arouteserver 0.1.0a2

A Python tool to automatically build (and test) configurations for BGP route servers.

ARouteServer

A Python tool to automatically build (and test) feature-rich configurations for BGP route servers.

How it works

1. Two YAML files provide general policies and clients configurations options:

   cfg:
     rs_as: 999
     router_id: "192.0.2.2"
     add_path: True
     filtering:
       next_hop_policy: "same-as"
     blackhole_filtering:
       policy_ipv4: "rewrite-next-hop"
       ...

   clients:
     - as: 111
       ip:
       - "192.0.2.11"
       - "2001:db8:1:1::11"
       rpsl:
         as_sets:
           - "AS-AS111MAIN"
     ...

2. ARouteServer acquires external information to enrich them: bgpq3 for IRRDb data, PeeringDB for max-prefix limit, …

3. Jinja2 built-in templates are used to render the final route server’s configuration file.

   Currently, only BIRD is supported.

Validation and testing is performed using the built-in live tests framework: Docker instances are used to simulate several scenarios, and more custom scenarios can be built on the basis of the user’s needs. More details on the Live tests section.

Features

• Path hiding mitigation techniques (RFC7947 section 2.3.1).

• Filtering features on by default:

  • NEXT_HOP enforcement (strict / same AS - RFC7948 section 4.8);

  • minimum and maximum IPv4/IPv6 prefix length;

  • maximum AS_PATH length;

  • reject invalid AS_PATHs (containing private/invalid ASNs);

  • reject bogons;

  • prefixes and origin ASNs enforcing via RPSL/IRRdb AS-SETs (RFC7948 section 4.6.2);

  • max-prefix limit based on global or client-specific values or on PeeringDB data.

• Blackhole filtering support:

  • optional NEXT_HOP rewriting;

  • signalling via BGP Communities (BLACKHOLE and custom communities);

  • client-by-client control over propagation.

• Control and informative communities:

  • prefix/origin ASN present/not present in IRRDB data;

  • do (not) announce to any / peer;

  • prepend to any.

• Optional session features on a client-by-client basis:

  • prepend route server ASN;

  • active sessions;

  • GTSM (Generalized TTL Security Mechanism - RFC5082);

  • ADD-PATH capability (RFC7911).

A comprehensive list of features can be found within the comments of the distributed configuration file on GitHub.

More feature are already planned: see the Future work section for more details.

Full documentation

Full documentation can be found on ReadTheDocs: https://arouteserver.readthedocs.org/

Status

Highly experimental!

Bug? Issues?

But also suggestions? New ideas?

Please create an issue on GitHub at https://github.com/pierky/arouteserver/issues

Author

Pier Carlo Chiodi - https://pierky.com

Blog: https://blog.pierky.com Twitter: @pierky

Change log

v0.1.0a2

• Packaging.

• System setup via arouteserver --setup.

v0.1.0a1

First push on GitHub.