Hello, (please keep me in CC)
we use filters from https://bgpfilterguide.nlnog.net/
One of the first functions checks for bogon ASNs way before the RPKI ROA check:

> filter transit_in {
>
>   reject_bogon_asns();
[...]
>   if (net.type = NET_IP4) then {
>     if (roa_check(r4, net, bgp_path.last) = ROA_INVALID) then
>     {
>       print "Reject RPKI INVALID announcement ", net, " by AS", bgp_path.last;
>       reject;
>     }
>   }
[...]

My assumption was that an announcement from AS0 would never end up at the RPKI ROA check since it is already tested and rejected earlier by the reject_bogon_asns() function, but then I found log entries suggesting otherwise:

> Reject RPKI INVALID announcement 200.124.231.0/24 by AS0

So I was wondering:

- Did I incorrectly assume first match wins?
- Is the reject_bogon_asns() function not working as intended?

> define BOGON_ASNS = [ 0,                      # RFC 7607
>   23456,                  # RFC 4893 AS_TRANS
>   64496..64511,           # RFC 5398 and documentation/example ASNs
>   64512..65534,           # RFC 6996 Private ASNs
>   65535,                  # RFC 7300 Last 16 bit ASN
>   65536..65551,           # RFC 5398 and documentation/example ASNs
>   65552..131071,          # RFC IANA reserved ASNs
>   4200000000..4294967294, # RFC 6996 Private ASNs
>   4294967295              # RFC 7300 Last 32 bit ASN
> ];
>
> function reject_bogon_asns()
> int set bogon_asns;
> {
>   bogon_asns = BOGON_ASNS;
>   if ( bgp_path ~ bogon_asns ) then {
>     print "Reject: bogon AS_PATH: ", net, " ", bgp_path;
>     reject;
>   }
> }

thanks,
Christoph
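The following is an added example, not part of Christoph's post or of the NLNOG filter guide. It models, in Python, the two checks the quoted filter runs in order (the bogon AS_PATH set match, then a ROA check keyed on the last ASN of the path) so the ordering question can be exercised against constructed routes. The ROA table, the prefix 192.0.2.0/24 and the origin AS 1000 are made up for the example. It assumes, as BIRD's accessor behaves when there is no ASN to return, that `bgp_path.last` evaluates to 0 for an empty AS_PATH; under that assumption the empty-path case shows one way a route can pass `reject_bogon_asns()` (no element of an empty path is in the set) and still be logged as "by AS0" at the ROA check.

```python
import ipaddress

# Bogon ASN ranges, transcribed from the BOGON_ASNS define in the post (inclusive bounds).
BOGON_ASNS = [
    (0, 0),                    # RFC 7607
    (23456, 23456),            # RFC 4893 AS_TRANS
    (64496, 64511),            # RFC 5398 documentation/example ASNs
    (64512, 65534),            # RFC 6996 private ASNs
    (65535, 65535),            # RFC 7300 last 16-bit ASN
    (65536, 65551),            # RFC 5398 documentation/example ASNs
    (65552, 131071),           # IANA reserved ASNs
    (4200000000, 4294967294),  # RFC 6996 private ASNs
    (4294967295, 4294967295),  # RFC 7300 last 32-bit ASN
]

ROA_UNKNOWN, ROA_VALID, ROA_INVALID = "ROA_UNKNOWN", "ROA_VALID", "ROA_INVALID"


def is_bogon_asn(asn):
    return any(lo <= asn <= hi for lo, hi in BOGON_ASNS)


def path_has_bogon(path):
    """Model of `bgp_path ~ bogon_asns`: true if ANY ASN in the path is in the set.
    An empty path has no element to match, so it is NOT caught here."""
    return any(is_bogon_asn(asn) for asn in path)


def path_last(path):
    """Model of `bgp_path.last`. ASSUMPTION (not stated in the post): an empty
    AS_PATH yields 0, because there is no originating ASN to return."""
    return path[-1] if path else 0


def roa_check(roas, prefix, origin):
    """Model of `roa_check(table, net, asn)` with RFC 6811 semantics: VALID if some
    ROA covering the prefix has the same origin and maxLength >= announced length,
    INVALID if the prefix is covered but no ROA matches, UNKNOWN if nothing covers it."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa_asn == origin and net.prefixlen <= max_len:
            return ROA_VALID
    return ROA_INVALID if covered else ROA_UNKNOWN


def transit_in(roas, prefix, path):
    """Model of the two checks in the post's `transit_in` filter, evaluated in order."""
    if path_has_bogon(path):
        return "Reject: bogon AS_PATH"
    origin = path_last(path)
    if roa_check(roas, prefix, origin) == ROA_INVALID:
        return "Reject RPKI INVALID announcement %s by AS%d" % (prefix, origin)
    return "accept"


# Constructed ROA table: AS 1000 (made up) is authorised for 192.0.2.0/24 (documentation prefix).
ROAS = [("192.0.2.0/24", 24, 1000)]

if __name__ == "__main__":
    for path in ([2000, 1000], [2000, 64512], [2000, 3000], []):
        print(path, "->", transit_in(ROAS, "192.0.2.0/24", path))
```

The first three paths behave as the post expects: a private ASN anywhere in the path is rejected before the ROA check ever runs, and a non-bogon origin that disagrees with the ROA is rejected with that origin's number in the message. Only the empty path reaches the ROA check with an origin of 0, which is the shape of the log line quoted above; if that is what is being seen, it is worth checking where such routes enter (iBGP-learned or locally originated routes carry no AS_PATH) rather than assuming the bogon function is broken.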
