Hello,

By default we have ksh instead of bash, and the output from round-trip are different than Linux, so:

Thank you,
--z

#!/bin/ksh
peer_ip="$1"

if [ -z "$peer_ip" ]; then
        echo None
        exit
fi

if [ $(echo "$peer_ip" | grep :) ]; then
        ping_ping6="ping6"
else
        ping_ping6="ping"
fi

# if you use '-i 0.2' you'll need super user access
data="`$ping_ping6 -c 3 -i 1.2 -n -q -w 1 $peer_ip 2>&1`" || (>&2 echo -en "None"; exit;)

echo "$data" | grep "0 received" &>/dev/null

avg=`echo "$data" | grep "min/avg/max/" | egrep -o " [0-9\.\/]+ ms" | cut -d '/' -f 2`
echo $avg

RPKI can be used to do Origin Validation and reject invalid announcements, but RPKI can also be used in context of provisioning & creation of whitelists.

If we take as example http://irrexplorer.nlnog.net/search/23.179.0.0/24 - for this prefix there is no IRR route object, but there is a RPKI ROA which states what the authorised origin AS is and this matches what is observed in the DFZ. I'd prefer to accept such a prefix from AS neighbor 6939.

In other words, we should treat RPKI ROAs as if they are IRR route objects.

Implementation suggestion: we can use rtrsub to generate a yml file of all such RPKI ROAs, and if arouteserver is expanding ASNs into route objects (after having expanded AS-SETS into ASNs), it also does a lookup in that yml file.

Using v1.3.0 under OpenBSD 6.8 I'm unable to utilize the YAML !include functionality. I'm guessing this is my own error but haven't been able to debug why

rs-sfo02$ pip3.8 freeze | grep arouteserver
arouteserver==1.3.0

rs-sfo02$ pip3.8 list|egrep '(Jinja2|nose|PyYAML|packaging|six)'
Jinja2       2.11.2
nose         1.3.7
packaging    19.2
PyYAML       5.3.1
six          1.15.0

rs-sfo02$ cat general-openbgpd.conf                                                                                                              
cfg:
  router_id: 206.197.187.254
  path_hiding: false
  !include general-shared.yml

rs-sfo02$ head -10 general-shared.yml                                                                                                            
  rs_as: 63055
  filtering:
    next_hop:
      policy: strict
    ipv4_pref_len:
      max: 24
      min: 8
...
rs-sfo02$ arouteserver html -o test.html --cfg general-openbgpd.conf  
ERROR:root:An error occurred while reading program configuration at general-openbgpd.conf: while scanning a simple key
  in "<unicode string>", line 4, column 1:
    !include general-shared.yml
    ^
could not find expected ':'
  in "<unicode string>", line 5, column 1:
    
    ^
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/pierky/arouteserver/config/program.py", line 109, in load
    cfg_from_file = yaml.safe_load(f.read())
  File "/usr/local/lib/python3.8/site-packages/yaml/__init__.py", line 162, in safe_load
    return load(stream, SafeLoader)
  File "/usr/local/lib/python3.8/site-packages/yaml/__init__.py", line 114, in load
    return loader.get_single_data()
  File "/usr/local/lib/python3.8/site-packages/yaml/constructor.py", line 49, in get_single_data
    node = self.get_single_node()
  File "/usr/local/lib/python3.8/site-packages/yaml/composer.py", line 36, in get_single_node
    document = self.compose_document()
  File "/usr/local/lib/python3.8/site-packages/yaml/composer.py", line 55, in compose_document
    node = self.compose_node(None, None)
  File "/usr/local/lib/python3.8/site-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/local/lib/python3.8/site-packages/yaml/composer.py", line 127, in compose_mapping_node
    while not self.check_event(MappingEndEvent):
  File "/usr/local/lib/python3.8/site-packages/yaml/parser.py", line 98, in check_event
    self.current_event = self.state()
  File "/usr/local/lib/python3.8/site-packages/yaml/parser.py", line 428, in parse_block_mapping_key
    if self.check_token(KeyToken):
  File "/usr/local/lib/python3.8/site-packages/yaml/scanner.py", line 115, in check_token
    while self.need_more_tokens():
  File "/usr/local/lib/python3.8/site-packages/yaml/scanner.py", line 152, in need_more_tokens
    self.stale_possible_simple_keys()
  File "/usr/local/lib/python3.8/site-packages/yaml/scanner.py", line 291, in stale_possible_simple_keys
    raise ScannerError("while scanning a simple key", key.mark,
yaml.scanner.ScannerError: while scanning a simple key
  in "<unicode string>", line 4, column 1:
    !include general-shared.yml
    ^
could not find expected ':'
  in "<unicode string>", line 5, column 1:
    
    ^
ERROR:root:An error occurred: please refer to the log for details.

The ARIN whois dump URL http://irrexplorer.nlnog.net/static/dumps/arin-whois-originas.json.bz2 now gives a 404. Probably because http://irrexplorer.nlnog.net/ now redirects to a irrexplorer.dashcare.nl site.

Let say ASN1 advertises prefix 2.0.0.0/24 and they pass RPKI check. If there is an old or malicious IRRDB entry for 2.0.0.0/24 to ASN2 which also gets advertised to the route server(passing irrdb check but not rpki), is there anything to make sure that the RPKI validated prefix will have higher preference?

When I look at the bird config I don't see a protection for that situation.

Is it worth it to set a higher than default local preference which will protect an RPKI verified prefix vs a potential hijack attempt on the route server bgp table?

Reminder for @job to paste the arin csv here

job: is there a way to accept a specific prefix from one peer if no route object exists?
job: like when we know the announcement is correct, but they can't figure out how to make a route object
...
pierky: I can introduce a client-level "white_list_prefix"
pierky: it should have highest priority
pierky: if a prefix is in white_list_pref other checks will be skipped

Python 2.7 is scheduled to be deprecated quite soon. I propose to drop support for python2.7 and simplify the code and make this a python3-only project.

Since a few days PeeringDB has a special flag info_never_via_route_servers that network operators can use to indicate that any route announcements containing their ASN anywhere in the AS_PATH propagated via route servers, should be rejected.

PeeringDB feature description: peeringdb/peeringdb#394

Example of an ASN that marked itself as 'never via route servers' https://www.peeringdb.com/api/net?asn=2914

All ASNs that marked themselves as info_never_via_route_servers = True should be added to the cfg.filtering.transit_free configuration leaf.

Arouteserver should honor this flag by default

Error Unknown instruction 8574 in same (~) from BIRD when neighbors are established and trying to reload config with "birdc6 configure".

It looks like BIRD has fixed the problem but probably only pre-release version: http://bird.network.cz/pipermail/bird-users/2017-January/010880.html

I modified my bird6.conf import policy for peer:
From:
if net !~ [2000::/3+] then
To:
if !(net ~ [2000::/3+]) then

It appears to work correctly after the change:
It rejected the prefix it was intended to match: prefix is not in IPv6 Global Unicast space - REJECTING 9ff2:1::/32

When using blackhole_filtering.policy_ipv6 = rewrite-next-hop, the IPv6 address configured in rewrite_next_hop_ipv6 seems to be set correctly in the route that leaves the route server but actually it is not included into the BGP UPDATE and instead it is replaced with the route server's address.

After REUSE_INSTANCES=1 nosetests -vs tests/live_tests/scenarios/global/test_openbgpd6.py -m test_071_blackholed_prefixes_as_seen_by_enabled_clients_BLACKHOLE:

bgpctl -n show rib detail out neighbor 2001:db8:1:1::11 2a02:0:3::1/128

BGP routing table entry for 2a02:0:3::1/128
    2
    Nexthop 2001:db8:1:1::66 (via 2001:db8:1:1::66) from
2001:db8:1:1::21 (192.0.2.21)
    Origin IGP, metric 0, localpref 100, weight 0, external, valid, best
    Last update: 00:00:27 ago
    Communities: NO_EXPORT BLACKHOLE

From the output of tcpdump on AS1_1:

 Multi-Protocol Reach NLRI (14), length: 55, Flags [O]:
     AFI: IPv6 (2), SAFI: Unicast (1)
     nexthop: 2001:db8:1:1::2, nh-length: 16, no SNPA
     2a02:0:3::2/128
     2a02:0:3::1/128

bgpd.conf.txt
bgpd-vdn.txt

(Feature request)

Please consider integration with ALTDB as well as RADB for mantaining the AS SET of the IX route servers.

Workflow:

1. Arouteserver is provided with route server's AS SET. E.g: AS137251:AS-Peers as well as details like IRR which is being used.

2. When a new peer is added to clients.yml and config is generated, arouteserver also updates the AS SET.

This would provide the basis for various networks peer at the RS to generate the filtering config for the routes learnt via RS.

I propose the logging classes in templates/bird/header.j2 be configurable, with the default value of all:

log "/var/log/bird.log" all;
log syslog all;

Perhaps something like:

• cfg.logging.file: defaults to all, a string can be given to replace it. Another option would be to accept a list that gets processed into a BIRD configuration syntax list.
• cfg.logging.syslog: same as above.

I can volunteer to make a PR for it if other people consider it useful.

If not, I guess I will just use a custom header.j2.

Edit: I feel that value of all for syslog is actually redundant since the file already catches trace level messages. Trace level messages can have a large volume.

It would be good to tag announcements that were accepted solely becaues of white_list_pref with a special community, so we can easily find those announcements and see where we need to help our participants.

Ideally the special tag is not present on white_list_pref announcements if they were accepted because a valid IRR object came into existence.

Allow setting custom BGP communities to track reject codes.

https://www.euro-ix.net/en/forixps/large-bgp-communities/

Imagine we add 2914 to transit_free['asns'] but 2914 wishes to peer with an arouteserver instance - the _2914_ prefixes should be accepted on the direct 2914 sessions but not on any other sessions.

AKA - pop 2914 from transit_free_asns list on the direct 2914 sessions - but not other sessions

I consider https://tools.ietf.org/html/draft-ietf-sidrops-route-server-rpki-light an extremely insecure mode of operation. We should not encourage such "outsourced security", especially not in places where people highly depend on the convenience provided by a route server.

I'd pull out the feature until it actually makes it to RFC status, which at this point is questionable.

Hello!

Is there any possibility that arouteserver can be used to validate that the client YAML file contains correct syntax without actually building the output configuration file (which can be time-consuming)?

Thanks!

dataset vs. datased

(BIRD and OpenBGPD) the builtin method based on RIPE RPKI Validator cache export file: the URL of a local and trusted instance of RPKI Validator should be provided to ensure that a cryptographically validated datased is used. By default, the URL of the public instance is used.

There are a number of changes in OpenBSD 6.4, the only relevant change for arouteserver is that the announce all directive has been removed. The templates should not print announce all if the target is OpenBSD 6.4 or higher

https://www.openbsd.org/faq/current.html#r20180613

Intro

https://tools.ietf.org/html/draft-ietf-grow-bgp-gshut-06 (gshut for short) introduces a well-known BGP community 65535:0 to signal to an adjacent network that the path will disappear due to upcoming maintenance, and as such they should hunt for other paths.

Implementing the receiving side is straight forward:

function allow_graceful_shutdown() {
    if (65535, 0) ~ bgp_community then {
        bgp_local_pref = 0;
    }
}

And then just add the appropriate allow_graceful_shutdown(); calls to the filters. I think this can be enabled by default.

This way route server participants can use the graceful shutdown mechanism to signal to the route server that soon the path through them will be unavailable and the route server should select another path (if there is any).

Implementing the sending side

A graceful shutdown of the route server itself would look as following:

1. attach the 65535:0 BGP community to all route announcements towards all clients
2. wait a number of minutes to allow time for a) bird to load the config, and b) re-announce all routes to all participants with the added community, and c) allow the clients to reconverge. (say, 10 minutes)
3. actually shut down the bird daemons

Perhaps a wrapper script would easiest to do the three steps described above.

This issue is used to track the problem raised by @job with #14.

When no AS-SETs are configured for a client nor for its ASN, the AS-SET from the PeeringDB record can be used to build IRR-based filters. Until now, if the AS-SET fetched from PeeringDB is empty/non-existent, also the resulting filter is empty.

From the docs OpenBGPD: RFC8097 BGP communities tagging not yet implemented - however since 6.4 you can set 'ext-community ovs (valid | not-found | invalid)'

see http://man.openbsd.org/bgpd.conf

I have the following configuration

    max_prefix:
      action: "restart"
      restart_after: 15
      peering_db: True

but some of the IX participants fill into peeringdb their exact route announcement count rather than a recommendation on what others should configure. I think arouteserver should add "absolute 100" and then also increase with say 15%. This will prevent flapping with the small ones

With a minimal configuration like below, arouteserver should query PeeringDB for the AS-SET and use the one found there rather than only expand AS15169.

clients:
  - asn: 15169
    ip:
    - "206.126.225.128"
    - "2001:504:2f::1:5169:1"

Using AS-GOOGLE instead of AS15169 should be the behaviour if cfg.filtering.peering_db: True

Noticed because my usual shell prompt in $PS1 has "\u" in it to show my username, the presence of "\u" in any environment variable causes arouteserver to fail like this:

$ export FOO='\u'
$ arouteserver show_config 
ARouteServer 2019-10-06 17:39:04,919 ERROR An unexpected error occurred: bad escape \u at position 0

Please consider reporting this issue to the author using the URL below, including the following traceback and some hints on how to reproduce it: https://github.com/pierky/arouteserver/issues

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/sre_parse.py", line 1021, in parse_template
    this = chr(ESCAPES[this][1])
KeyError: '\\u'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/arouteserver", line 64, in <module>
    if main():
  File "/usr/local/bin/arouteserver", line 53, in main
    return cmd.run()
  File "/usr/local/lib/python3.7/site-packages/pierky/arouteserver/commands/show_config.py", line 46, in run
    self.show_config(current_config_path, sys.stdout)
  File "/usr/local/lib/python3.7/site-packages/pierky/arouteserver/commands/show_config.py", line 70, in show_config
    distrib._load_from_yaml("cfg:\n"
  File "/usr/local/lib/python3.7/site-packages/pierky/arouteserver/config/base.py", line 87, in _load_from_yaml
    expanded_doc = expand_env_vars(expanded_doc)
  File "/usr/local/lib/python3.7/site-packages/pierky/arouteserver/config/base.py", line 81, in expand_env_vars
    res = re.sub("\$\{" + v + "\}", os.environ[v], res)
  File "/usr/local/lib/python3.7/re.py", line 192, in sub
    return _compile(pattern, flags).sub(repl, string, count)
  File "/usr/local/lib/python3.7/re.py", line 309, in _subx
    template = _compile_repl(template, pattern)
  File "/usr/local/lib/python3.7/re.py", line 300, in _compile_repl
    return sre_parse.parse_template(repl, pattern)
  File "/usr/local/lib/python3.7/sre_parse.py", line 1024, in parse_template
    raise s.error('bad escape %s' % this, len(this))
re.error: bad escape \u at position 0

We should support openbgpd too next to BIRD. In terms of features OpenBGPD & BIRD are alike, but configuration method is different.

For IPv6 the space essentially is 0.0.0.0/0 - but for ipv6 the global unicast space is confined within 2000::/3 , even if someone registers 8000::/13 it should be rejected

I see IXPs deploying arouteserver with the following config

cfg:
  filtering:
    irrd:   
      enforce_origin_in_as_set: False
      enforce_prefix_in_as_set: False

I think this defeats the entire purpose of using aroutserver. Both options shouldn't be user configurable - if people want to produce non-filtering route servers they can look elsewhere. By making it user configurable, two things happen: an entire exchange goes unfiltered, which is useless - and it enables exchanges to make exceptions per participant, an extremely unhealthy proposition.

I understand flexibility is a nice thing to have, but in this case the flexibility only offers poor choices and as such I'd argue that it is simply removed.

Currently there is no easy way to run arouteserver html with the docker image.

It took me some time looking at documentation and run.sh on how to make it work. I would expect that many people would like to generate the textual representation HTML file so there could be an easy way to do it.

One way would be to just simply hard-code a path and if that path exists then run the arouteserver html as an extra step in run.sh.

I add an untested PR for a possible PoC for this. Let's discuss if people feel that this feature should exist.

this fixed it for me:

{%                              for asn in asns %}{{ asn }}{% if not loop.last %}{{ " " }}{% else %}{{ "\n" }}{% endif %}{% endfor %}

but is perhaps not the prettiest, result is:

# AS-PCH, used by client AS3856_1, client AS3856_2, client AS42_1, client AS42_2
as-set "AS_SET_AS_PCH_asns" {
27 42 187 297 715 3856 10886 11893
13202 16327 16668 19281 20539 21312 21556 24999
25505 27678 32978 32979 35160 38052 42530 44876
45170 45494 48892 50843 51874 51972 52234 52304
52306 54145 54390 60313 197058

}

(notice trailing newline before })

I had to try a few combinations of input formats to get the configure command to accept my comma-separated list of local networks.

`List of local networks

A list of local IPv4/IPv6 networks must be provided here: routes announced by
route server clients for these prefixes will be filtered out.

Please enter a comma-separated list of local networks: 206.71.10.0/24, 2001:504:45:10::/64
Invalid input: a list of IP prefixes is expected. ' 2001:504:45:10::/64' is invalid.
Please enter a comma-separated list of local networks: 206.71.10.0/24, 2001:504:45:10::0/64
Invalid input: a list of IP prefixes is expected. ' 2001:504:45:10::0/64' is invalid.
Please enter a comma-separated list of local networks: 206.71.10.0/24, 2001:504:45:10::
Invalid input: a list of IP prefixes is expected. ' 2001:504:45:10::' is invalid.
Please enter a comma-separated list of local networks: 206.71.10.0/24,2001:504:45:10::/64`

Maybe something to silently discard the entered spaces or an example of the desired format.

Hi there,

Nice work, I just started working with it. I got a problem due to missing bgpq3, which I wasn't aware was a thing before :) Maybe can be declared as requirement? Cheers,

David

ARouteServer 2019-06-07 16:02:53,447 ERROR Error while retrieving origin ASNs from AS-RIPENCC for client AS3333_1: Can't get list of authorized ASNs for AS-RIPENCC: [Errno 2] No such file or directory: 'bgpq3': 'bgpq3' - Command: bgpq3 -h rr.ntt.net -S RIPE,APNIC,AFRINIC,ARIN,NTTCOM,ALTDB,BBOI,BELL,JPIRR,LEVEL3,RADB,RGNET,SAVVIS,TC -3 -j -f 1 -l asn_list AS-RIPENCC

Hi There,

Thank you for the useful software. I tried generating bird config and got "Symbol too long" from bird.

Steps to reproduce:

• Standard general.yml, clients.yml generated with arouteserver clients-from-peeringdb
• bird startup fails with: Symbols too long. Looking for definition in birds github yields:
  conf/conf.h #define SYM_MAX_LEN 64
• Offending line in my case is:
  dgaray@desktop-07:~/containers/configs$ grep
  AS_SET_RIPE__AS12779_AS_CUSTOMERS_RIPE__AS12779_AS_CUSTOMERS_V6_asns rs_bird.conf define AS_SET_RIPE__AS12779_AS_CUSTOMERS_RIPE__AS12779_AS_CUSTOMERS_V6_asns = [ if bgp_path.last_nonaggregated ~ AS_SET_RIPE__AS12779_AS_CUSTOMERS_RIPE__AS12779_AS_CUSTOMERS_V6_asns then

As workaround I just made the string shorter, perhaps arouteserver can include this symbol length validation as part of code generation?

Cheers,

David

Since arouteserver's inception a few things have improved:

• Both BIRD and OpenBGPD now support static RPKI ROA tables
• NTT hosts a production service at HTTPS url https://rpki.gin.ntt.net/api/export.json

We can move towards very easy RPKI Origin Validation deployment for folks. There is no need for them to run their own validator (unless they want to) or to use RTR (unless they want to). This greatly simplifies deployment for the average IXP.

Out of the box we can make arouteserver a IRR & RPKI validating routeserver which I think is an incredibly good step forward in the 'secure by default' paradigm.

Has https and monitoring

The Brazil NIR "NIC.BR" (the exclusive source for resources in Brazil, by delegation from LACNIC) does not have a traditional IRR. Instead a WHOIS database is used which in concept is similar to ARIN-WHOIS, but in terms of quality seems to be more accurate.

Registro.br (under the umbrella of NIC.BR) publishes a computer parse-able dump of the WHOIS registry which can be consumed to construct BGP filters.

The dump is published every weekday here: ftp://ftp.registro.br/pub/numeracao/origin/nicbr-asn-blk-latest.txt

the format is as following, a like like this:

AS6543|Ecospar Serv. e Part. Ltda.|35.809.342/0001-31|2804:69c::/32|200.219.0.0/21

can be transformed to the following IRR format:

route6: 2804:69c::/32
origin: AS6543
source: REGISTROBR

route: 200.219.0.0/21
origin: AS6543
source: REGISTROBR

To include the list of the BGP communities used as reject codes into the HTML file generated by ARouteServer.

Release 0.12.0 should contain a simple wrapper around softreconfig in yes to make it apply only to openbsd version 6.1 - but i don't see that installed after running setup-templates.

(arouteserver) $ pip freeze | grep arouteserver
arouteserver==0.12.0

(arouteserver) $ arouteserver setup-templates
Installing templates into /home/job/arouteserver/templates...

Creating /home/job/arouteserver/templates... already exists
Populating /home/job/arouteserver/templates...
Creating /home/job/arouteserver/templates/bird... already exists
Populating /home/job/arouteserver/templates/bird...
- clients.j2... skipped (same content)
- common.j2... skipped (same content)
- header.j2... skipped (same content)
- irrdb.j2... skipped (same content)
- macros.j2... skipped (same content)
- main.j2... skipped (same content)
- rpki.j2... skipped (same content)
Creating /home/job/arouteserver/templates/html... already exists
Populating /home/job/arouteserver/templates/html...
- macros.j2... skipped (same content)
- main.j2... skipped (same content)
Creating /home/job/arouteserver/templates/openbgpd... already exists
Populating /home/job/arouteserver/templates/openbgpd...
- clients.j2... skipped (same content)
- filters.j2... skipped (same content)
- header.j2... skipped (same content)
- irrdb.j2... skipped (same content)
- macros.j2... skipped (same content)
- main.j2... skipped (same content)
Creating /home/job/arouteserver/templates/template-context... already exists
Populating /home/job/arouteserver/templates/template-context...
- main.j2... skipped (same content)

(arouteserver) $ grep -A 1 -B 1 softreconfig /home/job/arouteserver/templates/openbgpd/clients.j2

                softreconfig in yes
{%      if client.description %}
(arouteserver) $

Currently arouteserver hardcodes three different extended communities for an RPKI status as per the config below.

Currently only the "RPKI invalid" community is configurable. I feel like it could be beneficial to have a configurable RPKI verdict community.

The "site-specific custom configuration files" could not be used because functions cannot be redefined with the same name - so adding for example a footer file that redefines the 2 functions listed below produces a Symbol already defined error from BIRD.

I will try to find time to look at how difficult it would be to make this configurable but what do other people think about this? Technically it could probably be simple but the more difficult points lay in upper layers like "should this be configurable" and so on. The initial motivation for this was that the alice-lg looking glass supports only large communities for RPKI status and I suspect it would be easier to change arouteserver instead.

I have only considered BIRD here so far - unfortunately I do not have an OpenBGP instance and don't know anything about how configurable RPKI status would work there. If this would be configurable on BIRD then naturally it would need to be possible on OpenBGP as well...

function add_rpki_community(string comm_name) {
	if comm_name = "valid" then {
		bgp_ext_community.add((unknown 0x4300, 0, 0));
	}
	if comm_name = "unknown" then {
		bgp_ext_community.add((unknown 0x4300, 0, 1));
	}
	if comm_name = "invalid" then {
		bgp_ext_community.add((unknown 0x4300, 0, 2));
	}
}

The community is also used later at

function route_is_rpki_invalid () {
        return (unknown 0x4300, 0, 2) ~ bgp_ext_community;
}

Has it been considered to support other BGP implementations as a route-server?

E.g.

• FRR

Other than stated in the documentation

By default, ARouteServer looks for this [arouteserver.yml] file in ~/arouteserver and /etc/arouteserver/

ARouteServer raises en error “Configuration file not found”. This is likely because self.cfg is replaced with self.default which has cfg_dir=None (pierky/arouteserver/config/program.py:44). Expected behavior is to look for arouteserver.yml at the specified locations.

Workaround is to specify optional parameter --cfg and path to arouteserver.yml.

Job Snijders pointed me to AMS-IX’s use of RPSL-VIA (which he drafted) as a way to solve an issue I was having. I have been looking at using arouteserver to automate my prefix filters for my IXes.

Does arouteserver support the use of RPSL-VIA? I didn’t see it explicitly mentioned.

https://ams-ix.net/technical/specifications-descriptions/ams-ix-route-servers

http://datatracker.ietf.org/doc/draft-ietf-grow-rpsl-via/?include_text=1

Per AMS-IX's documentation, it looks like if implemented, a network's IRR entry could block prefixes on a specific IX. That would be mighty convenient.

There is some problem with the HTML template: the "Reject reasons" table is rendered wrong.

At least on a 1920x1080 screen (no scaling) all the rows after the first are split with a newline after "ID" column:

The configuration for reject reasons is using default values from the docker image run. One notable difference to https://arouteserver.readthedocs.io/en/latest/_static/examples_rich.html is that the example does not include any of the communities: it just includes ID and reason.

Using Chromium 90 on Windows.

Will try to take a look at this in more detail at some point.

I have an arouteserver openbgpd instance

$ egrep -A1 "\"tag\"|reject_cause" rs2.yml
      policy: "tag"

    reject_cause:
      lrg: rs_as:9:dyn_val

but it appears the bgpd configuration bits that actually set those communities are not present:

job@rs2:~/snapshots$ grep 53339:9 /etc/bgpd.conf
job@rs2:~/snapshots$

Any idea what I've done wrong?

When a network that is advertising is aggregating like this using aggregation. bgp_path.last returns a 0 so the origin as checks naturally fail when checking AS0 agains the IRRDB lists.

In my generated bird.conf I replaced bgp_path.last with bgp_path.last_nonaggregated which didn't seem to cause any problems and fixed the rejected routes in my small set of routes. So naturally if I change every occurrence of bgp_path.last to bgp_path.last_nonaggregated in the whole repo it should fix this problem :)

Dear Pier,

While doing some load testing experiments, I tried to generate 10k and 5k client configuration files. I get an error from stdout (see below), but no error log. Note: ~2.7k clients config generation do work, though.

I tried configuring log.ini in the config.d/ folder, but somehow didn't see any results (I configured: keys=stderr,/var/log/arouteserver.log, and with keys=stderr,file, with no joy).

Printout is:

ARouteServer 2019-06-29 16:05:33,433 INFO RPKI ROAs: 89343 total, 6347 from not allowed TAs, 70199 used for IPv4 ARouteServer 2019-06-29 16:05:33,644 INFO Updating entries from the ARIN Whois DB dump... ARouteServer 2019-06-29 16:05:37,073 INFO Updating entries from the Registro.br Whois DB dump... ARouteServer 2019-06-29 16:05:37,489 ERROR An error occurred: please refer to the log for details.

Clients file enclosed for background info. Any suggestions on how to troubleshoot further this issue
logs.zip
?
Br,

David

experiments.zip

`(arouteserver) root@arouteserver:~# arouteserver setup
ARouteServer setup

Where do you want configuration files and templates to be stored? (default: ~/arouteserver)
Do you confirm you want ARouteServer files to be stored at /root/arouteserver? [YES/no] YES
Invalid choice: YES - must be one of yes, no.

Setup aborted: destination directory not confirmed
(arouteserver) root@arouteserver:~# arouteserver setup
ARouteServer setup

Where do you want configuration files and templates to be stored? (default: ~/arouteserver)
Do you confirm you want ARouteServer files to be stored at /root/arouteserver? [YES/no] yes
Installing configuration files into /root/arouteserver...
`