for BGP Large Communities
# ( routeserverasn, 0, peerasn ) -> do not export to peerasn
# ( routeserverasn, 1, peerasn ) -> export to peerasn
# ( routeserverasn, 0, 0 )       -> do not export to any client
# ( routeserverasn, 1, 0 )       -> export to all clients
# The peer-specific pair is tested before the wildcard (0) pair, so a
# per-peer instruction always overrides a blanket one.
if (routeserverasn, 0, peerasn) ~ bgp_large_community then
return false;
if (routeserverasn, 1, peerasn) ~ bgp_large_community then
return true;
if (routeserverasn, 0, 0) ~ bgp_large_community then
return false;
if (routeserverasn, 1, 0) ~ bgp_large_community then
return true;
# it's unwise to conduct a 32-bit check on a 16-bit value
# NOTE(review): as written this is a no-op -- both the guarded return and
# the fall-through below return true. Presumably a leftover from a variant
# that also evaluated 16-bit (standard) communities after this point;
# confirm whether standard-community support is intended here.
if routeserverasn > 65535 || peerasn > 65535 then
return true;
# default position: export
return true;
}
########################################################################################
########################################################################################
#
# RPKI protocol configuration
#
########################################################################################
########################################################################################
# RPKI not enabled for this router
########################################################################################
########################################################################################
#
# Filter known transit networks
#
# Inspired by: http://bgpfilterguide.nlnog.net/guides/no_transit_leaks/
#
########################################################################################
########################################################################################
# Filtering the following ASNs:
#
# 174 - Cogent
# 701 - UUNET
# 1299 - Telia
# 2914 - NTT Communications
# 3257 - GTT Backbone
# 3320 - Deutsche Telekom AG (DTAG)
# 3356 - Level3
# 3491 - PCCW
# 4134 - Chinanet
# 5511 - Orange opentransit
# 6453 - Tata Communications
# 6461 - Zayo Bandwidth
# 6762 - Seabone / Telecom Italia
# 6830 - Liberty Global
# 7018 - AT&T
# ASNs that should never appear in a path learnt at an IXP route server;
# matched against the whole AS path by filter_has_transit_path.
define TRANSIT_ASNS = [ 174, 701, 1299, 2914, 3257, 3320, 3356, 3491, 4134, 5511, 6453, 6461, 6762, 6830, 7018 ];
function filter_has_transit_path()
int set transit_asns;
{
# Route-leak guard: returns true (and tags the route with
# IXP_LC_FILTERED_TRANSIT_FREE_ASN) if any ASN anywhere in bgp_path is one
# of the known transit networks in TRANSIT_ASNS; false otherwise.
# The caller is expected to stop processing the route on true.
transit_asns = TRANSIT_ASNS;
if (bgp_path ~ transit_asns) then {
bgp_large_community.add( IXP_LC_FILTERED_TRANSIT_FREE_ASN );
return true;
}
return false;
}
########################################################################################
########################################################################################
#
# Route Server client configuration
#
########################################################################################
########################################################################################
template bgp tb_rsclient {
# Common settings inherited by every route server client session.
local as routeserverasn;
source address routeserveraddress;
# only accept the session on the configured source address
strict bind yes;
# give RPKI-RTR a chance to start and populate
# (RPKI is /really/ quick)
connect delay time 30;
interpret communities off; # enable rfc1997 well-known community pass through
ipv4 {
# default export policy; the per-client protocol definitions override this
# with their own export filter
export all;
};
# transparent route server behaviour (no own ASN in the path, NEXT_HOP kept)
rs client;
}
########################################################################################
########################################################################################
#
# Route server clients
#
########################################################################################
########################################################################################
########################################################################################
########################################################################################
###
### AS11111 - 037_BBB AS11111 - VLAN Interface #32
# Per-client table for this session; the pipe and BGP protocol below must
# reference exactly this name.
# NOTE(review): the name here does not match the names used further down
# (t_0032_as11111 in the pipe, t_0032_as111111 in the bgp protocol); this
# looks like a redaction artefact in the post, but as posted BIRD cannot
# resolve all three.
ipv4 table t_0032_ascc;
filter f_import_as11111
prefix set allnet;
ip set allips;
int set allas;
{
# Import filter for the AS11111 session. Every check below tags the route
# with the matching IXP_LC_FILTERED_* community and then ACCEPTS it: the
# route stays in the per-peer table for the looking glass and is dropped
# later by f_export_to_master on its way to master4. Checks run in order
# and the first failing check wins.
# Filter small prefixes
# /25 and longer are considered too long; "too short" is handled by the
# 0.0.0.0/0{0,7} entry in avoid_martians.
if ( net ~ [ 0.0.0.0/0{25,32} ] ) then {
bgp_large_community.add( IXP_LC_FILTERED_PREFIX_LEN_TOO_LONG );
accept;
}
if !(avoid_martians()) then {
bgp_large_community.add( IXP_LC_FILTERED_BOGON );
accept;
}
# Belt and braces: must have at least one ASN in the path
if( bgp_path.len < 1 ) then {
bgp_large_community.add( IXP_LC_FILTERED_AS_PATH_TOO_SHORT );
accept;
}
# Peer ASN == route's first ASN?
# NOTE(review): this compares against 42, but the session below is
# configured as "neighbor ... as 11111". If 42 is not just a redaction
# placeholder, every route from this client fails here and is kept out of
# the master table.
if (bgp_path.first != 42 ) then {
bgp_large_community.add( IXP_LC_FILTERED_FIRST_AS_NOT_PEER_AS );
accept;
}
# set of all IPs this ASN uses to peer with on this VLAN
# (dd.dd.dd.dd appears to be a redaction placeholder in this post)
allips = [ dd.dd.dd.dd ];
# Prevent BGP NEXT_HOP Hijacking
# "from" is the neighbour address of the session that announced the route;
# a NEXT_HOP that differs from it is tolerated only if it belongs to the
# same client (allips), otherwise the route is tagged as filtered.
if !( from = bgp_next_hop ) then {
# need to differentiate between same ASN next hop or actual next hop hijacking
if( bgp_next_hop ~ allips ) then {
bgp_large_community.add( IXP_LC_INFO_SAME_AS_NEXT_HOP );
} else {
# looks like hijacking (intentional or not)
bgp_large_community.add( IXP_LC_FILTERED_NEXT_HOP_NOT_PEER_IP );
accept;
}
}
# Filter Known Transit Networks
# filter_has_transit_path adds the filtered community itself
if filter_has_transit_path() then accept;
# Belt and braces: no one needs an ASN path with > 64 hops, that's just broken
if( bgp_path.len > 64 ) then {
bgp_large_community.add( IXP_LC_FILTERED_AS_PATH_TOO_LONG );
accept;
}
# Skipping RPKI check -> RPKI not enabled / configured correctly.
bgp_large_community.add( IXP_LC_INFO_RPKI_NOT_CHECKED );
# This ASN was configured not to use IRRDB filtering
# NOTE(review): with neither RPKI nor IRRDB enabled, nothing in this filter
# validates that the client is entitled to originate the prefixes it
# announces; only the structural checks above apply. allnet and allas are
# declared but unused for the same reason.
bgp_large_community.add( IXP_LC_INFO_IRRDB_NOT_CHECKED );
accept;
}
# The route server export filter exists as the export gateway on the BGP protocol.
#
# Remember that standard IXP community filtering has already happened on the
# master -> bgp protocol pipe.
filter f_export_as11111{
# Export filter on the BGP session towards AS11111. By the time a route gets
# here it has already passed f_export_to_master and ixp_community_filter on
# the pipe, so the only remaining job is housekeeping.
# we should strip our own communities which we used for the looking glass
# This removes every large community whose global administrator is
# routeserverasn -- the filtered tags, the informational ones and any
# client-supplied control communities alike.
bgp_large_community.delete( [( routeserverasn, *, * )] );
# default position is to accept:
accept;
}
protocol pipe pp_0032_as11111 {
description "Pipe for AS11111 - 037_BBB AS11111 - VLAN Interface 32";
# Connects the per-peer table with master4. "import" is the peer -> master
# direction (filtered tags enforced here); "export" is master -> peer and
# applies the client's large-community controls for peer ASN 11111.
table master4;
# NOTE(review): this table name differs from the "ipv4 table" declaration
# above (t_0032_ascc); one of them must be corrected for the config to load.
peer table t_0032_as11111;
import filter f_export_to_master;
export where ixp_community_filter(11111);
}
protocol bgp pb_0032_as42 {
# BGP session to the AS11111 client, inheriting tb_rsclient.
# NOTE(review): the protocol name says as42 while the neighbour is as 11111;
# like the "!= 42" test in f_import_as11111, confirm which value is real.
description "AS11111 - 037_BBB AS11111";
neighbor dd.dd.dd.dd as 11111;
ipv4 {
# max-prefix protection: more than 720 routes restarts the session
import limit 720 action restart;
import filter f_import_as11111;
# NOTE(review): t_0032_as111111 and f_export_as111111 (six 1s) do not match
# the table (t_0032_ascc) and filter (f_export_as11111) defined above, nor
# the pipe's peer table (t_0032_as11111). Probably a redaction artefact,
# but BIRD will refuse to load a config that references undefined names.
table t_0032_as111111;
export filter f_export_as111111;
};
}