mirrors/bgpq4
1
0
Fork 0
mirror of https://github.com/bgp/bgpq4 synced 2025-02-28 08:53:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Parse 'SOURCE::' to only use a specific source for an AS-SET or Route Set

Browse Source 
This extension allows operators to specify what IRR source to use when expanding an AS-SET.

For example: `bgpq4 RIPE::AS15562:AS-SNIJDERS`

The notation is also used in databases like PeeringDB.

Authored-by: James Bensley <jwbensley@gmail.com>
This commit is contained in:
James Bensley
2022-11-03 11:09:29 +01:00
committed by GitHub
parent 24c3e08f0e
commit 08b81f7d19
5 changed files with 384 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
README.md
View File

@@ -27,10 +27,10 @@
The
**bgpq4**
utility used to generate configurations (prefix-lists, extended
utility is used to generate configurations (prefix-lists, extended
access-lists, policy-statement terms and as-path lists) based on IRR data.
The options are as follows:
It's options are as follows:
**-4**
@@ -162,7 +162,7 @@ The options are as follows:
**-W** *len*
> generate as-path strings of no more than len items (use 0 for inifinity).
> generate as-path strings of no more than len items (use 0 for infinity).
**-U**
@@ -342,28 +342,70 @@ be in one line (sometimes it makes sense):
# NOTES ON SOURCES
By default
*bgpq4*
trusts to data from all databases mirrored into NTT's IRR service.
Unfortunately, not all these databases are equal in how much can we
trust their data.
By default *bgpq4* trusts data from all databases mirrored into NTT's IRR service.
Unfortunately, not all these databases are equal in how much can we trust their
data.
RIR maintained databases (AFRINIC, ARIN, APNIC, LACNIC and RIPE)
shall be trusted more than the others because they are indeed have the
knowledge about which address space allocated to this or that ASn,
other databases lack this knowledge and can (and, actually, do) contain
some stale data: noone but RIRs care to remove outdated route-objects
when address space revoked from one ASn and allocated to another.
In order to keep their filters both compact and actual,
*bgpq4 users*
are encouraged to use '-S' flag to limit database sources to only
ones they trust.
shall be trusted more than the others because they have the knowledge about
which address space is allocated to each ASN, other databases lack this
knowledge and can (and actually do) contain some stale data: nobody but RIRs
care to remove outdated route-objects when address space is revoked from one
ASN and allocated to another. In order to keep their filters both compact and
current, *bgpq4 users* are encouraged to use one of two method to limit
database sources to only ones they trust.
One option is to use the '-S' flag. This limits all queries to a specific data
source. For example, the following command tells IIRd to only use data from
the RIPE RIR DB to build the prefix list for the AS-SET:
$./bgpq4 -S RIPE AS-VOSTRON
no ip prefix-list NN
ip prefix-list NN permit 89.21.224.0/19
ip prefix-list NN permit 134.0.64.0/21
Be aware though, than an AS-SET may contain members from other data sources.
In this case IRRd won't respond to the bgpq4 query will all the prefixes in the
AS-SET tree. Make sure to use the '-S' flag with all the data sources required
for the AS-SET being expanded:
$./bgpq4 -S RIPE,ARIN AS-VOSTRON
no ip prefix-list NN
ip prefix-list NN permit 89.21.224.0/19
ip prefix-list NN permit 134.0.64.0/21
ip prefix-list NN permit 208.86.232.0/24
ip prefix-list NN permit 208.86.233.0/24
ip prefix-list NN permit 208.86.234.0/24
ip prefix-list NN permit 208.86.235.0/24
The other option is to specify a source for an AS-SET or Route Set using the
"::" notation. When bgpq4 detects this, it will look for "::" in the specified
AS-SET or RS on the CLI, and in all members of the AS-SET/RS, and for each
member with a data source specified in "::" format, it will set the IRRd data
source to the given value, query the AS-SET/RS, then reset the data sources back
to the default list for the next object in the tree.
$./bgpq4 RIPE::AS-VOSTRON
no ip prefix-list NN
ip prefix-list NN permit 89.21.224.0/19
ip prefix-list NN permit 134.0.64.0/21
ip prefix-list NN permit 208.86.232.0/22
ip prefix-list NN permit 208.86.232.0/24
ip prefix-list NN permit 208.86.233.0/24
ip prefix-list NN permit 208.86.234.0/24
ip prefix-list NN permit 208.86.235.0/24
In comparison to the '-S' flag, this method return all the prefixes under the
AS-SET, but the root of the tree "AS-VOSTRON" was queries from RIPE only. None
of the member objects used the "::" notation so they were queries from the
default source list (which is all sources).
General recommendations:
Use minimal set of RIR databases (only those in which you and your
customers have registered route-objects).
Avoid using ARIN-NONAUTH and RIPE-NONAUTH as trusted source: these records
Avoid using ARIN-NONAUTH and RIPE-NONAUTH as trusted sources: these records
were created in database but for address space allocated to different RIR,
so the NONAUTH databases have no chance to confirm validity of this route
object.
@@ -380,6 +422,9 @@ object.
ip prefix-list NN permit 45.65.184.0/22
[...]
When known, use the "::" notation to speicy the authortative data source for
an AS-SET or RS instead of the -S flag.
# PERFORMANCE
To improve \`bgpq4\` performance when expanding extra-large AS-SETs you
@@ -430,7 +475,7 @@ In order to create a distribution archive, run:
When everything is OK,
**bgpq4**
generates access-list to standard output and exits with status == 0.
In case of errors they are printed to stderr and program exits with
In case of errors they are printed to stderr and the program exits with
non-zero status.
# AUTHORS