Add -o option to only use a specific source for an AS-SET or Route Set #70

Merged
merged 10 commits into from
Nov 3, 2022
5 changes: 5 additions & 0 deletions .gitignore
@@ -0,0 +1,5 @@
*\.in
*\.log
*\.o
.deps
.libs
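Review bot: the backslash-escaped dots in `*\.in`, `*\.log` and `*\.o` are a regex habit carried into a file that uses glob patterns; in .gitignore a `.` is already literal, so the escape is harmless but unnecessary and the conventional spelling is `*.in`, `*.log`, `*.o`. Worth checking that `*.in` is not wider than intended: it hides every `.in` file in the tree, including any hand-maintained template that is meant to be committed, whereas the autotools output this presumably targets could be listed by name. Since `.deps` and `.libs` are directories, writing them as `.deps/` and `.libs/` documents that and avoids matching a stray file of the same name.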
83 changes: 64 additions & 19 deletions README.md
@@ -27,10 +27,10 @@

The
**bgpq4**
utility used to generate configurations (prefix-lists, extended
utility is used to generate configurations (prefix-lists, extended
access-lists, policy-statement terms and as-path lists) based on IRR data.

The options are as follows:
It's options are as follows:

**-4**

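Review bot: the reworded line `It's options are as follows:` introduces a grammatical error that the original `The options are as follows:` did not have: `It's` is the contraction of `it is`, the possessive is `Its`. Suggest `Its options are as follows:` or simply keeping the original sentence, since the surrounding change only needed to add `is` to the previous paragraph.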
@@ -162,7 +162,7 @@ The options are as follows:

**-W** *len*

> generate as-path strings of no more than len items (use 0 for inifinity).
> generate as-path strings of no more than len items (use 0 for infinity).

**-U**

@@ -342,28 +342,70 @@ be in one line (sometimes it makes sense):

# NOTES ON SOURCES

By default
*bgpq4*
trusts to data from all databases mirrored into NTT's IRR service.
Unfortunately, not all these databases are equal in how much can we
trust their data.
By default *bgpq4* trusts data from all databases mirrored into NTT's IRR service.
Unfortunately, not all these databases are equal in how much can we trust their
data.
RIR maintained databases (AFRINIC, ARIN, APNIC, LACNIC and RIPE)
shall be trusted more than the others because they are indeed have the
knowledge about which address space allocated to this or that ASn,
other databases lack this knowledge and can (and, actually, do) contain
some stale data: noone but RIRs care to remove outdated route-objects
when address space revoked from one ASn and allocated to another.
In order to keep their filters both compact and actual,
*bgpq4 users*
are encouraged to use '-S' flag to limit database sources to only
ones they trust.
shall be trusted more than the others because they have the knowledge about
which address space is allocated to each ASN, other databases lack this
knowledge and can (and actually do) contain some stale data: nobody but RIRs
care to remove outdated route-objects when address space is revoked from one
ASN and allocated to another. In order to keep their filters both compact and
current, *bgpq4 users* are encouraged to use one of two method to limit
database sources to only ones they trust.

One option is to use the '-S' flag. This limits all queries to a specific data
source. For example, the following command tells IIRd to only use data from
the RIPE RIR DB to build the prefix list for the AS-SET:

$./bgpq4 -S RIPE AS-VOSTRON
no ip prefix-list NN
ip prefix-list NN permit 89.21.224.0/19
ip prefix-list NN permit 134.0.64.0/21

Be aware though, than an AS-SET may contain members from other data sources.
In this case IRRd won't respond to the bgpq4 query will all the prefixes in the
AS-SET tree. Make sure to use the '-S' flag with all the data sources required
for the AS-SET being expanded:

$./bgpq4 -S RIPE,ARIN AS-VOSTRON
no ip prefix-list NN
ip prefix-list NN permit 89.21.224.0/19
ip prefix-list NN permit 134.0.64.0/21
ip prefix-list NN permit 208.86.232.0/24
ip prefix-list NN permit 208.86.233.0/24
ip prefix-list NN permit 208.86.234.0/24
ip prefix-list NN permit 208.86.235.0/24

The other option is to specify a source for an AS-SET or Route Set using the
"::" notation. When bgpq4 detects this, it will look for "::" in the specified
AS-SET or RS on the CLI, and in all members of the AS-SET/RS, and for each
member with a data source specified in "::" format, it will set the IRRd data
source to the given value, query the AS-SET/RS, then reset the data sources back
to the default list for the next object in the tree.

$./bgpq4 RIPE::AS-VOSTRON
no ip prefix-list NN
ip prefix-list NN permit 89.21.224.0/19
ip prefix-list NN permit 134.0.64.0/21
ip prefix-list NN permit 208.86.232.0/22
ip prefix-list NN permit 208.86.232.0/24
ip prefix-list NN permit 208.86.233.0/24
ip prefix-list NN permit 208.86.234.0/24
ip prefix-list NN permit 208.86.235.0/24

In comparison to the '-S' flag, this method return all the prefixes under the
AS-SET, but the root of the tree "AS-VOSTRON" was queries from RIPE only. None
of the member objects used the "::" notation so they were queries from the
default source list (which is all sources).


General recommendations:

Use minimal set of RIR databases (only those in which you and your
customers have registered route-objects).

Avoid using ARIN-NONAUTH and RIPE-NONAUTH as trusted source: these records
Avoid using ARIN-NONAUTH and RIPE-NONAUTH as trusted sources: these records
were created in database but for address space allocated to different RIR,
so the NONAUTH databases have no chance to confirm validity of this route
object.
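Review bot: the `::` example undercuts the trust argument this section opens with, and the text should say so plainly rather than present it as "returns all the prefixes". With `$./bgpq4 RIPE::AS-VOSTRON` only the root lookup is pinned to RIPE; every member without its own `::` is expanded from the default list, i.e. all sources, which is why `ip prefix-list NN permit 208.86.232.0/22` appears here although neither `-S RIPE` nor `-S RIPE,ARIN` returned it. A reader who has just been told to avoid stale and NONAUTH data needs to be told that `::` does not bound where member objects come from, and whether `-S` can be combined with `::` to bound them; the description of "reset the data sources back to the default list" leaves that open. Also several typos in the new prose: `IIRd` should be `IRRd`, `Be aware though, than an AS-SET` should read `that an AS-SET`, `will all the prefixes` should be `with all the prefixes`, `one of two method` should be `methods`, `this method return` should be `returns`, `was queries from RIPE` and `were queries from the default` should be `queried`, and the prompts `$./bgpq4` want a space after the `$`.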
@@ -380,6 +422,9 @@ object.
ip prefix-list NN permit 45.65.184.0/22
[...]

When known, use the "::" notation to speicy the authortative data source for
an AS-SET or RS instead of the -S flag.

# PERFORMANCE

To improve \`bgpq4\` performance when expanding extra-large AS-SETs you
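Review bot: `speicy the authortative` should be `specify the authoritative`. More substantively, `instead of the -S flag` overstates what `::` buys given the example earlier in this file: `::` pins only the lookup of the named object while its members are still expanded from every default source, so `-S` remains the only way shown here to bound the whole tree. Suggest wording this as a complement to `-S` (pin the root with `::`, restrict members with `-S`) rather than a replacement, or stating explicitly that the two can be combined if that is the case. Separately, the PR title refers to a `-o` option but the README documents only the `::` notation; if `-o` was dropped during the ten commits, the title and any option table should be brought in line.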
@@ -430,7 +475,7 @@ In order to create a distribution archive, run:
When everything is OK,
**bgpq4**
generates access-list to standard output and exits with status == 0.
In case of errors they are printed to stderr and program exits with
In case of errors they are printed to stderr and the program exits with
non-zero status.

# AUTHORS