Re: bgpd roa-set backend

Fri, 14 Sep 2018 08:28:06 -0700 

Dear Claudio,

On Fri, Sep 14, 2018 at 04:59:51PM +0200, Claudio Jeker wrote:
> This diff extends the existing trie code for prefix-set to also work with
> roa-set. Unlike prefix-set there is no need for a prefixlen mask during
> lookup, instead the source-as needs to be checked and also if the
> prefixlen of the prefix is allowed.
> The lookup can return 3 states:
> ROA_UNKNONW: prefix is not covered by any entry
> ROA_VALID: prefix is covered and the source-as matches as does the prefixlen
> ROA_INVALID: there was a covering ROA entry that did not match source-as
>       or prefixlen

I didn't test yet - but from your above description I have these three
questions.

Given this ROA file with two entries: 

    prefix 80.128.0.0/11 maxlen 11 source-as 0
    prefix 80.128.0.0/11 maxlen 11 source-as 3320

1/ The following announcement "80.128.0.0/11 AS_PATH 2914_3320" received
via (E)BGP must result in ROA_VALID state. An announcement must be
considered ROA_VALID if it correctly matches /any/ of the configured
ROAs. So the presence of "80.128.0.0/11 maxlen 11 source-as 0" should
not invalidate any other ROA. Does this match your understanding too?

> The source-as check is done with an as_set and should therefor scale
> well.  In general these lookups need to be quick since all prefixes
> will go through roa lookups.

2/ I take it that (iff a ROA file is defined) any and all announcements
will go through the lookup? (I think this is good.)

3/ If the contents of the roa_file are change, and a 'bgpctl reload' is
issued - the validation state should be reevaluated. For instance if we
start with:

    prefix 80.128.0.0/11 maxlen 11 source-as 0
    prefix 80.128.0.0/11 maxlen 11 source-as 3320

and have announcement 80.128.0.0/11 AS_PATH 2914_3320 (ROA_VALID) in
Loc-RIB, the moment the ROA file is changed to:

    prefix 80.128.0.0/11 maxlen 11 source-as 0
    prefix 80.128.0.0/11 maxlen 11 source-as 666

the announcement 80.128.0.0/11 AS_PATH 2914_3320 should become
ROA_INVALID. Should we get to the point where we can filter based on
validation state, and I configured something like:

    deny from ebgp validation-state invalid

The 80.128.0.0/11 AS_PATH 2914_3320 announcement should become an
infeasible/rejected path.

> The frontend code (parse.y and imsg passing) is missing, since this is
> already fairly large and it is tested by the unit tests I decided to
> send this out as an idividual step.

yes.

Kind regards,

Job

Reply via email to