On Tue, Nov 27, 2018 at 04:21:53PM +0100, Job Snijders wrote:
> Hi Claudio,
>
> On Fri, Nov 23, 2018 at 03:55:18PM +0100, Claudio Jeker wrote:
> > For origin validation I cached the source_as in struct rde_aspath;
> > this is not really the right place. It should be in struct aspath
> > since that holds all the ASPATH related stuff. Change this, move
> > aspath_match out of util.c back into rde_attr.c and adjust code to use
> > the cached value also in match from any source-as XYZ rules.
> > This last bit causes a minor behavioural change since the old code
> > extracted the last non AS_SET asnumber. The new code follows the ROA
> > RFC and returns the rightmost AS for AS_SEQUENCE, the local AS for
> > empty paths and AS_NONE (which is 0) for everything else.
> > So now 'match from any source-as 0' will return all paths that do not
> > have a final AS_SEQUENCE segment.
> >
> > The reason for this change is that I don't want to have two different
> > behaviours for what we call source-as (the one in roa-set and the one on a
> > filter).
>
> Something is off, it seems 'source-as 0' is matching anything that has
> an AS_SET attribute set:
>
> $ bgpctl show rib source-as 0 | head
> flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
> S = Stale, E = Error
> origin validation state: N = not-found, V = valid, ! = invalid
> origin: i = IGP, e = EGP, ? = Incomplete
>
> flags ovs destination gateway lpref med aspath origin
> I*> N 5.39.176.0/21 192.147.168.1 100 0 2914 8530 { 198753 } ?
> I*> N 5.101.110.0/24 192.147.168.1 100 0 2914 14061 { 46652 } i
> I*> N 5.175.0.0/19 192.147.168.1 100 0 2914 1299 20773 { 8972 } i
> I*> N 8.41.202.0/24 192.147.168.1 100 0 2914 13789 30372 { 40179 } i
>
> Similarly, this should return at least 5.39.176.0/21:
>
> $ bgpctl show rib source-as 8530
> flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
> S = Stale, E = Error
> origin validation state: N = not-found, V = valid, ! = invalid
> origin: i = IGP, e = EGP, ? = Incomplete
>
> flags ovs destination gateway lpref med aspath origin
> I*> N 80.87.16.0/20 192.147.168.1 100 0 2914 8530 ?
> I*> N 87.236.128.0/21 192.147.168.1 100 0 2914 8530 ?
> I*> N 88.151.152.0/21 192.147.168.1 100 0 2914 8530 ?
> I*> N 89.38.120.0/21 192.147.168.1 100 0 2914 8530 i
> I*> N 93.115.176.0/20 192.147.168.1 100 0 2914 8530 i
> I*> N 185.52.144.0/22 192.147.168.1 100 0 2914 8530 ?
>
I implemented source-as the way ROA is defining it. So anything which ends
with an AS_SET will return AS_NONE (which is 0). OpenBGPD has no way to
have an AS_PATH that has a real 0 in the AS_PATH (those UPDATES are
treated as withdraw). Because of this also the 5.39.176.0/21 is no longer
matching in 'bgpctl show rib source-as 8530'.
I'm a bit on the edge here about where to go and currently prefer to
follow an RFC (which in this case is RFC6811).

   o  Route Origin ASN: The origin AS number derived from a Route as
      follows:

      *  the rightmost AS in the final segment of the AS_PATH attribute
         in the Route if that segment is of type AS_SEQUENCE, or

      *  the BGP speaker's own AS number if that segment is of type
         AS_CONFED_SEQUENCE or AS_CONFED_SET or if the AS_PATH is empty,
         or

      *  the distinguished value "NONE" if the final segment of the
         AS_PATH attribute is of any other type.

As mentioned above I found it strange when behaviour is different because
of where it is used.
--
:wq Claudio
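
The Route Origin ASN rule quoted from RFC 6811 above, written out as an added example; it is not OpenBGPD's code or part of the original mail. It assumes a wire-format AS_PATH with 4-byte AS numbers; `route_origin_asn`, `ORIGIN_NONE`, the `SEG_*` names and the local AS 65000 are hypothetical, and the sample bytes are constructed from the `2914 8530 { 198753 }` path shown in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* AS_PATH segment types (RFC 4271, RFC 5065). */
enum { SEG_SET = 1, SEG_SEQUENCE, SEG_CONFED_SEQUENCE, SEG_CONFED_SET };
#define ORIGIN_NONE 0	/* hypothetical name for the thread's AS_NONE */

/* Constructed sample: "2914 8530 { 198753 }" from the thread, 4-byte ASNs. */
static const uint8_t sample_path[] = { SEG_SEQUENCE, 2, 0, 0, 0x0b, 0x62,
    0, 0, 0x21, 0x52, SEG_SET, 1, 0, 0x03, 0x08, 0x61 };

/* Route Origin ASN per the quoted RFC 6811 text. Segments are type(1),
 * count(1), count*4 bytes. Truncated or zero-count segments give
 * ORIGIN_NONE (an assumption of this example). */
uint32_t
route_origin_asn(const uint8_t *path, size_t len, uint32_t local_as)
{
	const uint8_t *last = path, *p;
	size_t pos = 0, seglen;

	if (len == 0)
		return local_as;		/* empty AS_PATH */
	while (pos < len) {			/* walk to the final segment */
		if (len - pos < 2 || path[pos + 1] == 0)
			return ORIGIN_NONE;
		seglen = 2 + (size_t)path[pos + 1] * 4;
		if (seglen > len - pos)
			return ORIGIN_NONE;
		last = path + pos;
		pos += seglen;
	}
	switch (last[0]) {
	case SEG_SEQUENCE:		/* rightmost AS of the final segment */
		p = last + 2 + (size_t)(last[1] - 1) * 4;
		return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
		    (uint32_t)p[2] << 8 | p[3];
	case SEG_CONFED_SEQUENCE:
	case SEG_CONFED_SET:
		return local_as;
	default:			/* AS_SET or unknown type */
		return ORIGIN_NONE;
	}
}

int main(void)
{
	printf("%u\n", (unsigned)route_origin_asn(sample_path,
	    sizeof(sample_path), 65000));
	return 0;
}
```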