IRRtoolset 4.8.2 and RPSLng
Dimitrios Kalogeras dkalo at noc.ntua.gr
Tue Feb 15 16:38:39 CET 2005
Hi to all of you,
I apologize for the cross posting but I believe this is of interest to
all of you.
We have noticed some problems with the IRRtoolset regarding the
interpretation of RPSLng from RtConfig.
The command used for Rtconfig is :
RtConfig -h whois.ripe.net -p 43 -protocol ripe -cisco_use_prefix_lists
A small template used for RtConfig was :
@RtConfig set cisco_map_first_no = 10
@RtConfig set cisco_map_increment_by = 10
@RtConfig set cisco_max_preference = 220
! Parameters
@RtConfig set cisco_prefix_acl_no = 130
@RtConfig set cisco_aspath_acl_no = 130
@RtConfig set cisco_pktfilter_acl_no = 130
@RtConfig set cisco_community_acl_no = 130
@RtConfig set cisco_access_list_no = 130
! ***** Specify each peer's incoming filter ****
! GEANT
@RtConfig set cisco_map_name = "bgp-geant-%d-%d-in"
@RtConfig import AS5408 195.251.27.255 AS20965 62.40.103.57
@RtConfig set cisco_map_name = "bgp-geant-%d-%d-out"
@RtConfig export AS5408 195.251.27.255 AS20965 62.40.103.57
@RtConfig set cisco_map_name = "bgp-geant-bkp-%d-%d-in"
@RtConfig import AS5408 195.251.27.255 AS20965 62.40.103.201
@RtConfig set cisco_map_name = "bgp-geant-bkp-%d-%d-out"
@RtConfig export AS5408 195.251.27.255 AS20965 62.40.103.201
Problems:
a) In lines with mp-import and afi ipv4.unicast there is error
generation although the RIPE RPSLng accepts the object !!!
In some cases if we download the object and execute the
RtConfig -h whois.ripe.net -p 43 -protocol ripe -cisco_use_prefix_lists
-f < saved object
there is no problem !!!
b) When we use the switch -cisco_eliminate_dup_map_parts the result is
wrong when the policy has multiple address_families defined.
c) It is not possible to generate route-maps when the template have IPv6
address like "
@RtConfig export AS5408 2001:648:2FFF:1:: AS20965 2001:798:2017:10AA::1
if in the RIPE as object we have defined our on IPv6 attachment point.
Instead to in order to generate IPv6 route maps we define
@RtConfig export AS5408 195.251.27.255 AS20965 2001:798:2017:10AA::1
int the RtConfig templates !!!
This results in Ipv6 route-maps generated !!
d) The RPSLng robot of RIPE is broken. We intentionally provide a wrong
object and the RIPE robot passed it without a problem !!!
In our definition
....
mp-import: # GRNET Clients -------------------------------------------
# Import Policy:
# Accept all routes that:
# (a) has the appropriate AS path and
# (b) originates from the client (or someone behind the client)
# For these routes, according to the advertised communities:
# (i) set the appropriate local preference and
# (ii) prepend
#---------------------------------------------------------------------
afi any
from prng-as5408-grnet-clients
accept (PeerAS OR PeerAS:AS-TO-GRNET)
AND
<^PeerAS+PeerAS:AS-TO-GRNET*$>;
REFINE {
from AS-ANY action pref=100; accept community.contains(5408:120);
from AS-ANY action pref=110; accept community.contains(5408:110);
from AS-ANY action pref=111; accept community.contains(5408:109);
from AS-ANY action pref=100; accept ANY;
} REFINE {
from AS-ANY action
aspath.prepend(AS5408,AS5408,AS5408,AS5408,AS5408);
accept community.contains(5408:2005);
from AS-ANY action aspath.prepend(AS5408,AS5408,AS5408);
accept community.contains(5408:2003);
from AS-ANY accept ANY;
}
When we provided
....
mp-import: # GRNET Clients -------------------------------------------
# Import Policy:
# Accept all routes that:
# (a) has the appropriate AS path and
# (b) originates from the client (or someone behind the client)
# For these routes, according to the advertised communities:
# (i) set the appropriate local preference and
# (ii) prepend
#---------------------------------------------------------------------
afi any
from prng-as5408-grnet-clients
accept (PeerAS OR PeerAS:AS-TO-GRNET)
AND
REFINE {
from AS-ANY action pref=100; accept community.contains(5408:120);
from AS-ANY action pref=110; accept community.contains(5408:110);
from AS-ANY action pref=111; accept community.contains(5408:109);
from AS-ANY action pref=100; accept ANY;
} REFINE {
from AS-ANY action
aspath.prepend(AS5408,AS5408,AS5408,AS5408,AS5408);
accept community.contains(5408:2005);
from AS-ANY action aspath.prepend(AS5408,AS5408,AS5408);
accept community.contains(5408:2003);
from AS-ANY accept ANY;
}
responded in the webupdates with no errors !!!
Regards,
Dimitrios
.PS
Our current policy is in the RIPE database is :
aut-num: AS5408
as-name: GR-NET
descr: Greek Research and Technology Network
remarks: ##############################################################
+# ROUTING POLICY FOR GRNET #
+######################################################################
+
+
+ ===================================
+ BGP Communities supported by GRNET:
+ ===================================
+
+
+ List of all BGP communites used by GRNET:
+ -----------------------------------------
+ NO_EXPORT
+ NO_ADVERTISE
+ 5480:666 Blackhole this route (for /32 only)
+ 5408:120 Primary connection, choose first
+ 5408:110 Secondary connection, choose second
+ 5408:109 Trinary connection, choose third
+ 5408:2005 Prepend 5 times
+ 5408:4001 Do not announce to AIX
+ 5408:4005 Do not announce to GEANT
+ 5408:4010 Seeren Routes (export to RoEdunet)
+
+
+
+ BGP communities appended/removed automatically by GRNET:
+ --------------------------------------------------------
+ 5408:4001 is appended to all routes received by GEANT
+ 5408:4005 is appended to all routes received by AIX Peers
+ 5408:4010 is appended to all routes received by SEEREN Peers
+ 5408:4010 is removed from all non-Seeren routes received by GRNET
+
+
+ BGP communities available to GRNET clients:
+ -------------------------------------------
+ 5408:120 Primary connection, choose first
+ 5408:110 Secondary connection, choose second
+ 5408:109 Trinary connection, choose third
+ 5480:666 Blackhole this route (for /32 only)
+ 5408:2005 Prepend 5 times
+ 5408:4001 Do not announce to AIX
+ 5408:4005 Do not announce to GEANT
+ !!! NO OTHER 5408:* SHOULD BE USED BY GRNET CLIENTS !!!
+
+
+ BGP communities available to SEEREN Peers:
+ ------------------------------------------
+ 5480:666 Blackhole this route (for /32 only)
+ 5408:2005 Prepend 5 times
+ 5408:4001 Do not announce to AIX
+ 5408:4005 Do not announce to GEANT
+ !!! NO OTHER 5408:* SHOULD BE USED BY SEEREN Peers !!!
+
+
+ BGP communities available to AIX Peers:
+ ------------------------------------------
+ 5408:2005 Prepend 5 times
+ !!! NO OTHER 5408:* SHOULD BE USED BY AIX Peers !!!
+
+
+
+
+######################################################################
+
remarks: === IMPORT POLICY ============================================
+
mp-import: # iBGP (AS5408) -------------------------------------------
# accept all routes
# (Note: Although this is not described here,
# the border router with SEEREN clears 5408:4010 from iBGP)
#---------------------------------------------------------------------
afi any
from prng-as5408-ibgp
accept ANY;
mp-import: # GEANT AS20965 -------------------------------------------
# GEANT is the Internet Upstream for GRNET
# Import Policy:
# Accept all routes
# Set Local Preference 100 for primary, 90 for backup
# Append community for not announcement to AIX
#---------------------------------------------------------------------
# IPv4 unicast and multicast
afi ipv4
from AS20965 62.40.103.57
action pref=120; community.append(5408:4001);
from AS20965 62.40.103.201
action pref=130; community.append(5408:4001);
accept ANY;
mp-import: # IPv6 unicast
afi ipv6.unicast
from AS20965 2001:798:2017:10AA::1
action pref=120; community.append(5408:4001);
from AS20965 2001:798:2017:10AA::9
action pref=130; community.append(5408:4001);
accept ANY;
mp-import: # RoEdunet (AS2614) ---------------------------------------
# RoEdunet is the Backup Upstream for SEEREN peers only!
# Import Policy:
# Accept all ipv4 unicast routes
# Set Local Preference of RoEdunet routes to 50
#---------------------------------------------------------------------
afi ipv4.unicast
from AS2614
action pref=170;
accept ANY;
mp-import: # OteGlobe (AS12713) --------------------------------------
# Peering for Seeren SCS VPN purposes only
# Import Policy:
# Only allow connection networks (62.75.33.228/27),
# PE loopbacks (62.75.26.216/29) and CE loopbacks
#---------------------------------------------------------------------
afi ipv4.unicast
from AS12713
action pref=70; # High preference;
community.append(NO_ADVERTISE);
accept {62.75.33.228/27^+, 62.75.26.216/29^+,
147.91.0.112/32, 193.254.1.242/32,
194.141.252.13/32, 194.149.130.249/32};
mp-import: # Blackhole Routing for GRNET & SEEREN Clients ------------
# this command is not supported by RPSL and the RIPE database :-(
# we are implementing it, though
#---------------------------------------------------------------------
afi any.unicast
from AS-ANY
action community.append(NO_EXPORT);
# next-hop = x.x.x.x;
accept community.contains(5408:666) AND
(PeerAS OR PeerAS:AS-TO-GRNET) AND
{0.0.0.0/0^32} AND
<^PeerAS+PeerAS:AS-TO-GRNET*$>;
REFINE {
from prng-as5408-grnet-clients accept ANY;
from prng-as5408-seeren accept ANY;
}
mp-import: # GRNET Clients -------------------------------------------
# Import Policy:
# Accept all routes that:
# (a) has the appropriate AS path and
# (b) originates from the client (or someone behind the client)
# For these routes, according to the advertised communities:
# (i) set the appropriate local preference and
# (ii) prepend
#---------------------------------------------------------------------
afi any
from prng-as5408-grnet-clients
accept (PeerAS OR PeerAS:AS-TO-GRNET)
AND
<^PeerAS+PeerAS:AS-TO-GRNET*$>;
REFINE {
from AS-ANY action pref=100; accept community.contains(5408:120);
from AS-ANY action pref=110; accept community.contains(5408:110);
from AS-ANY action pref=111; accept community.contains(5408:109);
from AS-ANY action pref=100; accept ANY;
} REFINE {
from AS-ANY action
aspath.prepend(AS5408,AS5408,AS5408,AS5408,AS5408);
accept community.contains(5408:2005);
from AS-ANY action aspath.prepend(AS5408,AS5408,AS5408);
accept community.contains(5408:2003);
from AS-ANY accept ANY;
}
mp-import: # SEEREN Peers ---------------------------------------------
# Import Policy:
# Accept all ipv4 unicast and ipv6 unicast routes that
# (a) has the appropriate AS path and
# (b) originates from the peer (or someone behind that peer)
# For these routes, according to the advertised communities:
# (i) set the appropriate local preference
# (ii) append the community for announcement to RoEdunet and
# (ii) prepend
#---------------------------------------------------------------------
afi any.unicast
from prng-as5408-seeren
action pref=100; community.append(5408:4010);
accept (PeerAS OR PeerAS:AS-TO-GRNET) AND
<^PeerAS+PeerAS:AS-TO-GRNET*$>;
REFINE {
from AS-ANY action
aspath.prepend(AS5408,AS5408,AS5408,AS5408,AS5408);
accept community.contains(5408:2005);
from AS-ANY action aspath.prepend(AS5408,AS5408,AS5408);
accept community.contains(5408:2003);
from AS-ANY accept ANY;
}
mp-import: # AIX Peers ------------------------------------------------
# Import Policy:
# Accept all routes that
# (a) has the appropriate AS path and
# (b) originates from the peer (or someone behind that peer)
# For these routes, according to the advertised communities:
# (i) set the appropriate local preference
# (ii) append the community for not announcement to Geant and
# (ii) prepend
#---------------------------------------------------------------------
afi ipv4
from prng-as5408-aix
action pref=100; community.append(5408:4005);
accept (PeerAS OR PeerAS:AS-TO-AIX) AND
<^PeerAS+PeerAS:AS-TO-AIX*$>;
REFINE {
from AS-ANY action
aspath.prepend(AS5408,AS5408,AS5408,AS5408,AS5408);
accept community.contains(5408:2005);
from AS-ANY action aspath.prepend(AS5408,AS5408,AS5408);
accept community.contains(5408:2003);
from AS-ANY accept ANY;
}
mp-import: # K-ROOT mirror @ AIX --------------------------------------
# Import Policy:
# Accept K-Root routes and
# append the community for not announcement to GEANT
#---------------------------------------------------------------------
afi ipv4.unicast
from AS25152
action pref=100; community.append(5408:4005);
accept {193.0.14.0/24, 195.251.59.0/28}
+
remarks: === EXPORT POLICY ============================================
+
mp-export: # iBGP (AS5408) --------------------------------------------
# Export Policy:
# Do not propagate RoEdunet routes via iBGP
#---------------------------------------------------------------------
afi any
to prng-as5408-ibgp
announce (NOT <^AS2614>);
EXCEPT {
to prng-as5408-ibgp-part
announce NOT community.contains(5408:4001);
}
mp-export: # GEANT (AS20965) ------------------------------------------
# Export Policy:
# Announce all routes except from those with community (5408:4005)
#---------------------------------------------------------------------
afi any
to AS20965
announce NOT community.contains(5408:4005);
mp-export: # RoEdunet (AS2614) ----------------------------------------
# RoEdunet is the Backup Upstream for SEEREN peers only!
# Export Policy:
# Announce only IPv4 unicast routes with 5408:4010 community
#---------------------------------------------------------------------
afi ipv4.unicast
to AS2614
announce community.contains(5408:4010);
mp-export: # OteGlobe (AS12713) Peering for Seeren VPN purposes -------
# Export Policy:
# Only announce CE loopback
#---------------------------------------------------------------------
afi ipv4.unicast
to AS12713
announce {194.177.210.40/32};
mp-export: # AIX Peers ------------------------------------------------
# Export Policy:
# Announce all routes except from those with community (5408:4001)
#---------------------------------------------------------------------
afi ipv4.unicast
to prng-as5408-aix
announce NOT community.contains(5408:4001);
mp-export: # GRNET Clients & Seeren Peers -----------------------------
# Export Policy:
# Announce either all routes or a partial routing table
#---------------------------------------------------------------------
afi any
to prng-as5408-grnet-firt
announce ANY;
EXCEPT {
to prng-as5408-grnet-part
announce NOT community.contains(5408:4001);
}
+
remarks: ##############################################################
+# END OF ROUTING POLICY FOR GRNET #
+######################################################################
+
admin-c: GN28-RIPE
tech-c: GN28-RIPE
mnt-by: GRNET-NOC
changed: D.Kalogeras at noc.ntua.gr 19990622
changed: D.Kalogeras at noc.ntua.gr 20031120
changed: D.Kalogeras at noc.ntua.gr 20031128
changed: D.Kalogeras at noc.ntua.gr 20031201
changed: A.Polyrakis at noc.ntua.gr 20031218
changed: A.Polyrakis at noc.ntua.gr 20041202
changed: A.Polyrakis at noc.ntua.gr 20050203
changed: D.Kalogeras at noc.ntua.gr 20050215
source: RIPE
--
--
Dimitrios K. Kalogeras
Electrical Engineer Ph.D.
Network Manager
NTUA/GR-Net Network Management Center
_____________________________________
icq: 11887484
voice: +30-210-772 1863
fax: +30-210-772 1866
e-mail: D.Kalogeras at noc.ntua.gr
pub 1024D/F2A69A72 2002-12-13 Dimitrios Kalogeras <D.Kalogeras at noc.ntua.gr>
Key fingerprint = 64C5 646D 8D33 A3FF 14D1 66C6 5127 54CC F2A6 9A72
[ rpslng Archives ]