A Python tool to automatically build (and test) feature-rich configurations for BGP route servers.
How it works
Two YAML files provide the general policies and the clients' configuration options:
    cfg:
      rs_as: 999
      router_id: "192.0.2.2"
      add_path: True
      filtering:
        next_hop:
          policy: "same-as"
      blackhole_filtering:
        policy_ipv4: "rewrite-next-hop"
        ...

    clients:
      - asn: 111
        ip:
          - "192.0.2.11"
          - "2001:db8:1:1::11"
        irrdb:
          as_sets:
            - "AS-AS111MAIN"
      ...
Jinja2 built-in templates are used to render the final route server’s configuration file.
Currently, BIRD (1.6.3) and OpenBGPD (OpenBSD 6.0 and 6.1) are supported.
Validation and testing are performed using the built-in live tests framework: Docker instances are used to simulate several scenarios, and more custom scenarios can be built on the basis of the user’s needs. More details are in the Live tests section.
- Path hiding mitigation techniques (RFC7947 section 2.3.1).
- Filtering features (most enabled by default):
  - NEXT_HOP enforcement (strict / same AS - RFC7948 section 4.8);
  - minimum and maximum IPv4/IPv6 prefix length;
  - maximum AS_PATH length;
  - reject invalid AS_PATHs (containing private/invalid ASNs);
  - reject AS_PATHs containing transit-free ASNs;
  - RPKI-based filtering (RFC6811);
  - reject bogons;
  - prefix and origin ASN enforcement via RPSL/IRRdb AS-SETs (RFC7948 section 4.6.2);
  - max-prefix limit based on global or client-specific values or on PeeringDB data.
- Blackhole filtering support:
  - optional NEXT_HOP rewriting;
  - signalling via BGP Communities (BLACKHOLE and custom communities);
  - client-by-client control over propagation.
- Control and informative communities:
  - prefix/origin ASN present/not present in IRRDB data;
  - routes RPKI validity state;
  - do (not) announce to any / peer;
  - prepend to any / peer;
  - add NO_EXPORT / NO_ADVERTISE to any / peer;
  - custom informational BGP communities.
- Optional session features on a client-by-client basis:
- Automatic building of clients list:
- Related tools:
  - Invalid routes reporter, to log or report invalid routes and their reject reason.
A comprehensive list of features can be found within the comments of the distributed configuration file on GitHub.
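Some of the filtering checks listed above, written out as an added example; this is not ARouteServer's own code or the output of its templates. It contrasts the "strict" and "same AS" NEXT_HOP policies and applies the prefix-length, AS_PATH-length and invalid-ASN checks. The function names, the thresholds and the extra client entries are assumptions made for illustration.

```python
import ipaddress

# Constructed clients: AS111's first entry is the page's; the others are added here.
CLIENTS = [
    {"asn": 111, "ip": ["192.0.2.11", "2001:db8:1:1::11"]},
    {"asn": 111, "ip": ["192.0.2.12"]},
    {"asn": 222, "ip": ["192.0.2.22"]},
]
# Assumed thresholds for illustration; not values stated on the page.
PREFIX_LEN = {4: (8, 24), 6: (12, 48)}
MAX_AS_PATH_LEN = 32
# Private, documentation and reserved ASNs (RFC 6996, 5398, 7300, 7607), AS_TRANS.
INVALID_ASNS = [(0, 0), (23456, 23456), (64496, 64511), (64512, 65534),
                (65535, 65535), (65536, 65551), (4200000000, 4294967295)]


def allowed_next_hops(route, policy, clients):
    """strict: only the announcing session's address; same-as: any address
    of any client in the announcing client's AS."""
    if policy == "strict":
        return {ipaddress.ip_address(route["peer_ip"])}
    return {ipaddress.ip_address(ip) for c in clients
            if c["asn"] == route["peer_asn"] for ip in c["ip"]}


def reject_reasons(route, policy="same-as", clients=CLIENTS):
    """Return the reasons (possibly none) for rejecting a client's route."""
    reasons = []
    net = ipaddress.ip_network(route["prefix"])
    shortest, longest = PREFIX_LEN[net.version]
    if not shortest <= net.prefixlen <= longest:
        reasons.append("prefix_len")
    if len(route["as_path"]) > MAX_AS_PATH_LEN:
        reasons.append("as_path_len")
    if any(lo <= asn <= hi for asn in route["as_path"] for lo, hi in INVALID_ASNS):
        reasons.append("invalid_asn_in_path")
    if ipaddress.ip_address(route["next_hop"]) not in allowed_next_hops(
            route, policy, clients):
        reasons.append("next_hop")
    return reasons


if __name__ == "__main__":
    # Constructed route: AS111 announces with its other router as next hop.
    r = {"prefix": "203.0.113.0/24", "as_path": [111], "peer_asn": 111,
         "peer_ip": "192.0.2.11", "next_hop": "192.0.2.12"}
    print(reject_reasons(r, "same-as"), reject_reasons(r, "strict"))
```

The same route passes under "same-as" and is rejected under "strict", which is the practical difference between the two NEXT_HOP policies for a client with more than one router on the peering LAN.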
More features are already planned: see the Future work section for more details.
Beta testing, looking for testers and reviewers.
Anyone who wants to share his/her point of view, to review the output configurations or to test them is more than welcome!