Configurable communities for RPKI status
bluikko opened this issue ยท 7 comments
Currently arouteserver hardcodes three different extended communities for an RPKI status as per the config below.
Currently only the "RPKI invalid" community is configurable. I feel like it could be beneficial to have a configurable RPKI verdict community.
The "site-specific custom configuration files" could not be used because functions cannot be redefined with the same name - so adding for example a footer file that redefines the 2 functions listed below produces a Symbol already defined
error from BIRD.
I will try to find time to look at how difficult it would be to make this configurable but what do other people think about this? Technically it could probably be simple but the more difficult points lay in upper layers like "should this be configurable" and so on. The initial motivation for this was that the alice-lg
looking glass supports only large communities for RPKI status and I suspect it would be easier to change arouteserver instead.
I have only considered BIRD here so far - unfortunately I do not have an OpenBGP instance and don't know anything about how configurable RPKI status would work there. If this would be configurable on BIRD then naturally it would need to be possible on OpenBGP as well...
function add_rpki_community(string comm_name) {
if comm_name = "valid" then {
bgp_ext_community.add((unknown 0x4300, 0, 0));
}
if comm_name = "unknown" then {
bgp_ext_community.add((unknown 0x4300, 0, 1));
}
if comm_name = "invalid" then {
bgp_ext_community.add((unknown 0x4300, 0, 2));
}
}
The community is also used later at
function route_is_rpki_invalid () {
return (unknown 0x4300, 0, 2) ~ bgp_ext_community;
}
Hello @bluikko,
thanks for raising this topic.
The 3 extended communities that ARouteServer uses to track the "RPKI verdict" are those from RFC8097 - BGP Prefix Origin Validation State Extended Community. That RFC was created specifically to document BGP communities used "to carry the origination Autonomous System (AS) validation state inside an autonomous system".
As you said, I agree that
the more difficult points lay in upper layers like "should this be configurable"
In my opinion the code should keep using the current RFC8097 communities to tag the routes with their validation state, hence I think a configurable custom community should not be implemented.
The reasoning behind this is that a RFC was specifically created to categorise those routes; unlike other informational communities (like those used to set the reject reason), those used to carry the validation state of RPKI Origin Validation have been standardized, so I believe it's worth using them.
I see the main motivation is that Alice-LG is not currently able to consume those communities and associate a description to them, but in this case I think it should really be up to its authors to add such a feature.
In any case, while digging into the code to reply to this issue I found a bug, which I fixed in afdb27d. In OpenBGPD, the RFC8097 were not added to the routes at all. Thanks for indirectly triggering the investigation that led to the fix ;-)
In my opinion the code should keep using the current RFC8097 communities to tag the routes with their validation state, hence I think a configurable custom community should not be implemented.
I see and you have a good reason behind this opinion. It will not be a problem for me, I will just patch the config after generation.
I see the main motivation is that Alice-LG is not currently able to consume those communities and associate a description to them, but in this case I think it should really be up to its authors to add such a feature.
Totally agreed. However this lack of support points to the fact that RFC8097 is not implemented by most IXPs. They seem to actually follow the Euro-IX guidelines listed in https://www.euro-ix.net/en/forixps/large-bgp-communities/
Just wanted to make you aware of this alternative community scheme in case you are not familiar. It seems to be very popular with IXPs to the point of being the de-facto standard. I did a quick survey of IXP and 7 out of 9 used the Euro-IX scheme, the rest used arouteserver defaults or no scheme.
In any case, while digging into the code to reply to this issue I found a bug, which I fixed in afdb27d. In OpenBGPD, the RFC8097 were not added to the routes at all. Thanks for indirectly triggering the investigation that led to the fix ;-)
That is excellent!!
Hello, just to let you know that I'll take this feature into account for the next release, which is WIP.
Still not 100% sure about adding the additional customizable communities for RPKI validation state...
I've pushed a branch (still WIP) where I'm addressing this feature request.
4 new BGP communities are added: you can see them here https://github.com/pierky/arouteserver/blob/rpki_bov_custom_communities/config.d/general.yml#L814-L860
The idea is to cover the 4 communities that are described in the Euro-IX list, so we'll have the 3 RPKI BOV states + a "not performed". The main difference from what I understand from the Euro-IX list is that the 3 custom BOV communities I'm adding will NOT be propagated to the route-server clients, only the "BOV not performed" will be.
The "BOV not performed" is used like this: https://github.com/pierky/arouteserver/blob/rpki_bov_custom_communities/examples/auto-config/bird4.conf#L833-L838 (here's where a possible blackhole policy is implemented, thus BOV is not performed for those routes and the community is attached). Another use case is if BOV is not enabled and the community is configured, so it will be attached to all the routes, to signal the IXP operator's will to not do BOV.
The 3 states communities are used like this: https://github.com/pierky/arouteserver/blob/rpki_bov_custom_communities/examples/auto-config/bird4.conf#L544-L564 Here they are added to the existing RFC8097, but also they are eventually removed from routes that are announced (https://github.com/pierky/arouteserver/blob/rpki_bov_custom_communities/examples/auto-config/bird4.conf#L387-L400).
I'm explicitly dropping the 3 states communities from exported routes because I believe that they would violate the concept of RPKI itself: BOV is something that happens below the umbrella of a cryptographically verified chain of trust, and signals or information that are generated inside that trust boundary should not be conveyed outside of it.
The proposed solution was merged into dev, the new communities will be released in 1.10.0.
Seems good so far. There is a slight issue on the textual representation of the route server policy:
The bullet points (unordered list items) for the 2 new sections are on their own line, just by themselves, and the text going with that bullet points is on the next line.
The bullet points also seem to have less indentation than the other 2 previous bullet points.
I can open a new issue if that's better.
Oh I see... :-(
I can open a new issue if that's better.
That would be great, thanks!