Peter Hessler(phess...@openbsd.org) on 2017.05.26 21:40:49 +0200:
> On 2017 May 26 (Fri) at 20:01:00 +0200 (+0200), Peter Hessler wrote:
> :Apropos of "I found it", I implemented support for RFC 7607.  It's a
> :super short RFC, but basically it forbids use of AS 0 anywhere.
> :
> :OK?
> :
> :
> 
> Fixed some denglish in an error message, mention the RFC in the man
> page, and don't take down the session if we receive AS0 in the path.
> 
> 
> Index: bgpd.8
> ===================================================================
> RCS file: /cvs/openbsd/src/usr.sbin/bgpd/bgpd.8,v
> retrieving revision 1.52
> diff -u -p -u -p -r1.52 bgpd.8
> --- bgpd.8    19 Feb 2017 11:38:24 -0000      1.52
> +++ bgpd.8    26 May 2017 18:29:49 -0000
> @@ -357,6 +357,16 @@ control socket
>  .Re
>  .Pp
>  .Rs
> +.%A W. Kumari
> +.%A R. Bush
> +.%A H. Schiller
> +.%A K. Patel
> +.%D August 2015
> +.%R RFC 7607
> +.%T Codification of AS 0 Processing

diff is ok, but please consider this:

i think we should limit the list to the features we support so
that users can check if a certain something should work or not.

this is not a feature, this is a protocol clarification/stability issue.

otherwise the list gets longer and useless.

if you leave this out, put a /* rfc 7607 */ comment next to the
aspath_extract() below.

> +.Re
> +.Pp
> +.Rs
>  .%D August 2011
>  .%R draft-ietf-grow-mrt-17
>  .%T MRT routing information export format
> Index: parse.y
> ===================================================================
> RCS file: /cvs/openbsd/src/usr.sbin/bgpd/parse.y,v
> retrieving revision 1.300
> diff -u -p -u -p -r1.300 parse.y
> --- parse.y   26 May 2017 14:08:51 -0000      1.300
> +++ parse.y   26 May 2017 18:15:33 -0000
> @@ -3661,6 +3661,11 @@ neighbor_consistent(struct peer *p)
>               return (-1);
>       }
>  
> +     if (p->conf.remote_as == 0) {
> +             yyerror("peer AS may not be zero");
> +             return (-1);
> +     }
> +
>       /* set default values if they where undefined */
>       p->conf.ebgp = (p->conf.remote_as != conf->as);
>       if (p->conf.announce_type == ANNOUNCE_UNDEF)
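Review bot: the new test in neighbor_consistent() covers only p->conf.remote_as; the local AS, conf->as, which the very next statement compares against, is not checked for zero anywhere in this hunk. If the goal is that AS 0 is refused anywhere, and conf->as is not validated elsewhere in parse.y, it needs an equivalent check with its own yyerror(). It is also worth confirming that a neighbor with no remote AS configured does not arrive here with remote_as == 0, because "peer AS may not be zero" would then be a misleading message for a missing setting.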
> Index: rde_attr.c
> ===================================================================
> RCS file: /cvs/openbsd/src/usr.sbin/bgpd/rde_attr.c,v
> retrieving revision 1.97
> diff -u -p -u -p -r1.97 rde_attr.c
> --- rde_attr.c        24 Jan 2017 04:22:42 -0000      1.97
> +++ rde_attr.c        26 May 2017 19:29:04 -0000
> @@ -460,6 +460,9 @@ aspath_verify(void *data, u_int16_t len,
>               if (seg_size == 0)
>                       /* empty aspath segments are not allowed */
>                       return (AS_ERR_BAD);
> +
> +             if (aspath_extract(seg, 0) == 0)
> +                     return (AS_ERR_BAD);
>       }
>       return (error); /* aspath is valid but probably not loop free */
>  }
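Review bot: in aspath_verify(), aspath_extract(seg, 0) reads only the first AS of each segment, so an AS 0 at any later position in a segment still passes verification. Since the stated intent is to forbid AS 0 anywhere in the path, the check should walk every AS in the segment and return AS_ERR_BAD on the first zero.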
> Index: session.c
> ===================================================================
> RCS file: /cvs/openbsd/src/usr.sbin/bgpd/session.c,v
> retrieving revision 1.359
> diff -u -p -u -p -r1.359 session.c
> --- session.c 13 Feb 2017 14:48:44 -0000      1.359
> +++ session.c 5 May 2017 17:26:16 -0000
> @@ -2017,6 +2017,14 @@ parse_open(struct peer *peer)
>       memcpy(&short_as, p, sizeof(short_as));
>       p += sizeof(short_as);
>       as = peer->short_as = ntohs(short_as);
> +     if (as == 0) {
> +             log_peer_warnx(&peer->conf,
> +                 "peer requests unacceptable AS %u", as);
> +             session_notification(peer, ERR_OPEN, ERR_OPEN_AS,
> +                 NULL, 0);
> +             change_state(peer, STATE_IDLE, EVNT_RCVD_OPEN);
> +             return (-1);
> +     }
>  
>       memcpy(&oholdtime, p, sizeof(oholdtime));
>       p += sizeof(oholdtime);
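Review bot: inside the as == 0 branch of parse_open(), the format "peer requests unacceptable AS %u" can only ever print 0, so the argument adds nothing; a fixed message that names AS 0 would be clearer in the log. The same reject sequence (log_peer_warnx, session_notification, change_state, return -1) is repeated verbatim in parse_capabilities() in the next hunk, so a small shared helper would keep the two paths from drifting apart.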
> @@ -2477,6 +2485,14 @@ parse_capabilities(struct peer *peer, u_
>                       }
>                       memcpy(&remote_as, capa_val, sizeof(remote_as));
>                       *as = ntohl(remote_as);
> +                     if (*as == 0) {
> +                             log_peer_warnx(&peer->conf,
> +                                 "peer requests unacceptable AS %u", *as);
> +                             session_notification(peer, ERR_OPEN, 
> ERR_OPEN_AS,
> +                                 NULL, 0);
> +                             change_state(peer, STATE_IDLE, EVNT_RCVD_OPEN);
> +                             return (-1);
> +                     }
>                       peer->capa.peer.as4byte = 1;
>                       break;
>               default:
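Review bot: the session_notification() call in the *as == 0 block is split across two quoted lines, with "ERR_OPEN_AS," sitting on a line of its own that carries no leading +, so this hunk will not apply as posted. At this indentation the unwrapped line also appears to run past 80 columns; break it after "ERR_OPEN," and put the remaining arguments on the continuation line.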
> 
> 
> 
> 
> -- 
> Madam, there's no such thing as a tough child -- if you parboil them
> first for seven hours, they always come out tender.
>               -- W. C. Fields
> 
