On Fri, May 26, 2017 at 08:01:00PM +0200, Peter Hessler wrote: > Apropos of "I found it", I implemented support for RFC 7607. It's a > super short RFC, but basically it forbids use of AS 0 anywhere. > > OK? >
hi. you probably want to add the rfc to the list in STANDARDS too, after 7606. jmc > > Index: parse.y > =================================================================== > RCS file: /cvs/openbsd/src/usr.sbin/bgpd/parse.y,v > retrieving revision 1.300 > diff -u -p -u -p -r1.300 parse.y > --- parse.y 26 May 2017 14:08:51 -0000 1.300 > +++ parse.y 26 May 2017 17:55:11 -0000 > @@ -3661,6 +3661,11 @@ neighbor_consistent(struct peer *p) > return (-1); > } > > + if (p->conf.remote_as == 0) { > + yyerror("peer AS needs to be not zero"); > + return (-1); > + } > + > /* set default values if they where undefined */ > p->conf.ebgp = (p->conf.remote_as != conf->as); > if (p->conf.announce_type == ANNOUNCE_UNDEF) > Index: rde.c > =================================================================== > RCS file: /cvs/openbsd/src/usr.sbin/bgpd/rde.c,v > retrieving revision 1.361 > diff -u -p -u -p -r1.361 rde.c > --- rde.c 25 Jan 2017 03:21:55 -0000 1.361 > +++ rde.c 26 May 2017 17:43:30 -0000 > @@ -1102,6 +1102,14 @@ rde_update_dispatch(struct imsg *imsg) > /* shift to NLRI information */ > p += 2 + attrpath_len; > > + /* aspath must not contain AS 0 */ > + if (!aspath_loopfree(asp->aspath, 0)) { > + log_peer_warnx(&peer->conf, "bad AS 0 in UPDATE"); > + rde_update_err(peer, ERR_UPDATE, ERR_UPD_ASPATH, > + NULL, 0); > + goto done; > + } > + > /* aspath needs to be loop free nota bene this is not a hard error */ > if (peer->conf.ebgp && !aspath_loopfree(asp->aspath, conf->as)) > asp->flags |= F_ATTR_LOOP; > Index: session.c > =================================================================== > RCS file: /cvs/openbsd/src/usr.sbin/bgpd/session.c,v > retrieving revision 1.359 > diff -u -p -u -p -r1.359 session.c > --- session.c 13 Feb 2017 14:48:44 -0000 1.359 > +++ session.c 5 May 2017 17:26:16 -0000 > @@ -2017,6 +2017,14 @@ parse_open(struct peer *peer) > memcpy(&short_as, p, sizeof(short_as)); > p += sizeof(short_as); > as = peer->short_as = ntohs(short_as); > + if (as == 0) { > + log_peer_warnx(&peer->conf, > + "peer requests unacceptable AS %u", as); > + session_notification(peer, ERR_OPEN, ERR_OPEN_AS, > + NULL, 0); > + change_state(peer, STATE_IDLE, EVNT_RCVD_OPEN); > + return (-1); > + } > > memcpy(&oholdtime, p, sizeof(oholdtime)); > p += sizeof(oholdtime); > @@ -2477,6 +2485,14 @@ parse_capabilities(struct peer *peer, u_ > } > memcpy(&remote_as, capa_val, sizeof(remote_as)); > *as = ntohl(remote_as); > + if (*as == 0) { > + log_peer_warnx(&peer->conf, > + "peer requests unacceptable AS %u", *as); > + session_notification(peer, ERR_OPEN, > ERR_OPEN_AS, > + NULL, 0); > + change_state(peer, STATE_IDLE, EVNT_RCVD_OPEN); > + return (-1); > + } > peer->capa.peer.as4byte = 1; > break; > default: > > > -- > Taxes, n.: > Of life's two certainties, the only one for which you can get > an extension. >