BIRD - RoA with aggregated prefixes - issue

Javor Kliachev jkliachev at neterra.net
Mon Jul 13 08:32:16 CEST 2020



Hello, 

We're using BIRD 1.6.4 as Route Server. 


Recently we have implemented ROA prefix validation, but we have hit an issue with prefixes that are aggregated only.

What I mean: when the prefix is an aggregate and has something like 1234 { 10, 20 } in the AS_PATH as the last ASN, the bgp_path.last value returns zero (0). As a result of this, we are just discarding such prefixes.

Our approach is the following: 

1) We're using static RoA tables with prefixes for example: 

roa table r1234 {
    roa 10.10.10.0/24 max 32 as 1234;
    roa 10.10.11.0/24 max 32 as 1234;
    roa 10.10.12.0/24 max 32 as 1234;
}

2) Then we create a different function for each member like this and apply it on each protocol BGP as the latest function:


function AS1234_roa() {
    if roa_check(r1234, net, bgp_path.last) = ROA_INVALID then {
        print "ROA check failed: invalid prefix - ", net, " origin ASN ", bgp_path.last, " - AS-PATH", bgp_path, " via ", proto;
        return false;
    }

    if roa_check(r1234, net, bgp_path.last) = ROA_UNKNOWN then {
        print "ROA check failed: unallowed prefix - ", net, " origin ASN ", bgp_path.last, " - AS-PATH", bgp_path, " via ", proto;
        return false;
    }
    return true;
}


Could some BIRD developer suggest a solution for this issue?
Thanks in advance! 

Best~ 
-- 
--- 
Javor Kliachev 
Senior Engineer IP Services 
office: +359 2 974 33 11 
mobile: +359 885 98 84 95 
http://www.neterra.net/ | https://bg.linkedin.com/pub/javor-kliachev/11/b46/843
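
The behaviour described in the message follows from the RFC 6811 origin rule: a path whose final segment is an AS_SET has origin "NONE", which can never match a ROA, so a covered aggregate is classified invalid. The sketch below is an added example, not part of the original post and not BIRD code; the function names `origin_as`, `roa_check` and `classify` and the sample routes are assumptions made for illustration.

```python
import ipaddress
import re

# ROA entries copied from the post's "roa table r1234": (prefix, max length, origin AS).
ROAS = [
    ("10.10.10.0/24", 32, 1234),
    ("10.10.11.0/24", 32, 1234),
    ("10.10.12.0/24", 32, 1234),
]

def origin_as(as_path):
    """Origin ASN of a textual AS_PATH such as "64500 1234 { 10, 20 }".

    Returns None (RFC 6811 "NONE") when the final segment is an AS_SET.
    An empty path also yields None here; locally originated routes are out of scope.
    """
    tokens = re.findall(r"\{[^}]*\}|\d+", as_path)
    if not tokens or tokens[-1].startswith("{"):
        return None
    return int(tokens[-1])

def roa_check(roas, net, asn):
    """RFC 6811 origin validation: returns "valid", "invalid" or "unknown"."""
    route = ipaddress.ip_network(net)
    covered = False
    for prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this route
        # An origin of NONE (None) or AS 0 can never match a ROA.
        if asn not in (None, 0) and asn == roa_asn and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"

def classify(net, as_path, roas=ROAS):
    """Validate a route given its prefix and textual AS_PATH."""
    return roa_check(roas, net, origin_as(as_path))

if __name__ == "__main__":
    # Constructed sample routes; ASNs 64500 and 65001 are documentation/private values.
    for net, path in [
        ("10.10.10.0/24", "64500 1234"),
        ("10.10.10.0/24", "64500 1234 { 10, 20 }"),
        ("192.0.2.0/24", "64500 1234 { 10, 20 }"),
        ("10.10.11.0/24", "64500 65001"),
    ]:
        print(net, "|", path, "->", origin_as(path), classify(net, path))
```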


