A Python tool to automatically build (and test) configurations for BGP route servers.
Project description
ARouteServer
A Python tool to automatically build (and test) feature-rich configurations for BGP route servers.
How it works
Two YAML files provide general policies and clients configurations options:
cfg: rs_as: 999 router_id:"192.0.2.2"add_path: True filtering: next_hop_policy:"same-as"blackhole_filtering: policy_ipv4:"rewrite-next-hop"...clients: - asn: 111 ip: -"192.0.2.11"-"2001:db8:1:1::11"rpsl: as_sets: -"AS-AS111MAIN"...ARouteServer acquires external information to enrich them: bgpq3 for IRRDb data, PeeringDB for max-prefix limit, …
Jinja2 built-in templates are used to render the final route server’s configuration file.
Currently, only BIRD is supported.
Validation and testing are performed using the built-in live tests framework: Docker instances are used to simulate several scenarios, and more custom scenarios can be built on the basis of the user’s needs. More details on the Live tests section.
Features
Path hiding mitigation techniques (RFC7947 section 2.3.1).
Filtering features (most enabled by default):
NEXT_HOP enforcement (strict / same AS - RFC7948 section 4.8);
minimum and maximum IPv4/IPv6 prefix length;
maximum AS_PATH length;
reject invalid AS_PATHs (containing private/invalid ASNs);
reject AS_PATHs containing transit-free ASNs;
RPKI-based filtering/tagging RFC6811;
reject bogons;
prefixes and origin ASNs enforcing via RPSL/IRRdb AS-SETs (RFC7948 section 4.6.2);
max-prefix limit based on global or client-specific values or on PeeringDB data.
Blackhole filtering support:
optional NEXT_HOP rewriting;
signalling via BGP Communities (BLACKHOLE and custom communities);
client-by-client control over propagation.
Control and informative communities:
prefix/origin ASN present/not present in IRRDB data;
prefix RPKI status;
do (not) announce to any / peer;
prepend to any / peer.
Optional session features on a client-by-client basis:
prepend route server ASN (RFC7947 section 2.2.2.1);
active sessions;
GTSM (Generalized TTL Security Mechanism - RFC5082);
ADD-PATH capability (RFC7911).
A comprehensive list of features can be found within the comments of the distributed configuration file on GitHub.
More feature are already planned: see the Future work section for more details.
Full documentation
Full documentation can be found on ReadTheDocs: https://arouteserver.readthedocs.org/
Status
Highly experimental! Please consider it as a toy, far from being production ready. Looking for advices and testers.
Bug? Issues?
But also suggestions? New ideas?
Please create an issue on GitHub at https://github.com/pierky/arouteserver/issues
Change log
v0.1.0a10
New command to build textual representations of configurations: html.
v0.1.0a9
New command to initialize a custom live test scenario: init-scenario.
v0.1.0a8
New feature: selective path prepending via BGP communities.
The control_communities general option has been removed: it was redundant.
v0.1.0a7
Improved communities configuration and handling.
Fix issue on standard communities matching against 32-bit ASNs.
Fix issue on IPv6 prefix validation.
v0.1.0a6
New feature: RPKI-based filtering/tagging.
v0.1.0a5
New feature: transit-free ASNs filtering.
Program command line: subcommands + clients-from-peeringdb.
More logging and some warning.
v0.1.0a4
Fix issue with GTSM default value.
Add default route to bogons.
Better as-sets handling and cache handling.
Config syntax change: clients ‘as’ -> ‘asn’.
AS-SETs at AS-level.
Live tests: path hiding mitigation scenario.
Improvements in templates.
v0.1.0a3
Fix some cache issues.
v0.1.0a2
Packaging.
System setup via arouteserver --setup.
v0.1.0a1
First push on GitHub.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
