CVSROOT: /cvs
Module name: src
Changes by: clau...@cvs.openbsd.org 2018/09/29 02:11:11
Modified files:
usr.sbin/bgpd : bgpd.c bgpd.h config.c parse.y printconf.c
rde.c rde.h rde_attr.c rde_filter.c rde_rib.c
rde_trie.c
Log message:
Implement origin validation in bgpd. This introduces two new tables, the
roa-set for RPKI based origin validation and a origin-set which allows to
lookup a source-as / prefix pair.
For RPKI a config can be built like this:
roa-set {
165.254.255.0/24 source-as 15562
193.0.0.0/21 maxlen 24 source-as 3333
}
deny from any ovs invalid
match from any ovs valid set community local-as:42
match from any ovs not-found set community local-as:43
Origin sets are similar but only match when the source-as / prefix pair is
valid.
match from any origin-set ARINDB set community local-as:44
Committing this now so that further work can be done in tree.
OK benno@, job@
