IRRtoolset 4.8.2 and RPSLng
Dimitrios Kalogeras dkalo at noc.ntua.gr
Tue Feb 15 16:38:39 CET 2005
Hi to all of you,

I apologize for the cross posting but I believe this is of interest to all of you.

We have noticed some problems with the IRRtoolset regarding the interpretation of RPSLng from RtConfig.

The command used for RtConfig is:

RtConfig -h whois.ripe.net -p 43 -protocol ripe -cisco_use_prefix_lists

A small template used for RtConfig was:

@RtConfig set cisco_map_first_no = 10
@RtConfig set cisco_map_increment_by = 10
@RtConfig set cisco_max_preference = 220
! Parameters
@RtConfig set cisco_prefix_acl_no = 130
@RtConfig set cisco_aspath_acl_no = 130
@RtConfig set cisco_pktfilter_acl_no = 130
@RtConfig set cisco_community_acl_no = 130
@RtConfig set cisco_access_list_no = 130
! ***** Specify each peer's incoming filter ****
! GEANT
@RtConfig set cisco_map_name = "bgp-geant-%d-%d-in"
@RtConfig import AS5408 195.251.27.255 AS20965 62.40.103.57
@RtConfig set cisco_map_name = "bgp-geant-%d-%d-out"
@RtConfig export AS5408 195.251.27.255 AS20965 62.40.103.57
@RtConfig set cisco_map_name = "bgp-geant-bkp-%d-%d-in"
@RtConfig import AS5408 195.251.27.255 AS20965 62.40.103.201
@RtConfig set cisco_map_name = "bgp-geant-bkp-%d-%d-out"
@RtConfig export AS5408 195.251.27.255 AS20965 62.40.103.201

Problems:

a) In lines with mp-import and afi ipv4.unicast there is error generation although the RIPE RPSLng accepts the object !!! In some cases if we download the object and execute

RtConfig -h whois.ripe.net -p 43 -protocol ripe -cisco_use_prefix_lists -f < saved object

there is no problem !!!

b) When we use the switch -cisco_eliminate_dup_map_parts the result is wrong when the policy has multiple address_families defined.

c) It is not possible to generate route-maps when the template has an IPv6 address like

@RtConfig export AS5408 2001:648:2FFF:1:: AS20965 2001:798:2017:10AA::1

if in the RIPE as object we have defined our own IPv6 attachment point.
Instead, in order to generate IPv6 route maps we define

@RtConfig export AS5408 195.251.27.255 AS20965 2001:798:2017:10AA::1

in the RtConfig templates !!! This results in IPv6 route-maps generated !!

d) The RPSLng robot of RIPE is broken. We intentionally provide a wrong object and the RIPE robot passed it without a problem !!!

In our definition ....

mp-import:    # GRNET Clients -------------------------------------------
              # Import Policy:
              # Accept all routes that:
              # (a) has the appropriate AS path and
              # (b) originates from the client (or someone behind the client)
              # For these routes, according to the advertised communities:
              # (i) set the appropriate local preference and
              # (ii) prepend
              #---------------------------------------------------------------------
              afi any
              from prng-as5408-grnet-clients
              accept (PeerAS OR PeerAS:AS-TO-GRNET) AND <^PeerAS+PeerAS:AS-TO-GRNET*$>;
              REFINE {
                 from AS-ANY action pref=100; accept community.contains(5408:120);
                 from AS-ANY action pref=110; accept community.contains(5408:110);
                 from AS-ANY action pref=111; accept community.contains(5408:109);
                 from AS-ANY action pref=100; accept ANY;
              }
              REFINE {
                 from AS-ANY action aspath.prepend(AS5408,AS5408,AS5408,AS5408,AS5408); accept community.contains(5408:2005);
                 from AS-ANY action aspath.prepend(AS5408,AS5408,AS5408); accept community.contains(5408:2003);
                 from AS-ANY accept ANY;
              }

When we provided ....

mp-import:    # GRNET Clients -------------------------------------------
              # Import Policy:
              # Accept all routes that:
              # (a) has the appropriate AS path and
              # (b) originates from the client (or someone behind the client)
              # For these routes, according to the advertised communities:
              # (i) set the appropriate local preference and
              # (ii) prepend
              #---------------------------------------------------------------------
              afi any
              from prng-as5408-grnet-clients
              accept (PeerAS OR PeerAS:AS-TO-GRNET) AND
              REFINE {
                 from AS-ANY action pref=100; accept community.contains(5408:120);
                 from AS-ANY action pref=110; accept community.contains(5408:110);
                 from AS-ANY action pref=111; accept community.contains(5408:109);
                 from AS-ANY action pref=100; accept ANY;
              }
              REFINE {
                 from AS-ANY action aspath.prepend(AS5408,AS5408,AS5408,AS5408,AS5408); accept community.contains(5408:2005);
                 from AS-ANY action aspath.prepend(AS5408,AS5408,AS5408); accept community.contains(5408:2003);
                 from AS-ANY accept ANY;
              }

responded in the webupdates with no errors !!!

Regards,
Dimitrios

PS. Our current policy in the RIPE database is:

aut-num:      AS5408
as-name:      GR-NET
descr:        Greek Research and Technology Network
remarks:      ##############################################################
+#                     ROUTING POLICY FOR GRNET                       #
+######################################################################
+
+
+ ===================================
+ BGP Communities supported by GRNET:
+ ===================================
+
+
+ List of all BGP communites used by GRNET:
+ -----------------------------------------
+ NO_EXPORT
+ NO_ADVERTISE
+ 5480:666    Blackhole this route (for /32 only)
+ 5408:120    Primary connection, choose first
+ 5408:110    Secondary connection, choose second
+ 5408:109    Trinary connection, choose third
+ 5408:2005   Prepend 5 times
+ 5408:4001   Do not announce to AIX
+ 5408:4005   Do not announce to GEANT
+ 5408:4010   Seeren Routes (export to RoEdunet)
+
+
+
+ BGP communities appended/removed automatically by GRNET:
+ --------------------------------------------------------
+ 5408:4001 is appended to all routes received by GEANT
+ 5408:4005 is appended to all routes received by AIX Peers
+ 5408:4010 is appended to all routes received by SEEREN Peers
+ 5408:4010 is removed from all non-Seeren routes received by GRNET
+
+
+ BGP communities available to GRNET clients:
+ -------------------------------------------
+ 5408:120    Primary connection, choose first
+ 5408:110    Secondary connection, choose second
+ 5408:109    Trinary connection, choose third
+ 5480:666    Blackhole this route (for /32 only)
+ 5408:2005   Prepend 5 times
+ 5408:4001   Do not announce to AIX
+ 5408:4005   Do not announce to GEANT
+ !!! NO OTHER 5408:* SHOULD BE USED BY GRNET CLIENTS !!!
+
+
+ BGP communities available to SEEREN Peers:
+ ------------------------------------------
+ 5480:666    Blackhole this route (for /32 only)
+ 5408:2005   Prepend 5 times
+ 5408:4001   Do not announce to AIX
+ 5408:4005   Do not announce to GEANT
+ !!! NO OTHER 5408:* SHOULD BE USED BY SEEREN Peers !!!
+
+
+ BGP communities available to AIX Peers:
+ ------------------------------------------
+ 5408:2005   Prepend 5 times
+ !!! NO OTHER 5408:* SHOULD BE USED BY AIX Peers !!!
+
+
+
+
+######################################################################
+
remarks:      === IMPORT POLICY ============================================
+
mp-import:    # iBGP (AS5408) -------------------------------------------
              # accept all routes
              # (Note: Although this is not described here,
              # the border router with SEEREN clears 5408:4010 from iBGP)
              #---------------------------------------------------------------------
              afi any
              from prng-as5408-ibgp
              accept ANY;
mp-import:    # GEANT AS20965 -------------------------------------------
              # GEANT is the Internet Upstream for GRNET
              # Import Policy:
              # Accept all routes
              # Set Local Preference 100 for primary, 90 for backup
              # Append community for not announcement to AIX
              #---------------------------------------------------------------------
              # IPv4 unicast and multicast
              afi ipv4
              from AS20965 62.40.103.57 action pref=120; community.append(5408:4001);
              from AS20965 62.40.103.201 action pref=130; community.append(5408:4001);
              accept ANY;
mp-import:    # IPv6 unicast
              afi ipv6.unicast
              from AS20965 2001:798:2017:10AA::1 action pref=120; community.append(5408:4001);
              from AS20965 2001:798:2017:10AA::9 action pref=130; community.append(5408:4001);
              accept ANY;
mp-import:    # RoEdunet (AS2614) ---------------------------------------
              # RoEdunet is the Backup Upstream for SEEREN peers only!
              # Import Policy:
              # Accept all ipv4 unicast routes
              # Set Local Preference of RoEdunet routes to 50
              #---------------------------------------------------------------------
              afi ipv4.unicast
              from AS2614 action pref=170;
              accept ANY;
mp-import:    # OteGlobe (AS12713) --------------------------------------
              # Peering for Seeren SCS VPN purposes only
              # Import Policy:
              # Only allow connection networks (62.75.33.228/27),
              # PE loopbacks (62.75.26.216/29) and CE loopbacks
              #---------------------------------------------------------------------
              afi ipv4.unicast
              from AS12713 action pref=70; # High preference; community.append(NO_ADVERTISE);
              accept {62.75.33.228/27^+, 62.75.26.216/29^+, 147.91.0.112/32, 193.254.1.242/32, 194.141.252.13/32, 194.149.130.249/32};
mp-import:    # Blackhole Routing for GRNET & SEEREN Clients ------------
              # this command is not supported by RPSL and the RIPE database :-(
              # we are implementing it, though
              #---------------------------------------------------------------------
              afi any.unicast
              from AS-ANY action community.append(NO_EXPORT); # next-hop = x.x.x.x;
              accept community.contains(5408:666) AND (PeerAS OR PeerAS:AS-TO-GRNET) AND {0.0.0.0/0^32} AND <^PeerAS+PeerAS:AS-TO-GRNET*$>;
              REFINE {
                 from prng-as5408-grnet-clients accept ANY;
                 from prng-as5408-seeren accept ANY;
              }
mp-import:    # GRNET Clients -------------------------------------------
              # Import Policy:
              # Accept all routes that:
              # (a) has the appropriate AS path and
              # (b) originates from the client (or someone behind the client)
              # For these routes, according to the advertised communities:
              # (i) set the appropriate local preference and
              # (ii) prepend
              #---------------------------------------------------------------------
              afi any
              from prng-as5408-grnet-clients
              accept (PeerAS OR PeerAS:AS-TO-GRNET) AND <^PeerAS+PeerAS:AS-TO-GRNET*$>;
              REFINE {
                 from AS-ANY action pref=100; accept community.contains(5408:120);
                 from AS-ANY action pref=110; accept community.contains(5408:110);
                 from AS-ANY action pref=111; accept
                    community.contains(5408:109);
                 from AS-ANY action pref=100; accept ANY;
              }
              REFINE {
                 from AS-ANY action aspath.prepend(AS5408,AS5408,AS5408,AS5408,AS5408); accept community.contains(5408:2005);
                 from AS-ANY action aspath.prepend(AS5408,AS5408,AS5408); accept community.contains(5408:2003);
                 from AS-ANY accept ANY;
              }
mp-import:    # SEEREN Peers ---------------------------------------------
              # Import Policy:
              # Accept all ipv4 unicast and ipv6 unicast routes that
              # (a) has the appropriate AS path and
              # (b) originates from the peer (or someone behind that peer)
              # For these routes, according to the advertised communities:
              # (i) set the appropriate local preference
              # (ii) append the community for announcement to RoEdunet and
              # (ii) prepend
              #---------------------------------------------------------------------
              afi any.unicast
              from prng-as5408-seeren action pref=100; community.append(5408:4010);
              accept (PeerAS OR PeerAS:AS-TO-GRNET) AND <^PeerAS+PeerAS:AS-TO-GRNET*$>;
              REFINE {
                 from AS-ANY action aspath.prepend(AS5408,AS5408,AS5408,AS5408,AS5408); accept community.contains(5408:2005);
                 from AS-ANY action aspath.prepend(AS5408,AS5408,AS5408); accept community.contains(5408:2003);
                 from AS-ANY accept ANY;
              }
mp-import:    # AIX Peers ------------------------------------------------
              # Import Policy:
              # Accept all routes that
              # (a) has the appropriate AS path and
              # (b) originates from the peer (or someone behind that peer)
              # For these routes, according to the advertised communities:
              # (i) set the appropriate local preference
              # (ii) append the community for not announcement to Geant and
              # (ii) prepend
              #---------------------------------------------------------------------
              afi ipv4
              from prng-as5408-aix action pref=100; community.append(5408:4005);
              accept (PeerAS OR PeerAS:AS-TO-AIX) AND <^PeerAS+PeerAS:AS-TO-AIX*$>;
              REFINE {
                 from AS-ANY action aspath.prepend(AS5408,AS5408,AS5408,AS5408,AS5408); accept community.contains(5408:2005);
                 from AS-ANY action aspath.prepend(AS5408,AS5408,AS5408); accept
                    community.contains(5408:2003);
                 from AS-ANY accept ANY;
              }
mp-import:    # K-ROOT mirror @ AIX --------------------------------------
              # Import Policy:
              # Accept K-Root routes and
              # append the community for not announcement to GEANT
              #---------------------------------------------------------------------
              afi ipv4.unicast
              from AS25152 action pref=100; community.append(5408:4005);
              accept {193.0.14.0/24, 195.251.59.0/28}
+
remarks:      === EXPORT POLICY ============================================
+
mp-export:    # iBGP (AS5408) --------------------------------------------
              # Export Policy:
              # Do not propagate RoEdunet routes via iBGP
              #---------------------------------------------------------------------
              afi any
              to prng-as5408-ibgp announce (NOT <^AS2614>);
              EXCEPT {
                 to prng-as5408-ibgp-part announce NOT community.contains(5408:4001);
              }
mp-export:    # GEANT (AS20965) ------------------------------------------
              # Export Policy:
              # Announce all routes except from those with community (5408:4005)
              #---------------------------------------------------------------------
              afi any
              to AS20965 announce NOT community.contains(5408:4005);
mp-export:    # RoEdunet (AS2614) ----------------------------------------
              # RoEdunet is the Backup Upstream for SEEREN peers only!
              # Export Policy:
              # Announce only IPv4 unicast routes with 5408:4010 community
              #---------------------------------------------------------------------
              afi ipv4.unicast
              to AS2614 announce community.contains(5408:4010);
mp-export:    # OteGlobe (AS12713) Peering for Seeren VPN purposes -------
              # Export Policy:
              # Only announce CE loopback
              #---------------------------------------------------------------------
              afi ipv4.unicast
              to AS12713 announce {194.177.210.40/32};
mp-export:    # AIX Peers ------------------------------------------------
              # Export Policy:
              # Announce all routes except from those with community (5408:4001)
              #---------------------------------------------------------------------
              afi ipv4.unicast
              to prng-as5408-aix announce NOT community.contains(5408:4001);
mp-export:    # GRNET Clients & Seeren Peers -----------------------------
              # Export Policy:
              # Announce either all routes or a partial routing table
              #---------------------------------------------------------------------
              afi any
              to prng-as5408-grnet-firt announce ANY;
              EXCEPT {
                 to prng-as5408-grnet-part announce NOT community.contains(5408:4001);
              }
+
remarks:      ##############################################################
+#                 END OF ROUTING POLICY FOR GRNET                    #
+######################################################################
+
admin-c:      GN28-RIPE
tech-c:       GN28-RIPE
mnt-by:       GRNET-NOC
changed:      D.Kalogeras at noc.ntua.gr 19990622
changed:      D.Kalogeras at noc.ntua.gr 20031120
changed:      D.Kalogeras at noc.ntua.gr 20031128
changed:      D.Kalogeras at noc.ntua.gr 20031201
changed:      A.Polyrakis at noc.ntua.gr 20031218
changed:      A.Polyrakis at noc.ntua.gr 20041202
changed:      A.Polyrakis at noc.ntua.gr 20050203
changed:      D.Kalogeras at noc.ntua.gr 20050215
source:       RIPE

--
--
Dimitrios K. Kalogeras

Electrical Engineer Ph.D.
Network Manager
NTUA/GR-Net Network Management Center
_____________________________________
icq: 11887484
voice: +30-210-772 1863
fax: +30-210-772 1866
e-mail: D.Kalogeras at noc.ntua.gr

pub 1024D/F2A69A72 2002-12-13 Dimitrios Kalogeras <D.Kalogeras at noc.ntua.gr>
Key fingerprint = 64C5 646D 8D33 A3FF 14D1 66C6 5127 54CC F2A6 9A72
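
A local pre-submission check for the kind of error described in problem d), a filter that ends in AND with nothing after it before REFINE. This is an added example, not part of the original post and not code from IRRtoolset or the RIPE database; it looks only for a missing right-hand operand and is not an RPSL parser, and the function and constant names are assumptions.

```python
import re

# Operators of the RPSL filter language that need an operand to their right.
NEEDS_RIGHT_OPERAND = {"AND", "OR", "NOT"}
# Tokens that end a filter or open a refinement; none is a valid operand.
NOT_AN_OPERAND = {";", ")", "}", "REFINE", "EXCEPT", "AND", "OR"}

# AS-path regexes (<...>) are kept whole; braces, parentheses and ';' stand alone.
TOKEN = re.compile(r"<[^>]*>|[{}();]|[^\s{}();<>]+")

def strip_comments(policy):
    """Drop RPSL comments, which run from '#' to the end of the line."""
    return "\n".join(line.split("#", 1)[0] for line in policy.splitlines())

def dangling_operators(policy):
    """Return (operator, next_token) for each AND/OR/NOT with no right operand."""
    tokens = TOKEN.findall(strip_comments(policy))
    findings = []
    for i, tok in enumerate(tokens):
        if tok.upper() not in NEEDS_RIGHT_OPERAND:
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else "<end of policy>"
        if nxt.upper() in NOT_AN_OPERAND or i + 1 == len(tokens):
            findings.append((tok, nxt))
    return findings

# Constructed input: the GRNET-clients filter from the post, shortened to one
# REFINE block and laid out one clause per line, plus the variant without the
# AS-path regex that the post reports was accepted.
AS_POSTED = """
afi any from prng-as5408-grnet-clients   # GRNET Clients
accept (PeerAS OR PeerAS:AS-TO-GRNET) AND <^PeerAS+PeerAS:AS-TO-GRNET*$>;
REFINE {
   from AS-ANY action pref=100; accept community.contains(5408:120);
   from AS-ANY action pref=100; accept ANY;
}
"""
BROKEN = AS_POSTED.replace(" <^PeerAS+PeerAS:AS-TO-GRNET*$>;", "")

if __name__ == "__main__":
    for name, policy in (("as posted", AS_POSTED), ("broken", BROKEN)):
        print(name, dangling_operators(policy) or "no dangling operators")
```
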