ARouteServer

A Python tool to automatically build (and test) feature-rich configurations for BGP route servers.

How it works

  1. Two YAML files provide the general policies and the clients' configuration options:

    cfg:
      rs_as: 999
      router_id: "192.0.2.2"
      add_path: True
      filtering:
        next_hop_policy: "same-as"
      blackhole_filtering:
        policy_ipv4: "rewrite-next-hop"
        ...
    clients:
      - asn: 111
        ip:
        - "192.0.2.11"
        - "2001:db8:1:1::11"
        rpsl:
          as_sets:
            - "AS-AS111MAIN"
      ...
  2. ARouteServer acquires external information to enrich them: bgpq3 for IRRDB data, PeeringDB for max-prefix limits, ...

  3. Jinja2 built-in templates are used to render the final route server's configuration file.

    Currently, only BIRD is supported.

Validation and testing are performed using the built-in live tests framework: Docker instances are used to simulate several scenarios, and custom scenarios can be built to fit the user's needs. More details in the Live tests section.

Features

  • Path hiding mitigation techniques (RFC7947 section 2.3.1).
  • Filtering features on by default:
    • NEXT_HOP enforcement (strict / same AS - RFC7948 section 4.8);
    • minimum and maximum IPv4/IPv6 prefix length;
    • maximum AS_PATH length;
    • reject invalid AS_PATHs (containing private/invalid ASNs);
    • reject AS_PATHs containing transit-free ASNs;
    • reject bogons;
    • prefix and origin ASN enforcement via RPSL/IRRDB AS-SETs (RFC7948 section 4.6.2);
    • max-prefix limit based on global or client-specific values or on PeeringDB data.
  • Blackhole filtering support:
    • optional NEXT_HOP rewriting;
    • signalling via BGP Communities (BLACKHOLE and custom communities);
    • client-by-client control over propagation.
  • Control and informative communities:
    • prefix/origin ASN present/not present in IRRDB data;
    • do (not) announce to any / peer;
    • prepend to any.
  • Optional session features on a client-by-client basis:
    • prepend route server ASN;
    • active sessions;
    • GTSM (Generalized TTL Security Mechanism - RFC5082);
    • ADD-PATH capability (RFC7911).
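The NEXT_HOP enforcement listed above is what the `filtering.next_hop_policy` key in the YAML example selects. The following is an added illustration of the two policies' semantics (RFC 7948 section 4.8), not ARouteServer's own code or its generated BIRD configuration: the first client mirrors the README's YAML, while the second AS111 router and AS222 are constructed.

```python
"""NEXT_HOP enforcement as selected by `filtering.next_hop_policy`.

Added illustration, not ARouteServer's code. Client 1 mirrors the README's
YAML; the other two clients are constructed for the example.
"""
import ipaddress

CLIENTS = [
    {"asn": 111, "ip": ["192.0.2.11", "2001:db8:1:1::11"]},
    {"asn": 111, "ip": ["192.0.2.12", "2001:db8:1:1::12"]},  # constructed: 2nd AS111 router
    {"asn": 222, "ip": ["192.0.2.22", "2001:db8:1:1::22"]},  # constructed: another participant
]

VALID_POLICIES = ("strict", "same-as")


def addresses_of_asn(clients, asn):
    """All session addresses configured for clients belonging to `asn`."""
    return {ipaddress.ip_address(ip) for c in clients if c["asn"] == asn for ip in c["ip"]}


def next_hop_allowed(policy, peer_ip, peer_asn, next_hop, clients=CLIENTS):
    """True if a route carrying `next_hop`, learnt on the session with
    (`peer_ip`, `peer_asn`), passes the configured policy.

    strict : NEXT_HOP must be the announcing peer's own session address.
    same-as: NEXT_HOP may be any session address of any client in the same ASN
             (a participant with several routers may steer traffic between them).
    Under both policies a client cannot point traffic at another participant's router.
    """
    if policy not in VALID_POLICIES:
        raise ValueError(f"unknown next_hop_policy {policy!r}; expected one of {VALID_POLICIES}")
    nh = ipaddress.ip_address(next_hop)
    peer = ipaddress.ip_address(peer_ip)
    if nh.version != peer.version:
        return False  # an IPv4 session must not carry an IPv6 next hop, and vice versa
    if policy == "strict":
        return nh == peer
    return nh in addresses_of_asn(clients, peer_asn)


def filter_routes(policy, peer_ip, peer_asn, routes, clients=CLIENTS):
    """Split (prefix, next_hop) announcements into accepted and rejected lists.
    The rejected list is what an operator would want logged for troubleshooting."""
    accepted, rejected = [], []
    for prefix, next_hop in routes:
        target = accepted if next_hop_allowed(policy, peer_ip, peer_asn, next_hop, clients) else rejected
        target.append((prefix, next_hop))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed announcements received from AS111's first router.
    routes = [("203.0.113.0/24", "192.0.2.11"), ("198.51.100.0/24", "192.0.2.12"),
              ("203.0.113.128/25", "192.0.2.22")]
    for policy in VALID_POLICIES:
        ok, bad = filter_routes(policy, "192.0.2.11", 111, routes)
        print(policy, "accepted:", ok, "rejected:", bad)
```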

A comprehensive list of features can be found within the comments of the distributed configuration file on GitHub.

More features are already planned: see the Future work section for more details.

Full documentation

Full documentation can be found on ReadTheDocs: https://arouteserver.readthedocs.org/

Status

Highly experimental! Please consider it as a toy, far from being production ready. Looking for advice and testers.

Bug? Issues?

But also suggestions? New ideas?

Please create an issue on GitHub at https://github.com/pierky/arouteserver/issues

Author

Pier Carlo Chiodi - https://pierky.com

Blog: https://blog.pierky.com
Twitter: @pierky