A Python tool to automatically build (and test) feature-rich configurations for BGP route servers.
Two YAML files provide general policies and clients configurations options:
cfg: rs_as: 999 router_id: "192.0.2.2" add_path: True filtering: next_hop: policy: "same-as" blackhole_filtering: policy_ipv4: "rewrite-next-hop" ...
clients: - asn: 111 ip: - "192.0.2.11" - "2001:db8:1:1::11" irrdb: as_sets: - "AS-AS111MAIN" ...
ARouteServer acquires external information to enrich them: i.e. bgpq3 for IRRDb data, PeeringDB for max-prefix limit, ...
Jinja2 built-in templates are used to render the final route server's configuration file.
Currently, BIRD (1.6.3), GoBGP (v1.21 and master) and OpenBGPD (OpenBSD 6.0 and 6.1) are supported.
Validation and testing are performed using the built-in live tests framework: Docker instances are used to simulate several scenarios, and more custom scenarios can be built on the basis of the user's needs. More details on the Live tests section.
- Path hiding mitigation techniques (RFC7947 section 2.3.1).
- Filtering features (most enabled by default):
- NEXT_HOP enforcement (strict / same AS - RFC7948 section 4.8);
- minimum and maximum IPv4/IPv6 prefix length;
- maximum AS_PATH length;
- reject invalid AS_PATHs (containing private/invalid ASNs);
- reject AS_PATHs containing transit-free ASNs;
- RPKI-based filtering (RFC6811);
- reject bogons;
- prefixes and origin ASNs enforcing via RPSL/IRRdb AS-SETs (RFC7948 section 4.6.2);
- max-prefix limit based on global or client-specific values or on PeeringDB data.
- Blackhole filtering support:
- optional NEXT_HOP rewriting;
- signalling via BGP Communities (BLACKHOLE and custom communities);
- client-by-client control over propagation.
- Control and informative communities:
- prefix/origin ASN present/not present in IRRDB data;
- routes RPKI validity state;
- do (not) announce to any / peer;
- prepend to any / peer;
- add NO_EXPORT / NO_ADVERTISE to any / peer;
- custom informational BGP communities.
- Optional session features on a client-by-client basis:
- prepend route server ASN (RFC7947 section 2.2.2.1);
- active sessions;
- GTSM (Generalized TTL Security Mechanism - RFC5082);
- ADD-PATH capability (RFC7911).
- Automatic building of clients list:
- integration with IXP-Manager;
- fetch lists from PeeringDB records and Euro-IX member list JSON files.
- Related tools:
- Invalid routes reporter, to log or report invalid routes and their reject reason.
A comprehensive list of features can be found within the comments of the distributed configuration file on GitHub.
More feature are already planned: see the Future work section for more details.
Full documentation can be found on ReadTheDocs: https://arouteserver.readthedocs.org/
- RIPE74, 10 May 2017, Connect Working Group: video (9:53), slides (PDF)
- Salottino MIX, 30 May 2017: slides
Beta testing, looking for testers and reviewers.
Anyone who wants to share his/her point of view, to review the output configurations or to test them is more than welcome!
But also suggestions? New ideas?
Please create an issue on GitHub or drop me a message.
Pier Carlo Chiodi - https://pierky.com
Blog: https://blog.pierky.com Twitter: @pierky