misunderstanding or incorrectly implemented filter?
Ondrej Zajicek
santiago at crfreenet.org
Sat Oct 5 03:23:18 CEST 2019
On Fri, Oct 04, 2019 at 10:19:00PM +0000, Christoph wrote:
> Hello,
>
> (please keep me in CC)
>
> we use filters from
> https://bgpfilterguide.nlnog.net/
>
> One of the first functions checks for bogon ASNs
> way before the RPKI ROA check:
>
> > filter transit_in {
> >
> >     reject_bogon_asns();
> [...]
> >     if (net.type = NET_IP4) then {
> >         if (roa_check(r4, net, bgp_path.last) = ROA_INVALID) then
> >         {
> >             print "Reject RPKI INVALID announcement ", net, " by AS", bgp_path.last;
> >             reject;
> >         }
> >     }
> [...]
>
>
> My assumption was that an announcement from AS0 would never end up
> at the RPKI ROA check since it is already tested and rejected earlier at
> the reject_bogon_asns() function
> but then I found log entries suggesting otherwise:
>
> > Reject RPKI INVALID announcement 200.124.231.0/24 by AS0
>
> So I was wondering:
> - Did I incorrectly assume first match wins?
> - Is the reject_bogon_asns() function not working as intended?
Hello

bgp_path.last returns 0 if the last item is an AS_SET. There is most likely
no AS0 in the path.
--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
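
The behaviour described in the reply, as an added example that is not part of the original thread or of BIRD's code: a Python model of AS_PATH decoding (RFC 4271 segment encoding, 4-octet ASNs) showing how a path that ends in an AS_SET yields `last` = 0 without containing AS0. The `BOGON_ASNS` set, the sample paths and the membership-style bogon test are assumptions made for illustration.

```python
import struct

AS_SET, AS_SEQUENCE = 1, 2          # segment type codes from RFC 4271
BOGON_ASNS = {0, 23456}             # constructed subset, for illustration only

def parse_as_path(data: bytes):
    """Decode a 4-octet-ASN AS_PATH attribute value into (type, [asns]) segments."""
    segments, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        seg_type, count = data[pos], data[pos + 1]
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown segment type {seg_type}")
        end = pos + 4 * count
        if end > len(data):
            raise ValueError("truncated segment body")
        segments.append((seg_type, list(struct.unpack(f">{count}I", data[pos:end]))))
        pos = end
    return segments

def path_last(segments):
    """Origin ASN as the reply describes .last: 0 when the path ends in an AS_SET."""
    if not segments or segments[-1][0] != AS_SEQUENCE or not segments[-1][1]:
        return 0
    return segments[-1][1][-1]

def contains_bogon(segments):
    """Assumed bogon test: true if any ASN anywhere in the path is in BOGON_ASNS."""
    return any(asn in BOGON_ASNS for _, asns in segments for asn in asns)

def encode(*segments):
    """Build a constructed sample attribute value from (type, [asns]) pairs."""
    return b"".join(bytes([t, len(a)]) + struct.pack(f">{len(a)}I", *a) for t, a in segments)

# Constructed sample paths using documentation ASNs (RFC 5398).
AGGREGATED = encode((AS_SEQUENCE, [64496, 64497]), (AS_SET, [64498, 64499]))
PLAIN = encode((AS_SEQUENCE, [64496, 64497, 64498]))
REAL_AS0 = encode((AS_SEQUENCE, [64496, 0]))

def explain(data):
    """Return (bogon check hit?, value a '.last'-style lookup would report)."""
    segs = parse_as_path(data)
    return contains_bogon(segs), path_last(segs)

if __name__ == "__main__":
    for name, raw in [("aggregated", AGGREGATED), ("plain", PLAIN), ("real AS0", REAL_AS0)]:
        bogon, last = explain(raw)
        print(f"{name:10} bogon_hit={bogon!s:5} last=AS{last}")
```

Only the aggregated path passes the bogon test and still reports AS0 as its origin, which is the combination seen in the quoted log line.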