ARouteServer

A Python tool to automatically build (and test) feature-rich configurations for BGP route servers.

How it works

  1. Two YAML files provide general policies and clients configurations options:

    cfg:
      rs_as: 64496
      router_id: "192.0.2.2"
      add_path: True
      filtering:
        next_hop:
          policy: "same-as"
      blackhole_filtering:
        policy_ipv4: "rewrite-next-hop"
        ...
    
    clients:
      - asn: 64511
        ip:
        - "192.0.2.11"
        - "2001:db8:1:1::11"
        irrdb:
          as_sets:
            - "RIPE::AS-FOO"
      ...
    
  2. ARouteServer acquires external information to enrich them: i.e. bgpq3 for IRR data, PeeringDB for max-prefix limit and AS-SETs, …

  3. Jinja2 built-in templates are used to render the final route server’s configuration file.

    Currently, BIRD (1.6.3 and 1.6.4) and OpenBGPD (OpenBSD 6.0 up to 6.3) are supported, with almost feature parity between them.

Validation and testing are performed using the built-in live tests framework: Docker instances are used to simulate several scenarios, and more custom scenarios can be built on the basis of the user’s needs. More details on the Live tests section.

Features

  • Path hiding mitigation techniques (RFC7947 section 2.3.1).
  • Basic filters (mostly enabled by default):
    • NEXT_HOP enforcement (strict / same AS - RFC7948 section 4.8);
    • minimum and maximum IPv4/IPv6 prefix length;
    • maximum AS_PATH length;
    • reject invalid AS_PATHs (containing private/invalid ASNs);
    • reject AS_PATHs containing transit-free ASNs;
    • reject bogons;
    • max-prefix limit based on global or client-specific values or on PeeringDB data.
  • Prefixes and origin ASNs validation (also in tag-only mode):
    • IRR-based filters (RFC7948 section 4.6.2);
    • AS-SETs configured manually or fetched from PeeringDB;
    • support for IRR sources (RIPE::AS-FOO, RADB::AS-BAR);
    • white lists support;
    • extended dataset for filters generation:
      • RPKI ROAs used as route objects;
      • Origin AS from ARIN Whois database dump;
    • RPKI-based filtering (BGP Prefix Origin Validation).
  • Blackhole filtering support:
    • optional NEXT_HOP rewriting;
    • signalling via BGP Communities (BLACKHOLE and custom communities);
    • client-by-client control over propagation.
  • Graceful shutdown support:
    • honor the GRACEFUL_SHUTDOWN BGP community received from clients (draft-ietf-grow-bgp-gshut-11);
    • allow to perform a graceful shutdown of the route server itself.
  • Control and informative communities:
    • prefix/origin ASN present/not present in IRRDBs data;
    • do (not) announce to any / peer / on RTT basis;
    • prepend to any / peer / on RTT basis;
    • add NO_EXPORT / NO_ADVERTISE to any / peer;
    • custom informational BGP communities.
  • Optional session features on a client-by-client basis:
  • Automatic building of clients list:
  • IX-F Member Export JSON files creation.
  • Related tools:

A comprehensive list of features can be found within the comments of the distributed configuration file on GitHub or on the documentation web page.

More feature are already planned: see the Future work section for more details.

Presentations

  • RIPE74, 10 May 2017, Connect Working Group: video (9:53), slides (PDF)
  • Salottino MIX, 30 May 2017: slides

Mentions / endorsements:

  • Job Snijders, LINX99, 20 November 2017: slides

Who is using ARouteServer?

Are you using it? Do you want to be listed here? Drop me a message!

Status

Beta testing, looking for testers and reviewers.

Anyone who wants to share his/her point of view, to review the output configurations or to test them is more than welcome!

Bug? Issues? Support requests?

But also suggestions? New ideas?

Please create an issue on GitHub or drop me a message.

A Slack channel is also available on the network.toCode() community: arouteserver.

Author

Pier Carlo Chiodi - https://pierky.com

Blog: https://blog.pierky.com Twitter: @pierky