
Comments (3)

pierky commented on July 28, 2024

If you want to test it, it's already available in the latest pre-release version on PyPI test:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple --pre --upgrade arouteserver

from arouteserver.

pierky commented on July 28, 2024

Here it is...

use_rpki_roas_as_route_objects:
  # With regard to prefix validation, when this option is
  # enabled ARouteServer uses RPKI ROAs as if they were route
  # objects.
  # Routes whose origin ASN is authorized by a client's AS-SET
  # but whose prefix does not have a corresponding route object
  # will be accepted if a covering ROA exists for that origin
  # ASN. In this case, if 'tag_as_set' is True, these routes
  # are tagged with the 'prefix_validated_via_rpki_roas'
  # community.
  #
  # This option is used only when 'enforce_origin_in_as_set'
  # and 'enforce_prefix_in_as_set' are both set to True.
  # Set this to True to enable this feature.
  #
  # Default: False
  enabled: False
  # The source used to gather RPKI ROAs.
  #
  # Can be one of the following options:
  # - 'rtrlib': ROAs are loaded using the external program
  #   rtrlib (https://github.com/rtrlib/bird-rtrlib-cli).
  #   The name of the table the ROAs are sent to is 'RPKI'.
  # - 'ripe-rpki-validator-cache': ROAs are fetched via
  #   HTTP from the RIPE RPKI Validator cache
  #   (http://localcert.ripe.net:8088/export).
  #
  #   Please note that this method is far from guaranteeing
  #   that a cryptographically validated dataset is retrieved
  #   from a trusted cache.
  #
  # OpenBGPD: only the 'ripe-rpki-validator-cache' source
  # is currently supported.
  #
  # Default: ripe-rpki-validator-cache
  source: "ripe-rpki-validator-cache"


OpenBGPD:

# RPKI ROAs used as route objects
# Add the soo:65535:1 ext community to routes whose
# origin ASN has a ROA for the announced prefix.
# It will be used later during IRRDB validation in
# case the origin ASN is authorized by a client's
# AS-SET but the prefix is not.
match from group clients source-as 10745 prefix { 2001:500:30::/48, 2001:500:4::/48, 192.136.136.0/24, 192.149.252.0/24, 199.43.0.0/24 } set ext-community soo 65535:1
match from group clients source-as 3333 prefix { 193.0.24.0/24, 193.0.12.0/23, 193.0.18.0/23, 193.0.0.0/21, 2001:67c:2e8::/48, 193.0.22.0/23, 2001:610:240::/42, 193.0.10.0/23, 193.0.20.0/23, 193.0.24.0/22 prefixlen 22 - 26 } set ext-community soo 65535:1

And if a route has its origin ASN authorized by an AS-SET, then...

# routes which carry a soo:65535:1 community have the prefix validated by a ROA
match from 192.0.2.22 ext-community soo 65535:1 set community 65530:2
match from 192.0.2.22 ext-community soo 65535:1 set large-community 999:65530:2
match from 192.0.2.22 ext-community soo 65535:1 set { community delete NO_ADVERTISE ext-community delete soo 65535:1 }


BIRD:

# RPKI ROAs used as route objects
define RPKI_ROAs_as_route_objects_AS10745 = [
    192.136.136.0/24, 192.149.252.0/24, 199.43.0.0/24
];
define RPKI_ROAs_as_route_objects_AS3333 = [
    193.0.24.0/24, 193.0.12.0/23, 193.0.18.0/23, 193.0.0.0/21,
    193.0.22.0/23, 193.0.10.0/23, 193.0.20.0/23, 193.0.24.0/22{22,26}
];

# This function verifies whether a ROA exists for the
# current route's origin ASN that validates the announced prefix.
function prefix_in_rpki_roas_as_route_objects() {
    case bgp_path.last {
        10745: return net ~ RPKI_ROAs_as_route_objects_AS10745;
        3333: return net ~ RPKI_ROAs_as_route_objects_AS3333;
    }
    return false;
}

# Origin ASN is valid, prefix is not: check if an RPKI ROA exists.
if !reject_because_of_bad_origin && reject_because_of_bad_prefix && prefix_in_rpki_roas_as_route_objects() then {
    bgp_community.add((65530, 2));
    bgp_large_community.add((999, 65530, 2));
    return true;
}

Any feedback?

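The decision logic the generated BIRD and OpenBGPD fragments above implement, as an added stand-alone example (not ARouteServer's own code): a route whose origin is in the client's AS-SET but whose prefix has no route object is accepted, and tagged, only when a ROA for that origin covers the prefix within its maxLength. The ROAs, route objects and AS-SET members are constructed sample data that reuse prefixes from the snippets above; `validate` and `covered_by_roa` are hypothetical names, and the route-object check is simplified to an exact prefix match.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str   # e.g. "193.0.24.0/22"
    max_len: int  # ROA maxLength; BIRD renders it as 193.0.24.0/22{22,26}
    asn: int


# Constructed sample data mirroring the prefixes in the generated configs.
ROAS = [
    ROA("193.0.24.0/22", 26, 3333),
    ROA("192.136.136.0/24", 24, 10745),
]
AS_SET_MEMBERS = {3333, 10745}               # origin ASNs authorized by the client's AS-SET
ROUTE_OBJECTS = {"192.136.136.0/24": 10745}  # IRR route objects: prefix -> origin ASN


def covered_by_roa(prefix: str, origin: int, roas=ROAS) -> bool:
    """True if a ROA for `origin` covers `prefix` and the announced length does
    not exceed the ROA maxLength (the prefix_in_rpki_roas_as_route_objects test)."""
    net = ipaddress.ip_network(prefix)
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # Skip ROAs for other ASNs and for the other address family.
        if roa.asn != origin or roa_net.version != net.version:
            continue
        if net.subnet_of(roa_net) and net.prefixlen <= roa.max_len:
            return True
    return False


def validate(prefix: str, origin: int, use_roas: bool = True) -> tuple:
    """Return (decision, tagged): decision is 'accept' or 'reject'; tagged is True
    when the route would carry the prefix_validated_via_rpki_roas community
    (65530:2 in the configs above). `use_roas` mirrors the `enabled` knob."""
    if origin not in AS_SET_MEMBERS:
        return "reject", False          # enforce_origin_in_as_set fails
    if ROUTE_OBJECTS.get(prefix) == origin:
        return "accept", False          # enforce_prefix_in_as_set satisfied by IRR
    if use_roas and covered_by_roa(prefix, origin):
        return "accept", True           # ROA stands in for the missing route object
    return "reject", False
```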

job commented on July 28, 2024

Guess we'll have to test this to provide you with good feedback! :)

