On Fri, Oct 04, 2019 at 10:19:00PM +0000, Christoph wrote:
> Hello,
>
> (please keep me in CC)
>
> we use filters from
> https://bgpfilterguide.nlnog.net/
>
> One of the first functions checks for bogon ASNs
> way before the RPKI ROA check:
>
> > filter transit_in {
> >
> >         reject_bogon_asns();
> [...]
> >         if (net.type = NET_IP4) then {
> >           if (roa_check(r4, net, bgp_path.last) = ROA_INVALID) then
> >           {
> >             print "Reject RPKI INVALID announcement ", net, " by AS", bgp_path.last;
> >             reject;
> >           }
> >         }
> [...]
>
>
> My assumption was that an announcement from AS0 would never end up
> at the RPKI ROA check since it is already tested and rejected earlier at
> the reject_bogon_asns() function
> but then I found log entries suggesting otherwise:
>
> > Reject RPKI INVALID announcement 200.124.231.0/24 by AS0
>
> So I was wondering:
> - Did I incorrectly assume first match wins?
> - Is the reject_bogon_asns() function not working as intended?

Hello

bgp_path.last returns 0 if the last item is AS_SET. There are most
likely no AS0 in the path.

--
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: [email protected])
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
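
To illustrate the reply above, an added example (not part of the original message and not BIRD's own code): a small Python model of the quoted filter order, showing how a path with no AS0 in it can pass the bogon ASN check and still be logged as "by AS0". It assumes a bogon check that inspects every ASN in the path, an abbreviated constructed bogon list, and constructed ROA and path data; the validation states follow RFC 6811, where an origin that cannot be determined matches no ROA.

```python
import ipaddress

AS_SET, AS_SEQUENCE = 1, 2          # segment type codes from RFC 4271
BOGON_ASNS = {0, 23456}             # abbreviated, constructed bogon list

def path_asns(path):
    """Every ASN that appears anywhere in the path, sets included."""
    return [asn for _seg_type, asns in path for asn in asns]

def has_bogon_asn(path):
    return any(asn in BOGON_ASNS for asn in path_asns(path))

def last_asn(path):
    """Model of the behaviour described in the reply: 0 when the final
    segment is an AS_SET, otherwise the rightmost ASN of the sequence.
    An empty path is treated the same way in this model."""
    if not path:
        return 0
    seg_type, asns = path[-1]
    return asns[-1] if seg_type == AS_SEQUENCE and asns else 0

def roa_state(roas, prefix, origin):
    """RFC 6811 origin validation against a list of (prefix, maxlen, asn)."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            # Origin 0 stands for "no origin" and never matches a ROA.
            if origin != 0 and roa_asn == origin and net.prefixlen <= max_len:
                return "VALID"
    return "INVALID" if covered else "UNKNOWN"

def evaluate(path, prefix, roas):
    """Same order as the quoted filter: bogon ASN check, then ROA check."""
    if has_bogon_asn(path):
        return "rejected: bogon ASN in path"
    origin = last_asn(path)
    if roa_state(roas, prefix, origin) == "INVALID":
        return f"rejected: RPKI INVALID by AS{origin}"
    return "accepted"

# Constructed sample data (documentation prefix and ASNs).
ROAS = [("192.0.2.0/24", 24, 64496)]
AGGREGATED = [(AS_SEQUENCE, [64500, 64499]), (AS_SET, [64496, 64497])]
PLAIN = [(AS_SEQUENCE, [64500, 64499, 64496])]

if __name__ == "__main__":
    for p in (AGGREGATED, PLAIN):
        print(evaluate(p, "192.0.2.0/24", ROAS))
```

The aggregated path is rejected by the ROA check with origin 0 even though the bogon check found nothing, which matches the log line in the question.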
