From aed899676344fc6046e967d6ff59b773cefa4880 Mon Sep 17 00:00:00 2001 From: claudio Date: Thu, 12 Oct 2023 09:18:56 +0000 Subject: [PATCH] Add a fairly minimal ixp setup generated by arouteserver This does a lot of community manipulation and also tests a few other bits of code (prepends, roa, prefix-set). --- .../usr.sbin/bgpd/integrationtests/Makefile | 7 +- .../integrationtests/bgpd.ixp.rdomain1.conf | 2528 +++++++++++++++++ .../integrationtests/bgpd.ixp.rdomain2_1.conf | 11 + .../integrationtests/bgpd.ixp.rdomain2_2.conf | 28 + .../integrationtests/bgpd.ixp.rdomain2_3.conf | 33 + .../integrationtests/bgpd.ixp.rdomain2_4.conf | 12 + .../bgpd/integrationtests/ixp.rdomain1.ok | 155 + .../bgpd/integrationtests/ixp.rdomain2.ok | 73 + regress/usr.sbin/bgpd/integrationtests/ixp.sh | 101 + 9 files changed, 2946 insertions(+), 2 deletions(-) create mode 100644 regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain1.conf create mode 100644 regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_1.conf create mode 100644 regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_2.conf create mode 100644 regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_3.conf create mode 100644 regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_4.conf create mode 100644 regress/usr.sbin/bgpd/integrationtests/ixp.rdomain1.ok create mode 100644 regress/usr.sbin/bgpd/integrationtests/ixp.rdomain2.ok create mode 100644 regress/usr.sbin/bgpd/integrationtests/ixp.sh diff --git a/regress/usr.sbin/bgpd/integrationtests/Makefile b/regress/usr.sbin/bgpd/integrationtests/Makefile index 31f32c8df18..bc0b9810cb2 100644 --- a/regress/usr.sbin/bgpd/integrationtests/Makefile +++ b/regress/usr.sbin/bgpd/integrationtests/Makefile 
@@ -1,8 +1,8 @@ -# $OpenBSD: Makefile,v 1.21 2023/07/12 15:34:59 claudio Exp $ +# $OpenBSD: Makefile,v 1.22 2023/10/12 09:18:56 claudio Exp $ REGRESS_TARGETS = network_statement md5 ovs mrt pftable \ maxprefix maxprefixout maxcomm \ - as0 med eval_all policy l3vpn attr + as0 med eval_all policy l3vpn attr ixp BGPD ?= /usr/sbin/bgpd @@ -41,6 +41,9 @@ maxcomm: l3vpn: ${SUDO} ksh ${.CURDIR}/$@.sh ${BGPD} ${.CURDIR} 11 12 pair11 pair12 13 14 +ixp: + ${SUDO} ksh ${.CURDIR}/$@.sh ${BGPD} ${.CURDIR} 11 12 pair11 pair12 + .if ! exists(/usr/local/bin/exabgp) as0: # install exabgp from ports for additional tests diff --git a/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain1.conf b/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain1.conf new file mode 100644 index 00000000000..ece5fab72e7 --- /dev/null +++ b/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain1.conf 
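Review bot: The new `ixp` recipe passes the same rdomain numbers and pair interfaces (`11 12 pair11 pair12`) that the `l3vpn` recipe directly above it already uses, so the two targets cannot safely run concurrently (for instance under `make -j`) and `ixp` depends on the preceding script having torn down its rdomains and pairs. This appears to match how the other targets in this Makefile are written, so it is a documentation point rather than a defect in the change. A short comment above the recipe would make the assumption explicit, e.g. `# shares rdomains 11/12 and pair11/pair12 with l3vpn; regress targets must run sequentially`. ixp.sh is not part of this hunk, so whether it cleans up after itself on failure cannot be confirmed here.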
@@ -0,0 +1,2528 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + +# AS2, used by client AS2_1 +# no origin ASNs found for AS2 +# no prefixes found for AS2 + +# AS-AS1, AS-AS1_CUSTOMERS, used by client AS1_1 +as-set "AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns" { + 1 101 103 104 +} +prefix-set "AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes" { + 1.0.0.0/8 prefixlen 8 - 32 + 128.0.0.0/7 prefixlen 7 - 32 + 101.0.0.0/16 prefixlen 16 - 32 + 103.0.0.0/16 prefixlen 16 - 32 +} + +# AS-AS2, AS-AS2_CUSTOMERS, used by client AS2_1 +as-set "AS_SET_AS_AS2_AS_AS2_CUSTOMERS_asns" { + 2 101 103 +} +prefix-set "AS_SET_AS_AS2_AS_AS2_CUSTOMERS_prefixes" { + 2.0.0.0/16 prefixlen 16 - 32 + 101.0.0.0/16 prefixlen 16 - 32 + 103.0.0.0/16 prefixlen 16 - 32 +} + +# AS1, used by client AS1_1 +# no origin ASNs found for AS1 +# no prefixes found for AS1 + +# WHITE_LIST_AS1_1, used by client AS1_1 white list +as-set "AS_SET_WHITE_LIST_AS1_1_asns" { + 1011 +} +prefix-set "AS_SET_WHITE_LIST_AS1_1_prefixes" { + 11.1.0.0/16 prefixlen 16 - 32 +} + +# --------------------------------------------------------- +# ROAs source + + +roa-set { + 2.0.3.0/24 source-as 2 + 2.0.4.0/24 source-as 0 +} + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + transparent-as yes + rde evaluate all + + neighbor 192.0.2.11 { + remote-as 1 + descr "AS1_1 client" + } 
+ + neighbor 192.0.2.21 { + remote-as 2 + descr "AS2_1 client" + } + + neighbor 192.0.2.31 { + remote-as 3 + descr "AS3_1 client" + } + + neighbor 192.0.2.41 { + remote-as 4 + descr "AS4_1 client" + } +} + +# --------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. + + + + +prefix-set "global_black_list_pref" { + 192.0.2.0/24 prefixlen 24 - 32 + 2.0.7.0/24 prefixlen 24 - 32 +} + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 
128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + +# never via route-servers ASNs +as-set "neverviarouteserver" { + 666, 777 +} + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. +# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. + + + +# Scrub communities from inbound routes +# origin_not_present_in_as_set +match from group clients set community delete 65530:0 +match from group clients set large-community delete 999:65530:0 + +# origin_present_in_as_set +match from group clients set community delete 65530:1 +match from group clients set large-community delete 999:65530:1 + +# prefix_validated_via_arin_whois_db_dump +match from group clients set community delete 65530:3 +match from group clients set large-community delete 999:65530:3 + +# prefix_validated_via_rpki_roas +match from group clients set community delete 65530:2 +match from group clients set large-community delete 999:65530:2 + +# reject_cause +match from group clients set community delete 65520:* + +# rejected_route_announced_by +match from group clients set community delete 65524:* +match from group clients set ext-community delete rt 65524:* + +# rpki_bgp_origin_validation_not_performed +match from group clients set community delete 65530:4 +match from group clients set large-community delete 999:65530:4 + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community 
delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which are used later by the rest of the filter rules. + +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + +# --------------------------------------------------------- +# RPKI-based Origin Validation + +# Add $INTCOMM_RPKI_UNKNOWN, $INTCOMM_RPKI_INVALID and $INTCOMM_RPKI_VALID +# ext community on the basis of ovs. +match from group clients ovs not-found set { + ext-community $INTCOMM_RPKI_UNKNOWN + ext-community ovs not-found + +} +match from group clients ovs valid set { + ext-community $INTCOMM_RPKI_VALID + ext-community ovs valid + +} +match from group clients ovs invalid set { + ext-community $INTCOMM_RPKI_INVALID + ext-community ovs invalid + +} + + +# --------------------------------------------------------- +# RPKI ROAs used as route objects. + +# Add the $INTCOMM_PREF_OK_ROA ext community to routes whose +# origin ASN has a ROA for the announced prefix. +# It will be used later during IRRDB validation in +# case the origin ASN is authorized by a client's +# AS-SET but the prefix is not. + +# Since RPKI-based Origin Validation is already performed above, +# use the origin validation state to identify valid routes. 
+match from group clients ovs valid set ext-community $INTCOMM_PREF_OK_ROA + + +# Set the 'rejected_route_announced_by' community for all the clients. +# It will be removed later if the route is not invalid +match from 192.0.2.11 set community 65524:1 +match from 192.0.2.11 set ext-community rt 65524:1 + +match from 192.0.2.21 set community 65524:2 +match from 192.0.2.21 set ext-community rt 65524:2 + +match from 192.0.2.31 set community 65524:3 +match from 192.0.2.31 set ext-community rt 65524:3 + +match from 192.0.2.41 set community 65524:4 +match from 192.0.2.41 set ext-community rt 65524:4 + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 6' - reject code: 1 +allow quick from group clients max-as-len 6 set { + localpref 1 + community 65520:0 + community 65520:1 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: global blacklist +# Reject inbound routes when 'from group clients prefix-set global_black_list_pref' - reject code: 3 +allow quick from group clients prefix-set global_black_list_pref set { + localpref 1 + community 65520:0 + community 65520:3 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete 
$INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +allow quick from group clients prefix-set bogons set { + localpref 1 + community 65520:0 + community 65520:2 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# ===================================================================================== +# Per client rules. 
+ + +# --------------------------------------------- +# client AS1_1, inbound + + + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +allow quick from 192.0.2.11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.11 AS 64496 - 131071 set { + localpref 1 + 
community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.11 AS { 3, 174 }' - reject code: 8 +allow quick from 192.0.2.11 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete 
$INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.11 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.11 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 192.0.2.11 prefix 11.3.0.0/16 source-as 1011 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.11 prefix 11.4.0.0/16 prefixlen 16 - 32 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 192.0.2.11 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_1, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.11 source-as as-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS1_AS_AS1_CUSTOMERS +# AS-SET AS1 referenced but empty. +match from 192.0.2.11 source-as as-set AS_SET_WHITE_LIST_AS1_1_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS1_1 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_1, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.11 prefix-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS1_AS_AS1_CUSTOMERS +# AS-SET AS1 referenced but empty. +match from 192.0.2.11 prefix-set AS_SET_WHITE_LIST_AS1_1_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS1_1 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# route authorized by a client's white list? 
+match from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# 
Blackhole request? +match from 192.0.2.11 set community delete 65524:1 +match from 192.0.2.11 set ext-community delete rt 65524:1 + + +# Remove internal communities before accepting the route +match from 192.0.2.11 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.11 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.11 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.11 community BLACKHOLE set community 65530:4 +match from 192.0.2.11 community BLACKHOLE set 
large-community 999:65530:4 + +match from 192.0.2.11 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.11 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.11 community BLACKHOLE +allow quick from 192.0.2.11 community 65534:0 +allow quick from 192.0.2.11 large-community 65534:0:0 + + +match from 192.0.2.11 set community 65524:1 +match from 192.0.2.11 set ext-community rt 65524:1 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community 
delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.11 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.11 set community delete 65524:1 +match from 192.0.2.11 set ext-community delete rt 65524:1 + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS1_1, outbound + +deny quick to 192.0.2.11 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 192.0.2.11 community 65534:0 set community BLACKHOLE +match to 192.0.2.11 large-community 65534:0:0 set community BLACKHOLE + +match to 192.0.2.11 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.11 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.11 community 65507:999 set community NO_EXPORT +match to 192.0.2.11 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.11 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.11 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.11 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.11 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.11 community 65509:1 set community NO_EXPORT +match to 192.0.2.11 ext-community rt 65509:1 set community NO_EXPORT +match to 192.0.2.11 large-community 999:65509:1 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.11 community 65510:1 set community NO_ADVERTISE +match to 192.0.2.11 ext-community rt 65510:1 set community NO_ADVERTISE +match to 192.0.2.11 large-community 999:65510:1 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.11 + +# do_not_announce_to_any +deny to 192.0.2.11 community 0:999 +deny to 192.0.2.11 ext-community rt 0:999 +deny to 192.0.2.11 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.11 community 0:1 +deny quick to 192.0.2.11 ext-community rt 0:1 +deny quick to 192.0.2.11 large-community 999:0:1 + +# announce_to_peer +allow to 192.0.2.11 community 65501:1 +allow to 192.0.2.11 ext-community rt 65501:1 +allow to 192.0.2.11 large-community 999:65501:1 + + +# Add the 
$INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:1 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS2_1, inbound + + + +# NEXT_HOP +match from 192.0.2.21 set community NO_ADVERTISE +match from 192.0.2.21 nexthop 192.0.2.21 set community delete NO_ADVERTISE +match from 192.0.2.21 nexthop 192.0.2.22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.21 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.21 AS 23456' - reject code: 7 +allow quick from 192.0.2.21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.21 AS { 3, 174 }' - reject code: 8 +allow quick from 192.0.2.21 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + 
ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.21 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.21 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +match from 192.0.2.21 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS2_1, AS2: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.21 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. 
+match from 192.0.2.21 source-as as-set AS_SET_AS_AS2_AS_AS2_CUSTOMERS_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS2_AS_AS2_CUSTOMERS + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS2_1, AS2: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.21 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. +match from 192.0.2.21 prefix-set AS_SET_AS_AS2_AS_AS2_CUSTOMERS_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS2_AS_AS2_CUSTOMERS + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.21 ext-community 
$INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? +match from 192.0.2.21 set community delete 65524:2 +match from 192.0.2.21 set ext-community delete rt 65524:2 + + +# Remove internal communities before accepting the route +match from 192.0.2.21 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.21 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete 
$INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.21 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.21 community BLACKHOLE set community 65530:4 +match from 192.0.2.21 community BLACKHOLE set large-community 999:65530:4 + +match from 192.0.2.21 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.21 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.21 community BLACKHOLE +allow quick from 192.0.2.21 community 65534:0 +allow quick from 192.0.2.21 large-community 65534:0:0 + + +match from 192.0.2.21 set community 65524:2 +match from 192.0.2.21 set ext-community rt 65524:2 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.21 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.21 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.21 community GRACEFUL_SHUTDOWN set community delete GRACEFUL_SHUTDOWN + +# Remove internal communities before accepting the route +match from 192.0.2.21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.21 set community delete 65524:2 +match from 192.0.2.21 set ext-community delete rt 65524:2 + + + +allow quick from 192.0.2.21 + + + +# --------------------------------------------- +# client AS2_1, outbound + +deny quick to 192.0.2.21 community 65520:0 + + + 
+# Blackhole request? +# Configured policy: rewrite-next-hop +match to 192.0.2.21 community 65534:0 set community BLACKHOLE +match to 192.0.2.21 large-community 65534:0:0 set community BLACKHOLE + +match to 192.0.2.21 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.21 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.21 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.21 community 65507:999 set community NO_EXPORT +match to 192.0.2.21 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.21 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.21 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.21 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.21 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.21 community 65509:2 set community NO_EXPORT +match to 192.0.2.21 ext-community rt 65509:2 set community NO_EXPORT +match to 192.0.2.21 large-community 999:65509:2 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.21 community 65510:2 set community NO_ADVERTISE +match to 192.0.2.21 ext-community rt 65510:2 set community NO_ADVERTISE +match to 192.0.2.21 large-community 999:65510:2 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.21 + +# do_not_announce_to_any +deny to 192.0.2.21 community 0:999 +deny to 192.0.2.21 ext-community rt 0:999 +deny to 192.0.2.21 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.21 community 0:2 +deny quick to 192.0.2.21 ext-community rt 0:2 +deny quick to 192.0.2.21 large-community 999:0:2 + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. 
As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:2 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:2 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:2 
set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# 
--------------------------------------------- +# client AS3_1, inbound + + + +# NEXT_HOP +match from 192.0.2.31 set community NO_ADVERTISE +match from 192.0.2.31 nexthop 192.0.2.31 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.31 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.31 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.31 AS 23456' - reject code: 7 +allow quick from 192.0.2.31 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.31 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.31 AS 64496 - 131071 set { + localpref 1 + community 
65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.31 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.31 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.31 AS { 174 }' - reject code: 8 +allow quick from 192.0.2.31 AS { 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT 
+ ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.31 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.31 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +# Prefix: client's blacklist +prefix-set "client_AS3_1_black_list_pref_ipv4" { + 3.0.1.0/24 prefixlen 24 - 32 + +} +# Reject inbound routes when 'from 192.0.2.31 prefix-set client_AS3_1_black_list_pref_ipv4' - reject code: 11 +allow quick from 192.0.2.31 prefix-set client_AS3_1_black_list_pref_ipv4 set { + localpref 1 + community 65520:0 + community 65520:11 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + 
ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Blackhole request? +match from 192.0.2.31 set community delete 65524:3 +match from 192.0.2.31 set ext-community delete rt 65524:3 + + +# Remove internal communities before accepting the route +match from 192.0.2.31 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.31 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.31 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the 
rpki_bgp_origin_validation_not_performed community +match from 192.0.2.31 community BLACKHOLE set community 65530:4 +match from 192.0.2.31 community BLACKHOLE set large-community 999:65530:4 + +match from 192.0.2.31 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.31 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.31 community BLACKHOLE +allow quick from 192.0.2.31 community 65534:0 +allow quick from 192.0.2.31 large-community 65534:0:0 + + +match from 192.0.2.31 set community 65524:3 +match from 192.0.2.31 set ext-community rt 65524:3 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.31 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.31 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete 
$INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.31 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 192.0.2.31 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.31 set community delete 65524:3 +match from 192.0.2.31 set ext-community delete rt 65524:3 + + + +allow quick from 192.0.2.31 + + + +# --------------------------------------------- +# client AS3_1, outbound + +deny quick to 192.0.2.31 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 192.0.2.31 community 65534:0 set community BLACKHOLE +match to 192.0.2.31 large-community 65534:0:0 set community BLACKHOLE + +match to 192.0.2.31 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.31 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.31 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.31 community 65507:999 set community NO_EXPORT +match to 192.0.2.31 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.31 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.31 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.31 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.31 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.31 community 65509:3 set community NO_EXPORT +match to 192.0.2.31 ext-community rt 65509:3 set community NO_EXPORT +match to 192.0.2.31 large-community 999:65509:3 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.31 community 65510:3 set community NO_ADVERTISE +match to 192.0.2.31 ext-community rt 65510:3 set community NO_ADVERTISE +match to 192.0.2.31 large-community 999:65510:3 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.31 + +# do_not_announce_to_any +deny to 192.0.2.31 community 0:999 +deny to 192.0.2.31 ext-community rt 0:999 +deny to 192.0.2.31 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.31 community 0:3 +deny quick to 192.0.2.31 ext-community rt 0:3 +deny quick to 192.0.2.31 large-community 999:0:3 + +# announce_to_peer +allow to 192.0.2.31 community 65501:3 +allow to 192.0.2.31 ext-community rt 65501:3 +allow to 192.0.2.31 large-community 999:65501:3 + + +# Add the 
$INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:3 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:3 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:3 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS4_1, inbound + + + +# NEXT_HOP +match from 192.0.2.41 set community NO_ADVERTISE +match from 192.0.2.41 nexthop 192.0.2.41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.41 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.41 AS 23456' - reject code: 7 +allow quick from 192.0.2.41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# 
Reject inbound routes when 'from 192.0.2.41 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.41 AS { 3, 174 }' - reject code: 8 +allow quick from 192.0.2.41 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + 
ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.41 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.41 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + +# Blackhole request? 
+match from 192.0.2.41 set community delete 65524:4 +match from 192.0.2.41 set ext-community delete rt 65524:4 + + +# Remove internal communities before accepting the route +match from 192.0.2.41 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.41 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.41 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.41 community BLACKHOLE set community 65530:4 +match from 192.0.2.41 community BLACKHOLE set large-community 
999:65530:4 + +match from 192.0.2.41 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.41 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.41 community BLACKHOLE +allow quick from 192.0.2.41 community 65534:0 +allow quick from 192.0.2.41 large-community 65534:0:0 + + +match from 192.0.2.41 set community 65524:4 +match from 192.0.2.41 set ext-community rt 65524:4 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.41 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.41 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.41 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 192.0.2.41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.41 set community delete 65524:4 +match from 192.0.2.41 set ext-community delete rt 65524:4 + + + +allow quick from 192.0.2.41 + + + +# --------------------------------------------- +# client AS4_1, outbound + +deny quick to 192.0.2.41 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 192.0.2.41 community 65534:0 set community BLACKHOLE +match to 192.0.2.41 large-community 65534:0:0 set community BLACKHOLE + +match to 192.0.2.41 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.41 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.41 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.41 community 65507:999 set community NO_EXPORT +match to 192.0.2.41 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.41 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.41 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.41 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.41 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.41 community 65509:4 set community NO_EXPORT +match to 192.0.2.41 ext-community rt 65509:4 set community NO_EXPORT +match to 192.0.2.41 large-community 999:65509:4 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.41 community 65510:4 set community NO_ADVERTISE +match to 192.0.2.41 ext-community rt 65510:4 set community NO_ADVERTISE +match to 192.0.2.41 large-community 999:65510:4 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.41 + +# do_not_announce_to_any +deny to 192.0.2.41 community 0:999 +deny to 192.0.2.41 ext-community rt 0:999 +deny to 192.0.2.41 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.41 community 0:4 +deny quick to 192.0.2.41 ext-community rt 0:4 +deny quick to 192.0.2.41 large-community 999:0:4 + + +# announce_to_peer +allow to 192.0.2.41 community 65501:4 +allow to 192.0.2.41 ext-community rt 65501:4 +allow to 192.0.2.41 large-community 999:65501:4 + + +# Add the 
$INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:4 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:4 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:4 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:4 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:4 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:4 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# Scrub communities from outbound routes +# add_noadvertise_to_any +match to group clients set community delete 65508:999 +match to group clients set ext-community delete rt 65508:999 +match to group clients set large-community delete 999:65508:999 + +# add_noadvertise_to_peer +match to group clients set community delete 65510:* +match to group clients set ext-community delete rt 65510:* +match to group clients set large-community delete 999:65510:* + +# add_noexport_to_any +match to group clients set community delete 65507:999 +match to group clients set ext-community delete rt 65507:999 +match to group clients set large-community delete 999:65507:999 + +# add_noexport_to_peer +match to group clients set community delete 65509:* +match to group clients set ext-community delete rt 65509:* +match to group clients set large-community delete 999:65509:* + +# announce_to_peer +match to group clients set community delete 65501:* +match to group clients set ext-community delete rt 65501:* +match to group clients set large-community delete 999:65501:* + +# blackholing +match to group clients set community delete 65534:0 +match to group clients set large-community delete 65534:0:0 + +# do_not_announce_to_any +match to group clients set community delete 0:999 +match to group clients set ext-community delete rt 0:999 +match to group clients set large-community delete 999:0:999 + +# do_not_announce_to_peer +match to group clients set community delete 0:* +match to group clients set ext-community delete rt 0:* +match to group clients set large-community delete 999:0:* + +# prepend_once_to_any +match to group clients set community delete 65521:65521 +match to group clients set ext-community delete rt 65521:65521 +match to group clients set large-community delete 999:65521:65521 + +# prepend_once_to_peer +match to group clients 
set community delete 65521:* +match to group clients set ext-community delete rt 65521:* +match to group clients set large-community delete 999:65521:* + +# prepend_thrice_to_any +match to group clients set community delete 65523:65523 +match to group clients set ext-community delete rt 65523:65523 +match to group clients set large-community delete 999:65523:65523 + +# prepend_thrice_to_peer +match to group clients set community delete 65523:* +match to group clients set ext-community delete rt 65523:* +match to group clients set large-community delete 999:65523:* + +# prepend_twice_to_any +match to group clients set community delete 65522:65522 +match to group clients set ext-community delete rt 65522:65522 +match to group clients set large-community delete 999:65522:65522 + +# prepend_twice_to_peer +match to group clients set community delete 65522:* +match to group clients set ext-community delete rt 65522:* +match to group clients set large-community delete 999:65522:* + +# reject_cause +match to group clients set community delete 65520:* + +# rejected_route_announced_by +match to group clients set community delete 65524:* +match to group clients set ext-community delete rt 65524:* + + +# Scrub prepending communities +match to group clients set { + community delete 65521:65521 + ext-community delete rt 65521:65521 + large-community delete 999:65521:65521 + +} +match to group clients set { + community delete 65521:* + ext-community delete rt 65521:* + large-community delete 999:65521:* + +} +match to group clients set { + community delete 64537:* + ext-community delete rt 64537:* + large-community delete 999:64537:* + +} +match to group clients set { + community delete 64534:* + ext-community delete rt 64534:* + large-community delete 999:64534:* + +} +match to group clients set { + community delete 65523:65523 + ext-community delete rt 65523:65523 + large-community delete 999:65523:65523 + +} +match to group clients set { + community delete 65523:* + 
ext-community delete rt 65523:* + large-community delete 999:65523:* + +} +match to group clients set { + community delete 64539:* + ext-community delete rt 64539:* + large-community delete 999:64539:* + +} +match to group clients set { + community delete 64536:* + ext-community delete rt 64536:* + large-community delete 999:64536:* + +} +match to group clients set { + community delete 65522:65522 + ext-community delete rt 65522:65522 + large-community delete 999:65522:65522 + +} +match to group clients set { + community delete 65522:* + ext-community delete rt 65522:* + large-community delete 999:65522:* + +} +match to group clients set { + community delete 64538:* + ext-community delete rt 64538:* + large-community delete 999:64538:* + +} +match to group clients set { + community delete 64535:* + ext-community delete rt 64535:* + large-community delete 999:64535:* + +} + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + 
diff --git a/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_1.conf b/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_1.conf
new file mode 100644
index 00000000000..f18c505bfe2
--- /dev/null
+++ b/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_1.conf
@@ -0,0 +1,11 @@
+AS 1
+listen on 192.0.2.11
+
+neighbor 192.0.2.2 {
+ remote-as 999
+ local-address 192.0.2.11
+ enforce neighbor-as no
+}
+
+allow from any
+allow to any
diff --git a/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_2.conf b/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_2.conf
new file mode 100644
index 00000000000..a0d92e2bacf
--- /dev/null
+++ b/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_2.conf
@@ -0,0 +1,28 @@
+AS 2
+listen on 192.0.2.21
+socket "/var/run/bgpd.sock.12_2"
+
+network 2.0.1.0/24 set community NO_EXPORT
+network 2.0.2.0/24 set community NO_ADVERTISE
+network 2.0.3.0/24
+network 2.0.4.0/24
+network 2.0.5.0/24
+network 2.0.6.0/24 set prepend-self 8
+network 2.0.7.0/24
+network 192.168.8.0/24
+network 2.0.9.0/24 set nexthop 192.0.2.77
+network 22.0.10.0/24
+network 2.0.11.0/24 set community BLACKHOLE
+network 2.0.12.0/24 set community 65534:0
+network 2.0.13.0/24 set large-community 65534:0:0
+network 2.0.14.0/25
+network 2.0.15.0/24 set community GRACEFUL_SHUTDOWN
+
+neighbor 192.0.2.2 {
+ remote-as 999
+ local-address 192.0.2.21
+ enforce neighbor-as no
+}
+
+allow from any
+allow to any
diff --git a/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_3.conf b/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_3.conf
new file mode 100644
index 00000000000..a19a8f01e3c
--- /dev/null
+++ b/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_3.conf
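Review bot: This client config is the only one of the four without a `socket` statement, so its bgpd falls back to the default control socket for the rdomain while the other clients use `/var/run/bgpd.sock.12_N`. Presumably ixp.sh never queries the AS 1 daemon (the script is not in this chunk), but that intent is worth stating, e.g. `# no socket statement: this daemon is only a peer, ixp.sh does not query it`. Likewise `enforce neighbor-as no` is presumably needed because the route server does not insert AS 999 into the paths it relays; the same comment could say so, since without it the setting reads like a weakening of a check.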
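Review bot: The three blackhole inputs (`2.0.11.0/24 set community BLACKHOLE`, `2.0.12.0/24 set community 65534:0`, `2.0.13.0/24 set large-community 65534:0:0`) are all otherwise clean prefixes, so the test never shows what the route server's blackhole fast path does with a prefix that would fail its other inbound checks. In the rdomain1 config the `allow quick from ... community BLACKHOLE` rules come before the RPKI-invalid and prefix-length rejects, so presumably an RPKI-invalid or over-long blackhole from a client is accepted as-is; whether that is intended should be pinned by the expected output rather than left implicit. One extra input such as `network 2.0.4.0/32 set community BLACKHOLE` (2.0.4.0/24 is `ovs invalid` in ixp.rdomain1.ok) would cover it.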
@@ -0,0 +1,33 @@
+AS 3
+listen on 192.0.2.31
+socket "/var/run/bgpd.sock.12_3"
+
+network 3.0.1.0/24 set community NO_EXPORT
+network 3.0.2.0/24 set community NO_ADVERTISE
+#add_noexport_to_any
+network 3.0.3.0/24 set community 65507:999
+#add_noadvertise_to_any
+network 3.0.4.0/24 set large-community 999:65508:999
+#do_not_announce_to_any
+network 3.0.5.0/24 set large-community 999:0:999
+#do_not_announce_to_peer
+network 3.0.6.0/24 set community 0:1
+#do_not_announce_to_any but announce_to_peer
+network 3.0.7.0/24 set { community 0:999 large-community 999:65501:1 }
+# prepend_once_to_peer
+network 3.0.8.0/24 set community 65521:1
+# prepend_twice_to_peer
+network 3.0.9.0/24 set large-community 999:65522:1
+# prepend_thrice_to_peer
+network 3.0.10.0/24 set community 65523:1
+# prepend_thrice_to_any & prepend_twice_to_any & prepend_once_to_any
+network 3.0.11.0/24 set { community 65523:65523 community 65522:65522 community 65521:65521 }
+
+neighbor 192.0.2.2 {
+ remote-as 999
+ local-address 192.0.2.31
+ enforce neighbor-as no
+}
+
+allow from any
+allow to any
diff --git a/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_4.conf b/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_4.conf
new file mode 100644
index 00000000000..a8de1f3fa1f
--- /dev/null
+++ b/regress/usr.sbin/bgpd/integrationtests/bgpd.ixp.rdomain2_4.conf
@@ -0,0 +1,12 @@
+AS 4
+listen on 192.0.2.41
+socket "/var/run/bgpd.sock.12_4"
+
+neighbor 192.0.2.2 {
+ remote-as 999
+ local-address 192.0.2.41
+ enforce neighbor-as no
+}
+
+allow from any
+allow to any
diff --git a/regress/usr.sbin/bgpd/integrationtests/ixp.rdomain1.ok b/regress/usr.sbin/bgpd/integrationtests/ixp.rdomain1.ok
new file mode 100644
index 00000000000..a777215c126
--- /dev/null
+++ b/regress/usr.sbin/bgpd/integrationtests/ixp.rdomain1.ok
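Review bot: `network 3.0.1.0/24 set community NO_EXPORT` and `network 3.0.2.0/24 set community NO_ADVERTISE` look like dead inputs: neither prefix appears in the visible part of ixp.rdomain1.ok (the listing goes from 2.0.15.0/24 straight to 3.0.3.0/24), presumably because the client's own bgpd already withholds NO_EXPORT/NO_ADVERTISE routes from its eBGP session to the route server, so the server's `match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT` pass-through rules are never exercised by them (the same applies to 2.0.1.0/24 and 2.0.2.0/24 in bgpd.ixp.rdomain2_2.conf). Either drop them or mark them, e.g. `# expected to be withheld by this bgpd itself; never reaches the route server`, so a later reader does not assume the server-side pass-through is covered. Comment spacing is also inconsistent (`#add_noexport_to_any` vs `# prepend_once_to_peer`); pick one form. The `0:1`, `65501:1` and `6552x:1` communities target client AS 1, whose view is presumably checked via ixp.rdomain2.ok, which is outside this chunk.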
@@ -0,0 +1,155 @@ + +BGP routing table entry for 2.0.3.0/24 + 2 + Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 100, weight 0, ovs valid, avs unknown, external, valid, best + Ext. Communities: ovs valid + +BGP routing table entry for 2.0.4.0/24 + 2 + Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 1, weight 0, ovs invalid, avs unknown, external, valid, best + Communities: 65520:0 65520:14 65524:2 + Ext. Communities: ovs invalid rt 65524:2 + +BGP routing table entry for 2.0.5.0/24 + 2 + Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + Ext. Communities: ovs not-found + +BGP routing table entry for 2.0.6.0/24 + 2 2 2 2 2 2 2 2 2 + Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 1, weight 0, ovs not-found, avs unknown, external, valid, best + Communities: 65520:0 65520:1 65524:2 + Ext. Communities: ovs not-found rt 65524:2 + +BGP routing table entry for 2.0.7.0/24 + 2 + Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 1, weight 0, ovs not-found, avs unknown, external, valid, best + Communities: 65520:0 65520:3 65524:2 + Ext. Communities: ovs not-found rt 65524:2 + +BGP routing table entry for 2.0.9.0/24 + 2 + Nexthop 192.0.2.77 (via 192.0.2.77) Neighbor AS2_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 1, weight 0, ovs not-found, avs unknown, external, valid, best + Communities: 65520:0 65520:5 65524:2 + Ext. Communities: ovs not-found rt 65524:2 + +BGP routing table entry for 2.0.11.0/24 + 2 + Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + Communities: 65530:4 BLACKHOLE + Ext. 
Communities: ovs not-found + Large Communities: 999:65530:4 + +BGP routing table entry for 2.0.12.0/24 + 2 + Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + Communities: 65530:4 65534:0 + Ext. Communities: ovs not-found + Large Communities: 999:65530:4 + +BGP routing table entry for 2.0.13.0/24 + 2 + Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + Communities: 65530:4 + Ext. Communities: ovs not-found + Large Communities: 999:65530:4 65534:0:0 + +BGP routing table entry for 2.0.14.0/25 + 2 + Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 1, weight 0, ovs not-found, avs unknown, external, valid, best + Communities: 65520:0 65520:13 65524:2 + Ext. Communities: ovs not-found rt 65524:2 + +BGP routing table entry for 2.0.15.0/24 + 2 + Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + Ext. Communities: ovs not-found + +BGP routing table entry for 3.0.3.0/24 + 3 + Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + Communities: 65507:999 + Ext. Communities: ovs not-found + +BGP routing table entry for 3.0.4.0/24 + 3 + Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + Ext. 
Communities: ovs not-found + Large Communities: 999:65508:999 + +BGP routing table entry for 3.0.5.0/24 + 3 + Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + Ext. Communities: ovs not-found + Large Communities: 999:0:999 + +BGP routing table entry for 3.0.6.0/24 + 3 + Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + Communities: 0:1 + Ext. Communities: ovs not-found + +BGP routing table entry for 3.0.7.0/24 + 3 + Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + Communities: 0:999 + Ext. Communities: ovs not-found + Large Communities: 999:65501:1 + +BGP routing table entry for 3.0.8.0/24 + 3 + Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + Communities: 65521:1 + Ext. Communities: ovs not-found + +BGP routing table entry for 3.0.9.0/24 + 3 + Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + Ext. Communities: ovs not-found + Large Communities: 999:65522:1 + +BGP routing table entry for 3.0.10.0/24 + 3 + Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + Communities: 65523:1 + Ext. 
Communities: ovs not-found + +BGP routing table entry for 3.0.11.0/24 + 3 + Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor AS3_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + Communities: 65521:65521 65522:65522 65523:65523 + Ext. Communities: ovs not-found + +BGP routing table entry for 22.0.10.0/24 + 2 + Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 1, weight 0, ovs not-found, avs unknown, external, valid, best + Communities: 65520:0 65520:12 65524:2 + Ext. Communities: ovs not-found rt 65524:2 + +BGP routing table entry for 192.168.8.0/24 + 2 + Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor AS2_1 client (192.0.2.41) + Origin IGP, metric 0, localpref 1, weight 0, ovs not-found, avs unknown, external, valid, best + Communities: 65520:0 65520:2 65524:2 + Ext. Communities: ovs not-found rt 65524:2 diff --git a/regress/usr.sbin/bgpd/integrationtests/ixp.rdomain2.ok b/regress/usr.sbin/bgpd/integrationtests/ixp.rdomain2.ok new file mode 100644 index 00000000000..472c1983547 --- /dev/null +++ b/regress/usr.sbin/bgpd/integrationtests/ixp.rdomain2.ok 
@@ -0,0 +1,73 @@ + +BGP routing table entry for 2.0.3.0/24 + 2 + Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor 192.0.2.2 (192.0.2.2) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + +BGP routing table entry for 2.0.5.0/24 + 2 + Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor 192.0.2.2 (192.0.2.2) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + +BGP routing table entry for 2.0.11.0/24 + 2 + Nexthop 192.0.2.66 (via 192.0.2.66) Neighbor 192.0.2.2 (192.0.2.2) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + Communities: 65530:4 BLACKHOLE NO_EXPORT + Large Communities: 999:65530:4 + +BGP routing table entry for 2.0.12.0/24 + 2 + Nexthop 192.0.2.66 (via 192.0.2.66) Neighbor 192.0.2.2 (192.0.2.2) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + Communities: 65530:4 BLACKHOLE NO_EXPORT + Large Communities: 999:65530:4 + +BGP routing table entry for 2.0.13.0/24 + 2 + Nexthop 192.0.2.66 (via 192.0.2.66) Neighbor 192.0.2.2 (192.0.2.2) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + Communities: 65530:4 BLACKHOLE NO_EXPORT + Large Communities: 999:65530:4 + +BGP routing table entry for 2.0.15.0/24 + 2 + Nexthop 192.0.2.21 (via 192.0.2.21) Neighbor 192.0.2.2 (192.0.2.2) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + +BGP routing table entry for 3.0.3.0/24 + 3 + Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor 192.0.2.2 (192.0.2.2) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + Communities: NO_EXPORT + +BGP routing table entry for 3.0.4.0/24 + 3 + Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor 192.0.2.2 (192.0.2.2) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + 
Communities: NO_ADVERTISE + +BGP routing table entry for 3.0.7.0/24 + 3 + Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor 192.0.2.2 (192.0.2.2) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + +BGP routing table entry for 3.0.8.0/24 + 3 3 + Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor 192.0.2.2 (192.0.2.2) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + +BGP routing table entry for 3.0.9.0/24 + 3 3 3 + Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor 192.0.2.2 (192.0.2.2) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + +BGP routing table entry for 3.0.10.0/24 + 3 3 3 3 + Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor 192.0.2.2 (192.0.2.2) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best + +BGP routing table entry for 3.0.11.0/24 + 3 3 + Nexthop 192.0.2.31 (via 192.0.2.31) Neighbor 192.0.2.2 (192.0.2.2) + Origin IGP, metric 0, localpref 100, weight 0, ovs not-found, avs unknown, external, valid, best diff --git a/regress/usr.sbin/bgpd/integrationtests/ixp.sh b/regress/usr.sbin/bgpd/integrationtests/ixp.sh new file mode 100644 index 00000000000..ae4b1d152e4 --- /dev/null +++ b/regress/usr.sbin/bgpd/integrationtests/ixp.sh 
@@ -0,0 +1,101 @@
+#!/bin/ksh
+# $OpenBSD: ixp.sh,v 1.1 2023/10/12 09:18:56 claudio Exp $
+
+set -e
+
+BGPD=$1
+BGPDCONFIGDIR=$2
+RDOMAIN1=$3
+RDOMAIN2=$4
+PAIR1=$5
+PAIR2=$6
+
+RDOMAINS="${RDOMAIN1} ${RDOMAIN2}"
+PAIRS="${PAIR1} ${PAIR2}"
+PAIR1IP=192.0.2.2
+PAIR2IP=192.0.2.11
+PAIR2IP2=192.0.2.21
+PAIR2IP3=192.0.2.31
+PAIR2IP4=192.0.2.41
+
+error_notify() {
+ echo cleanup
+ pfctl -q -t bgpd_integ_test -T kill
+ pkill -T ${RDOMAIN1} bgpd || true
+ pkill -T ${RDOMAIN2} bgpd || true
+ sleep 1
+ ifconfig ${PAIR2} destroy || true
+ ifconfig ${PAIR1} destroy || true
+ route -qn -T ${RDOMAIN1} flush || true
+ route -qn -T ${RDOMAIN2} flush || true
+ ifconfig lo${RDOMAIN1} destroy || true
+ ifconfig lo${RDOMAIN2} destroy || true
+ if [ $1 -ne 0 ]; then
+ echo FAILED
+ exit 1
+ else
+ echo SUCCESS
+ fi
+}
+
+if [ "$(id -u)" -ne 0 ]; then
+ echo need root privileges >&2
+ exit 1
+fi
+
+trap 'error_notify $?' EXIT
+
+echo check if rdomains are busy
+for n in ${RDOMAINS}; do
+ if /sbin/ifconfig | grep -v "^lo${n}:" | grep " rdomain ${n} "; then
+ echo routing domain ${n} is already used >&2
+ exit 1
+ fi
+done
+
+echo check if interfaces are busy
+for n in ${PAIRS}; do
+ /sbin/ifconfig "${n}" >/dev/null 2>&1 && \
+ ( echo interface ${n} is already used >&2; exit 1 )
+done
+
+set -x
+
+echo setup
+ifconfig ${PAIR1} rdomain ${RDOMAIN1} ${PAIR1IP}/24 up
+ifconfig ${PAIR2} rdomain ${RDOMAIN2} ${PAIR2IP}/24 up
+ifconfig ${PAIR2} alias ${PAIR2IP2}/32
+ifconfig ${PAIR2} alias ${PAIR2IP3}/32
+ifconfig ${PAIR2} alias ${PAIR2IP4}/32
+ifconfig ${PAIR1} patch ${PAIR2}
+ifconfig lo${RDOMAIN1} inet 127.0.0.1/8
+ifconfig lo${RDOMAIN2} inet 127.0.0.1/8
+
+echo run bgpds
+route -T ${RDOMAIN1} exec ${BGPD} \
+ -v -f ${BGPDCONFIGDIR}/bgpd.ixp.rdomain1.conf
+sleep 2
+route -T ${RDOMAIN2} exec ${BGPD} \
+ -v -f ${BGPDCONFIGDIR}/bgpd.ixp.rdomain2_1.conf
+route -T ${RDOMAIN2} exec ${BGPD} \
+ -v -f ${BGPDCONFIGDIR}/bgpd.ixp.rdomain2_2.conf
+route -T ${RDOMAIN2} exec ${BGPD} \
+ -v -f ${BGPDCONFIGDIR}/bgpd.ixp.rdomain2_3.conf
+route -T ${RDOMAIN2} exec ${BGPD} \
+ -v -f ${BGPDCONFIGDIR}/bgpd.ixp.rdomain2_4.conf
+
+sleep 3
+
+route -T ${RDOMAIN1} exec bgpctl show rib detail | grep -v 'Last update:' | \
+ tee ixp.rdomain1.out
+sleep .2
+diff -u ${BGPDCONFIGDIR}/ixp.rdomain1.ok ixp.rdomain1.out
+echo OK
+
+route -T ${RDOMAIN2} exec bgpctl show rib detail | grep -v 'Last update:' | \
+ tee ixp.rdomain2.out
+sleep .2
+diff -u ${BGPDCONFIGDIR}/ixp.rdomain2.ok ixp.rdomain2.out
+echo OK
+
+exit 0
-- 2.20.1
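Review bot: `trap 'error_notify $?' EXIT` is armed before the "rdomains are busy" and "interfaces are busy" checks, so when either check fails with `exit 1` the trap still runs `ifconfig ${PAIR1}/${PAIR2} destroy`, `route -qn -T … flush` and `ifconfig lo${RDOMAIN} destroy` against routing domains and interfaces the script has just determined belong to someone else; the `|| true` only hides the damage when those calls fail. Move the `trap 'error_notify $?' EXIT` line down to just before `set -x`, after both loops, so cleanup only ever touches state this run created (the root check above it exits before any setup too, so it needs no trap). Separately, the fixed `sleep 3` between starting five daemons and the first `bgpctl show rib detail` is a timing guess; polling `bgpctl show summary` in rdomain 1 until all four sessions are Established, with a bounded retry count, would make the diff against the .ok files far less sensitive to a slow or loaded host. The same trap ordering appears to be inherited from the sibling scripts, so it may be worth fixing there too.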