Hello, I'm trying to add path-hiding mitigation support to a tool I wrote to build route server configurations, but I'm facing some issues with a multi-RIB configuration like the one attached here.
I'll try to make it simple. AS1 announces 10.0.0.0/24 to the route server; I
want the route server to prevent that route from being announced to AS2.
This is what I got:
'bgpctl show rib 10.0.0.0/24' => empty, no 10.0.0.0/24 found
'bgpctl show rib table toAS1_1 10.0.0.0/24' and 'bgpctl show rib table toAS2_1 10.0.0.0/24' (both toAS1_1 and toAS2_1 tables) => 10.0.0.0/24 is there

# bgpctl show rib detail table toAS2_1 10.0.0.0/24
BGP routing table entry for 10.0.0.0/24
    1
    Nexthop 192.0.2.11 (via 192.0.2.11) from AS1_1 client (192.0.2.11)
    Origin IGP, metric 0, localpref 100, weight 0, external, valid, best
    Last update: 00:07:34 ago

AS2 receives 10.0.0.0/24 of course.
Tested with both 6.0 and 6.1.
What am I missing?
I expected that, since the route is blocked inbound, it should not be present
in any RIB other than Adj-RIB.
Maybe this is not a bug and I simply didn't get the point of how multiple RIBs
work in OpenBGPD. In that case any help or pointer would be much appreciated.
Thanks,
--
Pier Carlo Chiodi

Attached configuration:

AS 999
router-id 192.0.2.2
fib-update no
log updates
nexthop qualify via default

rde rib toAS1_1
rde rib toAS2_1

group "clients" {
    neighbor 192.0.2.11 {
        rib toAS1_1
        softreconfig in yes
        descr "AS1_1 client"
        remote-as 1
        passive
        ttl-security no
        transparent-as yes
        enforce neighbor-as no
        announce all
        announce as-4byte yes
        announce IPv6 none
        announce IPv4 unicast
        set nexthop no-modify
    }
    neighbor 192.0.2.21 {
        rib toAS2_1
        softreconfig in yes
        descr "AS2_1 client"
        remote-as 2
        passive
        ttl-security no
        transparent-as yes
        enforce neighbor-as no
        announce all
        announce as-4byte yes
        announce IPv6 none
        announce IPv4 unicast
        set nexthop no-modify
    }
}

bogons="{ 10.0.0.0/8 prefixlen 8 - 32 }"
deny quick from any prefix $bogons
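A check for the situation described in the post, as an added example that is not part of the original message or of OpenBGPD: it parses captured 'bgpctl show rib detail table <rib>' output for each per-client RIB and reports every installed prefix that falls inside the denied set ({ 10.0.0.0/8 prefixlen 8 - 32 } from the attached config), so a leak like the one above is found across all RIBs in one pass. The captures are constructed from the output quoted in the post, with one extra non-denied prefix (198.51.100.0/24) added to show the negative case.

```python
# Audit per-client RIBs for prefixes an inbound 'deny' rule should have dropped.
import ipaddress
import re

# Denied set from the attached config: $bogons = { 10.0.0.0/8 prefixlen 8 - 32 }
DENIED = [(ipaddress.ip_network("10.0.0.0/8"), 8, 32)]

# Constructed captures of 'bgpctl show rib detail table <rib>', one per rde rib.
CAPTURES = {
    "toAS1_1": """BGP routing table entry for 10.0.0.0/24
    1
    Nexthop 192.0.2.11 (via 192.0.2.11) from AS1_1 client (192.0.2.11)
""",
    "toAS2_1": """BGP routing table entry for 10.0.0.0/24
    1
    Nexthop 192.0.2.11 (via 192.0.2.11) from AS1_1 client (192.0.2.11)
BGP routing table entry for 198.51.100.0/24
    1
    Nexthop 192.0.2.11 (via 192.0.2.11) from AS1_1 client (192.0.2.11)
""",
}

ENTRY_RE = re.compile(r"^BGP routing table entry for (\S+)")
NEXTHOP_RE = re.compile(r"^\s*Nexthop (\S+) .* from (.+?) \((\S+)\)")

def parse_rib_detail(text):
    """Yield (prefix, nexthop, peer description) for each entry in the capture."""
    prefix = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            prefix = m.group(1)
            continue
        m = NEXTHOP_RE.match(line)
        if m and prefix is not None:
            yield prefix, m.group(1), m.group(2)

def is_denied(prefix):
    """True if prefix matches 'prefix X prefixlen A - B': inside X, length in [A, B]."""
    net = ipaddress.ip_network(prefix)
    return any(net.version == d.version and net.subnet_of(d) and lo <= net.prefixlen <= hi
               for d, lo, hi in DENIED)

def audit(captures):
    """Return {rib: [(prefix, nexthop, peer), ...]} for denied prefixes still installed."""
    leaks = {}
    for rib, text in captures.items():
        hits = [e for e in parse_rib_detail(text) if is_denied(e[0])]
        if hits:
            leaks[rib] = hits
    return leaks
```

On a live router the captures would come from running the same bgpctl command for each name listed under 'rde rib'; an empty result from audit() is what the post's author expected to see.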