Comments (7)
Hello, just to let you know that I'll take this feature into account for the next release, which is WIP.
Still not 100% sure about adding the additional customizable communities for RPKI validation state...
from arouteserver.
I've pushed a branch (still WIP) where I'm addressing this feature request.
4 new BGP communities are added: you can see them here https://github.com/pierky/arouteserver/blob/rpki_bov_custom_communities/config.d/general.yml#L814-L860
The idea is to cover the 4 communities that are described in the Euro-IX list, so we'll have the 3 RPKI BOV states + a "not performed". The main difference from what I understand from the Euro-IX list is that the 3 custom BOV communities I'm adding will NOT be propagated to the route-server clients, only the "BOV not performed" will be.
The "BOV not performed" is used like this: https://github.com/pierky/arouteserver/blob/rpki_bov_custom_communities/examples/auto-config/bird4.conf#L833-L838 (here's where a possible blackhole policy is implemented, thus BOV is not performed for those routes and the community is attached). Another use case is if BOV is not enabled and the community is configured, so it will be attached to all the routes, to signal the IXP operator's will to not do BOV.
The 3 states communities are used like this: https://github.com/pierky/arouteserver/blob/rpki_bov_custom_communities/examples/auto-config/bird4.conf#L544-L564 Here they are added to the existing RFC8097, but also they are eventually removed from routes that are announced (https://github.com/pierky/arouteserver/blob/rpki_bov_custom_communities/examples/auto-config/bird4.conf#L387-L400).
I'm explicitly dropping the 3 states communities from exported routes because I believe that they would violate the concept of RPKI itself: BOV is something that happens below the umbrella of a cryptographically verified chain of trust, and signals or information that are generated inside that trust boundary should not be conveyed outside of it.
from arouteserver.
The proposed solution was merged into dev, the new communities will be released in 1.10.0.
from arouteserver.
Oh I see... :-(
I can open a new issue if that's better.
That would be great, thanks!
from arouteserver.
Hello @bluikko,
thanks for raising this topic.
The 3 extended communities that ARouteServer uses to track the "RPKI verdict" are those from RFC8097 - BGP Prefix Origin Validation State Extended Community. That RFC was created specifically to document BGP communities used "to carry the origination Autonomous System (AS) validation state inside an autonomous system".
As you said, I agree that
the more difficult points lay in upper layers like "should this be configurable"
In my opinion the code should keep using the current RFC8097 communities to tag the routes with their validation state, hence I think a configurable custom community should not be implemented.
The reasoning behind this is that a RFC was specifically created to categorise those routes; unlike other informational communities (like those used to set the reject reason), those used to carry the validation state of RPKI Origin Validation have been standardized, so I believe it's worth using them.
I see the main motivation is that Alice-LG is not currently able to consume those communities and associate a description to them, but in this case I think it should really be up to its authors to add such a feature.
In any case, while digging into the code to reply to this issue I found a bug, which I fixed in afdb27d. In OpenBGPD, the RFC8097 were not added to the routes at all. Thanks for indirectly triggering the investigation that led to the fix ;-)
from arouteserver.
In my opinion the code should keep using the current RFC8097 communities to tag the routes with their validation state, hence I think a configurable custom community should not be implemented.
I see and you have a good reason behind this opinion. It will not be a problem for me, I will just patch the config after generation.
I see the main motivation is that Alice-LG is not currently able to consume those communities and associate a description to them, but in this case I think it should really be up to its authors to add such a feature.
Totally agreed. However this lack of support points to the fact that RFC8097 is not implemented by most IXPs. They seem to actually follow the Euro-IX guidelines listed in https://www.euro-ix.net/en/forixps/large-bgp-communities/
Just wanted to make you aware of this alternative community scheme in case you are not familiar. It seems to be very popular with IXPs to the point of being the de-facto standard. I did a quick survey of IXP and 7 out of 9 used the Euro-IX scheme, the rest used arouteserver defaults or no scheme.
In any case, while digging into the code to reply to this issue I found a bug, which I fixed in afdb27d. In OpenBGPD, the RFC8097 were not added to the routes at all. Thanks for indirectly triggering the investigation that led to the fix ;-)
That is excellent!!
from arouteserver.
Seems good so far. There is a slight issue on the textual representation of the route server policy:
The bullet points (unordered list items) for the 2 new sections are on their own line, just by themselves, and the text going with that bullet points is on the next line.
The bullet points also seem to have less indentation than the other 2 previous bullet points.
I can open a new issue if that's better.
from arouteserver.
Related Issues (20)
- 4Byte to 2Byte ASN conversion issue for BGP community HOT 9
- bird local preference HOT 2
- import limit is not set if peeringdb not found HOT 2
- Jinja2 / markupsafe version missmatch leads to errors HOT 1
- PeeringDB anonymous API throttling HOT 10
- Allow configuration of the PeeringDB URL
- Add support for peeringdb-py
- __init__() got an unexpected keyword argument 'allowed_methods' after upgrade to 1.16 HOT 9
- Remove RGNET from whois sources HOT 1
- as_macro not added to IX-F JSON if read from PeeringDB HOT 8
- Route-Servers with Peer Active to ASNs that were excluded
- Double "AS" in comment for ASN without IPv6 in ARIN HOT 1
- Deprecate ARIN-WHOIS data source HOT 5
- feature request: add anchors to route server policy textual representation, other minor issues HOT 2
- Add routeserver attribute to IX-F export HOT 5
- Add metadata to policy textual representation
- Max prefix limit exceed shutdown with auto recovery HOT 1
- ipv4 table entry in bird config HOT 3
- PeeringDB AS-set name format should not be used in AS-set IRR object export HOT 6
- Looking Glass Client Configuration HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from arouteserver.