On Tue, Nov 27, 2018 at 04:21:53PM +0100, Job Snijders wrote:
> Hi Claudio,
>
> On Fri, Nov 23, 2018 at 03:55:18PM +0100, Claudio Jeker wrote:
> > For origin validation I chacked the source_as in struct rde_aspath
> > this is not really the right place. It should be in struct aspath
> > since that holds all the ASPATH related stuff. Change this, move
> > aspath_match out of util.c back into rde_attr.c and adjust code to use
> > the cached value also in match from any source-as XYZ rules.
> > This last bit causes a minor behavioural change since the old code
> > extracted the last non AS_SET asnumber. The new code follows the ROA
> > RFC and returns the rightmost AS for AS_SEQUENCE, the local AS for
> > empty paths and AS_NONE (which is 0) for everything else.
> > So now 'match from any source-as 0' will return all paths that do not
> > have a final AS_SEQUENCE segment.
> >
> > The reason for this change is that I don't want to have two different
> > behaviours for what we call source-as (the one in roa-set and the one on a
> > filter).
>
> Something is off, it seems 'source-as 0' is matching anything that has
> an AS_SET attribute set:
>
> $ bgpctl show rib source-as 0 | head
> flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
>        S = Stale, E = Error
> origin validation state: N = not-found, V = valid, ! = invalid
> origin: i = IGP, e = EGP, ? = Incomplete
>
> flags ovs destination          gateway          lpref   med aspath origin
> I*>     N 5.39.176.0/21        192.147.168.1      100     0 2914 8530 { 198753 } ?
> I*>     N 5.101.110.0/24       192.147.168.1      100     0 2914 14061 { 46652 } i
> I*>     N 5.175.0.0/19         192.147.168.1      100     0 2914 1299 20773 { 8972 } i
> I*>     N 8.41.202.0/24        192.147.168.1      100     0 2914 13789 30372 { 40179 } i
>
> Similarly, this should return at least 5.39.176.0/21:
>
> $ bgpctl show rib source-as 8530
> flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
>        S = Stale, E = Error
> origin validation state: N = not-found, V = valid, ! = invalid
> origin: i = IGP, e = EGP, ? = Incomplete
>
> flags ovs destination          gateway          lpref   med aspath origin
> I*>     N 80.87.16.0/20        192.147.168.1      100     0 2914 8530 ?
> I*>     N 87.236.128.0/21      192.147.168.1      100     0 2914 8530 ?
> I*>     N 88.151.152.0/21      192.147.168.1      100     0 2914 8530 ?
> I*>     N 89.38.120.0/21       192.147.168.1      100     0 2914 8530 i
> I*>     N 93.115.176.0/20      192.147.168.1      100     0 2914 8530 i
> I*>     N 185.52.144.0/22      192.147.168.1      100     0 2914 8530 ?
>

I implemented source-as the way ROA is defining it. So anything which ends
with an AS_SET will return AS_NONE (which is 0). OpenBGPD has no way to have
an AS_PATH that has a real 0 in the AS_PATH (those UPDATES are treated as
withdraw). Because of this also the 5.39.176.0/21 is no longer matching in
'bgpctl show rib source-as 8530'.

I'm a bit on the edge here about where to go and currently prefer to
follow an RFC (which in this case is RFC6811).

   o  Route Origin ASN: The origin AS number derived from a Route as
      follows:

      *  the rightmost AS in the final segment of the AS_PATH attribute
         in the Route if that segment is of type AS_SEQUENCE, or

      *  the BGP speaker's own AS number if that segment is of type
         AS_CONFED_SEQUENCE or AS_CONFED_SET or if the AS_PATH is empty,
         or

      *  the distinguished value "NONE" if the final segment of the
         AS_PATH attribute is of any other type.

As mentioned above I found it strange when behaviour is different because
of where it is used.

-- 
:wq Claudio
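
The RFC 6811 derivation quoted in the message above, as an added example that is not part of the original mail and is not OpenBGPD code. The function name `route_origin_as`, the constant names, the 4-byte AS number encoding and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Segment types (RFC 4271, RFC 5065); ORIGIN_NONE is RFC 6811 "NONE". */
enum { SEG_SET = 1, SEG_SEQUENCE = 2, SEG_CONFED_SEQUENCE = 3, SEG_CONFED_SET = 4 };
#define ORIGIN_NONE 0u

/*
 * Hypothetical helper: RFC 6811 Route Origin ASN of a wire-format AS_PATH
 * with 4-byte AS numbers (assumption).  Segment = type(1) count(1) count*4.
 * Returns 0 on success, -1 on a truncated or zero-length segment.
 */
int
route_origin_as(const uint8_t *p, size_t len, uint32_t local_as, uint32_t *origin)
{
	const uint8_t *last = NULL;	/* AS numbers of the final segment */
	uint8_t type = 0, count = 0;

	while (len > 0) {
		if (len < 2)
			return -1;
		type = p[0];
		count = p[1];
		if (count == 0 || len - 2 < (size_t)count * 4)
			return -1;
		last = p + 2;
		p += 2 + (size_t)count * 4;
		len -= 2 + (size_t)count * 4;
	}
	if (last == NULL || type == SEG_CONFED_SEQUENCE || type == SEG_CONFED_SET) {
		*origin = local_as;	/* empty path or confederation segment */
	} else if (type == SEG_SEQUENCE) {
		last += (size_t)(count - 1) * 4;	/* rightmost AS */
		*origin = (uint32_t)last[0] << 24 | (uint32_t)last[1] << 16 |
		    (uint32_t)last[2] << 8 | last[3];
	} else {
		*origin = ORIGIN_NONE;	/* AS_SET or any other type */
	}
	return 0;
}

/* Constructed sample: "2914 8530 { 198753 }" as in the bgpctl output above. */
const uint8_t sample_path[] = {
	SEG_SEQUENCE, 2, 0, 0, 0x0b, 0x62, 0, 0, 0x21, 0x52,
	SEG_SET, 1, 0, 0x03, 0x08, 0x61
};
```

Passing only the first 10 bytes of `sample_path` gives the path "2914 8530", whose origin is 8530; the full array ends in an AS_SET and yields `ORIGIN_NONE`.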