TRUE, FALSE, RT, RO, UNKNOWN, GENERIC,
FROM, GW, NET, PROTO, SOURCE, SCOPE, DEST, IFNAME, IFINDEX, WEIGHT, GW_MPLS, GW_MPLS_STACK, ONLINK,
PREFERENCE,
- ROA_CHECK,
+ ROA_CHECK, ASPA_CHECK,
DEFINED,
ADD, DELETE, RESET,
PREPEND,
| ROA_CHECK '(' rtable ')' { $$ = f_new_inst(FI_ROA_CHECK_IMPLICIT, $3); }
| ROA_CHECK '(' rtable ',' term ',' term ')' { $$ = f_new_inst(FI_ROA_CHECK_EXPLICIT, $5, $7, $3); }
+ | ASPA_CHECK '(' rtable ',' term ')' { $$ = f_new_inst(FI_ASPA_CHECK_EXPLICIT, $5, $3); }
| FORMAT '(' term ')' { $$ = f_new_inst(FI_FORMAT, $3); }
[T_ENUM_RTC] = "enum rtc",
[T_ENUM_RTD] = "enum rtd",
[T_ENUM_ROA] = "enum roa",
+ [T_ENUM_ASPA] = "enum aspa",
[T_ENUM_NETTYPE] = "enum nettype",
[T_ENUM_RA_PREFERENCE] = "enum ra_preference",
[T_ENUM_AF] = "enum af",
T_ENUM_RA_PREFERENCE = 0x37,
T_ENUM_AF = 0x38,
T_ENUM_MPLS_POLICY = 0x39,
+ T_ENUM_ASPA = 0x3a,
/* new enums go here */
T_ENUM_EMPTY = 0x3f, /* Special hack for atomic_aggr */
}
+ INST(FI_ASPA_CHECK_EXPLICIT, 1, 1) { /* ASPA Check */
+ NEVER_CONSTANT;
+ ARG(1, T_PATH);
+ RTC(2);
+ struct rtable *table = rtc->table;
+
+ if (!table)
+ runtime("Missing ASPA table");
+
+ if (table->addr_type != NET_ASPA)
+ runtime("Table type must be ASPA");
+
+ RESULT(T_ENUM_ASPA, i, [[ aspa_check(table, v1.val.ad) ]]);
+ }
+
INST(FI_FROM_HEX, 1, 1) { /* Convert hex text to bytestring */
ARG(1, T_STRING);
CF_ENUM(T_ENUM_SCOPE, SCOPE_, HOST, LINK, SITE, ORGANIZATION, UNIVERSE, UNDEFINED)
CF_ENUM(T_ENUM_RTD, RTD_, UNICAST, BLACKHOLE, UNREACHABLE, PROHIBIT)
CF_ENUM(T_ENUM_ROA, ROA_, UNKNOWN, VALID, INVALID)
+CF_ENUM(T_ENUM_ASPA, ASPA_, UNKNOWN, VALID, INVALID)
CF_ENUM_PX(T_ENUM_AF, AF_, AFI_, IPV4, IPV6)
CF_ENUM(T_ENUM_MPLS_POLICY, MPLS_POLICY_, NONE, STATIC, PREFIX, AGGREGATE, VRF)
#include "lib/net.h"
struct ea_list;
+struct adata;
struct protocol;
struct proto;
struct rte_src;
net *net_get(rtable *tab, const net_addr *addr);
net *net_route(rtable *tab, const net_addr *n);
int net_roa_check(rtable *tab, const net_addr *n, u32 asn);
+int aspa_check(rtable *tab, const struct adata *path);
rte *rte_find(net *net, struct rte_src *src);
rte *rte_get_temp(struct rta *, struct rte_src *src);
void rte_update2(struct channel *c, const net_addr *n, rte *new, struct rte_src *src);
#define ROA_VALID 1
#define ROA_INVALID 2
+#define ASPA_UNKNOWN 0
+#define ASPA_VALID 1
+#define ASPA_INVALID 2
+#define ASPA_CONTAINS_CONFED 3
+
#endif
#undef FW
}
+/**
+ * aspa_check - check validity of AS Path in an ASPA table
+ * @tab: ASPA table
+ * @path: AS Path to check
+ *
+ * Implements draft-ietf-sidrops-aspa-verification-16.
+ */
+int aspa_check(rtable *tab, const adata *path)
+{
+ struct lp_state lps;
+ lp_save(tmp_linpool, &lps);
+
+ /* No support for confed paths */
+ if (as_path_contains_confed(path))
+ return ASPA_CONTAINS_CONFED;
+
+ /* Normalize the AS Path: drop stuffings */
+ uint len = as_path_getlen(path);
+ u32 *asns = alloca(sizeof(u32) * len);
+ uint ppos = 0;
+ int nsz = 0;
+ while (as_path_walk(path, &ppos, &asns[nsz]))
+ if ((nsz == 0) || (asns[nsz] != asns[nsz-1]))
+ nsz++;
+
+ /* Find the provider blocks for every AS on the path
+ * and check allowed directions */
+ bool *up = alloca(sizeof(bool) * nsz);
+ bool *down = alloca(sizeof(bool) * nsz);
+ bool unknown_flag = false;
+
+ for (int ap=0; ap<nsz; ap++)
+ {
+ net_addr_union nau = { .aspa = NET_ADDR_ASPA(asns[ap]), };
+ net *n = net_find(tab, &nau.n);
+ if (!n || !n->routes)
+ {
+ /* No ASPA for this ASN, therefore UNKNOWN */
+ unknown_flag = up[ap] = down[ap] = true;
+ continue;
+ }
+
+ up[ap] = down[ap] = false;
+
+ for (rte *e = n->routes; e; e = e->next)
+ {
+ if (!rte_is_valid(e))
+ continue;
+
+ eattr *ea = ea_find(e->attrs->eattrs, EA_ASPA_PROVIDERS);
+ if (!ea)
+ continue;
+
+ for (uint i=0; i * sizeof(u32) < ea->u.ptr->length; i++)
+ {
+ if ((ap > 0) && ((u32 *) ea->u.ptr->data)[i] == asns[ap-1])
+ down[ap] = true;
+ if ((ap + 1 < nsz) && ((u32 *) ea->u.ptr->data)[i] == asns[ap+1])
+ up[ap] = true;
+
+ if (down[ap] || up[ap])
+ goto peering_found;
+ }
+ }
+peering_found:;
+ }
+
+ /* Check whether the topology is first ramp up and then ramp down. */
+ int up_end = 0;
+ while (up_end < nsz && up[up_end])
+ up_end++;
+
+ int down_end = nsz - 1;
+ while (down_end > 0 && down[down_end])
+ down_end--;
+
+ /* A significant overlap of obvious unknowns or misconfigured ASPAs. */
+ if (up_end - down_end >= 2)
+ return ASPA_UNKNOWN;
+
+ /* The path has either a single transit provider, or a peering pair on top */
+ else if (up_end - down_end >= 0)
+ return unknown_flag ? ASPA_UNKNOWN : ASPA_VALID;
+
+ /* There is a gap between valid ramp up and valid ramp down */
+ else
+ return ASPA_INVALID;
+}
+
/**
* rte_find - find a route
* @net: network node
projects / thirdparty / bird.git / commitdiff
