On 2017 May 26 (Fri) at 20:01:00 +0200 (+0200), Peter Hessler wrote: :Apropos of "I found it", I implemented support for RFC 7607. It's a :super short RFC, but basically it forbids use of AS 0 anywhere. : :OK? : :
Fixed some denglish in an error message, mention the RFC in the man page, and don't take down the session if we receive AS0 in the path. Index: bgpd.8 =================================================================== RCS file: /cvs/openbsd/src/usr.sbin/bgpd/bgpd.8,v retrieving revision 1.52 diff -u -p -u -p -r1.52 bgpd.8 --- bgpd.8 19 Feb 2017 11:38:24 -0000 1.52 +++ bgpd.8 26 May 2017 18:29:49 -0000 @@ -357,6 +357,16 @@ control socket .Re .Pp .Rs +.%A W. Kumari +.%A R. Bush +.%A H. Schiller +.%A K. Patel +.%D August 2015 +.%R RFC 7607 +.%T Codification of AS 0 Processing +.Re +.Pp +.Rs .%D August 2011 .%R draft-ietf-grow-mrt-17 .%T MRT routing information export format Index: parse.y =================================================================== RCS file: /cvs/openbsd/src/usr.sbin/bgpd/parse.y,v retrieving revision 1.300 diff -u -p -u -p -r1.300 parse.y --- parse.y 26 May 2017 14:08:51 -0000 1.300 +++ parse.y 26 May 2017 18:15:33 -0000 @@ -3661,6 +3661,11 @@ neighbor_consistent(struct peer *p) return (-1); } + if (p->conf.remote_as == 0) { + yyerror("peer AS may not be zero"); + return (-1); + } + /* set default values if they where undefined */ p->conf.ebgp = (p->conf.remote_as != conf->as); if (p->conf.announce_type == ANNOUNCE_UNDEF) Index: rde_attr.c =================================================================== RCS file: /cvs/openbsd/src/usr.sbin/bgpd/rde_attr.c,v retrieving revision 1.97 diff -u -p -u -p -r1.97 rde_attr.c --- rde_attr.c 24 Jan 2017 04:22:42 -0000 1.97 +++ rde_attr.c 26 May 2017 19:29:04 -0000 @@ -460,6 +460,9 @@ aspath_verify(void *data, u_int16_t len, if (seg_size == 0) /* empty aspath segments are not allowed */ return (AS_ERR_BAD); + + if (aspath_extract(seg, 0) == 0) + return (AS_ERR_BAD); } return (error); /* aspath is valid but probably not loop free */ } Index: session.c =================================================================== RCS file: /cvs/openbsd/src/usr.sbin/bgpd/session.c,v retrieving revision 1.359 diff -u -p -u -p -r1.359 session.c --- session.c 13 Feb 2017 14:48:44 -0000 1.359 +++ session.c 5 May 2017 17:26:16 -0000 @@ -2017,6 +2017,14 @@ parse_open(struct peer *peer) memcpy(&short_as, p, sizeof(short_as)); p += sizeof(short_as); as = peer->short_as = ntohs(short_as); + if (as == 0) { + log_peer_warnx(&peer->conf, + "peer requests unacceptable AS %u", as); + session_notification(peer, ERR_OPEN, ERR_OPEN_AS, + NULL, 0); + change_state(peer, STATE_IDLE, EVNT_RCVD_OPEN); + return (-1); + } memcpy(&oholdtime, p, sizeof(oholdtime)); p += sizeof(oholdtime); @@ -2477,6 +2485,14 @@ parse_capabilities(struct peer *peer, u_ } memcpy(&remote_as, capa_val, sizeof(remote_as)); *as = ntohl(remote_as); + if (*as == 0) { + log_peer_warnx(&peer->conf, + "peer requests unacceptable AS %u", *as); + session_notification(peer, ERR_OPEN, ERR_OPEN_AS, + NULL, 0); + change_state(peer, STATE_IDLE, EVNT_RCVD_OPEN); + return (-1); + } peer->capa.peer.as4byte = 1; break; default: -- Madam, there's no such thing as a tough child -- if you parboil them first for seven hours, they always come out tender. -- W. C. Fields