Tag prefixes/origin ASNs present/not-present in IRRDb

Built to test the irrdb.tag_as_set option.

Two sub-scenarios exist for this test:

  1. AS-SETs are populated with origin ASNs and prefixes reported below.

  2. AS-SETs are empty.

Communities:

OK / Not OK       Community
----------------  ---------
prefix OK         64512
prefix NOT OK     64513
origin OK         64514
origin NOT OK     64515
RPKI ROA OK       64516
ARIN Whois OK     64518
route white list  64517

RPKI ROAs:

prefix      ASN
----------  ---
2.4.0.0/16  AS2
2.5.0.0/16  AS2
2.7.0.0/16  AS2
2.0.4.0/24  AS2
3.1.0.0/16  AS3
3.3.0.0/16  AS3
6.0.1.0/24  AS6

ARIN Whois DB entries:

prefix      ASN
----------  ---
2.6.0.0/16  AS2
2.7.0.0/16  AS2
3.2.0.0/16  AS3
3.3.0.0/16  AS3
2.0.5.0/24  AS3
6.0.1.0/24  AS6

AS2

  • allowed objects:

    • prefix: 2.0.0.0/16

    • origin: [2]

  • configuration:

    • enforcing: no

    • tagging: yes

  • white lists:

    • prefixes: 2.2.0.0/16

    • asns: 21

AS2 announces:

id                      prefix      AS_PATH  prefix ok?  origin ok?  expected result 1        expected result 2
----------------------  ----------  -------  ----------  ----------  -----------------------  -----------------
AS2_pref_ok_origin_ok1  2.0.1.0/24  2        yes         yes         64512 64514              64513 64515
AS2_pref_ko_origin_ok1  2.1.0.0/24  2        no          yes         64513 64514              64513 64515
AS3_pref_ok_origin_ko1  2.0.2.0/24  2 3      yes         no          64512 64515              64513 64515
AS3_pref_ko_origin_ko1  3.0.1.0/24  2 3      no          no          64513 64515              64513 64515
AS2_pref_wl_origin_ok   2.2.1.0/24  2        yes (WL)    yes         64512 64514              64512 64515
AS2_pref_wl_origin_ko   2.2.2.0/24  2 3      yes (WL)    no          64512 64515              the same
AS2_pref_wl_origin_wl   2.2.3.0/24  2 21     yes (WL)    yes (WL)    64512 64514              the same
AS2_pref_ko_origin_wl   2.3.1.0/24  2 21     no          yes (WL)    64513 64514              the same
AS2_pref_ok_origin_wl   2.0.3.0/24  2 21     yes         yes (WL)    64512 64514              64513 64514
AS2_roa2                2.5.0.0/16  2        no          yes         64513 64514 64516        64513 64515
AS2_arin1               2.6.0.0/16  2        no          yes         64513 64514 64518        64513 64515
AS2_roa3_arin2          2.7.0.0/16  2        no          yes         64513 64514 64516 64518  64513 64515
AS2_ok_ok_roa3          2.0.4.0/24  2        yes         yes         64512 64514 64516        64513 64515
AS2_ok_ok_arin3         2.0.5.0/24  2        yes         yes         64512 64514 64518        64513 64515

AS3

Not a route server client here, used just to track RPKI ROAs and ARIN Whois DB entries:

AS4

  • allowed objects:

    • prefix: 4.0.0.0/16

    • origin: 4

  • configuration:

    • enforcing: origin only

    • tagging: yes

  • white lists:

    • prefixes: 4.2.0.0/16

    • asns: 41

    • routes:

      • exact 4.4.0.0/16, AS 44

      • 4.5.0.0/16, AS 43

      • 4.6.0.0/16, no origin AS

AS4 announces:

id                      prefix      AS_PATH  prefix ok?  origin ok?  expected result 1        expected result 2
----------------------  ----------  -------  ----------  ----------  -----------------------  -----------------
AS4_pref_ok_origin_ok1  4.0.1.0/24  4        yes         yes         64512 64514              rejected
AS4_pref_ko_origin_ok1  4.1.0.0/24  4        no          yes         64513 64514              rejected
AS3_pref_ok_origin_ko2  4.0.2.0/24  4 3      yes         no          rejected                 rejected
AS3_pref_ko_origin_ko1  3.0.1.0/24  4 3      no          no          rejected                 rejected
AS4_pref_wl_origin_ok   4.2.1.0/24  4        yes (WL)    yes         64512 64514              rejected
AS4_pref_wl_origin_ko   4.2.2.0/24  4 3      yes (WL)    no          rejected                 rejected
AS4_pref_wl_origin_wl   4.2.3.0/24  4 41     yes (WL)    yes (WL)    64512 64514              the same
AS4_pref_ko_origin_wl   4.3.1.0/24  4 41     no          yes (WL)    64513 64514              the same
AS4_pref_ok_origin_wl   4.0.3.0/24  4 41     yes         yes (WL)    64512 64514              64513 64514
AS4_routewl_1           4.4.0.0/16  4 44     r WL        r WL        64513 64515 64517        the same
AS4_routewl_2           4.4.1.0/24  4 44     r WL KO     r WL        rejected                 rejected
AS4_routewl_3           4.5.1.0/24  4 43     r WL        r WL        64513 64515 64517        the same
AS4_routewl_4           4.5.2.0/24  4 45     r WL        r WL KO     rejected                 rejected
AS4_routewl_5           4.6.1.0/24  4 45     r WL        r WL        64513 64515 64517        the same

AS5

  • allowed objects (AS-SET from PeeringDB):

    • prefix: 5.0.0.0/16

    • origin: 5

  • configuration:

    • enforcing: prefix only

    • tagging: yes

  • white lists:

    • prefixes: 5.2.0.0/16

    • asns: 51

AS5 announces:

id                      prefix      AS_PATH  prefix ok?  origin ok?  expected result 1        expected result 2
----------------------  ----------  -------  ----------  ----------  -----------------------  -----------------
AS5_pref_ok_origin_ok1  5.0.1.0/24  5        yes         yes         64512 64514              rejected
AS5_pref_ko_origin_ok1  5.1.0.0/24  5        no          yes         rejected                 rejected
AS3_pref_ok_origin_ko3  5.0.2.0/24  5 3      yes         no          64512 64515              rejected
AS3_pref_ko_origin_ko1  3.0.1.0/24  5 3      no          no          rejected                 rejected
AS5_pref_wl_origin_ok   5.2.1.0/24  5        yes (WL)    yes         64512 64514              64512 64515
AS5_pref_wl_origin_ko   5.2.2.0/24  5 3      yes (WL)    no          64512 64515              the same
AS5_pref_wl_origin_wl   5.2.3.0/24  5 51     yes (WL)    yes (WL)    64512 64514              the same
AS5_pref_ko_origin_wl   5.3.1.0/24  5 51     no          yes (WL)    rejected                 rejected
AS5_pref_ok_origin_wl   5.0.3.0/24  5 51     yes         yes (WL)    64512 64514              rejected

AS6

  • allowed objects:

    • prefix: 6.0.0.0/16

    • origin: 6, 3

  • configuration:

    • enforcing: both origin ASN and prefix

    • tagging: yes

  • white lists:

    • routes:

      • 3.2.0.0/16+, AS3 (1)

AS6 announces:

id                      prefix      AS_PATH  prefix ok?  origin ok?  expected result 1        expected result 2
----------------------  ----------  -------  ----------  ----------  -----------------------  -----------------
AS2_roa1                2.4.0.0/16  6 2      no          no          rejected                 rejected
AS3_roa2                3.1.0.0/16  6 3      ROA         yes         64513 64514 64516        rejected
AS3_arin1               3.2.1.0/24  6 3      ARIN (1)    yes         64513 64514 64518        64513 64515 64517
AS3_roa3_arin2          3.3.0.0/16  6 3      no          yes         64513 64514 64516 64518  rejected
AS6_ok_ok_roa6_arin6    6.0.1.0/24  6        yes         yes         64512 64514 64516 64518  rejected

1) The route white list is used to verify that:

  • in scenario 1, 3.2.1.0/24 AS3 is accepted and tagged with the ARIN db community, and not because of the white list entry;

  • in scenario 2, 3.2.1.0/24 AS3 is accepted anyway, but solely because of the route white list.
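
A compact model of the tagging and enforcement behaviour that the AS4 and AS6 tables imply, for both sub-scenarios. This is an added example, not ARouteServer's code and not part of the original page: the dict layout, the function names and the order in which the checks run are assumptions inferred from the expected results above.

```python
from ipaddress import ip_network as net

# Community values from the "Communities" table on this page.
PFX_OK, PFX_KO, ORG_OK, ORG_KO = 64512, 64513, 64514, 64515
ROA_OK, ROUTE_WL, ARIN_OK = 64516, 64517, 64518

# (prefix, origin ASN) pairs copied from the RPKI ROA and ARIN Whois tables
# (only the entries exercised by the AS6 rows).
ROAS = [("2.4.0.0/16", 2), ("3.1.0.0/16", 3), ("3.3.0.0/16", 3), ("6.0.1.0/24", 6)]
ARIN = [("3.2.0.0/16", 3), ("3.3.0.0/16", 3), ("6.0.1.0/24", 6)]

# Client definitions from the page; the dict layout is this example's own.
# wl_routes entries are (prefix, origin ASN or None, exact match only).
AS4 = dict(prefixes=["4.0.0.0/16"], origins={4}, enforce_origin=True,
           enforce_prefix=False, wl_prefixes=["4.2.0.0/16"], wl_asns={41},
           wl_routes=[("4.4.0.0/16", 44, True), ("4.5.0.0/16", 43, False),
                      ("4.6.0.0/16", None, False)])
AS6 = dict(prefixes=["6.0.0.0/16"], origins={6, 3}, enforce_origin=True,
           enforce_prefix=True, wl_prefixes=[], wl_asns=set(),
           wl_routes=[("3.2.0.0/16", 3, False)])

def covered(entries, prefix, origin):
    """True if prefix lies within an entry registered for this origin ASN."""
    return any(origin == asn and prefix.subnet_of(net(p)) for p, asn in entries)

def evaluate(client, prefix, as_path, as_sets_populated):
    """Return the list of tag communities, or "rejected"."""
    prefix, origin = net(prefix), as_path[-1]
    # Scenario 2: AS-SETs expand to nothing, white lists still apply.
    set_pfx = client["prefixes"] if as_sets_populated else []
    set_asn = client["origins"] if as_sets_populated else set()
    pfx_ok = any(prefix.subnet_of(net(p)) for p in set_pfx + client["wl_prefixes"])
    org_ok = origin in set_asn | client["wl_asns"]
    # Inferred from the tables: ROA/ARIN entries count only if the origin is OK.
    roa_ok = org_ok and covered(ROAS, prefix, origin)
    arin_ok = org_ok and covered(ARIN, prefix, origin)
    tags = [PFX_OK if pfx_ok else PFX_KO, ORG_OK if org_ok else ORG_KO]
    tags += ([ROA_OK] if roa_ok else []) + ([ARIN_OK] if arin_ok else [])
    failed = (client["enforce_origin"] and not org_ok) or (
        client["enforce_prefix"] and not (pfx_ok or roa_ok or arin_ok))
    if not failed:
        return tags
    # Assumption: the route white list is consulted only as a last resort.
    for p, asn, exact in client["wl_routes"]:
        hit = prefix == net(p) if exact else prefix.subnet_of(net(p))
        if hit and asn in (None, origin):
            return tags + [ROUTE_WL]
    return "rejected"
```

Calling `evaluate(AS6, "3.2.1.0/24", [6, 3], True)` and then with `False` reproduces footnote 1: the same route is tagged via the ARIN entry in scenario 1 and via the route white list in scenario 2.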