Hi,

I don't know if this is a real bug, but at least it may be brought to attention that "announce self" without proper filtering may lead to some unexpected behaviour.

When configured with "enforce neighbor-as no" (as for connection to an IXP route server), OpenBGPD seems to accept UPDATEs with an empty AS_PATH and, without proper filtering, announces them back prepended with AS "self" to every neighbor even if "announce self" has been set on the neighbor definition.

The following 3 BGP routers configuration was used for testing:

- rsix: 10.0.0.1/24 - AS65000, running exabgp 2.0.2,
  announcing 199.185.136.0/23 with empty AS_PATH
- ourself: 10.0.0.2/24 - AS65200, running stock OpenBGPD with OpenBSD 5.1,
  announcing 192.0.2.0/24 originating from AS65200
- transit: 10.0.0.3/24 - AS65300, running stock OpenBGPD with OpenBSD 5.1,
  announcing 0.0.0.0/0 originating from AS65300

The following OpenBGPD/exabgp configuration was used:

# rsix exabgp.conf
neighbor 10.0.0.2 {
        description "evil or goofy RS";
        router-id 10.0.0.1;
        local-address 10.0.0.1;
        local-as 65000;
        peer-as 65200;
        static {
                route 199.185.136.0/23 {
                        next-hop 10.0.0.1;
                        as-path [ ];
                }
        }
}
###

# ourself bgpd.conf
AS 65200
router-id 10.0.0.2
network 192.0.2.0/24
neighbor 10.0.0.1 {
        descr "IXP RS"
        announce self
        remote-as 65000
        enforce neighbor-as no
}
neighbor 10.0.0.3 {
        descr "transit provider"
        announce self
        remote-as 65300
}
###

# transit bgpd.conf
AS 65300
router-id 10.0.0.3
network 0.0.0.0/0
neighbor 10.0.0.2 {
        descr "customer"
        announce self
        remote-as 65200
}
###

After starting everything, here are the "bgpctl show rib" outputs:

Seen by ourself:

flags destination          gateway          lpref   med aspath origin
*>    0.0.0.0/0            10.0.0.3           100     0 65300 i
AI*>  192.0.2.0/24         0.0.0.0            100     0 i
*>    199.185.136.0/23     10.0.0.1           100     0 i

- 0.0.0.0/8 through our transit
- announce 192.0.2.0/24 as it's our network
- 199.185.136.0/23 with an empty AS_PATH injected via IXP RS (exabgp)

and seen by transit provider:

flags destination          gateway          lpref   med aspath origin
AI*>  0.0.0.0/0            0.0.0.0            100     0 i
*>    192.0.2.0/24         10.0.0.2           100     0 65200 i
*>    199.185.136.0/23     10.0.0.1           100     0 65200 i

- announce default route to customer
- received AS65200 announce of 192.0.2.0/24, OK
- 199.185.136.0/23 looks like it is originated by AS65200, despite using the "announce self" statement, NOK

Here is also a patch attempt that fixes this and drops sessions on empty AS_PATH UPDATEs from EBGP peers (I'm not a BGP expert and my C is a bit rusty, so do not hesitate to drop this ;))

--- rde.c.orig 2012-08-22 18:12:48.000000000 +0200
+++ rde.c 2012-08-22 18:12:48.000000000 +0200
@@ -972,6 +972,17 @@
}
}
+ /* check for empty AS path with ebgp peers */
+ if (asp->flags & F_ATTR_ASPATH &&
+ asp->aspath->ascnt == 0 &&
+ peer->conf.ebgp ) {
+ log_peer_warnx(&peer->conf, "bad path, "
+ "path empty but not an IBGP peer");
+ rde_update_err(peer, ERR_UPDATE, ERR_UPD_ASPATH,
+ NULL, 0);
+ goto done;
+ }
+
rde_reflector(peer, asp);
}
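
Review bot: the new condition tests only F_ATTR_ASPATH, ascnt == 0 and peer->conf.ebgp, so it applies to every EBGP peer whatever "enforce neighbor-as" is set to, and it answers one offending UPDATE with rde_update_err(), which per the description above drops the session. If that is intended for route-server sessions too, say so in the comment above the check, since an operator will otherwise only see the session reset. Style: parenthesize the bit test as (asp->flags & F_ATTR_ASPATH), remove the stray space in "peer->conf.ebgp )", and consider wording the log text positively, for example "empty AS path from EBGP peer".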
--
Rémi Laurent
Phone: +352 26 10 30 61
General Support: [email protected]
GPG FP: 27F4 6810 2B0E 1AA0 CDAE 7C7B 3DC9 085A 0FA0 0601
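
Added example, not part of the original message and not OpenBGPD code: the condition the patch tests (AS_PATH present, zero ASes, EBGP peer), applied to the raw path-attribute bytes of an UPDATE. The names aspath_count and update_ok and the sample byte arrays are constructed for illustration; as_size is 2 or 4 depending on whether 4-byte AS numbers were negotiated.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define ATTR_EXTLEN	0x10	/* attribute flag: length field is 2 bytes */
#define ATTR_ASPATH	2	/* AS_PATH attribute type code */

/* Count the ASes in the AS_PATH of a path-attribute block.
 * Returns -1 if the block is malformed or carries no AS_PATH. */
int aspath_count(const uint8_t *p, size_t len, size_t as_size)
{
	size_t hdr, alen, seg;
	int cnt = 0;
	for (; len >= 3; p += hdr + alen, len -= hdr + alen) {
		hdr = (p[0] & ATTR_EXTLEN) ? 4 : 3;
		if (len < hdr)
			return -1;
		alen = hdr == 4 ? ((size_t)p[2] << 8 | p[3]) : p[2];
		if (alen > len - hdr)
			return -1;
		if (p[1] != ATTR_ASPATH)
			continue;	/* skip ORIGIN, NEXT_HOP, ... */
		/* segments: type (1 byte), AS count (1 byte), AS numbers */
		for (p += hdr; alen > 0; p += seg, alen -= seg) {
			seg = alen < 2 ? 0 : 2 + p[1] * as_size;
			if (seg <= 2 || seg > alen)	/* short, empty or overlong */
				return -1;
			cnt += p[1];
		}
		return cnt;
	}
	return -1;
}

/* Verdict for one UPDATE: an empty AS_PATH is fine from an IBGP peer but
 * not from an EBGP peer; a malformed or missing AS_PATH is refused as well. */
int update_ok(const uint8_t *attrs, size_t len, size_t as_size, int ebgp)
{
	int cnt = aspath_count(attrs, len, as_size);
	return cnt > 0 || (cnt == 0 && !ebgp);
}

/* Constructed samples: ORIGIN IGP, AS_PATH, NEXT_HOP 10.0.0.1 */
static const uint8_t empty_path[] = { 0x40,1,1,0, 0x40,2,0, 0x40,3,4,10,0,0,1 };
static const uint8_t path_65200[] = { 0x40,1,1,0, 0x40,2,4,2,1,0xfe,0xb0, 0x40,3,4,10,0,0,1 };
int main(void)
{
	printf("empty from ebgp: %d, 65200 from ebgp: %d\n",
	    update_ok(empty_path, sizeof(empty_path), 2, 1),
	    update_ok(path_65200, sizeof(path_65200), 2, 1));
	return 0;
}
```

Unlike the patch, this only returns a verdict; what to do with a refused UPDATE (session reset or discarding the route) is left to the caller.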