Hi,

I don't know if this is a real bug, but at least it may be brought to
attention that "announce self" without proper filtering may lead to some
unexpected behaviour.

When configured with "enforce neighbor-as no" (as for connection to an IXP
route server), OpenBGPD seems to accept UPDATEs with empty AS_PATH and,
without proper filtering, announces them back prepended with AS "self" to
every neighbor even if "announce self" has been set on the neighbor
definition.


The following configuration of 3 BGP routers was used for testing:

- rsix: 10.0.0.1/24 - AS65000, running exabgp 2.0.2
  announcing 199.185.136.0/23 with empty AS_PATH

- ourself: 10.0.0.2/24 - AS65200, running stock OpenBGPD with OpenBSD 5.1
  announcing 192.0.2.0/24 originating from AS65200

- transit: 10.0.0.3/24 - AS65300, running stock OpenBGPD with OpenBSD 5.1
  announcing 0.0.0.0/0 originating from AS65300


The following OpenBGPD/exabgp configuration was used:

# rsix exabgp.conf
  neighbor 10.0.0.2 {
        description "evil or goofy RS";
        router-id 10.0.0.1;
        local-address 10.0.0.1;
        local-as 65000;
        peer-as 65200;

        static {
                route 199.185.136.0/23 {
                        next-hop 10.0.0.1;
                        as-path [  ];
                }
        }
  }
###


# ourself bgpd.conf
  AS 65200
  router-id 10.0.0.2

  network 192.0.2.0/24

  neighbor 10.0.0.1 {
        descr "IXP RS"
        announce self
        remote-as 65000
        enforce neighbor-as no
  }

  neighbor 10.0.0.3 {
        descr "transit provider"
        announce self
        remote-as 65300
  }
###


# transit bgpd.conf
  AS 65300
  router-id 10.0.0.3
  network 0.0.0.0/0

  neighbor 10.0.0.2 {
        descr "customer"
        announce self
        remote-as 65200
  }
###


After starting everything, here are the "bgpctl show rib" outputs:

Seen by ourself:

  flags destination          gateway          lpref   med aspath origin
  *>    0.0.0.0/0            10.0.0.3           100     0 65300 i
  AI*>  192.0.2.0/24         0.0.0.0            100     0 i
  *>    199.185.136.0/23     10.0.0.1           100     0 i

- 0.0.0.0/8 through our transit
- announce 192.0.2.0/24 as it's our network
- 199.185.136.0/23 with an empty AS_PATH injected via IXP RS (exabgp)


and seen by transit provider:

  flags destination          gateway          lpref   med aspath origin
  AI*>  0.0.0.0/0            0.0.0.0            100     0 i
  *>    192.0.2.0/24         10.0.0.2           100     0 65200 i
  *>    199.185.136.0/23     10.0.0.1           100     0 65200 i

- announce default route to customer
- received AS65200 announce of 192.0.2.0/24, OK
- 199.185.136.0/23 looks like it is originated by AS65200, despite using
  the "announce self" statement, NOK




Here is also a patch attempt that fixes this and drops sessions on empty
AS_PATH UPDATEs from EBGP peers (I'm not a BGP expert and my C is a bit
rusty, so do not hesitate to drop this ;))


--- rde.c.orig  2012-08-22 18:12:48.000000000 +0200
+++ rde.c       2012-08-22 18:12:48.000000000 +0200
@@ -972,6 +972,17 @@
                        }
                }

+               /* check for empty AS path with ebgp peers */
+               if (asp->flags & F_ATTR_ASPATH &&
+                   asp->aspath->ascnt == 0 &&
+                   peer->conf.ebgp ) {
+                       log_peer_warnx(&peer->conf, "bad path, "
+                           "path empty but not an IBGP peer");
+                       rde_update_err(peer, ERR_UPDATE, ERR_UPD_ASPATH,
+                           NULL, 0);
+                       goto done;
+               }
+
                rde_reflector(peer, asp);
        }
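
Review bot: The new test placed before rde_reflector() answers with rde_update_err() for every EBGP peer that sends an empty AS_PATH, and nothing in the condition looks at the "enforce neighbor-as" setting the report is about; the comment above the test should say that this applies to all EBGP peers and that the reaction is an UPDATE error for the session, not a silent drop of the one prefix. Style points in the same condition: test the cheap "peer->conf.ebgp" first, write "(asp->flags & F_ATTR_ASPATH) &&" with explicit parentheses, and remove the stray space in "peer->conf.ebgp )". The log text "path empty but not an IBGP peer" would be easier to grep for as "empty AS path from EBGP peer".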

--
Rémi Laurent

  Phone: +352 26 10 30 61
  General Support: supp...@conostix.com
  GPG FP: 27F4 6810 2B0E 1AA0 CDAE  7C7B 3DC9 085A 0FA0 0601

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]
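
Added example, not part of the original message and not OpenBGPD or exabgp code: a small Python parser that applies the same test as the patch (AS_PATH present with zero ASNs, received from an EBGP peer) to a raw BGP UPDATE body, for use in a lab or capture check. The function names, the asn_size parameter (2-octet ASNs assumed by default) and the two sample messages are constructed for illustration.

```python
import struct

AS_PATH = 2       # path attribute type code (RFC 4271)
EXT_LEN = 0x10    # attribute flag bit: length field is two octets

def path_attributes(body):
    """Yield (type_code, value) per attribute of an UPDATE body (no header)."""
    (withdrawn_len,) = struct.unpack_from("!H", body, 0)
    pos = 2 + withdrawn_len                       # skip withdrawn routes
    (attrs_len,) = struct.unpack_from("!H", body, pos)
    pos, end = pos + 2, pos + 2 + attrs_len
    if end > len(body):
        raise ValueError("path attributes run past end of message")
    while pos < end:
        if end - pos < 3:
            raise ValueError("truncated attribute header")
        flags, code = body[pos], body[pos + 1]
        ext = bool(flags & EXT_LEN)
        length = struct.unpack_from("!H" if ext else "!B", body, pos + 2)[0]
        pos += 4 if ext else 3
        if pos + length > end:
            raise ValueError("attribute %d is truncated" % code)
        yield code, body[pos:pos + length]
        pos += length

def as_count(value, asn_size=2):
    """Count ASNs in an AS_PATH value (segments: type, count, ASNs)."""
    count = pos = 0
    while pos + 2 <= len(value):
        count += value[pos + 1]
        pos += 2 + value[pos + 1] * asn_size
    return count

def empty_path_from_ebgp(body, peer_is_ebgp, asn_size=2):
    """True when an EBGP peer's UPDATE carries an AS_PATH with no ASNs."""
    for code, value in path_attributes(body):
        if code == AS_PATH:
            return peer_is_ebgp and as_count(value, asn_size) == 0
    return False

def build_update(as_path_value):
    """Constructed sample: 199.185.136.0/23, ORIGIN IGP, NEXT_HOP 10.0.0.1."""
    attrs = (bytes([0x40, 1, 1, 0, 0x40, AS_PATH, len(as_path_value)])
             + as_path_value + bytes([0x40, 3, 4, 10, 0, 0, 1]))
    return struct.pack("!HH", 0, len(attrs)) + attrs + bytes([23, 199, 185, 136])

EMPTY = build_update(b"")                                        # as-path [ ]
NORMAL = build_update(bytes([2, 1]) + struct.pack("!H", 65000))  # as-path [ 65000 ]
```

empty_path_from_ebgp(EMPTY, True) flags the route server's announcement from the test setup above, while the same bytes from an IBGP peer, or NORMAL from any peer, pass.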
