Tag prefixes/origin ASNs present/not-present in IRRDb¶
Built to test the irrdb.tag_as_set
option.
Two sub-scenarios exist for this test:
- AS-SETs are populated with origin ASNs and prefixes reported below.
- AS-SETs are empty.
Communities:
OK / Not OK Comm prefix OK 64512 prefix NOT OK 64513 origin OK 64514 origin NOT OK 64515 RPKI ROA OK 64516 ARIN Whois OK 64518 route wht list 64517
RPKI ROAs:
prefix ASN 2.4.0.0/16 AS2 2.5.0.0/16 AS2 2.7.0.0/16 AS2 2.0.4.0/24 AS2 3.1.0.0/16 AS3 3.3.0.0/16 AS3 6.0.1.0/24 AS6
ARIN Whois DB entries:
prefix ASN 2.6.0.0/16 AS2 2.7.0.0/16 AS2 3.2.0.0/16 AS3 3.3.0.0/16 AS3 2.0.5.0/24 AS3 6.0.1.0/24 AS6
AS2¶
- allowed objects:
- prefix: 2.0.0.0/16
- origin: [2]
- configuration:
- enforcing: no
- tagging: yes
- white lists:
- prefixes: 2.2.0.0/16
- asns: 21
AS2 announces:
id prefix AS_PATH prefix ok? origin ok? expected result 1 expected result 2 AS2_pref_ok_origin_ok1 2.0.1.0/24 2 yes yes 64512 64514 64513 64515 AS2_pref_ko_origin_ok1 2.1.0.0/24 2 no yes 64513 64514 64513 64515 AS3_pref_ok_origin_ko1 2.0.2.0/24 2 3 yes no 64512 64515 64513 64515 AS3_pref_ko_origin_ko1 3.0.1.0/24 2 3 no no 64513 64515 64513 64515 AS2_pref_wl_origin_ok 2.2.1.0/24 2 yes (WL) yes 64512 64514 64512 64515 AS2_pref_wl_origin_ko 2.2.2.0/24 2 3 yes (WL) no 64512 64515 the same AS2_pref_wl_origin_wl 2.2.3.0/24 2 21 yes (WL) yes (WL) 64512 64514 the same AS2_pref_ko_origin_wl 2.3.1.0/24 2 21 no yes (WL) 64513 64514 the same AS2_pref_ok_origin_wl 2.0.3.0/24 2 21 yes yes (WL) 64512 64514 64513 64514 AS2_roa2 2.5.0.0/16 2 no yes 64513 64514 64516 64513 64515 AS2_arin1 2.6.0.0/16 2 no yes 64513 64514 64518 64513 64515 AS2_roa3_arin2 2.7.0.0/16 2 no yes 64513 64514 64516 64518 64513 64515 AS2_ok_ok_roa3 2.0.4.0/24 2 yes yes 64512 64514 64516 64513 64515 AS2_ok_ok_arin3 2.0.5.0/24 2 yes yes 64512 64514 64518 64513 64515
AS3¶
Not a route server client here, used just to track RPKI ROAs and ARIN Whois DB entries:
AS4¶
- allowed objects:
- prefix: 4.0.0.0/16
- origin: 4
- configuration:
- enforcing: origin only
- tagging: yes
- white lists:
- prefixes: 4.2.0.0/16
- asns: 41
- routes:
- exact 4.4.0.0/16, AS 44
- 4.5.0.0/16, AS 43
- 4.6.0.0/16, no origin AS
AS4 announces:
id prefix AS_PATH prefix ok? origin ok? expected result 1 expected result 2 AS4_pref_ok_origin_ok1 4.0.1.0/24 4 yes yes 64512 64514 rejected AS4_pref_ko_origin_ok1 4.1.0.0/24 4 no yes 64513 64514 rejected AS3_pref_ok_origin_ko2 4.0.2.0/24 4 3 yes no rejected rejected AS3_pref_ko_origin_ko1 3.0.1.0/24 4 3 no no rejected rejected AS4_pref_wl_origin_ok 4.2.1.0/24 4 yes (WL) yes 64512 64514 rejected AS4_pref_wl_origin_ko 4.2.2.0/24 4 3 yes (WL) no rejected rejected AS4_pref_wl_origin_wl 4.2.3.0/24 4 41 yes (WL) yes (WL) 64512 64514 the same AS4_pref_ko_origin_wl 4.3.1.0/24 4 41 no yes (WL) 64513 64514 the same AS4_pref_ok_origin_wl 4.0.3.0/24 4 41 yes yes (WL) 64512 64514 64513 64514 AS4_routewl_1 4.4.0.0/16 4 44 r WL r WL 64513 64515 64517 the same AS4_routewl_2 4.4.1.0/24 4 44 r WL KO r WL rejected rejected AS4_routewl_3 4.5.1.0/24 4 43 r WL r WL 64513 64515 64517 the same AS4_routewl_4 4.5.2.0/24 4 45 r WL r WL KO rejected rejected AS4_routewl_5 4.6.1.0/24 4 45 r WL r WL 64513 64515 64517 the same
AS5¶
- allowed objects (AS-SET from PeeringDB):
- prefix: 5.0.0.0/16
- origin: 5
configuration:
- enforcing: prefix only
- tagging: yes
- white lists:
- prefixes: 5.2.0.0/16
- asns: 51
AS5 announces:
id prefix AS_PATH prefix ok? origin ok? expected result 1 expected results 2 AS5_pref_ok_origin_ok1 5.0.1.0/24 5 yes yes 64512 64514 rejected AS5_pref_ko_origin_ok1 5.1.0.0/24 5 no yes rejected rejected AS3_pref_ok_origin_ko3 5.0.2.0/24 5 3 yes no 64512 64515 rejected AS3_pref_ko_origin_ko1 3.0.1.0/24 5 3 no no rejected rejected AS5_pref_wl_origin_ok 5.2.1.0/24 5 yes (WL) yes 64512 64514 64512 64515 AS5_pref_wl_origin_ko 5.2.2.0/24 5 3 yes (WL) no 64512 64515 the same AS5_pref_wl_origin_wl 5.2.3.0/24 5 51 yes (WL) yes (WL) 64512 64514 the same AS5_pref_ko_origin_wl 5.3.1.0/24 5 51 no yes (WL) rejected rejected AS5_pref_ok_origin_wl 5.0.3.0/24 5 51 yes yes (WL) 64512 64514 rejected
AS6¶
- allowed objects:
- prefix: 6.0.0.0/16
- origin: 6, 3
configuration:
- enforcing: both origin ASN and prefix
- tagging: yes
- white lists:
- routes:
- 3.2.0.0/16+, AS3 (1)
- routes:
AS6 announces:
id prefix AS_PATH prefix ok? origin ok? expected result 1 expected results 2 AS2_roa1 2.4.0.0/16 6 2 no no rejected rejected AS3_roa2 3.1.0.0/16 6 3 ROA yes 64513 64514 64516 rejected AS3_arin1 3.2.1.0/24 6 3 ARIN (1) yes 64513 64514 64518 64513 64515 64517 AS3_roa3_arin2 3.3.0.0/16 6 3 no yes 64513 64514 64516 64518 rejected AS6_ok_ok_roa6_arin6 6.0.1.0/24 6 yes yes 64512 64514 64516 64518 rejected
1) The route white list is used to verify that: - in scenario 1, 3.2.1.0/24 AS3 is accepted and tagged with the ARIN db community, and not because of the white list entry; - in scenario 2, 3.2.1.0/24 AS3 is accepted anyway, but solely because of the route white list