diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 7848d7f5..d90382f6 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -68,9 +68,9 @@ jobs: run: | echo "$DOCKER_PASSWORD" | docker login --username "$DOCKER_USERNAME" --password-stdin docker pull pierky/bird:1.6.8 - docker pull pierky/bird:2.0.9 - docker pull pierky/openbgpd:7.3 + docker pull pierky/bird:2.0.10 docker pull pierky/openbgpd:7.4 + docker pull pierky/openbgpd:7.5 docker pull pierky/exabgp:4.2.7 docker pull nlnetlabs/routinator:v0.8.3 env: diff --git a/README.rst b/README.rst index ca994ac6..be0b5de3 100644 --- a/README.rst +++ b/README.rst @@ -43,7 +43,7 @@ How it works #. `Jinja2`_ built-in templates are used to render the final route server's configuration file. - Currently, **BIRD** (>= 1.6.3 up to 1.6.8), **BIRD v2** (starting from 2.0.7) and **OpenBGPD** (OpenBSD 6.1 up to 7.4 and also OpenBGPD Portable 6.5p1 up to 7.4) are supported, with almost `feature parity `__ between them. + Currently, **BIRD** (>= 1.6.3 up to 1.6.8), **BIRD v2** (starting from 2.0.7) and **OpenBGPD** (OpenBSD 6.1 up to 7.5 and also OpenBGPD Portable 6.5p1 up to 7.5) are supported, with almost `feature parity `__ between them. **Validation** and testing of the configurations generated with this tool are performed using the built-in **live tests** framework: `Docker`_ instances are used to simulate several scenarios and to validate the behaviour of the route server after configuring it with ARouteServer. More details on the `Live tests `__ section. diff --git a/config.d/arouteserver.yml b/config.d/arouteserver.yml index 5e4f05fd..73aa6c71 100644 --- a/config.d/arouteserver.yml +++ b/config.d/arouteserver.yml 
@@ -63,7 +63,7 @@ # Sources used by bgpq4/bgpq3. # (-S argument). -#bgpq3_sources: "RIPE,APNIC,AFRINIC,ARIN,NTTCOM,ALTDB,BBOI,BELL,JPIRR,LEVEL3,RADB,RGNET,TC" +#bgpq3_sources: "RIPE,APNIC,AFRINIC,ARIN,NTTCOM,ALTDB,BBOI,BELL,JPIRR,LEVEL3,RADB,TC" # Path to the program used to determine the RTT of peers. # diff --git a/config.d/general.yml b/config.d/general.yml index 21c949bf..aec641ef 100644 --- a/config.d/general.yml +++ b/config.d/general.yml @@ -70,10 +70,10 @@ cfg: gtsm: False # Use ADD-PATH (RFC7911). - # The route server will be configure as "able to send multiple + # The route server will be configured as "able to send multiple # paths to its peer". # - # OpenBGPD: not supported. + # OpenBGPD: supported only from version 7.5. # # Can be overwritten on a client-by-client basis. # diff --git a/docs/EXAMPLES.rst b/docs/EXAMPLES.rst index 01b55045..378e7756 100644 --- a/docs/EXAMPLES.rst +++ b/docs/EXAMPLES.rst @@ -111,7 +111,7 @@ A list of BGP communities is also automatically built. limitations Which BGP daemon will be used? [bird/openbgpd] bird - Which version? [1.6.3/1.6.4/1.6.6/1.6.7/1.6.8/2.0.7/2.0.7+b962967e/2.0.8/2.0.9] 1.6.8 + Which version? [1.6.3/1.6.4/1.6.6/1.6.7/1.6.8/2.0.7/2.0.7+b962967e/2.0.8/2.0.9/2.0.10] 1.6.8 Router server's ASN =================== diff --git a/docs/FEATURES.rst b/docs/FEATURES.rst index 0a2fe76c..ddb21f7b 100644 --- a/docs/FEATURES.rst +++ b/docs/FEATURES.rst 
@@ -33,7 +33,7 @@ How it works #. `Jinja2`_ built-in templates are used to render the final route server's configuration file. - Currently, **BIRD** (>= 1.6.3 up to 1.6.8), **BIRD v2** (starting from 2.0.7) and **OpenBGPD** (OpenBSD 6.1 up to 7.4 and also OpenBGPD Portable 6.5p1 up to 7.4) are supported, with almost `feature parity `__ between them. + Currently, **BIRD** (>= 1.6.3 up to 1.6.8), **BIRD v2** (starting from 2.0.7) and **OpenBGPD** (OpenBSD 6.1 up to 7.5 and also OpenBGPD Portable 6.5p1 up to 7.5) are supported, with almost `feature parity `__ between them. **Validation** and testing of the configurations generated with this tool are performed using the built-in **live tests** framework: `Docker`_ instances are used to simulate several scenarios and to validate the behaviour of the route server after configuring it with ARouteServer. More details on the `Live tests `__ section. diff --git a/docs/GENERAL.rst b/docs/GENERAL.rst index 756606a1..67781852 100644 --- a/docs/GENERAL.rst +++ b/docs/GENERAL.rst @@ -134,11 +134,11 @@ General options: ``cfg`` - ``add_path``: Use ADD-PATH (RFC7911). - The route server will be configure as "able to send multiple + The route server will be configured as "able to send multiple paths to its peer". - OpenBGPD: not supported. + OpenBGPD: supported only from version 7.5. Can be overwritten on a client-by-client basis. diff --git a/docs/SUPPORTED_SPEAKERS_CI.txt b/docs/SUPPORTED_SPEAKERS_CI.txt index 929b4467..5ba9a7db 100644 --- a/docs/SUPPORTED_SPEAKERS_CI.txt +++ b/docs/SUPPORTED_SPEAKERS_CI.txt @@ -7,7 +7,7 @@ Total test cases per BGP speaker **BGP speaker** **Total** **Passed ✔** **Failed ✖** **Skipped** BIRD 816 807 0 9 BIRD v2 820 811 0 9 -OpenBGPD 7.4 442 435 0 7 +OpenBGPD 7.5 442 439 0 3 =============== ========= ============ ============ =========== Scenarios 
@@ -17,7 +17,7 @@ Scenarios ++++++++++++++++++++++++++++++++++ ========================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** AS_PATH too long ✔ ✔ ✔ RPKI INVALID route ✔ ✔ ✔ bogon prefix ✔ ✔ ✔ @@ -44,7 +44,7 @@ transit-free ASN in AS_PATH ✔ ✔ ✔ ++++++++++++++++++++++++++++++++++ ========================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** AS_PATH too long ✔ ✔ ✔ RPKI INVALID route ✔ ✔ ✔ bogon prefix ✔ ✔ ✔ @@ -71,7 +71,7 @@ BGP communities, IPv4 +++++++++++++++++++++ =============================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** announce to AS1 only (ext) ✔ ✔ ✔ announce to AS1 only (lrg) ✔ ✔ ✔ announce to AS1 only (std) ✔ ✔ ✔ @@ -89,7 +89,7 @@ BGP communities, IPv6 +++++++++++++++++++++ =============================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** announce to AS1 only (ext) ✔ ✔ ✔ announce to AS1 only (lrg) ✔ ✔ ✔ announce to AS1 only (std) ✔ ✔ ✔ @@ -107,7 +107,7 @@ BOV custom comms, IPv4 ++++++++++++++++++++++ =================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** RPKI, AS2 invalid prefix, bad ASN ✔ ✔ RPKI, AS2 valid prefix, exact match ✔ ✔ log contains errors ✔ ✔ @@ -118,7 +118,7 @@ BOV custom comms, IPv6 ++++++++++++++++++++++ =================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** RPKI, AS2 invalid prefix, bad ASN ✔ ✔ RPKI, AS2 valid prefix, exact match ✔ ✔ log contains errors ✔ ✔ 
@@ -129,7 +129,7 @@ RPKI INVALID tagging, IPv4 ++++++++++++++++++++++++++ ==================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** RPKI, AS2 invalid prefix, bad ASN ✔ ✔ RPKI, AS2 invalid prefix, bad length ✔ ✔ RPKI, AS2 unknown prefix ✔ ✔ @@ -148,7 +148,7 @@ RPKI INVALID tagging, IPv6 ++++++++++++++++++++++++++ ==================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** RPKI, AS2 invalid prefix, bad ASN ✔ ✔ RPKI, AS2 invalid prefix, bad length ✔ ✔ RPKI, AS2 unknown prefix ✔ ✔ @@ -167,7 +167,7 @@ RTR protocol ++++++++++++ ================================================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** check the RTR session is up ✔ ✔ log contains errors ✔ ✔ restart OpenBGPD to speed up RTR session establishment ✔ @@ -181,7 +181,7 @@ default config, IPv4 ++++++++++++++++++++ =================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** log contains errors ✔ ✔ ✔ =================== ======== =========== ================ @@ -189,7 +189,7 @@ default config, IPv6 ++++++++++++++++++++ =================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** log contains errors ✔ ✔ ✔ =================== ======== =========== ================ @@ -197,7 +197,7 @@ examples, rich config, IPv4 +++++++++++++++++++++++++++ =================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** log contains errors ✔ ✔ ✔ =================== ======== =========== ================ 
@@ -205,7 +205,7 @@ examples, rich config, IPv6 +++++++++++++++++++++++++++ =================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** log contains errors ✔ ✔ ✔ =================== ======== =========== ================ @@ -213,7 +213,7 @@ global scenario, IPv4 +++++++++++++++++++++ =============================================================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** RPKI, blackhole request for a covered prefix ✔ ✔ ✔ RPKI, invalid prefix (bad ASN) not propagated to clients ✔ ✔ ✔ RPKI, invalid prefix (bad ASN) received by rs ✔ ✔ ✔ @@ -295,7 +295,7 @@ prefixes received by clients: AS1_1 prefixes received by clients: AS1_2 ✔ ✔ ✔ prefixes received by clients: AS2 ✔ ✔ ✔ prefixes received by clients: AS3 ✔ ✔ ✔ -prefixes received by clients: AS3 (with ADD-PATH) ✔ ✔ skip +prefixes received by clients: AS3 (with ADD-PATH) ✔ ✔ ✔ reconfigure ✔ ✔ ✔ session configured via local include files ✔ ✔ ✔ =============================================================================== ======== =========== ================ @@ -304,7 +304,7 @@ global scenario, IPv4, tag ++++++++++++++++++++++++++ =============================================================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** RPKI, blackhole request for a covered prefix ✔ ✔ RPKI, invalid prefix (bad ASN) not propagated to clients ✔ ✔ RPKI, invalid prefix (bad ASN) received by rs ✔ ✔ 
@@ -395,7 +395,7 @@ global scenario, IPv4, tag&reject +++++++++++++++++++++++++++++++++ =============================================================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** RPKI, blackhole request for a covered prefix ✔ ✔ RPKI, invalid prefix (bad ASN) not propagated to clients ✔ ✔ RPKI, invalid prefix (bad ASN) received by rs ✔ ✔ @@ -486,7 +486,7 @@ global scenario, IPv6 +++++++++++++++++++++ =============================================================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** RPKI, blackhole request for a covered prefix ✔ ✔ ✔ RPKI, invalid prefix (bad ASN) not propagated to clients ✔ ✔ ✔ RPKI, invalid prefix (bad ASN) received by rs ✔ ✔ ✔ @@ -568,7 +568,7 @@ prefixes received by clients: AS1_1 prefixes received by clients: AS1_2 ✔ ✔ ✔ prefixes received by clients: AS2 ✔ ✔ ✔ prefixes received by clients: AS3 ✔ ✔ ✔ -prefixes received by clients: AS3 (with ADD-PATH) ✔ ✔ skip +prefixes received by clients: AS3 (with ADD-PATH) ✔ ✔ ✔ reconfigure ✔ ✔ ✔ session configured via local include files ✔ ✔ ✔ =============================================================================== ======== =========== ================ @@ -577,7 +577,7 @@ global scenario, IPv6, tag ++++++++++++++++++++++++++ =============================================================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** RPKI, blackhole request for a covered prefix ✔ ✔ RPKI, invalid prefix (bad ASN) not propagated to clients ✔ ✔ RPKI, invalid prefix (bad ASN) received by rs ✔ ✔ 
@@ -668,7 +668,7 @@ global scenario, IPv6, tag&reject +++++++++++++++++++++++++++++++++ =============================================================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** RPKI, blackhole request for a covered prefix ✔ ✔ RPKI, invalid prefix (bad ASN) not propagated to clients ✔ ✔ RPKI, invalid prefix (bad ASN) received by rs ✔ ✔ @@ -759,7 +759,7 @@ gshut, IPv4 +++++++++++ ==================================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** clients receive routes tagged with GRACEFUL_SHUTDOWN ✔ ✔ ✔ log contains errors ✔ ✔ ✔ reconfigure ✔ ✔ ✔ @@ -769,7 +769,7 @@ gshut, IPv6 +++++++++++ ==================================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** clients receive routes tagged with GRACEFUL_SHUTDOWN ✔ ✔ ✔ log contains errors ✔ ✔ ✔ reconfigure ✔ ✔ ✔ @@ -779,7 +779,7 @@ hooks example, IPv4 +++++++++++++++++++ =================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** log contains errors ✔ =================== ======== =========== ================ @@ -787,7 +787,7 @@ hooks example, IPv6 +++++++++++++++++++ =================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** log contains errors ✔ =================== ======== =========== ================ 
@@ -795,7 +795,7 @@ max-prefix, IPv4 ++++++++++++++++ ================================================================ ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** AS5 session is down (max-prefix hit, action == shutdown) ✔ ✔ clients log max-prefix notification ✔ log contains errors ✔ ✔ ✔ @@ -815,7 +815,7 @@ max-prefix, IPv6 ++++++++++++++++ ================================================================ ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** AS5 session is down (max-prefix hit, action == shutdown) ✔ ✔ clients log max-prefix notification ✔ log contains errors ✔ ✔ ✔ @@ -835,10 +835,10 @@ path hiding, mitigation off, IPv4 +++++++++++++++++++++++++++++++++ =================================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** AS1 wants rs to not announce to AS3 and AS4 ✔ ✔ ✔ AS3 does not receive prefix at all ✔ ✔ ✔ -AS4 receives the prefix via AS2 because of ADD-PATH ✔ ✔ skip +AS4 receives the prefix via AS2 because of ADD-PATH ✔ ✔ ✔ log contains errors ✔ ✔ ✔ reconfigure ✔ ✔ ✔ rs should have best toward AS1 ✔ ✔ ✔ @@ -849,10 +849,10 @@ path hiding, mitigation off, IPv6 +++++++++++++++++++++++++++++++++ =================================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** AS1 wants rs to not announce to AS3 and AS4 ✔ ✔ ✔ AS3 does not receive prefix at all ✔ ✔ ✔ -AS4 receives the prefix via AS2 because of ADD-PATH ✔ ✔ skip +AS4 receives the prefix via AS2 because of ADD-PATH ✔ ✔ ✔ log contains errors ✔ ✔ ✔ reconfigure ✔ ✔ ✔ rs should have best toward AS1 ✔ ✔ ✔ 
@@ -863,7 +863,7 @@ path hiding, mitigation on, IPv4 ++++++++++++++++++++++++++++++++ ======================================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** 2nd best is withdrawn and AS3 should not see it anymore skip skip ✔ AS1 wants rs to not announce to AS3 and AS4 ✔ ✔ ✔ AS3 and AS4 don't receive prefix via AS1 ✔ ✔ ✔ @@ -878,7 +878,7 @@ path hiding, mitigation on, IPv6 ++++++++++++++++++++++++++++++++ ======================================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** 2nd best is withdrawn and AS3 should not see it anymore skip skip ✔ AS1 wants rs to not announce to AS3 and AS4 ✔ ✔ ✔ AS3 and AS4 don't receive prefix via AS1 ✔ ✔ ✔ @@ -893,7 +893,7 @@ tag prefix/origin empty AS-SET, IPv4 ++++++++++++++++++++++++++++++++++++ ====================================================================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** AS2 ARIN Whois DB: tag only (w/o prefix_validated_via_arin_whois_db_dump) ✔ ✔ ✔ AS2 ROA + ARIN Whois DB: tag only (w/o comms [arin_whois_db_dump, rpki_roas]) ✔ ✔ ✔ AS2 RPKI ROAs as route objects: tag only (w/o prefix_validated_via_rpki_roas) ✔ ✔ ✔ 
@@ -935,7 +935,7 @@ tag prefix/origin empty AS-SET, IPv6 ++++++++++++++++++++++++++++++++++++ ====================================================================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** AS2 ARIN Whois DB: tag only (w/o prefix_validated_via_arin_whois_db_dump) ✔ ✔ ✔ AS2 ROA + ARIN Whois DB: tag only (w/o comms [arin_whois_db_dump, rpki_roas]) ✔ ✔ ✔ AS2 RPKI ROAs as route objects: tag only (w/o prefix_validated_via_rpki_roas) ✔ ✔ ✔ @@ -977,7 +977,7 @@ tag prefix/origin in AS-SET, IPv4 +++++++++++++++++++++++++++++++++ ======================================================================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** AS2 ARIN Whois DB: tag only (w/ prefix_validated_via_arin_whois_db_dump) ✔ ✔ ✔ AS2 ROA + ARIN Whois DB: tag only (w/ comms [arin_whois_db_dump, rpki_roas]) ✔ ✔ ✔ AS2 RPKI ROAs as route objects: tag only (w/ prefix_validated_via_rpki_roas) ✔ ✔ ✔ @@ -1028,7 +1028,7 @@ tag prefix/origin in AS-SET, IPv6 +++++++++++++++++++++++++++++++++ ======================================================================================== ======== =========== ================ -**Test** **BIRD** **BIRD v2** **OpenBGPD 7.4** +**Test** **BIRD** **BIRD v2** **OpenBGPD 7.5** AS2 ARIN Whois DB: tag only (w/ prefix_validated_via_arin_whois_db_dump) ✔ ✔ ✔ AS2 ROA + ARIN Whois DB: tag only (w/ comms [arin_whois_db_dump, rpki_roas]) ✔ ✔ ✔ AS2 RPKI ROAs as route objects: tag only (w/ prefix_validated_via_rpki_roas) ✔ ✔ ✔ diff --git a/docs/SUPPORTED_SPEAKERS_FEATURES.txt b/docs/SUPPORTED_SPEAKERS_FEATURES.txt index 7ee90484..2ff9b185 100644 --- a/docs/SUPPORTED_SPEAKERS_FEATURES.txt +++ b/docs/SUPPORTED_SPEAKERS_FEATURES.txt 
@@ -76,7 +76,7 @@ GTSM (Generalized TTL Security Mechanism) Yes Yes ---------------------------------------------------------- ------------ ------------ ------------ ------------ Multihop sessions Yes :sup:`2` Yes :sup:`2` Yes Yes ---------------------------------------------------------- ------------ ------------ ------------ ------------ -ADD_PATH capability (RFC7911) Yes Yes N/A N/A +ADD_PATH capability (RFC7911) Yes Yes Yes Yes ---------------------------------------------------------- ------------ ------------ ------------ ------------ ========================================================== ============ ============ ============ ============ diff --git a/examples/auto-config/README.rst b/examples/auto-config/README.rst index 5497722c..18da2eaa 100644 --- a/examples/auto-config/README.rst +++ b/examples/auto-config/README.rst @@ -22,7 +22,7 @@ A list of BGP communities is also automatically built. limitations Which BGP daemon will be used? [bird/openbgpd] bird - Which version? [1.6.3/1.6.4/1.6.6/1.6.7/1.6.8/2.0.7/2.0.7+b962967e/2.0.8/2.0.9] 1.6.8 + Which version? [1.6.3/1.6.4/1.6.6/1.6.7/1.6.8/2.0.7/2.0.7+b962967e/2.0.8/2.0.9/2.0.10] 1.6.8 Router server's ASN =================== diff --git a/examples/auto-config/bird4.conf b/examples/auto-config/bird4.conf index 63533e28..8ba00d76 100644 --- a/examples/auto-config/bird4.conf +++ b/examples/auto-config/bird4.conf 
@@ -65,7 +65,7 @@ define AS_SET_AS_RIPENCC_asns = [ define AS_SET_AS_RIPENCC_prefixes_4 = [ 23.128.24.0/24{24,32}, 27.0.0.0/24{24,32}, 27.50.0.0/22{22,32}, 39.0.1.0/24{24,32}, - 84.205.64.0/19{24,32}, 89.116.100.0/24{24,32}, 93.175.144.0/24{24,32}, 93.175.146.0/23{24,32}, + 84.205.64.0/19{24,32}, 89.116.100.0/24{24,32}, 93.175.144.0/24{24,32}, 93.175.146.0/24{24,32}, 93.175.148.0/22{24,32}, 93.175.152.0/23{24,32}, 103.1.0.0/22{22,32}, 103.1.4.0/24{24,32}, 106.0.1.0/24{24,32}, 193.0.0.0/21{21,32}, 193.0.10.0/23{23,32}, 193.0.12.0/23{23,32}, 193.0.18.0/23{23,32}, 193.0.20.0/22{23,32}, 193.0.24.0/21{21,32} @@ -74,10 +74,10 @@ define AS_SET_AS_RIPENCC_prefixes_4 = [ # ARIN Whois database records define ARIN_Whois_db_AS10745_4 = [ - 199.43.0.0/24{24,32}, 192.136.136.0/24{24,32}, 192.149.252.0/24{24,32} + 192.136.136.0/24{24,32}, 199.43.0.0/24{24,32}, 192.149.252.0/24{24,32} ]; define ARIN_Whois_db_AS12654_4 = [ - 23.128.124.0/24{24,32}, 23.128.24.0/24{24,32}, 23.128.125.0/24{24,32}, 23.128.25.0/24{24,32} + 23.128.25.0/24{24,32}, 23.128.124.0/24{24,32}, 23.128.125.0/24{24,32}, 23.128.24.0/24{24,32} ]; 
@@ -813,7 +813,7 @@ filter receive_from_AS10745_1 { { tag_and_reject(8, 10745); reject "AS_PATH [", bgp_path ,"] contains transit-free ASN - REJECTING ", net; } # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 
18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then { tag_and_reject(15, 10745); reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; } 
@@ -1035,7 +1035,7 @@ filter receive_from_AS3333_1 { { tag_and_reject(8, 3333); reject "AS_PATH [", bgp_path ,"] contains transit-free ASN - REJECTING ", net; } # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 
18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then { tag_and_reject(15, 3333); reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; } diff --git a/examples/auto-config/openbgpd.conf b/examples/auto-config/openbgpd.conf index 86cfdae8..8f59a10a 100644 --- a/examples/auto-config/openbgpd.conf +++ b/examples/auto-config/openbgpd.conf @@ -71,7 +71,7 @@ prefix-set "AS_SET_AS_RIPENCC_prefixes" { 84.205.64.0/19 prefixlen 24 - 32 89.116.100.0/24 prefixlen 24 - 32 93.175.144.0/24 prefixlen 24 - 32 - 93.175.146.0/23 prefixlen 24 - 32 + 93.175.146.0/24 prefixlen 24 - 32 93.175.148.0/22 prefixlen 24 - 32 93.175.152.0/23 prefixlen 24 - 32 103.1.0.0/22 prefixlen 22 - 32 
@@ -85,7 +85,7 @@ prefix-set "AS_SET_AS_RIPENCC_prefixes" { 193.0.24.0/21 prefixlen 21 - 32 2001:67c:64::/48 prefixlen 48 - 128 2001:67c:2e8::/48 prefixlen 48 - 128 - 2001:7fb:fd02::/47 prefixlen 48 - 128 + 2001:7fb:fd02::/48 prefixlen 48 - 128 2001:7fb:fd04::/48 prefixlen 48 - 128 2001:7fb:fe00::/45 prefixlen 48 - 128 2001:7fb:fe0a::/47 prefixlen 48 - 128 
@@ -237,7 +237,7 @@ prefix-set "bogons" { # never via route-servers ASNs as-set "neverviarouteserver" { - 92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338 + 92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 
35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338 } # ===================================================================================== diff --git a/examples/bird_hooks/bird4.conf b/examples/bird_hooks/bird4.conf index 8af9506b..ed2b876f 100644 --- a/examples/bird_hooks/bird4.conf +++ b/examples/bird_hooks/bird4.conf 
@@ -567,7 +567,7 @@ filter receive_from_AS10745_1 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; 
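Review bot: The comment above the replaced `if bgp_path ~ [...]` line in `receive_from_AS10745_1` still reads only `# AS_PATH: never via route-servers ASNs`, with no source or retrieval date for the list, yet this update stops rejecting paths that contain 15 ASNs (13760, 52946, 52965, 52973, 146904, 200807, 208548, 263328, 268772, 268952, 269535, 269574, 270653, 270796, 271203) and starts rejecting 6 new ones (24800, 49922, 61756, 206275, 267561, 272124). Since this filter decides which announcements the route server accepts, please record where the list comes from and when it was fetched, in the generated comment or in the commit message, so a reviewer can tell an intended upstream change from a partial or failed fetch.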
@@ -769,7 +769,7 @@ filter receive_from_AS3333_1 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; diff --git a/examples/bird_hooks/bird6.conf b/examples/bird_hooks/bird6.conf index 4cf41078..148466bb 100644 --- a/examples/bird_hooks/bird6.conf +++ b/examples/bird_hooks/bird6.conf 
@@ -605,7 +605,7 @@ filter receive_from_AS10745_2 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; diff --git a/examples/default/bird4.conf b/examples/default/bird4.conf index 9ad5c00a..eae2f694 100644 --- a/examples/default/bird4.conf +++ b/examples/default/bird4.conf 
@@ -301,7 +301,7 @@ filter receive_from_AS10745_1 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; 
@@ -465,7 +465,7 @@ filter receive_from_AS3333_1 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; diff --git a/examples/default/bird6.conf b/examples/default/bird6.conf index 724b7936..38dbc473 100644 --- a/examples/default/bird6.conf +++ b/examples/default/bird6.conf 
@@ -339,7 +339,7 @@ filter receive_from_AS10745_2 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; diff --git a/examples/default/bird_v2.conf b/examples/default/bird_v2.conf index 016d0074..0a70c86f 100644 --- a/examples/default/bird_v2.conf +++ b/examples/default/bird_v2.conf 
@@ -419,7 +419,7 @@ filter receive_from_AS10745_1 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; 
@@ -594,7 +594,7 @@ filter receive_from_AS10745_2 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; 
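Review bot: The full ASN literal in `receive_from_AS10745_2` is one of three in-place copies of the same list in this file (the hunks at -419 and -773 carry the identical `+` line), so every list refresh rewrites one very long line per filter, and a copy that is missed would leave filters enforcing different sets. Consider emitting the list once as a named set and referencing it from each `receive_from_*` filter, the way the OpenBGPD output keeps a single `as-set "neverviarouteserver"`; a refresh then changes one line per file and the filters cannot drift apart.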
@@ -773,7 +773,7 @@ filter receive_from_AS3333_1 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; diff --git a/examples/default/openbgpd.conf b/examples/default/openbgpd.conf index c30df96f..14dc1d43 100644 --- a/examples/default/openbgpd.conf +++ b/examples/default/openbgpd.conf 
@@ -185,7 +185,7 @@ prefix-set "bogons" { # never via route-servers ASNs as-set "neverviarouteserver" { - 92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338 + 92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 
35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338 } # ===================================================================================== diff --git a/examples/default/template-context b/examples/default/template-context index c8703078..b96372e0 100644 --- a/examples/default/template-context +++ b/examples/default/template-context @@ -1050,31 +1050,22 @@ registrobr_whois_db_records never_via_route_servers_asns ---------------------------- +- 34209 - 6079 -- 7843 -- 1299 -- 3257 - 3265 +- 11670 - 8607 -- 6805 - 12322 - 6730 - 13030 - 3320 -- 1273 - 174 - 680 +- 8455 - 2152 -- 6830 - 3292 -- 5511 -- 8365 +- 35836 - 21396 -- 8075 -- 39326 -- 6908 -- 11164 -- 5432 - 2914 - 29169 - 16509 
@@ -1082,56 +1073,69 @@ never_via_route_servers_asns - 20161 - 11260 - 34108 +- 7843 - 20115 - 39651 -- 48237 - 9908 - 15692 -- 47377 - 10013 - 8943 - 5391 +- 48237 - 37271 -- 714 - 12353 -- 8455 +- 6908 - 40029 -- 57433 -- 57866 +- 6830 - 36459 -- 52965 -- 7155 -- 13760 -- 263328 +- 51530 +- 1273 +- 57433 +- 39326 +- 27947 +- 714 +- 62567 +- 8075 +- 3257 +- 11164 - 12822 +- 35900 +- 5511 +- 7155 +- 6805 +- 47377 +- 57866 - 46450 -- 17012 - 263801 +- 17012 - 63290 +- 8365 +- 5432 - 278 -- 62567 - 202793 - 33983 - 134022 +- 43470 - 3754 +- 3630 - 135706 - 264424 - 132563 -- 11670 -- 3630 - 7862 - 48408 +- 137207 - 24282 -- 52973 - 265630 - 37529 - 131996 - 132829 -- 27947 -- 34209 +- 19237 +- 23961 - 263856 - 135848 -- 19237 +- 147059 +- 24800 +- 62623 - 137610 - 34587 - 138023 @@ -1142,15 +1146,14 @@ never_via_route_servers_asns - 396477 - 262191 - 54295 +- 18520 +- 14295 - 138953 -- 268952 - 58768 - 1955 - 328572 - 49127 - 393573 -- 18520 -- 14295 - 393684 - 269156 - 207353 @@ -1158,7 +1161,6 @@ never_via_route_servers_asns - 270544 - 328582 - 267442 -- 269535 - 48265 - 328445 - 60412 @@ -1169,24 +1171,18 @@ never_via_route_servers_asns - 57468 - 212953 - 270407 -- 269574 - 133317 - 271053 - 270828 - 271172 -- 271203 -- 270653 -- 62623 - 140287 - 212706 - 212623 -- 43470 - 269367 - 36165 - 202561 - 213202 - 141120 -- 35836 - 141411 - 262888 - 131398 @@ -1195,33 +1191,29 @@ never_via_route_servers_asns - 53859 - 269654 - 141892 +- 1299 - 267214 - 62164 - 263686 - 269906 -- 52946 -- 200807 - 30967 - 141091 - 11290 - 141140 - 271200 - 13032 -- 51530 - 31764 - 142369 -- 137207 -- 270796 - 142348 - 23888 +- 398203 - 141856 - 146846 - 146958 -- 398203 - 139667 +- 49922 - 47583 - 60757 -- 268772 - 269512 - 141134 - 212539 @@ -1229,7 +1221,6 @@ never_via_route_servers_asns - 55244 - 49910 - 92 -- 147059 - 136874 - 40063 - 149296 
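Review bot: the never_via_route_servers_asns list in examples/default/template-context is written in an unstable order, so across these hunks entries such as 7843, 1299 and 3257 appear as both a removal and an addition, and the genuine changes (for example the new 24800 and 49922) are hard to pick out from the moves. Sort the list numerically before rendering the template context, as the generated BIRD and OpenBGPD configurations in this patch already do for the same set, so that a data refresh shows only real additions and removals.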
@@ -1237,17 +1228,17 @@ never_via_route_servers_asns - 210030 - 51630 - 272018 -- 146904 - 396304 - 269190 -- 208548 -- 35900 - 265337 - 201978 - 208425 - 212512 - 142164 - 149663 -- 23961 - 149826 - 210715 +- 206275 +- 272124 +- 61756 +- 267561 diff --git a/examples/default/template-context4 b/examples/default/template-context4 index 7bc6b599..05cfde4a 100644 --- a/examples/default/template-context4 +++ b/examples/default/template-context4 @@ -1020,31 +1020,22 @@ registrobr_whois_db_records never_via_route_servers_asns ---------------------------- +- 34209 - 6079 -- 7843 -- 1299 -- 3257 - 3265 +- 11670 - 8607 -- 6805 - 12322 - 6730 - 13030 - 3320 -- 1273 - 174 - 680 +- 8455 - 2152 -- 6830 - 3292 -- 5511 -- 8365 +- 35836 - 21396 -- 8075 -- 39326 -- 6908 -- 11164 -- 5432 - 2914 - 29169 - 16509 @@ -1052,56 +1043,69 @@ never_via_route_servers_asns - 20161 - 11260 - 34108 +- 7843 - 20115 - 39651 -- 48237 - 9908 - 15692 -- 47377 - 10013 - 8943 - 5391 +- 48237 - 37271 -- 714 - 12353 -- 8455 +- 6908 - 40029 -- 57433 -- 57866 +- 6830 - 36459 -- 52965 -- 7155 -- 13760 -- 263328 +- 51530 +- 1273 +- 57433 +- 39326 +- 27947 +- 714 +- 62567 +- 8075 +- 3257 +- 11164 - 12822 +- 35900 +- 5511 +- 7155 +- 6805 +- 47377 +- 57866 - 46450 -- 17012 - 263801 +- 17012 - 63290 +- 8365 +- 5432 - 278 -- 62567 - 202793 - 33983 - 134022 +- 43470 - 3754 +- 3630 - 135706 - 264424 - 132563 -- 11670 -- 3630 - 7862 - 48408 +- 137207 - 24282 -- 52973 - 265630 - 37529 - 131996 - 132829 -- 27947 -- 34209 +- 19237 +- 23961 - 263856 - 135848 -- 19237 +- 147059 +- 24800 +- 62623 - 137610 - 34587 - 138023 @@ -1112,15 +1116,14 @@ never_via_route_servers_asns - 396477 - 262191 - 54295 +- 18520 +- 14295 - 138953 -- 268952 - 58768 - 1955 - 328572 - 49127 - 393573 -- 18520 -- 14295 - 393684 - 269156 - 207353 @@ -1128,7 +1131,6 @@ never_via_route_servers_asns - 270544 - 328582 - 267442 -- 269535 - 48265 - 328445 - 60412 
@@ -1139,24 +1141,18 @@ never_via_route_servers_asns - 57468 - 212953 - 270407 -- 269574 - 133317 - 271053 - 270828 - 271172 -- 271203 -- 270653 -- 62623 - 140287 - 212706 - 212623 -- 43470 - 269367 - 36165 - 202561 - 213202 - 141120 -- 35836 - 141411 - 262888 - 131398 @@ -1165,33 +1161,29 @@ never_via_route_servers_asns - 53859 - 269654 - 141892 +- 1299 - 267214 - 62164 - 263686 - 269906 -- 52946 -- 200807 - 30967 - 141091 - 11290 - 141140 - 271200 - 13032 -- 51530 - 31764 - 142369 -- 137207 -- 270796 - 142348 - 23888 +- 398203 - 141856 - 146846 - 146958 -- 398203 - 139667 +- 49922 - 47583 - 60757 -- 268772 - 269512 - 141134 - 212539 @@ -1199,7 +1191,6 @@ never_via_route_servers_asns - 55244 - 49910 - 92 -- 147059 - 136874 - 40063 - 149296 @@ -1207,17 +1198,17 @@ never_via_route_servers_asns - 210030 - 51630 - 272018 -- 146904 - 396304 - 269190 -- 208548 -- 35900 - 265337 - 201978 - 208425 - 212512 - 142164 - 149663 -- 23961 - 149826 - 210715 +- 206275 +- 272124 +- 61756 +- 267561 diff --git a/examples/default/template-context6 b/examples/default/template-context6 index 0b9cde9a..afcd5dc4 100644 --- a/examples/default/template-context6 +++ b/examples/default/template-context6 @@ -969,31 +969,22 @@ registrobr_whois_db_records never_via_route_servers_asns ---------------------------- +- 34209 - 6079 -- 7843 -- 1299 -- 3257 - 3265 +- 11670 - 8607 -- 6805 - 12322 - 6730 - 13030 - 3320 -- 1273 - 174 - 680 +- 8455 - 2152 -- 6830 - 3292 -- 5511 -- 8365 +- 35836 - 21396 -- 8075 -- 39326 -- 6908 -- 11164 -- 5432 - 2914 - 29169 - 16509 
@@ -1001,56 +992,69 @@ never_via_route_servers_asns - 20161 - 11260 - 34108 +- 7843 - 20115 - 39651 -- 48237 - 9908 - 15692 -- 47377 - 10013 - 8943 - 5391 +- 48237 - 37271 -- 714 - 12353 -- 8455 +- 6908 - 40029 -- 57433 -- 57866 +- 6830 - 36459 -- 52965 -- 7155 -- 13760 -- 263328 +- 51530 +- 1273 +- 57433 +- 39326 +- 27947 +- 714 +- 62567 +- 8075 +- 3257 +- 11164 - 12822 +- 35900 +- 5511 +- 7155 +- 6805 +- 47377 +- 57866 - 46450 -- 17012 - 263801 +- 17012 - 63290 +- 8365 +- 5432 - 278 -- 62567 - 202793 - 33983 - 134022 +- 43470 - 3754 +- 3630 - 135706 - 264424 - 132563 -- 11670 -- 3630 - 7862 - 48408 +- 137207 - 24282 -- 52973 - 265630 - 37529 - 131996 - 132829 -- 27947 -- 34209 +- 19237 +- 23961 - 263856 - 135848 -- 19237 +- 147059 +- 24800 +- 62623 - 137610 - 34587 - 138023 @@ -1061,15 +1065,14 @@ never_via_route_servers_asns - 396477 - 262191 - 54295 +- 18520 +- 14295 - 138953 -- 268952 - 58768 - 1955 - 328572 - 49127 - 393573 -- 18520 -- 14295 - 393684 - 269156 - 207353 @@ -1077,7 +1080,6 @@ never_via_route_servers_asns - 270544 - 328582 - 267442 -- 269535 - 48265 - 328445 - 60412 @@ -1088,24 +1090,18 @@ never_via_route_servers_asns - 57468 - 212953 - 270407 -- 269574 - 133317 - 271053 - 270828 - 271172 -- 271203 -- 270653 -- 62623 - 140287 - 212706 - 212623 -- 43470 - 269367 - 36165 - 202561 - 213202 - 141120 -- 35836 - 141411 - 262888 - 131398 @@ -1114,33 +1110,29 @@ never_via_route_servers_asns - 53859 - 269654 - 141892 +- 1299 - 267214 - 62164 - 263686 - 269906 -- 52946 -- 200807 - 30967 - 141091 - 11290 - 141140 - 271200 - 13032 -- 51530 - 31764 - 142369 -- 137207 -- 270796 - 142348 - 23888 +- 398203 - 141856 - 146846 - 146958 -- 398203 - 139667 +- 49922 - 47583 - 60757 -- 268772 - 269512 - 141134 - 212539 @@ -1148,7 +1140,6 @@ never_via_route_servers_asns - 55244 - 49910 - 92 -- 147059 - 136874 - 40063 - 149296 
@@ -1156,17 +1147,17 @@ never_via_route_servers_asns - 210030 - 51630 - 272018 -- 146904 - 396304 - 269190 -- 208548 -- 35900 - 265337 - 201978 - 208425 - 212512 - 142164 - 149663 -- 23961 - 149826 - 210715 +- 206275 +- 272124 +- 61756 +- 267561 diff --git a/examples/rich/bird4.conf b/examples/rich/bird4.conf index 746399b2..dfe478e3 100644 --- a/examples/rich/bird4.conf +++ b/examples/rich/bird4.conf @@ -65,7 +65,7 @@ define AS_SET_AS_RIPENCC_asns = [ define AS_SET_AS_RIPENCC_prefixes_4 = [ 23.128.24.0/24{24,32}, 27.0.0.0/24{24,32}, 27.50.0.0/22{22,32}, 39.0.1.0/24{24,32}, - 84.205.64.0/19{24,32}, 89.116.100.0/24{24,32}, 93.175.144.0/24{24,32}, 93.175.146.0/23{24,32}, + 84.205.64.0/19{24,32}, 89.116.100.0/24{24,32}, 93.175.144.0/24{24,32}, 93.175.146.0/24{24,32}, 93.175.148.0/22{24,32}, 93.175.152.0/23{24,32}, 103.1.0.0/22{22,32}, 103.1.4.0/24{24,32}, 106.0.1.0/24{24,32}, 193.0.0.0/21{21,32}, 193.0.10.0/23{23,32}, 193.0.12.0/23{23,32}, 193.0.18.0/23{23,32}, 193.0.20.0/22{23,32}, 193.0.24.0/21{21,32} @@ -74,10 +74,10 @@ define AS_SET_AS_RIPENCC_prefixes_4 = [ # ARIN Whois database records define ARIN_Whois_db_AS10745_4 = [ - 199.43.0.0/24{24,32}, 192.136.136.0/24{24,32}, 192.149.252.0/24{24,32} + 192.136.136.0/24{24,32}, 192.149.252.0/24{24,32}, 199.43.0.0/24{24,32} ]; define ARIN_Whois_db_AS12654_4 = [ - 23.128.124.0/24{24,32}, 23.128.125.0/24{24,32}, 23.128.24.0/24{24,32}, 23.128.25.0/24{24,32} + 23.128.125.0/24{24,32}, 23.128.25.0/24{24,32}, 23.128.24.0/24{24,32}, 23.128.124.0/24{24,32} ]; 
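Review bot: in the `@@ -74,10 +74,10` hunk of examples/rich/bird4.conf, ARIN_Whois_db_AS10745_4 and ARIN_Whois_db_AS12654_4 change only in element order; the prefixes before and after are the same. The new order is also not the one used for the same lists in examples/rich/bird_v2.conf in this patch (there AS10745 reads 192.136.136.0/24, 199.43.0.0/24, 192.149.252.0/24), which suggests the generator emits these records in whatever order the source returns them. Sorting the prefixes before rendering would remove this churn and make the two outputs comparable.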
@@ -1758,7 +1758,7 @@ filter receive_from_AS10745_1 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; 
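Review bot: the full "never via route-servers" ASN set is inlined in the `if bgp_path ~ [...] then` test of filter receive_from_AS10745_1, and again in receive_from_AS3333_1 in the next hunk, so one refresh of the data rewrites the same very long line once per client filter. Consider emitting the set once with a `define`, as is done for AS_SET_AS_RIPENCC_asns earlier in this file, and referencing that constant from each filter; the OpenBGPD output in this patch already declares the set a single time as as-set "neverviarouteserver". That would reduce this change to one hunk per file and make the added and removed ASNs reviewable.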
@@ -1978,7 +1978,7 @@ filter receive_from_AS3333_1 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; diff --git a/examples/rich/bird6.conf b/examples/rich/bird6.conf index 062905a8..cbeb32fb 100644 --- a/examples/rich/bird6.conf +++ b/examples/rich/bird6.conf @@ -45,7 +45,7 @@ define AS_SET_AS10745_prefixes_6 = [ # ARIN Whois database records define ARIN_Whois_db_AS10745_6 = [ - 2001:500:4::/48{48,128}, 2001:500:110::/48{48,128} + 2001:500:110::/48{48,128}, 2001:500:4::/48{48,128} ]; 
@@ -1772,7 +1772,7 @@ filter receive_from_AS10745_2 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; diff --git a/examples/rich/bird_v2.conf b/examples/rich/bird_v2.conf index ce6261e9..6cb4a0b9 100644 --- a/examples/rich/bird_v2.conf +++ b/examples/rich/bird_v2.conf 
@@ -82,13 +82,13 @@ define AS_SET_AS_RIPENCC_asns = [ define AS_SET_AS_RIPENCC_prefixes_4 = [ 23.128.24.0/24{24,32}, 27.0.0.0/24{24,32}, 27.50.0.0/22{22,32}, 39.0.1.0/24{24,32}, - 84.205.64.0/19{24,32}, 89.116.100.0/24{24,32}, 93.175.144.0/24{24,32}, 93.175.146.0/23{24,32}, + 84.205.64.0/19{24,32}, 89.116.100.0/24{24,32}, 93.175.144.0/24{24,32}, 93.175.146.0/24{24,32}, 93.175.148.0/22{24,32}, 93.175.152.0/23{24,32}, 103.1.0.0/22{22,32}, 103.1.4.0/24{24,32}, 106.0.1.0/24{24,32}, 193.0.0.0/21{21,32}, 193.0.10.0/23{23,32}, 193.0.12.0/23{23,32}, 193.0.18.0/23{23,32}, 193.0.20.0/22{23,32}, 193.0.24.0/21{21,32} ]; define AS_SET_AS_RIPENCC_prefixes_6 = [ - 2001:67c:64::/48{48,128}, 2001:67c:2e8::/48{48,128}, 2001:7fb:fd02::/47{48,128}, 2001:7fb:fd04::/48{48,128}, + 2001:67c:64::/48{48,128}, 2001:67c:2e8::/48{48,128}, 2001:7fb:fd02::/48{48,128}, 2001:7fb:fd04::/48{48,128}, 2001:7fb:fe00::/45{48,128}, 2001:7fb:fe0a::/47{48,128}, 2001:7fb:fe0c::/46{48,128}, 2001:7fb:fe10::/48{48,128}, 2001:7fb:fe12::/47{48,128}, 2001:7fb:fe14::/46{48,128}, 2001:7fb:fe18::/48{48,128}, 2001:7fb:ff00::/45{48,128}, 2001:7fb:ff0a::/47{48,128}, 2001:7fb:ff0c::/46{48,128}, 2001:7fb:ff10::/48{48,128}, 2001:7fb:ff12::/47{48,128}, @@ -98,13 +98,13 @@ define AS_SET_AS_RIPENCC_prefixes_6 = [ # ARIN Whois database records define ARIN_Whois_db_AS10745_4 = [ - 199.43.0.0/24{24,32}, 192.149.252.0/24{24,32}, 192.136.136.0/24{24,32} + 192.136.136.0/24{24,32}, 199.43.0.0/24{24,32}, 192.149.252.0/24{24,32} ]; define ARIN_Whois_db_AS10745_6 = [ - 2001:500:110::/48{48,128}, 2001:500:4::/48{48,128} + 2001:500:4::/48{48,128}, 2001:500:110::/48{48,128} ]; define ARIN_Whois_db_AS12654_4 = [ - 23.128.25.0/24{24,32}, 23.128.24.0/24{24,32}, 23.128.125.0/24{24,32}, 23.128.124.0/24{24,32} + 23.128.125.0/24{24,32}, 23.128.124.0/24{24,32}, 23.128.24.0/24{24,32}, 23.128.25.0/24{24,32} ]; # no IPv6 prefixes found in the ARIN Whois database for ASAS12654 
@@ -1940,7 +1940,7 @@ filter receive_from_AS10745_1 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; 
@@ -2165,7 +2165,7 @@ filter receive_from_AS10745_2 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; 
@@ -2399,7 +2399,7 @@ filter receive_from_AS3333_1 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; diff --git a/examples/rich/openbgpd.conf b/examples/rich/openbgpd.conf index 185cd848..4394b08c 100644 --- a/examples/rich/openbgpd.conf +++ b/examples/rich/openbgpd.conf @@ -71,7 +71,7 @@ prefix-set "AS_SET_AS_RIPENCC_prefixes" { 84.205.64.0/19 prefixlen 24 - 32 89.116.100.0/24 prefixlen 24 - 32 93.175.144.0/24 prefixlen 24 - 32 - 93.175.146.0/23 prefixlen 24 - 32 + 93.175.146.0/24 prefixlen 24 - 32 93.175.148.0/22 prefixlen 24 - 32 93.175.152.0/23 prefixlen 24 - 32 103.1.0.0/22 prefixlen 22 - 32 @@ -85,7 +85,7 @@ prefix-set "AS_SET_AS_RIPENCC_prefixes" { 193.0.24.0/21 prefixlen 21 - 32 2001:67c:64::/48 prefixlen 48 - 128 2001:67c:2e8::/48 prefixlen 48 - 128 - 2001:7fb:fd02::/47 prefixlen 48 - 128 + 2001:7fb:fd02::/48 prefixlen 48 - 128 2001:7fb:fd04::/48 prefixlen 48 - 128 2001:7fb:fe00::/45 prefixlen 48 - 128 2001:7fb:fe0a::/47 prefixlen 48 - 128 
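Review bot: in the two examples/rich/openbgpd.conf prefix-set hunks, narrowing `93.175.146.0/23 prefixlen 24 - 32` to /24 and `2001:7fb:fd02::/47 prefixlen 48 - 128` to /48 drops 93.175.147.0/24 and 2001:7fb:fd03::/48 from AS_SET_AS_RIPENCC_prefixes, and none of the neighbouring entries shown in the context lines covers them. If this reflects a change in the upstream IRR data picked up while regenerating the examples, please say so in the commit message; if not, it is worth checking the prefix aggregation step, since the same narrowing appears in the BIRD examples too.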
@@ -115,7 +115,11 @@ group "clients" { neighbor 192.0.2.22 { remote-as 10745 - rde evaluate all + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default passive ttl-security yes @@ -126,6 +130,7 @@ group "clients" { announce as-4byte yes announce IPv6 none announce IPv4 unicast + announce add-path send best plus 5 set nexthop no-modify } @@ -134,7 +139,11 @@ group "clients" { neighbor 2001:db8:1:1::22 { remote-as 10745 - rde evaluate all + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default passive ttl-security yes @@ -145,6 +154,7 @@ group "clients" { announce as-4byte yes announce IPv6 unicast announce IPv4 none + announce add-path send best plus 5 set nexthop no-modify } @@ -153,7 +163,11 @@ group "clients" { neighbor 192.0.2.11 { remote-as 3333 - rde evaluate all + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default passive ttl-security yes @@ -164,6 +178,7 @@ group "clients" { announce as-4byte yes announce IPv6 none announce IPv4 unicast + announce add-path send best plus 5 set nexthop no-modify } 
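Review bot: the comment added above `rde evaluate default` in each neighbor block explains the bgpd error being avoided but not what the neighbor gives up by losing `rde evaluate all`. With this change, what these clients receive when their best path is filtered depends on `announce add-path send best plus 5`, so the comment (or the docs for the add_path option) should state what happens for a client that is configured for ADD-PATH but does not negotiate it. It would also help to document where the value 5 in `best plus 5` comes from and whether it is configurable. Separately, the same four-line comment is repeated verbatim in all three neighbor blocks; emitting it once, for example above the group, would keep the generated file shorter.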
@@ -240,7 +255,7 @@ prefix-set "bogons" { # never via route-servers ASNs as-set "neverviarouteserver" { - 92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338 + 92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 
35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338 } # ===================================================================================== diff --git a/examples/rich/template-context b/examples/rich/template-context index 74e5f479..0621733c 100644 --- a/examples/rich/template-context +++ b/examples/rich/template-context @@ -1118,9 +1118,9 @@ irrdb_info prefix: 93.175.144.0 - comment: null exact: false - ge: 24 + ge: null le: 32 - length: 23 + length: 24 max_length: 32 prefix: 93.175.146.0 - comment: null @@ -1216,9 +1216,9 @@ irrdb_info prefix: '2001:67c:2e8::' - comment: null exact: false - ge: 48 + ge: null le: 128 - length: 47 + length: 48 max_length: 128 prefix: '2001:7fb:fd02::' - comment: null 
@@ -1399,29 +1399,29 @@ AS10745: max_length: 32 prefix: 199.43.0.0 - exact: false - ge: 48 - le: 128 - length: 48 - max_length: 128 - prefix: '2001:500:110::' + ge: 24 + le: 32 + length: 24 + max_length: 32 + prefix: 192.136.136.0 - exact: false ge: 48 le: 128 length: 48 max_length: 128 prefix: '2001:500:4::' -- exact: false - ge: 24 - le: 32 - length: 24 - max_length: 32 - prefix: 192.136.136.0 - exact: false ge: 24 le: 32 length: 24 max_length: 32 prefix: 192.149.252.0 +- exact: false + ge: 48 + le: 128 + length: 48 + max_length: 128 + prefix: '2001:500:110::' AS12654: - exact: false ge: 24 @@ -1434,13 +1434,13 @@ AS12654: le: 32 length: 24 max_length: 32 - prefix: 23.128.24.0 + prefix: 23.128.125.0 - exact: false ge: 24 le: 32 length: 24 max_length: 32 - prefix: 23.128.125.0 + prefix: 23.128.24.0 - exact: false ge: 24 le: 32 @@ -1458,86 +1458,90 @@ never_via_route_servers_asns ---------------------------- - 2914 - 3491 +- 34209 - 6079 -- 7843 -- 1299 -- 3257 - 3265 +- 11670 - 8607 -- 6805 - 12322 - 6730 - 13030 - 3320 -- 1273 - 174 - 680 +- 8455 - 2152 -- 6830 - 3292 -- 5511 -- 8365 +- 35836 - 21396 -- 8075 -- 39326 -- 6908 -- 11164 -- 5432 - 29169 - 16509 - 20161 - 11260 - 34108 +- 7843 - 20115 - 39651 -- 48237 - 9908 - 15692 -- 47377 - 10013 - 8943 - 5391 +- 48237 - 37271 -- 714 - 12353 -- 8455 +- 6908 - 40029 -- 57433 -- 57866 +- 6830 - 36459 -- 52965 -- 7155 -- 13760 -- 263328 +- 51530 +- 1273 +- 57433 +- 39326 +- 27947 +- 714 +- 62567 +- 8075 +- 3257 +- 11164 - 12822 +- 35900 +- 5511 +- 7155 +- 6805 +- 47377 +- 57866 - 46450 -- 17012 - 263801 +- 17012 - 63290 +- 8365 +- 5432 - 278 -- 62567 - 202793 - 33983 - 134022 +- 43470 - 3754 +- 3630 - 135706 - 264424 - 132563 -- 11670 -- 3630 - 7862 - 48408 +- 137207 - 24282 -- 52973 - 265630 - 37529 - 131996 - 132829 -- 27947 -- 34209 +- 19237 +- 23961 - 263856 - 135848 -- 19237 +- 147059 +- 24800 +- 62623 - 137610 - 34587 - 138023 
@@ -1548,15 +1552,14 @@ never_via_route_servers_asns - 396477 - 262191 - 54295 +- 18520 +- 14295 - 138953 -- 268952 - 58768 - 1955 - 328572 - 49127 - 393573 -- 18520 -- 14295 - 393684 - 269156 - 207353 @@ -1564,7 +1567,6 @@ never_via_route_servers_asns - 270544 - 328582 - 267442 -- 269535 - 48265 - 328445 - 60412 @@ -1575,24 +1577,18 @@ never_via_route_servers_asns - 57468 - 212953 - 270407 -- 269574 - 133317 - 271053 - 270828 - 271172 -- 271203 -- 270653 -- 62623 - 140287 - 212706 - 212623 -- 43470 - 269367 - 36165 - 202561 - 213202 - 141120 -- 35836 - 141411 - 262888 - 131398 @@ -1601,33 +1597,29 @@ never_via_route_servers_asns - 53859 - 269654 - 141892 +- 1299 - 267214 - 62164 - 263686 - 269906 -- 52946 -- 200807 - 30967 - 141091 - 11290 - 141140 - 271200 - 13032 -- 51530 - 31764 - 142369 -- 137207 -- 270796 - 142348 - 23888 +- 398203 - 141856 - 146846 - 146958 -- 398203 - 139667 +- 49922 - 47583 - 60757 -- 268772 - 269512 - 141134 - 212539 @@ -1635,7 +1627,6 @@ never_via_route_servers_asns - 55244 - 49910 - 92 -- 147059 - 136874 - 40063 - 149296 @@ -1643,17 +1634,17 @@ never_via_route_servers_asns - 210030 - 51630 - 272018 -- 146904 - 396304 - 269190 -- 208548 -- 35900 - 265337 - 201978 - 208425 - 212512 - 142164 - 149663 -- 23961 - 149826 - 210715 +- 206275 +- 272124 +- 61756 +- 267561 diff --git a/examples/rich/template-context4 b/examples/rich/template-context4 index 37eff644..b2491f70 100644 --- a/examples/rich/template-context4 +++ b/examples/rich/template-context4 @@ -1088,9 +1088,9 @@ irrdb_info prefix: 93.175.144.0 - comment: null exact: false - ge: 24 + ge: null le: 32 - length: 23 + length: 24 max_length: 32 prefix: 93.175.146.0 - comment: null @@ -1225,7 +1225,7 @@ AS10745: le: 32 length: 24 max_length: 32 - prefix: 199.43.0.0 + prefix: 192.149.252.0 - exact: false ge: 24 le: 32 
@@ -1237,14 +1237,14 @@ AS10745: le: 32 length: 24 max_length: 32 - prefix: 192.149.252.0 + prefix: 199.43.0.0 AS12654: - exact: false ge: 24 le: 32 length: 24 max_length: 32 - prefix: 23.128.24.0 + prefix: 23.128.124.0 - exact: false ge: 24 le: 32 @@ -1256,13 +1256,13 @@ AS12654: le: 32 length: 24 max_length: 32 - prefix: 23.128.124.0 + prefix: 23.128.25.0 - exact: false ge: 24 le: 32 length: 24 max_length: 32 - prefix: 23.128.25.0 + prefix: 23.128.24.0 registrobr_whois_db_records @@ -1274,86 +1274,90 @@ never_via_route_servers_asns ---------------------------- - 2914 - 3491 +- 34209 - 6079 -- 7843 -- 1299 -- 3257 - 3265 +- 11670 - 8607 -- 6805 - 12322 - 6730 - 13030 - 3320 -- 1273 - 174 - 680 +- 8455 - 2152 -- 6830 - 3292 -- 5511 -- 8365 +- 35836 - 21396 -- 8075 -- 39326 -- 6908 -- 11164 -- 5432 - 29169 - 16509 - 20161 - 11260 - 34108 +- 7843 - 20115 - 39651 -- 48237 - 9908 - 15692 -- 47377 - 10013 - 8943 - 5391 +- 48237 - 37271 -- 714 - 12353 -- 8455 +- 6908 - 40029 -- 57433 -- 57866 +- 6830 - 36459 -- 52965 -- 7155 -- 13760 -- 263328 +- 51530 +- 1273 +- 57433 +- 39326 +- 27947 +- 714 +- 62567 +- 8075 +- 3257 +- 11164 - 12822 +- 35900 +- 5511 +- 7155 +- 6805 +- 47377 +- 57866 - 46450 -- 17012 - 263801 +- 17012 - 63290 +- 8365 +- 5432 - 278 -- 62567 - 202793 - 33983 - 134022 +- 43470 - 3754 +- 3630 - 135706 - 264424 - 132563 -- 11670 -- 3630 - 7862 - 48408 +- 137207 - 24282 -- 52973 - 265630 - 37529 - 131996 - 132829 -- 27947 -- 34209 +- 19237 +- 23961 - 263856 - 135848 -- 19237 +- 147059 +- 24800 +- 62623 - 137610 - 34587 - 138023 @@ -1364,15 +1368,14 @@ never_via_route_servers_asns - 396477 - 262191 - 54295 +- 18520 +- 14295 - 138953 -- 268952 - 58768 - 1955 - 328572 - 49127 - 393573 -- 18520 -- 14295 - 393684 - 269156 - 207353 @@ -1380,7 +1383,6 @@ never_via_route_servers_asns - 270544 - 328582 - 267442 -- 269535 - 48265 - 328445 - 60412 
@@ -1391,24 +1393,18 @@ never_via_route_servers_asns - 57468 - 212953 - 270407 -- 269574 - 133317 - 271053 - 270828 - 271172 -- 271203 -- 270653 -- 62623 - 140287 - 212706 - 212623 -- 43470 - 269367 - 36165 - 202561 - 213202 - 141120 -- 35836 - 141411 - 262888 - 131398 @@ -1417,33 +1413,29 @@ never_via_route_servers_asns - 53859 - 269654 - 141892 +- 1299 - 267214 - 62164 - 263686 - 269906 -- 52946 -- 200807 - 30967 - 141091 - 11290 - 141140 - 271200 - 13032 -- 51530 - 31764 - 142369 -- 137207 -- 270796 - 142348 - 23888 +- 398203 - 141856 - 146846 - 146958 -- 398203 - 139667 +- 49922 - 47583 - 60757 -- 268772 - 269512 - 141134 - 212539 @@ -1451,7 +1443,6 @@ never_via_route_servers_asns - 55244 - 49910 - 92 -- 147059 - 136874 - 40063 - 149296 @@ -1459,17 +1450,17 @@ never_via_route_servers_asns - 210030 - 51630 - 272018 -- 146904 - 396304 - 269190 -- 208548 -- 35900 - 265337 - 201978 - 208425 - 212512 - 142164 - 149663 -- 23961 - 149826 - 210715 +- 206275 +- 272124 +- 61756 +- 267561 diff --git a/examples/rich/template-context6 b/examples/rich/template-context6 index 462c2dba..0e1d3075 100644 --- a/examples/rich/template-context6 +++ b/examples/rich/template-context6 
@@ -1024,86 +1024,90 @@ never_via_route_servers_asns ---------------------------- - 2914 - 3491 +- 34209 - 6079 -- 7843 -- 1299 -- 3257 - 3265 +- 11670 - 8607 -- 6805 - 12322 - 6730 - 13030 - 3320 -- 1273 - 174 - 680 +- 8455 - 2152 -- 6830 - 3292 -- 5511 -- 8365 +- 35836 - 21396 -- 8075 -- 39326 -- 6908 -- 11164 -- 5432 - 29169 - 16509 - 20161 - 11260 - 34108 +- 7843 - 20115 - 39651 -- 48237 - 9908 - 15692 -- 47377 - 10013 - 8943 - 5391 +- 48237 - 37271 -- 714 - 12353 -- 8455 +- 6908 - 40029 -- 57433 -- 57866 +- 6830 - 36459 -- 52965 -- 7155 -- 13760 -- 263328 +- 51530 +- 1273 +- 57433 +- 39326 +- 27947 +- 714 +- 62567 +- 8075 +- 3257 +- 11164 - 12822 +- 35900 +- 5511 +- 7155 +- 6805 +- 47377 +- 57866 - 46450 -- 17012 - 263801 +- 17012 - 63290 +- 8365 +- 5432 - 278 -- 62567 - 202793 - 33983 - 134022 +- 43470 - 3754 +- 3630 - 135706 - 264424 - 132563 -- 11670 -- 3630 - 7862 - 48408 +- 137207 - 24282 -- 52973 - 265630 - 37529 - 131996 - 132829 -- 27947 -- 34209 +- 19237 +- 23961 - 263856 - 135848 -- 19237 +- 147059 +- 24800 +- 62623 - 137610 - 34587 - 138023 @@ -1114,15 +1118,14 @@ never_via_route_servers_asns - 396477 - 262191 - 54295 +- 18520 +- 14295 - 138953 -- 268952 - 58768 - 1955 - 328572 - 49127 - 393573 -- 18520 -- 14295 - 393684 - 269156 - 207353 @@ -1130,7 +1133,6 @@ never_via_route_servers_asns - 270544 - 328582 - 267442 -- 269535 - 48265 - 328445 - 60412 @@ -1141,24 +1143,18 @@ never_via_route_servers_asns - 57468 - 212953 - 270407 -- 269574 - 133317 - 271053 - 270828 - 271172 -- 271203 -- 270653 -- 62623 - 140287 - 212706 - 212623 -- 43470 - 269367 - 36165 - 202561 - 213202 - 141120 -- 35836 - 141411 - 262888 - 131398 
@@ -1167,33 +1163,29 @@ never_via_route_servers_asns - 53859 - 269654 - 141892 +- 1299 - 267214 - 62164 - 263686 - 269906 -- 52946 -- 200807 - 30967 - 141091 - 11290 - 141140 - 271200 - 13032 -- 51530 - 31764 - 142369 -- 137207 -- 270796 - 142348 - 23888 +- 398203 - 141856 - 146846 - 146958 -- 398203 - 139667 +- 49922 - 47583 - 60757 -- 268772 - 269512 - 141134 - 212539 @@ -1201,7 +1193,6 @@ never_via_route_servers_asns - 55244 - 49910 - 92 -- 147059 - 136874 - 40063 - 149296 @@ -1209,17 +1200,17 @@ never_via_route_servers_asns - 210030 - 51630 - 272018 -- 146904 - 396304 - 269190 -- 208548 -- 35900 - 265337 - 201978 - 208425 - 212512 - 142164 - 149663 -- 23961 - 149826 - 210715 +- 206275 +- 272124 +- 61756 +- 267561 diff --git a/examples/rpki_rtr/bird_v2.conf b/examples/rpki_rtr/bird_v2.conf index 42b28768..65de2f92 100644 --- a/examples/rpki_rtr/bird_v2.conf +++ b/examples/rpki_rtr/bird_v2.conf @@ -63,8 +63,8 @@ define AS_SET_AS1_asns = [ ]; define AS_SET_AS1_prefixes_4 = [ - 4.36.110.0/24, 5.34.192.0/21, 5.34.200.0/22, 87.248.135.0/24, - 88.218.16.0/24, 178.208.184.0/24, 178.253.55.0/24, 199.48.180.0/24 + 4.36.110.0/24, 88.218.16.0/24, 178.208.184.0/24, 178.253.38.0/24, + 178.253.55.0/24, 185.255.126.0/24, 199.48.180.0/24 ]; # no IPv6 prefixes found for AS1 
@@ -470,7 +470,7 @@ filter receive_from_AS10745_1 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; 
@@ -648,7 +648,7 @@ filter receive_from_AS10745_2 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; 
@@ -830,7 +830,7 @@ filter receive_from_AS1_1 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 
34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; 
@@ -1008,7 +1008,7 @@ filter receive_from_AS3333_1 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; diff --git a/pierky/arouteserver/builder.py b/pierky/arouteserver/builder.py index 5fc27193..feb16f47 100644 --- a/pierky/arouteserver/builder.py +++ b/pierky/arouteserver/builder.py @@ -534,8 +534,6 @@ def _are_there_32bit_clients(self): return False def enrich_config(self): - errors = False - # Unique ASNs from clients list. clients_asns = {} @@ -604,12 +602,10 @@ def enrich_config(self): try: enricher.enrich() except ARouteServerError as e: - errors = True if str(e): logging.error(str(e)) - if errors: - raise BuilderError() + raise BuilderError() def _include_local_file(self, local_file_id): raise NotImplementedError() 
@@ -801,7 +797,8 @@ class BIRDConfigBuilder(ConfigBuilder): IGNORABLE_ISSUES = ConfigBuilder.IGNORABLE_ISSUES + ["max_prefix_count_rejected_routes", "ipv6_link_local_next_hop"] AVAILABLE_VERSION = ["1.6.3", "1.6.4", "1.6.6", "1.6.7", "1.6.8", - "2.0.7", "2.0.7+b962967e", "2.0.8", "2.0.9"] + "2.0.7", "2.0.7+b962967e", "2.0.8", "2.0.9", + "2.0.10"] DEFAULT_VERSION = "1.6.8" def validate_bgpspeaker_specific_configuration(self): @@ -956,7 +953,7 @@ class OpenBGPDConfigBuilder(ConfigBuilder): LOCAL_FILES_BASE_DIR = "/etc/bgpd" AVAILABLE_VERSION = ["6.0", "6.1", "6.2", "6.3", "6.4", "6.5", "6.6", "6.7", - "6.8", "6.9", "7.0", "7.1", "7.2", "7.3", "7.4"] + "6.8", "6.9", "7.0", "7.1", "7.2", "7.3", "7.4", "7.5"] DEFAULT_VERSION = AVAILABLE_VERSION[-1] IGNORABLE_ISSUES = ConfigBuilder.IGNORABLE_ISSUES + \ @@ -1047,12 +1044,14 @@ def validate_bgpspeaker_specific_configuration(self): if not max_prefix_count_rejected_routes: max_prefix_count_rejected_routes_clients.append(client["ip"]) - if add_path_clients: + if add_path_clients and \ + version.parse(self.target_version) < version.parse("7.5"): + clients = add_path_clients cnt = len(clients) if not self.process_compatibility_issue( "add_path", - "ADD_PATH not supported by OpenBGPD but " + "ADD_PATH not supported by OpenBGPD < 7.5 but " "enabled for the following clients: {}{}.".format( ", ".join(clients[:3]), "" if cnt <= 3 else " and {} more".format(cnt - 3) diff --git a/pierky/arouteserver/irrdb.py b/pierky/arouteserver/irrdb.py index 46551dbd..e030818c 100644 --- a/pierky/arouteserver/irrdb.py +++ b/pierky/arouteserver/irrdb.py @@ -117,8 +117,7 @@ class IRRDBInfo(CachedObject, AS_SET_Bundle): BGPQ3_DEFAULT_HOST = ["rr.ntt.net", "rr1.ntt.net"] BGPQ3_DEFAULT_SOURCES = ("RIPE,APNIC,AFRINIC,ARIN,NTTCOM,ALTDB," - "BBOI,BELL,JPIRR,LEVEL3,RADB,RGNET," - "TC") + "BBOI,BELL,JPIRR,LEVEL3,RADB,TC") BGPQ3_DEFAULT_TIMEOUT = 120 EXPIRY_TIME_TAG = "irr_as_sets" 
diff --git a/pierky/arouteserver/tests/live_tests/bird.py b/pierky/arouteserver/tests/live_tests/bird.py index 8f5f48f1..a0c8b109 100644 --- a/pierky/arouteserver/tests/live_tests/bird.py +++ b/pierky/arouteserver/tests/live_tests/bird.py @@ -327,11 +327,11 @@ def _birdcl(self, cmd): class BIRD2Instance(BIRDInstance): - DOCKER_IMAGE = "pierky/bird:2.0.9" + DOCKER_IMAGE = "pierky/bird:2.0.10" TAG = "bird2" - TARGET_VERSION = "2.0.9" + TARGET_VERSION = "2.0.10" def _get_start_cmd(self): return "bird -c /etc/bird/bird.conf -d" diff --git a/pierky/arouteserver/tests/live_tests/openbgpd.py b/pierky/arouteserver/tests/live_tests/openbgpd.py index 625a5c27..43ff8279 100644 --- a/pierky/arouteserver/tests/live_tests/openbgpd.py +++ b/pierky/arouteserver/tests/live_tests/openbgpd.py @@ -597,5 +597,15 @@ class OpenBGPD74PortableInstance(OpenBGPDPortableInstance): TARGET_VERSION = "7.4" -OpenBGPDPortablePreviousInstance = OpenBGPD73PortableInstance -OpenBGPDPortableLatestInstance = OpenBGPD74PortableInstance +class OpenBGPD75PortableInstance(OpenBGPDPortableInstance): + + DOCKER_IMAGE = "pierky/openbgpd:7.5" + + TAG = "openbgpd75p" + + BGP_SPEAKER_VERSION = "7.5" + TARGET_VERSION = "7.5" + + +OpenBGPDPortablePreviousInstance = OpenBGPD74PortableInstance +OpenBGPDPortableLatestInstance = OpenBGPD75PortableInstance diff --git a/templates/fingerprints.yml b/templates/fingerprints.yml index 14ba9345..9a96c62a 100644 --- a/templates/fingerprints.yml +++ b/templates/fingerprints.yml 
@@ -16,7 +16,7 @@ md: macros.j2: bb4c38f830831d476840c228ede6de8cc778de55b74b2882451b1ce980a47cea56b0f9426236dc5c0f844af4fbc73642e85efb510b24b26ddc96ab1206942c88 main.j2: be98308fd4c8f4992e58cebcdd41b6bbb59122763bbbf1c3d74dc5e980db59aabd716e8d809a5bee05b60be6530e4704026cb054235c1f4c35b23d450f9bd59b openbgpd: - clients.j2: 3b487fc2a699172d272fd253538feb1b4258bbb00e66c0a2ad743ee7b12350f0f634866a16118de1be9113bbe96ce1843db38c5249993d47156e40396b88d6c7 + clients.j2: 5518aff8ce7e928f449867ca9edce5a11c7dee879279b6a9db1037425f96c1faa5c0bbb6f6b1ad5eb415554be59273ab91225852db4037fbe475e4cceba439c1 filters.j2: 67230b4a9841be775a0edb724f408a651c42469c1535b360c3b0ee3af5bff2929964540514d64ac320116f2c0faed22c089f51d647c455b9316dd3975d583d2d header.j2: 9b6700145069c22bb51f0a694f984da3babecc2528555e2afa8f50d347424508fe8a9868fffae956bf1a7801545fcd278cb08bece8855ead71ad262c181496d0 irrdb.j2: a41aff6077c4b7ddd8ae03f0ac33f3ff47c9812350204d929a8b02fe63d023a813e802a7c9183528058b55d7502f7aeaef77a65acc906022586510f37453b88a diff --git a/templates/openbgpd/clients.j2 b/templates/openbgpd/clients.j2 index 7a1a5ae2..b39573ab 100644 --- a/templates/openbgpd/clients.j2 +++ b/templates/openbgpd/clients.j2 @@ -27,7 +27,15 @@ group "clients" { remote-as {{ client.asn }} {% if cfg.path_hiding and "6.9"|target_version_ge %} +{% if "7.5"|target_version_ge and client.cfg.add_path %} + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default +{% else %} rde evaluate all +{% endif %} {% endif %} {% if "6.1"|target_version_le %} @@ -85,6 +93,9 @@ group "clients" { announce IPv6 unicast announce IPv4 none {% endif %} +{% if "7.5"|target_version_ge and client.cfg.add_path %} + announce add-path send best plus 5 +{% endif %} set nexthop no-modify diff --git a/tests/last b/tests/last index 78abfe5f..a0264ca2 100644 
--- a/tests/last +++ b/tests/last @@ -247,7 +247,7 @@ RTT getter parser: new line only ... ok RTT getter parser: none ... ok ---------------------------------------------------------------------- -Ran 247 tests in 69.193s +Ran 247 tests in 68.563s OK External resources: ARIN Whois database dump ... ok @@ -267,10 +267,9 @@ External resources: prefixes from AS-SET via bgpq3 ... ok External resources: prefixes from AS-SET via bgpq4 ... ok ---------------------------------------------------------------------- -Ran 15 tests in 48.378s +Ran 15 tests in 48.245s OK -Error: No such network: arouteserver Live test, BIRD, hooks example, IPv4: setting instances up... Live test, BIRD, hooks example, IPv4: instances setup ... ok Live test, BIRD, hooks example, IPv4: log contains errors ... ok @@ -285,7 +284,7 @@ Live test, BIRD, hooks example, IPv6: dumping routes... Live test, BIRD, hooks example, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 4 tests in 15.145s +Ran 4 tests in 14.255s OK Live test, BIRD, BGP communities, IPv4: setting instances up... @@ -324,7 +323,7 @@ Live test, BIRD, BGP communities, IPv6: dumping routes... Live test, BIRD, BGP communities, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 26 tests in 64.614s +Ran 26 tests in 64.025s OK Live test, BIRD, default config, IPv4: setting instances up... @@ -341,7 +340,7 @@ Live test, BIRD, default config, IPv6: dumping routes... Live test, BIRD, default config, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 4 tests in 15.273s +Ran 4 tests in 15.047s OK Live test, BIRD, global scenario, IPv4: setting instances up... 
@@ -882,7 +881,7 @@ Live test, BIRD, global scenario, IPv6, tag&reject: dumping routes... Live test, BIRD, global scenario, IPv6, tag&reject: stopping instances... ---------------------------------------------------------------------- -Ran 512 tests in 511.947s +Ran 512 tests in 509.215s OK (SKIP=6) Live test, BIRD, gshut, IPv4: setting instances up... @@ -905,7 +904,7 @@ Live test, BIRD, gshut, IPv6: dumping routes... Live test, BIRD, gshut, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 10 tests in 44.442s +Ran 10 tests in 44.425s OK Live test, BIRD, max-prefix, IPv4: setting instances up... @@ -944,7 +943,7 @@ Live test, BIRD, max-prefix, IPv6: dumping routes... Live test, BIRD, max-prefix, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 26 tests in 168.860s +Ran 26 tests in 165.497s OK Live test, BIRD, path hiding, mitigation off, IPv4: setting instances up... @@ -1003,7 +1002,7 @@ Live test, BIRD, path hiding, mitigation on, IPv6: dumping routes... Live test, BIRD, path hiding, mitigation on, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 38 tests in 174.651s +Ran 38 tests in 174.239s OK (SKIP=2) Live test, BIRD, examples, rich config, IPv4: setting instances up... @@ -1020,7 +1019,7 @@ Live test, BIRD, examples, rich config, IPv6: dumping routes... Live test, BIRD, examples, rich config, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 4 tests in 25.134s +Ran 4 tests in 26.304s OK Live test, BIRD, RPKI INVALID tagging, IPv4: setting instances up... 
@@ -1061,7 +1060,7 @@ Live test, BIRD, RPKI INVALID tagging, IPv6: dumping routes... Live test, BIRD, RPKI INVALID tagging, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 28 tests in 79.266s +Ran 28 tests in 83.631s OK Live test, BIRD, BOV custom comms, IPv4: setting instances up... @@ -1086,7 +1085,7 @@ Live test, BIRD, BOV custom comms, IPv6: dumping routes... Live test, BIRD, BOV custom comms, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 12 tests in 45.940s +Ran 12 tests in 46.496s OK Live test, BIRD, tag prefix/origin in AS-SET, IPv4: setting instances up... @@ -1273,7 +1272,7 @@ Live test, BIRD, tag prefix/origin empty AS-SET, IPv6: dumping routes... Live test, BIRD, tag prefix/origin empty AS-SET, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 166 tests in 165.136s +Ran 166 tests in 168.950s OK Live test, BIRD, 'tag' reject policy scenario, IPv4: setting instances up... @@ -1330,7 +1329,7 @@ Live test, BIRD, 'tag' reject policy scenario, IPv6: dumping routes... Live test, BIRD, 'tag' reject policy scenario, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 44 tests in 116.715s +Ran 44 tests in 114.618s OK (SKIP=1) Live test, BIRD v2, BGP communities, IPv4: setting instances up... @@ -1369,7 +1368,7 @@ Live test, BIRD v2, BGP communities, IPv6: dumping routes... Live test, BIRD v2, BGP communities, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 26 tests in 63.231s +Ran 26 tests in 63.218s OK Live test, BIRD v2, default config, IPv4: setting instances up... 
@@ -1386,7 +1385,7 @@ Live test, BIRD v2, default config, IPv6: dumping routes... Live test, BIRD v2, default config, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 4 tests in 15.338s +Ran 4 tests in 14.591s OK Live test, BIRD v2, global scenario, IPv4: setting instances up... @@ -1927,7 +1926,7 @@ Live test, BIRD v2, global scenario, IPv6, tag&reject: dumping routes... Live test, BIRD v2, global scenario, IPv6, tag&reject: stopping instances... ---------------------------------------------------------------------- -Ran 512 tests in 501.144s +Ran 512 tests in 499.002s OK (SKIP=6) Live test, BIRD v2, gshut, IPv4: setting instances up... @@ -1950,7 +1949,7 @@ Live test, BIRD v2, gshut, IPv6: dumping routes... Live test, BIRD v2, gshut, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 10 tests in 44.005s +Ran 10 tests in 44.138s OK Live test, BIRD v2, max-prefix, IPv4: setting instances up... @@ -1989,7 +1988,7 @@ Live test, BIRD v2, max-prefix, IPv6: dumping routes... Live test, BIRD v2, max-prefix, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 26 tests in 168.092s +Ran 26 tests in 165.985s OK Live test, BIRD v2, path hiding, mitigation off, IPv4: setting instances up... @@ -2048,7 +2047,7 @@ Live test, BIRD v2, path hiding, mitigation on, IPv6: dumping routes... Live test, BIRD v2, path hiding, mitigation on, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 38 tests in 173.813s +Ran 38 tests in 171.075s OK (SKIP=2) Live test, BIRD v2, examples, rich config, IPv4: setting instances up... 
@@ -2065,7 +2064,7 @@ Live test, BIRD v2, examples, rich config, IPv6: dumping routes... Live test, BIRD v2, examples, rich config, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 4 tests in 26.346s +Ran 4 tests in 24.751s OK Live test, BIRD v2, RPKI INVALID tagging, IPv4: setting instances up... @@ -2106,7 +2105,7 @@ Live test, BIRD v2, RPKI INVALID tagging, IPv6: dumping routes... Live test, BIRD v2, RPKI INVALID tagging, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 28 tests in 79.234s +Ran 28 tests in 77.980s OK Live test, BIRD v2, BOV custom comms, IPv4: setting instances up... @@ -2131,7 +2130,7 @@ Live test, BIRD v2, BOV custom comms, IPv6: dumping routes... Live test, BIRD v2, BOV custom comms, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 12 tests in 45.809s +Ran 12 tests in 44.362s OK Live test, BIRD v2, RTR protocol: setting instances up... @@ -2148,7 +2147,7 @@ Live test, BIRD v2, RTR protocol: dumping routes... Live test, BIRD v2, RTR protocol: stopping instances... ---------------------------------------------------------------------- -Ran 8 tests in 41.164s +Ran 8 tests in 40.609s OK Live test, BIRD v2, tag prefix/origin in AS-SET, IPv4: setting instances up... @@ -2335,7 +2334,7 @@ Live test, BIRD v2, tag prefix/origin empty AS-SET, IPv6: dumping routes... Live test, BIRD v2, tag prefix/origin empty AS-SET, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 166 tests in 166.310s +Ran 166 tests in 163.047s OK Live test, BIRD v2, 'tag' reject policy scenario, IPv4: setting instances up... 
@@ -2392,65 +2391,245 @@ Live test, BIRD v2, 'tag' reject policy scenario, IPv6: dumping routes... Live test, BIRD v2, 'tag' reject policy scenario, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 44 tests in 116.248s +Ran 44 tests in 114.054s OK (SKIP=1) -Live test, OpenBGPD 7.4, BGP communities, IPv4: setting instances up... -Live test, OpenBGPD 7.4, BGP communities, IPv4: instances setup ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: sessions are up ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: announce to AS1 only (ext) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: announce to AS1 only (lrg) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: announce to AS1 only (std) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: announce to AS131073 only (ext) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: announce to AS131073 only (lrg) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: custom BGP community (ext) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: custom BGP community (lrg) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: custom BGP community (std) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: custom BGP community scrubbed ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: reconfigure ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: dumping rs config... -Live test, OpenBGPD 7.4, BGP communities, IPv4: dumping routes... -Live test, OpenBGPD 7.4, BGP communities, IPv4: stopping instances... -Live test, OpenBGPD 7.4, BGP communities, IPv6: setting instances up... -Live test, OpenBGPD 7.4, BGP communities, IPv6: instances setup ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: sessions are up ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: announce to AS1 only (ext) ... 
ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: announce to AS1 only (lrg) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: announce to AS1 only (std) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: announce to AS131073 only (ext) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: announce to AS131073 only (lrg) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: custom BGP community (ext) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: custom BGP community (lrg) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: custom BGP community (std) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: custom BGP community scrubbed ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: reconfigure ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: dumping rs config... -Live test, OpenBGPD 7.4, BGP communities, IPv6: dumping routes... -Live test, OpenBGPD 7.4, BGP communities, IPv6: stopping instances... +Live test, OpenBGPD 7.5, BGP communities, IPv4: setting instances up... +Live test, OpenBGPD 7.5, BGP communities, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: sessions are up ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: announce to AS1 only (ext) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: announce to AS1 only (lrg) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: announce to AS1 only (std) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: announce to AS131073 only (ext) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: announce to AS131073 only (lrg) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: custom BGP community (ext) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: custom BGP community (lrg) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: custom BGP community (std) ... 
ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: custom BGP community scrubbed ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: reconfigure ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, BGP communities, IPv4: dumping routes... +Live test, OpenBGPD 7.5, BGP communities, IPv4: stopping instances... +Live test, OpenBGPD 7.5, BGP communities, IPv6: setting instances up... +Live test, OpenBGPD 7.5, BGP communities, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: sessions are up ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: announce to AS1 only (ext) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: announce to AS1 only (lrg) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: announce to AS1 only (std) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: announce to AS131073 only (ext) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: announce to AS131073 only (lrg) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: custom BGP community (ext) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: custom BGP community (lrg) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: custom BGP community (std) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: custom BGP community scrubbed ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: reconfigure ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, BGP communities, IPv6: dumping routes... +Live test, OpenBGPD 7.5, BGP communities, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 26 tests in 67.294s +Ran 26 tests in 66.482s OK -Live test, OpenBGPD 7.4, default config, IPv4: setting instances up... 
-Live test, OpenBGPD 7.4, default config, IPv4: instances setup ... ok -Live test, OpenBGPD 7.4, default config, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.4, default config, IPv4: dumping rs config... -Live test, OpenBGPD 7.4, default config, IPv4: dumping routes... -Live test, OpenBGPD 7.4, default config, IPv4: stopping instances... -Live test, OpenBGPD 7.4, default config, IPv6: setting instances up... -Live test, OpenBGPD 7.4, default config, IPv6: instances setup ... ok -Live test, OpenBGPD 7.4, default config, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.4, default config, IPv6: dumping rs config... -Live test, OpenBGPD 7.4, default config, IPv6: dumping routes... -Live test, OpenBGPD 7.4, default config, IPv6: stopping instances... +Live test, OpenBGPD 7.5, default config, IPv4: setting instances up... +Live test, OpenBGPD 7.5, default config, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, default config, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, default config, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, default config, IPv4: dumping routes... +Live test, OpenBGPD 7.5, default config, IPv4: stopping instances... +Live test, OpenBGPD 7.5, default config, IPv6: setting instances up... +Live test, OpenBGPD 7.5, default config, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, default config, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, default config, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, default config, IPv6: dumping routes... +Live test, OpenBGPD 7.5, default config, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 4 tests in 11.854s +Ran 4 tests in 11.577s OK +Live test, OpenBGPD 7.5, global scenario, IPv4: setting instances up... +Live test, OpenBGPD 7.5, global scenario, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: sessions are up ... 
ok +Live test, OpenBGPD 7.5, global scenario, IPv4: session configured via local include files ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: good prefixes because of use_arin_bulk_whois_data ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: good prefixes received by rs: IRRdb white-list ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: good prefixes because of use_registrobr_bulk_whois_data ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: good prefixes because of use_rpki_roas_as_route_objects: exact ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: good prefixes because of use_rpki_roas_as_route_objects: covering ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: good prefixes received by rs ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: good prefixes received by rs: non-client NEXT_HOP ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: not IPv6 global unicast space ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: IRRdb white-list ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: AS_SET origin, RFC6907 7.1.9 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: IRR check for AS_SET origin, BIRD ... SKIP: BIRD specific +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: IRR check for AS_SET origin, OpenBGPD ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: AS_PATH len ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: bogon ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: client blacklist ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: global blacklist ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: invalid ASN in AS-PATH ... 
ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: invalid NEXT_HOP ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: left-most ASN ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: never via route servers ASN in AS-PATH (asns list) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: never via route servers ASN in AS-PATH (PeeringDB) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: origin not in AS-SET ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: prefix not in AS-SET ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: invalid prefix-len ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: transit-free ASN in AS-PATH ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: transit-free ASN in AS-PATH from a transit peer ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: unknown NEXT_HOP ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: RPKI ROAs as route objects failed ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: default route ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes not received by clients ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: bogon (wrong tag) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: global blacklist (wrong tag) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: RPKI, blackhole request for a covered prefix ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: RPKI, invalid prefix (bad ASN) received by rs ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: RPKI, invalid prefix (bad length) received by rs ... 
ok +Live test, OpenBGPD 7.5, global scenario, IPv4: RPKI, invalid prefix (bad ASN) not propagated to clients ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: RPKI, valid prefix received by rs ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: RPKI, valid prefix propagated to clients ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: prefixes from AS101 received by its upstreams ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: prefixes from AS101 received by rs ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad communities as seen by AS101 upstreams ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad communities scrubbed by rs (lrg) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad communities scrubbed by rs (std) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: other communities not scrubbed by rs (lrg) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: other communities not scrubbed by rs (std) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: blackhole filtering requests as seen by rs (BLACKHOLE) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: blackhole filtering requests as seen by rs (lrg cust) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: blackhole filtering requests as seen by rs (std cust) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: blackholed prefixes as seen by enabled clients (BLACKHOLE) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: blackholed prefixes as seen by enabled clients (lrg_cust) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: blackholed prefixes as seen by enabled clients (std_cust) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: blackholed prefixes not seen by not enabled clients ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: gshut by an enabled client ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: gshut by a not enabled client ... 
ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, announce to AS1 only ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, don't announce to any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, announce to all except AS1 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, prepend once to any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, prepend twice to any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, prepend thrice to any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, prepend once to AS1 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, prepend twice to AS2 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, prepend thrice to AS1, once to others ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, NO_EXPORT to AS1 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, NO_EXPORT to any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RFC1997 NO_EXPORT ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RTT, blackhole, not peers > 20 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RTT, not peers > 15 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RTT, not peers > 5 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RTT, not peers > 5 ms + AS3 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RTT, not peers <= 5 and > 100 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RTT, only peers <= 15 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RTT, only peers <= 5 ms ... 
ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RTT, ext comms, prepend 1x > 10 ms, 2x > 20 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RTT, prepend 3x > 100 ms, 2x > 10 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RTT, prepend 3x <= 5 ms, 2x <= 20 ms, 1x any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: prefixes received by clients: AS1_1 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: prefixes received by clients: AS1_2 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: prefixes received by clients: AS2 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: prefixes received by clients: AS3 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: prefixes received by clients: AS3 (with ADD-PATH) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: reconfigure ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, global scenario, IPv4: dumping routes... +Live test, OpenBGPD 7.5, global scenario, IPv4: stopping instances... +Live test, OpenBGPD 7.5, global scenario, IPv6: setting instances up... +Live test, OpenBGPD 7.5, global scenario, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: sessions are up ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: session configured via local include files ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: good prefixes because of use_arin_bulk_whois_data ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: good prefixes received by rs: IRRdb white-list ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: good prefixes because of use_registrobr_bulk_whois_data ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: good prefixes because of use_rpki_roas_as_route_objects: exact ... 
ok +Live test, OpenBGPD 7.5, global scenario, IPv6: good prefixes because of use_rpki_roas_as_route_objects: covering ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: good prefixes received by rs ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: good prefixes received by rs: non-client NEXT_HOP ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: not IPv6 global unicast space ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: IRRdb white-list ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: AS_SET origin, RFC6907 7.1.9 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: IRR check for AS_SET origin, BIRD ... SKIP: BIRD specific +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: IRR check for AS_SET origin, OpenBGPD ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: AS_PATH len ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: bogon ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: client blacklist ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: global blacklist ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: invalid ASN in AS-PATH ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: invalid NEXT_HOP ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: left-most ASN ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: never via route servers ASN in AS-PATH (asns list) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: never via route servers ASN in AS-PATH (PeeringDB) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: origin not in AS-SET ... 
ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: prefix not in AS-SET ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: invalid prefix-len ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: transit-free ASN in AS-PATH ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: transit-free ASN in AS-PATH from a transit peer ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: unknown NEXT_HOP ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: RPKI ROAs as route objects failed ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: default route ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes not received by clients ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: bogon (wrong tag) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: global blacklist (wrong tag) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: RPKI, blackhole request for a covered prefix ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: RPKI, invalid prefix (bad ASN) received by rs ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: RPKI, invalid prefix (bad length) received by rs ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: RPKI, invalid prefix (bad ASN) not propagated to clients ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: RPKI, valid prefix received by rs ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: RPKI, valid prefix propagated to clients ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: prefixes from AS101 received by its upstreams ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: prefixes from AS101 received by rs ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad communities as seen by AS101 upstreams ... 
ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad communities scrubbed by rs (lrg) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad communities scrubbed by rs (std) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: other communities not scrubbed by rs (lrg) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: other communities not scrubbed by rs (std) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: blackhole filtering requests as seen by rs (BLACKHOLE) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: blackhole filtering requests as seen by rs (lrg cust) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: blackhole filtering requests as seen by rs (std cust) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: blackholed prefixes as seen by enabled clients (BLACKHOLE) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: blackholed prefixes as seen by enabled clients (lrg_cust) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: blackholed prefixes as seen by enabled clients (std_cust) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: blackholed prefixes not seen by not enabled clients ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: gshut by an enabled client ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: gshut by a not enabled client ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, announce to AS1 only ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, don't announce to any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, announce to all except AS1 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, prepend once to any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, prepend twice to any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, prepend thrice to any ... 
ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, prepend once to AS1 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, prepend twice to AS2 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, prepend thrice to AS1, once to others ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, NO_EXPORT to AS1 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, NO_EXPORT to any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RFC1997 NO_EXPORT ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RTT, blackhole, not peers > 20 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RTT, not peers > 15 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RTT, not peers > 5 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RTT, not peers > 5 ms + AS3 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RTT, not peers <= 5 and > 100 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RTT, only peers <= 15 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RTT, only peers <= 5 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RTT, ext comms, prepend 1x > 10 ms, 2x > 20 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RTT, prepend 3x > 100 ms, 2x > 10 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RTT, prepend 3x <= 5 ms, 2x <= 20 ms, 1x any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: prefixes received by clients: AS1_1 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: prefixes received by clients: AS1_2 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: prefixes received by clients: AS2 ... 
ok +Live test, OpenBGPD 7.5, global scenario, IPv6: prefixes received by clients: AS3 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: prefixes received by clients: AS3 (with ADD-PATH) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: reconfigure ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, global scenario, IPv6: dumping routes... +Live test, OpenBGPD 7.5, global scenario, IPv6: stopping instances... Live test, OpenBGPD 7.4, global scenario, IPv4: setting instances up... Live test, OpenBGPD 7.4, global scenario, IPv4: instances setup ... ok Live test, OpenBGPD 7.4, global scenario, IPv4: sessions are up ... ok @@ -2535,7 +2714,7 @@ Live test, OpenBGPD 7.4, global scenario, IPv4: prefixes received by clients: AS Live test, OpenBGPD 7.4, global scenario, IPv4: prefixes received by clients: AS1_2 ... ok Live test, OpenBGPD 7.4, global scenario, IPv4: prefixes received by clients: AS2 ... ok Live test, OpenBGPD 7.4, global scenario, IPv4: prefixes received by clients: AS3 ... ok -Live test, OpenBGPD 7.4, global scenario, IPv4: prefixes received by clients: AS3 (with ADD-PATH) ... SKIP: ADD-PATH not supported by OpenBGPD +Live test, OpenBGPD 7.4, global scenario, IPv4: prefixes received by clients: AS3 (with ADD-PATH) ... SKIP: ADD-PATH not supported by OpenBGPD < 7.5 Live test, OpenBGPD 7.4, global scenario, IPv4: reconfigure ... ok Live test, OpenBGPD 7.4, global scenario, IPv4: log contains errors ... ok Live test, OpenBGPD 7.4, global scenario, IPv4: dumping rs config... 
@@ -2625,577 +2804,397 @@ Live test, OpenBGPD 7.4, global scenario, IPv6: prefixes received by clients: AS Live test, OpenBGPD 7.4, global scenario, IPv6: prefixes received by clients: AS1_2 ... ok Live test, OpenBGPD 7.4, global scenario, IPv6: prefixes received by clients: AS2 ... ok Live test, OpenBGPD 7.4, global scenario, IPv6: prefixes received by clients: AS3 ... ok -Live test, OpenBGPD 7.4, global scenario, IPv6: prefixes received by clients: AS3 (with ADD-PATH) ... SKIP: ADD-PATH not supported by OpenBGPD +Live test, OpenBGPD 7.4, global scenario, IPv6: prefixes received by clients: AS3 (with ADD-PATH) ... SKIP: ADD-PATH not supported by OpenBGPD < 7.5 Live test, OpenBGPD 7.4, global scenario, IPv6: reconfigure ... ok Live test, OpenBGPD 7.4, global scenario, IPv6: log contains errors ... ok Live test, OpenBGPD 7.4, global scenario, IPv6: dumping rs config... Live test, OpenBGPD 7.4, global scenario, IPv6: dumping routes... Live test, OpenBGPD 7.4, global scenario, IPv6: stopping instances... -Live test, OpenBGPD 7.3, global scenario, IPv4: setting instances up... -Live test, OpenBGPD 7.3, global scenario, IPv4: instances setup ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: sessions are up ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: session configured via local include files ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: good prefixes because of use_arin_bulk_whois_data ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: good prefixes received by rs: IRRdb white-list ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: good prefixes because of use_registrobr_bulk_whois_data ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: good prefixes because of use_rpki_roas_as_route_objects: exact ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: good prefixes because of use_rpki_roas_as_route_objects: covering ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: good prefixes received by rs ... 
ok -Live test, OpenBGPD 7.3, global scenario, IPv4: good prefixes received by rs: non-client NEXT_HOP ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: not IPv6 global unicast space ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: IRRdb white-list ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: AS_SET origin, RFC6907 7.1.9 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: IRR check for AS_SET origin, BIRD ... SKIP: BIRD specific -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: IRR check for AS_SET origin, OpenBGPD ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: AS_PATH len ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: bogon ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: client blacklist ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: global blacklist ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: invalid ASN in AS-PATH ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: invalid NEXT_HOP ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: left-most ASN ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: never via route servers ASN in AS-PATH (asns list) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: never via route servers ASN in AS-PATH (PeeringDB) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: origin not in AS-SET ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: prefix not in AS-SET ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: invalid prefix-len ... 
ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: transit-free ASN in AS-PATH ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: transit-free ASN in AS-PATH from a transit peer ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: unknown NEXT_HOP ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: RPKI ROAs as route objects failed ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: default route ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes not received by clients ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: bogon (wrong tag) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: global blacklist (wrong tag) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: RPKI, blackhole request for a covered prefix ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: RPKI, invalid prefix (bad ASN) received by rs ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: RPKI, invalid prefix (bad length) received by rs ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: RPKI, invalid prefix (bad ASN) not propagated to clients ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: RPKI, valid prefix received by rs ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: RPKI, valid prefix propagated to clients ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: prefixes from AS101 received by its upstreams ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: prefixes from AS101 received by rs ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad communities as seen by AS101 upstreams ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad communities scrubbed by rs (lrg) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad communities scrubbed by rs (std) ... 
ok -Live test, OpenBGPD 7.3, global scenario, IPv4: other communities not scrubbed by rs (lrg) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: other communities not scrubbed by rs (std) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: blackhole filtering requests as seen by rs (BLACKHOLE) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: blackhole filtering requests as seen by rs (lrg cust) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: blackhole filtering requests as seen by rs (std cust) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: blackholed prefixes as seen by enabled clients (BLACKHOLE) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: blackholed prefixes as seen by enabled clients (lrg_cust) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: blackholed prefixes as seen by enabled clients (std_cust) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: blackholed prefixes not seen by not enabled clients ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: gshut by an enabled client ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: gshut by a not enabled client ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, announce to AS1 only ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, don't announce to any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, announce to all except AS1 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, prepend once to any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, prepend twice to any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, prepend thrice to any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, prepend once to AS1 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, prepend twice to AS2 ... 
ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, prepend thrice to AS1, once to others ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, NO_EXPORT to AS1 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, NO_EXPORT to any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RFC1997 NO_EXPORT ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RTT, blackhole, not peers > 20 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RTT, not peers > 15 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RTT, not peers > 5 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RTT, not peers > 5 ms + AS3 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RTT, not peers <= 5 and > 100 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RTT, only peers <= 15 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RTT, only peers <= 5 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RTT, ext comms, prepend 1x > 10 ms, 2x > 20 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RTT, prepend 3x > 100 ms, 2x > 10 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RTT, prepend 3x <= 5 ms, 2x <= 20 ms, 1x any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: prefixes received by clients: AS1_1 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: prefixes received by clients: AS1_2 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: prefixes received by clients: AS2 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: prefixes received by clients: AS3 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: prefixes received by clients: AS3 (with ADD-PATH) ... 
SKIP: ADD-PATH not supported by OpenBGPD -Live test, OpenBGPD 7.3, global scenario, IPv4: reconfigure ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: dumping rs config... -Live test, OpenBGPD 7.3, global scenario, IPv4: dumping routes... -Live test, OpenBGPD 7.3, global scenario, IPv4: stopping instances... -Live test, OpenBGPD 7.3, global scenario, IPv6: setting instances up... -Live test, OpenBGPD 7.3, global scenario, IPv6: instances setup ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: sessions are up ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: session configured via local include files ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: good prefixes because of use_arin_bulk_whois_data ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: good prefixes received by rs: IRRdb white-list ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: good prefixes because of use_registrobr_bulk_whois_data ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: good prefixes because of use_rpki_roas_as_route_objects: exact ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: good prefixes because of use_rpki_roas_as_route_objects: covering ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: good prefixes received by rs ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: good prefixes received by rs: non-client NEXT_HOP ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: not IPv6 global unicast space ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: IRRdb white-list ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: AS_SET origin, RFC6907 7.1.9 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: IRR check for AS_SET origin, BIRD ... 
SKIP: BIRD specific -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: IRR check for AS_SET origin, OpenBGPD ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: AS_PATH len ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: bogon ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: client blacklist ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: global blacklist ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: invalid ASN in AS-PATH ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: invalid NEXT_HOP ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: left-most ASN ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: never via route servers ASN in AS-PATH (asns list) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: never via route servers ASN in AS-PATH (PeeringDB) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: origin not in AS-SET ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: prefix not in AS-SET ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: invalid prefix-len ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: transit-free ASN in AS-PATH ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: transit-free ASN in AS-PATH from a transit peer ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: unknown NEXT_HOP ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: RPKI ROAs as route objects failed ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: default route ... 
ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes not received by clients ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: bogon (wrong tag) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: global blacklist (wrong tag) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: RPKI, blackhole request for a covered prefix ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: RPKI, invalid prefix (bad ASN) received by rs ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: RPKI, invalid prefix (bad length) received by rs ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: RPKI, invalid prefix (bad ASN) not propagated to clients ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: RPKI, valid prefix received by rs ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: RPKI, valid prefix propagated to clients ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: prefixes from AS101 received by its upstreams ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: prefixes from AS101 received by rs ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad communities as seen by AS101 upstreams ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad communities scrubbed by rs (lrg) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad communities scrubbed by rs (std) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: other communities not scrubbed by rs (lrg) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: other communities not scrubbed by rs (std) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: blackhole filtering requests as seen by rs (BLACKHOLE) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: blackhole filtering requests as seen by rs (lrg cust) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: blackhole filtering requests as seen by rs (std cust) ... 
ok -Live test, OpenBGPD 7.3, global scenario, IPv6: blackholed prefixes as seen by enabled clients (BLACKHOLE) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: blackholed prefixes as seen by enabled clients (lrg_cust) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: blackholed prefixes as seen by enabled clients (std_cust) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: blackholed prefixes not seen by not enabled clients ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: gshut by an enabled client ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: gshut by a not enabled client ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, announce to AS1 only ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, don't announce to any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, announce to all except AS1 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, prepend once to any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, prepend twice to any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, prepend thrice to any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, prepend once to AS1 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, prepend twice to AS2 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, prepend thrice to AS1, once to others ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, NO_EXPORT to AS1 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, NO_EXPORT to any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RFC1997 NO_EXPORT ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RTT, blackhole, not peers > 20 ms ... 
ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RTT, not peers > 15 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RTT, not peers > 5 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RTT, not peers > 5 ms + AS3 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RTT, not peers <= 5 and > 100 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RTT, only peers <= 15 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RTT, only peers <= 5 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RTT, ext comms, prepend 1x > 10 ms, 2x > 20 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RTT, prepend 3x > 100 ms, 2x > 10 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RTT, prepend 3x <= 5 ms, 2x <= 20 ms, 1x any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: prefixes received by clients: AS1_1 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: prefixes received by clients: AS1_2 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: prefixes received by clients: AS2 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: prefixes received by clients: AS3 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: prefixes received by clients: AS3 (with ADD-PATH) ... SKIP: ADD-PATH not supported by OpenBGPD -Live test, OpenBGPD 7.3, global scenario, IPv6: reconfigure ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: dumping rs config... -Live test, OpenBGPD 7.3, global scenario, IPv6: dumping routes... -Live test, OpenBGPD 7.3, global scenario, IPv6: stopping instances... 
---------------------------------------------------------------------- -Ran 344 tests in 334.500s - -OK (SKIP=8) -Live test, OpenBGPD 7.4, gshut, IPv4: setting instances up... -Live test, OpenBGPD 7.4, gshut, IPv4: instances setup ... ok -Live test, OpenBGPD 7.4, gshut, IPv4: sessions are up ... ok -Live test, OpenBGPD 7.4, gshut, IPv4: clients receive routes tagged with GRACEFUL_SHUTDOWN ... ok -Live test, OpenBGPD 7.4, gshut, IPv4: reconfigure ... ok -Live test, OpenBGPD 7.4, gshut, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.4, gshut, IPv4: dumping rs config... -Live test, OpenBGPD 7.4, gshut, IPv4: dumping routes... -Live test, OpenBGPD 7.4, gshut, IPv4: stopping instances... -Live test, OpenBGPD 7.4, gshut, IPv6: setting instances up... -Live test, OpenBGPD 7.4, gshut, IPv6: instances setup ... ok -Live test, OpenBGPD 7.4, gshut, IPv6: sessions are up ... ok -Live test, OpenBGPD 7.4, gshut, IPv6: clients receive routes tagged with GRACEFUL_SHUTDOWN ... ok -Live test, OpenBGPD 7.4, gshut, IPv6: reconfigure ... ok -Live test, OpenBGPD 7.4, gshut, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.4, gshut, IPv6: dumping rs config... -Live test, OpenBGPD 7.4, gshut, IPv6: dumping routes... -Live test, OpenBGPD 7.4, gshut, IPv6: stopping instances... +Ran 344 tests in 329.423s + +OK (SKIP=6) +Live test, OpenBGPD 7.5, gshut, IPv4: setting instances up... +Live test, OpenBGPD 7.5, gshut, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, gshut, IPv4: sessions are up ... ok +Live test, OpenBGPD 7.5, gshut, IPv4: clients receive routes tagged with GRACEFUL_SHUTDOWN ... ok +Live test, OpenBGPD 7.5, gshut, IPv4: reconfigure ... ok +Live test, OpenBGPD 7.5, gshut, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, gshut, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, gshut, IPv4: dumping routes... +Live test, OpenBGPD 7.5, gshut, IPv4: stopping instances... +Live test, OpenBGPD 7.5, gshut, IPv6: setting instances up... 
+Live test, OpenBGPD 7.5, gshut, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, gshut, IPv6: sessions are up ... ok +Live test, OpenBGPD 7.5, gshut, IPv6: clients receive routes tagged with GRACEFUL_SHUTDOWN ... ok +Live test, OpenBGPD 7.5, gshut, IPv6: reconfigure ... ok +Live test, OpenBGPD 7.5, gshut, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, gshut, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, gshut, IPv6: dumping routes... +Live test, OpenBGPD 7.5, gshut, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 10 tests in 49.293s +Ran 10 tests in 49.272s OK -Live test, OpenBGPD 7.4, max-prefix, IPv4: setting instances up... -Live test, OpenBGPD 7.4, max-prefix, IPv4: instances setup ... ok -Live test, OpenBGPD 7.4, max-prefix, IPv4: sessions are down ... ok -Live test, OpenBGPD 7.4, max-prefix, IPv4: clients log max-prefix notification ... ok -Live test, OpenBGPD 7.4, max-prefix, IPv4: reconfigure ... ok -Live test, OpenBGPD 7.4, max-prefix, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.4, max-prefix, IPv4: dumping rs config... -Live test, OpenBGPD 7.4, max-prefix, IPv4: dumping routes... -Live test, OpenBGPD 7.4, max-prefix, IPv4: stopping instances... -Live test, OpenBGPD 7.4, max-prefix, IPv6: setting instances up... -Live test, OpenBGPD 7.4, max-prefix, IPv6: instances setup ... ok -Live test, OpenBGPD 7.4, max-prefix, IPv6: sessions are down ... ok -Live test, OpenBGPD 7.4, max-prefix, IPv6: clients log max-prefix notification ... ok -Live test, OpenBGPD 7.4, max-prefix, IPv6: reconfigure ... ok -Live test, OpenBGPD 7.4, max-prefix, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.4, max-prefix, IPv6: dumping rs config... -Live test, OpenBGPD 7.4, max-prefix, IPv6: dumping routes... -Live test, OpenBGPD 7.4, max-prefix, IPv6: stopping instances... +Live test, OpenBGPD 7.5, max-prefix, IPv4: setting instances up... 
+Live test, OpenBGPD 7.5, max-prefix, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, max-prefix, IPv4: sessions are down ... ok +Live test, OpenBGPD 7.5, max-prefix, IPv4: clients log max-prefix notification ... ok +Live test, OpenBGPD 7.5, max-prefix, IPv4: reconfigure ... ok +Live test, OpenBGPD 7.5, max-prefix, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, max-prefix, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, max-prefix, IPv4: dumping routes... +Live test, OpenBGPD 7.5, max-prefix, IPv4: stopping instances... +Live test, OpenBGPD 7.5, max-prefix, IPv6: setting instances up... +Live test, OpenBGPD 7.5, max-prefix, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, max-prefix, IPv6: sessions are down ... ok +Live test, OpenBGPD 7.5, max-prefix, IPv6: clients log max-prefix notification ... ok +Live test, OpenBGPD 7.5, max-prefix, IPv6: reconfigure ... ok +Live test, OpenBGPD 7.5, max-prefix, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, max-prefix, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, max-prefix, IPv6: dumping routes... +Live test, OpenBGPD 7.5, max-prefix, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 10 tests in 363.605s +Ran 10 tests in 358.497s OK -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: setting instances up... -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: instances setup ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: sessions are up ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: rs should receive prefix from both AS1 and AS2 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: rs should have best toward AS1 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: AS1 wants rs to not announce to AS3 and AS4 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: AS3 does not receive prefix at all ... 
ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: AS4 receives the prefix via AS2 because of ADD-PATH ... SKIP: ADD-PATH not supported by OpenBGPD -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: reconfigure ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: dumping rs config... -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: dumping routes... -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: stopping instances... -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: setting instances up... -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: instances setup ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: sessions are up ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: rs should receive prefix from both AS1 and AS2 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: rs should have best toward AS1 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: AS1 wants rs to not announce to AS3 and AS4 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: AS3 and AS4 receive prefix with sub-optimal path via AS2 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: AS3 and AS4 don't receive prefix via AS1 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: 2nd best is withdrawn and AS3 should not see it anymore ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: reconfigure ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: dumping rs config... -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: dumping routes... -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: stopping instances... -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: setting instances up... 
-Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: instances setup ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: sessions are up ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: rs should receive prefix from both AS1 and AS2 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: rs should have best toward AS1 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: AS1 wants rs to not announce to AS3 and AS4 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: AS3 does not receive prefix at all ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: AS4 receives the prefix via AS2 because of ADD-PATH ... SKIP: ADD-PATH not supported by OpenBGPD -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: reconfigure ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: dumping rs config... -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: dumping routes... -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: stopping instances... -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: setting instances up... -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: instances setup ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: sessions are up ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: rs should receive prefix from both AS1 and AS2 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: rs should have best toward AS1 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: AS1 wants rs to not announce to AS3 and AS4 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: AS3 and AS4 receive prefix with sub-optimal path via AS2 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: AS3 and AS4 don't receive prefix via AS1 ... 
ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: 2nd best is withdrawn and AS3 should not see it anymore ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: reconfigure ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: dumping rs config... -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: dumping routes... -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: stopping instances... +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: setting instances up... +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: sessions are up ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: rs should receive prefix from both AS1 and AS2 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: rs should have best toward AS1 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: AS1 wants rs to not announce to AS3 and AS4 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: AS3 does not receive prefix at all ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: AS4 receives the prefix via AS2 because of ADD-PATH ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: reconfigure ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: dumping routes... +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: stopping instances... +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: setting instances up... +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: sessions are up ... 
ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: rs should receive prefix from both AS1 and AS2 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: rs should have best toward AS1 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: AS1 wants rs to not announce to AS3 and AS4 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: AS3 and AS4 receive prefix with sub-optimal path via AS2 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: AS3 and AS4 don't receive prefix via AS1 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: 2nd best is withdrawn and AS3 should not see it anymore ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: reconfigure ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: dumping routes... +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: stopping instances... +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: setting instances up... +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: sessions are up ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: rs should receive prefix from both AS1 and AS2 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: rs should have best toward AS1 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: AS1 wants rs to not announce to AS3 and AS4 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: AS3 does not receive prefix at all ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: AS4 receives the prefix via AS2 because of ADD-PATH ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: reconfigure ... 
ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: dumping routes... +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: stopping instances... +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: setting instances up... +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: sessions are up ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: rs should receive prefix from both AS1 and AS2 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: rs should have best toward AS1 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: AS1 wants rs to not announce to AS3 and AS4 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: AS3 and AS4 receive prefix with sub-optimal path via AS2 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: AS3 and AS4 don't receive prefix via AS1 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: 2nd best is withdrawn and AS3 should not see it anymore ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: reconfigure ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: dumping routes... +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 38 tests in 192.769s +Ran 38 tests in 192.492s -OK (SKIP=2) -Live test, OpenBGPD 7.4, examples, rich config, IPv4: setting instances up... -Live test, OpenBGPD 7.4, examples, rich config, IPv4: instances setup ... 
ok -Live test, OpenBGPD 7.4, examples, rich config, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.4, examples, rich config, IPv4: dumping rs config... -Live test, OpenBGPD 7.4, examples, rich config, IPv4: dumping routes... -Live test, OpenBGPD 7.4, examples, rich config, IPv4: stopping instances... -Live test, OpenBGPD 7.4, examples, rich config, IPv6: setting instances up... -Live test, OpenBGPD 7.4, examples, rich config, IPv6: instances setup ... ok -Live test, OpenBGPD 7.4, examples, rich config, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.4, examples, rich config, IPv6: dumping rs config... -Live test, OpenBGPD 7.4, examples, rich config, IPv6: dumping routes... -Live test, OpenBGPD 7.4, examples, rich config, IPv6: stopping instances... +OK +Live test, OpenBGPD 7.5, examples, rich config, IPv4: setting instances up... +Live test, OpenBGPD 7.5, examples, rich config, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, examples, rich config, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, examples, rich config, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, examples, rich config, IPv4: dumping routes... +Live test, OpenBGPD 7.5, examples, rich config, IPv4: stopping instances... +Live test, OpenBGPD 7.5, examples, rich config, IPv6: setting instances up... +Live test, OpenBGPD 7.5, examples, rich config, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, examples, rich config, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, examples, rich config, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, examples, rich config, IPv6: dumping routes... +Live test, OpenBGPD 7.5, examples, rich config, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 4 tests in 21.778s +Ran 4 tests in 22.056s OK -Live test, OpenBGPD 7.4, RTR protocol: setting instances up... -Live test, OpenBGPD 7.4, RTR protocol: instances setup ... 
ok -Live test, OpenBGPD 7.4, RTR protocol: sessions are up ... ok -Live test, OpenBGPD 7.4, RTR protocol: route accepted because validator not running ... ok -Live test, OpenBGPD 7.4, RTR protocol: spin up the validator ... ok -Live test, OpenBGPD 7.4, RTR protocol: restart OpenBGPD to speed up RTR session establishment ... ok -Live test, OpenBGPD 7.4, RTR protocol: check the RTR session is up ... ok -Live test, OpenBGPD 7.4, RTR protocol: route dropped after spinning the validator up ... ok -Live test, OpenBGPD 7.4, RTR protocol: log contains errors ... ok -Live test, OpenBGPD 7.4, RTR protocol: dumping rs config... -Live test, OpenBGPD 7.4, RTR protocol: dumping routes... -Live test, OpenBGPD 7.4, RTR protocol: stopping instances... +Live test, OpenBGPD 7.5, RTR protocol: setting instances up... +Live test, OpenBGPD 7.5, RTR protocol: instances setup ... ok +Live test, OpenBGPD 7.5, RTR protocol: sessions are up ... ok +Live test, OpenBGPD 7.5, RTR protocol: route accepted because validator not running ... ok +Live test, OpenBGPD 7.5, RTR protocol: spin up the validator ... ok +Live test, OpenBGPD 7.5, RTR protocol: restart OpenBGPD to speed up RTR session establishment ... ok +Live test, OpenBGPD 7.5, RTR protocol: check the RTR session is up ... ok +Live test, OpenBGPD 7.5, RTR protocol: route dropped after spinning the validator up ... ok +Live test, OpenBGPD 7.5, RTR protocol: log contains errors ... ok +Live test, OpenBGPD 7.5, RTR protocol: dumping rs config... +Live test, OpenBGPD 7.5, RTR protocol: dumping routes... +Live test, OpenBGPD 7.5, RTR protocol: stopping instances... ---------------------------------------------------------------------- -Ran 8 tests in 43.511s +Ran 8 tests in 43.032s OK -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: setting instances up... -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: instances setup ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: sessions are up ... 
ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 prefix ko origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 prefix ko origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 prefix ok origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 prefix ok origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 route filtered (origin ko) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 prefix ko origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 prefix ok origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 route filtered (prefix ko, origin ko) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS5 route filtered (prefix ko, origin ko) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS5 route filtered (prefix ko) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS5 prefix ok origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS5 prefix ok origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 white list, prefix WL, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 route white list, ok (exact) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 route white list, reject (more spec) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 route white list, ok (more spec) ... 
ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 route white list, reject (origin KO) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 route white list, ok (origin any) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 white list, prefix WL, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS5 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS5 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS5 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS5 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS5 white list, prefix WL, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 RPKI ROAs as route objects: tag only (w/ prefix_validated_via_rpki_roas) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS6 RPKI ROAs as route objects: invalid origin ASN ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS6 RPKI ROAs as route objects: ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 ARIN Whois DB: tag only (w/ prefix_validated_via_arin_whois_db_dump) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS6 ARIN Whois DB: ok ... 
ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 prefix ok, origin ok, ARIN: tag only (w/ prefix_validated_via_arin_whois_db_dump) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 prefix ok, origin ok, ROA: tag only (w/ prefix_validated_via_rpki_roas) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 ROA + ARIN Whois DB: tag only (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS6 prefix ok, origin ok, ROA + ARIN: enforce (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS6 ROA + ARIN Whois DB: enforce (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: reconfigure ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: dumping rs config... -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: dumping routes... -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: stopping instances... -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: setting instances up... -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: instances setup ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: sessions are up ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 no enforcement, prefix and origin not in AS-SET ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 origin enforcement ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 prefix enforcement ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 white list, prefix ok, origin WL ... 
ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 white list, prefix WL, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 route white list, ok (exact) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 route white list, reject (more spec) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 route white list, ok (more spec) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 route white list, reject (origin KO) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 route white list, ok (origin any) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 white list, prefix WL, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS5 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS5 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS5 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS5 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS5 white list, prefix WL, origin WL ... 
ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 RPKI ROAs as route objects: tag only (w/o prefix_validated_via_rpki_roas) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS6 RPKI ROAs as route objects: invalid origin ASN ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS6 RPKI ROAs as route objects: ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 ARIN Whois DB: tag only (w/o prefix_validated_via_arin_whois_db_dump) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS6 ARIN Whois DB: ok (solely because of route white list) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 prefix ok, origin ok, ARIN: tag only (w/o prefix_validated_via_arin_whois_db_dump) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 prefix ok, origin ok, ROA: tag only (w/o prefix_validated_via_rpki_roas) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 ROA + ARIN Whois DB: tag only (w/o comms [arin_whois_db_dump, rpki_roas]) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS6 prefix ok, origin ok, ROA + ARIN: rejected ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS6 ROA + ARIN Whois DB: enforced (rejected) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: reconfigure ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: dumping rs config... -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: dumping routes... -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: stopping instances... -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: setting instances up... -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: instances setup ... 
ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: sessions are up ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 prefix ko origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 prefix ko origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 prefix ok origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 prefix ok origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 route filtered (origin ko) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 prefix ko origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 prefix ok origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 route filtered (prefix ko, origin ko) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS5 route filtered (prefix ko, origin ko) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS5 route filtered (prefix ko) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS5 prefix ok origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS5 prefix ok origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 white list, prefix WL, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 route white list, ok (exact) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 route white list, reject (more spec) ... 
ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 route white list, ok (more spec) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 route white list, reject (origin KO) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 route white list, ok (origin any) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 white list, prefix WL, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS5 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS5 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS5 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS5 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS5 white list, prefix WL, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 RPKI ROAs as route objects: tag only (w/ prefix_validated_via_rpki_roas) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS6 RPKI ROAs as route objects: invalid origin ASN ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS6 RPKI ROAs as route objects: ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 ARIN Whois DB: tag only (w/ prefix_validated_via_arin_whois_db_dump) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS6 ARIN Whois DB: ok ... 
ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 prefix ok, origin ok, ARIN: tag only (w/ prefix_validated_via_arin_whois_db_dump) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 prefix ok, origin ok, ROA: tag only (w/ prefix_validated_via_rpki_roas) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 ROA + ARIN Whois DB: tag only (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS6 prefix ok, origin ok, ROA + ARIN: enforce (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS6 ROA + ARIN Whois DB: enforce (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: reconfigure ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: dumping rs config... -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: dumping routes... -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: stopping instances... -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: setting instances up... -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: instances setup ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: sessions are up ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 no enforcement, prefix and origin not in AS-SET ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 origin enforcement ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 prefix enforcement ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 white list, prefix ok, origin WL ... 
ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 white list, prefix WL, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 route white list, ok (exact) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 route white list, reject (more spec) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 route white list, ok (more spec) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 route white list, reject (origin KO) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 route white list, ok (origin any) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 white list, prefix WL, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS5 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS5 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS5 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS5 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS5 white list, prefix WL, origin WL ... 
ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 RPKI ROAs as route objects: tag only (w/o prefix_validated_via_rpki_roas) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS6 RPKI ROAs as route objects: invalid origin ASN ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS6 RPKI ROAs as route objects: ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 ARIN Whois DB: tag only (w/o prefix_validated_via_arin_whois_db_dump) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS6 ARIN Whois DB: ok (solely because of route white list) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 prefix ok, origin ok, ARIN: tag only (w/o prefix_validated_via_arin_whois_db_dump) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 prefix ok, origin ok, ROA: tag only (w/o prefix_validated_via_rpki_roas) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 ROA + ARIN Whois DB: tag only (w/o comms [arin_whois_db_dump, rpki_roas]) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS6 prefix ok, origin ok, ROA + ARIN: rejected ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS6 ROA + ARIN Whois DB: enforced (rejected) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: reconfigure ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: dumping rs config... -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: dumping routes... -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: stopping instances... +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: setting instances up... +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: instances setup ... 
ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: sessions are up ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 prefix ko origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 prefix ko origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 prefix ok origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 prefix ok origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 route filtered (origin ko) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 prefix ko origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 prefix ok origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 route filtered (prefix ko, origin ko) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS5 route filtered (prefix ko, origin ko) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS5 route filtered (prefix ko) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS5 prefix ok origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS5 prefix ok origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 white list, prefix WL, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 route white list, ok (exact) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 route white list, reject (more spec) ... 
ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 route white list, ok (more spec) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 route white list, reject (origin KO) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 route white list, ok (origin any) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 white list, prefix WL, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS5 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS5 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS5 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS5 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS5 white list, prefix WL, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 RPKI ROAs as route objects: tag only (w/ prefix_validated_via_rpki_roas) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS6 RPKI ROAs as route objects: invalid origin ASN ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS6 RPKI ROAs as route objects: ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 ARIN Whois DB: tag only (w/ prefix_validated_via_arin_whois_db_dump) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS6 ARIN Whois DB: ok ... 
ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 prefix ok, origin ok, ARIN: tag only (w/ prefix_validated_via_arin_whois_db_dump) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 prefix ok, origin ok, ROA: tag only (w/ prefix_validated_via_rpki_roas) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 ROA + ARIN Whois DB: tag only (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS6 prefix ok, origin ok, ROA + ARIN: enforce (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS6 ROA + ARIN Whois DB: enforce (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: reconfigure ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: dumping routes... +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: stopping instances... +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: setting instances up... +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: sessions are up ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 no enforcement, prefix and origin not in AS-SET ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 origin enforcement ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 prefix enforcement ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 white list, prefix ok, origin WL ... 
ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 white list, prefix WL, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 route white list, ok (exact) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 route white list, reject (more spec) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 route white list, ok (more spec) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 route white list, reject (origin KO) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 route white list, ok (origin any) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 white list, prefix WL, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS5 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS5 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS5 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS5 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS5 white list, prefix WL, origin WL ... 
ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 RPKI ROAs as route objects: tag only (w/o prefix_validated_via_rpki_roas) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS6 RPKI ROAs as route objects: invalid origin ASN ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS6 RPKI ROAs as route objects: ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 ARIN Whois DB: tag only (w/o prefix_validated_via_arin_whois_db_dump) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS6 ARIN Whois DB: ok (solely because of route white list) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 prefix ok, origin ok, ARIN: tag only (w/o prefix_validated_via_arin_whois_db_dump) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 prefix ok, origin ok, ROA: tag only (w/o prefix_validated_via_rpki_roas) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 ROA + ARIN Whois DB: tag only (w/o comms [arin_whois_db_dump, rpki_roas]) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS6 prefix ok, origin ok, ROA + ARIN: rejected ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS6 ROA + ARIN Whois DB: enforced (rejected) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: reconfigure ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: dumping routes... +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: stopping instances... +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: setting instances up... +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: instances setup ... 
ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: sessions are up ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 prefix ko origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 prefix ko origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 prefix ok origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 prefix ok origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 route filtered (origin ko) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 prefix ko origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 prefix ok origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 route filtered (prefix ko, origin ko) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS5 route filtered (prefix ko, origin ko) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS5 route filtered (prefix ko) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS5 prefix ok origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS5 prefix ok origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 white list, prefix WL, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 route white list, ok (exact) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 route white list, reject (more spec) ... 
ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 route white list, ok (more spec) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 route white list, reject (origin KO) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 route white list, ok (origin any) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 white list, prefix WL, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS5 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS5 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS5 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS5 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS5 white list, prefix WL, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 RPKI ROAs as route objects: tag only (w/ prefix_validated_via_rpki_roas) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS6 RPKI ROAs as route objects: invalid origin ASN ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS6 RPKI ROAs as route objects: ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 ARIN Whois DB: tag only (w/ prefix_validated_via_arin_whois_db_dump) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS6 ARIN Whois DB: ok ... 
ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 prefix ok, origin ok, ARIN: tag only (w/ prefix_validated_via_arin_whois_db_dump) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 prefix ok, origin ok, ROA: tag only (w/ prefix_validated_via_rpki_roas) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 ROA + ARIN Whois DB: tag only (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS6 prefix ok, origin ok, ROA + ARIN: enforce (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS6 ROA + ARIN Whois DB: enforce (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: reconfigure ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: dumping routes... +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: stopping instances... +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: setting instances up... +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: sessions are up ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 no enforcement, prefix and origin not in AS-SET ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 origin enforcement ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 prefix enforcement ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 white list, prefix ok, origin WL ... 
ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 white list, prefix WL, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 route white list, ok (exact) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 route white list, reject (more spec) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 route white list, ok (more spec) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 route white list, reject (origin KO) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 route white list, ok (origin any) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 white list, prefix WL, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS5 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS5 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS5 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS5 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS5 white list, prefix WL, origin WL ... 
ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 RPKI ROAs as route objects: tag only (w/o prefix_validated_via_rpki_roas) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS6 RPKI ROAs as route objects: invalid origin ASN ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS6 RPKI ROAs as route objects: ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 ARIN Whois DB: tag only (w/o prefix_validated_via_arin_whois_db_dump) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS6 ARIN Whois DB: ok (solely because of route white list) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 prefix ok, origin ok, ARIN: tag only (w/o prefix_validated_via_arin_whois_db_dump) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 prefix ok, origin ok, ROA: tag only (w/o prefix_validated_via_rpki_roas) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 ROA + ARIN Whois DB: tag only (w/o comms [arin_whois_db_dump, rpki_roas]) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS6 prefix ok, origin ok, ROA + ARIN: rejected ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS6 ROA + ARIN Whois DB: enforced (rejected) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: reconfigure ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: dumping routes... +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 166 tests in 177.003s +Ran 166 tests in 173.555s OK -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: setting instances up... 
-Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: instances setup ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: sessions are up ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: AS_PATH too long ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: bogon prefix ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: bogon prefix, wrong announcing ASN ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: prefix in client's blacklist ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: invalid ASN in AS_PATH ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: invalid NEXT_HOP ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: local black list ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: prefix is not in IPv6 global unicast space ... SKIP: IPv6 only test -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: origin not in as-macro ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: invalid left-most ASN ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: prefix length ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: prefix not in as-macro ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: RPKI INVALID route ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: transit-free ASN in AS_PATH ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: good routes not received ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: prefixes received by clients: AS1_1 ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: prefixes received by clients: AS1_2 ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: prefixes received by clients: AS2 ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: reconfigure ... 
ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: dumping rs config... -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: dumping routes... -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: stopping instances... -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: setting instances up... -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: instances setup ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: sessions are up ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: AS_PATH too long ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: bogon prefix ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: bogon prefix, wrong announcing ASN ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: prefix in client's blacklist ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: invalid ASN in AS_PATH ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: invalid NEXT_HOP ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: local black list ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: prefix is not in IPv6 global unicast space ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: origin not in as-macro ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: invalid left-most ASN ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: prefix length ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: prefix not in as-macro ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: RPKI INVALID route ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: transit-free ASN in AS_PATH ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: good routes not received ... 
ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: prefixes received by clients: AS1_1 ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: prefixes received by clients: AS1_2 ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: prefixes received by clients: AS2 ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: reconfigure ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: dumping rs config... -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: dumping routes... -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: stopping instances... +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: setting instances up... +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: sessions are up ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: AS_PATH too long ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: bogon prefix ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: bogon prefix, wrong announcing ASN ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: prefix in client's blacklist ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: invalid ASN in AS_PATH ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: invalid NEXT_HOP ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: local black list ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: prefix is not in IPv6 global unicast space ... SKIP: IPv6 only test +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: origin not in as-macro ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: invalid left-most ASN ... 
ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: prefix length ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: prefix not in as-macro ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: RPKI INVALID route ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: transit-free ASN in AS_PATH ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: good routes not received ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: prefixes received by clients: AS1_1 ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: prefixes received by clients: AS1_2 ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: prefixes received by clients: AS2 ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: reconfigure ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: dumping routes... +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: stopping instances... +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: setting instances up... +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: sessions are up ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: AS_PATH too long ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: bogon prefix ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: bogon prefix, wrong announcing ASN ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: prefix in client's blacklist ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: invalid ASN in AS_PATH ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: invalid NEXT_HOP ... 
ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: local black list ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: prefix is not in IPv6 global unicast space ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: origin not in as-macro ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: invalid left-most ASN ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: prefix length ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: prefix not in as-macro ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: RPKI INVALID route ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: transit-free ASN in AS_PATH ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: good routes not received ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: prefixes received by clients: AS1_1 ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: prefixes received by clients: AS1_2 ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: prefixes received by clients: AS2 ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: reconfigure ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: dumping routes... +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 44 tests in 121.095s +Ran 44 tests in 124.940s OK (SKIP=1) diff --git a/tests/last.json b/tests/last.json index 1cf68ec2..5fe29e1e 100644 --- a/tests/last.json +++ b/tests/last.json @@ -1 +1 @@ -{"unique_test_cases": 2639} +{"unique_test_cases": 2643} 
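Review bot: The `-Live test, OpenBGPD 7.4, 'tag' reject policy scenario` lines are overwritten in place by their 7.5 equivalents, so this results file no longer holds a recorded run of the reject-policy checks (bogon prefix, invalid NEXT_HOP, RPKI INVALID route, transit-free ASN in AS_PATH) against 7.4. If 7.4 remains a supported target, keep its last results in a version-specific file instead of replacing them, so a filtering regression on the older daemon stays visible in review.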
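Review bot: In tests/last.json the `unique_test_cases` counter moves from 2639 to 2643, but the result hunks next to it report the same totals before and after (`Ran 166 tests`, `Ran 44 tests`), so these hunks do not show where the four new cases come from. Name the added cases in the commit message or changelog so the counter can be checked against the recorded results.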
diff --git a/tests/last_results/extres.last b/tests/last_results/extres.last index 75f470a1..a8f55924 100644 --- a/tests/last_results/extres.last +++ b/tests/last_results/extres.last @@ -15,6 +15,6 @@ External resources: prefixes from AS-SET via bgpq3 ... ok External resources: prefixes from AS-SET via bgpq4 ... ok ---------------------------------------------------------------------- -Ran 15 tests in 48.378s +Ran 15 tests in 48.245s OK diff --git a/tests/last_results/live_bird_hooks_example_bird1.last b/tests/last_results/live_bird_hooks_example_bird1.last index fc1ee66e..92337cca 100644 --- a/tests/last_results/live_bird_hooks_example_bird1.last +++ b/tests/last_results/live_bird_hooks_example_bird1.last @@ -1,4 +1,3 @@ -Error: No such network: arouteserver Live test, BIRD, hooks example, IPv4: setting instances up... Live test, BIRD, hooks example, IPv4: instances setup ... ok Live test, BIRD, hooks example, IPv4: log contains errors ... ok @@ -13,6 +12,6 @@ Live test, BIRD, hooks example, IPv6: dumping routes... Live test, BIRD, hooks example, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 4 tests in 15.145s +Ran 4 tests in 14.255s OK diff --git a/tests/last_results/live_communities_bird1.last b/tests/last_results/live_communities_bird1.last index d8defb41..d3fafc0d 100644 --- a/tests/last_results/live_communities_bird1.last +++ b/tests/last_results/live_communities_bird1.last @@ -34,6 +34,6 @@ Live test, BIRD, BGP communities, IPv6: dumping routes... Live test, BIRD, BGP communities, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 26 tests in 64.614s +Ran 26 tests in 64.025s OK diff --git a/tests/last_results/live_communities_bird2.last b/tests/last_results/live_communities_bird2.last index f58a78c1..16fe8ed2 100644 --- a/tests/last_results/live_communities_bird2.last +++ b/tests/last_results/live_communities_bird2.last 
@@ -34,6 +34,6 @@ Live test, BIRD v2, BGP communities, IPv6: dumping routes... Live test, BIRD v2, BGP communities, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 26 tests in 63.231s +Ran 26 tests in 63.218s OK diff --git a/tests/last_results/live_communities_openbgpd_portable.last b/tests/last_results/live_communities_openbgpd_portable.last index f01d5453..4713e203 100644 --- a/tests/last_results/live_communities_openbgpd_portable.last +++ b/tests/last_results/live_communities_openbgpd_portable.last 
@@ -1,39 +1,39 @@ -Live test, OpenBGPD 7.4, BGP communities, IPv4: setting instances up... -Live test, OpenBGPD 7.4, BGP communities, IPv4: instances setup ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: sessions are up ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: announce to AS1 only (ext) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: announce to AS1 only (lrg) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: announce to AS1 only (std) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: announce to AS131073 only (ext) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: announce to AS131073 only (lrg) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: custom BGP community (ext) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: custom BGP community (lrg) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: custom BGP community (std) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: custom BGP community scrubbed ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: reconfigure ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv4: dumping rs config... -Live test, OpenBGPD 7.4, BGP communities, IPv4: dumping routes... -Live test, OpenBGPD 7.4, BGP communities, IPv4: stopping instances... -Live test, OpenBGPD 7.4, BGP communities, IPv6: setting instances up... -Live test, OpenBGPD 7.4, BGP communities, IPv6: instances setup ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: sessions are up ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: announce to AS1 only (ext) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: announce to AS1 only (lrg) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: announce to AS1 only (std) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: announce to AS131073 only (ext) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: announce to AS131073 only (lrg) ... 
ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: custom BGP community (ext) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: custom BGP community (lrg) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: custom BGP community (std) ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: custom BGP community scrubbed ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: reconfigure ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.4, BGP communities, IPv6: dumping rs config... -Live test, OpenBGPD 7.4, BGP communities, IPv6: dumping routes... -Live test, OpenBGPD 7.4, BGP communities, IPv6: stopping instances... +Live test, OpenBGPD 7.5, BGP communities, IPv4: setting instances up... +Live test, OpenBGPD 7.5, BGP communities, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: sessions are up ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: announce to AS1 only (ext) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: announce to AS1 only (lrg) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: announce to AS1 only (std) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: announce to AS131073 only (ext) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: announce to AS131073 only (lrg) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: custom BGP community (ext) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: custom BGP community (lrg) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: custom BGP community (std) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: custom BGP community scrubbed ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: reconfigure ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, BGP communities, IPv4: dumping routes... 
+Live test, OpenBGPD 7.5, BGP communities, IPv4: stopping instances... +Live test, OpenBGPD 7.5, BGP communities, IPv6: setting instances up... +Live test, OpenBGPD 7.5, BGP communities, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: sessions are up ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: announce to AS1 only (ext) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: announce to AS1 only (lrg) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: announce to AS1 only (std) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: announce to AS131073 only (ext) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: announce to AS131073 only (lrg) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: custom BGP community (ext) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: custom BGP community (lrg) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: custom BGP community (std) ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: custom BGP community scrubbed ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: reconfigure ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, BGP communities, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, BGP communities, IPv6: dumping routes... +Live test, OpenBGPD 7.5, BGP communities, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 26 tests in 67.294s +Ran 26 tests in 66.482s OK diff --git a/tests/last_results/live_default_bird1.last b/tests/last_results/live_default_bird1.last index fe60f41a..cfb8af3c 100644 --- a/tests/last_results/live_default_bird1.last +++ b/tests/last_results/live_default_bird1.last 
@@ -12,6 +12,6 @@ Live test, BIRD, default config, IPv6: dumping routes... Live test, BIRD, default config, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 4 tests in 15.273s +Ran 4 tests in 15.047s OK diff --git a/tests/last_results/live_default_bird2.last b/tests/last_results/live_default_bird2.last index 417e549b..f14f1280 100644 --- a/tests/last_results/live_default_bird2.last +++ b/tests/last_results/live_default_bird2.last @@ -12,6 +12,6 @@ Live test, BIRD v2, default config, IPv6: dumping routes... Live test, BIRD v2, default config, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 4 tests in 15.338s +Ran 4 tests in 14.591s OK diff --git a/tests/last_results/live_default_openbgpd_portable.last b/tests/last_results/live_default_openbgpd_portable.last index 2215a18f..4c72ec3a 100644 --- a/tests/last_results/live_default_openbgpd_portable.last +++ b/tests/last_results/live_default_openbgpd_portable.last 
@@ -1,17 +1,17 @@ -Live test, OpenBGPD 7.4, default config, IPv4: setting instances up... -Live test, OpenBGPD 7.4, default config, IPv4: instances setup ... ok -Live test, OpenBGPD 7.4, default config, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.4, default config, IPv4: dumping rs config... -Live test, OpenBGPD 7.4, default config, IPv4: dumping routes... -Live test, OpenBGPD 7.4, default config, IPv4: stopping instances... -Live test, OpenBGPD 7.4, default config, IPv6: setting instances up... -Live test, OpenBGPD 7.4, default config, IPv6: instances setup ... ok -Live test, OpenBGPD 7.4, default config, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.4, default config, IPv6: dumping rs config... -Live test, OpenBGPD 7.4, default config, IPv6: dumping routes... -Live test, OpenBGPD 7.4, default config, IPv6: stopping instances... +Live test, OpenBGPD 7.5, default config, IPv4: setting instances up... +Live test, OpenBGPD 7.5, default config, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, default config, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, default config, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, default config, IPv4: dumping routes... +Live test, OpenBGPD 7.5, default config, IPv4: stopping instances... +Live test, OpenBGPD 7.5, default config, IPv6: setting instances up... +Live test, OpenBGPD 7.5, default config, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, default config, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, default config, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, default config, IPv6: dumping routes... +Live test, OpenBGPD 7.5, default config, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 4 tests in 11.854s +Ran 4 tests in 11.577s OK diff --git a/tests/last_results/live_global_bird1.last b/tests/last_results/live_global_bird1.last index 777595f9..8421e0d6 100644 
--- a/tests/last_results/live_global_bird1.last +++ b/tests/last_results/live_global_bird1.last @@ -536,6 +536,6 @@ Live test, BIRD, global scenario, IPv6, tag&reject: dumping routes... Live test, BIRD, global scenario, IPv6, tag&reject: stopping instances... ---------------------------------------------------------------------- -Ran 512 tests in 511.947s +Ran 512 tests in 509.215s OK (SKIP=6) diff --git a/tests/last_results/live_global_bird2.last b/tests/last_results/live_global_bird2.last index d4efbeac..1f968b87 100644 --- a/tests/last_results/live_global_bird2.last +++ b/tests/last_results/live_global_bird2.last @@ -536,6 +536,6 @@ Live test, BIRD v2, global scenario, IPv6, tag&reject: dumping routes... Live test, BIRD v2, global scenario, IPv6, tag&reject: stopping instances... ---------------------------------------------------------------------- -Ran 512 tests in 501.144s +Ran 512 tests in 499.002s OK (SKIP=6) diff --git a/tests/last_results/live_global_openbgpd_portable.last b/tests/last_results/live_global_openbgpd_portable.last index 791bef2f..62efed92 100644 --- a/tests/last_results/live_global_openbgpd_portable.last +++ b/tests/last_results/live_global_openbgpd_portable.last 
@@ -1,3 +1,183 @@ +Live test, OpenBGPD 7.5, global scenario, IPv4: setting instances up... +Live test, OpenBGPD 7.5, global scenario, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: sessions are up ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: session configured via local include files ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: good prefixes because of use_arin_bulk_whois_data ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: good prefixes received by rs: IRRdb white-list ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: good prefixes because of use_registrobr_bulk_whois_data ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: good prefixes because of use_rpki_roas_as_route_objects: exact ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: good prefixes because of use_rpki_roas_as_route_objects: covering ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: good prefixes received by rs ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: good prefixes received by rs: non-client NEXT_HOP ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: not IPv6 global unicast space ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: IRRdb white-list ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: AS_SET origin, RFC6907 7.1.9 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: IRR check for AS_SET origin, BIRD ... SKIP: BIRD specific +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: IRR check for AS_SET origin, OpenBGPD ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: AS_PATH len ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: bogon ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: client blacklist ... 
ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: global blacklist ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: invalid ASN in AS-PATH ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: invalid NEXT_HOP ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: left-most ASN ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: never via route servers ASN in AS-PATH (asns list) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: never via route servers ASN in AS-PATH (PeeringDB) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: origin not in AS-SET ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: prefix not in AS-SET ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: invalid prefix-len ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: transit-free ASN in AS-PATH ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: transit-free ASN in AS-PATH from a transit peer ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: unknown NEXT_HOP ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: RPKI ROAs as route objects failed ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: default route ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes not received by clients ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: bogon (wrong tag) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad prefixes received by rs: global blacklist (wrong tag) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: RPKI, blackhole request for a covered prefix ... 
ok +Live test, OpenBGPD 7.5, global scenario, IPv4: RPKI, invalid prefix (bad ASN) received by rs ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: RPKI, invalid prefix (bad length) received by rs ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: RPKI, invalid prefix (bad ASN) not propagated to clients ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: RPKI, valid prefix received by rs ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: RPKI, valid prefix propagated to clients ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: prefixes from AS101 received by its upstreams ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: prefixes from AS101 received by rs ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad communities as seen by AS101 upstreams ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad communities scrubbed by rs (lrg) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: bad communities scrubbed by rs (std) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: other communities not scrubbed by rs (lrg) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: other communities not scrubbed by rs (std) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: blackhole filtering requests as seen by rs (BLACKHOLE) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: blackhole filtering requests as seen by rs (lrg cust) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: blackhole filtering requests as seen by rs (std cust) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: blackholed prefixes as seen by enabled clients (BLACKHOLE) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: blackholed prefixes as seen by enabled clients (lrg_cust) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: blackholed prefixes as seen by enabled clients (std_cust) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: blackholed prefixes not seen by not enabled clients ... 
ok +Live test, OpenBGPD 7.5, global scenario, IPv4: gshut by an enabled client ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: gshut by a not enabled client ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, announce to AS1 only ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, don't announce to any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, announce to all except AS1 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, prepend once to any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, prepend twice to any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, prepend thrice to any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, prepend once to AS1 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, prepend twice to AS2 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, prepend thrice to AS1, once to others ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, NO_EXPORT to AS1 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, NO_EXPORT to any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RFC1997 NO_EXPORT ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RTT, blackhole, not peers > 20 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RTT, not peers > 15 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RTT, not peers > 5 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RTT, not peers > 5 ms + AS3 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RTT, not peers <= 5 and > 100 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RTT, only peers <= 15 ms ... 
ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RTT, only peers <= 5 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RTT, ext comms, prepend 1x > 10 ms, 2x > 20 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RTT, prepend 3x > 100 ms, 2x > 10 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: control communities, RTT, prepend 3x <= 5 ms, 2x <= 20 ms, 1x any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: prefixes received by clients: AS1_1 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: prefixes received by clients: AS1_2 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: prefixes received by clients: AS2 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: prefixes received by clients: AS3 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: prefixes received by clients: AS3 (with ADD-PATH) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: reconfigure ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, global scenario, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, global scenario, IPv4: dumping routes... +Live test, OpenBGPD 7.5, global scenario, IPv4: stopping instances... +Live test, OpenBGPD 7.5, global scenario, IPv6: setting instances up... +Live test, OpenBGPD 7.5, global scenario, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: sessions are up ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: session configured via local include files ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: good prefixes because of use_arin_bulk_whois_data ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: good prefixes received by rs: IRRdb white-list ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: good prefixes because of use_registrobr_bulk_whois_data ... 
ok +Live test, OpenBGPD 7.5, global scenario, IPv6: good prefixes because of use_rpki_roas_as_route_objects: exact ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: good prefixes because of use_rpki_roas_as_route_objects: covering ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: good prefixes received by rs ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: good prefixes received by rs: non-client NEXT_HOP ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: not IPv6 global unicast space ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: IRRdb white-list ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: AS_SET origin, RFC6907 7.1.9 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: IRR check for AS_SET origin, BIRD ... SKIP: BIRD specific +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: IRR check for AS_SET origin, OpenBGPD ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: AS_PATH len ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: bogon ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: client blacklist ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: global blacklist ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: invalid ASN in AS-PATH ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: invalid NEXT_HOP ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: left-most ASN ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: never via route servers ASN in AS-PATH (asns list) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: never via route servers ASN in AS-PATH (PeeringDB) ... 
ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: origin not in AS-SET ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: prefix not in AS-SET ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: invalid prefix-len ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: transit-free ASN in AS-PATH ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: transit-free ASN in AS-PATH from a transit peer ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: unknown NEXT_HOP ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: RPKI ROAs as route objects failed ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: default route ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes not received by clients ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: bogon (wrong tag) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad prefixes received by rs: global blacklist (wrong tag) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: RPKI, blackhole request for a covered prefix ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: RPKI, invalid prefix (bad ASN) received by rs ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: RPKI, invalid prefix (bad length) received by rs ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: RPKI, invalid prefix (bad ASN) not propagated to clients ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: RPKI, valid prefix received by rs ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: RPKI, valid prefix propagated to clients ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: prefixes from AS101 received by its upstreams ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: prefixes from AS101 received by rs ... 
ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad communities as seen by AS101 upstreams ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad communities scrubbed by rs (lrg) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: bad communities scrubbed by rs (std) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: other communities not scrubbed by rs (lrg) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: other communities not scrubbed by rs (std) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: blackhole filtering requests as seen by rs (BLACKHOLE) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: blackhole filtering requests as seen by rs (lrg cust) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: blackhole filtering requests as seen by rs (std cust) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: blackholed prefixes as seen by enabled clients (BLACKHOLE) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: blackholed prefixes as seen by enabled clients (lrg_cust) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: blackholed prefixes as seen by enabled clients (std_cust) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: blackholed prefixes not seen by not enabled clients ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: gshut by an enabled client ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: gshut by a not enabled client ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, announce to AS1 only ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, don't announce to any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, announce to all except AS1 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, prepend once to any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, prepend twice to any ... 
ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, prepend thrice to any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, prepend once to AS1 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, prepend twice to AS2 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, prepend thrice to AS1, once to others ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, NO_EXPORT to AS1 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, NO_EXPORT to any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RFC1997 NO_EXPORT ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RTT, blackhole, not peers > 20 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RTT, not peers > 15 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RTT, not peers > 5 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RTT, not peers > 5 ms + AS3 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RTT, not peers <= 5 and > 100 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RTT, only peers <= 15 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RTT, only peers <= 5 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RTT, ext comms, prepend 1x > 10 ms, 2x > 20 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RTT, prepend 3x > 100 ms, 2x > 10 ms ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: control communities, RTT, prepend 3x <= 5 ms, 2x <= 20 ms, 1x any ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: prefixes received by clients: AS1_1 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: prefixes received by clients: AS1_2 ... 
ok +Live test, OpenBGPD 7.5, global scenario, IPv6: prefixes received by clients: AS2 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: prefixes received by clients: AS3 ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: prefixes received by clients: AS3 (with ADD-PATH) ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: reconfigure ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, global scenario, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, global scenario, IPv6: dumping routes... +Live test, OpenBGPD 7.5, global scenario, IPv6: stopping instances... Live test, OpenBGPD 7.4, global scenario, IPv4: setting instances up... Live test, OpenBGPD 7.4, global scenario, IPv4: instances setup ... ok Live test, OpenBGPD 7.4, global scenario, IPv4: sessions are up ... ok @@ -82,7 +262,7 @@ Live test, OpenBGPD 7.4, global scenario, IPv4: prefixes received by clients: AS Live test, OpenBGPD 7.4, global scenario, IPv4: prefixes received by clients: AS1_2 ... ok Live test, OpenBGPD 7.4, global scenario, IPv4: prefixes received by clients: AS2 ... ok Live test, OpenBGPD 7.4, global scenario, IPv4: prefixes received by clients: AS3 ... ok -Live test, OpenBGPD 7.4, global scenario, IPv4: prefixes received by clients: AS3 (with ADD-PATH) ... SKIP: ADD-PATH not supported by OpenBGPD +Live test, OpenBGPD 7.4, global scenario, IPv4: prefixes received by clients: AS3 (with ADD-PATH) ... SKIP: ADD-PATH not supported by OpenBGPD < 7.5 Live test, OpenBGPD 7.4, global scenario, IPv4: reconfigure ... ok Live test, OpenBGPD 7.4, global scenario, IPv4: log contains errors ... ok Live test, OpenBGPD 7.4, global scenario, IPv4: dumping rs config... 
@@ -172,194 +352,14 @@ Live test, OpenBGPD 7.4, global scenario, IPv6: prefixes received by clients: AS Live test, OpenBGPD 7.4, global scenario, IPv6: prefixes received by clients: AS1_2 ... ok Live test, OpenBGPD 7.4, global scenario, IPv6: prefixes received by clients: AS2 ... ok Live test, OpenBGPD 7.4, global scenario, IPv6: prefixes received by clients: AS3 ... ok -Live test, OpenBGPD 7.4, global scenario, IPv6: prefixes received by clients: AS3 (with ADD-PATH) ... SKIP: ADD-PATH not supported by OpenBGPD +Live test, OpenBGPD 7.4, global scenario, IPv6: prefixes received by clients: AS3 (with ADD-PATH) ... SKIP: ADD-PATH not supported by OpenBGPD < 7.5 Live test, OpenBGPD 7.4, global scenario, IPv6: reconfigure ... ok Live test, OpenBGPD 7.4, global scenario, IPv6: log contains errors ... ok Live test, OpenBGPD 7.4, global scenario, IPv6: dumping rs config... Live test, OpenBGPD 7.4, global scenario, IPv6: dumping routes... Live test, OpenBGPD 7.4, global scenario, IPv6: stopping instances... -Live test, OpenBGPD 7.3, global scenario, IPv4: setting instances up... -Live test, OpenBGPD 7.3, global scenario, IPv4: instances setup ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: sessions are up ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: session configured via local include files ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: good prefixes because of use_arin_bulk_whois_data ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: good prefixes received by rs: IRRdb white-list ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: good prefixes because of use_registrobr_bulk_whois_data ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: good prefixes because of use_rpki_roas_as_route_objects: exact ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: good prefixes because of use_rpki_roas_as_route_objects: covering ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: good prefixes received by rs ... 
ok -Live test, OpenBGPD 7.3, global scenario, IPv4: good prefixes received by rs: non-client NEXT_HOP ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: not IPv6 global unicast space ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: IRRdb white-list ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: AS_SET origin, RFC6907 7.1.9 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: IRR check for AS_SET origin, BIRD ... SKIP: BIRD specific -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: IRR check for AS_SET origin, OpenBGPD ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: AS_PATH len ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: bogon ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: client blacklist ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: global blacklist ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: invalid ASN in AS-PATH ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: invalid NEXT_HOP ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: left-most ASN ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: never via route servers ASN in AS-PATH (asns list) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: never via route servers ASN in AS-PATH (PeeringDB) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: origin not in AS-SET ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: prefix not in AS-SET ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: invalid prefix-len ... 
ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: transit-free ASN in AS-PATH ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: transit-free ASN in AS-PATH from a transit peer ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: unknown NEXT_HOP ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: RPKI ROAs as route objects failed ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: default route ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes not received by clients ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: bogon (wrong tag) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad prefixes received by rs: global blacklist (wrong tag) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: RPKI, blackhole request for a covered prefix ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: RPKI, invalid prefix (bad ASN) received by rs ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: RPKI, invalid prefix (bad length) received by rs ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: RPKI, invalid prefix (bad ASN) not propagated to clients ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: RPKI, valid prefix received by rs ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: RPKI, valid prefix propagated to clients ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: prefixes from AS101 received by its upstreams ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: prefixes from AS101 received by rs ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad communities as seen by AS101 upstreams ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad communities scrubbed by rs (lrg) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: bad communities scrubbed by rs (std) ... 
ok -Live test, OpenBGPD 7.3, global scenario, IPv4: other communities not scrubbed by rs (lrg) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: other communities not scrubbed by rs (std) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: blackhole filtering requests as seen by rs (BLACKHOLE) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: blackhole filtering requests as seen by rs (lrg cust) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: blackhole filtering requests as seen by rs (std cust) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: blackholed prefixes as seen by enabled clients (BLACKHOLE) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: blackholed prefixes as seen by enabled clients (lrg_cust) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: blackholed prefixes as seen by enabled clients (std_cust) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: blackholed prefixes not seen by not enabled clients ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: gshut by an enabled client ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: gshut by a not enabled client ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, announce to AS1 only ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, don't announce to any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, announce to all except AS1 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, prepend once to any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, prepend twice to any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, prepend thrice to any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, prepend once to AS1 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, prepend twice to AS2 ... 
ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, prepend thrice to AS1, once to others ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, NO_EXPORT to AS1 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, NO_EXPORT to any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RFC1997 NO_EXPORT ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RTT, blackhole, not peers > 20 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RTT, not peers > 15 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RTT, not peers > 5 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RTT, not peers > 5 ms + AS3 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RTT, not peers <= 5 and > 100 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RTT, only peers <= 15 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RTT, only peers <= 5 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RTT, ext comms, prepend 1x > 10 ms, 2x > 20 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RTT, prepend 3x > 100 ms, 2x > 10 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: control communities, RTT, prepend 3x <= 5 ms, 2x <= 20 ms, 1x any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: prefixes received by clients: AS1_1 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: prefixes received by clients: AS1_2 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: prefixes received by clients: AS2 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: prefixes received by clients: AS3 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: prefixes received by clients: AS3 (with ADD-PATH) ... 
SKIP: ADD-PATH not supported by OpenBGPD -Live test, OpenBGPD 7.3, global scenario, IPv4: reconfigure ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.3, global scenario, IPv4: dumping rs config... -Live test, OpenBGPD 7.3, global scenario, IPv4: dumping routes... -Live test, OpenBGPD 7.3, global scenario, IPv4: stopping instances... -Live test, OpenBGPD 7.3, global scenario, IPv6: setting instances up... -Live test, OpenBGPD 7.3, global scenario, IPv6: instances setup ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: sessions are up ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: session configured via local include files ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: good prefixes because of use_arin_bulk_whois_data ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: good prefixes received by rs: IRRdb white-list ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: good prefixes because of use_registrobr_bulk_whois_data ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: good prefixes because of use_rpki_roas_as_route_objects: exact ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: good prefixes because of use_rpki_roas_as_route_objects: covering ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: good prefixes received by rs ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: good prefixes received by rs: non-client NEXT_HOP ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: not IPv6 global unicast space ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: IRRdb white-list ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: AS_SET origin, RFC6907 7.1.9 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: IRR check for AS_SET origin, BIRD ... 
SKIP: BIRD specific -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: IRR check for AS_SET origin, OpenBGPD ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: AS_PATH len ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: bogon ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: client blacklist ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: global blacklist ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: invalid ASN in AS-PATH ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: invalid NEXT_HOP ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: left-most ASN ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: never via route servers ASN in AS-PATH (asns list) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: never via route servers ASN in AS-PATH (PeeringDB) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: origin not in AS-SET ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: prefix not in AS-SET ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: invalid prefix-len ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: transit-free ASN in AS-PATH ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: transit-free ASN in AS-PATH from a transit peer ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: unknown NEXT_HOP ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: RPKI ROAs as route objects failed ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: default route ... 
ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes not received by clients ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: bogon (wrong tag) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad prefixes received by rs: global blacklist (wrong tag) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: RPKI, blackhole request for a covered prefix ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: RPKI, invalid prefix (bad ASN) received by rs ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: RPKI, invalid prefix (bad length) received by rs ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: RPKI, invalid prefix (bad ASN) not propagated to clients ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: RPKI, valid prefix received by rs ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: RPKI, valid prefix propagated to clients ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: prefixes from AS101 received by its upstreams ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: prefixes from AS101 received by rs ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad communities as seen by AS101 upstreams ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad communities scrubbed by rs (lrg) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: bad communities scrubbed by rs (std) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: other communities not scrubbed by rs (lrg) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: other communities not scrubbed by rs (std) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: blackhole filtering requests as seen by rs (BLACKHOLE) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: blackhole filtering requests as seen by rs (lrg cust) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: blackhole filtering requests as seen by rs (std cust) ... 
ok -Live test, OpenBGPD 7.3, global scenario, IPv6: blackholed prefixes as seen by enabled clients (BLACKHOLE) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: blackholed prefixes as seen by enabled clients (lrg_cust) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: blackholed prefixes as seen by enabled clients (std_cust) ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: blackholed prefixes not seen by not enabled clients ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: gshut by an enabled client ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: gshut by a not enabled client ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, announce to AS1 only ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, don't announce to any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, announce to all except AS1 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, prepend once to any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, prepend twice to any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, prepend thrice to any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, prepend once to AS1 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, prepend twice to AS2 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, prepend thrice to AS1, once to others ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, NO_EXPORT to AS1 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, NO_EXPORT to any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RFC1997 NO_EXPORT ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RTT, blackhole, not peers > 20 ms ... 
ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RTT, not peers > 15 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RTT, not peers > 5 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RTT, not peers > 5 ms + AS3 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RTT, not peers <= 5 and > 100 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RTT, only peers <= 15 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RTT, only peers <= 5 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RTT, ext comms, prepend 1x > 10 ms, 2x > 20 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RTT, prepend 3x > 100 ms, 2x > 10 ms ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: control communities, RTT, prepend 3x <= 5 ms, 2x <= 20 ms, 1x any ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: prefixes received by clients: AS1_1 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: prefixes received by clients: AS1_2 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: prefixes received by clients: AS2 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: prefixes received by clients: AS3 ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: prefixes received by clients: AS3 (with ADD-PATH) ... SKIP: ADD-PATH not supported by OpenBGPD -Live test, OpenBGPD 7.3, global scenario, IPv6: reconfigure ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.3, global scenario, IPv6: dumping rs config... -Live test, OpenBGPD 7.3, global scenario, IPv6: dumping routes... -Live test, OpenBGPD 7.3, global scenario, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 344 tests in 334.500s +Ran 344 tests in 329.423s -OK (SKIP=8) +OK (SKIP=6) 
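Review bot: the summary at the end of this hunk drops from OK (SKIP=8) to OK (SKIP=6) with the total unchanged at 344, and nothing in the results file says which two cases stopped being skipped. The removed 7.3 lines show exactly two skips with the reason "ADD-PATH not supported by OpenBGPD" (the IPv4 and IPv6 "prefixes received by clients: AS3 (with ADD-PATH)" cases), which matches the difference. Please state in the commit message that these are the two tests now running. Since general.yml now documents ADD-PATH as "supported only from version 7.5", the skip reason emitted for older releases would be clearer if it were version-qualified, for example "ADD-PATH not supported by OpenBGPD before 7.5".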
diff --git a/tests/last_results/live_gshut_bird1.last b/tests/last_results/live_gshut_bird1.last index 418415b3..4d0856d1 100644 --- a/tests/last_results/live_gshut_bird1.last +++ b/tests/last_results/live_gshut_bird1.last @@ -18,6 +18,6 @@ Live test, BIRD, gshut, IPv6: dumping routes... Live test, BIRD, gshut, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 10 tests in 44.442s +Ran 10 tests in 44.425s OK diff --git a/tests/last_results/live_gshut_bird2.last b/tests/last_results/live_gshut_bird2.last index f871e942..e433400f 100644 --- a/tests/last_results/live_gshut_bird2.last +++ b/tests/last_results/live_gshut_bird2.last @@ -18,6 +18,6 @@ Live test, BIRD v2, gshut, IPv6: dumping routes... Live test, BIRD v2, gshut, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 10 tests in 44.005s +Ran 10 tests in 44.138s OK diff --git a/tests/last_results/live_gshut_openbgpd_portable.last b/tests/last_results/live_gshut_openbgpd_portable.last index 1006335d..ec46baf6 100644 --- a/tests/last_results/live_gshut_openbgpd_portable.last +++ b/tests/last_results/live_gshut_openbgpd_portable.last 
@@ -1,23 +1,23 @@ -Live test, OpenBGPD 7.4, gshut, IPv4: setting instances up... -Live test, OpenBGPD 7.4, gshut, IPv4: instances setup ... ok -Live test, OpenBGPD 7.4, gshut, IPv4: sessions are up ... ok -Live test, OpenBGPD 7.4, gshut, IPv4: clients receive routes tagged with GRACEFUL_SHUTDOWN ... ok -Live test, OpenBGPD 7.4, gshut, IPv4: reconfigure ... ok -Live test, OpenBGPD 7.4, gshut, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.4, gshut, IPv4: dumping rs config... -Live test, OpenBGPD 7.4, gshut, IPv4: dumping routes... -Live test, OpenBGPD 7.4, gshut, IPv4: stopping instances... -Live test, OpenBGPD 7.4, gshut, IPv6: setting instances up... -Live test, OpenBGPD 7.4, gshut, IPv6: instances setup ... ok -Live test, OpenBGPD 7.4, gshut, IPv6: sessions are up ... ok -Live test, OpenBGPD 7.4, gshut, IPv6: clients receive routes tagged with GRACEFUL_SHUTDOWN ... ok -Live test, OpenBGPD 7.4, gshut, IPv6: reconfigure ... ok -Live test, OpenBGPD 7.4, gshut, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.4, gshut, IPv6: dumping rs config... -Live test, OpenBGPD 7.4, gshut, IPv6: dumping routes... -Live test, OpenBGPD 7.4, gshut, IPv6: stopping instances... +Live test, OpenBGPD 7.5, gshut, IPv4: setting instances up... +Live test, OpenBGPD 7.5, gshut, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, gshut, IPv4: sessions are up ... ok +Live test, OpenBGPD 7.5, gshut, IPv4: clients receive routes tagged with GRACEFUL_SHUTDOWN ... ok +Live test, OpenBGPD 7.5, gshut, IPv4: reconfigure ... ok +Live test, OpenBGPD 7.5, gshut, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, gshut, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, gshut, IPv4: dumping routes... +Live test, OpenBGPD 7.5, gshut, IPv4: stopping instances... +Live test, OpenBGPD 7.5, gshut, IPv6: setting instances up... +Live test, OpenBGPD 7.5, gshut, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, gshut, IPv6: sessions are up ... 
ok +Live test, OpenBGPD 7.5, gshut, IPv6: clients receive routes tagged with GRACEFUL_SHUTDOWN ... ok +Live test, OpenBGPD 7.5, gshut, IPv6: reconfigure ... ok +Live test, OpenBGPD 7.5, gshut, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, gshut, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, gshut, IPv6: dumping routes... +Live test, OpenBGPD 7.5, gshut, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 10 tests in 49.293s +Ran 10 tests in 49.272s OK diff --git a/tests/last_results/live_max_prefix_bird1.last b/tests/last_results/live_max_prefix_bird1.last index f59e4560..4fdcc454 100644 --- a/tests/last_results/live_max_prefix_bird1.last +++ b/tests/last_results/live_max_prefix_bird1.last @@ -34,6 +34,6 @@ Live test, BIRD, max-prefix, IPv6: dumping routes... Live test, BIRD, max-prefix, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 26 tests in 168.860s +Ran 26 tests in 165.497s OK diff --git a/tests/last_results/live_max_prefix_bird2.last b/tests/last_results/live_max_prefix_bird2.last index 1b429229..2bee3272 100644 --- a/tests/last_results/live_max_prefix_bird2.last +++ b/tests/last_results/live_max_prefix_bird2.last @@ -34,6 +34,6 @@ Live test, BIRD v2, max-prefix, IPv6: dumping routes... Live test, BIRD v2, max-prefix, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 26 tests in 168.092s +Ran 26 tests in 165.985s OK diff --git a/tests/last_results/live_max_prefix_openbgpd_portable.last b/tests/last_results/live_max_prefix_openbgpd_portable.last index fa336ef6..11f19c8f 100644 --- a/tests/last_results/live_max_prefix_openbgpd_portable.last +++ b/tests/last_results/live_max_prefix_openbgpd_portable.last 
@@ -1,23 +1,23 @@ -Live test, OpenBGPD 7.4, max-prefix, IPv4: setting instances up... -Live test, OpenBGPD 7.4, max-prefix, IPv4: instances setup ... ok -Live test, OpenBGPD 7.4, max-prefix, IPv4: sessions are down ... ok -Live test, OpenBGPD 7.4, max-prefix, IPv4: clients log max-prefix notification ... ok -Live test, OpenBGPD 7.4, max-prefix, IPv4: reconfigure ... ok -Live test, OpenBGPD 7.4, max-prefix, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.4, max-prefix, IPv4: dumping rs config... -Live test, OpenBGPD 7.4, max-prefix, IPv4: dumping routes... -Live test, OpenBGPD 7.4, max-prefix, IPv4: stopping instances... -Live test, OpenBGPD 7.4, max-prefix, IPv6: setting instances up... -Live test, OpenBGPD 7.4, max-prefix, IPv6: instances setup ... ok -Live test, OpenBGPD 7.4, max-prefix, IPv6: sessions are down ... ok -Live test, OpenBGPD 7.4, max-prefix, IPv6: clients log max-prefix notification ... ok -Live test, OpenBGPD 7.4, max-prefix, IPv6: reconfigure ... ok -Live test, OpenBGPD 7.4, max-prefix, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.4, max-prefix, IPv6: dumping rs config... -Live test, OpenBGPD 7.4, max-prefix, IPv6: dumping routes... -Live test, OpenBGPD 7.4, max-prefix, IPv6: stopping instances... +Live test, OpenBGPD 7.5, max-prefix, IPv4: setting instances up... +Live test, OpenBGPD 7.5, max-prefix, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, max-prefix, IPv4: sessions are down ... ok +Live test, OpenBGPD 7.5, max-prefix, IPv4: clients log max-prefix notification ... ok +Live test, OpenBGPD 7.5, max-prefix, IPv4: reconfigure ... ok +Live test, OpenBGPD 7.5, max-prefix, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, max-prefix, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, max-prefix, IPv4: dumping routes... +Live test, OpenBGPD 7.5, max-prefix, IPv4: stopping instances... +Live test, OpenBGPD 7.5, max-prefix, IPv6: setting instances up... 
+Live test, OpenBGPD 7.5, max-prefix, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, max-prefix, IPv6: sessions are down ... ok +Live test, OpenBGPD 7.5, max-prefix, IPv6: clients log max-prefix notification ... ok +Live test, OpenBGPD 7.5, max-prefix, IPv6: reconfigure ... ok +Live test, OpenBGPD 7.5, max-prefix, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, max-prefix, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, max-prefix, IPv6: dumping routes... +Live test, OpenBGPD 7.5, max-prefix, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 10 tests in 363.605s +Ran 10 tests in 358.497s OK diff --git a/tests/last_results/live_path_hiding_bird1.last b/tests/last_results/live_path_hiding_bird1.last index 604c4347..bb686c0f 100644 --- a/tests/last_results/live_path_hiding_bird1.last +++ b/tests/last_results/live_path_hiding_bird1.last @@ -54,6 +54,6 @@ Live test, BIRD, path hiding, mitigation on, IPv6: dumping routes... Live test, BIRD, path hiding, mitigation on, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 38 tests in 174.651s +Ran 38 tests in 174.239s OK (SKIP=2) diff --git a/tests/last_results/live_path_hiding_bird2.last b/tests/last_results/live_path_hiding_bird2.last index fa48cf58..e0c3f0d4 100644 --- a/tests/last_results/live_path_hiding_bird2.last +++ b/tests/last_results/live_path_hiding_bird2.last @@ -54,6 +54,6 @@ Live test, BIRD v2, path hiding, mitigation on, IPv6: dumping routes... Live test, BIRD v2, path hiding, mitigation on, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 38 tests in 173.813s +Ran 38 tests in 171.075s OK (SKIP=2) diff --git a/tests/last_results/live_path_hiding_openbgpd_portable.last b/tests/last_results/live_path_hiding_openbgpd_portable.last index f5c17ba7..c42ef11b 100644 --- a/tests/last_results/live_path_hiding_openbgpd_portable.last 
+++ b/tests/last_results/live_path_hiding_openbgpd_portable.last 
@@ -1,59 +1,59 @@ -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: setting instances up... -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: instances setup ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: sessions are up ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: rs should receive prefix from both AS1 and AS2 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: rs should have best toward AS1 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: AS1 wants rs to not announce to AS3 and AS4 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: AS3 does not receive prefix at all ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: AS4 receives the prefix via AS2 because of ADD-PATH ... SKIP: ADD-PATH not supported by OpenBGPD -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: reconfigure ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: dumping rs config... -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: dumping routes... -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv4: stopping instances... -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: setting instances up... -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: instances setup ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: sessions are up ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: rs should receive prefix from both AS1 and AS2 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: rs should have best toward AS1 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: AS1 wants rs to not announce to AS3 and AS4 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: AS3 and AS4 receive prefix with sub-optimal path via AS2 ... 
ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: AS3 and AS4 don't receive prefix via AS1 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: 2nd best is withdrawn and AS3 should not see it anymore ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: reconfigure ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: dumping rs config... -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: dumping routes... -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv4: stopping instances... -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: setting instances up... -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: instances setup ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: sessions are up ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: rs should receive prefix from both AS1 and AS2 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: rs should have best toward AS1 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: AS1 wants rs to not announce to AS3 and AS4 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: AS3 does not receive prefix at all ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: AS4 receives the prefix via AS2 because of ADD-PATH ... SKIP: ADD-PATH not supported by OpenBGPD -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: reconfigure ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: dumping rs config... -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: dumping routes... -Live test, OpenBGPD 7.4, path hiding, mitigation off, IPv6: stopping instances... -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: setting instances up... 
-Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: instances setup ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: sessions are up ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: rs should receive prefix from both AS1 and AS2 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: rs should have best toward AS1 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: AS1 wants rs to not announce to AS3 and AS4 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: AS3 and AS4 receive prefix with sub-optimal path via AS2 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: AS3 and AS4 don't receive prefix via AS1 ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: 2nd best is withdrawn and AS3 should not see it anymore ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: reconfigure ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: dumping rs config... -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: dumping routes... -Live test, OpenBGPD 7.4, path hiding, mitigation on, IPv6: stopping instances... +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: setting instances up... +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: sessions are up ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: rs should receive prefix from both AS1 and AS2 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: rs should have best toward AS1 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: AS1 wants rs to not announce to AS3 and AS4 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: AS3 does not receive prefix at all ... 
ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: AS4 receives the prefix via AS2 because of ADD-PATH ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: reconfigure ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: dumping routes... +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv4: stopping instances... +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: setting instances up... +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: sessions are up ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: rs should receive prefix from both AS1 and AS2 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: rs should have best toward AS1 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: AS1 wants rs to not announce to AS3 and AS4 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: AS3 and AS4 receive prefix with sub-optimal path via AS2 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: AS3 and AS4 don't receive prefix via AS1 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: 2nd best is withdrawn and AS3 should not see it anymore ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: reconfigure ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: dumping routes... +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv4: stopping instances... +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: setting instances up... 
+Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: sessions are up ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: rs should receive prefix from both AS1 and AS2 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: rs should have best toward AS1 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: AS1 wants rs to not announce to AS3 and AS4 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: AS3 does not receive prefix at all ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: AS4 receives the prefix via AS2 because of ADD-PATH ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: reconfigure ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: dumping routes... +Live test, OpenBGPD 7.5, path hiding, mitigation off, IPv6: stopping instances... +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: setting instances up... +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: sessions are up ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: rs should receive prefix from both AS1 and AS2 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: rs should have best toward AS1 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: AS1 wants rs to not announce to AS3 and AS4 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: AS3 and AS4 receive prefix with sub-optimal path via AS2 ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: AS3 and AS4 don't receive prefix via AS1 ... 
ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: 2nd best is withdrawn and AS3 should not see it anymore ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: reconfigure ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: dumping routes... +Live test, OpenBGPD 7.5, path hiding, mitigation on, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 38 tests in 192.769s +Ran 38 tests in 192.492s -OK (SKIP=2) +OK diff --git a/tests/last_results/live_rich_example_bird1.last b/tests/last_results/live_rich_example_bird1.last index 07e68c16..66db6cbc 100644 --- a/tests/last_results/live_rich_example_bird1.last +++ b/tests/last_results/live_rich_example_bird1.last @@ -12,6 +12,6 @@ Live test, BIRD, examples, rich config, IPv6: dumping routes... Live test, BIRD, examples, rich config, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 4 tests in 25.134s +Ran 4 tests in 26.304s OK diff --git a/tests/last_results/live_rich_example_bird2.last b/tests/last_results/live_rich_example_bird2.last index bcb5f830..fceac3e1 100644 --- a/tests/last_results/live_rich_example_bird2.last +++ b/tests/last_results/live_rich_example_bird2.last @@ -12,6 +12,6 @@ Live test, BIRD v2, examples, rich config, IPv6: dumping routes... Live test, BIRD v2, examples, rich config, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 4 tests in 26.346s +Ran 4 tests in 24.751s OK diff --git a/tests/last_results/live_rich_example_openbgpd_portable.last b/tests/last_results/live_rich_example_openbgpd_portable.last index 35a6c403..3be63f53 100644 --- a/tests/last_results/live_rich_example_openbgpd_portable.last 
+++ b/tests/last_results/live_rich_example_openbgpd_portable.last 
@@ -1,17 +1,17 @@ -Live test, OpenBGPD 7.4, examples, rich config, IPv4: setting instances up... -Live test, OpenBGPD 7.4, examples, rich config, IPv4: instances setup ... ok -Live test, OpenBGPD 7.4, examples, rich config, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.4, examples, rich config, IPv4: dumping rs config... -Live test, OpenBGPD 7.4, examples, rich config, IPv4: dumping routes... -Live test, OpenBGPD 7.4, examples, rich config, IPv4: stopping instances... -Live test, OpenBGPD 7.4, examples, rich config, IPv6: setting instances up... -Live test, OpenBGPD 7.4, examples, rich config, IPv6: instances setup ... ok -Live test, OpenBGPD 7.4, examples, rich config, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.4, examples, rich config, IPv6: dumping rs config... -Live test, OpenBGPD 7.4, examples, rich config, IPv6: dumping routes... -Live test, OpenBGPD 7.4, examples, rich config, IPv6: stopping instances... +Live test, OpenBGPD 7.5, examples, rich config, IPv4: setting instances up... +Live test, OpenBGPD 7.5, examples, rich config, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, examples, rich config, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, examples, rich config, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, examples, rich config, IPv4: dumping routes... +Live test, OpenBGPD 7.5, examples, rich config, IPv4: stopping instances... +Live test, OpenBGPD 7.5, examples, rich config, IPv6: setting instances up... +Live test, OpenBGPD 7.5, examples, rich config, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, examples, rich config, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, examples, rich config, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, examples, rich config, IPv6: dumping routes... +Live test, OpenBGPD 7.5, examples, rich config, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 4 tests in 21.778s +Ran 4 tests in 22.056s OK 
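Review bot: the 7.4 baseline is overwritten in place with 7.5 output in this file and in the gshut, max-prefix and path-hiding openbgpd_portable files above, so none of these four files records a 7.4 run any more, while cicd.yml still pulls pierky/openbgpd:7.4 and the README still lists 7.4 as supported. Please confirm that 7.4 results are kept in a separate results file, or say in the commit message that the portable baseline is now 7.5 only. This matters most for live_path_hiding_openbgpd_portable.last, where "AS4 receives the prefix via AS2 because of ADD-PATH" moves from SKIP to ok for IPv4 and IPv6 and the summary goes from OK (SKIP=2) to OK. The skipped behaviour on releases before 7.5 should stay covered by a recorded run, so that a regression in the version gate is visible.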
diff --git a/tests/last_results/live_rpki_bird1.last b/tests/last_results/live_rpki_bird1.last index f5e62eb1..8db2f85d 100644 --- a/tests/last_results/live_rpki_bird1.last +++ b/tests/last_results/live_rpki_bird1.last @@ -36,6 +36,6 @@ Live test, BIRD, RPKI INVALID tagging, IPv6: dumping routes... Live test, BIRD, RPKI INVALID tagging, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 28 tests in 79.266s +Ran 28 tests in 83.631s OK diff --git a/tests/last_results/live_rpki_bird2.last b/tests/last_results/live_rpki_bird2.last index d498d24d..3c8412f7 100644 --- a/tests/last_results/live_rpki_bird2.last +++ b/tests/last_results/live_rpki_bird2.last @@ -36,6 +36,6 @@ Live test, BIRD v2, RPKI INVALID tagging, IPv6: dumping routes... Live test, BIRD v2, RPKI INVALID tagging, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 28 tests in 79.234s +Ran 28 tests in 77.980s OK diff --git a/tests/last_results/live_rpki_bov_comms_bird1.last b/tests/last_results/live_rpki_bov_comms_bird1.last index dc82d14f..23f41a98 100644 --- a/tests/last_results/live_rpki_bov_comms_bird1.last +++ b/tests/last_results/live_rpki_bov_comms_bird1.last @@ -20,6 +20,6 @@ Live test, BIRD, BOV custom comms, IPv6: dumping routes... Live test, BIRD, BOV custom comms, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 12 tests in 45.940s +Ran 12 tests in 46.496s OK diff --git a/tests/last_results/live_rpki_bov_comms_bird2.last b/tests/last_results/live_rpki_bov_comms_bird2.last index ab43359e..416b061f 100644 --- a/tests/last_results/live_rpki_bov_comms_bird2.last +++ b/tests/last_results/live_rpki_bov_comms_bird2.last 
@@ -20,6 +20,6 @@ Live test, BIRD v2, BOV custom comms, IPv6: dumping routes... Live test, BIRD v2, BOV custom comms, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 12 tests in 45.809s +Ran 12 tests in 44.362s OK diff --git a/tests/last_results/live_rpki_rtr_example_bird2.last b/tests/last_results/live_rpki_rtr_example_bird2.last index 4216a6d5..5ea22317 100644 --- a/tests/last_results/live_rpki_rtr_example_bird2.last +++ b/tests/last_results/live_rpki_rtr_example_bird2.last @@ -12,6 +12,6 @@ Live test, BIRD v2, RTR protocol: dumping routes... Live test, BIRD v2, RTR protocol: stopping instances... ---------------------------------------------------------------------- -Ran 8 tests in 41.164s +Ran 8 tests in 40.609s OK diff --git a/tests/last_results/live_rpki_rtr_example_openbgpd_portable.last b/tests/last_results/live_rpki_rtr_example_openbgpd_portable.last index 84287cb5..0e7bab0e 100644 --- a/tests/last_results/live_rpki_rtr_example_openbgpd_portable.last +++ b/tests/last_results/live_rpki_rtr_example_openbgpd_portable.last 
@@ -1,17 +1,17 @@ -Live test, OpenBGPD 7.4, RTR protocol: setting instances up... -Live test, OpenBGPD 7.4, RTR protocol: instances setup ... ok -Live test, OpenBGPD 7.4, RTR protocol: sessions are up ... ok -Live test, OpenBGPD 7.4, RTR protocol: route accepted because validator not running ... ok -Live test, OpenBGPD 7.4, RTR protocol: spin up the validator ... ok -Live test, OpenBGPD 7.4, RTR protocol: restart OpenBGPD to speed up RTR session establishment ... ok -Live test, OpenBGPD 7.4, RTR protocol: check the RTR session is up ... ok -Live test, OpenBGPD 7.4, RTR protocol: route dropped after spinning the validator up ... ok -Live test, OpenBGPD 7.4, RTR protocol: log contains errors ... ok -Live test, OpenBGPD 7.4, RTR protocol: dumping rs config... -Live test, OpenBGPD 7.4, RTR protocol: dumping routes... -Live test, OpenBGPD 7.4, RTR protocol: stopping instances... +Live test, OpenBGPD 7.5, RTR protocol: setting instances up... +Live test, OpenBGPD 7.5, RTR protocol: instances setup ... ok +Live test, OpenBGPD 7.5, RTR protocol: sessions are up ... ok +Live test, OpenBGPD 7.5, RTR protocol: route accepted because validator not running ... ok +Live test, OpenBGPD 7.5, RTR protocol: spin up the validator ... ok +Live test, OpenBGPD 7.5, RTR protocol: restart OpenBGPD to speed up RTR session establishment ... ok +Live test, OpenBGPD 7.5, RTR protocol: check the RTR session is up ... ok +Live test, OpenBGPD 7.5, RTR protocol: route dropped after spinning the validator up ... ok +Live test, OpenBGPD 7.5, RTR protocol: log contains errors ... ok +Live test, OpenBGPD 7.5, RTR protocol: dumping rs config... +Live test, OpenBGPD 7.5, RTR protocol: dumping routes... +Live test, OpenBGPD 7.5, RTR protocol: stopping instances... ---------------------------------------------------------------------- -Ran 8 tests in 43.511s +Ran 8 tests in 43.032s OK 
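Review bot: the step "route accepted because validator not running ... ok", carried over unchanged to 7.5, records fail-open behaviour as the expected outcome, and nothing in this hunk documents it for the new version. Since the route is only dropped after "spin up the validator" and "check the RTR session is up", the 7.5 bump should come with a short note in the docs or changelog that routes are accepted until the RTR session is established. The pass also depends on "restart OpenBGPD to speed up RTR session establishment", so this result does not show how long 7.5 keeps accepting the route when no restart happens; consider recording that case as well.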
diff --git a/tests/last_results/live_tag_as_set_bird1.last b/tests/last_results/live_tag_as_set_bird1.last index 583b8616..66ee0cd2 100644 --- a/tests/last_results/live_tag_as_set_bird1.last +++ b/tests/last_results/live_tag_as_set_bird1.last @@ -182,6 +182,6 @@ Live test, BIRD, tag prefix/origin empty AS-SET, IPv6: dumping routes... Live test, BIRD, tag prefix/origin empty AS-SET, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 166 tests in 165.136s +Ran 166 tests in 168.950s OK diff --git a/tests/last_results/live_tag_as_set_bird2.last b/tests/last_results/live_tag_as_set_bird2.last index 01912994..5681139a 100644 --- a/tests/last_results/live_tag_as_set_bird2.last +++ b/tests/last_results/live_tag_as_set_bird2.last @@ -182,6 +182,6 @@ Live test, BIRD v2, tag prefix/origin empty AS-SET, IPv6: dumping routes... Live test, BIRD v2, tag prefix/origin empty AS-SET, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 166 tests in 166.310s +Ran 166 tests in 163.047s OK diff --git a/tests/last_results/live_tag_as_set_openbgpd_portable.last b/tests/last_results/live_tag_as_set_openbgpd_portable.last index d4c75873..9957c020 100644 --- a/tests/last_results/live_tag_as_set_openbgpd_portable.last +++ b/tests/last_results/live_tag_as_set_openbgpd_portable.last 
@@ -1,187 +1,187 @@ -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: setting instances up... -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: instances setup ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: sessions are up ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 prefix ko origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 prefix ko origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 prefix ok origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 prefix ok origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 route filtered (origin ko) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 prefix ko origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 prefix ok origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 route filtered (prefix ko, origin ko) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS5 route filtered (prefix ko, origin ko) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS5 route filtered (prefix ko) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS5 prefix ok origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS5 prefix ok origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 white list, prefix WL, origin WL ... 
ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 route white list, ok (exact) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 route white list, reject (more spec) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 route white list, ok (more spec) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 route white list, reject (origin KO) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 route white list, ok (origin any) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS4 white list, prefix WL, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS5 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS5 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS5 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS5 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS5 white list, prefix WL, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 RPKI ROAs as route objects: tag only (w/ prefix_validated_via_rpki_roas) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS6 RPKI ROAs as route objects: invalid origin ASN ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS6 RPKI ROAs as route objects: ok ... 
ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 ARIN Whois DB: tag only (w/ prefix_validated_via_arin_whois_db_dump) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS6 ARIN Whois DB: ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 prefix ok, origin ok, ARIN: tag only (w/ prefix_validated_via_arin_whois_db_dump) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 prefix ok, origin ok, ROA: tag only (w/ prefix_validated_via_rpki_roas) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS2 ROA + ARIN Whois DB: tag only (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS6 prefix ok, origin ok, ROA + ARIN: enforce (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: AS6 ROA + ARIN Whois DB: enforce (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: reconfigure ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: dumping rs config... -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: dumping routes... -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv4: stopping instances... -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: setting instances up... -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: instances setup ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: sessions are up ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 no enforcement, prefix and origin not in AS-SET ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 origin enforcement ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 prefix enforcement ... 
ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 white list, prefix WL, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 route white list, ok (exact) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 route white list, reject (more spec) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 route white list, ok (more spec) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 route white list, reject (origin KO) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 route white list, ok (origin any) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS4 white list, prefix WL, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS5 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS5 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS5 white list, prefix WL, origin ko ... 
ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS5 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS5 white list, prefix WL, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 RPKI ROAs as route objects: tag only (w/o prefix_validated_via_rpki_roas) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS6 RPKI ROAs as route objects: invalid origin ASN ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS6 RPKI ROAs as route objects: ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 ARIN Whois DB: tag only (w/o prefix_validated_via_arin_whois_db_dump) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS6 ARIN Whois DB: ok (solely because of route white list) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 prefix ok, origin ok, ARIN: tag only (w/o prefix_validated_via_arin_whois_db_dump) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 prefix ok, origin ok, ROA: tag only (w/o prefix_validated_via_rpki_roas) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS2 ROA + ARIN Whois DB: tag only (w/o comms [arin_whois_db_dump, rpki_roas]) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS6 prefix ok, origin ok, ROA + ARIN: rejected ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: AS6 ROA + ARIN Whois DB: enforced (rejected) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: reconfigure ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: dumping rs config... -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: dumping routes... -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv4: stopping instances... 
-Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: setting instances up... -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: instances setup ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: sessions are up ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 prefix ko origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 prefix ko origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 prefix ok origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 prefix ok origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 route filtered (origin ko) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 prefix ko origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 prefix ok origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 route filtered (prefix ko, origin ko) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS5 route filtered (prefix ko, origin ko) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS5 route filtered (prefix ko) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS5 prefix ok origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS5 prefix ok origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 white list, prefix WL, origin WL ... 
ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 route white list, ok (exact) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 route white list, reject (more spec) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 route white list, ok (more spec) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 route white list, reject (origin KO) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 route white list, ok (origin any) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS4 white list, prefix WL, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS5 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS5 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS5 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS5 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS5 white list, prefix WL, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 RPKI ROAs as route objects: tag only (w/ prefix_validated_via_rpki_roas) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS6 RPKI ROAs as route objects: invalid origin ASN ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS6 RPKI ROAs as route objects: ok ... 
ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 ARIN Whois DB: tag only (w/ prefix_validated_via_arin_whois_db_dump) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS6 ARIN Whois DB: ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 prefix ok, origin ok, ARIN: tag only (w/ prefix_validated_via_arin_whois_db_dump) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 prefix ok, origin ok, ROA: tag only (w/ prefix_validated_via_rpki_roas) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS2 ROA + ARIN Whois DB: tag only (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS6 prefix ok, origin ok, ROA + ARIN: enforce (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: AS6 ROA + ARIN Whois DB: enforce (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: reconfigure ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: dumping rs config... -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: dumping routes... -Live test, OpenBGPD 7.4, tag prefix/origin in AS-SET, IPv6: stopping instances... -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: setting instances up... -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: instances setup ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: sessions are up ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 no enforcement, prefix and origin not in AS-SET ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 origin enforcement ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 prefix enforcement ... 
ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 white list, prefix WL, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 route white list, ok (exact) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 route white list, reject (more spec) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 route white list, ok (more spec) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 route white list, reject (origin KO) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 route white list, ok (origin any) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 white list, prefix WL, origin ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS4 white list, prefix WL, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS5 white list, prefix ko, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS5 white list, prefix ok, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS5 white list, prefix WL, origin ko ... 
ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS5 white list, prefix WL, origin ok ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS5 white list, prefix WL, origin WL ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 RPKI ROAs as route objects: tag only (w/o prefix_validated_via_rpki_roas) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS6 RPKI ROAs as route objects: invalid origin ASN ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS6 RPKI ROAs as route objects: ko ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 ARIN Whois DB: tag only (w/o prefix_validated_via_arin_whois_db_dump) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS6 ARIN Whois DB: ok (solely because of route white list) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 prefix ok, origin ok, ARIN: tag only (w/o prefix_validated_via_arin_whois_db_dump) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 prefix ok, origin ok, ROA: tag only (w/o prefix_validated_via_rpki_roas) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS2 ROA + ARIN Whois DB: tag only (w/o comms [arin_whois_db_dump, rpki_roas]) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS6 prefix ok, origin ok, ROA + ARIN: rejected ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: AS6 ROA + ARIN Whois DB: enforced (rejected) ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: reconfigure ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: dumping rs config... -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: dumping routes... -Live test, OpenBGPD 7.4, tag prefix/origin empty AS-SET, IPv6: stopping instances... 
+Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: setting instances up... +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: sessions are up ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 prefix ko origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 prefix ko origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 prefix ok origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 prefix ok origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 route filtered (origin ko) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 prefix ko origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 prefix ok origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 route filtered (prefix ko, origin ko) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS5 route filtered (prefix ko, origin ko) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS5 route filtered (prefix ko) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS5 prefix ok origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS5 prefix ok origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 white list, prefix WL, origin WL ... 
ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 route white list, ok (exact) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 route white list, reject (more spec) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 route white list, ok (more spec) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 route white list, reject (origin KO) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 route white list, ok (origin any) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS4 white list, prefix WL, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS5 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS5 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS5 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS5 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS5 white list, prefix WL, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 RPKI ROAs as route objects: tag only (w/ prefix_validated_via_rpki_roas) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS6 RPKI ROAs as route objects: invalid origin ASN ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS6 RPKI ROAs as route objects: ok ... 
ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 ARIN Whois DB: tag only (w/ prefix_validated_via_arin_whois_db_dump) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS6 ARIN Whois DB: ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 prefix ok, origin ok, ARIN: tag only (w/ prefix_validated_via_arin_whois_db_dump) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 prefix ok, origin ok, ROA: tag only (w/ prefix_validated_via_rpki_roas) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS2 ROA + ARIN Whois DB: tag only (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS6 prefix ok, origin ok, ROA + ARIN: enforce (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: AS6 ROA + ARIN Whois DB: enforce (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: reconfigure ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: dumping routes... +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv4: stopping instances... +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: setting instances up... +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: sessions are up ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 no enforcement, prefix and origin not in AS-SET ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 origin enforcement ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 prefix enforcement ... 
ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 white list, prefix WL, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 route white list, ok (exact) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 route white list, reject (more spec) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 route white list, ok (more spec) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 route white list, reject (origin KO) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 route white list, ok (origin any) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS4 white list, prefix WL, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS5 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS5 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS5 white list, prefix WL, origin ko ... 
ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS5 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS5 white list, prefix WL, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 RPKI ROAs as route objects: tag only (w/o prefix_validated_via_rpki_roas) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS6 RPKI ROAs as route objects: invalid origin ASN ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS6 RPKI ROAs as route objects: ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 ARIN Whois DB: tag only (w/o prefix_validated_via_arin_whois_db_dump) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS6 ARIN Whois DB: ok (solely because of route white list) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 prefix ok, origin ok, ARIN: tag only (w/o prefix_validated_via_arin_whois_db_dump) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 prefix ok, origin ok, ROA: tag only (w/o prefix_validated_via_rpki_roas) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS2 ROA + ARIN Whois DB: tag only (w/o comms [arin_whois_db_dump, rpki_roas]) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS6 prefix ok, origin ok, ROA + ARIN: rejected ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: AS6 ROA + ARIN Whois DB: enforced (rejected) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: reconfigure ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: dumping routes... +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv4: stopping instances... 
+Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: setting instances up... +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: sessions are up ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 prefix ko origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 prefix ko origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 prefix ok origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 prefix ok origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 route filtered (origin ko) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 prefix ko origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 prefix ok origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 route filtered (prefix ko, origin ko) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS5 route filtered (prefix ko, origin ko) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS5 route filtered (prefix ko) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS5 prefix ok origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS5 prefix ok origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 white list, prefix WL, origin WL ... 
ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 route white list, ok (exact) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 route white list, reject (more spec) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 route white list, ok (more spec) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 route white list, reject (origin KO) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 route white list, ok (origin any) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS4 white list, prefix WL, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS5 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS5 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS5 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS5 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS5 white list, prefix WL, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 RPKI ROAs as route objects: tag only (w/ prefix_validated_via_rpki_roas) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS6 RPKI ROAs as route objects: invalid origin ASN ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS6 RPKI ROAs as route objects: ok ... 
ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 ARIN Whois DB: tag only (w/ prefix_validated_via_arin_whois_db_dump) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS6 ARIN Whois DB: ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 prefix ok, origin ok, ARIN: tag only (w/ prefix_validated_via_arin_whois_db_dump) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 prefix ok, origin ok, ROA: tag only (w/ prefix_validated_via_rpki_roas) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS2 ROA + ARIN Whois DB: tag only (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS6 prefix ok, origin ok, ROA + ARIN: enforce (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: AS6 ROA + ARIN Whois DB: enforce (w/ comms [arin_whois_db_dump, rpki_roas]) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: reconfigure ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: dumping routes... +Live test, OpenBGPD 7.5, tag prefix/origin in AS-SET, IPv6: stopping instances... +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: setting instances up... +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: sessions are up ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 no enforcement, prefix and origin not in AS-SET ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 origin enforcement ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 prefix enforcement ... 
ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 white list, prefix WL, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 route white list, ok (exact) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 route white list, reject (more spec) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 route white list, ok (more spec) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 route white list, reject (origin KO) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 route white list, ok (origin any) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 white list, prefix WL, origin ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS4 white list, prefix WL, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS5 white list, prefix ko, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS5 white list, prefix ok, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS5 white list, prefix WL, origin ko ... 
ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS5 white list, prefix WL, origin ok ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS5 white list, prefix WL, origin WL ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 RPKI ROAs as route objects: tag only (w/o prefix_validated_via_rpki_roas) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS6 RPKI ROAs as route objects: invalid origin ASN ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS6 RPKI ROAs as route objects: ko ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 ARIN Whois DB: tag only (w/o prefix_validated_via_arin_whois_db_dump) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS6 ARIN Whois DB: ok (solely because of route white list) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 prefix ok, origin ok, ARIN: tag only (w/o prefix_validated_via_arin_whois_db_dump) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 prefix ok, origin ok, ROA: tag only (w/o prefix_validated_via_rpki_roas) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS2 ROA + ARIN Whois DB: tag only (w/o comms [arin_whois_db_dump, rpki_roas]) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS6 prefix ok, origin ok, ROA + ARIN: rejected ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: AS6 ROA + ARIN Whois DB: enforced (rejected) ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: reconfigure ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: dumping routes... +Live test, OpenBGPD 7.5, tag prefix/origin empty AS-SET, IPv6: stopping instances... 
---------------------------------------------------------------------- -Ran 166 tests in 177.003s +Ran 166 tests in 173.555s OK diff --git a/tests/last_results/live_tag_reject_policy_bird1.last b/tests/last_results/live_tag_reject_policy_bird1.last index cdf8429b..d0a99b95 100644 --- a/tests/last_results/live_tag_reject_policy_bird1.last +++ b/tests/last_results/live_tag_reject_policy_bird1.last @@ -52,6 +52,6 @@ Live test, BIRD, 'tag' reject policy scenario, IPv6: dumping routes... Live test, BIRD, 'tag' reject policy scenario, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 44 tests in 116.715s +Ran 44 tests in 114.618s OK (SKIP=1) diff --git a/tests/last_results/live_tag_reject_policy_bird2.last b/tests/last_results/live_tag_reject_policy_bird2.last index e121badd..4d950fe2 100644 --- a/tests/last_results/live_tag_reject_policy_bird2.last +++ b/tests/last_results/live_tag_reject_policy_bird2.last @@ -52,6 +52,6 @@ Live test, BIRD v2, 'tag' reject policy scenario, IPv6: dumping routes... Live test, BIRD v2, 'tag' reject policy scenario, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 44 tests in 116.248s +Ran 44 tests in 114.054s OK (SKIP=1) diff --git a/tests/last_results/live_tag_reject_policy_openbgpd_portable.last b/tests/last_results/live_tag_reject_policy_openbgpd_portable.last index 9bdcb77e..66098030 100644 --- a/tests/last_results/live_tag_reject_policy_openbgpd_portable.last +++ b/tests/last_results/live_tag_reject_policy_openbgpd_portable.last 
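Review bot: the wall-clock line is the only thing that changes in the live_tag_reject_policy_bird1.last and live_tag_reject_policy_bird2.last hunks (`Ran 44 tests in 116.715s` becomes `114.618s`, and `116.248s` becomes `114.054s`), and the same kind of change closes the 166-test OpenBGPD 7.5 results above (`177.003s` becomes `173.555s`). Committing the elapsed time means these `.last` files differ on practically every run even when no test name or outcome moves, which hides real regressions among timing noise. Consider stripping or normalising the `Ran N tests in ...s` line before the results are written, so that a diff in a results file always signals a change in what was tested or in its result.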
@@ -1,57 +1,57 @@ -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: setting instances up... -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: instances setup ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: sessions are up ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: AS_PATH too long ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: bogon prefix ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: bogon prefix, wrong announcing ASN ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: prefix in client's blacklist ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: invalid ASN in AS_PATH ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: invalid NEXT_HOP ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: local black list ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: prefix is not in IPv6 global unicast space ... SKIP: IPv6 only test -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: origin not in as-macro ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: invalid left-most ASN ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: prefix length ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: prefix not in as-macro ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: RPKI INVALID route ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: transit-free ASN in AS_PATH ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: good routes not received ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: prefixes received by clients: AS1_1 ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: prefixes received by clients: AS1_2 ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: prefixes received by clients: AS2 ... 
ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: reconfigure ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: log contains errors ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: dumping rs config... -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: dumping routes... -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv4: stopping instances... -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: setting instances up... -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: instances setup ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: sessions are up ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: AS_PATH too long ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: bogon prefix ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: bogon prefix, wrong announcing ASN ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: prefix in client's blacklist ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: invalid ASN in AS_PATH ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: invalid NEXT_HOP ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: local black list ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: prefix is not in IPv6 global unicast space ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: origin not in as-macro ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: invalid left-most ASN ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: prefix length ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: prefix not in as-macro ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: RPKI INVALID route ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: transit-free ASN in AS_PATH ... 
ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: good routes not received ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: prefixes received by clients: AS1_1 ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: prefixes received by clients: AS1_2 ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: prefixes received by clients: AS2 ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: reconfigure ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: log contains errors ... ok -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: dumping rs config... -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: dumping routes... -Live test, OpenBGPD 7.4, 'tag' reject policy scenario, IPv6: stopping instances... +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: setting instances up... +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: instances setup ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: sessions are up ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: AS_PATH too long ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: bogon prefix ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: bogon prefix, wrong announcing ASN ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: prefix in client's blacklist ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: invalid ASN in AS_PATH ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: invalid NEXT_HOP ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: local black list ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: prefix is not in IPv6 global unicast space ... SKIP: IPv6 only test +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: origin not in as-macro ... 
ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: invalid left-most ASN ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: prefix length ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: prefix not in as-macro ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: RPKI INVALID route ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: transit-free ASN in AS_PATH ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: good routes not received ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: prefixes received by clients: AS1_1 ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: prefixes received by clients: AS1_2 ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: prefixes received by clients: AS2 ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: reconfigure ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: log contains errors ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: dumping rs config... +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: dumping routes... +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv4: stopping instances... +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: setting instances up... +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: instances setup ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: sessions are up ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: AS_PATH too long ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: bogon prefix ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: bogon prefix, wrong announcing ASN ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: prefix in client's blacklist ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: invalid ASN in AS_PATH ... 
ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: invalid NEXT_HOP ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: local black list ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: prefix is not in IPv6 global unicast space ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: origin not in as-macro ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: invalid left-most ASN ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: prefix length ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: prefix not in as-macro ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: RPKI INVALID route ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: transit-free ASN in AS_PATH ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: good routes not received ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: prefixes received by clients: AS1_1 ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: prefixes received by clients: AS1_2 ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: prefixes received by clients: AS2 ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: reconfigure ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: log contains errors ... ok +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: dumping rs config... +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: dumping routes... +Live test, OpenBGPD 7.5, 'tag' reject policy scenario, IPv6: stopping instances... ---------------------------------------------------------------------- -Ran 44 tests in 121.095s +Ran 44 tests in 124.940s OK (SKIP=1) diff --git a/tests/last_results/static.last b/tests/last_results/static.last index 46492424..ae1b8b97 100644 --- a/tests/last_results/static.last +++ b/tests/last_results/static.last 
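Review bot: the recorded OpenBGPD 7.4 run is lost in the live_tag_reject_policy_openbgpd_portable.last hunk, because the file has no version in its name and every one of its 57 lines is rewritten from `OpenBGPD 7.4` to `OpenBGPD 7.5`. The test names, the IPv4 `SKIP: IPv6 only test` entry and the `OK (SKIP=1)` summary are identical on both sides, so the version label is the only information this file adds, and after the change nothing in it shows when the 'tag' reject policy checks (bogon prefix, invalid NEXT_HOP, RPKI INVALID route and the rest) last passed on 7.4. If 7.4 is still meant to be exercised, keep its results in a version-specific file; otherwise state in the commit message that this file always tracks the newest portable release.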
@@ -247,6 +247,6 @@ RTT getter parser: new line only ... ok RTT getter parser: none ... ok ---------------------------------------------------------------------- -Ran 247 tests in 69.193s +Ran 247 tests in 68.563s OK diff --git a/tests/live_tests/scenarios/communities/configs/BGPCommunitiesScenario_OpenBGPDIPv4/openbgpd75p.conf b/tests/live_tests/scenarios/communities/configs/BGPCommunitiesScenario_OpenBGPDIPv4/openbgpd75p.conf new file mode 100644 index 00000000..b171bc60 --- /dev/null +++ b/tests/live_tests/scenarios/communities/configs/BGPCommunitiesScenario_OpenBGPDIPv4/openbgpd75p.conf 
@@ -0,0 +1,1887 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + neighbor 192.0.2.33 { + remote-as 131073 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::33 { + remote-as 131073 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.11 { + remote-as 1 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::11 { + remote-as 1 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.22 { + remote-as 2 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + 
+ announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::22 { + remote-as 2 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } +} + + + +# --------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. + + + + + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 
prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. +# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. + + + +# Scrub communities from inbound routes +# reject_cause +match from group clients set community delete 65520:* + +# reject_cause_map_6 +match from group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match from group clients set ext-community delete rt 65520:* + +# cust_comm1 +match from group clients set community delete 65501:65501 +match from group clients set ext-community delete rt 65501:65501 +match from group clients set large-community delete 999:65501:65501 + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which are used later by the rest of 
the filter rules. + +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + + + + + + + + +# Set the 'rejected_route_announced_by' community for all the clients. +# It will be removed later if the route is not invalid +match from 192.0.2.33 set ext-community rt 65520:131073 + +match from 2001:db8:1:1::33 set ext-community rt 65520:131073 + +match from 192.0.2.11 set ext-community rt 65520:1 + +match from 2001:db8:1:1::11 set ext-community rt 65520:1 + +match from 192.0.2.22 set ext-community rt 65520:2 + +match from 2001:db8:1:1::22 set ext-community rt 65520:2 + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 32' - reject code: 1 +allow quick from group clients max-as-len 32 set { + localpref 1 + community 65520:0 + community 65520:1 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients 
prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +allow quick from group clients community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:10 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +allow quick from group clients prefix-set bogons set { + localpref 1 + community 65520:0 + community 65520:2 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# 
===================================================================================== +# Per client rules. + + +# --------------------------------------------- +# client AS131073_1, inbound + + + +# NEXT_HOP +match from 192.0.2.33 set community NO_ADVERTISE +match from 192.0.2.33 nexthop 192.0.2.33 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.33 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.33 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.33 peer-as != 131073' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.33 peer-as != 131073 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete 
$INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.33 AS 23456' - reject code: 7 +allow quick from 192.0.2.33 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.33 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.33 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.33 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.33 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.33 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.33 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove 
internal communities before accepting the route +match from 192.0.2.33 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.33 set ext-community delete rt 65520:131073 + + + +allow quick from 192.0.2.33 + + + +# --------------------------------------------- +# client AS131073_1, outbound + +deny quick to 192.0.2.33 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.33 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.33 + +# do_not_announce_to_any +deny to 192.0.2.33 community 0:999 +deny to 192.0.2.33 ext-community rt 0:999 +deny to 192.0.2.33 large-community 999:0:999 + +# do_not_announce_to_peer +# Warning: must skip 0:peer_as because peer_as > 65535 (131073) +deny quick to 192.0.2.33 ext-community rt 0:131073 +deny quick to 192.0.2.33 large-community 999:0:131073 + +# announce_to_peer +# Warning: must skip 999:peer_as because peer_as > 65535 (131073) +allow to 192.0.2.33 ext-community rt 999:131073 +allow to 192.0.2.33 large-community 999:999:131073 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.33 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS131073_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::33 set community NO_ADVERTISE +match from 2001:db8:1:1::33 nexthop 2001:db8:1:1::33 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::33 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::33 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::33 peer-as != 131073' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::33 peer-as != 131073 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete 
$INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::33 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::33 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::33 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::33 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + 
ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::33 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::33 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::33 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::33 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::33 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::33 set ext-community delete rt 65520:131073 + + + +allow quick from 2001:db8:1:1::33 + + + +# --------------------------------------------- +# client AS131073_2, outbound + +deny quick to 2001:db8:1:1::33 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::33 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::33 + +# do_not_announce_to_any +deny to 2001:db8:1:1::33 community 0:999 +deny to 2001:db8:1:1::33 ext-community rt 0:999 +deny to 2001:db8:1:1::33 large-community 999:0:999 + +# do_not_announce_to_peer +# Warning: must skip 0:peer_as because peer_as > 65535 (131073) +deny quick to 2001:db8:1:1::33 ext-community rt 0:131073 +deny quick to 2001:db8:1:1::33 large-community 999:0:131073 + +# announce_to_peer +# Warning: must skip 999:peer_as because peer_as > 65535 (131073) +allow to 2001:db8:1:1::33 ext-community rt 999:131073 +allow to 2001:db8:1:1::33 large-community 999:999:131073 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::33 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS1_1, inbound + + +# Attach custom BGP communities +# cust_comm1 +match from 192.0.2.11 set community 65501:65501 +match from 192.0.2.11 set ext-community rt 65501:65501 +match from 192.0.2.11 set large-community 999:65501:65501 + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete 
$INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +allow quick from 192.0.2.11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete 
$INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.11 set ext-community delete rt 65520:1 + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS1_1, outbound + +deny quick to 192.0.2.11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.11 + +# do_not_announce_to_any +deny to 192.0.2.11 community 0:999 +deny to 192.0.2.11 ext-community rt 0:999 +deny to 192.0.2.11 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.11 community 0:1 +deny quick to 192.0.2.11 ext-community rt 0:1 +deny quick to 192.0.2.11 large-community 999:0:1 + +# announce_to_peer +allow to 192.0.2.11 community 999:1 +allow to 192.0.2.11 ext-community rt 999:1 +allow to 192.0.2.11 large-community 999:999:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS1_2, inbound + + +# Attach custom BGP communities +# cust_comm1 +match from 2001:db8:1:1::11 set community 65501:65501 +match from 2001:db8:1:1::11 set ext-community rt 65501:65501 +match from 2001:db8:1:1::11 set large-community 999:65501:65501 + +# NEXT_HOP +match from 2001:db8:1:1::11 set community NO_ADVERTISE +match from 2001:db8:1:1::11 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::11 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete 
$INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community 
delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + 
ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::11 set ext-community delete rt 65520:1 + + + +allow quick from 2001:db8:1:1::11 + + + +# --------------------------------------------- +# client AS1_2, outbound + +deny quick to 2001:db8:1:1::11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::11 + +# do_not_announce_to_any +deny to 2001:db8:1:1::11 community 0:999 +deny to 2001:db8:1:1::11 ext-community rt 0:999 +deny to 2001:db8:1:1::11 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::11 community 0:1 +deny quick to 2001:db8:1:1::11 ext-community rt 0:1 +deny quick to 2001:db8:1:1::11 large-community 999:0:1 + +# announce_to_peer +allow to 2001:db8:1:1::11 community 999:1 +allow to 2001:db8:1:1::11 ext-community rt 999:1 +allow to 2001:db8:1:1::11 large-community 999:999:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. 
As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_1, inbound + + + +# NEXT_HOP +match from 192.0.2.22 set community NO_ADVERTISE +match from 192.0.2.22 nexthop 192.0.2.22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.22 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.22 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.22 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.22 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete 
$INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.22 AS 23456' - reject code: 7 +allow quick from 192.0.2.22 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.22 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.22 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.22 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.22 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.22 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.22 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.22 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.22 set ext-community delete rt 65520:2 + + + +allow quick from 192.0.2.22 + + + +# --------------------------------------------- +# client AS2_1, outbound + +deny quick to 192.0.2.22 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.22 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.22 + +# do_not_announce_to_any +deny to 192.0.2.22 community 0:999 +deny to 192.0.2.22 ext-community rt 0:999 +deny to 192.0.2.22 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.22 community 0:2 +deny quick to 192.0.2.22 ext-community rt 0:2 +deny quick to 192.0.2.22 large-community 999:0:2 + +# announce_to_peer +allow to 192.0.2.22 community 999:2 +allow to 192.0.2.22 ext-community rt 999:2 +allow to 192.0.2.22 large-community 999:999:2 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.22 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::22 set community NO_ADVERTISE +match from 2001:db8:1:1::22 nexthop 2001:db8:1:1::22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::22 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::22 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::22 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::22 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::22 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::22 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::22 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::22 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::22 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::22 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::22 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::22 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::22 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::22 set ext-community delete rt 65520:2 + + + +allow quick from 2001:db8:1:1::22 + + + +# --------------------------------------------- +# client AS2_2, outbound + +deny quick to 2001:db8:1:1::22 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::22 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::22 + +# do_not_announce_to_any +deny to 2001:db8:1:1::22 community 0:999 +deny to 2001:db8:1:1::22 ext-community rt 0:999 +deny to 2001:db8:1:1::22 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::22 community 0:2 +deny quick to 2001:db8:1:1::22 ext-community rt 0:2 +deny quick to 2001:db8:1:1::22 large-community 999:0:2 + +# announce_to_peer +allow to 2001:db8:1:1::22 community 999:2 +allow to 2001:db8:1:1::22 ext-community rt 999:2 +allow to 2001:db8:1:1::22 large-community 999:999:2 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::22 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + + + +# Scrub communities from outbound routes +# announce_to_peer +match to group clients set community delete 999:* +match to group clients set ext-community delete rt 999:* +match to group clients set large-community delete 999:999:* + +# do_not_announce_to_any +match to group clients set community delete 0:999 +match to group clients set ext-community delete rt 0:999 +match to group clients set large-community delete 999:0:999 + +# do_not_announce_to_peer +match to group clients set community delete 0:* +match to group clients set ext-community delete rt 0:* +match to group clients set large-community delete 999:0:* + +# reject_cause +match to group clients set community delete 65520:* + +# reject_cause_map_6 +match to group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match to group clients set ext-community delete rt 65520:* + + +# Scrub prepending communities + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community 
delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + diff --git a/tests/live_tests/scenarios/communities/configs/BGPCommunitiesScenario_OpenBGPDIPv6/openbgpd75p.conf b/tests/live_tests/scenarios/communities/configs/BGPCommunitiesScenario_OpenBGPDIPv6/openbgpd75p.conf new file mode 100644 index 00000000..b171bc60 --- /dev/null +++ b/tests/live_tests/scenarios/communities/configs/BGPCommunitiesScenario_OpenBGPDIPv6/openbgpd75p.conf 
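Review bot: the per-client "Remove internal communities before accepting the route" blocks (for example `match from 192.0.2.22 set { ... }`) delete only 12 of the 15 `$INTCOMM_*` values. They leave `$INTCOMM_RPKI_INVALID`, `$INTCOMM_NO_EXPORT` and `$INTCOMM_NO_ADVERTISE` on the accepted route, and no comment says this is deliberate. The last two are clearly consumed later by `match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT` and its NO_ADVERTISE twin, so keeping them makes sense. Nothing in the lines shown here reads `$INTCOMM_RPKI_INVALID` before the final outbound block deletes all 15. Please have the template emit a one-line comment above these blocks naming the values that are intentionally retained and why, so a reader diffing the accept block against the reject blocks does not take the shorter list for an omission. Minor: the "# Scrub prepending communities" heading has no rules under it; either drop the heading when the section is empty or emit a "none configured" comment like the one used for the blackhole policy.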
@@ -0,0 +1,1887 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + neighbor 192.0.2.33 { + remote-as 131073 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::33 { + remote-as 131073 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.11 { + remote-as 1 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::11 { + remote-as 1 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.22 { + remote-as 2 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + 
+ announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::22 { + remote-as 2 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } +} + + + +# --------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. + + + + + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 
prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. +# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. + + + +# Scrub communities from inbound routes +# reject_cause +match from group clients set community delete 65520:* + +# reject_cause_map_6 +match from group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match from group clients set ext-community delete rt 65520:* + +# cust_comm1 +match from group clients set community delete 65501:65501 +match from group clients set ext-community delete rt 65501:65501 +match from group clients set large-community delete 999:65501:65501 + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which are used later by the rest of 
the filter rules. + +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + + + + + + + + +# Set the 'rejected_route_announced_by' community for all the clients. +# It will be removed later if the route is not invalid +match from 192.0.2.33 set ext-community rt 65520:131073 + +match from 2001:db8:1:1::33 set ext-community rt 65520:131073 + +match from 192.0.2.11 set ext-community rt 65520:1 + +match from 2001:db8:1:1::11 set ext-community rt 65520:1 + +match from 192.0.2.22 set ext-community rt 65520:2 + +match from 2001:db8:1:1::22 set ext-community rt 65520:2 + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 32' - reject code: 1 +allow quick from group clients max-as-len 32 set { + localpref 1 + community 65520:0 + community 65520:1 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients 
prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +allow quick from group clients community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:10 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +allow quick from group clients prefix-set bogons set { + localpref 1 + community 65520:0 + community 65520:2 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# 
===================================================================================== +# Per client rules. + + +# --------------------------------------------- +# client AS131073_1, inbound + + + +# NEXT_HOP +match from 192.0.2.33 set community NO_ADVERTISE +match from 192.0.2.33 nexthop 192.0.2.33 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.33 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.33 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.33 peer-as != 131073' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.33 peer-as != 131073 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete 
$INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.33 AS 23456' - reject code: 7 +allow quick from 192.0.2.33 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.33 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.33 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.33 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.33 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.33 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.33 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove 
internal communities before accepting the route +match from 192.0.2.33 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.33 set ext-community delete rt 65520:131073 + + + +allow quick from 192.0.2.33 + + + +# --------------------------------------------- +# client AS131073_1, outbound + +deny quick to 192.0.2.33 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.33 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.33 + +# do_not_announce_to_any +deny to 192.0.2.33 community 0:999 +deny to 192.0.2.33 ext-community rt 0:999 +deny to 192.0.2.33 large-community 999:0:999 + +# do_not_announce_to_peer +# Warning: must skip 0:peer_as because peer_as > 65535 (131073) +deny quick to 192.0.2.33 ext-community rt 0:131073 +deny quick to 192.0.2.33 large-community 999:0:131073 + +# announce_to_peer +# Warning: must skip 999:peer_as because peer_as > 65535 (131073) +allow to 192.0.2.33 ext-community rt 999:131073 +allow to 192.0.2.33 large-community 999:999:131073 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.33 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS131073_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::33 set community NO_ADVERTISE +match from 2001:db8:1:1::33 nexthop 2001:db8:1:1::33 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::33 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::33 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::33 peer-as != 131073' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::33 peer-as != 131073 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete 
$INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::33 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::33 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::33 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::33 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + 
ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::33 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::33 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::33 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::33 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::33 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::33 set ext-community delete rt 65520:131073 + + + +allow quick from 2001:db8:1:1::33 + + + +# --------------------------------------------- +# client AS131073_2, outbound + +deny quick to 2001:db8:1:1::33 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::33 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::33 + +# do_not_announce_to_any +deny to 2001:db8:1:1::33 community 0:999 +deny to 2001:db8:1:1::33 ext-community rt 0:999 +deny to 2001:db8:1:1::33 large-community 999:0:999 + +# do_not_announce_to_peer +# Warning: must skip 0:peer_as because peer_as > 65535 (131073) +deny quick to 2001:db8:1:1::33 ext-community rt 0:131073 +deny quick to 2001:db8:1:1::33 large-community 999:0:131073 + +# announce_to_peer +# Warning: must skip 999:peer_as because peer_as > 65535 (131073) +allow to 2001:db8:1:1::33 ext-community rt 999:131073 +allow to 2001:db8:1:1::33 large-community 999:999:131073 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::33 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS1_1, inbound + + +# Attach custom BGP communities +# cust_comm1 +match from 192.0.2.11 set community 65501:65501 +match from 192.0.2.11 set ext-community rt 65501:65501 +match from 192.0.2.11 set large-community 999:65501:65501 + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete 
$INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +allow quick from 192.0.2.11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete 
$INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.11 set ext-community delete rt 65520:1 + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS1_1, outbound + +deny quick to 192.0.2.11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.11 + +# do_not_announce_to_any +deny to 192.0.2.11 community 0:999 +deny to 192.0.2.11 ext-community rt 0:999 +deny to 192.0.2.11 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.11 community 0:1 +deny quick to 192.0.2.11 ext-community rt 0:1 +deny quick to 192.0.2.11 large-community 999:0:1 + +# announce_to_peer +allow to 192.0.2.11 community 999:1 +allow to 192.0.2.11 ext-community rt 999:1 +allow to 192.0.2.11 large-community 999:999:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS1_2, inbound + + +# Attach custom BGP communities +# cust_comm1 +match from 2001:db8:1:1::11 set community 65501:65501 +match from 2001:db8:1:1::11 set ext-community rt 65501:65501 +match from 2001:db8:1:1::11 set large-community 999:65501:65501 + +# NEXT_HOP +match from 2001:db8:1:1::11 set community NO_ADVERTISE +match from 2001:db8:1:1::11 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::11 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete 
$INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community 
delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + 
ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::11 set ext-community delete rt 65520:1 + + + +allow quick from 2001:db8:1:1::11 + + + +# --------------------------------------------- +# client AS1_2, outbound + +deny quick to 2001:db8:1:1::11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::11 + +# do_not_announce_to_any +deny to 2001:db8:1:1::11 community 0:999 +deny to 2001:db8:1:1::11 ext-community rt 0:999 +deny to 2001:db8:1:1::11 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::11 community 0:1 +deny quick to 2001:db8:1:1::11 ext-community rt 0:1 +deny quick to 2001:db8:1:1::11 large-community 999:0:1 + +# announce_to_peer +allow to 2001:db8:1:1::11 community 999:1 +allow to 2001:db8:1:1::11 ext-community rt 999:1 +allow to 2001:db8:1:1::11 large-community 999:999:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. 
As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_1, inbound + + + +# NEXT_HOP +match from 192.0.2.22 set community NO_ADVERTISE +match from 192.0.2.22 nexthop 192.0.2.22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.22 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.22 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.22 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.22 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete 
$INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.22 AS 23456' - reject code: 7 +allow quick from 192.0.2.22 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.22 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.22 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.22 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.22 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.22 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.22 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.22 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.22 set ext-community delete rt 65520:2 + + + +allow quick from 192.0.2.22 + + + +# --------------------------------------------- +# client AS2_1, outbound + +deny quick to 192.0.2.22 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.22 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.22 + +# do_not_announce_to_any +deny to 192.0.2.22 community 0:999 +deny to 192.0.2.22 ext-community rt 0:999 +deny to 192.0.2.22 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.22 community 0:2 +deny quick to 192.0.2.22 ext-community rt 0:2 +deny quick to 192.0.2.22 large-community 999:0:2 + +# announce_to_peer +allow to 192.0.2.22 community 999:2 +allow to 192.0.2.22 ext-community rt 999:2 +allow to 192.0.2.22 large-community 999:999:2 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.22 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::22 set community NO_ADVERTISE +match from 2001:db8:1:1::22 nexthop 2001:db8:1:1::22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::22 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::22 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::22 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::22 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::22 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::22 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::22 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::22 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::22 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::22 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::22 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::22 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::22 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::22 set ext-community delete rt 65520:2 + + + +allow quick from 2001:db8:1:1::22 + + + +# --------------------------------------------- +# client AS2_2, outbound + +deny quick to 2001:db8:1:1::22 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::22 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::22 + +# do_not_announce_to_any +deny to 2001:db8:1:1::22 community 0:999 +deny to 2001:db8:1:1::22 ext-community rt 0:999 +deny to 2001:db8:1:1::22 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::22 community 0:2 +deny quick to 2001:db8:1:1::22 ext-community rt 0:2 +deny quick to 2001:db8:1:1::22 large-community 999:0:2 + +# announce_to_peer +allow to 2001:db8:1:1::22 community 999:2 +allow to 2001:db8:1:1::22 ext-community rt 999:2 +allow to 2001:db8:1:1::22 large-community 999:999:2 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::22 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + + + +# Scrub communities from outbound routes +# announce_to_peer +match to group clients set community delete 999:* +match to group clients set ext-community delete rt 999:* +match to group clients set large-community delete 999:999:* + +# do_not_announce_to_any +match to group clients set community delete 0:999 +match to group clients set ext-community delete rt 0:999 +match to group clients set large-community delete 999:0:999 + +# do_not_announce_to_peer +match to group clients set community delete 0:* +match to group clients set ext-community delete rt 0:* +match to group clients set large-community delete 999:0:* + +# reject_cause +match to group clients set community delete 65520:* + +# reject_cause_map_6 +match to group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match to group clients set ext-community delete rt 65520:* + + +# Scrub prepending communities + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community 
delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + diff --git a/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv4/openbgpd75p/AS1.txt b/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv4/openbgpd75p/AS1.txt new file mode 100644 index 00000000..5da2643f --- /dev/null +++ b/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv4/openbgpd75p/AS1.txt @@ -0,0 +1,28 @@ +2.0.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.22, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.2.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.22, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.22, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.6.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.22, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv4/openbgpd75p/AS131073.txt b/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv4/openbgpd75p/AS131073.txt new file mode 100644 index 00000000..8600918f --- /dev/null +++ b/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv4/openbgpd75p/AS131073.txt 
@@ -0,0 +1,28 @@ +1.0.1.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: 65501:65501 + ext comms: rt:65501:65501 + lrg comms: 999:65501:65501 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.4.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.22, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.5.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.22, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.6.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.22, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv4/openbgpd75p/AS2.txt b/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv4/openbgpd75p/AS2.txt new file mode 100644 index 00000000..0cb7d282 --- /dev/null +++ b/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv4/openbgpd75p/AS2.txt @@ -0,0 +1,7 @@ +1.0.1.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: 65501:65501 + ext comms: rt:65501:65501 + lrg comms: 999:65501:65501 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv4/openbgpd75p/rs.txt b/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv4/openbgpd75p/rs.txt new file mode 100644 index 00000000..d7d39207 --- /dev/null +++ b/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv4/openbgpd75p/rs.txt 
@@ -0,0 +1,49 @@ +1.0.1.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: 65501:65501 + ext comms: rt:65501:65501 + lrg comms: 999:65501:65501 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.22, via 192.0.2.22 + std comms: 0:999, 999:1 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.2.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.22, via 192.0.2.22 + std comms: + ext comms: rt:0:999, rt:999:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.22, via 192.0.2.22 + std comms: + ext comms: + lrg comms: 999:0:999, 999:999:1 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.4.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.22, via 192.0.2.22 + std comms: 0:999 + ext comms: rt:999:131073 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.5.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.22, via 192.0.2.22 + std comms: + ext comms: + lrg comms: 999:0:999, 999:999:131073 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.6.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.22, via 192.0.2.22 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv6/openbgpd75p/AS1.txt b/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv6/openbgpd75p/AS1.txt new file mode 100644 index 00000000..99f3fa19 --- /dev/null +++ b/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv6/openbgpd75p/AS1.txt 
@@ -0,0 +1,28 @@ +2a00:1::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a00:2::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a00:3::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a00:6::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv6/openbgpd75p/AS131073.txt b/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv6/openbgpd75p/AS131073.txt new file mode 100644 index 00000000..ff54ced5 --- /dev/null +++ b/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv6/openbgpd75p/AS131073.txt @@ -0,0 +1,28 @@ +2a00:4::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a00:5::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a00:6::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:1::/32, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65501:65501 + ext comms: rt:65501:65501 + lrg comms: 999:65501:65501 + best: True, LOCAL_PREF: 100 + filtered: False () + 
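Review bot: In the OpenBGPD config that ends just before the BGPCommunitiesScenario_OpenBGPDIPv4/openbgpd75p/AS1.txt diff, the per-client block under "# Remove internal communities before accepting the route" (for both 192.0.2.22 and 2001:db8:1:1::22) deletes only 12 of the 15 internal communities that every reject rule deletes, and no comment says why $INTCOMM_RPKI_INVALID, $INTCOMM_NO_EXPORT and $INTCOMM_NO_ADVERTISE stay on accepted routes. The last two are visibly consumed later by `match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT` and its NO_ADVERTISE counterpart, but nothing in the visible lines reads $INTCOMM_RPKI_INVALID before the final outbound scrub removes it. Please add a one-line comment above the block naming the communities that are kept on purpose and what consumes them, so a reader can tell an intentional pass-through from an omission. If this file is rendered from a template, the comment belongs in the template.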
diff --git a/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv6/openbgpd75p/AS2.txt b/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv6/openbgpd75p/AS2.txt new file mode 100644 index 00000000..6f4f0803 --- /dev/null +++ b/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv6/openbgpd75p/AS2.txt @@ -0,0 +1,7 @@ +2a01:1::/32, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65501:65501 + ext comms: rt:65501:65501 + lrg comms: 999:65501:65501 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv6/openbgpd75p/rs.txt b/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv6/openbgpd75p/rs.txt new file mode 100644 index 00000000..fff34e4e --- /dev/null +++ b/tests/live_tests/scenarios/communities/routes/BGPCommunitiesScenario_OpenBGPDIPv6/openbgpd75p/rs.txt 
@@ -0,0 +1,49 @@ +2a00:1::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::22 + std comms: 0:999, 999:1 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a00:2::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::22 + std comms: + ext comms: rt:0:999, rt:999:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a00:3::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::22 + std comms: + ext comms: + lrg comms: 999:0:999, 999:999:1 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a00:4::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::22 + std comms: 0:999 + ext comms: rt:999:131073 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a00:5::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::22 + std comms: + ext comms: + lrg comms: 999:0:999, 999:999:131073 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a00:6::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::22 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:1::/32, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65501:65501 + ext comms: rt:65501:65501 + lrg comms: 999:65501:65501 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/default/configs/DefaultConfigScenarioOpenBGPD_IPv4/openbgpd75p.conf b/tests/live_tests/scenarios/default/configs/DefaultConfigScenarioOpenBGPD_IPv4/openbgpd75p.conf new file mode 100644 index 00000000..c47a7620 --- /dev/null +++ b/tests/live_tests/scenarios/default/configs/DefaultConfigScenarioOpenBGPD_IPv4/openbgpd75p.conf 
@@ -0,0 +1,1273 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + +# AS3333, used by client AS3333_1 +as-set "AS_SET_AS3333_asns" { + 3333 +} +prefix-set "AS_SET_AS3333_prefixes" { + 193.0.0.0/21 +} + +# AS10745, used by client AS10745_1, client AS10745_2 +as-set "AS_SET_AS10745_asns" { + 10745 +} +prefix-set "AS_SET_AS10745_prefixes" { + 199.43.0.0/24 +} + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + neighbor 192.0.2.22 { + remote-as 10745 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db:1:1::22 { + remote-as 10745 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.11 { + remote-as 3333 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } +} + + + +# --------------------------------------------------------- +# FILTERS + +# 
NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. + + + + + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. 
+# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. + + + +# Scrub communities from inbound routes +# reject_cause +match from group clients set community delete 65520:* + +# reject_cause_map_6 +match from group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match from group clients set ext-community delete rt 65520:* + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which are used later by the rest of the filter rules. 
+ +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + + + + + + + + +# Set the 'rejected_route_announced_by' community for all the clients. +# It will be removed later if the route is not invalid +match from 192.0.2.22 set ext-community rt 65520:10745 + +match from 2001:db:1:1::22 set ext-community rt 65520:10745 + +match from 192.0.2.11 set ext-community rt 65520:3333 + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 32' - reject code: 1 +allow quick from group clients max-as-len 32 set { + localpref 1 + community 65520:0 + community 65520:1 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +allow quick from group clients community 
NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:10 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +allow quick from group clients prefix-set bogons set { + localpref 1 + community 65520:0 + community 65520:2 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# ===================================================================================== +# Per client rules. 
+ + +# --------------------------------------------- +# client AS10745_1, inbound + + + +# NEXT_HOP +match from 192.0.2.22 set community NO_ADVERTISE +match from 192.0.2.22 nexthop 192.0.2.22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.22 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.22 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.22 peer-as != 10745' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.22 peer-as != 10745 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community 
delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.22 AS 23456' - reject code: 7 +allow quick from 192.0.2.22 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.22 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.22 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.22 AS 
4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.22 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 192.0.2.22 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS10745_1, AS10745: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.22 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.22 source-as as-set AS_SET_AS10745_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS10745 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS10745_1, AS10745: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.22 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.22 prefix-set AS_SET_AS10745_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS10745 + + + + + + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' 
- reject code: 9 +allow quick from 192.0.2.22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.22 prefix 0.0.0.0/0 
prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.22 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.22 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.22 set ext-community delete rt 65520:10745 + + + +allow quick from 192.0.2.22 + + + +# --------------------------------------------- +# client AS10745_1, outbound + +deny quick to 192.0.2.22 community 65520:0 + + + +# Blackhole request? 
+# No blackhole filtering policy given +deny quick to 192.0.2.22 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.22 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.22 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS10745_2, inbound + + + +# NEXT_HOP +match from 2001:db:1:1::22 set community NO_ADVERTISE +match from 2001:db:1:1::22 nexthop 2001:db:1:1::22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db:1:1::22 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db:1:1::22 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db:1:1::22 peer-as != 10745' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db:1:1::22 peer-as != 10745 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + 
ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db:1:1::22 AS 23456' - reject code: 7 +allow quick from 2001:db:1:1::22 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db:1:1::22 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db:1:1::22 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete 
$INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db:1:1::22 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db:1:1::22 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 2001:db:1:1::22 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS10745_2, AS10745: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db:1:1::22 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 2001:db:1:1::22 source-as as-set AS_SET_AS10745_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS10745 + + +# 
Prefix: check prefix via AS-SET +# IRRDB filters for AS10745_2, AS10745: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db:1:1::22 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 2001:db:1:1::22 prefix-set AS_SET_AS10745_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS10745 + + + + + + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db:1:1::22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db:1:1::22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db:1:1::22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db:1:1::22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + 
ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db:1:1::22 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db:1:1::22 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db:1:1::22 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete 
$INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db:1:1::22 set ext-community delete rt 65520:10745 + + + +allow quick from 2001:db:1:1::22 + + + +# --------------------------------------------- +# client AS10745_2, outbound + +deny quick to 2001:db:1:1::22 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db:1:1::22 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db:1:1::22 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db:1:1::22 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS3333_1, inbound + + + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + 
ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.11 peer-as != 3333' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.11 peer-as != 3333 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +allow quick from 192.0.2.11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + 
+} + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 192.0.2.11 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS3333_1, AS3333: asns +# add 
$INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.11 source-as as-set AS_SET_AS3333_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS3333 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS3333_1, AS3333: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.11 prefix-set AS_SET_AS3333_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS3333 + + + + + + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 
12 +allow quick from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete 
$INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.11 set ext-community delete rt 65520:3333 + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS3333_1, outbound + +deny quick to 192.0.2.11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + + + +# Scrub communities from outbound routes +# reject_cause +match to group clients set community delete 65520:* + +# reject_cause_map_6 +match to group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match to group clients set ext-community delete rt 65520:* + + +# Scrub prepending communities + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + diff --git a/tests/live_tests/scenarios/default/configs/DefaultConfigScenarioOpenBGPD_IPv6/openbgpd75p.conf b/tests/live_tests/scenarios/default/configs/DefaultConfigScenarioOpenBGPD_IPv6/openbgpd75p.conf new file mode 100644 index 00000000..423372e3 --- /dev/null +++ b/tests/live_tests/scenarios/default/configs/DefaultConfigScenarioOpenBGPD_IPv6/openbgpd75p.conf 
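Review bot: In the per-client "Remove internal communities before accepting the route" blocks (192.0.2.22, 2001:db:1:1::22 and 192.0.2.11), the delete list omits `$INTCOMM_RPKI_INVALID`, `$INTCOMM_NO_EXPORT` and `$INTCOMM_NO_ADVERTISE`, although every reject block above them and the final `match to group clients set { ... }` scrub delete all three. Keeping `$INTCOMM_NO_EXPORT` and `$INTCOMM_NO_ADVERTISE` is explained by the later outbound rules that turn them back into NO_EXPORT and NO_ADVERTISE, but nothing in this file says why `$INTCOMM_RPKI_INVALID` survives on accepted routes. The outbound scrub does remove it before announcement, so it does not reach clients. Please either add `ext-community delete $INTCOMM_RPKI_INVALID` to the accept-time block in the template, or add a comment there stating that the three are retained on purpose, so the expected config documents the intent.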
@@ -0,0 +1,1273 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + +# AS3333, used by client AS3333_1 +as-set "AS_SET_AS3333_asns" { + 3333 +} +prefix-set "AS_SET_AS3333_prefixes" { + 2001:67c:2e8::/48 +} + +# AS10745, used by client AS10745_1, client AS10745_2 +as-set "AS_SET_AS10745_asns" { + 10745 +} +prefix-set "AS_SET_AS10745_prefixes" { + 2001:500:4::/48 +} + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + neighbor 192.0.2.22 { + remote-as 10745 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db:1:1::22 { + remote-as 10745 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.11 { + remote-as 3333 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } +} + + + +# --------------------------------------------------------- +# FILTERS 
+ +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. + + + + + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. 
+# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. + + + +# Scrub communities from inbound routes +# reject_cause +match from group clients set community delete 65520:* + +# reject_cause_map_6 +match from group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match from group clients set ext-community delete rt 65520:* + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which are used later by the rest of the filter rules. 
+ +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + + + + + + + + +# Set the 'rejected_route_announced_by' community for all the clients. +# It will be removed later if the route is not invalid +match from 192.0.2.22 set ext-community rt 65520:10745 + +match from 2001:db:1:1::22 set ext-community rt 65520:10745 + +match from 192.0.2.11 set ext-community rt 65520:3333 + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 32' - reject code: 1 +allow quick from group clients max-as-len 32 set { + localpref 1 + community 65520:0 + community 65520:1 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +allow quick from group clients community 
NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:10 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +allow quick from group clients prefix-set bogons set { + localpref 1 + community 65520:0 + community 65520:2 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# ===================================================================================== +# Per client rules. 
+ + +# --------------------------------------------- +# client AS10745_1, inbound + + + +# NEXT_HOP +match from 192.0.2.22 set community NO_ADVERTISE +match from 192.0.2.22 nexthop 192.0.2.22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.22 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.22 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.22 peer-as != 10745' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.22 peer-as != 10745 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community 
delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.22 AS 23456' - reject code: 7 +allow quick from 192.0.2.22 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.22 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.22 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.22 AS 
4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.22 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 192.0.2.22 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS10745_1, AS10745: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.22 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.22 source-as as-set AS_SET_AS10745_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS10745 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS10745_1, AS10745: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.22 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.22 prefix-set AS_SET_AS10745_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS10745 + + + + + + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' 
- reject code: 9 +allow quick from 192.0.2.22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.22 prefix 0.0.0.0/0 
prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.22 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.22 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.22 set ext-community delete rt 65520:10745 + + + +allow quick from 192.0.2.22 + + + +# --------------------------------------------- +# client AS10745_1, outbound + +deny quick to 192.0.2.22 community 65520:0 + + + +# Blackhole request? 
+# No blackhole filtering policy given +deny quick to 192.0.2.22 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.22 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.22 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS10745_2, inbound + + + +# NEXT_HOP +match from 2001:db:1:1::22 set community NO_ADVERTISE +match from 2001:db:1:1::22 nexthop 2001:db:1:1::22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db:1:1::22 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db:1:1::22 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db:1:1::22 peer-as != 10745' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db:1:1::22 peer-as != 10745 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + 
ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db:1:1::22 AS 23456' - reject code: 7 +allow quick from 2001:db:1:1::22 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db:1:1::22 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db:1:1::22 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete 
$INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db:1:1::22 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db:1:1::22 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 2001:db:1:1::22 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS10745_2, AS10745: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db:1:1::22 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 2001:db:1:1::22 source-as as-set AS_SET_AS10745_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS10745 + + +# 
Prefix: check prefix via AS-SET +# IRRDB filters for AS10745_2, AS10745: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db:1:1::22 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 2001:db:1:1::22 prefix-set AS_SET_AS10745_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS10745 + + + + + + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db:1:1::22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db:1:1::22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db:1:1::22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db:1:1::22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + 
ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db:1:1::22 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db:1:1::22 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db:1:1::22 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete 
$INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db:1:1::22 set ext-community delete rt 65520:10745 + + + +allow quick from 2001:db:1:1::22 + + + +# --------------------------------------------- +# client AS10745_2, outbound + +deny quick to 2001:db:1:1::22 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db:1:1::22 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db:1:1::22 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db:1:1::22 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS3333_1, inbound + + + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + 
ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.11 peer-as != 3333' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.11 peer-as != 3333 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +allow quick from 192.0.2.11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + 
+} + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 192.0.2.11 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS3333_1, AS3333: asns +# add 
$INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.11 source-as as-set AS_SET_AS3333_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS3333 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS3333_1, AS3333: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.11 prefix-set AS_SET_AS3333_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS3333 + + + + + + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 
12 +allow quick from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete 
$INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.11 set ext-community delete rt 65520:3333 + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS3333_1, outbound + +deny quick to 192.0.2.11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + + + +# Scrub communities from outbound routes +# reject_cause +match to group clients set community delete 65520:* + +# reject_cause_map_6 +match to group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match to group clients set ext-community delete rt 65520:* + + +# Scrub prepending communities + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + diff --git a/tests/live_tests/scenarios/default/routes/DefaultConfigScenarioOpenBGPD_IPv4/openbgpd75p/rs.txt b/tests/live_tests/scenarios/default/routes/DefaultConfigScenarioOpenBGPD_IPv4/openbgpd75p/rs.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/default/routes/DefaultConfigScenarioOpenBGPD_IPv6/openbgpd75p/rs.txt b/tests/live_tests/scenarios/default/routes/DefaultConfigScenarioOpenBGPD_IPv6/openbgpd75p/rs.txt new file mode 100644 index 00000000..e69de29b 
diff --git a/tests/live_tests/scenarios/global/base.py b/tests/live_tests/scenarios/global/base.py index c2864394..d19cd325 100644 --- a/tests/live_tests/scenarios/global/base.py +++ b/tests/live_tests/scenarios/global/base.py @@ -13,6 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +from packaging import version import unittest from pierky.arouteserver.builder import OpenBGPDConfigBuilder, BIRDConfigBuilder @@ -20,9 +21,7 @@ from pierky.arouteserver.tests.live_tests.base import LiveScenario, \ LiveScenario_TagRejectPolicy, \ LiveScenario_TagAndRejectRejectPolicy -from pierky.arouteserver.tests.live_tests.openbgpd import OpenBGPDInstance, \ - OpenBGPDPreviousInstance, \ - OpenBGPDLatestInstance +from pierky.arouteserver.tests.live_tests.openbgpd import OpenBGPDInstance from pierky.arouteserver.tests.live_tests.bird import BIRDInstance from pierky.arouteserver.tests.live_tests.exabgp import ExaBGPInstance from pierky.arouteserver.tests.live_tests.instances import Route @@ -1094,7 +1093,8 @@ def test_100_prefixes_received_by_clients_AS3_with_ADD_PATH(self): """{}: prefixes received by clients: AS3 (with ADD-PATH)""" if isinstance(self.rs, OpenBGPDInstance): - raise unittest.SkipTest("ADD-PATH not supported by OpenBGPD") + if version.parse(self.rs.TARGET_VERSION) < version.parse("7.5"): + raise unittest.SkipTest("ADD-PATH not supported by OpenBGPD < 7.5") # AS3 has prepend_rs_as, so all the prefixes received from the rs # have AS_PATH "999 x" diff --git a/tests/live_tests/scenarios/global/configs/BasicScenario_OpenBGPDIPv4/openbgpd75p.conf b/tests/live_tests/scenarios/global/configs/BasicScenario_OpenBGPDIPv4/openbgpd75p.conf new file mode 100644 index 00000000..83e740d6 --- /dev/null +++ b/tests/live_tests/scenarios/global/configs/BasicScenario_OpenBGPDIPv4/openbgpd75p.conf 
@@ -0,0 +1,10262 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + +# AS222, used by client AS222_1, client AS222_2 +# no origin ASNs found for AS222 +# no prefixes found for AS222 + +# AS2, used by client AS2_1, client AS2_2 +# no origin ASNs found for AS2 +# no prefixes found for AS2 + +# AS-AS1, AS-AS1_CUSTOMERS, used by client AS1_1, client AS1_2, client AS1_3, client AS1_4 +as-set "AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns" { + 1 101 103 104 +} +prefix-set "AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes" { + 1.0.0.0/8 prefixlen 8 - 32 + 128.0.0.0/7 prefixlen 7 - 32 + 101.0.0.0/16 prefixlen 16 - 32 + 103.0.0.0/16 prefixlen 16 - 32 +} + +# AS-AS2, AS-AS2_CUSTOMERS, used by client AS2_1, client AS2_2 +as-set "AS_SET_AS_AS2_AS_AS2_CUSTOMERS_asns" { + 2 101 103 +} +prefix-set "AS_SET_AS_AS2_AS_AS2_CUSTOMERS_prefixes" { + 2.0.0.0/16 prefixlen 16 - 32 + 101.0.0.0/16 prefixlen 16 - 32 + 103.0.0.0/16 prefixlen 16 - 32 +} + +# WHITE_LIST_AS1_2, used by client AS1_2 white list +as-set "AS_SET_WHITE_LIST_AS1_2_asns" { + 1011 +} +prefix-set "AS_SET_WHITE_LIST_AS1_2_prefixes" { + 11.1.0.0/16 prefixlen 16 - 32 + 2a11:1::/32 prefixlen 32 - 128 +} + +# AS-AS222, used by client AS222_1, client AS222_2 +as-set "AS_SET_AS_AS222_asns" { + 333 +} +prefix-set "AS_SET_AS_AS222_prefixes" { 
+ 222.0.0.0/8 prefixlen 8 - 32 +} + +# AS1, used by client AS1_1, client AS1_2, client AS1_3, client AS1_4 +# no origin ASNs found for AS1 +# no prefixes found for AS1 + +# WHITE_LIST_AS1_1, used by client AS1_1 white list +as-set "AS_SET_WHITE_LIST_AS1_1_asns" { + 1011 +} +prefix-set "AS_SET_WHITE_LIST_AS1_1_prefixes" { + 11.1.0.0/16 prefixlen 16 - 32 + 2a11:1::/32 prefixlen 32 - 128 +} + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + # RTT: 0.1 ms (normalized value: 1) + neighbor 192.0.2.11 { + remote-as 1 + + rde evaluate all + + descr "AS1_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::11 { + remote-as 1 + + rde evaluate all + + descr "AS1_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + # RTT: 5 ms (normalized value: 5) + neighbor 192.0.2.12 { + remote-as 1 + + rde evaluate all + + descr "AS1_2 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::12 { + remote-as 1 + + rde evaluate all + + descr "AS1_2 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.222 { + remote-as 222 + + rde evaluate all + + descr "AS222_1 client" + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::222 { + remote-as 222 + + rde evaluate all + + descr "AS222_1 client" + ttl-security no + 
transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + # RTT: 17.3 ms (normalized value: 17) + neighbor 192.0.2.21 { + remote-as 2 + + rde evaluate all + + descr "AS2_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::21 { + remote-as 2 + + rde evaluate all + + descr "AS2_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + # RTT: 123.8 ms (normalized value: 124) + neighbor 192.0.2.31 { + remote-as 3 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default + + descr "AS3_1 client" + ttl-security no + transparent-as no + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::31 { + remote-as 3 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. 
+ rde evaluate default + + descr "AS3_1 client" + ttl-security no + transparent-as no + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + announce add-path send best plus 5 + + set nexthop no-modify + } + + # RTT: 600 ms (normalized value: 600) + neighbor 192.0.2.41 { + remote-as 4 + + rde evaluate all + + descr "AS4_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::41 { + remote-as 4 + + rde evaluate all + + descr "AS4_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } +} + +include "/etc/bgpd/post-clients.local" + + + +# --------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. 
+ + + + +prefix-set "global_black_list_pref" { + 192.0.2.0/24 prefixlen 24 - 32 + 2001:db8::/32 prefixlen 32 - 128 + +} + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + +# never via route-servers ASNs +as-set "neverviarouteserver" { + 666, 777 +} + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. +# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. 
+ + + +# Scrub communities from inbound routes +# origin_not_present_in_as_set +match from group clients set community delete 65530:0 +match from group clients set large-community delete 999:65530:0 + +# origin_present_in_as_set +match from group clients set community delete 65530:1 +match from group clients set large-community delete 999:65530:1 + +# prefix_validated_via_arin_whois_db_dump +match from group clients set community delete 65530:3 +match from group clients set large-community delete 999:65530:3 + +# prefix_validated_via_rpki_roas +match from group clients set community delete 65530:2 +match from group clients set large-community delete 999:65530:2 + +# reject_cause +match from group clients set community delete 65520:* + +# reject_cause_map_6 +match from group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match from group clients set ext-community delete rt 65520:* + +# rpki_bgp_origin_validation_not_performed +match from group clients set community delete 65530:4 +match from group clients set large-community delete 999:65530:4 + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which 
are used later by the rest of the filter rules. + +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + +# --------------------------------------------------------- +# ROAs source + + +roa-set { + 101.3.0.0/16 maxlen 24 source-as 105 expires 4102444799 + 101.2.0.0/17 source-as 101 expires 4102444799 + 101.2.128.0/17 maxlen 24 source-as 101 expires 4102444799 + 101.0.128.0/20 maxlen 23 source-as 101 expires 4102444799 + 101.0.8.0/24 source-as 101 expires 4102444799 + 101.0.9.0/24 source-as 102 expires 4102444799 + 222.1.1.0/24 source-as 333 expires 4102444799 + 3101:3::/32 maxlen 48 source-as 105 expires 4102444799 + 3101:0:8000::/33 maxlen 34 source-as 101 expires 4102444799 + 3101:2:8000::/33 maxlen 48 source-as 101 expires 4102444799 + 3101:2::/33 source-as 101 expires 4102444799 + 3101:0:8::/48 source-as 101 expires 4102444799 + 3101:0:9::/48 source-as 102 expires 4102444799 + 3222:0:1::/48 source-as 333 expires 4102444799 + +} + + + +# --------------------------------------------------------- +# RPKI-based Origin Validation + + +# Add $INTCOMM_RPKI_UNKNOWN, $INTCOMM_RPKI_INVALID and $INTCOMM_RPKI_VALID +# ext community on the basis of ovs. +match from group clients ovs not-found set { + ext-community $INTCOMM_RPKI_UNKNOWN + ext-community ovs not-found + +} +match from group clients ovs valid set { + ext-community $INTCOMM_RPKI_VALID + ext-community ovs valid + +} +match from group clients ovs invalid set { + ext-community $INTCOMM_RPKI_INVALID + ext-community ovs invalid + +} + + + +# --------------------------------------------------------- +# RPKI ROAs used as route objects. 
+ +# Add the $INTCOMM_PREF_OK_ROA ext community to routes whose +# origin ASN has a ROA for the announced prefix. +# It will be used later during IRRDB validation in +# case the origin ASN is authorized by a client's +# AS-SET but the prefix is not. + +# Since RPKI-based Origin Validation is already performed above, +# use the origin validation state to identify valid routes. +match from group clients ovs valid set ext-community $INTCOMM_PREF_OK_ROA + + +# ARIN Whois records used for preifx validation +# --------------------------------------------- + +# Add the $INTCOMM_PREF_OK_ARINDB ext community to routes whose +# origin ASN has an ARIN Whois record for the announced prefix. +# It will be used later during IRRDB validation in +# case the origin ASN is authorized by a client's +# AS-SET but the prefix is not. +origin-set "ARINDB" { +104.0.0.0/23 prefixlen 23 - 32 source-as 104 +3104::/32 prefixlen 32 - 128 source-as 104 +} +match from group clients origin-set ARINDB set ext-community $INTCOMM_PREF_OK_ARINDB + +# NIC.BR Whois records used for preifx validation +# ----------------------------------------------- + +# Add the $INTCOMM_PREF_OK_REGISTROBRDB ext community to routes whose +# origin ASN has a NIC.BR Whois record for the announced prefix. +# It will be used later during IRRDB validation in +# case the origin ASN is authorized by a client's +# AS-SET but the prefix is not. +origin-set "REGISTROBRDB" { +104.1.1.0/24 prefixlen 24 - 32 source-as 104 +3104:1:1::/48 prefixlen 48 - 128 source-as 104 +} +match from group clients origin-set REGISTROBRDB set ext-community $INTCOMM_PREF_OK_REGISTROBRDB + + + +# Set the 'rejected_route_announced_by' community for all the clients. 
+# It will be removed later if the route is not invalid +match from 192.0.2.11 set ext-community rt 65520:1 + +match from 2001:db8:1:1::11 set ext-community rt 65520:1 + +match from 192.0.2.12 set ext-community rt 65520:1 + +match from 2001:db8:1:1::12 set ext-community rt 65520:1 + +match from 192.0.2.222 set ext-community rt 65520:222 + +match from 2001:db8:1:1::222 set ext-community rt 65520:222 + +match from 192.0.2.21 set ext-community rt 65520:2 + +match from 2001:db8:1:1::21 set ext-community rt 65520:2 + +match from 192.0.2.31 set ext-community rt 65520:3 + +match from 2001:db8:1:1::31 set ext-community rt 65520:3 + +match from 192.0.2.41 set ext-community rt 65520:4 + +match from 2001:db8:1:1::41 set ext-community rt 65520:4 + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 6' - reject code: 1 +allow quick from group clients max-as-len 6 set { + localpref 1 + community 65520:0 + community 65520:1 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: global blacklist +# Reject inbound routes when 'from group clients prefix-set global_black_list_pref' - reject code: 3 +allow quick from group clients prefix-set global_black_list_pref set { + localpref 1 + community 65520:0 + community 65520:3 + community delete NO_ADVERTISE + ext-community delete 
$INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +allow quick from group clients community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:10 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +allow quick from group clients prefix-set bogons set { + localpref 1 + community 65520:0 + community 65520:2 + 
community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# ===================================================================================== +# Per client rules. + + +# --------------------------------------------- +# client AS1_1, inbound + + + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject 
inbound routes when 'from 192.0.2.11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +allow quick from 192.0.2.11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.11 AS 64496 - 131071 set { + 
localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.11 AS { 3, 174 }' - reject code: 8 +allow quick from 192.0.2.11 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete 
$INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.11 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.11 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 192.0.2.11 prefix 11.3.0.0/16 source-as 1011 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.11 prefix 11.4.0.0/16 prefixlen 16 - 32 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.11 prefix 2a11:3::/32 source-as 1011 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.11 prefix 2a11:4::/32 prefixlen 32 - 128 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 192.0.2.11 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_1, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.11 source-as as-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS1_AS_AS1_CUSTOMERS +# AS-SET AS1 referenced but empty. +match from 192.0.2.11 source-as as-set AS_SET_WHITE_LIST_AS1_1_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS1_1 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_1, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.11 prefix-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS1_AS_AS1_CUSTOMERS +# AS-SET AS1 referenced but empty. 
+match from 192.0.2.11 prefix-set AS_SET_WHITE_LIST_AS1_1_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS1_1 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_REGISTROBRDB community have the prefix validated by a NICBR Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_REGISTROBRDB set ext-community delete $INTCOMM_IRR_REJECT + +# route authorized by a client's white list? 
+match from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + 
ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? +match from 192.0.2.11 set ext-community delete rt 65520:1 + + +# Remove internal communities before accepting the route +match from 192.0.2.11 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.11 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.11 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community 
delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.11 community BLACKHOLE set community 65530:4 +match from 192.0.2.11 community BLACKHOLE set large-community 999:65530:4 + +match from 192.0.2.11 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.11 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.11 community BLACKHOLE +allow quick from 192.0.2.11 community 65534:0 +allow quick from 192.0.2.11 large-community 65534:0:0 + + +match from 192.0.2.11 set ext-community rt 65520:1 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.11 
prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.11 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.11 set ext-community delete rt 65520:1 + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS1_1, outbound + +deny quick to 192.0.2.11 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 192.0.2.11 community 65534:0 set community BLACKHOLE +match to 192.0.2.11 large-community 65534:0:0 set community BLACKHOLE + +match to 192.0.2.11 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.11 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.11 community 65507:999 set community NO_EXPORT +match to 192.0.2.11 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.11 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.11 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.11 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.11 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.11 community 65509:1 set community NO_EXPORT +match to 192.0.2.11 ext-community rt 65509:1 set community NO_EXPORT +match to 192.0.2.11 large-community 999:65509:1 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.11 community 65510:1 set community NO_ADVERTISE +match to 192.0.2.11 ext-community rt 65510:1 set community NO_ADVERTISE +match to 192.0.2.11 large-community 999:65510:1 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.11 + +# do_not_announce_to_any +deny to 192.0.2.11 community 0:999 +deny to 192.0.2.11 ext-community rt 0:999 +deny to 192.0.2.11 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.11 community 0:1 +deny quick to 192.0.2.11 ext-community rt 0:1 +deny quick to 192.0.2.11 large-community 999:0:1 + +# do_not_announce_to_peers_with_rtt_lower_than 5 ms +deny to 192.0.2.11 community 64530:5 +deny to 192.0.2.11 ext-community rt 64530:5 +deny to 192.0.2.11 large-community 
999:64530:5 + + +# do_not_announce_to_peers_with_rtt_lower_than 10 ms +deny to 192.0.2.11 community 64530:10 +deny to 192.0.2.11 ext-community rt 64530:10 +deny to 192.0.2.11 large-community 999:64530:10 + + +# do_not_announce_to_peers_with_rtt_lower_than 15 ms +deny to 192.0.2.11 community 64530:15 +deny to 192.0.2.11 ext-community rt 64530:15 +deny to 192.0.2.11 large-community 999:64530:15 + + +# do_not_announce_to_peers_with_rtt_lower_than 20 ms +deny to 192.0.2.11 community 64530:20 +deny to 192.0.2.11 ext-community rt 64530:20 +deny to 192.0.2.11 large-community 999:64530:20 + + +# do_not_announce_to_peers_with_rtt_lower_than 30 ms +deny to 192.0.2.11 community 64530:30 +deny to 192.0.2.11 ext-community rt 64530:30 +deny to 192.0.2.11 large-community 999:64530:30 + + +# do_not_announce_to_peers_with_rtt_lower_than 50 ms +deny to 192.0.2.11 community 64530:50 +deny to 192.0.2.11 ext-community rt 64530:50 +deny to 192.0.2.11 large-community 999:64530:50 + + +# do_not_announce_to_peers_with_rtt_lower_than 100 ms +deny to 192.0.2.11 community 64530:100 +deny to 192.0.2.11 ext-community rt 64530:100 +deny to 192.0.2.11 large-community 999:64530:100 + + +# do_not_announce_to_peers_with_rtt_lower_than 200 ms +deny to 192.0.2.11 community 64530:200 +deny to 192.0.2.11 ext-community rt 64530:200 +deny to 192.0.2.11 large-community 999:64530:200 + + +# do_not_announce_to_peers_with_rtt_lower_than 500 ms +deny to 192.0.2.11 community 64530:500 +deny to 192.0.2.11 ext-community rt 64530:500 +deny to 192.0.2.11 large-community 999:64530:500 + + +# announce_to_peers_with_rtt_lower_than 5 ms +allow to 192.0.2.11 community 64532:5 +allow to 192.0.2.11 ext-community rt 64532:5 +allow to 192.0.2.11 large-community 999:64532:5 + + +# announce_to_peers_with_rtt_lower_than 10 ms +allow to 192.0.2.11 community 64532:10 +allow to 192.0.2.11 ext-community rt 64532:10 +allow to 192.0.2.11 large-community 999:64532:10 + + +# announce_to_peers_with_rtt_lower_than 15 ms +allow to 
192.0.2.11 community 64532:15 +allow to 192.0.2.11 ext-community rt 64532:15 +allow to 192.0.2.11 large-community 999:64532:15 + + +# announce_to_peers_with_rtt_lower_than 20 ms +allow to 192.0.2.11 community 64532:20 +allow to 192.0.2.11 ext-community rt 64532:20 +allow to 192.0.2.11 large-community 999:64532:20 + + +# announce_to_peers_with_rtt_lower_than 30 ms +allow to 192.0.2.11 community 64532:30 +allow to 192.0.2.11 ext-community rt 64532:30 +allow to 192.0.2.11 large-community 999:64532:30 + + +# announce_to_peers_with_rtt_lower_than 50 ms +allow to 192.0.2.11 community 64532:50 +allow to 192.0.2.11 ext-community rt 64532:50 +allow to 192.0.2.11 large-community 999:64532:50 + + +# announce_to_peers_with_rtt_lower_than 100 ms +allow to 192.0.2.11 community 64532:100 +allow to 192.0.2.11 ext-community rt 64532:100 +allow to 192.0.2.11 large-community 999:64532:100 + + +# announce_to_peers_with_rtt_lower_than 200 ms +allow to 192.0.2.11 community 64532:200 +allow to 192.0.2.11 ext-community rt 64532:200 +allow to 192.0.2.11 large-community 999:64532:200 + + +# announce_to_peers_with_rtt_lower_than 500 ms +allow to 192.0.2.11 community 64532:500 +allow to 192.0.2.11 ext-community rt 64532:500 +allow to 192.0.2.11 large-community 999:64532:500 + + +# announce_to_peer +allow to 192.0.2.11 community 65501:1 +allow to 192.0.2.11 ext-community rt 65501:1 +allow to 192.0.2.11 large-community 999:65501:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_lower_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 
10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 15 ms; remove 
INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS 
to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending 
actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 
ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS community 64534:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS community 64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS community 64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 
65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS1_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::11 set community NO_ADVERTISE +match from 2001:db8:1:1::11 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +# Reject inbound routes when 
'from 2001:db8:1:1::11 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 23456' - reject code: 7 
+allow quick from 2001:db8:1:1::11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community 
delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS { 3, 174 }' - reject code: 8 +allow quick from 2001:db8:1:1::11 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 2001:db8:1:1::11 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + 
ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. +match from 2001:db8:1:1::11 prefix 11.3.0.0/16 source-as 1011 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::11 prefix 11.4.0.0/16 prefixlen 16 - 32 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::11 prefix 2a11:3::/32 source-as 1011 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::11 prefix 2a11:4::/32 prefixlen 32 - 128 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 2001:db8:1:1::11 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_2, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::11 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::11 source-as as-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS1_AS_AS1_CUSTOMERS +match from 2001:db8:1:1::11 source-as as-set AS_SET_WHITE_LIST_AS1_2_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK 
+} # WHITE_LIST_AS1_2 +# AS-SET AS1 referenced but empty. + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_2, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::11 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::11 prefix-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS1_AS_AS1_CUSTOMERS +match from 2001:db8:1:1::11 prefix-set AS_SET_WHITE_LIST_AS1_2_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS1_2 +# AS-SET AS1 referenced but empty. + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_REGISTROBRDB community have the prefix validated by a NICBR Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_REGISTROBRDB set ext-community delete $INTCOMM_IRR_REJECT + +# route authorized by a client's white list? 
+match from 2001:db8:1:1::11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db8:1:1::11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community 
delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? +match from 2001:db8:1:1::11 set ext-community delete rt 65520:1 + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::11 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::11 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + 
ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 2001:db8:1:1::11 community BLACKHOLE set community 65530:4 +match from 2001:db8:1:1::11 community BLACKHOLE set large-community 999:65530:4 + +match from 2001:db8:1:1::11 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 2001:db8:1:1::11 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 2001:db8:1:1::11 community BLACKHOLE +allow quick from 2001:db8:1:1::11 community 65534:0 +allow quick from 2001:db8:1:1::11 large-community 65534:0:0 + + +match from 2001:db8:1:1::11 set ext-community rt 65520:1 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 2001:db8:1:1::11 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 2001:db8:1:1::11 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject 
inbound routes when 'from 2001:db8:1:1::11 prefix ::/0 prefixlen 17 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::11 prefix ::/0 prefixlen 17 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 2001:db8:1:1::11 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::11 set ext-community delete rt 65520:1 + + + +allow quick from 2001:db8:1:1::11 + + + +# --------------------------------------------- +# client AS1_2, outbound + +deny quick to 2001:db8:1:1::11 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 2001:db8:1:1::11 community 65534:0 set community BLACKHOLE +match to 2001:db8:1:1::11 large-community 65534:0:0 set community BLACKHOLE + +match to 2001:db8:1:1::11 community BLACKHOLE set community NO_EXPORT +match to 2001:db8:1:1::11 community BLACKHOLE set nexthop 2001:db8:1:1::66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::11 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 2001:db8:1:1::11 community 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::11 ext-community rt 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::11 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 2001:db8:1:1::11 community 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::11 ext-community rt 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::11 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 2001:db8:1:1::11 community 65509:1 set community NO_EXPORT +match to 2001:db8:1:1::11 ext-community rt 65509:1 set community NO_EXPORT +match to 2001:db8:1:1::11 large-community 999:65509:1 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 2001:db8:1:1::11 community 65510:1 set community NO_ADVERTISE +match to 2001:db8:1:1::11 ext-community rt 65510:1 set community NO_ADVERTISE +match to 2001:db8:1:1::11 large-community 999:65510:1 set community NO_ADVERTISE + + +# BGP control communities +allow to 2001:db8:1:1::11 + +# do_not_announce_to_any +deny to 2001:db8:1:1::11 community 0:999 +deny to 2001:db8:1:1::11 ext-community rt 0:999 +deny to 2001:db8:1:1::11 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::11 community 0:1 +deny quick to 2001:db8:1:1::11 ext-community rt 0:1 +deny quick to 2001:db8:1:1::11 large-community 999:0:1 + +# announce_to_peer +allow to 
2001:db8:1:1::11 community 65501:1 +allow to 2001:db8:1:1::11 ext-community rt 65501:1 +allow to 2001:db8:1:1::11 large-community 999:65501:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:1 set { + prepend-neighbor 3 + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS1_3, inbound + + + +# NEXT_HOP +match from 192.0.2.12 set community NO_ADVERTISE +match from 192.0.2.12 nexthop 192.0.2.11 set community delete NO_ADVERTISE +match from 192.0.2.12 nexthop 192.0.2.12 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.12 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.12 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.12 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.12 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete 
$INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.12 AS 23456' - reject code: 7 +allow quick from 192.0.2.12 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.12 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.12 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete 
$INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.12 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.12 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.12 AS { 3, 174 }' - reject code: 8 +allow quick from 192.0.2.12 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + 
ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.12 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.12 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +match from 192.0.2.12 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_3, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.12 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.12 source-as as-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS1_AS_AS1_CUSTOMERS +# AS-SET AS1 referenced but empty. 
+ + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_3, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.12 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.12 prefix-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS1_AS_AS1_CUSTOMERS +# AS-SET AS1 referenced but empty. + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.12 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.12 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_REGISTROBRDB community have the prefix validated by a NICBR Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.12 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_REGISTROBRDB set ext-community delete $INTCOMM_IRR_REJECT + + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + 
ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? 
+match from 192.0.2.12 set ext-community delete rt 65520:1 + + +# Remove internal communities before accepting the route +match from 192.0.2.12 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.12 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.12 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.12 community BLACKHOLE set community 65530:4 +match from 192.0.2.12 community BLACKHOLE set large-community 999:65530:4 + +match from 192.0.2.12 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.12 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.12 community BLACKHOLE +allow quick from 192.0.2.12 community 65534:0 +allow quick from 192.0.2.12 large-community 65534:0:0 + + +match from 192.0.2.12 set ext-community rt 65520:1 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.12 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.12 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.12 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.12 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete 
$INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.12 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 192.0.2.12 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.12 set ext-community delete rt 65520:1 + + + +allow quick from 192.0.2.12 + + + +# --------------------------------------------- +# client AS1_3, outbound + +deny quick to 192.0.2.12 community 65520:0 + + + +# Blackhole request? 
+# Client not enabled to receive blackhole routes +deny quick to 192.0.2.12 community BLACKHOLE +deny quick to 192.0.2.12 community 65534:0 +deny quick to 192.0.2.12 large-community 65534:0:0 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.12 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.12 community 65507:999 set community NO_EXPORT +match to 192.0.2.12 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.12 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.12 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.12 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.12 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.12 community 65509:1 set community NO_EXPORT +match to 192.0.2.12 ext-community rt 65509:1 set community NO_EXPORT +match to 192.0.2.12 large-community 999:65509:1 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.12 community 65510:1 set community NO_ADVERTISE +match to 192.0.2.12 ext-community rt 65510:1 set community NO_ADVERTISE +match to 192.0.2.12 large-community 999:65510:1 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.12 + +# do_not_announce_to_any +deny to 192.0.2.12 community 0:999 +deny to 192.0.2.12 ext-community rt 0:999 +deny to 192.0.2.12 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.12 community 0:1 +deny quick to 192.0.2.12 ext-community rt 0:1 +deny quick to 192.0.2.12 large-community 999:0:1 + +# do_not_announce_to_peers_with_rtt_lower_than 5 ms +deny to 192.0.2.12 community 64530:5 +deny to 192.0.2.12 ext-community rt 64530:5 +deny to 192.0.2.12 large-community 999:64530:5 + + +# do_not_announce_to_peers_with_rtt_lower_than 10 ms +deny to 192.0.2.12 community 64530:10 +deny to 
192.0.2.12 ext-community rt 64530:10 +deny to 192.0.2.12 large-community 999:64530:10 + + +# do_not_announce_to_peers_with_rtt_lower_than 15 ms +deny to 192.0.2.12 community 64530:15 +deny to 192.0.2.12 ext-community rt 64530:15 +deny to 192.0.2.12 large-community 999:64530:15 + + +# do_not_announce_to_peers_with_rtt_lower_than 20 ms +deny to 192.0.2.12 community 64530:20 +deny to 192.0.2.12 ext-community rt 64530:20 +deny to 192.0.2.12 large-community 999:64530:20 + + +# do_not_announce_to_peers_with_rtt_lower_than 30 ms +deny to 192.0.2.12 community 64530:30 +deny to 192.0.2.12 ext-community rt 64530:30 +deny to 192.0.2.12 large-community 999:64530:30 + + +# do_not_announce_to_peers_with_rtt_lower_than 50 ms +deny to 192.0.2.12 community 64530:50 +deny to 192.0.2.12 ext-community rt 64530:50 +deny to 192.0.2.12 large-community 999:64530:50 + + +# do_not_announce_to_peers_with_rtt_lower_than 100 ms +deny to 192.0.2.12 community 64530:100 +deny to 192.0.2.12 ext-community rt 64530:100 +deny to 192.0.2.12 large-community 999:64530:100 + + +# do_not_announce_to_peers_with_rtt_lower_than 200 ms +deny to 192.0.2.12 community 64530:200 +deny to 192.0.2.12 ext-community rt 64530:200 +deny to 192.0.2.12 large-community 999:64530:200 + + +# do_not_announce_to_peers_with_rtt_lower_than 500 ms +deny to 192.0.2.12 community 64530:500 +deny to 192.0.2.12 ext-community rt 64530:500 +deny to 192.0.2.12 large-community 999:64530:500 + + +# announce_to_peers_with_rtt_lower_than 5 ms +allow to 192.0.2.12 community 64532:5 +allow to 192.0.2.12 ext-community rt 64532:5 +allow to 192.0.2.12 large-community 999:64532:5 + + +# announce_to_peers_with_rtt_lower_than 10 ms +allow to 192.0.2.12 community 64532:10 +allow to 192.0.2.12 ext-community rt 64532:10 +allow to 192.0.2.12 large-community 999:64532:10 + + +# announce_to_peers_with_rtt_lower_than 15 ms +allow to 192.0.2.12 community 64532:15 +allow to 192.0.2.12 ext-community rt 64532:15 +allow to 192.0.2.12 large-community 
999:64532:15 + + +# announce_to_peers_with_rtt_lower_than 20 ms +allow to 192.0.2.12 community 64532:20 +allow to 192.0.2.12 ext-community rt 64532:20 +allow to 192.0.2.12 large-community 999:64532:20 + + +# announce_to_peers_with_rtt_lower_than 30 ms +allow to 192.0.2.12 community 64532:30 +allow to 192.0.2.12 ext-community rt 64532:30 +allow to 192.0.2.12 large-community 999:64532:30 + + +# announce_to_peers_with_rtt_lower_than 50 ms +allow to 192.0.2.12 community 64532:50 +allow to 192.0.2.12 ext-community rt 64532:50 +allow to 192.0.2.12 large-community 999:64532:50 + + +# announce_to_peers_with_rtt_lower_than 100 ms +allow to 192.0.2.12 community 64532:100 +allow to 192.0.2.12 ext-community rt 64532:100 +allow to 192.0.2.12 large-community 999:64532:100 + + +# announce_to_peers_with_rtt_lower_than 200 ms +allow to 192.0.2.12 community 64532:200 +allow to 192.0.2.12 ext-community rt 64532:200 +allow to 192.0.2.12 large-community 999:64532:200 + + +# announce_to_peers_with_rtt_lower_than 500 ms +allow to 192.0.2.12 community 64532:500 +allow to 192.0.2.12 ext-community rt 64532:500 +allow to 192.0.2.12 large-community 999:64532:500 + + +# announce_to_peer +allow to 192.0.2.12 community 65501:1 +allow to 192.0.2.12 ext-community rt 65501:1 +allow to 192.0.2.12 large-community 999:65501:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.12 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_lower_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 
10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 15 ms; remove 
INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS 
to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending 
actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 
ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS community 64534:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS community 64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS community 64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 
65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS1_4, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::12 set community NO_ADVERTISE +match from 2001:db8:1:1::12 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +match from 2001:db8:1:1::12 
nexthop 2001:db8:1:1::12 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::12 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::12 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::12 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::12 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: 
invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::12 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::12 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::12 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::12 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::12 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::12 AS 4200000000 - 4294967295 set { + 
localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 2001:db8:1:1::12 AS { 3, 174 }' - reject code: 8 +allow quick from 2001:db8:1:1::12 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 2001:db8:1:1::12 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 2001:db8:1:1::12 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete 
NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +match from 2001:db8:1:1::12 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_4, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::12 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::12 source-as as-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS1_AS_AS1_CUSTOMERS +# AS-SET AS1 referenced but empty. + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_4, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::12 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::12 prefix-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS1_AS_AS1_CUSTOMERS +# AS-SET AS1 referenced but empty. 
+ + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::12 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::12 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_REGISTROBRDB community have the prefix validated by a NICBR Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::12 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_REGISTROBRDB set ext-community delete $INTCOMM_IRR_REJECT + + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound 
routes when 'from 2001:db8:1:1::12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? 
+match from 2001:db8:1:1::12 set ext-community delete rt 65520:1 + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::12 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::12 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::12 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 2001:db8:1:1::12 community BLACKHOLE set community 65530:4 +match from 2001:db8:1:1::12 community BLACKHOLE set large-community 999:65530:4 + +match from 2001:db8:1:1::12 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 2001:db8:1:1::12 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 2001:db8:1:1::12 community BLACKHOLE +allow quick from 2001:db8:1:1::12 community 65534:0 +allow quick from 2001:db8:1:1::12 large-community 65534:0:0 + + +match from 2001:db8:1:1::12 set ext-community rt 65520:1 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 2001:db8:1:1::12 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 2001:db8:1:1::12 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::12 prefix ::/0 prefixlen 17 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::12 prefix ::/0 prefixlen 17 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete 
NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 2001:db8:1:1::12 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::12 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::12 set ext-community delete rt 65520:1 + + + +allow quick from 2001:db8:1:1::12 + + + +# --------------------------------------------- +# client AS1_4, outbound + +deny quick to 2001:db8:1:1::12 community 65520:0 + + + +# Blackhole request? 
+# Client not enabled to receive blackhole routes +deny quick to 2001:db8:1:1::12 community BLACKHOLE +deny quick to 2001:db8:1:1::12 community 65534:0 +deny quick to 2001:db8:1:1::12 large-community 65534:0:0 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::12 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 2001:db8:1:1::12 community 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::12 ext-community rt 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::12 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 2001:db8:1:1::12 community 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::12 ext-community rt 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::12 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 2001:db8:1:1::12 community 65509:1 set community NO_EXPORT +match to 2001:db8:1:1::12 ext-community rt 65509:1 set community NO_EXPORT +match to 2001:db8:1:1::12 large-community 999:65509:1 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 2001:db8:1:1::12 community 65510:1 set community NO_ADVERTISE +match to 2001:db8:1:1::12 ext-community rt 65510:1 set community NO_ADVERTISE +match to 2001:db8:1:1::12 large-community 999:65510:1 set community NO_ADVERTISE + + +# BGP control communities +allow to 2001:db8:1:1::12 + +# do_not_announce_to_any +deny to 2001:db8:1:1::12 community 0:999 +deny to 2001:db8:1:1::12 ext-community rt 0:999 +deny to 2001:db8:1:1::12 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::12 community 0:1 +deny quick to 2001:db8:1:1::12 ext-community rt 0:1 +deny quick to 2001:db8:1:1::12 large-community 999:0:1 + +# announce_to_peer +allow to 2001:db8:1:1::12 community 65501:1 +allow to 2001:db8:1:1::12 ext-community rt 65501:1 +allow to 2001:db8:1:1::12 
large-community 999:65501:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::12 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community 
rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS222_1, inbound + + + +# NEXT_HOP +match from 192.0.2.222 set community NO_ADVERTISE +match from 192.0.2.222 nexthop 192.0.2.222 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.222 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.222 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.222 peer-as != 222' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.222 peer-as != 222 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete 
$INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.222 AS 23456' - reject code: 7 +allow quick from 192.0.2.222 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.222 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.222 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete 
$INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.222 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.222 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.222 AS { 3, 174 }' - reject code: 8 +allow quick from 192.0.2.222 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.222 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.222 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. +match from 192.0.2.222 prefix 222.1.1.0/24 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.222 prefix 3222:0:1::/48 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 192.0.2.222 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS222_1, AS222: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.222 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS222 referenced but empty. 
+match from 192.0.2.222 source-as as-set AS_SET_AS_AS222_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS222 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS222_1, AS222: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.222 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS222 referenced but empty. +match from 192.0.2.222 prefix-set AS_SET_AS_AS222_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS222 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.222 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.222 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_REGISTROBRDB community have the prefix validated by a NICBR Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.222 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_REGISTROBRDB set ext-community delete $INTCOMM_IRR_REJECT + +# route authorized by a client's white list? 
+match from 192.0.2.222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? +match from 192.0.2.222 set ext-community delete rt 65520:222 + + +# Remove internal communities before accepting the route +match from 192.0.2.222 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.222 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.222 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete 
$INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.222 community BLACKHOLE set community 65530:4 +match from 192.0.2.222 community BLACKHOLE set large-community 999:65530:4 + +match from 192.0.2.222 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.222 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.222 community BLACKHOLE +allow quick from 192.0.2.222 community 65534:0 +allow quick from 192.0.2.222 large-community 65534:0:0 + + +match from 192.0.2.222 set ext-community rt 65520:222 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.222 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.222 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.222 prefix 0.0.0.0/0 prefixlen 8 >< 24' 
- reject code: 13 +allow quick from 192.0.2.222 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.222 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 192.0.2.222 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.222 set ext-community delete rt 65520:222 + + + +allow quick from 192.0.2.222 + + + +# --------------------------------------------- +# client AS222_1, outbound + +deny quick to 192.0.2.222 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 192.0.2.222 community 65534:0 set community BLACKHOLE +match to 192.0.2.222 large-community 65534:0:0 set community BLACKHOLE + +match to 192.0.2.222 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.222 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.222 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.222 community 65507:999 set community NO_EXPORT +match to 192.0.2.222 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.222 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.222 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.222 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.222 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.222 community 65509:222 set community NO_EXPORT +match to 192.0.2.222 ext-community rt 65509:222 set community NO_EXPORT +match to 192.0.2.222 large-community 999:65509:222 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.222 community 65510:222 set community NO_ADVERTISE +match to 192.0.2.222 ext-community rt 65510:222 set community NO_ADVERTISE +match to 192.0.2.222 large-community 999:65510:222 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.222 + +# do_not_announce_to_any +deny to 192.0.2.222 community 0:999 +deny to 192.0.2.222 ext-community rt 0:999 +deny to 192.0.2.222 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.222 community 0:222 +deny quick to 192.0.2.222 ext-community rt 0:222 +deny quick to 192.0.2.222 large-community 999:0:222 + +# announce_to_peer +allow to 192.0.2.222 community 65501:222 +allow to 192.0.2.222 ext-community rt 65501:222 +allow to 192.0.2.222 
large-community 999:65501:222 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.222 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS222; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:222 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:222 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:222 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS222; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:222 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:222 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:222 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS222; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:222 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 
65523:222 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:222 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS222_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::222 set community NO_ADVERTISE +match from 2001:db8:1:1::222 nexthop 2001:db8:1:1::222 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::222 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::222 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::222 peer-as != 222' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::222 peer-as != 222 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community 
delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::222 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::222 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::222 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::222 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + 
ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::222 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::222 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 2001:db8:1:1::222 AS { 3, 174 }' - reject code: 8 +allow quick from 2001:db8:1:1::222 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 2001:db8:1:1::222 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 2001:db8:1:1::222 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. +match from 2001:db8:1:1::222 prefix 222.1.1.0/24 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::222 prefix 3222:0:1::/48 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 2001:db8:1:1::222 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS222_2, AS222: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::222 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS222 referenced but empty. 
+match from 2001:db8:1:1::222 source-as as-set AS_SET_AS_AS222_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS222 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS222_2, AS222: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::222 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS222 referenced but empty. +match from 2001:db8:1:1::222 prefix-set AS_SET_AS_AS222_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS222 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::222 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::222 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_REGISTROBRDB community have the prefix validated by a NICBR Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::222 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_REGISTROBRDB set ext-community delete $INTCOMM_IRR_REJECT + +# route authorized by a client's white list? 
+match from 2001:db8:1:1::222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db8:1:1::222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + 
ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? +match from 2001:db8:1:1::222 set ext-community delete rt 65520:222 + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::222 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::222 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::222 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete 
$INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 2001:db8:1:1::222 community BLACKHOLE set community 65530:4 +match from 2001:db8:1:1::222 community BLACKHOLE set large-community 999:65530:4 + +match from 2001:db8:1:1::222 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 2001:db8:1:1::222 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 2001:db8:1:1::222 community BLACKHOLE +allow quick from 2001:db8:1:1::222 community 65534:0 +allow quick from 2001:db8:1:1::222 large-community 65534:0:0 + + +match from 2001:db8:1:1::222 set ext-community rt 65520:222 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 2001:db8:1:1::222 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 2001:db8:1:1::222 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::222 prefix ::/0 prefixlen 17 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::222 prefix ::/0 prefixlen 17 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 2001:db8:1:1::222 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::222 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::222 set ext-community delete rt 65520:222 + + + +allow quick from 2001:db8:1:1::222 + + + +# --------------------------------------------- +# client AS222_2, outbound + +deny quick to 2001:db8:1:1::222 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 2001:db8:1:1::222 community 65534:0 set community BLACKHOLE +match to 2001:db8:1:1::222 large-community 65534:0:0 set community BLACKHOLE + +match to 2001:db8:1:1::222 community BLACKHOLE set community NO_EXPORT +match to 2001:db8:1:1::222 community BLACKHOLE set nexthop 2001:db8:1:1::66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::222 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 2001:db8:1:1::222 community 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::222 ext-community rt 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::222 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 2001:db8:1:1::222 community 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::222 ext-community rt 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::222 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 2001:db8:1:1::222 community 65509:222 set community NO_EXPORT +match to 2001:db8:1:1::222 ext-community rt 65509:222 set community NO_EXPORT +match to 2001:db8:1:1::222 large-community 999:65509:222 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 2001:db8:1:1::222 community 65510:222 set community NO_ADVERTISE +match to 2001:db8:1:1::222 ext-community rt 65510:222 set community NO_ADVERTISE +match to 2001:db8:1:1::222 large-community 999:65510:222 set community NO_ADVERTISE + + +# BGP control communities +allow to 2001:db8:1:1::222 + +# do_not_announce_to_any +deny to 2001:db8:1:1::222 community 0:999 +deny to 2001:db8:1:1::222 ext-community rt 0:999 +deny to 2001:db8:1:1::222 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::222 community 0:222 +deny quick to 2001:db8:1:1::222 ext-community rt 0:222 +deny quick to 2001:db8:1:1::222 large-community 
999:0:222 + +# announce_to_peer +allow to 2001:db8:1:1::222 community 65501:222 +allow to 2001:db8:1:1::222 ext-community rt 65501:222 +allow to 2001:db8:1:1::222 large-community 999:65501:222 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::222 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS222; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:222 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:222 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:222 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS222; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:222 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:222 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:222 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS222; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::222 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS community 65523:222 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:222 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:222 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS 
community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS2_1, inbound + + + +# NEXT_HOP +match from 192.0.2.21 set community NO_ADVERTISE +match from 192.0.2.21 nexthop 192.0.2.21 set community delete NO_ADVERTISE +match from 192.0.2.21 nexthop 192.0.2.22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.21 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + 
ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.21 AS 23456' - reject code: 7 +allow quick from 192.0.2.21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB 
+ ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.21 AS { 3, 174 }' - reject code: 8 +allow quick from 192.0.2.21 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete 
$INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.21 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.21 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +match from 192.0.2.21 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS2_1, AS2: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.21 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. 
+match from 192.0.2.21 source-as as-set AS_SET_AS_AS2_AS_AS2_CUSTOMERS_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS2_AS_AS2_CUSTOMERS + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS2_1, AS2: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.21 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. +match from 192.0.2.21 prefix-set AS_SET_AS_AS2_AS_AS2_CUSTOMERS_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS2_AS_AS2_CUSTOMERS + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_REGISTROBRDB community have the prefix validated by a NICBR Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_REGISTROBRDB set ext-community delete $INTCOMM_IRR_REJECT + + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + 
ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? 
+match from 192.0.2.21 set ext-community delete rt 65520:2 + + +# Remove internal communities before accepting the route +match from 192.0.2.21 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.21 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.21 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.21 community BLACKHOLE set community 65530:4 +match from 192.0.2.21 community BLACKHOLE set large-community 999:65530:4 + +match from 192.0.2.21 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.21 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.21 community BLACKHOLE +allow quick from 192.0.2.21 community 65534:0 +allow quick from 192.0.2.21 large-community 65534:0:0 + + +match from 192.0.2.21 set ext-community rt 65520:2 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.21 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.21 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete 
$INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.21 community GRACEFUL_SHUTDOWN set community delete GRACEFUL_SHUTDOWN + +# Remove internal communities before accepting the route +match from 192.0.2.21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.21 set ext-community delete rt 65520:2 + + + +allow quick from 192.0.2.21 + + + +# --------------------------------------------- +# client AS2_1, outbound + +deny quick to 192.0.2.21 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 192.0.2.21 community 65534:0 set community BLACKHOLE +match to 192.0.2.21 large-community 65534:0:0 set community BLACKHOLE + +match to 192.0.2.21 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.21 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.21 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.21 community 65507:999 set community NO_EXPORT +match to 192.0.2.21 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.21 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.21 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.21 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.21 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.21 community 65509:2 set community NO_EXPORT +match to 192.0.2.21 ext-community rt 65509:2 set community NO_EXPORT +match to 192.0.2.21 large-community 999:65509:2 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.21 community 65510:2 set community NO_ADVERTISE +match to 192.0.2.21 ext-community rt 65510:2 set community NO_ADVERTISE +match to 192.0.2.21 large-community 999:65510:2 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.21 + +# do_not_announce_to_any +deny to 192.0.2.21 community 0:999 +deny to 192.0.2.21 ext-community rt 0:999 +deny to 192.0.2.21 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.21 community 0:2 +deny quick to 192.0.2.21 ext-community rt 0:2 +deny quick to 192.0.2.21 large-community 999:0:2 + +# do_not_announce_to_peers_with_rtt_lower_than 20 ms +deny to 192.0.2.21 community 64530:20 +deny to 192.0.2.21 ext-community rt 64530:20 +deny to 192.0.2.21 large-community 
999:64530:20 + + +# do_not_announce_to_peers_with_rtt_lower_than 30 ms +deny to 192.0.2.21 community 64530:30 +deny to 192.0.2.21 ext-community rt 64530:30 +deny to 192.0.2.21 large-community 999:64530:30 + + +# do_not_announce_to_peers_with_rtt_lower_than 50 ms +deny to 192.0.2.21 community 64530:50 +deny to 192.0.2.21 ext-community rt 64530:50 +deny to 192.0.2.21 large-community 999:64530:50 + + +# do_not_announce_to_peers_with_rtt_lower_than 100 ms +deny to 192.0.2.21 community 64530:100 +deny to 192.0.2.21 ext-community rt 64530:100 +deny to 192.0.2.21 large-community 999:64530:100 + + +# do_not_announce_to_peers_with_rtt_lower_than 200 ms +deny to 192.0.2.21 community 64530:200 +deny to 192.0.2.21 ext-community rt 64530:200 +deny to 192.0.2.21 large-community 999:64530:200 + + +# do_not_announce_to_peers_with_rtt_lower_than 500 ms +deny to 192.0.2.21 community 64530:500 +deny to 192.0.2.21 ext-community rt 64530:500 +deny to 192.0.2.21 large-community 999:64530:500 + + +# announce_to_peers_with_rtt_lower_than 20 ms +allow to 192.0.2.21 community 64532:20 +allow to 192.0.2.21 ext-community rt 64532:20 +allow to 192.0.2.21 large-community 999:64532:20 + + +# announce_to_peers_with_rtt_lower_than 30 ms +allow to 192.0.2.21 community 64532:30 +allow to 192.0.2.21 ext-community rt 64532:30 +allow to 192.0.2.21 large-community 999:64532:30 + + +# announce_to_peers_with_rtt_lower_than 50 ms +allow to 192.0.2.21 community 64532:50 +allow to 192.0.2.21 ext-community rt 64532:50 +allow to 192.0.2.21 large-community 999:64532:50 + + +# announce_to_peers_with_rtt_lower_than 100 ms +allow to 192.0.2.21 community 64532:100 +allow to 192.0.2.21 ext-community rt 64532:100 +allow to 192.0.2.21 large-community 999:64532:100 + + +# announce_to_peers_with_rtt_lower_than 200 ms +allow to 192.0.2.21 community 64532:200 +allow to 192.0.2.21 ext-community rt 64532:200 +allow to 192.0.2.21 large-community 999:64532:200 + + +# announce_to_peers_with_rtt_lower_than 500 ms +allow to 
192.0.2.21 community 64532:500 +allow to 192.0.2.21 ext-community rt 64532:500 +allow to 192.0.2.21 large-community 999:64532:500 + + +# do_not_announce_to_peers_with_rtt_higher_than 5 ms +deny to 192.0.2.21 community 64531:5 +deny to 192.0.2.21 ext-community rt 64531:5 +deny to 192.0.2.21 large-community 999:64531:5 + + +# do_not_announce_to_peers_with_rtt_higher_than 10 ms +deny to 192.0.2.21 community 64531:10 +deny to 192.0.2.21 ext-community rt 64531:10 +deny to 192.0.2.21 large-community 999:64531:10 + + +# do_not_announce_to_peers_with_rtt_higher_than 15 ms +deny to 192.0.2.21 community 64531:15 +deny to 192.0.2.21 ext-community rt 64531:15 +deny to 192.0.2.21 large-community 999:64531:15 + + +# announce_to_peers_with_rtt_higher_than 5 ms +allow to 192.0.2.21 community 64533:5 +allow to 192.0.2.21 ext-community rt 64533:5 +allow to 192.0.2.21 large-community 999:64533:5 + + +# announce_to_peers_with_rtt_higher_than 10 ms +allow to 192.0.2.21 community 64533:10 +allow to 192.0.2.21 ext-community rt 64533:10 +allow to 192.0.2.21 large-community 999:64533:10 + + +# announce_to_peers_with_rtt_higher_than 15 ms +allow to 192.0.2.21 community 64533:15 +allow to 192.0.2.21 ext-community rt 64533:15 +allow to 192.0.2.21 large-community 999:64533:15 + + +# announce_to_peer +allow to 192.0.2.21 community 65501:2 +allow to 192.0.2.21 ext-community rt 65501:2 +allow to 192.0.2.21 large-community 999:65501:2 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:2 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:2 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:2 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_lower_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_lower_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_lower_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_lower_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# 
prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS2_2, inbound + + + +# NEXT_HOP 
+match from 2001:db8:1:1::21 set community NO_ADVERTISE +match from 2001:db8:1:1::21 nexthop 2001:db8:1:1::21 set community delete NO_ADVERTISE +match from 2001:db8:1:1::21 nexthop 2001:db8:1:1::22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::21 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + 
+} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 2001:db8:1:1::21 AS { 3, 174 }' - reject code: 8 +allow quick from 2001:db8:1:1::21 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 2001:db8:1:1::21 AS as-set 
neverviarouteserver' - reject code: 15 +allow quick from 2001:db8:1:1::21 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +match from 2001:db8:1:1::21 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS2_2, AS2: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::21 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. +match from 2001:db8:1:1::21 source-as as-set AS_SET_AS_AS2_AS_AS2_CUSTOMERS_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS2_AS_AS2_CUSTOMERS + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS2_2, AS2: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::21 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. 
+match from 2001:db8:1:1::21 prefix-set AS_SET_AS_AS2_AS_AS2_CUSTOMERS_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS2_AS_AS2_CUSTOMERS + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_REGISTROBRDB community have the prefix validated by a NICBR Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_REGISTROBRDB set ext-community delete $INTCOMM_IRR_REJECT + + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID 
+ ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db8:1:1::21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? 
+match from 2001:db8:1:1::21 set ext-community delete rt 65520:2 + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::21 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::21 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::21 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 2001:db8:1:1::21 community BLACKHOLE set community 65530:4 +match from 2001:db8:1:1::21 community BLACKHOLE set large-community 999:65530:4 + +match from 2001:db8:1:1::21 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 2001:db8:1:1::21 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 2001:db8:1:1::21 community BLACKHOLE +allow quick from 2001:db8:1:1::21 community 65534:0 +allow quick from 2001:db8:1:1::21 large-community 65534:0:0 + + +match from 2001:db8:1:1::21 set ext-community rt 65520:2 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 2001:db8:1:1::21 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 2001:db8:1:1::21 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::21 prefix ::/0 prefixlen 17 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::21 prefix ::/0 prefixlen 17 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete 
NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 2001:db8:1:1::21 community GRACEFUL_SHUTDOWN set community delete GRACEFUL_SHUTDOWN + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::21 set ext-community delete rt 65520:2 + + + +allow quick from 2001:db8:1:1::21 + + + +# --------------------------------------------- +# client AS2_2, outbound + +deny quick to 2001:db8:1:1::21 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 2001:db8:1:1::21 community 65534:0 set community BLACKHOLE +match to 2001:db8:1:1::21 large-community 65534:0:0 set community BLACKHOLE + +match to 2001:db8:1:1::21 community BLACKHOLE set community NO_EXPORT +match to 2001:db8:1:1::21 community BLACKHOLE set nexthop 2001:db8:1:1::66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::21 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 2001:db8:1:1::21 community 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::21 ext-community rt 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::21 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 2001:db8:1:1::21 community 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::21 ext-community rt 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::21 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 2001:db8:1:1::21 community 65509:2 set community NO_EXPORT +match to 2001:db8:1:1::21 ext-community rt 65509:2 set community NO_EXPORT +match to 2001:db8:1:1::21 large-community 999:65509:2 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 2001:db8:1:1::21 community 65510:2 set community NO_ADVERTISE +match to 2001:db8:1:1::21 ext-community rt 65510:2 set community NO_ADVERTISE +match to 2001:db8:1:1::21 large-community 999:65510:2 set community NO_ADVERTISE + + +# BGP control communities +allow to 2001:db8:1:1::21 + +# do_not_announce_to_any +deny to 2001:db8:1:1::21 community 0:999 +deny to 2001:db8:1:1::21 ext-community rt 0:999 +deny to 2001:db8:1:1::21 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::21 community 0:2 +deny quick to 2001:db8:1:1::21 ext-community rt 0:2 +deny quick to 2001:db8:1:1::21 large-community 999:0:2 + +# announce_to_peer +allow to 
2001:db8:1:1::21 community 65501:2 +allow to 2001:db8:1:1::21 ext-community rt 65501:2 +allow to 2001:db8:1:1::21 large-community 999:65501:2 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:2 set { + prepend-neighbor 3 + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:2 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:2 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS3_1, inbound + + + +# NEXT_HOP +match from 192.0.2.31 set community NO_ADVERTISE +match from 192.0.2.31 nexthop 192.0.2.31 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.31 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.31 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.31 peer-as != 3' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.31 peer-as != 3 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community 
delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.31 AS 23456' - reject code: 7 +allow quick from 192.0.2.31 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.31 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.31 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete 
$INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.31 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.31 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.31 AS { 174 }' - reject code: 8 +allow quick from 192.0.2.31 AS { 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + 
ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.31 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.31 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +# Prefix: client's blacklist +prefix-set "client_AS3_1_black_list_pref_ipv4" { + 3.0.1.0/24 prefixlen 24 - 32 + +} +# Reject inbound routes when 'from 192.0.2.31 prefix-set client_AS3_1_black_list_pref_ipv4' - reject code: 11 +allow quick from 192.0.2.31 prefix-set client_AS3_1_black_list_pref_ipv4 set { + localpref 1 + community 65520:0 + community 65520:11 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete 
$INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Blackhole request? +match from 192.0.2.31 set ext-community delete rt 65520:3 + + +# Remove internal communities before accepting the route +match from 192.0.2.31 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.31 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.31 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete 
$INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.31 community BLACKHOLE set community 65530:4 +match from 192.0.2.31 community BLACKHOLE set large-community 999:65530:4 + +match from 192.0.2.31 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.31 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.31 community BLACKHOLE +allow quick from 192.0.2.31 community 65534:0 +allow quick from 192.0.2.31 large-community 65534:0:0 + + +match from 192.0.2.31 set ext-community rt 65520:3 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.31 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.31 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.31 prefix 
0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.31 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 192.0.2.31 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.31 set ext-community delete rt 65520:3 + + + +allow quick from 192.0.2.31 + + + +# --------------------------------------------- +# client AS3_1, outbound + +deny quick to 192.0.2.31 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 192.0.2.31 community 65534:0 set community BLACKHOLE +match to 192.0.2.31 large-community 65534:0:0 set community BLACKHOLE + +match to 192.0.2.31 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.31 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.31 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.31 community 65507:999 set community NO_EXPORT +match to 192.0.2.31 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.31 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.31 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.31 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.31 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.31 community 65509:3 set community NO_EXPORT +match to 192.0.2.31 ext-community rt 65509:3 set community NO_EXPORT +match to 192.0.2.31 large-community 999:65509:3 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.31 community 65510:3 set community NO_ADVERTISE +match to 192.0.2.31 ext-community rt 65510:3 set community NO_ADVERTISE +match to 192.0.2.31 large-community 999:65510:3 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.31 + +# do_not_announce_to_any +deny to 192.0.2.31 community 0:999 +deny to 192.0.2.31 ext-community rt 0:999 +deny to 192.0.2.31 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.31 community 0:3 +deny quick to 192.0.2.31 ext-community rt 0:3 +deny quick to 192.0.2.31 large-community 999:0:3 + +# do_not_announce_to_peers_with_rtt_lower_than 200 ms +deny to 192.0.2.31 community 64530:200 +deny to 192.0.2.31 ext-community rt 64530:200 +deny to 192.0.2.31 large-community 
999:64530:200 + + +# do_not_announce_to_peers_with_rtt_lower_than 500 ms +deny to 192.0.2.31 community 64530:500 +deny to 192.0.2.31 ext-community rt 64530:500 +deny to 192.0.2.31 large-community 999:64530:500 + + +# announce_to_peers_with_rtt_lower_than 200 ms +allow to 192.0.2.31 community 64532:200 +allow to 192.0.2.31 ext-community rt 64532:200 +allow to 192.0.2.31 large-community 999:64532:200 + + +# announce_to_peers_with_rtt_lower_than 500 ms +allow to 192.0.2.31 community 64532:500 +allow to 192.0.2.31 ext-community rt 64532:500 +allow to 192.0.2.31 large-community 999:64532:500 + + +# do_not_announce_to_peers_with_rtt_higher_than 5 ms +deny to 192.0.2.31 community 64531:5 +deny to 192.0.2.31 ext-community rt 64531:5 +deny to 192.0.2.31 large-community 999:64531:5 + + +# do_not_announce_to_peers_with_rtt_higher_than 10 ms +deny to 192.0.2.31 community 64531:10 +deny to 192.0.2.31 ext-community rt 64531:10 +deny to 192.0.2.31 large-community 999:64531:10 + + +# do_not_announce_to_peers_with_rtt_higher_than 15 ms +deny to 192.0.2.31 community 64531:15 +deny to 192.0.2.31 ext-community rt 64531:15 +deny to 192.0.2.31 large-community 999:64531:15 + + +# do_not_announce_to_peers_with_rtt_higher_than 20 ms +deny to 192.0.2.31 community 64531:20 +deny to 192.0.2.31 ext-community rt 64531:20 +deny to 192.0.2.31 large-community 999:64531:20 + + +# do_not_announce_to_peers_with_rtt_higher_than 30 ms +deny to 192.0.2.31 community 64531:30 +deny to 192.0.2.31 ext-community rt 64531:30 +deny to 192.0.2.31 large-community 999:64531:30 + + +# do_not_announce_to_peers_with_rtt_higher_than 50 ms +deny to 192.0.2.31 community 64531:50 +deny to 192.0.2.31 ext-community rt 64531:50 +deny to 192.0.2.31 large-community 999:64531:50 + + +# do_not_announce_to_peers_with_rtt_higher_than 100 ms +deny to 192.0.2.31 community 64531:100 +deny to 192.0.2.31 ext-community rt 64531:100 +deny to 192.0.2.31 large-community 999:64531:100 + + +# announce_to_peers_with_rtt_higher_than 5 ms 
+allow to 192.0.2.31 community 64533:5 +allow to 192.0.2.31 ext-community rt 64533:5 +allow to 192.0.2.31 large-community 999:64533:5 + + +# announce_to_peers_with_rtt_higher_than 10 ms +allow to 192.0.2.31 community 64533:10 +allow to 192.0.2.31 ext-community rt 64533:10 +allow to 192.0.2.31 large-community 999:64533:10 + + +# announce_to_peers_with_rtt_higher_than 15 ms +allow to 192.0.2.31 community 64533:15 +allow to 192.0.2.31 ext-community rt 64533:15 +allow to 192.0.2.31 large-community 999:64533:15 + + +# announce_to_peers_with_rtt_higher_than 20 ms +allow to 192.0.2.31 community 64533:20 +allow to 192.0.2.31 ext-community rt 64533:20 +allow to 192.0.2.31 large-community 999:64533:20 + + +# announce_to_peers_with_rtt_higher_than 30 ms +allow to 192.0.2.31 community 64533:30 +allow to 192.0.2.31 ext-community rt 64533:30 +allow to 192.0.2.31 large-community 999:64533:30 + + +# announce_to_peers_with_rtt_higher_than 50 ms +allow to 192.0.2.31 community 64533:50 +allow to 192.0.2.31 ext-community rt 64533:50 +allow to 192.0.2.31 large-community 999:64533:50 + + +# announce_to_peers_with_rtt_higher_than 100 ms +allow to 192.0.2.31 community 64533:100 +allow to 192.0.2.31 ext-community rt 64533:100 +allow to 192.0.2.31 large-community 999:64533:100 + + +# announce_to_peer +allow to 192.0.2.31 community 65501:3 +allow to 192.0.2.31 ext-community rt 65501:3 +allow to 192.0.2.31 large-community 999:65501:3 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:3 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:3 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:3 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# 
prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS3_2, inbound + + + +# NEXT_HOP 
+match from 2001:db8:1:1::31 set community NO_ADVERTISE +match from 2001:db8:1:1::31 nexthop 2001:db8:1:1::31 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::31 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::31 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::31 peer-as != 3' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::31 peer-as != 3 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 4200000000 - 
4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 2001:db8:1:1::31 AS { 174 }' - reject code: 8 +allow quick from 2001:db8:1:1::31 AS { 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 2001:db8:1:1::31 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 2001:db8:1:1::31 AS as-set 
neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +# Prefix: client's blacklist +prefix-set "client_AS3_2_black_list_pref_ipv6" { + 2a03:0:1::/48 prefixlen 48 - 128 + +} +# Reject inbound routes when 'from 2001:db8:1:1::31 prefix-set client_AS3_2_black_list_pref_ipv6' - reject code: 11 +allow quick from 2001:db8:1:1::31 prefix-set client_AS3_2_black_list_pref_ipv6 set { + localpref 1 + community 65520:0 + community 65520:11 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Blackhole request? 
+match from 2001:db8:1:1::31 set ext-community delete rt 65520:3 + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::31 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::31 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::31 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 2001:db8:1:1::31 community BLACKHOLE set community 65530:4 +match from 2001:db8:1:1::31 community BLACKHOLE set large-community 999:65530:4 + +match from 2001:db8:1:1::31 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 2001:db8:1:1::31 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 2001:db8:1:1::31 community BLACKHOLE +allow quick from 2001:db8:1:1::31 community 65534:0 +allow quick from 2001:db8:1:1::31 large-community 65534:0:0 + + +match from 2001:db8:1:1::31 set ext-community rt 65520:3 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 2001:db8:1:1::31 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 2001:db8:1:1::31 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::31 prefix ::/0 prefixlen 17 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::31 prefix ::/0 prefixlen 17 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete 
NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 2001:db8:1:1::31 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::31 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::31 set ext-community delete rt 65520:3 + + + +allow quick from 2001:db8:1:1::31 + + + +# --------------------------------------------- +# client AS3_2, outbound + +deny quick to 2001:db8:1:1::31 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 2001:db8:1:1::31 community 65534:0 set community BLACKHOLE +match to 2001:db8:1:1::31 large-community 65534:0:0 set community BLACKHOLE + +match to 2001:db8:1:1::31 community BLACKHOLE set community NO_EXPORT +match to 2001:db8:1:1::31 community BLACKHOLE set nexthop 2001:db8:1:1::66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::31 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 2001:db8:1:1::31 community 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::31 ext-community rt 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::31 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 2001:db8:1:1::31 community 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::31 ext-community rt 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::31 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 2001:db8:1:1::31 community 65509:3 set community NO_EXPORT +match to 2001:db8:1:1::31 ext-community rt 65509:3 set community NO_EXPORT +match to 2001:db8:1:1::31 large-community 999:65509:3 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 2001:db8:1:1::31 community 65510:3 set community NO_ADVERTISE +match to 2001:db8:1:1::31 ext-community rt 65510:3 set community NO_ADVERTISE +match to 2001:db8:1:1::31 large-community 999:65510:3 set community NO_ADVERTISE + + +# BGP control communities +allow to 2001:db8:1:1::31 + +# do_not_announce_to_any +deny to 2001:db8:1:1::31 community 0:999 +deny to 2001:db8:1:1::31 ext-community rt 0:999 +deny to 2001:db8:1:1::31 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::31 community 0:3 +deny quick to 2001:db8:1:1::31 ext-community rt 0:3 +deny quick to 2001:db8:1:1::31 large-community 999:0:3 + +# announce_to_peer +allow to 
2001:db8:1:1::31 community 65501:3 +allow to 2001:db8:1:1::31 ext-community rt 65501:3 +allow to 2001:db8:1:1::31 large-community 999:65501:3 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:3 set { + prepend-neighbor 3 + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:3 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:3 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS4_1, inbound + + + +# NEXT_HOP +match from 192.0.2.41 set community NO_ADVERTISE +match from 192.0.2.41 nexthop 192.0.2.41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.41 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community 
delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.41 AS 23456' - reject code: 7 +allow quick from 192.0.2.41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete 
$INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.41 AS { 3, 174 }' - reject code: 8 +allow quick from 192.0.2.41 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + 
ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.41 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.41 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + +# Blackhole request? 
+match from 192.0.2.41 set ext-community delete rt 65520:4 + + +# Remove internal communities before accepting the route +match from 192.0.2.41 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.41 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.41 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.41 community BLACKHOLE set community 65530:4 +match from 192.0.2.41 community BLACKHOLE set large-community 999:65530:4 + +match from 192.0.2.41 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.41 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.41 community BLACKHOLE +allow quick from 192.0.2.41 community 65534:0 +allow quick from 192.0.2.41 large-community 65534:0:0 + + +match from 192.0.2.41 set ext-community rt 65520:4 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.41 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.41 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete 
$INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.41 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 192.0.2.41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.41 set ext-community delete rt 65520:4 + + + +allow quick from 192.0.2.41 + + + +# --------------------------------------------- +# client AS4_1, outbound + +deny quick to 192.0.2.41 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 192.0.2.41 community 65534:0 set community BLACKHOLE +match to 192.0.2.41 large-community 65534:0:0 set community BLACKHOLE + +match to 192.0.2.41 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.41 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.41 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.41 community 65507:999 set community NO_EXPORT +match to 192.0.2.41 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.41 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.41 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.41 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.41 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.41 community 65509:4 set community NO_EXPORT +match to 192.0.2.41 ext-community rt 65509:4 set community NO_EXPORT +match to 192.0.2.41 large-community 999:65509:4 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.41 community 65510:4 set community NO_ADVERTISE +match to 192.0.2.41 ext-community rt 65510:4 set community NO_ADVERTISE +match to 192.0.2.41 large-community 999:65510:4 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.41 + +# do_not_announce_to_any +deny to 192.0.2.41 community 0:999 +deny to 192.0.2.41 ext-community rt 0:999 +deny to 192.0.2.41 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.41 community 0:4 +deny quick to 192.0.2.41 ext-community rt 0:4 +deny quick to 192.0.2.41 large-community 999:0:4 + +# do_not_announce_to_peers_with_rtt_higher_than 5 ms +deny to 192.0.2.41 community 64531:5 +deny to 192.0.2.41 ext-community rt 64531:5 +deny to 192.0.2.41 large-community 
999:64531:5 + + +# do_not_announce_to_peers_with_rtt_higher_than 10 ms +deny to 192.0.2.41 community 64531:10 +deny to 192.0.2.41 ext-community rt 64531:10 +deny to 192.0.2.41 large-community 999:64531:10 + + +# do_not_announce_to_peers_with_rtt_higher_than 15 ms +deny to 192.0.2.41 community 64531:15 +deny to 192.0.2.41 ext-community rt 64531:15 +deny to 192.0.2.41 large-community 999:64531:15 + + +# do_not_announce_to_peers_with_rtt_higher_than 20 ms +deny to 192.0.2.41 community 64531:20 +deny to 192.0.2.41 ext-community rt 64531:20 +deny to 192.0.2.41 large-community 999:64531:20 + + +# do_not_announce_to_peers_with_rtt_higher_than 30 ms +deny to 192.0.2.41 community 64531:30 +deny to 192.0.2.41 ext-community rt 64531:30 +deny to 192.0.2.41 large-community 999:64531:30 + + +# do_not_announce_to_peers_with_rtt_higher_than 50 ms +deny to 192.0.2.41 community 64531:50 +deny to 192.0.2.41 ext-community rt 64531:50 +deny to 192.0.2.41 large-community 999:64531:50 + + +# do_not_announce_to_peers_with_rtt_higher_than 100 ms +deny to 192.0.2.41 community 64531:100 +deny to 192.0.2.41 ext-community rt 64531:100 +deny to 192.0.2.41 large-community 999:64531:100 + + +# do_not_announce_to_peers_with_rtt_higher_than 200 ms +deny to 192.0.2.41 community 64531:200 +deny to 192.0.2.41 ext-community rt 64531:200 +deny to 192.0.2.41 large-community 999:64531:200 + + +# do_not_announce_to_peers_with_rtt_higher_than 500 ms +deny to 192.0.2.41 community 64531:500 +deny to 192.0.2.41 ext-community rt 64531:500 +deny to 192.0.2.41 large-community 999:64531:500 + + +# announce_to_peers_with_rtt_higher_than 5 ms +allow to 192.0.2.41 community 64533:5 +allow to 192.0.2.41 ext-community rt 64533:5 +allow to 192.0.2.41 large-community 999:64533:5 + + +# announce_to_peers_with_rtt_higher_than 10 ms +allow to 192.0.2.41 community 64533:10 +allow to 192.0.2.41 ext-community rt 64533:10 +allow to 192.0.2.41 large-community 999:64533:10 + + +# announce_to_peers_with_rtt_higher_than 15 ms 
+allow to 192.0.2.41 community 64533:15 +allow to 192.0.2.41 ext-community rt 64533:15 +allow to 192.0.2.41 large-community 999:64533:15 + + +# announce_to_peers_with_rtt_higher_than 20 ms +allow to 192.0.2.41 community 64533:20 +allow to 192.0.2.41 ext-community rt 64533:20 +allow to 192.0.2.41 large-community 999:64533:20 + + +# announce_to_peers_with_rtt_higher_than 30 ms +allow to 192.0.2.41 community 64533:30 +allow to 192.0.2.41 ext-community rt 64533:30 +allow to 192.0.2.41 large-community 999:64533:30 + + +# announce_to_peers_with_rtt_higher_than 50 ms +allow to 192.0.2.41 community 64533:50 +allow to 192.0.2.41 ext-community rt 64533:50 +allow to 192.0.2.41 large-community 999:64533:50 + + +# announce_to_peers_with_rtt_higher_than 100 ms +allow to 192.0.2.41 community 64533:100 +allow to 192.0.2.41 ext-community rt 64533:100 +allow to 192.0.2.41 large-community 999:64533:100 + + +# announce_to_peers_with_rtt_higher_than 200 ms +allow to 192.0.2.41 community 64533:200 +allow to 192.0.2.41 ext-community rt 64533:200 +allow to 192.0.2.41 large-community 999:64533:200 + + +# announce_to_peers_with_rtt_higher_than 500 ms +allow to 192.0.2.41 community 64533:500 +allow to 192.0.2.41 ext-community rt 64533:500 +allow to 192.0.2.41 large-community 999:64533:500 + + +# announce_to_peer +allow to 192.0.2.41 community 65501:4 +allow to 192.0.2.41 ext-community rt 65501:4 +allow to 192.0.2.41 large-community 999:65501:4 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:4 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:4 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:4 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:4 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:4 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:4 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove 
INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS4_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::41 
set community NO_ADVERTISE +match from 2001:db8:1:1::41 nexthop 2001:db8:1:1::41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::41 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 
2001:db8:1:1::41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 2001:db8:1:1::41 AS { 3, 174 }' - reject code: 8 +allow quick from 2001:db8:1:1::41 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 2001:db8:1:1::41 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 2001:db8:1:1::41 AS as-set neverviarouteserver set { + localpref 1 + community 
65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + +# Blackhole request? +match from 2001:db8:1:1::41 set ext-community delete rt 65520:4 + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::41 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::41 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete 
$INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::41 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 2001:db8:1:1::41 community BLACKHOLE set community 65530:4 +match from 2001:db8:1:1::41 community BLACKHOLE set large-community 999:65530:4 + +match from 2001:db8:1:1::41 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 2001:db8:1:1::41 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 2001:db8:1:1::41 community BLACKHOLE +allow quick from 2001:db8:1:1::41 community 65534:0 +allow quick from 2001:db8:1:1::41 large-community 65534:0:0 + + +match from 2001:db8:1:1::41 set ext-community rt 65520:4 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 2001:db8:1:1::41 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 2001:db8:1:1::41 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete 
$INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::41 prefix ::/0 prefixlen 17 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::41 prefix ::/0 prefixlen 17 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 2001:db8:1:1::41 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + 
ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::41 set ext-community delete rt 65520:4 + + + +allow quick from 2001:db8:1:1::41 + + + +# --------------------------------------------- +# client AS4_2, outbound + +deny quick to 2001:db8:1:1::41 community 65520:0 + + + +# Blackhole request? +# Configured policy: rewrite-next-hop +match to 2001:db8:1:1::41 community 65534:0 set community BLACKHOLE +match to 2001:db8:1:1::41 large-community 65534:0:0 set community BLACKHOLE + +match to 2001:db8:1:1::41 community BLACKHOLE set community NO_EXPORT +match to 2001:db8:1:1::41 community BLACKHOLE set nexthop 2001:db8:1:1::66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::41 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 2001:db8:1:1::41 community 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::41 ext-community rt 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::41 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 2001:db8:1:1::41 community 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::41 ext-community rt 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::41 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 2001:db8:1:1::41 community 65509:4 set community NO_EXPORT +match to 2001:db8:1:1::41 ext-community rt 65509:4 set community NO_EXPORT +match to 2001:db8:1:1::41 large-community 999:65509:4 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 2001:db8:1:1::41 community 65510:4 set community NO_ADVERTISE +match to 2001:db8:1:1::41 ext-community rt 65510:4 set community NO_ADVERTISE +match to 2001:db8:1:1::41 
large-community 999:65510:4 set community NO_ADVERTISE + + +# BGP control communities +allow to 2001:db8:1:1::41 + +# do_not_announce_to_any +deny to 2001:db8:1:1::41 community 0:999 +deny to 2001:db8:1:1::41 ext-community rt 0:999 +deny to 2001:db8:1:1::41 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::41 community 0:4 +deny quick to 2001:db8:1:1::41 ext-community rt 0:4 +deny quick to 2001:db8:1:1::41 large-community 999:0:4 + +# announce_to_peer +allow to 2001:db8:1:1::41 community 65501:4 +allow to 2001:db8:1:1::41 ext-community rt 65501:4 +allow to 2001:db8:1:1::41 large-community 999:65501:4 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:4 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:4 set { 
+ prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:4 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:4 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:4 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:4 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + + + +# Scrub communities from outbound routes +# add_noadvertise_to_any +match to group clients set community delete 65508:999 +match to group clients set ext-community delete rt 65508:999 +match to group clients set large-community delete 999:65508:999 + +# add_noadvertise_to_peer +match to group clients set community delete 65510:* +match to group clients set ext-community delete rt 65510:* +match to group clients set large-community delete 999:65510:* + +# add_noexport_to_any +match to group clients set community delete 65507:999 +match to group clients set ext-community delete rt 65507:999 +match to group clients set large-community delete 999:65507:999 + +# add_noexport_to_peer +match to group clients set community delete 65509:* +match to group clients set ext-community delete rt 65509:* +match to group clients set large-community delete 999:65509:* + +# announce_to_peer +match to group clients set community delete 65501:* +match to group clients set ext-community delete rt 65501:* +match to group clients set large-community delete 999:65501:* + +# announce_to_peers_with_rtt_higher_than +match 
to group clients set community delete 64533:* +match to group clients set ext-community delete rt 64533:* +match to group clients set large-community delete 999:64533:* + +# announce_to_peers_with_rtt_lower_than +match to group clients set community delete 64532:* +match to group clients set ext-community delete rt 64532:* +match to group clients set large-community delete 999:64532:* + +# blackholing +match to group clients set community delete 65534:0 +match to group clients set large-community delete 65534:0:0 + +# do_not_announce_to_any +match to group clients set community delete 0:999 +match to group clients set ext-community delete rt 0:999 +match to group clients set large-community delete 999:0:999 + +# do_not_announce_to_peer +match to group clients set community delete 0:* +match to group clients set ext-community delete rt 0:* +match to group clients set large-community delete 999:0:* + +# do_not_announce_to_peers_with_rtt_higher_than +match to group clients set community delete 64531:* +match to group clients set ext-community delete rt 64531:* +match to group clients set large-community delete 999:64531:* + +# do_not_announce_to_peers_with_rtt_lower_than +match to group clients set community delete 64530:* +match to group clients set ext-community delete rt 64530:* +match to group clients set large-community delete 999:64530:* + +# prepend_once_to_any +match to group clients set community delete 65521:65521 +match to group clients set ext-community delete rt 65521:65521 +match to group clients set large-community delete 999:65521:65521 + +# prepend_once_to_peer +match to group clients set community delete 65521:* +match to group clients set ext-community delete rt 65521:* +match to group clients set large-community delete 999:65521:* + +# prepend_once_to_peers_with_rtt_higher_than +match to group clients set community delete 64537:* +match to group clients set ext-community delete rt 64537:* +match to group clients set large-community delete 
999:64537:* + +# prepend_once_to_peers_with_rtt_lower_than +match to group clients set community delete 64534:* +match to group clients set ext-community delete rt 64534:* +match to group clients set large-community delete 999:64534:* + +# prepend_thrice_to_any +match to group clients set community delete 65523:65523 +match to group clients set ext-community delete rt 65523:65523 +match to group clients set large-community delete 999:65523:65523 + +# prepend_thrice_to_peer +match to group clients set community delete 65523:* +match to group clients set ext-community delete rt 65523:* +match to group clients set large-community delete 999:65523:* + +# prepend_thrice_to_peers_with_rtt_higher_than +match to group clients set community delete 64539:* +match to group clients set ext-community delete rt 64539:* +match to group clients set large-community delete 999:64539:* + +# prepend_thrice_to_peers_with_rtt_lower_than +match to group clients set community delete 64536:* +match to group clients set ext-community delete rt 64536:* +match to group clients set large-community delete 999:64536:* + +# prepend_twice_to_any +match to group clients set community delete 65522:65522 +match to group clients set ext-community delete rt 65522:65522 +match to group clients set large-community delete 999:65522:65522 + +# prepend_twice_to_peer +match to group clients set community delete 65522:* +match to group clients set ext-community delete rt 65522:* +match to group clients set large-community delete 999:65522:* + +# prepend_twice_to_peers_with_rtt_higher_than +match to group clients set community delete 64538:* +match to group clients set ext-community delete rt 64538:* +match to group clients set large-community delete 999:64538:* + +# prepend_twice_to_peers_with_rtt_lower_than +match to group clients set community delete 64535:* +match to group clients set ext-community delete rt 64535:* +match to group clients set large-community delete 999:64535:* + +# reject_cause +match to 
group clients set community delete 65520:* + +# reject_cause_map_6 +match to group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match to group clients set ext-community delete rt 65520:* + + +# Scrub prepending communities +match to group clients set { + community delete 65521:65521 + ext-community delete rt 65521:65521 + large-community delete 999:65521:65521 + +} +match to group clients set { + community delete 65521:* + ext-community delete rt 65521:* + large-community delete 999:65521:* + +} +match to group clients set { + community delete 64537:* + ext-community delete rt 64537:* + large-community delete 999:64537:* + +} +match to group clients set { + community delete 64534:* + ext-community delete rt 64534:* + large-community delete 999:64534:* + +} +match to group clients set { + community delete 65523:65523 + ext-community delete rt 65523:65523 + large-community delete 999:65523:65523 + +} +match to group clients set { + community delete 65523:* + ext-community delete rt 65523:* + large-community delete 999:65523:* + +} +match to group clients set { + community delete 64539:* + ext-community delete rt 64539:* + large-community delete 999:64539:* + +} +match to group clients set { + community delete 64536:* + ext-community delete rt 64536:* + large-community delete 999:64536:* + +} +match to group clients set { + community delete 65522:65522 + ext-community delete rt 65522:65522 + large-community delete 999:65522:65522 + +} +match to group clients set { + community delete 65522:* + ext-community delete rt 65522:* + large-community delete 999:65522:* + +} +match to group clients set { + community delete 64538:* + ext-community delete rt 64538:* + large-community delete 999:64538:* + +} +match to group clients set { + community delete 64535:* + ext-community delete rt 64535:* + large-community delete 999:64535:* + +} + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy 
+match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +include "/etc/bgpd/post-filters.local" + + diff --git a/tests/live_tests/scenarios/global/configs/BasicScenario_OpenBGPDIPv6/openbgpd75p.conf b/tests/live_tests/scenarios/global/configs/BasicScenario_OpenBGPDIPv6/openbgpd75p.conf new file mode 100644 index 00000000..13a51472 --- /dev/null +++ b/tests/live_tests/scenarios/global/configs/BasicScenario_OpenBGPDIPv6/openbgpd75p.conf 
@@ -0,0 +1,10262 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + +# AS222, used by client AS222_1, client AS222_2 +# no origin ASNs found for AS222 +# no prefixes found for AS222 + +# AS2, used by client AS2_1, client AS2_2 +# no origin ASNs found for AS2 +# no prefixes found for AS2 + +# AS-AS1, AS-AS1_CUSTOMERS, used by client AS1_1, client AS1_2, client AS1_3, client AS1_4 +as-set "AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns" { + 1 101 103 104 +} +prefix-set "AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes" { + 2a01::/32 prefixlen 32 - 128 + 2a99::/16 prefixlen 16 - 128 + 3101::/32 prefixlen 32 - 128 + 3103::/32 prefixlen 32 - 128 +} + +# AS-AS2, AS-AS2_CUSTOMERS, used by client AS2_1, client AS2_2 +as-set "AS_SET_AS_AS2_AS_AS2_CUSTOMERS_asns" { + 2 101 103 +} +prefix-set "AS_SET_AS_AS2_AS_AS2_CUSTOMERS_prefixes" { + 2a02::/32 prefixlen 32 - 128 + 3101::/32 prefixlen 32 - 128 + 3103::/32 prefixlen 32 - 128 +} + +# WHITE_LIST_AS1_2, used by client AS1_2 white list +as-set "AS_SET_WHITE_LIST_AS1_2_asns" { + 1011 +} +prefix-set "AS_SET_WHITE_LIST_AS1_2_prefixes" { + 11.1.0.0/16 prefixlen 16 - 32 + 2a11:1::/32 prefixlen 32 - 128 +} + +# AS-AS222, used by client AS222_1, client AS222_2 +as-set "AS_SET_AS_AS222_asns" { + 333 +} +prefix-set "AS_SET_AS_AS222_prefixes" { + 
3222::/32 prefixlen 32 - 128 +} + +# AS1, used by client AS1_1, client AS1_2, client AS1_3, client AS1_4 +# no origin ASNs found for AS1 +# no prefixes found for AS1 + +# WHITE_LIST_AS1_1, used by client AS1_1 white list +as-set "AS_SET_WHITE_LIST_AS1_1_asns" { + 1011 +} +prefix-set "AS_SET_WHITE_LIST_AS1_1_prefixes" { + 11.1.0.0/16 prefixlen 16 - 32 + 2a11:1::/32 prefixlen 32 - 128 +} + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + neighbor 192.0.2.11 { + remote-as 1 + + rde evaluate all + + descr "AS1_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + # RTT: 0.1 ms (normalized value: 1) + neighbor 2001:db8:1:1::11 { + remote-as 1 + + rde evaluate all + + descr "AS1_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.12 { + remote-as 1 + + rde evaluate all + + descr "AS1_2 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + # RTT: 5 ms (normalized value: 5) + neighbor 2001:db8:1:1::12 { + remote-as 1 + + rde evaluate all + + descr "AS1_2 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.222 { + remote-as 222 + + rde evaluate all + + descr "AS222_1 client" + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::222 { + remote-as 222 + + rde evaluate all + + descr "AS222_1 client" + ttl-security no + 
transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.21 { + remote-as 2 + + rde evaluate all + + descr "AS2_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + # RTT: 17.3 ms (normalized value: 17) + neighbor 2001:db8:1:1::21 { + remote-as 2 + + rde evaluate all + + descr "AS2_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.31 { + remote-as 3 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default + + descr "AS3_1 client" + ttl-security no + transparent-as no + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } + + # RTT: 123.8 ms (normalized value: 124) + neighbor 2001:db8:1:1::31 { + remote-as 3 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. 
+ rde evaluate default + + descr "AS3_1 client" + ttl-security no + transparent-as no + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 192.0.2.41 { + remote-as 4 + + rde evaluate all + + descr "AS4_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + # RTT: 600 ms (normalized value: 600) + neighbor 2001:db8:1:1::41 { + remote-as 4 + + rde evaluate all + + descr "AS4_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } +} + +include "/etc/bgpd/post-clients.local" + + + +# --------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. 
+ + + + +prefix-set "global_black_list_pref" { + 192.0.2.0/24 prefixlen 24 - 32 + 2001:db8::/32 prefixlen 32 - 128 + +} + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + +# never via route-servers ASNs +as-set "neverviarouteserver" { + 666, 777 +} + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. +# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. 
+ + + +# Scrub communities from inbound routes +# origin_not_present_in_as_set +match from group clients set community delete 65530:0 +match from group clients set large-community delete 999:65530:0 + +# origin_present_in_as_set +match from group clients set community delete 65530:1 +match from group clients set large-community delete 999:65530:1 + +# prefix_validated_via_arin_whois_db_dump +match from group clients set community delete 65530:3 +match from group clients set large-community delete 999:65530:3 + +# prefix_validated_via_rpki_roas +match from group clients set community delete 65530:2 +match from group clients set large-community delete 999:65530:2 + +# reject_cause +match from group clients set community delete 65520:* + +# reject_cause_map_6 +match from group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match from group clients set ext-community delete rt 65520:* + +# rpki_bgp_origin_validation_not_performed +match from group clients set community delete 65530:4 +match from group clients set large-community delete 999:65530:4 + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which 
are used later by the rest of the filter rules. + +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + +# --------------------------------------------------------- +# ROAs source + + +roa-set { + 101.3.0.0/16 maxlen 24 source-as 105 expires 4102444799 + 101.2.0.0/17 source-as 101 expires 4102444799 + 101.2.128.0/17 maxlen 24 source-as 101 expires 4102444799 + 101.0.128.0/20 maxlen 23 source-as 101 expires 4102444799 + 101.0.8.0/24 source-as 101 expires 4102444799 + 101.0.9.0/24 source-as 102 expires 4102444799 + 222.1.1.0/24 source-as 333 expires 4102444799 + 3101:3::/32 maxlen 48 source-as 105 expires 4102444799 + 3101:0:8000::/33 maxlen 34 source-as 101 expires 4102444799 + 3101:2:8000::/33 maxlen 48 source-as 101 expires 4102444799 + 3101:2::/33 source-as 101 expires 4102444799 + 3101:0:8::/48 source-as 101 expires 4102444799 + 3101:0:9::/48 source-as 102 expires 4102444799 + 3222:0:1::/48 source-as 333 expires 4102444799 + +} + + + +# --------------------------------------------------------- +# RPKI-based Origin Validation + + +# Add $INTCOMM_RPKI_UNKNOWN, $INTCOMM_RPKI_INVALID and $INTCOMM_RPKI_VALID +# ext community on the basis of ovs. +match from group clients ovs not-found set { + ext-community $INTCOMM_RPKI_UNKNOWN + ext-community ovs not-found + +} +match from group clients ovs valid set { + ext-community $INTCOMM_RPKI_VALID + ext-community ovs valid + +} +match from group clients ovs invalid set { + ext-community $INTCOMM_RPKI_INVALID + ext-community ovs invalid + +} + + + +# --------------------------------------------------------- +# RPKI ROAs used as route objects. 
+ +# Add the $INTCOMM_PREF_OK_ROA ext community to routes whose +# origin ASN has a ROA for the announced prefix. +# It will be used later during IRRDB validation in +# case the origin ASN is authorized by a client's +# AS-SET but the prefix is not. + +# Since RPKI-based Origin Validation is already performed above, +# use the origin validation state to identify valid routes. +match from group clients ovs valid set ext-community $INTCOMM_PREF_OK_ROA + + +# ARIN Whois records used for preifx validation +# --------------------------------------------- + +# Add the $INTCOMM_PREF_OK_ARINDB ext community to routes whose +# origin ASN has an ARIN Whois record for the announced prefix. +# It will be used later during IRRDB validation in +# case the origin ASN is authorized by a client's +# AS-SET but the prefix is not. +origin-set "ARINDB" { +104.0.0.0/23 prefixlen 23 - 32 source-as 104 +3104::/32 prefixlen 32 - 128 source-as 104 +} +match from group clients origin-set ARINDB set ext-community $INTCOMM_PREF_OK_ARINDB + +# NIC.BR Whois records used for preifx validation +# ----------------------------------------------- + +# Add the $INTCOMM_PREF_OK_REGISTROBRDB ext community to routes whose +# origin ASN has a NIC.BR Whois record for the announced prefix. +# It will be used later during IRRDB validation in +# case the origin ASN is authorized by a client's +# AS-SET but the prefix is not. +origin-set "REGISTROBRDB" { +104.1.1.0/24 prefixlen 24 - 32 source-as 104 +3104:1:1::/48 prefixlen 48 - 128 source-as 104 +} +match from group clients origin-set REGISTROBRDB set ext-community $INTCOMM_PREF_OK_REGISTROBRDB + + + +# Set the 'rejected_route_announced_by' community for all the clients. 
+# It will be removed later if the route is not invalid +match from 192.0.2.11 set ext-community rt 65520:1 + +match from 2001:db8:1:1::11 set ext-community rt 65520:1 + +match from 192.0.2.12 set ext-community rt 65520:1 + +match from 2001:db8:1:1::12 set ext-community rt 65520:1 + +match from 192.0.2.222 set ext-community rt 65520:222 + +match from 2001:db8:1:1::222 set ext-community rt 65520:222 + +match from 192.0.2.21 set ext-community rt 65520:2 + +match from 2001:db8:1:1::21 set ext-community rt 65520:2 + +match from 192.0.2.31 set ext-community rt 65520:3 + +match from 2001:db8:1:1::31 set ext-community rt 65520:3 + +match from 192.0.2.41 set ext-community rt 65520:4 + +match from 2001:db8:1:1::41 set ext-community rt 65520:4 + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 6' - reject code: 1 +allow quick from group clients max-as-len 6 set { + localpref 1 + community 65520:0 + community 65520:1 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: global blacklist +# Reject inbound routes when 'from group clients prefix-set global_black_list_pref' - reject code: 3 +allow quick from group clients prefix-set global_black_list_pref set { + localpref 1 + community 65520:0 + community 65520:3 + community delete NO_ADVERTISE + ext-community delete 
$INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +allow quick from group clients community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:10 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +allow quick from group clients prefix-set bogons set { + localpref 1 + community 65520:0 + community 65520:2 + 
community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# ===================================================================================== +# Per client rules. + + +# --------------------------------------------- +# client AS1_1, inbound + + + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject 
inbound routes when 'from 192.0.2.11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +allow quick from 192.0.2.11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.11 AS 64496 - 131071 set { + 
localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.11 AS { 3, 174 }' - reject code: 8 +allow quick from 192.0.2.11 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete 
$INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.11 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.11 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 192.0.2.11 prefix 11.3.0.0/16 source-as 1011 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.11 prefix 11.4.0.0/16 prefixlen 16 - 32 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.11 prefix 2a11:3::/32 source-as 1011 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.11 prefix 2a11:4::/32 prefixlen 32 - 128 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 192.0.2.11 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_1, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.11 source-as as-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS1_AS_AS1_CUSTOMERS +# AS-SET AS1 referenced but empty. +match from 192.0.2.11 source-as as-set AS_SET_WHITE_LIST_AS1_1_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS1_1 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_1, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.11 prefix-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS1_AS_AS1_CUSTOMERS +# AS-SET AS1 referenced but empty. 
+match from 192.0.2.11 prefix-set AS_SET_WHITE_LIST_AS1_1_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS1_1 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_REGISTROBRDB community have the prefix validated by a NICBR Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_REGISTROBRDB set ext-community delete $INTCOMM_IRR_REJECT + +# route authorized by a client's white list? 
+match from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + 
ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? +match from 192.0.2.11 set ext-community delete rt 65520:1 + + +# Remove internal communities before accepting the route +match from 192.0.2.11 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.11 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.11 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community 
delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.11 community BLACKHOLE set community 65530:4 +match from 192.0.2.11 community BLACKHOLE set large-community 999:65530:4 + +match from 192.0.2.11 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.11 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.11 community BLACKHOLE +allow quick from 192.0.2.11 community 65534:0 +allow quick from 192.0.2.11 large-community 65534:0:0 + + +match from 192.0.2.11 set ext-community rt 65520:1 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.11 
prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.11 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.11 set ext-community delete rt 65520:1 + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS1_1, outbound + +deny quick to 192.0.2.11 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 192.0.2.11 community 65534:0 set community BLACKHOLE +match to 192.0.2.11 large-community 65534:0:0 set community BLACKHOLE + +match to 192.0.2.11 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.11 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.11 community 65507:999 set community NO_EXPORT +match to 192.0.2.11 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.11 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.11 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.11 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.11 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.11 community 65509:1 set community NO_EXPORT +match to 192.0.2.11 ext-community rt 65509:1 set community NO_EXPORT +match to 192.0.2.11 large-community 999:65509:1 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.11 community 65510:1 set community NO_ADVERTISE +match to 192.0.2.11 ext-community rt 65510:1 set community NO_ADVERTISE +match to 192.0.2.11 large-community 999:65510:1 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.11 + +# do_not_announce_to_any +deny to 192.0.2.11 community 0:999 +deny to 192.0.2.11 ext-community rt 0:999 +deny to 192.0.2.11 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.11 community 0:1 +deny quick to 192.0.2.11 ext-community rt 0:1 +deny quick to 192.0.2.11 large-community 999:0:1 + +# announce_to_peer +allow to 192.0.2.11 community 65501:1 +allow to 192.0.2.11 ext-community rt 65501:1 +allow to 192.0.2.11 large-community 999:65501:1 + + +# Add the 
$INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:1 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS1_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::11 set community NO_ADVERTISE +match from 2001:db8:1:1::11 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::11 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + 
ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS { 3, 174 }' - reject code: 8 +allow quick from 2001:db8:1:1::11 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 2001:db8:1:1::11 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 2001:db8:1:1::11 prefix 11.3.0.0/16 source-as 1011 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::11 prefix 11.4.0.0/16 prefixlen 16 - 32 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::11 prefix 2a11:3::/32 source-as 1011 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::11 prefix 2a11:4::/32 prefixlen 32 - 128 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 2001:db8:1:1::11 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_2, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::11 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::11 source-as as-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS1_AS_AS1_CUSTOMERS +match from 2001:db8:1:1::11 source-as as-set AS_SET_WHITE_LIST_AS1_2_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS1_2 +# AS-SET AS1 referenced but empty. + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_2, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::11 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::11 prefix-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS1_AS_AS1_CUSTOMERS +match from 2001:db8:1:1::11 prefix-set AS_SET_WHITE_LIST_AS1_2_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS1_2 +# AS-SET AS1 referenced but empty. 
+ + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_REGISTROBRDB community have the prefix validated by a NICBR Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_REGISTROBRDB set ext-community delete $INTCOMM_IRR_REJECT + +# route authorized by a client's white list? +match from 2001:db8:1:1::11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + 
ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db8:1:1::11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? 
+match from 2001:db8:1:1::11 set ext-community delete rt 65520:1 + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::11 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::11 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 2001:db8:1:1::11 community BLACKHOLE set community 65530:4 +match from 2001:db8:1:1::11 community BLACKHOLE set large-community 999:65530:4 + +match from 2001:db8:1:1::11 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 2001:db8:1:1::11 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 2001:db8:1:1::11 community BLACKHOLE +allow quick from 2001:db8:1:1::11 community 65534:0 +allow quick from 2001:db8:1:1::11 large-community 65534:0:0 + + +match from 2001:db8:1:1::11 set ext-community rt 65520:1 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 2001:db8:1:1::11 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 2001:db8:1:1::11 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::11 prefix ::/0 prefixlen 17 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::11 prefix ::/0 prefixlen 17 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete 
NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 2001:db8:1:1::11 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::11 set ext-community delete rt 65520:1 + + + +allow quick from 2001:db8:1:1::11 + + + +# --------------------------------------------- +# client AS1_2, outbound + +deny quick to 2001:db8:1:1::11 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 2001:db8:1:1::11 community 65534:0 set community BLACKHOLE +match to 2001:db8:1:1::11 large-community 65534:0:0 set community BLACKHOLE + +match to 2001:db8:1:1::11 community BLACKHOLE set community NO_EXPORT +match to 2001:db8:1:1::11 community BLACKHOLE set nexthop 2001:db8:1:1::66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::11 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 2001:db8:1:1::11 community 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::11 ext-community rt 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::11 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 2001:db8:1:1::11 community 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::11 ext-community rt 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::11 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 2001:db8:1:1::11 community 65509:1 set community NO_EXPORT +match to 2001:db8:1:1::11 ext-community rt 65509:1 set community NO_EXPORT +match to 2001:db8:1:1::11 large-community 999:65509:1 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 2001:db8:1:1::11 community 65510:1 set community NO_ADVERTISE +match to 2001:db8:1:1::11 ext-community rt 65510:1 set community NO_ADVERTISE +match to 2001:db8:1:1::11 large-community 999:65510:1 set community NO_ADVERTISE + + +# BGP control communities +allow to 2001:db8:1:1::11 + +# do_not_announce_to_any +deny to 2001:db8:1:1::11 community 0:999 +deny to 2001:db8:1:1::11 ext-community rt 0:999 +deny to 2001:db8:1:1::11 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::11 community 0:1 +deny quick to 2001:db8:1:1::11 ext-community rt 0:1 +deny quick to 2001:db8:1:1::11 large-community 999:0:1 + +# 
do_not_announce_to_peers_with_rtt_lower_than 5 ms +deny to 2001:db8:1:1::11 community 64530:5 +deny to 2001:db8:1:1::11 ext-community rt 64530:5 +deny to 2001:db8:1:1::11 large-community 999:64530:5 + + +# do_not_announce_to_peers_with_rtt_lower_than 10 ms +deny to 2001:db8:1:1::11 community 64530:10 +deny to 2001:db8:1:1::11 ext-community rt 64530:10 +deny to 2001:db8:1:1::11 large-community 999:64530:10 + + +# do_not_announce_to_peers_with_rtt_lower_than 15 ms +deny to 2001:db8:1:1::11 community 64530:15 +deny to 2001:db8:1:1::11 ext-community rt 64530:15 +deny to 2001:db8:1:1::11 large-community 999:64530:15 + + +# do_not_announce_to_peers_with_rtt_lower_than 20 ms +deny to 2001:db8:1:1::11 community 64530:20 +deny to 2001:db8:1:1::11 ext-community rt 64530:20 +deny to 2001:db8:1:1::11 large-community 999:64530:20 + + +# do_not_announce_to_peers_with_rtt_lower_than 30 ms +deny to 2001:db8:1:1::11 community 64530:30 +deny to 2001:db8:1:1::11 ext-community rt 64530:30 +deny to 2001:db8:1:1::11 large-community 999:64530:30 + + +# do_not_announce_to_peers_with_rtt_lower_than 50 ms +deny to 2001:db8:1:1::11 community 64530:50 +deny to 2001:db8:1:1::11 ext-community rt 64530:50 +deny to 2001:db8:1:1::11 large-community 999:64530:50 + + +# do_not_announce_to_peers_with_rtt_lower_than 100 ms +deny to 2001:db8:1:1::11 community 64530:100 +deny to 2001:db8:1:1::11 ext-community rt 64530:100 +deny to 2001:db8:1:1::11 large-community 999:64530:100 + + +# do_not_announce_to_peers_with_rtt_lower_than 200 ms +deny to 2001:db8:1:1::11 community 64530:200 +deny to 2001:db8:1:1::11 ext-community rt 64530:200 +deny to 2001:db8:1:1::11 large-community 999:64530:200 + + +# do_not_announce_to_peers_with_rtt_lower_than 500 ms +deny to 2001:db8:1:1::11 community 64530:500 +deny to 2001:db8:1:1::11 ext-community rt 64530:500 +deny to 2001:db8:1:1::11 large-community 999:64530:500 + + +# announce_to_peers_with_rtt_lower_than 5 ms +allow to 2001:db8:1:1::11 community 64532:5 +allow to 
2001:db8:1:1::11 ext-community rt 64532:5 +allow to 2001:db8:1:1::11 large-community 999:64532:5 + + +# announce_to_peers_with_rtt_lower_than 10 ms +allow to 2001:db8:1:1::11 community 64532:10 +allow to 2001:db8:1:1::11 ext-community rt 64532:10 +allow to 2001:db8:1:1::11 large-community 999:64532:10 + + +# announce_to_peers_with_rtt_lower_than 15 ms +allow to 2001:db8:1:1::11 community 64532:15 +allow to 2001:db8:1:1::11 ext-community rt 64532:15 +allow to 2001:db8:1:1::11 large-community 999:64532:15 + + +# announce_to_peers_with_rtt_lower_than 20 ms +allow to 2001:db8:1:1::11 community 64532:20 +allow to 2001:db8:1:1::11 ext-community rt 64532:20 +allow to 2001:db8:1:1::11 large-community 999:64532:20 + + +# announce_to_peers_with_rtt_lower_than 30 ms +allow to 2001:db8:1:1::11 community 64532:30 +allow to 2001:db8:1:1::11 ext-community rt 64532:30 +allow to 2001:db8:1:1::11 large-community 999:64532:30 + + +# announce_to_peers_with_rtt_lower_than 50 ms +allow to 2001:db8:1:1::11 community 64532:50 +allow to 2001:db8:1:1::11 ext-community rt 64532:50 +allow to 2001:db8:1:1::11 large-community 999:64532:50 + + +# announce_to_peers_with_rtt_lower_than 100 ms +allow to 2001:db8:1:1::11 community 64532:100 +allow to 2001:db8:1:1::11 ext-community rt 64532:100 +allow to 2001:db8:1:1::11 large-community 999:64532:100 + + +# announce_to_peers_with_rtt_lower_than 200 ms +allow to 2001:db8:1:1::11 community 64532:200 +allow to 2001:db8:1:1::11 ext-community rt 64532:200 +allow to 2001:db8:1:1::11 large-community 999:64532:200 + + +# announce_to_peers_with_rtt_lower_than 500 ms +allow to 2001:db8:1:1::11 community 64532:500 +allow to 2001:db8:1:1::11 ext-community rt 64532:500 +allow to 2001:db8:1:1::11 large-community 999:64532:500 + + +# announce_to_peer +allow to 2001:db8:1:1::11 community 65501:1 +allow to 2001:db8:1:1::11 ext-community rt 65501:1 +allow to 2001:db8:1:1::11 large-community 999:65501:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to 
signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:1 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:5 set { + prepend-neighbor 3 + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:10 set { + 
prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS 
ext-community rt 64536:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 
2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:50 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:100 set { + 
prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS community 64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match 
to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS1_3, inbound + + + +# NEXT_HOP +match from 192.0.2.12 set community NO_ADVERTISE +match from 192.0.2.12 nexthop 192.0.2.11 set community delete NO_ADVERTISE +match from 192.0.2.12 nexthop 192.0.2.12 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.12 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.12 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.12 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.12 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + 
community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.12 AS 23456' - reject code: 7 +allow quick from 192.0.2.12 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.12 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.12 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community 
delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.12 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.12 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.12 AS { 3, 174 }' - reject code: 8 +allow quick from 192.0.2.12 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete 
$INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.12 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.12 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +match from 192.0.2.12 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_3, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.12 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.12 source-as as-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS1_AS_AS1_CUSTOMERS +# AS-SET AS1 referenced but empty. 
+ + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_3, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.12 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.12 prefix-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS1_AS_AS1_CUSTOMERS +# AS-SET AS1 referenced but empty. + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.12 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.12 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_REGISTROBRDB community have the prefix validated by a NICBR Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.12 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_REGISTROBRDB set ext-community delete $INTCOMM_IRR_REJECT + + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + 
ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? 
+match from 192.0.2.12 set ext-community delete rt 65520:1 + + +# Remove internal communities before accepting the route +match from 192.0.2.12 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.12 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.12 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.12 community BLACKHOLE set community 65530:4 +match from 192.0.2.12 community BLACKHOLE set large-community 999:65530:4 + +match from 192.0.2.12 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.12 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.12 community BLACKHOLE +allow quick from 192.0.2.12 community 65534:0 +allow quick from 192.0.2.12 large-community 65534:0:0 + + +match from 192.0.2.12 set ext-community rt 65520:1 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.12 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.12 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.12 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.12 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete 
$INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.12 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 192.0.2.12 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.12 set ext-community delete rt 65520:1 + + + +allow quick from 192.0.2.12 + + + +# --------------------------------------------- +# client AS1_3, outbound + +deny quick to 192.0.2.12 community 65520:0 + + + +# Blackhole request? 
+# Client not enabled to receive blackhole routes +deny quick to 192.0.2.12 community BLACKHOLE +deny quick to 192.0.2.12 community 65534:0 +deny quick to 192.0.2.12 large-community 65534:0:0 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.12 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.12 community 65507:999 set community NO_EXPORT +match to 192.0.2.12 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.12 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.12 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.12 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.12 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.12 community 65509:1 set community NO_EXPORT +match to 192.0.2.12 ext-community rt 65509:1 set community NO_EXPORT +match to 192.0.2.12 large-community 999:65509:1 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.12 community 65510:1 set community NO_ADVERTISE +match to 192.0.2.12 ext-community rt 65510:1 set community NO_ADVERTISE +match to 192.0.2.12 large-community 999:65510:1 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.12 + +# do_not_announce_to_any +deny to 192.0.2.12 community 0:999 +deny to 192.0.2.12 ext-community rt 0:999 +deny to 192.0.2.12 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.12 community 0:1 +deny quick to 192.0.2.12 ext-community rt 0:1 +deny quick to 192.0.2.12 large-community 999:0:1 + +# announce_to_peer +allow to 192.0.2.12 community 65501:1 +allow to 192.0.2.12 ext-community rt 65501:1 +allow to 192.0.2.12 large-community 999:65501:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. 
As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.12 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:1 
set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + 
+# --------------------------------------------- +# client AS1_4, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::12 set community NO_ADVERTISE +match from 2001:db8:1:1::12 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +match from 2001:db8:1:1::12 nexthop 2001:db8:1:1::12 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::12 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::12 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::12 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::12 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete 
$INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::12 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::12 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::12 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::12 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + 
ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::12 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::12 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 2001:db8:1:1::12 AS { 3, 174 }' - reject code: 8 +allow quick from 2001:db8:1:1::12 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via 
route-servers ASNs +# Reject inbound routes when 'from 2001:db8:1:1::12 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 2001:db8:1:1::12 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +match from 2001:db8:1:1::12 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_4, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::12 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::12 source-as as-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS1_AS_AS1_CUSTOMERS +# AS-SET AS1 referenced but empty. 
+ + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_4, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::12 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::12 prefix-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS1_AS_AS1_CUSTOMERS +# AS-SET AS1 referenced but empty. + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::12 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::12 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_REGISTROBRDB community have the prefix validated by a NICBR Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::12 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_REGISTROBRDB set ext-community delete $INTCOMM_IRR_REJECT + + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + 
ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db8:1:1::12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? 
+match from 2001:db8:1:1::12 set ext-community delete rt 65520:1 + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::12 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::12 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::12 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 2001:db8:1:1::12 community BLACKHOLE set community 65530:4 +match from 2001:db8:1:1::12 community BLACKHOLE set large-community 999:65530:4 + +match from 2001:db8:1:1::12 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 2001:db8:1:1::12 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 2001:db8:1:1::12 community BLACKHOLE +allow quick from 2001:db8:1:1::12 community 65534:0 +allow quick from 2001:db8:1:1::12 large-community 65534:0:0 + + +match from 2001:db8:1:1::12 set ext-community rt 65520:1 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 2001:db8:1:1::12 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 2001:db8:1:1::12 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::12 prefix ::/0 prefixlen 17 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::12 prefix ::/0 prefixlen 17 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete 
NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 2001:db8:1:1::12 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::12 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::12 set ext-community delete rt 65520:1 + + + +allow quick from 2001:db8:1:1::12 + + + +# --------------------------------------------- +# client AS1_4, outbound + +deny quick to 2001:db8:1:1::12 community 65520:0 + + + +# Blackhole request? 
+# Client not enabled to receive blackhole routes +deny quick to 2001:db8:1:1::12 community BLACKHOLE +deny quick to 2001:db8:1:1::12 community 65534:0 +deny quick to 2001:db8:1:1::12 large-community 65534:0:0 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::12 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 2001:db8:1:1::12 community 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::12 ext-community rt 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::12 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 2001:db8:1:1::12 community 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::12 ext-community rt 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::12 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 2001:db8:1:1::12 community 65509:1 set community NO_EXPORT +match to 2001:db8:1:1::12 ext-community rt 65509:1 set community NO_EXPORT +match to 2001:db8:1:1::12 large-community 999:65509:1 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 2001:db8:1:1::12 community 65510:1 set community NO_ADVERTISE +match to 2001:db8:1:1::12 ext-community rt 65510:1 set community NO_ADVERTISE +match to 2001:db8:1:1::12 large-community 999:65510:1 set community NO_ADVERTISE + + +# BGP control communities +allow to 2001:db8:1:1::12 + +# do_not_announce_to_any +deny to 2001:db8:1:1::12 community 0:999 +deny to 2001:db8:1:1::12 ext-community rt 0:999 +deny to 2001:db8:1:1::12 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::12 community 0:1 +deny quick to 2001:db8:1:1::12 ext-community rt 0:1 +deny quick to 2001:db8:1:1::12 large-community 999:0:1 + +# do_not_announce_to_peers_with_rtt_lower_than 5 ms +deny to 2001:db8:1:1::12 community 64530:5 +deny to 2001:db8:1:1::12 ext-community rt 64530:5 +deny to 
2001:db8:1:1::12 large-community 999:64530:5 + + +# do_not_announce_to_peers_with_rtt_lower_than 10 ms +deny to 2001:db8:1:1::12 community 64530:10 +deny to 2001:db8:1:1::12 ext-community rt 64530:10 +deny to 2001:db8:1:1::12 large-community 999:64530:10 + + +# do_not_announce_to_peers_with_rtt_lower_than 15 ms +deny to 2001:db8:1:1::12 community 64530:15 +deny to 2001:db8:1:1::12 ext-community rt 64530:15 +deny to 2001:db8:1:1::12 large-community 999:64530:15 + + +# do_not_announce_to_peers_with_rtt_lower_than 20 ms +deny to 2001:db8:1:1::12 community 64530:20 +deny to 2001:db8:1:1::12 ext-community rt 64530:20 +deny to 2001:db8:1:1::12 large-community 999:64530:20 + + +# do_not_announce_to_peers_with_rtt_lower_than 30 ms +deny to 2001:db8:1:1::12 community 64530:30 +deny to 2001:db8:1:1::12 ext-community rt 64530:30 +deny to 2001:db8:1:1::12 large-community 999:64530:30 + + +# do_not_announce_to_peers_with_rtt_lower_than 50 ms +deny to 2001:db8:1:1::12 community 64530:50 +deny to 2001:db8:1:1::12 ext-community rt 64530:50 +deny to 2001:db8:1:1::12 large-community 999:64530:50 + + +# do_not_announce_to_peers_with_rtt_lower_than 100 ms +deny to 2001:db8:1:1::12 community 64530:100 +deny to 2001:db8:1:1::12 ext-community rt 64530:100 +deny to 2001:db8:1:1::12 large-community 999:64530:100 + + +# do_not_announce_to_peers_with_rtt_lower_than 200 ms +deny to 2001:db8:1:1::12 community 64530:200 +deny to 2001:db8:1:1::12 ext-community rt 64530:200 +deny to 2001:db8:1:1::12 large-community 999:64530:200 + + +# do_not_announce_to_peers_with_rtt_lower_than 500 ms +deny to 2001:db8:1:1::12 community 64530:500 +deny to 2001:db8:1:1::12 ext-community rt 64530:500 +deny to 2001:db8:1:1::12 large-community 999:64530:500 + + +# announce_to_peers_with_rtt_lower_than 5 ms +allow to 2001:db8:1:1::12 community 64532:5 +allow to 2001:db8:1:1::12 ext-community rt 64532:5 +allow to 2001:db8:1:1::12 large-community 999:64532:5 + + +# announce_to_peers_with_rtt_lower_than 10 ms +allow to 
2001:db8:1:1::12 community 64532:10 +allow to 2001:db8:1:1::12 ext-community rt 64532:10 +allow to 2001:db8:1:1::12 large-community 999:64532:10 + + +# announce_to_peers_with_rtt_lower_than 15 ms +allow to 2001:db8:1:1::12 community 64532:15 +allow to 2001:db8:1:1::12 ext-community rt 64532:15 +allow to 2001:db8:1:1::12 large-community 999:64532:15 + + +# announce_to_peers_with_rtt_lower_than 20 ms +allow to 2001:db8:1:1::12 community 64532:20 +allow to 2001:db8:1:1::12 ext-community rt 64532:20 +allow to 2001:db8:1:1::12 large-community 999:64532:20 + + +# announce_to_peers_with_rtt_lower_than 30 ms +allow to 2001:db8:1:1::12 community 64532:30 +allow to 2001:db8:1:1::12 ext-community rt 64532:30 +allow to 2001:db8:1:1::12 large-community 999:64532:30 + + +# announce_to_peers_with_rtt_lower_than 50 ms +allow to 2001:db8:1:1::12 community 64532:50 +allow to 2001:db8:1:1::12 ext-community rt 64532:50 +allow to 2001:db8:1:1::12 large-community 999:64532:50 + + +# announce_to_peers_with_rtt_lower_than 100 ms +allow to 2001:db8:1:1::12 community 64532:100 +allow to 2001:db8:1:1::12 ext-community rt 64532:100 +allow to 2001:db8:1:1::12 large-community 999:64532:100 + + +# announce_to_peers_with_rtt_lower_than 200 ms +allow to 2001:db8:1:1::12 community 64532:200 +allow to 2001:db8:1:1::12 ext-community rt 64532:200 +allow to 2001:db8:1:1::12 large-community 999:64532:200 + + +# announce_to_peers_with_rtt_lower_than 500 ms +allow to 2001:db8:1:1::12 community 64532:500 +allow to 2001:db8:1:1::12 ext-community rt 64532:500 +allow to 2001:db8:1:1::12 large-community 999:64532:500 + + +# announce_to_peer +allow to 2001:db8:1:1::12 community 65501:1 +allow to 2001:db8:1:1::12 ext-community rt 65501:1 +allow to 2001:db8:1:1::12 large-community 999:65501:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. 
As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::12 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 
ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} 
+match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:15 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:20 set { + prepend-neighbor 3 
+ ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:30 set 
{ + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS 
ext-community rt 64536:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 
ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:200 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:500 set { + 
prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community 
delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS222_1, inbound + + + +# NEXT_HOP +match from 192.0.2.222 set community NO_ADVERTISE +match from 192.0.2.222 nexthop 192.0.2.222 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.222 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.222 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.222 peer-as != 222' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.222 peer-as != 222 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete 
$INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.222 AS 23456' - reject code: 7 +allow quick from 192.0.2.222 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.222 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.222 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community 
delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.222 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.222 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.222 AS { 3, 174 }' - reject code: 8 +allow quick from 192.0.2.222 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete 
$INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.222 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.222 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 192.0.2.222 prefix 222.1.1.0/24 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.222 prefix 3222:0:1::/48 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 192.0.2.222 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS222_1, AS222: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.222 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS222 referenced but empty. +match from 192.0.2.222 source-as as-set AS_SET_AS_AS222_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS222 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS222_1, AS222: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.222 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS222 referenced but empty. 
+match from 192.0.2.222 prefix-set AS_SET_AS_AS222_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS222 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.222 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.222 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_REGISTROBRDB community have the prefix validated by a NICBR Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.222 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_REGISTROBRDB set ext-community delete $INTCOMM_IRR_REJECT + +# route authorized by a client's white list? 
+match from 192.0.2.222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? +match from 192.0.2.222 set ext-community delete rt 65520:222 + + +# Remove internal communities before accepting the route +match from 192.0.2.222 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.222 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.222 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete 
$INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.222 community BLACKHOLE set community 65530:4 +match from 192.0.2.222 community BLACKHOLE set large-community 999:65530:4 + +match from 192.0.2.222 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.222 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.222 community BLACKHOLE +allow quick from 192.0.2.222 community 65534:0 +allow quick from 192.0.2.222 large-community 65534:0:0 + + +match from 192.0.2.222 set ext-community rt 65520:222 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.222 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.222 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.222 prefix 0.0.0.0/0 prefixlen 8 >< 24' 
- reject code: 13 +allow quick from 192.0.2.222 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.222 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 192.0.2.222 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.222 set ext-community delete rt 65520:222 + + + +allow quick from 192.0.2.222 + + + +# --------------------------------------------- +# client AS222_1, outbound + +deny quick to 192.0.2.222 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 192.0.2.222 community 65534:0 set community BLACKHOLE +match to 192.0.2.222 large-community 65534:0:0 set community BLACKHOLE + +match to 192.0.2.222 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.222 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.222 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.222 community 65507:999 set community NO_EXPORT +match to 192.0.2.222 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.222 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.222 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.222 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.222 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.222 community 65509:222 set community NO_EXPORT +match to 192.0.2.222 ext-community rt 65509:222 set community NO_EXPORT +match to 192.0.2.222 large-community 999:65509:222 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.222 community 65510:222 set community NO_ADVERTISE +match to 192.0.2.222 ext-community rt 65510:222 set community NO_ADVERTISE +match to 192.0.2.222 large-community 999:65510:222 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.222 + +# do_not_announce_to_any +deny to 192.0.2.222 community 0:999 +deny to 192.0.2.222 ext-community rt 0:999 +deny to 192.0.2.222 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.222 community 0:222 +deny quick to 192.0.2.222 ext-community rt 0:222 +deny quick to 192.0.2.222 large-community 999:0:222 + +# announce_to_peer +allow to 192.0.2.222 community 65501:222 +allow to 192.0.2.222 ext-community rt 65501:222 +allow to 192.0.2.222 
large-community 999:65501:222 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.222 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS222; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:222 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:222 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:222 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS222; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:222 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:222 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:222 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS222; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:222 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 
65523:222 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:222 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS222_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::222 set community NO_ADVERTISE +match from 2001:db8:1:1::222 nexthop 2001:db8:1:1::222 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::222 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::222 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::222 peer-as != 222' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::222 peer-as != 222 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community 
delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::222 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::222 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::222 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::222 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + 
ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::222 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::222 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 2001:db8:1:1::222 AS { 3, 174 }' - reject code: 8 +allow quick from 2001:db8:1:1::222 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 2001:db8:1:1::222 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 2001:db8:1:1::222 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. +match from 2001:db8:1:1::222 prefix 222.1.1.0/24 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::222 prefix 3222:0:1::/48 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 2001:db8:1:1::222 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS222_2, AS222: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::222 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS222 referenced but empty. 
+match from 2001:db8:1:1::222 source-as as-set AS_SET_AS_AS222_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS222 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS222_2, AS222: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::222 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS222 referenced but empty. +match from 2001:db8:1:1::222 prefix-set AS_SET_AS_AS222_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS222 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::222 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::222 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_REGISTROBRDB community have the prefix validated by a NICBR Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::222 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_REGISTROBRDB set ext-community delete $INTCOMM_IRR_REJECT + +# route authorized by a client's white list? 
+match from 2001:db8:1:1::222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db8:1:1::222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + 
ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? +match from 2001:db8:1:1::222 set ext-community delete rt 65520:222 + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::222 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::222 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::222 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete 
$INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 2001:db8:1:1::222 community BLACKHOLE set community 65530:4 +match from 2001:db8:1:1::222 community BLACKHOLE set large-community 999:65530:4 + +match from 2001:db8:1:1::222 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 2001:db8:1:1::222 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 2001:db8:1:1::222 community BLACKHOLE +allow quick from 2001:db8:1:1::222 community 65534:0 +allow quick from 2001:db8:1:1::222 large-community 65534:0:0 + + +match from 2001:db8:1:1::222 set ext-community rt 65520:222 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 2001:db8:1:1::222 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 2001:db8:1:1::222 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::222 prefix ::/0 prefixlen 17 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::222 prefix ::/0 prefixlen 17 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 2001:db8:1:1::222 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::222 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::222 set ext-community delete rt 65520:222 + + + +allow quick from 2001:db8:1:1::222 + + + +# --------------------------------------------- +# client AS222_2, outbound + +deny quick to 2001:db8:1:1::222 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 2001:db8:1:1::222 community 65534:0 set community BLACKHOLE +match to 2001:db8:1:1::222 large-community 65534:0:0 set community BLACKHOLE + +match to 2001:db8:1:1::222 community BLACKHOLE set community NO_EXPORT +match to 2001:db8:1:1::222 community BLACKHOLE set nexthop 2001:db8:1:1::66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::222 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 2001:db8:1:1::222 community 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::222 ext-community rt 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::222 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 2001:db8:1:1::222 community 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::222 ext-community rt 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::222 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 2001:db8:1:1::222 community 65509:222 set community NO_EXPORT +match to 2001:db8:1:1::222 ext-community rt 65509:222 set community NO_EXPORT +match to 2001:db8:1:1::222 large-community 999:65509:222 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 2001:db8:1:1::222 community 65510:222 set community NO_ADVERTISE +match to 2001:db8:1:1::222 ext-community rt 65510:222 set community NO_ADVERTISE +match to 2001:db8:1:1::222 large-community 999:65510:222 set community NO_ADVERTISE + + +# BGP control communities +allow to 2001:db8:1:1::222 + +# do_not_announce_to_any +deny to 2001:db8:1:1::222 community 0:999 +deny to 2001:db8:1:1::222 ext-community rt 0:999 +deny to 2001:db8:1:1::222 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::222 community 0:222 +deny quick to 2001:db8:1:1::222 ext-community rt 0:222 +deny quick to 2001:db8:1:1::222 large-community 
999:0:222 + +# announce_to_peer +allow to 2001:db8:1:1::222 community 65501:222 +allow to 2001:db8:1:1::222 ext-community rt 65501:222 +allow to 2001:db8:1:1::222 large-community 999:65501:222 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::222 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS222; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:222 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:222 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:222 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS222; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:222 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:222 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:222 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS222; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::222 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS community 65523:222 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:222 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:222 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS 
community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS2_1, inbound + + + +# NEXT_HOP +match from 192.0.2.21 set community NO_ADVERTISE +match from 192.0.2.21 nexthop 192.0.2.21 set community delete NO_ADVERTISE +match from 192.0.2.21 nexthop 192.0.2.22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.21 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + 
ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.21 AS 23456' - reject code: 7 +allow quick from 192.0.2.21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB 
+ ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.21 AS { 3, 174 }' - reject code: 8 +allow quick from 192.0.2.21 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete 
$INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.21 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.21 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +match from 192.0.2.21 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS2_1, AS2: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.21 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. 
+match from 192.0.2.21 source-as as-set AS_SET_AS_AS2_AS_AS2_CUSTOMERS_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS2_AS_AS2_CUSTOMERS + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS2_1, AS2: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.21 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. +match from 192.0.2.21 prefix-set AS_SET_AS_AS2_AS_AS2_CUSTOMERS_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS2_AS_AS2_CUSTOMERS + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_REGISTROBRDB community have the prefix validated by a NICBR Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_REGISTROBRDB set ext-community delete $INTCOMM_IRR_REJECT + + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + 
ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? 
+match from 192.0.2.21 set ext-community delete rt 65520:2 + + +# Remove internal communities before accepting the route +match from 192.0.2.21 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.21 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.21 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.21 community BLACKHOLE set community 65530:4 +match from 192.0.2.21 community BLACKHOLE set large-community 999:65530:4 + +match from 192.0.2.21 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.21 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.21 community BLACKHOLE +allow quick from 192.0.2.21 community 65534:0 +allow quick from 192.0.2.21 large-community 65534:0:0 + + +match from 192.0.2.21 set ext-community rt 65520:2 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.21 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.21 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete 
$INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.21 community GRACEFUL_SHUTDOWN set community delete GRACEFUL_SHUTDOWN + +# Remove internal communities before accepting the route +match from 192.0.2.21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.21 set ext-community delete rt 65520:2 + + + +allow quick from 192.0.2.21 + + + +# --------------------------------------------- +# client AS2_1, outbound + +deny quick to 192.0.2.21 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 192.0.2.21 community 65534:0 set community BLACKHOLE +match to 192.0.2.21 large-community 65534:0:0 set community BLACKHOLE + +match to 192.0.2.21 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.21 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.21 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.21 community 65507:999 set community NO_EXPORT +match to 192.0.2.21 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.21 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.21 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.21 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.21 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.21 community 65509:2 set community NO_EXPORT +match to 192.0.2.21 ext-community rt 65509:2 set community NO_EXPORT +match to 192.0.2.21 large-community 999:65509:2 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.21 community 65510:2 set community NO_ADVERTISE +match to 192.0.2.21 ext-community rt 65510:2 set community NO_ADVERTISE +match to 192.0.2.21 large-community 999:65510:2 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.21 + +# do_not_announce_to_any +deny to 192.0.2.21 community 0:999 +deny to 192.0.2.21 ext-community rt 0:999 +deny to 192.0.2.21 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.21 community 0:2 +deny quick to 192.0.2.21 ext-community rt 0:2 +deny quick to 192.0.2.21 large-community 999:0:2 + +# announce_to_peer +allow to 192.0.2.21 community 65501:2 +allow to 192.0.2.21 ext-community rt 65501:2 +allow to 192.0.2.21 large-community 999:65501:2 + + +# Add the 
$INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:2 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:2 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:2 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS2_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::21 set community NO_ADVERTISE +match from 2001:db8:1:1::21 nexthop 2001:db8:1:1::21 set community delete NO_ADVERTISE +match from 2001:db8:1:1::21 nexthop 2001:db8:1:1::22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::21 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + 
ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete 
$INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 2001:db8:1:1::21 AS { 3, 174 }' - reject code: 8 +allow quick from 2001:db8:1:1::21 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community 
delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 2001:db8:1:1::21 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 2001:db8:1:1::21 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +match from 2001:db8:1:1::21 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS2_2, AS2: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::21 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. 
+match from 2001:db8:1:1::21 source-as as-set AS_SET_AS_AS2_AS_AS2_CUSTOMERS_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS2_AS_AS2_CUSTOMERS + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS2_2, AS2: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::21 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. +match from 2001:db8:1:1::21 prefix-set AS_SET_AS_AS2_AS_AS2_CUSTOMERS_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS2_AS_AS2_CUSTOMERS + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_REGISTROBRDB community have the prefix validated by a NICBR Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_REGISTROBRDB set ext-community delete $INTCOMM_IRR_REJECT + + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + 
ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db8:1:1::21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? 
+match from 2001:db8:1:1::21 set ext-community delete rt 65520:2 + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::21 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::21 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::21 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 2001:db8:1:1::21 community BLACKHOLE set community 65530:4 +match from 2001:db8:1:1::21 community BLACKHOLE set large-community 999:65530:4 + +match from 2001:db8:1:1::21 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 2001:db8:1:1::21 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 2001:db8:1:1::21 community BLACKHOLE +allow quick from 2001:db8:1:1::21 community 65534:0 +allow quick from 2001:db8:1:1::21 large-community 65534:0:0 + + +match from 2001:db8:1:1::21 set ext-community rt 65520:2 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 2001:db8:1:1::21 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 2001:db8:1:1::21 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::21 prefix ::/0 prefixlen 17 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::21 prefix ::/0 prefixlen 17 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete 
NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 2001:db8:1:1::21 community GRACEFUL_SHUTDOWN set community delete GRACEFUL_SHUTDOWN + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::21 set ext-community delete rt 65520:2 + + + +allow quick from 2001:db8:1:1::21 + + + +# --------------------------------------------- +# client AS2_2, outbound + +deny quick to 2001:db8:1:1::21 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 2001:db8:1:1::21 community 65534:0 set community BLACKHOLE +match to 2001:db8:1:1::21 large-community 65534:0:0 set community BLACKHOLE + +match to 2001:db8:1:1::21 community BLACKHOLE set community NO_EXPORT +match to 2001:db8:1:1::21 community BLACKHOLE set nexthop 2001:db8:1:1::66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::21 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 2001:db8:1:1::21 community 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::21 ext-community rt 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::21 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 2001:db8:1:1::21 community 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::21 ext-community rt 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::21 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 2001:db8:1:1::21 community 65509:2 set community NO_EXPORT +match to 2001:db8:1:1::21 ext-community rt 65509:2 set community NO_EXPORT +match to 2001:db8:1:1::21 large-community 999:65509:2 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 2001:db8:1:1::21 community 65510:2 set community NO_ADVERTISE +match to 2001:db8:1:1::21 ext-community rt 65510:2 set community NO_ADVERTISE +match to 2001:db8:1:1::21 large-community 999:65510:2 set community NO_ADVERTISE + + +# BGP control communities +allow to 2001:db8:1:1::21 + +# do_not_announce_to_any +deny to 2001:db8:1:1::21 community 0:999 +deny to 2001:db8:1:1::21 ext-community rt 0:999 +deny to 2001:db8:1:1::21 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::21 community 0:2 +deny quick to 2001:db8:1:1::21 ext-community rt 0:2 +deny quick to 2001:db8:1:1::21 large-community 999:0:2 + +# 
do_not_announce_to_peers_with_rtt_lower_than 20 ms +deny to 2001:db8:1:1::21 community 64530:20 +deny to 2001:db8:1:1::21 ext-community rt 64530:20 +deny to 2001:db8:1:1::21 large-community 999:64530:20 + + +# do_not_announce_to_peers_with_rtt_lower_than 30 ms +deny to 2001:db8:1:1::21 community 64530:30 +deny to 2001:db8:1:1::21 ext-community rt 64530:30 +deny to 2001:db8:1:1::21 large-community 999:64530:30 + + +# do_not_announce_to_peers_with_rtt_lower_than 50 ms +deny to 2001:db8:1:1::21 community 64530:50 +deny to 2001:db8:1:1::21 ext-community rt 64530:50 +deny to 2001:db8:1:1::21 large-community 999:64530:50 + + +# do_not_announce_to_peers_with_rtt_lower_than 100 ms +deny to 2001:db8:1:1::21 community 64530:100 +deny to 2001:db8:1:1::21 ext-community rt 64530:100 +deny to 2001:db8:1:1::21 large-community 999:64530:100 + + +# do_not_announce_to_peers_with_rtt_lower_than 200 ms +deny to 2001:db8:1:1::21 community 64530:200 +deny to 2001:db8:1:1::21 ext-community rt 64530:200 +deny to 2001:db8:1:1::21 large-community 999:64530:200 + + +# do_not_announce_to_peers_with_rtt_lower_than 500 ms +deny to 2001:db8:1:1::21 community 64530:500 +deny to 2001:db8:1:1::21 ext-community rt 64530:500 +deny to 2001:db8:1:1::21 large-community 999:64530:500 + + +# announce_to_peers_with_rtt_lower_than 20 ms +allow to 2001:db8:1:1::21 community 64532:20 +allow to 2001:db8:1:1::21 ext-community rt 64532:20 +allow to 2001:db8:1:1::21 large-community 999:64532:20 + + +# announce_to_peers_with_rtt_lower_than 30 ms +allow to 2001:db8:1:1::21 community 64532:30 +allow to 2001:db8:1:1::21 ext-community rt 64532:30 +allow to 2001:db8:1:1::21 large-community 999:64532:30 + + +# announce_to_peers_with_rtt_lower_than 50 ms +allow to 2001:db8:1:1::21 community 64532:50 +allow to 2001:db8:1:1::21 ext-community rt 64532:50 +allow to 2001:db8:1:1::21 large-community 999:64532:50 + + +# announce_to_peers_with_rtt_lower_than 100 ms +allow to 2001:db8:1:1::21 community 64532:100 +allow to 
2001:db8:1:1::21 ext-community rt 64532:100 +allow to 2001:db8:1:1::21 large-community 999:64532:100 + + +# announce_to_peers_with_rtt_lower_than 200 ms +allow to 2001:db8:1:1::21 community 64532:200 +allow to 2001:db8:1:1::21 ext-community rt 64532:200 +allow to 2001:db8:1:1::21 large-community 999:64532:200 + + +# announce_to_peers_with_rtt_lower_than 500 ms +allow to 2001:db8:1:1::21 community 64532:500 +allow to 2001:db8:1:1::21 ext-community rt 64532:500 +allow to 2001:db8:1:1::21 large-community 999:64532:500 + + +# do_not_announce_to_peers_with_rtt_higher_than 5 ms +deny to 2001:db8:1:1::21 community 64531:5 +deny to 2001:db8:1:1::21 ext-community rt 64531:5 +deny to 2001:db8:1:1::21 large-community 999:64531:5 + + +# do_not_announce_to_peers_with_rtt_higher_than 10 ms +deny to 2001:db8:1:1::21 community 64531:10 +deny to 2001:db8:1:1::21 ext-community rt 64531:10 +deny to 2001:db8:1:1::21 large-community 999:64531:10 + + +# do_not_announce_to_peers_with_rtt_higher_than 15 ms +deny to 2001:db8:1:1::21 community 64531:15 +deny to 2001:db8:1:1::21 ext-community rt 64531:15 +deny to 2001:db8:1:1::21 large-community 999:64531:15 + + +# announce_to_peers_with_rtt_higher_than 5 ms +allow to 2001:db8:1:1::21 community 64533:5 +allow to 2001:db8:1:1::21 ext-community rt 64533:5 +allow to 2001:db8:1:1::21 large-community 999:64533:5 + + +# announce_to_peers_with_rtt_higher_than 10 ms +allow to 2001:db8:1:1::21 community 64533:10 +allow to 2001:db8:1:1::21 ext-community rt 64533:10 +allow to 2001:db8:1:1::21 large-community 999:64533:10 + + +# announce_to_peers_with_rtt_higher_than 15 ms +allow to 2001:db8:1:1::21 community 64533:15 +allow to 2001:db8:1:1::21 ext-community rt 64533:15 +allow to 2001:db8:1:1::21 large-community 999:64533:15 + + +# announce_to_peer +allow to 2001:db8:1:1::21 community 65501:2 +allow to 2001:db8:1:1::21 ext-community rt 65501:2 +allow to 2001:db8:1:1::21 large-community 999:65501:2 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext 
community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:2 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:2 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:2 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:15 set { + prepend-neighbor 
3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:10 
set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS 
ext-community rt 64539:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 
2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:50 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:100 set { + 
prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS community 64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match 
to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS3_1, inbound + + + +# NEXT_HOP +match from 192.0.2.31 set community NO_ADVERTISE +match from 192.0.2.31 nexthop 192.0.2.31 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.31 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.31 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.31 peer-as != 3' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.31 peer-as != 3 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + 
ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.31 AS 23456' - reject code: 7 +allow quick from 192.0.2.31 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.31 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.31 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + 
ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.31 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.31 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.31 AS { 174 }' - reject code: 8 +allow quick from 192.0.2.31 AS { 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete 
$INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.31 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.31 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +# Prefix: client's blacklist +prefix-set "client_AS3_1_black_list_pref_ipv4" { + 3.0.1.0/24 prefixlen 24 - 32 + +} +# Reject inbound routes when 'from 192.0.2.31 prefix-set client_AS3_1_black_list_pref_ipv4' - reject code: 11 +allow quick from 192.0.2.31 prefix-set client_AS3_1_black_list_pref_ipv4 set { + localpref 1 + community 65520:0 + community 65520:11 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + 
ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Blackhole request? +match from 192.0.2.31 set ext-community delete rt 65520:3 + + +# Remove internal communities before accepting the route +match from 192.0.2.31 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.31 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.31 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community 
delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.31 community BLACKHOLE set community 65530:4 +match from 192.0.2.31 community BLACKHOLE set large-community 999:65530:4 + +match from 192.0.2.31 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.31 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.31 community BLACKHOLE +allow quick from 192.0.2.31 community 65534:0 +allow quick from 192.0.2.31 large-community 65534:0:0 + + +match from 192.0.2.31 set ext-community rt 65520:3 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.31 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.31 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.31 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 192.0.2.31 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.31 set ext-community delete rt 65520:3 + + + +allow quick from 192.0.2.31 + + + +# --------------------------------------------- +# client AS3_1, outbound + +deny quick to 192.0.2.31 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 192.0.2.31 community 65534:0 set community BLACKHOLE +match to 192.0.2.31 large-community 65534:0:0 set community BLACKHOLE + +match to 192.0.2.31 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.31 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.31 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.31 community 65507:999 set community NO_EXPORT +match to 192.0.2.31 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.31 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.31 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.31 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.31 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.31 community 65509:3 set community NO_EXPORT +match to 192.0.2.31 ext-community rt 65509:3 set community NO_EXPORT +match to 192.0.2.31 large-community 999:65509:3 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.31 community 65510:3 set community NO_ADVERTISE +match to 192.0.2.31 ext-community rt 65510:3 set community NO_ADVERTISE +match to 192.0.2.31 large-community 999:65510:3 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.31 + +# do_not_announce_to_any +deny to 192.0.2.31 community 0:999 +deny to 192.0.2.31 ext-community rt 0:999 +deny to 192.0.2.31 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.31 community 0:3 +deny quick to 192.0.2.31 ext-community rt 0:3 +deny quick to 192.0.2.31 large-community 999:0:3 + +# announce_to_peer +allow to 192.0.2.31 community 65501:3 +allow to 192.0.2.31 ext-community rt 65501:3 +allow to 192.0.2.31 large-community 999:65501:3 + + +# Add the 
$INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:3 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:3 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:3 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS3_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::31 set community NO_ADVERTISE +match from 2001:db8:1:1::31 nexthop 2001:db8:1:1::31 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::31 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::31 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::31 peer-as != 3' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::31 peer-as != 3 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + 
ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 2001:db8:1:1::31 AS { 174 }' - reject code: 8 +allow quick from 2001:db8:1:1::31 AS { 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 2001:db8:1:1::31 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 2001:db8:1:1::31 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +# Prefix: client's blacklist +prefix-set "client_AS3_2_black_list_pref_ipv6" { + 2a03:0:1::/48 prefixlen 48 - 128 + +} +# Reject inbound routes when 'from 2001:db8:1:1::31 prefix-set client_AS3_2_black_list_pref_ipv6' - reject code: 11 +allow quick from 2001:db8:1:1::31 prefix-set client_AS3_2_black_list_pref_ipv6 set { + localpref 1 + community 65520:0 + community 65520:11 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Blackhole request? +match from 2001:db8:1:1::31 set ext-community delete rt 65520:3 + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::31 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::31 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::31 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + 
ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 2001:db8:1:1::31 community BLACKHOLE set community 65530:4 +match from 2001:db8:1:1::31 community BLACKHOLE set large-community 999:65530:4 + +match from 2001:db8:1:1::31 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 2001:db8:1:1::31 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 2001:db8:1:1::31 community BLACKHOLE +allow quick from 2001:db8:1:1::31 community 65534:0 +allow quick from 2001:db8:1:1::31 large-community 65534:0:0 + + +match from 2001:db8:1:1::31 set ext-community rt 65520:3 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 2001:db8:1:1::31 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 2001:db8:1:1::31 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::31 prefix ::/0 prefixlen 17 >< 48' - reject 
code: 13 +allow quick from 2001:db8:1:1::31 prefix ::/0 prefixlen 17 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 2001:db8:1:1::31 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::31 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::31 set ext-community delete rt 65520:3 + + + +allow quick from 2001:db8:1:1::31 + + + +# --------------------------------------------- +# client AS3_2, outbound + +deny quick to 2001:db8:1:1::31 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 2001:db8:1:1::31 community 65534:0 set community BLACKHOLE +match to 2001:db8:1:1::31 large-community 65534:0:0 set community BLACKHOLE + +match to 2001:db8:1:1::31 community BLACKHOLE set community NO_EXPORT +match to 2001:db8:1:1::31 community BLACKHOLE set nexthop 2001:db8:1:1::66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::31 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 2001:db8:1:1::31 community 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::31 ext-community rt 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::31 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 2001:db8:1:1::31 community 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::31 ext-community rt 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::31 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 2001:db8:1:1::31 community 65509:3 set community NO_EXPORT +match to 2001:db8:1:1::31 ext-community rt 65509:3 set community NO_EXPORT +match to 2001:db8:1:1::31 large-community 999:65509:3 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 2001:db8:1:1::31 community 65510:3 set community NO_ADVERTISE +match to 2001:db8:1:1::31 ext-community rt 65510:3 set community NO_ADVERTISE +match to 2001:db8:1:1::31 large-community 999:65510:3 set community NO_ADVERTISE + + +# BGP control communities +allow to 2001:db8:1:1::31 + +# do_not_announce_to_any +deny to 2001:db8:1:1::31 community 0:999 +deny to 2001:db8:1:1::31 ext-community rt 0:999 +deny to 2001:db8:1:1::31 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::31 community 0:3 +deny quick to 2001:db8:1:1::31 ext-community rt 0:3 +deny quick to 2001:db8:1:1::31 large-community 999:0:3 + +# 
do_not_announce_to_peers_with_rtt_lower_than 200 ms +deny to 2001:db8:1:1::31 community 64530:200 +deny to 2001:db8:1:1::31 ext-community rt 64530:200 +deny to 2001:db8:1:1::31 large-community 999:64530:200 + + +# do_not_announce_to_peers_with_rtt_lower_than 500 ms +deny to 2001:db8:1:1::31 community 64530:500 +deny to 2001:db8:1:1::31 ext-community rt 64530:500 +deny to 2001:db8:1:1::31 large-community 999:64530:500 + + +# announce_to_peers_with_rtt_lower_than 200 ms +allow to 2001:db8:1:1::31 community 64532:200 +allow to 2001:db8:1:1::31 ext-community rt 64532:200 +allow to 2001:db8:1:1::31 large-community 999:64532:200 + + +# announce_to_peers_with_rtt_lower_than 500 ms +allow to 2001:db8:1:1::31 community 64532:500 +allow to 2001:db8:1:1::31 ext-community rt 64532:500 +allow to 2001:db8:1:1::31 large-community 999:64532:500 + + +# do_not_announce_to_peers_with_rtt_higher_than 5 ms +deny to 2001:db8:1:1::31 community 64531:5 +deny to 2001:db8:1:1::31 ext-community rt 64531:5 +deny to 2001:db8:1:1::31 large-community 999:64531:5 + + +# do_not_announce_to_peers_with_rtt_higher_than 10 ms +deny to 2001:db8:1:1::31 community 64531:10 +deny to 2001:db8:1:1::31 ext-community rt 64531:10 +deny to 2001:db8:1:1::31 large-community 999:64531:10 + + +# do_not_announce_to_peers_with_rtt_higher_than 15 ms +deny to 2001:db8:1:1::31 community 64531:15 +deny to 2001:db8:1:1::31 ext-community rt 64531:15 +deny to 2001:db8:1:1::31 large-community 999:64531:15 + + +# do_not_announce_to_peers_with_rtt_higher_than 20 ms +deny to 2001:db8:1:1::31 community 64531:20 +deny to 2001:db8:1:1::31 ext-community rt 64531:20 +deny to 2001:db8:1:1::31 large-community 999:64531:20 + + +# do_not_announce_to_peers_with_rtt_higher_than 30 ms +deny to 2001:db8:1:1::31 community 64531:30 +deny to 2001:db8:1:1::31 ext-community rt 64531:30 +deny to 2001:db8:1:1::31 large-community 999:64531:30 + + +# do_not_announce_to_peers_with_rtt_higher_than 50 ms +deny to 2001:db8:1:1::31 community 64531:50 
+deny to 2001:db8:1:1::31 ext-community rt 64531:50 +deny to 2001:db8:1:1::31 large-community 999:64531:50 + + +# do_not_announce_to_peers_with_rtt_higher_than 100 ms +deny to 2001:db8:1:1::31 community 64531:100 +deny to 2001:db8:1:1::31 ext-community rt 64531:100 +deny to 2001:db8:1:1::31 large-community 999:64531:100 + + +# announce_to_peers_with_rtt_higher_than 5 ms +allow to 2001:db8:1:1::31 community 64533:5 +allow to 2001:db8:1:1::31 ext-community rt 64533:5 +allow to 2001:db8:1:1::31 large-community 999:64533:5 + + +# announce_to_peers_with_rtt_higher_than 10 ms +allow to 2001:db8:1:1::31 community 64533:10 +allow to 2001:db8:1:1::31 ext-community rt 64533:10 +allow to 2001:db8:1:1::31 large-community 999:64533:10 + + +# announce_to_peers_with_rtt_higher_than 15 ms +allow to 2001:db8:1:1::31 community 64533:15 +allow to 2001:db8:1:1::31 ext-community rt 64533:15 +allow to 2001:db8:1:1::31 large-community 999:64533:15 + + +# announce_to_peers_with_rtt_higher_than 20 ms +allow to 2001:db8:1:1::31 community 64533:20 +allow to 2001:db8:1:1::31 ext-community rt 64533:20 +allow to 2001:db8:1:1::31 large-community 999:64533:20 + + +# announce_to_peers_with_rtt_higher_than 30 ms +allow to 2001:db8:1:1::31 community 64533:30 +allow to 2001:db8:1:1::31 ext-community rt 64533:30 +allow to 2001:db8:1:1::31 large-community 999:64533:30 + + +# announce_to_peers_with_rtt_higher_than 50 ms +allow to 2001:db8:1:1::31 community 64533:50 +allow to 2001:db8:1:1::31 ext-community rt 64533:50 +allow to 2001:db8:1:1::31 large-community 999:64533:50 + + +# announce_to_peers_with_rtt_higher_than 100 ms +allow to 2001:db8:1:1::31 community 64533:100 +allow to 2001:db8:1:1::31 ext-community rt 64533:100 +allow to 2001:db8:1:1::31 large-community 999:64533:100 + + +# announce_to_peer +allow to 2001:db8:1:1::31 community 65501:3 +allow to 2001:db8:1:1::31 ext-community rt 65501:3 +allow to 2001:db8:1:1::31 large-community 999:65501:3 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext 
community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:3 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:3 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:3 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:100 set { + 
prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS 
ext-community rt 64539:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 
2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:15 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:10 set { + prepend-neighbor 
3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:5 set { + 
prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS community 64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64534:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64535:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match 
to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64536:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS4_1, inbound + + + +# NEXT_HOP +match from 192.0.2.41 set community NO_ADVERTISE +match from 192.0.2.41 nexthop 192.0.2.41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.41 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + 
ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.41 AS 23456' - reject code: 7 +allow quick from 192.0.2.41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + 
ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.41 AS { 3, 174 }' - reject code: 8 +allow quick from 192.0.2.41 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete 
$INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.41 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.41 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + +# Blackhole request? 
+match from 192.0.2.41 set ext-community delete rt 65520:4 + + +# Remove internal communities before accepting the route +match from 192.0.2.41 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.41 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.41 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.41 community BLACKHOLE set community 65530:4 +match from 192.0.2.41 community BLACKHOLE set large-community 999:65530:4 + +match from 192.0.2.41 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.41 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.41 community BLACKHOLE +allow quick from 192.0.2.41 community 65534:0 +allow quick from 192.0.2.41 large-community 65534:0:0 + + +match from 192.0.2.41 set ext-community rt 65520:4 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.41 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.41 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete 
$INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.41 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 192.0.2.41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.41 set ext-community delete rt 65520:4 + + + +allow quick from 192.0.2.41 + + + +# --------------------------------------------- +# client AS4_1, outbound + +deny quick to 192.0.2.41 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 192.0.2.41 community 65534:0 set community BLACKHOLE +match to 192.0.2.41 large-community 65534:0:0 set community BLACKHOLE + +match to 192.0.2.41 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.41 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.41 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.41 community 65507:999 set community NO_EXPORT +match to 192.0.2.41 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.41 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.41 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.41 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.41 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.41 community 65509:4 set community NO_EXPORT +match to 192.0.2.41 ext-community rt 65509:4 set community NO_EXPORT +match to 192.0.2.41 large-community 999:65509:4 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.41 community 65510:4 set community NO_ADVERTISE +match to 192.0.2.41 ext-community rt 65510:4 set community NO_ADVERTISE +match to 192.0.2.41 large-community 999:65510:4 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.41 + +# do_not_announce_to_any +deny to 192.0.2.41 community 0:999 +deny to 192.0.2.41 ext-community rt 0:999 +deny to 192.0.2.41 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.41 community 0:4 +deny quick to 192.0.2.41 ext-community rt 0:4 +deny quick to 192.0.2.41 large-community 999:0:4 + +# announce_to_peer +allow to 192.0.2.41 community 65501:4 +allow to 192.0.2.41 ext-community rt 65501:4 +allow to 192.0.2.41 large-community 999:65501:4 + + +# Add the 
$INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:4 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:4 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:4 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:4 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:4 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:4 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS4_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::41 set community NO_ADVERTISE +match from 2001:db8:1:1::41 nexthop 2001:db8:1:1::41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::41 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + 
ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 2001:db8:1:1::41 AS { 3, 174 }' - reject code: 8 +allow quick from 2001:db8:1:1::41 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 2001:db8:1:1::41 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 2001:db8:1:1::41 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + +# Blackhole request? 
+match from 2001:db8:1:1::41 set ext-community delete rt 65520:4 + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::41 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::41 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::41 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 2001:db8:1:1::41 community BLACKHOLE set community 65530:4 +match from 2001:db8:1:1::41 community BLACKHOLE set large-community 999:65530:4 + +match from 2001:db8:1:1::41 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 2001:db8:1:1::41 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 2001:db8:1:1::41 community BLACKHOLE +allow quick from 2001:db8:1:1::41 community 65534:0 +allow quick from 2001:db8:1:1::41 large-community 65534:0:0 + + +match from 2001:db8:1:1::41 set ext-community rt 65520:4 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 2001:db8:1:1::41 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 2001:db8:1:1::41 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::41 prefix ::/0 prefixlen 17 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::41 prefix ::/0 prefixlen 17 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete 
NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 2001:db8:1:1::41 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::41 set ext-community delete rt 65520:4 + + + +allow quick from 2001:db8:1:1::41 + + + +# --------------------------------------------- +# client AS4_2, outbound + +deny quick to 2001:db8:1:1::41 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 2001:db8:1:1::41 community 65534:0 set community BLACKHOLE +match to 2001:db8:1:1::41 large-community 65534:0:0 set community BLACKHOLE + +match to 2001:db8:1:1::41 community BLACKHOLE set community NO_EXPORT +match to 2001:db8:1:1::41 community BLACKHOLE set nexthop 2001:db8:1:1::66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::41 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 2001:db8:1:1::41 community 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::41 ext-community rt 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::41 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 2001:db8:1:1::41 community 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::41 ext-community rt 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::41 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 2001:db8:1:1::41 community 65509:4 set community NO_EXPORT +match to 2001:db8:1:1::41 ext-community rt 65509:4 set community NO_EXPORT +match to 2001:db8:1:1::41 large-community 999:65509:4 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 2001:db8:1:1::41 community 65510:4 set community NO_ADVERTISE +match to 2001:db8:1:1::41 ext-community rt 65510:4 set community NO_ADVERTISE +match to 2001:db8:1:1::41 large-community 999:65510:4 set community NO_ADVERTISE + + +# BGP control communities +allow to 2001:db8:1:1::41 + +# do_not_announce_to_any +deny to 2001:db8:1:1::41 community 0:999 +deny to 2001:db8:1:1::41 ext-community rt 0:999 +deny to 2001:db8:1:1::41 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::41 community 0:4 +deny quick to 2001:db8:1:1::41 ext-community rt 0:4 +deny quick to 2001:db8:1:1::41 large-community 999:0:4 + +# 
do_not_announce_to_peers_with_rtt_higher_than 5 ms +deny to 2001:db8:1:1::41 community 64531:5 +deny to 2001:db8:1:1::41 ext-community rt 64531:5 +deny to 2001:db8:1:1::41 large-community 999:64531:5 + + +# do_not_announce_to_peers_with_rtt_higher_than 10 ms +deny to 2001:db8:1:1::41 community 64531:10 +deny to 2001:db8:1:1::41 ext-community rt 64531:10 +deny to 2001:db8:1:1::41 large-community 999:64531:10 + + +# do_not_announce_to_peers_with_rtt_higher_than 15 ms +deny to 2001:db8:1:1::41 community 64531:15 +deny to 2001:db8:1:1::41 ext-community rt 64531:15 +deny to 2001:db8:1:1::41 large-community 999:64531:15 + + +# do_not_announce_to_peers_with_rtt_higher_than 20 ms +deny to 2001:db8:1:1::41 community 64531:20 +deny to 2001:db8:1:1::41 ext-community rt 64531:20 +deny to 2001:db8:1:1::41 large-community 999:64531:20 + + +# do_not_announce_to_peers_with_rtt_higher_than 30 ms +deny to 2001:db8:1:1::41 community 64531:30 +deny to 2001:db8:1:1::41 ext-community rt 64531:30 +deny to 2001:db8:1:1::41 large-community 999:64531:30 + + +# do_not_announce_to_peers_with_rtt_higher_than 50 ms +deny to 2001:db8:1:1::41 community 64531:50 +deny to 2001:db8:1:1::41 ext-community rt 64531:50 +deny to 2001:db8:1:1::41 large-community 999:64531:50 + + +# do_not_announce_to_peers_with_rtt_higher_than 100 ms +deny to 2001:db8:1:1::41 community 64531:100 +deny to 2001:db8:1:1::41 ext-community rt 64531:100 +deny to 2001:db8:1:1::41 large-community 999:64531:100 + + +# do_not_announce_to_peers_with_rtt_higher_than 200 ms +deny to 2001:db8:1:1::41 community 64531:200 +deny to 2001:db8:1:1::41 ext-community rt 64531:200 +deny to 2001:db8:1:1::41 large-community 999:64531:200 + + +# do_not_announce_to_peers_with_rtt_higher_than 500 ms +deny to 2001:db8:1:1::41 community 64531:500 +deny to 2001:db8:1:1::41 ext-community rt 64531:500 +deny to 2001:db8:1:1::41 large-community 999:64531:500 + + +# announce_to_peers_with_rtt_higher_than 5 ms +allow to 2001:db8:1:1::41 community 64533:5 
+allow to 2001:db8:1:1::41 ext-community rt 64533:5 +allow to 2001:db8:1:1::41 large-community 999:64533:5 + + +# announce_to_peers_with_rtt_higher_than 10 ms +allow to 2001:db8:1:1::41 community 64533:10 +allow to 2001:db8:1:1::41 ext-community rt 64533:10 +allow to 2001:db8:1:1::41 large-community 999:64533:10 + + +# announce_to_peers_with_rtt_higher_than 15 ms +allow to 2001:db8:1:1::41 community 64533:15 +allow to 2001:db8:1:1::41 ext-community rt 64533:15 +allow to 2001:db8:1:1::41 large-community 999:64533:15 + + +# announce_to_peers_with_rtt_higher_than 20 ms +allow to 2001:db8:1:1::41 community 64533:20 +allow to 2001:db8:1:1::41 ext-community rt 64533:20 +allow to 2001:db8:1:1::41 large-community 999:64533:20 + + +# announce_to_peers_with_rtt_higher_than 30 ms +allow to 2001:db8:1:1::41 community 64533:30 +allow to 2001:db8:1:1::41 ext-community rt 64533:30 +allow to 2001:db8:1:1::41 large-community 999:64533:30 + + +# announce_to_peers_with_rtt_higher_than 50 ms +allow to 2001:db8:1:1::41 community 64533:50 +allow to 2001:db8:1:1::41 ext-community rt 64533:50 +allow to 2001:db8:1:1::41 large-community 999:64533:50 + + +# announce_to_peers_with_rtt_higher_than 100 ms +allow to 2001:db8:1:1::41 community 64533:100 +allow to 2001:db8:1:1::41 ext-community rt 64533:100 +allow to 2001:db8:1:1::41 large-community 999:64533:100 + + +# announce_to_peers_with_rtt_higher_than 200 ms +allow to 2001:db8:1:1::41 community 64533:200 +allow to 2001:db8:1:1::41 ext-community rt 64533:200 +allow to 2001:db8:1:1::41 large-community 999:64533:200 + + +# announce_to_peers_with_rtt_higher_than 500 ms +allow to 2001:db8:1:1::41 community 64533:500 +allow to 2001:db8:1:1::41 ext-community rt 64533:500 +allow to 2001:db8:1:1::41 large-community 999:64533:500 + + +# announce_to_peer +allow to 2001:db8:1:1::41 community 65501:4 +allow to 2001:db8:1:1::41 ext-community rt 65501:4 +allow to 2001:db8:1:1::41 large-community 999:65501:4 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS 
ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:4 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:4 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:4 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:4 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:4 set { + prepend-neighbor 3 + ext-community 
delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:4 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:500 set { + 
prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} 
+match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:50 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:30 set { + prepend-neighbor 
3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:20 
set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS community 64539:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 
2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64537:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64537:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64537:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64538:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64538:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64538:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending 
actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64539:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64539:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64539:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + + + +# Scrub communities from outbound routes +# add_noadvertise_to_any +match to group clients set community delete 65508:999 +match to group clients set ext-community delete rt 65508:999 +match to group clients set large-community delete 999:65508:999 + +# add_noadvertise_to_peer +match to group clients set community delete 65510:* +match to group clients set ext-community delete rt 65510:* +match to group clients set large-community delete 999:65510:* + +# add_noexport_to_any +match to group clients set community delete 65507:999 +match to group clients set ext-community delete rt 65507:999 +match to group clients set large-community delete 999:65507:999 + +# add_noexport_to_peer +match to group clients set community delete 65509:* +match to group clients set ext-community delete rt 65509:* +match to group clients set large-community delete 999:65509:* + +# announce_to_peer +match to group clients set community delete 65501:* +match to group clients set ext-community delete rt 65501:* +match to group clients set large-community delete 999:65501:* + +# announce_to_peers_with_rtt_higher_than +match to group clients set community delete 64533:* +match to group clients set ext-community delete rt 64533:* +match to group clients set large-community delete 999:64533:* + +# announce_to_peers_with_rtt_lower_than +match to group clients set community delete 64532:* +match to group clients set ext-community delete rt 64532:* +match to group clients set 
large-community delete 999:64532:* + +# blackholing +match to group clients set community delete 65534:0 +match to group clients set large-community delete 65534:0:0 + +# do_not_announce_to_any +match to group clients set community delete 0:999 +match to group clients set ext-community delete rt 0:999 +match to group clients set large-community delete 999:0:999 + +# do_not_announce_to_peer +match to group clients set community delete 0:* +match to group clients set ext-community delete rt 0:* +match to group clients set large-community delete 999:0:* + +# do_not_announce_to_peers_with_rtt_higher_than +match to group clients set community delete 64531:* +match to group clients set ext-community delete rt 64531:* +match to group clients set large-community delete 999:64531:* + +# do_not_announce_to_peers_with_rtt_lower_than +match to group clients set community delete 64530:* +match to group clients set ext-community delete rt 64530:* +match to group clients set large-community delete 999:64530:* + +# prepend_once_to_any +match to group clients set community delete 65521:65521 +match to group clients set ext-community delete rt 65521:65521 +match to group clients set large-community delete 999:65521:65521 + +# prepend_once_to_peer +match to group clients set community delete 65521:* +match to group clients set ext-community delete rt 65521:* +match to group clients set large-community delete 999:65521:* + +# prepend_once_to_peers_with_rtt_higher_than +match to group clients set community delete 64537:* +match to group clients set ext-community delete rt 64537:* +match to group clients set large-community delete 999:64537:* + +# prepend_once_to_peers_with_rtt_lower_than +match to group clients set community delete 64534:* +match to group clients set ext-community delete rt 64534:* +match to group clients set large-community delete 999:64534:* + +# prepend_thrice_to_any +match to group clients set community delete 65523:65523 +match to group clients set ext-community 
delete rt 65523:65523 +match to group clients set large-community delete 999:65523:65523 + +# prepend_thrice_to_peer +match to group clients set community delete 65523:* +match to group clients set ext-community delete rt 65523:* +match to group clients set large-community delete 999:65523:* + +# prepend_thrice_to_peers_with_rtt_higher_than +match to group clients set community delete 64539:* +match to group clients set ext-community delete rt 64539:* +match to group clients set large-community delete 999:64539:* + +# prepend_thrice_to_peers_with_rtt_lower_than +match to group clients set community delete 64536:* +match to group clients set ext-community delete rt 64536:* +match to group clients set large-community delete 999:64536:* + +# prepend_twice_to_any +match to group clients set community delete 65522:65522 +match to group clients set ext-community delete rt 65522:65522 +match to group clients set large-community delete 999:65522:65522 + +# prepend_twice_to_peer +match to group clients set community delete 65522:* +match to group clients set ext-community delete rt 65522:* +match to group clients set large-community delete 999:65522:* + +# prepend_twice_to_peers_with_rtt_higher_than +match to group clients set community delete 64538:* +match to group clients set ext-community delete rt 64538:* +match to group clients set large-community delete 999:64538:* + +# prepend_twice_to_peers_with_rtt_lower_than +match to group clients set community delete 64535:* +match to group clients set ext-community delete rt 64535:* +match to group clients set large-community delete 999:64535:* + +# reject_cause +match to group clients set community delete 65520:* + +# reject_cause_map_6 +match to group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match to group clients set ext-community delete rt 65520:* + + +# Scrub prepending communities +match to group clients set { + community delete 65521:65521 + ext-community delete rt 65521:65521 + 
large-community delete 999:65521:65521 + +} +match to group clients set { + community delete 65521:* + ext-community delete rt 65521:* + large-community delete 999:65521:* + +} +match to group clients set { + community delete 64537:* + ext-community delete rt 64537:* + large-community delete 999:64537:* + +} +match to group clients set { + community delete 64534:* + ext-community delete rt 64534:* + large-community delete 999:64534:* + +} +match to group clients set { + community delete 65523:65523 + ext-community delete rt 65523:65523 + large-community delete 999:65523:65523 + +} +match to group clients set { + community delete 65523:* + ext-community delete rt 65523:* + large-community delete 999:65523:* + +} +match to group clients set { + community delete 64539:* + ext-community delete rt 64539:* + large-community delete 999:64539:* + +} +match to group clients set { + community delete 64536:* + ext-community delete rt 64536:* + large-community delete 999:64536:* + +} +match to group clients set { + community delete 65522:65522 + ext-community delete rt 65522:65522 + large-community delete 999:65522:65522 + +} +match to group clients set { + community delete 65522:* + ext-community delete rt 65522:* + large-community delete 999:65522:* + +} +match to group clients set { + community delete 64538:* + ext-community delete rt 64538:* + large-community delete 999:64538:* + +} +match to group clients set { + community delete 64535:* + ext-community delete rt 64535:* + large-community delete 999:64535:* + +} + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community 
delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +include "/etc/bgpd/post-filters.local" + + diff --git a/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/AS101.txt b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/AS101.txt new file mode 100644 index 00000000..6fcbe9f9 --- /dev/null +++ b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/AS101.txt 
@@ -0,0 +1,588 @@ +1.0.1.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +1.0.1.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.12, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +1.0.1.0/24, AS_PATH: 2 1, NEXT_HOP: 192.0.2.11, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +1.0.2.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +1.0.2.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.12, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +1.0.2.0/24, AS_PATH: 2 1, NEXT_HOP: 192.0.2.11, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +1.0.3.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.12, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +1.0.3.0/24, AS_PATH: 2 1, NEXT_HOP: 192.0.2.11, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +10.0.0.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +11.1.1.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +11.1.1.0/24, AS_PATH: 2 1 1011, NEXT_HOP: 192.0.2.11, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +11.1.2.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +11.2.1.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: 
True, LOCAL_PREF: 100 + filtered: False () + +11.3.0.0/16, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +11.3.0.0/16, AS_PATH: 2 1 1011, NEXT_HOP: 192.0.2.11, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +11.3.1.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +11.4.1.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +11.4.1.0/24, AS_PATH: 2 1 1000, NEXT_HOP: 192.0.2.11, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +128.0.0.0/10, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +128.0.0.0/7, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +128.0.0.0/8, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +128.0.0.0/9, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +192.0.2.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.1.0/24, AS_PATH: 1 2, NEXT_HOP: 192.0.2.21, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2.0.1.0/24, AS_PATH: 1 2, NEXT_HOP: 192.0.2.21, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2.0.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std 
comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.2.0/24, AS_PATH: 1 2, NEXT_HOP: 192.0.2.21, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2.0.2.0/24, AS_PATH: 1 2, NEXT_HOP: 192.0.2.21, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2.0.2.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.1/32, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.2/32, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.3/32, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.4.0/24, AS_PATH: 1 2, NEXT_HOP: 192.0.2.22, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2.0.4.0/24, AS_PATH: 1 2, NEXT_HOP: 192.0.2.22, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2.0.4.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.5.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +222.2.2.0/24, AS_PATH: 1 222 333, NEXT_HOP: 192.0.2.222, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +222.2.2.0/24, AS_PATH: 1 222 333, NEXT_HOP: 192.0.2.222, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +222.2.2.0/24, AS_PATH: 2 222 
333, NEXT_HOP: 192.0.2.222, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +222.3.3.0/24, AS_PATH: 1 222 333, NEXT_HOP: 192.0.2.222, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +222.3.3.0/24, AS_PATH: 1 222 333, NEXT_HOP: 192.0.2.222, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +222.3.3.0/24, AS_PATH: 2 222 333, NEXT_HOP: 192.0.2.222, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3.0.10.0/24, AS_PATH: 1 3 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3.0.10.0/24, AS_PATH: 1 3 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3.0.10.0/24, AS_PATH: 2 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.12.0/24, AS_PATH: 2 3 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.2.0/24, AS_PATH: 1 3, NEXT_HOP: 192.0.2.31, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.2.0/24, AS_PATH: 1 3, NEXT_HOP: 192.0.2.31, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3.0.3.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.31, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.5.0/24, AS_PATH: 1 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.5.0/24, AS_PATH: 1 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.12 + std comms: + ext 
comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3.0.5.0/24, AS_PATH: 2 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3.0.6.0/24, AS_PATH: 1 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.6.0/24, AS_PATH: 1 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3.0.6.0/24, AS_PATH: 2 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3.0.7.0/24, AS_PATH: 1 3 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.7.0/24, AS_PATH: 1 3 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3.0.7.0/24, AS_PATH: 2 3 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3.0.8.0/24, AS_PATH: 1 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3.0.8.0/24, AS_PATH: 1 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3.0.8.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.31, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.9.0/24, AS_PATH: 1 3, NEXT_HOP: 192.0.2.31, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.9.0/24, AS_PATH: 1 3, NEXT_HOP: 192.0.2.31, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + 
+3.0.9.0/24, AS_PATH: 2 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +4.0.1.0/24, AS_PATH: 1 4, NEXT_HOP: 192.0.2.41, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.1.0/24, AS_PATH: 1 4, NEXT_HOP: 192.0.2.41, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +4.0.10.0/24, AS_PATH: 1 4, NEXT_HOP: 192.0.2.41, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.10.0/24, AS_PATH: 1 4, NEXT_HOP: 192.0.2.41, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +4.0.10.0/24, AS_PATH: 2 4 4, NEXT_HOP: 192.0.2.41, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +4.0.2.0/24, AS_PATH: 1 4, NEXT_HOP: 192.0.2.41, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.2.0/24, AS_PATH: 1 4, NEXT_HOP: 192.0.2.41, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +4.0.3.0/24, AS_PATH: 1 4, NEXT_HOP: 192.0.2.41, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.3.0/24, AS_PATH: 1 4, NEXT_HOP: 192.0.2.41, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +4.0.4.0/24, AS_PATH: 1 4, NEXT_HOP: 192.0.2.41, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.4.0/24, AS_PATH: 1 4, NEXT_HOP: 192.0.2.41, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +4.0.5.0/24, AS_PATH: 1 4, NEXT_HOP: 192.0.2.41, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: 
True, LOCAL_PREF: 100 + filtered: False () + +4.0.5.0/24, AS_PATH: 1 4, NEXT_HOP: 192.0.2.41, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +4.0.6.0/24, AS_PATH: 2 4, NEXT_HOP: 192.0.2.41, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.8.0/24, AS_PATH: 1 4, NEXT_HOP: 192.0.2.41, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.8.0/24, AS_PATH: 1 4, NEXT_HOP: 192.0.2.41, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +4.0.8.0/24, AS_PATH: 2 4 4 4, NEXT_HOP: 192.0.2.41, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +4.0.9.0/24, AS_PATH: 1 4 4 4 4, NEXT_HOP: 192.0.2.41, via 192.0.2.11 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +4.0.9.0/24, AS_PATH: 1 4 4 4 4, NEXT_HOP: 192.0.2.41, via 192.0.2.12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +4.0.9.0/24, AS_PATH: 2 4 4 4, NEXT_HOP: 192.0.2.41, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/AS1_1.txt b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/AS1_1.txt new file mode 100644 index 00000000..3a6fd1d4 --- /dev/null +++ b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/AS1_1.txt 
@@ -0,0 +1,350 @@ +101.0.1.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.10.0/24, AS_PATH: 101 666, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.11.0/24, AS_PATH: 101 777, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.128.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.128.1/32, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: 65535:666 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.2.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: 65530:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.3.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: 999:65530:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.4.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: 888:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.5.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: 888:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.6.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: 65530:1, 777:0 + ext comms: + lrg comms: 777:0:0, 999:65530:1 + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.7.0/24, AS_PATH: 101 174, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.8.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, 
LOCAL_PREF: 100 + filtered: False () + +101.0.9.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.1.0.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.2.0.0/17, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.2.1.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.2.128.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.3.0.0/24, AS_PATH: 101 105, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +102.0.1.0/24, AS_PATH: 101 102, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +103.0.1.0/24, AS_PATH: 101 103, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +103.0.2.0/24, AS_PATH: 101 101 103, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +104.0.1.0/24, AS_PATH: 101 104, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +104.1.1.0/24, AS_PATH: 101 104, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.2.0/24, 
AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.1/32, AS_PATH: 2, NEXT_HOP: 192.0.2.66, via 192.0.2.2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.2/32, AS_PATH: 2, NEXT_HOP: 192.0.2.66, via 192.0.2.2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.3/32, AS_PATH: 2, NEXT_HOP: 192.0.2.66, via 192.0.2.2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.4.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.22, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +222.2.2.0/24, AS_PATH: 222 333, NEXT_HOP: 192.0.2.222, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +222.3.3.0/24, AS_PATH: 222 333, NEXT_HOP: 192.0.2.222, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.10.0/24, AS_PATH: 3 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.11.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.12.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.13.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.2.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + 
filtered: False () + +3.0.5.0/24, AS_PATH: 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.6.0/24, AS_PATH: 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.7.0/24, AS_PATH: 3 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.8.0/24, AS_PATH: 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.9.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.1.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.10.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.2.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.3.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.4.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.5.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.7.1/32, AS_PATH: 4, NEXT_HOP: 192.0.2.66, via 192.0.2.2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.8.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext 
comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.9.0/24, AS_PATH: 4 4 4 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/AS1_2.txt b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/AS1_2.txt new file mode 100644 index 00000000..8642e190 --- /dev/null +++ b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/AS1_2.txt 
@@ -0,0 +1,322 @@ +101.0.1.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.10.0/24, AS_PATH: 101 666, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.11.0/24, AS_PATH: 101 777, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.128.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.128.1/32, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: 65535:666 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.2.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: 65530:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.3.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: 999:65530:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.4.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: 888:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.5.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: 888:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.6.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: 65530:1, 777:0 + ext comms: + lrg comms: 777:0:0, 999:65530:1 + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.7.0/24, AS_PATH: 101 174, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.8.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, 
LOCAL_PREF: 100 + filtered: False () + +101.0.9.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.1.0.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.2.0.0/17, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.2.1.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.2.128.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.3.0.0/24, AS_PATH: 101 105, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +102.0.1.0/24, AS_PATH: 101 102, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +103.0.1.0/24, AS_PATH: 101 103, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +103.0.2.0/24, AS_PATH: 101 101 103, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +104.0.1.0/24, AS_PATH: 101 104, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +104.1.1.0/24, AS_PATH: 101 104, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.2.0/24, 
AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.4.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.22, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +222.2.2.0/24, AS_PATH: 222 333, NEXT_HOP: 192.0.2.222, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +222.3.3.0/24, AS_PATH: 222 333, NEXT_HOP: 192.0.2.222, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.10.0/24, AS_PATH: 3 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.11.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.12.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.13.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.2.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.5.0/24, AS_PATH: 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.6.0/24, AS_PATH: 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.7.0/24, AS_PATH: 3 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.8.0/24, AS_PATH: 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg 
comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.9.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.1.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.10.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.2.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.3.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.4.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.5.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.8.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.9.0/24, AS_PATH: 4 4 4 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/AS2.txt b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/AS2.txt new file mode 100644 index 00000000..23715fb7 --- /dev/null +++ b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/AS2.txt 
@@ -0,0 +1,406 @@ +1.0.1.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +1.0.2.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +1.0.3.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.1.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.1.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.10.0/24, AS_PATH: 101 666, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.11.0/24, AS_PATH: 101 777, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.128.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.128.1/32, AS_PATH: 1 101, NEXT_HOP: 192.0.2.66, via 192.0.2.2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.128.1/32, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: 65535:666 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.2.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.2.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: 65530:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + 
+101.0.3.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.3.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: 999:65530:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.4.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: 888:0 + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.4.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: 888:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.5.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: 888:0:0 + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.5.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: 888:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.6.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: 777:0 + ext comms: + lrg comms: 777:0:0 + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.6.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: 65530:1, 777:0 + ext comms: + lrg comms: 777:0:0, 999:65530:1 + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.7.0/24, AS_PATH: 101 174, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.8.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.8.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.9.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + 
filtered: False () + +101.1.0.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.2.0.0/17, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +101.2.0.0/17, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.2.1.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.2.128.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +101.2.128.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.3.0.0/24, AS_PATH: 101 105, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +102.0.1.0/24, AS_PATH: 101 102, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +103.0.1.0/24, AS_PATH: 101 101 103, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +103.0.2.0/24, AS_PATH: 101 103, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +104.0.1.0/24, AS_PATH: 1 101 104, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +104.0.1.0/24, AS_PATH: 101 104, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +104.1.1.0/24, AS_PATH: 1 
101 104, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +104.1.1.0/24, AS_PATH: 101 104, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +11.1.1.0/24, AS_PATH: 1 1011, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +11.3.0.0/16, AS_PATH: 1 1011, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +11.4.1.0/24, AS_PATH: 1 1000, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +222.2.2.0/24, AS_PATH: 222 333, NEXT_HOP: 192.0.2.222, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +222.3.3.0/24, AS_PATH: 222 333, NEXT_HOP: 192.0.2.222, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.10.0/24, AS_PATH: 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.11.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.12.0/24, AS_PATH: 3 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.13.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.3.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.5.0/24, AS_PATH: 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg 
comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.6.0/24, AS_PATH: 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.7.0/24, AS_PATH: 3 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.8.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.9.0/24, AS_PATH: 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.10.0/24, AS_PATH: 4 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.6.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.7.1/32, AS_PATH: 4, NEXT_HOP: 192.0.2.66, via 192.0.2.2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.8.0/24, AS_PATH: 4 4 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.9.0/24, AS_PATH: 4 4 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/AS222.txt b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/AS222.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/AS3.txt b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/AS3.txt new file mode 100644 index 00000000..23711ab8 --- /dev/null 
+++ b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/AS3.txt 
@@ -0,0 +1,322 @@ +1.0.1.0/24, AS_PATH: 999 1, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +1.0.1.0/24, AS_PATH: 999 1, NEXT_HOP: 192.0.2.12, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 101 + filtered: False () + +1.0.2.0/24, AS_PATH: 999 1, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +1.0.2.0/24, AS_PATH: 999 1, NEXT_HOP: 192.0.2.12, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 101 + filtered: False () + +1.0.3.0/24, AS_PATH: 999 1, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +101.0.1.0/24, AS_PATH: 999 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +101.0.1.0/24, AS_PATH: 999 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.128.1/32, AS_PATH: 999 1 101, NEXT_HOP: 192.0.2.66, via 192.0.2.2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 101 + filtered: False () + +101.0.128.1/32, AS_PATH: 999 2 101, NEXT_HOP: 192.0.2.66, via 192.0.2.2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.2.0/24, AS_PATH: 999 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +101.0.2.0/24, AS_PATH: 999 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.3.0/24, AS_PATH: 999 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: 
True, LOCAL_PREF: 101 + filtered: False () + +101.0.3.0/24, AS_PATH: 999 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.4.0/24, AS_PATH: 999 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: 888:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +101.0.4.0/24, AS_PATH: 999 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 888:0 + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.5.0/24, AS_PATH: 999 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: 888:0:0 + best: True, LOCAL_PREF: 101 + filtered: False () + +101.0.5.0/24, AS_PATH: 999 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg comms: 888:0:0 + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.6.0/24, AS_PATH: 999 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: 777:0 + ext comms: + lrg comms: 777:0:0 + best: True, LOCAL_PREF: 101 + filtered: False () + +101.0.6.0/24, AS_PATH: 999 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 777:0 + ext comms: + lrg comms: 777:0:0 + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.8.0/24, AS_PATH: 999 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +101.0.8.0/24, AS_PATH: 999 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +101.2.0.0/17, AS_PATH: 999 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +101.2.0.0/17, AS_PATH: 999 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +101.2.128.0/24, AS_PATH: 999 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: 
+ lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +101.2.128.0/24, AS_PATH: 999 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +103.0.1.0/24, AS_PATH: 999 1 101 103, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: 65535:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +103.0.1.0/24, AS_PATH: 999 2 101 101 103, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +103.0.2.0/24, AS_PATH: 999 1 101 101 103, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +103.0.2.0/24, AS_PATH: 999 2 101 103, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +104.0.1.0/24, AS_PATH: 999 1 101 104, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +104.1.1.0/24, AS_PATH: 999 1 101 104, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +11.1.1.0/24, AS_PATH: 999 1 1011, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +11.3.0.0/16, AS_PATH: 999 1 1011, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +11.4.1.0/24, AS_PATH: 999 1 1000, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +2.0.1.0/24, AS_PATH: 999 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.2.0/24, AS_PATH: 999 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg 
comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.1/32, AS_PATH: 999 2, NEXT_HOP: 192.0.2.66, via 192.0.2.2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.2/32, AS_PATH: 999 2, NEXT_HOP: 192.0.2.66, via 192.0.2.2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.3/32, AS_PATH: 999 2, NEXT_HOP: 192.0.2.66, via 192.0.2.2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.4.0/24, AS_PATH: 999 2, NEXT_HOP: 192.0.2.22, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +222.2.2.0/24, AS_PATH: 999 222 333, NEXT_HOP: 192.0.2.222, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +222.3.3.0/24, AS_PATH: 999 222 333, NEXT_HOP: 192.0.2.222, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.10.0/24, AS_PATH: 999 4 4 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.5.0/24, AS_PATH: 999 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.8.0/24, AS_PATH: 999 4 4 4 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.9.0/24, AS_PATH: 999 4 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + 
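Review bot: the 103.0.1.0/24 entry with `AS_PATH: 999 1 101 103` is the only route in this AS3.txt fixture that carries `std comms: 65535:0` (the well-known GRACEFUL_SHUTDOWN community), yet it is recorded as `best: True, LOCAL_PREF: 101` ahead of the untagged `999 2 101 101 103` path at LOCAL_PREF 100. Please confirm that this is the intended expectation for the openbgpd75p run (the community is passed through to AS3, and AS3 does not lower its preference for it) and not something captured by accident from a live run. A flat 322-line snapshot cannot say why an entry looks the way it does, so a sentence in the commit message or the scenario docs stating how these openbgpd75p files were produced and where they are expected to differ from the fixtures of the previous OpenBGPD version would let a reviewer check the new data instead of taking it on trust.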
diff --git a/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/AS4.txt b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/AS4.txt new file mode 100644 index 00000000..6bbc453d --- /dev/null +++ b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/AS4.txt 
@@ -0,0 +1,266 @@ +1.0.1.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +1.0.2.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +1.0.3.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.1.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.128.1/32, AS_PATH: 1 101, NEXT_HOP: 192.0.2.66, via 192.0.2.2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.2.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.3.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.4.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: 888:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.5.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: 888:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.6.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: 777:0 + ext comms: + lrg comms: 777:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.8.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.2.0.0/17, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.2.128.0/24, 
AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +103.0.1.0/24, AS_PATH: 2 101 101 103, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +103.0.2.0/24, AS_PATH: 2 101 103, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +104.0.1.0/24, AS_PATH: 1 101 104, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +104.1.1.0/24, AS_PATH: 1 101 104, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +11.1.1.0/24, AS_PATH: 1 1011, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +11.3.0.0/16, AS_PATH: 1 1011, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +11.4.1.0/24, AS_PATH: 1 1000, NEXT_HOP: 192.0.2.11, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.2.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.1/32, AS_PATH: 2, NEXT_HOP: 192.0.2.66, via 192.0.2.2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.2/32, AS_PATH: 2, NEXT_HOP: 192.0.2.66, via 192.0.2.2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.3/32, AS_PATH: 
2, NEXT_HOP: 192.0.2.66, via 192.0.2.2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.4.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.22, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +222.2.2.0/24, AS_PATH: 222 333, NEXT_HOP: 192.0.2.222, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +222.3.3.0/24, AS_PATH: 222 333, NEXT_HOP: 192.0.2.222, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.10.0/24, AS_PATH: 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.11.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.12.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.13.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.3.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.5.0/24, AS_PATH: 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.6.0/24, AS_PATH: 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.7.0/24, AS_PATH: 3 3 3 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.8.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext 
comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.9.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/rs.txt b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/rs.txt new file mode 100644 index 00000000..d26b2f1b --- /dev/null +++ b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv4/openbgpd75p/rs.txt 
@@ -0,0 +1,847 @@ +0.0.0.0/0, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.31 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (2) + +1.0.1.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +1.0.1.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.12, via 192.0.2.12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +1.0.2.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +1.0.2.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.12, via 192.0.2.12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +1.0.3.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +10.0.0.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (2) + +101.0.1.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +101.0.1.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.1.0/24, AS_PATH: 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.10.0/24, AS_PATH: 1 101 666, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +101.0.10.0/24, AS_PATH: 1 101 666, NEXT_HOP: 192.0.2.11, via 
192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (15) + +101.0.10.0/24, AS_PATH: 2 101 666, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (15) + +101.0.11.0/24, AS_PATH: 1 101 777, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +101.0.11.0/24, AS_PATH: 1 101 777, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (15) + +101.0.11.0/24, AS_PATH: 2 101 777, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (15) + +101.0.128.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: + ext comms: rfc8097-invalid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +101.0.128.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-invalid + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (14) + +101.0.128.0/24, AS_PATH: 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-invalid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (14) + +101.0.128.1/32, AS_PATH: 1 101, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: 65535:666 + ext comms: rfc8097-invalid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +101.0.128.1/32, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: 65530:4, 65535:666 + ext comms: rfc8097-invalid + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.128.1/32, AS_PATH: 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 65530:4, 65535:666 + ext comms: rfc8097-invalid + lrg comms: 999:65530:4 + best: False, LOCAL_PREF: 100 + filtered: False () + 
+101.0.2.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +101.0.2.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.2.0/24, AS_PATH: 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.3.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +101.0.3.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.3.0/24, AS_PATH: 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.4.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: 888:0 + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +101.0.4.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: 888:0 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.4.0/24, AS_PATH: 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 888:0 + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.5.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: + ext comms: rfc8097-not-found + lrg comms: 888:0:0 + best: False, LOCAL_PREF: 1 + filtered: True (5) + +101.0.5.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: 888:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + 
+101.0.5.0/24, AS_PATH: 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-not-found + lrg comms: 888:0:0 + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.6.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: 777:0 + ext comms: rfc8097-not-found + lrg comms: 777:0:0 + best: False, LOCAL_PREF: 1 + filtered: True (5) + +101.0.6.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: 777:0 + ext comms: rfc8097-not-found + lrg comms: 777:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.6.0/24, AS_PATH: 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 777:0 + ext comms: rfc8097-not-found + lrg comms: 777:0:0 + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.7.0/24, AS_PATH: 1 101 174, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +101.0.7.0/24, AS_PATH: 1 101 174, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (8) + +101.0.7.0/24, AS_PATH: 2 101 174, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (8) + +101.0.8.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +101.0.8.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.8.0/24, AS_PATH: 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +101.0.9.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: + ext comms: rfc8097-invalid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True 
(5) + +101.0.9.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-invalid + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (14) + +101.0.9.0/24, AS_PATH: 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-invalid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (14) + +101.1.0.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +101.1.0.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (12) + +101.1.0.0/24, AS_PATH: 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (12) + +101.2.0.0/17, AS_PATH: 1 101, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +101.2.0.0/17, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.2.0.0/17, AS_PATH: 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +101.2.1.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: + ext comms: rfc8097-invalid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +101.2.1.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-invalid + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (12) + +101.2.1.0/24, AS_PATH: 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-invalid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (12) + +101.2.128.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.101, via 
192.0.2.12 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +101.2.128.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.2.128.0/24, AS_PATH: 2 101, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +101.3.0.0/24, AS_PATH: 1 101 105, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +101.3.0.0/24, AS_PATH: 1 101 105, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (9) + +101.3.0.0/24, AS_PATH: 2 101 105, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (9) + +102.0.1.0/24, AS_PATH: 1 101 102, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +102.0.1.0/24, AS_PATH: 1 101 102, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (9) + +102.0.1.0/24, AS_PATH: 2 101 102, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (9) + +103.0.1.0/24, AS_PATH: 1 101 103, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: 65535:0 + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +103.0.1.0/24, AS_PATH: 1 101 103, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: 65535:0 + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 5 + filtered: False () + +103.0.1.0/24, AS_PATH: 2 101 101 103, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + 
std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +103.0.2.0/24, AS_PATH: 1 101 101 103, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +103.0.2.0/24, AS_PATH: 1 101 101 103, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +103.0.2.0/24, AS_PATH: 2 101 103, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +104.0.1.0/24, AS_PATH: 1 101 104, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +104.0.1.0/24, AS_PATH: 1 101 104, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +104.0.1.0/24, AS_PATH: 2 101 104, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (9) + +104.1.1.0/24, AS_PATH: 1 101 104, NEXT_HOP: 192.0.2.101, via 192.0.2.12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +104.1.1.0/24, AS_PATH: 1 101 104, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +104.1.1.0/24, AS_PATH: 2 101 104, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (9) + +11.1.1.0/24, AS_PATH: 1 1011, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +11.1.2.0/24, AS_PATH: 1 1000, NEXT_HOP: 192.0.2.11, via 192.0.2.11 
+ std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (9) + +11.2.1.0/24, AS_PATH: 1 1011, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (12) + +11.3.0.0/16, AS_PATH: 1 1011, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +11.3.1.0/24, AS_PATH: 1 1011, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (12) + +11.4.1.0/24, AS_PATH: 1 1000, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +128.0.0.0/10, AS_PATH: 1 2 2 2 2 2 2 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (1) + +128.0.0.0/7, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (13) + +128.0.0.0/8, AS_PATH: 2 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: 999:1101:7 + best: True, LOCAL_PREF: 1 + filtered: True (6) + +128.0.0.0/9, AS_PATH: 1 65536 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (7) + +192.0.2.0/24, AS_PATH: 1, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (3) + +2.0.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.2.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: rfc8097-not-found + lrg 
comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.1/32, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 65530:4, 65535:666 + ext comms: rfc8097-not-found + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.2/32, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 65530:4, 65534:0 + ext comms: rfc8097-not-found + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.3/32, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 65530:4 + ext comms: rfc8097-not-found + lrg comms: 65534:0:0, 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.4.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.22, via 192.0.2.21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.5.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.23, via 192.0.2.21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (5) + +222.1.1.0/24, AS_PATH: 222 333, NEXT_HOP: 192.0.2.222, via 192.0.2.222 + std comms: + ext comms: rfc8097-invalid + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (14) + +222.2.2.0/24, AS_PATH: 222 333, NEXT_HOP: 192.0.2.222, via 192.0.2.222 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +222.3.3.0/24, AS_PATH: 222 333, NEXT_HOP: 192.0.2.222, via 192.0.2.222 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.1.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.31 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (11) + +3.0.10.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.31 + std comms: 65521:65521, 65523:1 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.11.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.31 + std comms: 
65507:999 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.12.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.31 + std comms: 65509:1, 65523:2 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.13.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.31 + std comms: + ext comms: rfc8097-not-found, soo:65535:65281 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.14.0/24, AS_PATH: 3 174 33, NEXT_HOP: 192.0.2.31, via 192.0.2.31 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (8) + +3.0.2.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.31 + std comms: 0:999, 65501:1 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.3.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.31 + std comms: 0:1 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.4.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.31 + std comms: 0:999 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.5.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.31 + std comms: 65521:65521 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.6.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.31 + std comms: 65522:65522 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.7.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.31 + std comms: 65523:65523 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.8.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.31 + std comms: 65521:1 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.9.0/24, AS_PATH: 3, NEXT_HOP: 192.0.2.31, via 192.0.2.31 
+ std comms: 65522:2 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.1.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 0:999, 64532:15 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.10.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: + ext comms: rfc8097-not-found, rt:64537:10, rt:64538:20 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.2.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 0:999, 64532:5 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.3.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 64531:15 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.4.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 64531:5 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.5.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 64531:5, 65501:3 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.6.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 64530:5, 64531:100 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.7.1/32, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 64531:20, 65530:4, 65535:666 + ext comms: rfc8097-not-found + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.8.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 64538:10, 64539:100 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.9.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 64535:20, 64536:5, 65521:65521 + ext comms: rfc8097-not-found + lrg comms: + best: 
True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/AS101.txt b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/AS101.txt new file mode 100644 index 00000000..022728e9 --- /dev/null +++ b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/AS101.txt 
@@ -0,0 +1,588 @@ +2001::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2001:db8:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:0:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:0:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a01:0:1::/48, AS_PATH: 2 1, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a01:0:2::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:0:2::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a01:0:2::/48, AS_PATH: 2 1, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a01:0:3::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:0:3::/48, AS_PATH: 2 1, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a02:0:1::/48, AS_PATH: 1 2, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a02:0:1::/48, AS_PATH: 1 2, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg 
comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a02:0:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 1 2, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 1 2, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::1/128, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::2/128, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::3/128, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 1 2, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 1 2, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:5::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:2::/48, AS_PATH: 1 3, NEXT_HOP: 2001:db8:1:1::11, via 
2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:2::/48, AS_PATH: 1 3, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:3::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:5::/48, AS_PATH: 1 3 3, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:5::/48, AS_PATH: 1 3 3, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:5::/48, AS_PATH: 2 3 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:6::/48, AS_PATH: 1 3 3 3, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:6::/48, AS_PATH: 1 3 3 3, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:6::/48, AS_PATH: 2 3 3 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:7::/48, AS_PATH: 1 3 3 3 3, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:7::/48, AS_PATH: 1 3 3 3 3, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:7::/48, AS_PATH: 2 3 3 3 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, 
LOCAL_PREF: 100 + filtered: False () + +2a03:0:8::/48, AS_PATH: 1 3 3, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:8::/48, AS_PATH: 1 3 3, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:8::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:9::/48, AS_PATH: 1 3, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:9::/48, AS_PATH: 1 3, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:9::/48, AS_PATH: 2 3 3 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:a::/48, AS_PATH: 1 3 3 3 3, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:a::/48, AS_PATH: 1 3 3 3 3, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:a::/48, AS_PATH: 2 3 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:c::/48, AS_PATH: 2 3 3 3 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:1::/48, AS_PATH: 1 4, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:1::/48, AS_PATH: 1 4, NEXT_HOP: 
2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a04:0:2::/48, AS_PATH: 1 4, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:2::/48, AS_PATH: 1 4, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a04:0:3::/48, AS_PATH: 1 4, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:3::/48, AS_PATH: 1 4, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a04:0:4::/48, AS_PATH: 1 4, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:4::/48, AS_PATH: 1 4, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a04:0:5::/48, AS_PATH: 1 4, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:5::/48, AS_PATH: 1 4, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a04:0:6::/48, AS_PATH: 2 4, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:8::/48, AS_PATH: 1 4, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:8::/48, AS_PATH: 1 4, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + 
filtered: False () + +2a04:0:8::/48, AS_PATH: 2 4 4 4, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a04:0:9::/48, AS_PATH: 1 4 4 4 4, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a04:0:9::/48, AS_PATH: 1 4 4 4 4, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a04:0:9::/48, AS_PATH: 2 4 4 4, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:a::/48, AS_PATH: 1 4, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:a::/48, AS_PATH: 1 4, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a04:0:a::/48, AS_PATH: 2 4 4, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a11:1:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:1:1::/48, AS_PATH: 2 1 1011, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a11:1:2::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:2:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:3:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 
2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:3::/32, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:3::/32, AS_PATH: 2 1 1011, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a11:4:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:4:1::/48, AS_PATH: 2 1 1000, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a99:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a99:2::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a99::/16, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a99::/32, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3222:0:2::/48, AS_PATH: 1 222 333, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3222:0:2::/48, AS_PATH: 1 222 333, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3222:0:2::/48, AS_PATH: 2 222 333, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + 
+3222:0:3::/48, AS_PATH: 1 222 333, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3222:0:3::/48, AS_PATH: 1 222 333, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3222:0:3::/48, AS_PATH: 2 222 333, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/AS1_1.txt b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/AS1_1.txt new file mode 100644 index 00000000..4db874d8 --- /dev/null +++ b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/AS1_1.txt 
@@ -0,0 +1,357 @@ +2a02:0:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::1/128, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::2/128, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::3/128, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:2::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:5::/48, AS_PATH: 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:6::/48, AS_PATH: 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:7::/48, AS_PATH: 3 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:8::/48, AS_PATH: 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + 
filtered: False () + +2a03:0:9::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:a::/48, AS_PATH: 3 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:b::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:c::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:d::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:2::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:3::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:4::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:5::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:7::1/128, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:8::/48, AS_PATH: 4, NEXT_HOP: 
2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:9::/48, AS_PATH: 4 4 4 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:a::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:10::/48, AS_PATH: 101 666, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:11::/48, AS_PATH: 101 777, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:1::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:2::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 65530:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:3::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: 999:65530:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:4::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 888:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:5::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: 888:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:6::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 65530:1, 777:0 + ext comms: + lrg comms: 777:0:0, 999:65530:1 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:7::/48, AS_PATH: 101 174, NEXT_HOP: 2001:db8:1:1::101, 
via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::1/128, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 65535:666 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:9::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:1::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2:4000::/34, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2:8000::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2::/33, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:3:1::/48, AS_PATH: 101 105, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3102:0:1::/48, AS_PATH: 101 102, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3103:0:1::/48, AS_PATH: 101 103, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + 
best: True, LOCAL_PREF: 100 + filtered: False () + +3103:0:2::/48, AS_PATH: 101 101 103, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3104:0:1::/48, AS_PATH: 101 104, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3104:1:1::/48, AS_PATH: 101 104, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3222:0:2::/48, AS_PATH: 222 333, NEXT_HOP: 2001:db8:1:1::222, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3222:0:3::/48, AS_PATH: 222 333, NEXT_HOP: 2001:db8:1:1::222, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +8000:1::/32, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/AS1_2.txt b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/AS1_2.txt new file mode 100644 index 00000000..5e6299fb --- /dev/null +++ b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/AS1_2.txt 
@@ -0,0 +1,329 @@ +2a02:0:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:2::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:5::/48, AS_PATH: 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:6::/48, AS_PATH: 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:7::/48, AS_PATH: 3 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:8::/48, AS_PATH: 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:9::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:a::/48, AS_PATH: 3 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:b::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:c::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65535:65281 
+ ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:d::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:2::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:3::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:4::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:5::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:8::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:9::/48, AS_PATH: 4 4 4 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:a::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:10::/48, AS_PATH: 101 666, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:11::/48, AS_PATH: 101 777, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:1::/48, AS_PATH: 101, 
NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:2::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 65530:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:3::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: 999:65530:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:4::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 888:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:5::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: 888:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:6::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 65530:1, 777:0 + ext comms: + lrg comms: 777:0:0, 999:65530:1 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:7::/48, AS_PATH: 101 174, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::1/128, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 65535:666 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:9::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:1::/48, AS_PATH: 101, 
NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2:4000::/34, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2:8000::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2::/33, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:3:1::/48, AS_PATH: 101 105, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3102:0:1::/48, AS_PATH: 101 102, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3103:0:1::/48, AS_PATH: 101 103, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3103:0:2::/48, AS_PATH: 101 101 103, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3104:0:1::/48, AS_PATH: 101 104, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3104:1:1::/48, AS_PATH: 101 104, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3222:0:2::/48, AS_PATH: 222 333, NEXT_HOP: 2001:db8:1:1::222, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3222:0:3::/48, AS_PATH: 222 333, NEXT_HOP: 2001:db8:1:1::222, via 2001:db8:1:1::2 + std 
comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +8000:1::/32, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/AS2.txt b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/AS2.txt new file mode 100644 index 00000000..bac1b23a --- /dev/null +++ b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/AS2.txt 
@@ -0,0 +1,413 @@ +2a01:0:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:0:2::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:0:3::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:3::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:5::/48, AS_PATH: 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:6::/48, AS_PATH: 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:7::/48, AS_PATH: 3 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:8::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:9::/48, AS_PATH: 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:a::/48, AS_PATH: 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:b::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:c::/48, AS_PATH: 3 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext 
comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:d::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:6::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:7::1/128, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:8::/48, AS_PATH: 4 4 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:9::/48, AS_PATH: 4 4 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:a::/48, AS_PATH: 4 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:1:1::/48, AS_PATH: 1 1011, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:3::/32, AS_PATH: 1 1011, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:4:1::/48, AS_PATH: 1 1000, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:10::/48, AS_PATH: 101 666, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:11::/48, AS_PATH: 101 777, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 
+ filtered: False () + +3101:0:1::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:1::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:2::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:2::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 65530:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:3::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:3::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: 999:65530:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:4::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 888:0 + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:4::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 888:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:5::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: 888:0:0 + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:5::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: 888:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:6::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 777:0 + ext comms: + lrg comms: 777:0:0 + best: False, LOCAL_PREF: 100 + filtered: False () + 
+3101:0:6::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 65530:1, 777:0 + ext comms: + lrg comms: 777:0:0, 999:65530:1 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:7::/48, AS_PATH: 101 174, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::1/128, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::1/128, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 65535:666 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:8::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:9::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:1::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2:4000::/34, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2:8000::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + 
filtered: False () + +3101:2:8000::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2::/33, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:2::/33, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:3:1::/48, AS_PATH: 101 105, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3102:0:1::/48, AS_PATH: 101 102, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3103:0:1::/48, AS_PATH: 101 101 103, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3103:0:2::/48, AS_PATH: 101 103, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3104:0:1::/48, AS_PATH: 1 101 104, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3104:0:1::/48, AS_PATH: 101 104, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3104:1:1::/48, AS_PATH: 1 101 104, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3104:1:1::/48, AS_PATH: 101 104, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3222:0:2::/48, AS_PATH: 222 333, 
NEXT_HOP: 2001:db8:1:1::222, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3222:0:3::/48, AS_PATH: 222 333, NEXT_HOP: 2001:db8:1:1::222, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +8000:1::/32, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/AS222.txt b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/AS222.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/AS3.txt b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/AS3.txt new file mode 100644 index 00000000..86ea2ff0 --- /dev/null +++ b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/AS3.txt 
@@ -0,0 +1,322 @@ +2a01:0:1::/48, AS_PATH: 999 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +2a01:0:1::/48, AS_PATH: 999 1, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 101 + filtered: False () + +2a01:0:2::/48, AS_PATH: 999 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +2a01:0:2::/48, AS_PATH: 999 1, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 101 + filtered: False () + +2a01:0:3::/48, AS_PATH: 999 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +2a02:0:1::/48, AS_PATH: 999 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 999 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::1/128, AS_PATH: 999 2, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::2/128, AS_PATH: 999 2, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::3/128, AS_PATH: 999 2, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 999 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + 
best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:5::/48, AS_PATH: 999 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:8::/48, AS_PATH: 999 4 4 4 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:9::/48, AS_PATH: 999 4 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:a::/48, AS_PATH: 999 4 4 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:1:1::/48, AS_PATH: 999 1 1011, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +2a11:3::/32, AS_PATH: 999 1 1011, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +2a11:4:1::/48, AS_PATH: 999 1 1000, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:0:1::/48, AS_PATH: 999 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:0:1::/48, AS_PATH: 999 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:2::/48, AS_PATH: 999 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:0:2::/48, AS_PATH: 999 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + 
+3101:0:3::/48, AS_PATH: 999 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:0:3::/48, AS_PATH: 999 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:4::/48, AS_PATH: 999 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 888:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:0:4::/48, AS_PATH: 999 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 888:0 + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:5::/48, AS_PATH: 999 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: 888:0:0 + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:0:5::/48, AS_PATH: 999 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: 888:0:0 + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:6::/48, AS_PATH: 999 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 777:0 + ext comms: + lrg comms: 777:0:0 + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:0:6::/48, AS_PATH: 999 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 777:0 + ext comms: + lrg comms: 777:0:0 + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::1/128, AS_PATH: 999 1 101, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:0:8000::1/128, AS_PATH: 999 2 101, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:8::/48, AS_PATH: 999 1 101, NEXT_HOP: 2001:db8:1:1::11, via 
2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:0:8::/48, AS_PATH: 999 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:2:8000::/48, AS_PATH: 999 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:2:8000::/48, AS_PATH: 999 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:2::/33, AS_PATH: 999 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:2::/33, AS_PATH: 999 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3103:0:1::/48, AS_PATH: 999 1 101 103, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65535:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +3103:0:1::/48, AS_PATH: 999 2 101 101 103, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3103:0:2::/48, AS_PATH: 999 1 101 101 103, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +3103:0:2::/48, AS_PATH: 999 2 101 103, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3104:0:1::/48, AS_PATH: 999 1 101 104, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +3104:1:1::/48, AS_PATH: 999 1 101 104, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 
+ std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +3222:0:2::/48, AS_PATH: 999 222 333, NEXT_HOP: 2001:db8:1:1::222, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3222:0:3::/48, AS_PATH: 999 222 333, NEXT_HOP: 2001:db8:1:1::222, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/AS4.txt b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/AS4.txt new file mode 100644 index 00000000..5214013c --- /dev/null +++ b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/AS4.txt 
@@ -0,0 +1,266 @@ +2a01:0:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:0:2::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:0:3::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::1/128, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::2/128, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::3/128, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:3::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:5::/48, AS_PATH: 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: 
False () + +2a03:0:6::/48, AS_PATH: 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:7::/48, AS_PATH: 3 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:8::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:9::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:a::/48, AS_PATH: 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:b::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:c::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:d::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:1:1::/48, AS_PATH: 1 1011, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:3::/32, AS_PATH: 1 1011, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:4:1::/48, AS_PATH: 1 1000, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:1::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std 
comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:2::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:3::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:4::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 888:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:5::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: 888:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:6::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 777:0 + ext comms: + lrg comms: 777:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::1/128, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2:8000::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2::/33, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3103:0:1::/48, AS_PATH: 2 101 101 103, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3103:0:2::/48, AS_PATH: 2 101 103, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext 
comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3104:0:1::/48, AS_PATH: 1 101 104, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3104:1:1::/48, AS_PATH: 1 101 104, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3222:0:2::/48, AS_PATH: 222 333, NEXT_HOP: 2001:db8:1:1::222, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3222:0:3::/48, AS_PATH: 222 333, NEXT_HOP: 2001:db8:1:1::222, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/rs.txt b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/rs.txt new file mode 100644 index 00000000..14c428e5 --- /dev/null +++ b/tests/live_tests/scenarios/global/routes/BasicScenario_OpenBGPDIPv6/openbgpd75p/rs.txt 
@@ -0,0 +1,868 @@ +2001::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (2) + +2001:db8:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (3) + +2a01:0:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:0:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a01:0:2::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:0:2::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a01:0:3::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::1/128, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65530:4, 65535:666 + ext comms: rfc8097-not-found + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::2/128, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + 
std comms: 65530:4, 65534:0 + ext comms: rfc8097-not-found + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::3/128, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65530:4 + ext comms: rfc8097-not-found + lrg comms: 65534:0:0, 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:5::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::23, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (5) + +2a03:0:1::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (11) + +2a03:0:2::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 0:999, 65501:1 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:3::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 0:1 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:4::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 0:999 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:5::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 65521:65521 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:6::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 65522:65522 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:7::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 
65523:65523 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:8::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 65521:1 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:9::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 65522:2 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:a::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 65521:65521, 65523:1 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:b::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 65507:999 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:c::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 65509:1, 65523:2 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:d::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: + ext comms: rfc8097-not-found, soo:65535:65281 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:e::/48, AS_PATH: 3 174 33, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (8) + +2a04:0:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 0:999, 64532:15 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:2::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 0:999, 64532:5 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:3::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 
64531:15 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:4::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 64531:5 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:5::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 64531:5, 65501:3 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:6::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 64530:5, 64531:100 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:7::1/128, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 64531:20, 65530:4, 65535:666 + ext comms: rfc8097-not-found + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:8::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 64538:10, 64539:100 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:9::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 64535:20, 64536:5, 65521:65521 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:a::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: + ext comms: rfc8097-not-found, rt:64537:10, rt:64538:20 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:1:1::/48, AS_PATH: 1 1011, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:1:2::/48, AS_PATH: 1 1000, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (9) + +2a11:2:1::/48, AS_PATH: 1 1011, 
NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (12) + +2a11:3:1::/48, AS_PATH: 1 1011, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (12) + +2a11:3::/32, AS_PATH: 1 1011, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:4:1::/48, AS_PATH: 1 1000, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a99:1::/48, AS_PATH: 1 65536 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (7) + +2a99:2::/48, AS_PATH: 1 2 2 2 2 2 2 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (1) + +2a99::/16, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (13) + +2a99::/32, AS_PATH: 2 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: 999:1101:7 + best: True, LOCAL_PREF: 1 + filtered: True (6) + +3101:0:10::/48, AS_PATH: 1 101 666, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3101:0:10::/48, AS_PATH: 1 101 666, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (15) + +3101:0:10::/48, AS_PATH: 2 101 666, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: 
rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (15) + +3101:0:11::/48, AS_PATH: 1 101 777, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3101:0:11::/48, AS_PATH: 1 101 777, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (15) + +3101:0:11::/48, AS_PATH: 2 101 777, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (15) + +3101:0:1::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3101:0:1::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:1::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:2::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3101:0:2::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:2::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:3::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: 
True (5) + +3101:0:3::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:3::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:4::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 888:0 + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3101:0:4::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 888:0 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:4::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 888:0 + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:5::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-not-found + lrg comms: 888:0:0 + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3101:0:5::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: 888:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:5::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: 888:0:0 + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:6::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 777:0 + ext comms: rfc8097-not-found + lrg comms: 777:0:0 + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3101:0:6::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 777:0 + ext comms: rfc8097-not-found + lrg comms: 777:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + 
+3101:0:6::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 777:0 + ext comms: rfc8097-not-found + lrg comms: 777:0:0 + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:7::/48, AS_PATH: 1 101 174, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3101:0:7::/48, AS_PATH: 1 101 174, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (8) + +3101:0:7::/48, AS_PATH: 2 101 174, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (8) + +3101:0:8000::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-invalid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3101:0:8000::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-invalid + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (14) + +3101:0:8000::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-invalid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (14) + +3101:0:8000::1/128, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65535:666 + ext comms: rfc8097-invalid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3101:0:8000::1/128, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65530:4, 65535:666 + ext comms: rfc8097-invalid + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::1/128, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65530:4, 65535:666 + ext comms: rfc8097-invalid + lrg comms: 999:65530:4 + best: False, LOCAL_PREF: 100 + 
filtered: False () + +3101:0:8::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3101:0:8::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:9::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-invalid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3101:0:9::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-invalid + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (14) + +3101:0:9::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-invalid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (14) + +3101:1::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3101:1::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (12) + +3101:1::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (12) + +3101:2:4000::/34, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-invalid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3101:2:4000::/34, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std 
comms: + ext comms: rfc8097-invalid + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (12) + +3101:2:4000::/34, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-invalid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (12) + +3101:2:8000::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3101:2:8000::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2:8000::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:2::/33, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3101:2::/33, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2::/33, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:3:1::/48, AS_PATH: 1 101 105, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3101:3:1::/48, AS_PATH: 1 101 105, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (9) + +3101:3:1::/48, AS_PATH: 2 101 105, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (9) + 
+3102:0:1::/48, AS_PATH: 1 101 102, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3102:0:1::/48, AS_PATH: 1 101 102, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (9) + +3102:0:1::/48, AS_PATH: 2 101 102, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (9) + +3103:0:1::/48, AS_PATH: 1 101 103, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65535:0 + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3103:0:1::/48, AS_PATH: 1 101 103, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65535:0 + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 5 + filtered: False () + +3103:0:1::/48, AS_PATH: 2 101 101 103, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3103:0:2::/48, AS_PATH: 1 101 101 103, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3103:0:2::/48, AS_PATH: 1 101 101 103, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3103:0:2::/48, AS_PATH: 2 101 103, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3104:0:1::/48, AS_PATH: 1 101 104, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3104:0:1::/48, AS_PATH: 
1 101 104, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3104:0:1::/48, AS_PATH: 2 101 104, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (9) + +3104:1:1::/48, AS_PATH: 1 101 104, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (5) + +3104:1:1::/48, AS_PATH: 1 101 104, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3104:1:1::/48, AS_PATH: 2 101 104, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (9) + +3222:0:1::/48, AS_PATH: 222 333, NEXT_HOP: 2001:db8:1:1::222, via 2001:db8:1:1::222 + std comms: + ext comms: rfc8097-invalid + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (14) + +3222:0:2::/48, AS_PATH: 222 333, NEXT_HOP: 2001:db8:1:1::222, via 2001:db8:1:1::222 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3222:0:3::/48, AS_PATH: 222 333, NEXT_HOP: 2001:db8:1:1::222, via 2001:db8:1:1::222 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +8000:1::/32, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (10) + +8000:1::/32, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (10) + +8000:1::/32, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 
+ ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: True (10) + +::/0, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: True (10) + diff --git a/tests/live_tests/scenarios/gshut/configs/GShutScenario_OpenBGPDIPv4/openbgpd75p.conf b/tests/live_tests/scenarios/gshut/configs/GShutScenario_OpenBGPDIPv4/openbgpd75p.conf new file mode 100644 index 00000000..0c8a1432 --- /dev/null +++ b/tests/live_tests/scenarios/gshut/configs/GShutScenario_OpenBGPDIPv4/openbgpd75p.conf 
@@ -0,0 +1,665 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + neighbor 192.0.2.11 { + remote-as 1 + + rde evaluate all + + descr "AS1_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::11 { + remote-as 1 + + rde evaluate all + + descr "AS1_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.21 { + remote-as 2 + + rde evaluate all + + descr "AS2_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::21 { + remote-as 2 + + rde evaluate all + + descr "AS2_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } +} + + + +# 
--------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. + + + + + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. 
+# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. + + + +# Scrub communities from inbound routes + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which are used later by the rest of the filter rules. 
+ +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + + + + + + + + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 32' - reject code: 1 +deny quick from group clients max-as-len 32 + + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +deny quick from group clients community NO_ADVERTISE + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +deny quick from group clients prefix-set bogons + + + + +# ===================================================================================== +# Per client rules. 
+ + +# --------------------------------------------- +# client AS1_1, inbound + + + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +deny quick from 192.0.2.11 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.11 peer-as != 1' - reject code: 6 +deny quick from 192.0.2.11 peer-as != 1 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +deny quick from 192.0.2.11 AS 23456 + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +deny quick from 192.0.2.11 AS 64496 - 131071 + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 192.0.2.11 AS 4200000000 - 4294967295 + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +deny quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 + + + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS1_1, outbound + + +# Blackhole request? 
+# No blackhole filtering policy given +deny quick to 192.0.2.11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS1_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::11 set community NO_ADVERTISE +match from 2001:db8:1:1::11 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::11 community NO_ADVERTISE' - reject code: 5 +deny quick from 2001:db8:1:1::11 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 peer-as != 1' - reject code: 6 +deny quick from 2001:db8:1:1::11 peer-as != 1 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 23456' - reject code: 7 +deny quick from 2001:db8:1:1::11 AS 23456 + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 64496 - 131071' - reject code: 7 +deny quick from 2001:db8:1:1::11 AS 64496 - 131071 + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 2001:db8:1:1::11 AS 4200000000 - 4294967295 + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +deny quick from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48 + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete 
$INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 2001:db8:1:1::11 + + + +# --------------------------------------------- +# client AS1_2, outbound + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_1, inbound + + + +# NEXT_HOP +match from 192.0.2.21 set community NO_ADVERTISE +match from 192.0.2.21 nexthop 192.0.2.21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.21 community NO_ADVERTISE' - reject code: 5 +deny quick from 192.0.2.21 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.21 peer-as != 2' - reject code: 6 +deny quick from 192.0.2.21 peer-as != 2 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.21 AS 23456' - reject code: 7 +deny quick from 192.0.2.21 AS 23456 + +# Reject inbound routes when 'from 192.0.2.21 AS 64496 - 131071' - reject code: 7 +deny quick from 192.0.2.21 AS 64496 - 131071 + +# Reject inbound routes when 'from 192.0.2.21 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 192.0.2.21 AS 4200000000 - 4294967295 + 
+ + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +deny quick from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24 + + + +# Remove internal communities before accepting the route +match from 192.0.2.21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 192.0.2.21 + + + +# --------------------------------------------- +# client AS2_1, outbound + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.21 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::21 set community NO_ADVERTISE +match from 2001:db8:1:1::21 nexthop 2001:db8:1:1::21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::21 community NO_ADVERTISE' - reject code: 5 +deny quick from 2001:db8:1:1::21 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::21 peer-as != 2' - reject code: 6 +deny quick from 2001:db8:1:1::21 peer-as != 2 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 23456' - reject code: 7 +deny quick from 2001:db8:1:1::21 AS 23456 + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 64496 - 131071' - reject code: 7 +deny quick from 2001:db8:1:1::21 AS 64496 - 131071 + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 2001:db8:1:1::21 AS 4200000000 - 4294967295 + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +deny quick from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48 + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 2001:db8:1:1::21 + + + +# 
--------------------------------------------- +# client AS2_2, outbound + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::21 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + + + +# Scrub communities from outbound routes + +# Scrub prepending communities + +match to group clients set community GRACEFUL_SHUTDOWN + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
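Review bot: in the outbound section at the end of this new openbgpd75p.conf, the rule `match to group clients set community GRACEFUL_SHUTDOWN` has no comment of its own and sits directly under the empty "Scrub prepending communities" heading, so it reads as part of the scrubbing step. It is the rule that produces the `65535:0` expected in the AS1.txt and AS2.txt route dumps added by this same change. Since the file is marked "built by ARouteServer", please have the template emit a one-line comment above it saying that the route server tags every route sent to clients with GRACEFUL_SHUTDOWN. Two smaller points in the same file. First, the per-client "Remove internal communities before accepting the route" blocks delete a shorter list than the global scrub block: `$INTCOMM_RPKI_INVALID`, `$INTCOMM_NO_EXPORT` and `$INTCOMM_NO_ADVERTISE` are left out. The last two are consumed by the outbound `match to group clients ext-community ...` rules, but nothing says why `$INTCOMM_RPKI_INVALID` is kept, so a short comment there would help. Second, the generated comments contain "well-know community" and "no client-level configuration are allowed", which are worth correcting at the source so they stop being copied into every new per-version config.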
diff --git a/tests/live_tests/scenarios/gshut/routes/GShutScenario_OpenBGPDIPv4/openbgpd75p/AS1.txt b/tests/live_tests/scenarios/gshut/routes/GShutScenario_OpenBGPDIPv4/openbgpd75p/AS1.txt new file mode 100644 index 00000000..6a695ab1 --- /dev/null +++ b/tests/live_tests/scenarios/gshut/routes/GShutScenario_OpenBGPDIPv4/openbgpd75p/AS1.txt @@ -0,0 +1,14 @@ +2a02:2:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 65535:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:2::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 65535:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/gshut/routes/GShutScenario_OpenBGPDIPv4/openbgpd75p/AS2.txt b/tests/live_tests/scenarios/gshut/routes/GShutScenario_OpenBGPDIPv4/openbgpd75p/AS2.txt new file mode 100644 index 00000000..4d268b5f --- /dev/null +++ b/tests/live_tests/scenarios/gshut/routes/GShutScenario_OpenBGPDIPv4/openbgpd75p/AS2.txt @@ -0,0 +1,14 @@ +2a02:1:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65535:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:1:2::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65535:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/gshut/routes/GShutScenario_OpenBGPDIPv4/openbgpd75p/rs.txt b/tests/live_tests/scenarios/gshut/routes/GShutScenario_OpenBGPDIPv4/openbgpd75p/rs.txt new file mode 100644 index 00000000..3f3e8bb6 --- /dev/null +++ b/tests/live_tests/scenarios/gshut/routes/GShutScenario_OpenBGPDIPv4/openbgpd75p/rs.txt 
@@ -0,0 +1,28 @@ +2a02:1:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:1:2::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:2::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/max_prefix/configs/MaxPrefixScenario_OpenBGPDIPv4/openbgpd75p.conf b/tests/live_tests/scenarios/max_prefix/configs/MaxPrefixScenario_OpenBGPDIPv4/openbgpd75p.conf new file mode 100644 index 00000000..b5874e6e --- /dev/null +++ b/tests/live_tests/scenarios/max_prefix/configs/MaxPrefixScenario_OpenBGPDIPv4/openbgpd75p.conf 
@@ -0,0 +1,2263 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + neighbor 192.0.2.11 { + remote-as 1 + + rde evaluate all + + passive + ttl-security no + max-prefix 4 + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::11 { + remote-as 1 + + rde evaluate all + + passive + ttl-security no + max-prefix 4 + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.21 { + remote-as 2 + + rde evaluate all + + passive + ttl-security no + max-prefix 3 + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::21 { + remote-as 2 + + rde evaluate all + + passive + ttl-security no + max-prefix 3 + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.31 { + remote-as 3 + + rde evaluate all + + passive + ttl-security 
no + max-prefix 2 + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::31 { + remote-as 3 + + rde evaluate all + + passive + ttl-security no + max-prefix 2 + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.41 { + remote-as 4 + + rde evaluate all + + passive + ttl-security no + max-prefix 6 + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::41 { + remote-as 4 + + rde evaluate all + + passive + ttl-security no + max-prefix 6 + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } +} + + + +# --------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. 
+ + + + + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. +# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. 
+ + + +# Scrub communities from inbound routes +# reject_cause +match from group clients set community delete 65520:* + +# reject_cause_map_6 +match from group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match from group clients set ext-community delete rt 65520:* + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which are used later by the rest of the filter rules. + +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + + + + + + + + +# Set the 'rejected_route_announced_by' community for all the clients. 
+# It will be removed later if the route is not invalid +match from 192.0.2.11 set ext-community rt 65520:1 + +match from 2001:db8:1:1::11 set ext-community rt 65520:1 + +match from 192.0.2.21 set ext-community rt 65520:2 + +match from 2001:db8:1:1::21 set ext-community rt 65520:2 + +match from 192.0.2.31 set ext-community rt 65520:3 + +match from 2001:db8:1:1::31 set ext-community rt 65520:3 + +match from 192.0.2.41 set ext-community rt 65520:4 + +match from 2001:db8:1:1::41 set ext-community rt 65520:4 + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 32' - reject code: 1 +allow quick from group clients max-as-len 32 set { + localpref 1 + community 65520:0 + community 65520:1 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +allow quick from group clients community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:10 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete 
$INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +allow quick from group clients prefix-set bogons set { + localpref 1 + community 65520:0 + community 65520:2 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# ===================================================================================== +# Per client rules. 
+ + +# --------------------------------------------- +# client AS1_1, inbound + + + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +allow quick from 192.0.2.11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 
- 4294967295' - reject code: 7 +allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete 
$INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.11 set ext-community delete rt 65520:1 + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS1_1, outbound + +deny quick to 192.0.2.11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS1_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::11 set community NO_ADVERTISE +match from 2001:db8:1:1::11 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::11 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::11 set ext-community delete rt 65520:1 + + + +allow quick from 2001:db8:1:1::11 + + + +# --------------------------------------------- +# client AS1_2, outbound + +deny quick to 2001:db8:1:1::11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_1, inbound + + + +# NEXT_HOP +match from 192.0.2.21 set community NO_ADVERTISE +match from 192.0.2.21 nexthop 192.0.2.21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.21 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.21 AS 23456' - reject code: 7 +allow quick from 192.0.2.21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route 
+match from 192.0.2.21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.21 set ext-community delete rt 65520:2 + + + +allow quick from 192.0.2.21 + + + +# --------------------------------------------- +# client AS2_1, outbound + +deny quick to 192.0.2.21 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.21 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::21 set community NO_ADVERTISE +match from 2001:db8:1:1::21 nexthop 2001:db8:1:1::21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::21 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::21 set ext-community delete rt 65520:2 + + + +allow quick from 2001:db8:1:1::21 + + + +# --------------------------------------------- +# client AS2_2, outbound + +deny quick to 2001:db8:1:1::21 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::21 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS3_1, inbound + + + +# NEXT_HOP +match from 192.0.2.31 set community NO_ADVERTISE +match from 192.0.2.31 nexthop 192.0.2.31 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.31 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.31 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.31 peer-as != 3' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.31 peer-as != 3 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.31 AS 23456' - reject code: 7 +allow quick from 192.0.2.31 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.31 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.31 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.31 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.31 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route 
+match from 192.0.2.31 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.31 set ext-community delete rt 65520:3 + + + +allow quick from 192.0.2.31 + + + +# --------------------------------------------- +# client AS3_1, outbound + +deny quick to 192.0.2.31 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.31 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.31 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS3_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::31 set community NO_ADVERTISE +match from 2001:db8:1:1::31 nexthop 2001:db8:1:1::31 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::31 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::31 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::31 peer-as != 3' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::31 peer-as != 3 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::31 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::31 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::31 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::31 set ext-community delete rt 65520:3 + + + +allow quick from 2001:db8:1:1::31 + + + +# --------------------------------------------- +# client AS3_2, outbound + +deny quick to 2001:db8:1:1::31 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::31 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::31 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_1, inbound + + + +# NEXT_HOP +match from 192.0.2.41 set community NO_ADVERTISE +match from 192.0.2.41 nexthop 192.0.2.41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.41 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.41 AS 23456' - reject code: 7 +allow quick from 192.0.2.41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route 
+match from 192.0.2.41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.41 set ext-community delete rt 65520:4 + + + +allow quick from 192.0.2.41 + + + +# --------------------------------------------- +# client AS4_1, outbound + +deny quick to 192.0.2.41 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.41 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.41 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::41 set community NO_ADVERTISE +match from 2001:db8:1:1::41 nexthop 2001:db8:1:1::41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::41 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::41 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::41 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::41 set ext-community delete rt 65520:4 + + + +allow quick from 2001:db8:1:1::41 + + + +# --------------------------------------------- +# client AS4_2, outbound + +deny quick to 2001:db8:1:1::41 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::41 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::41 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + + + +# Scrub communities from outbound routes +# reject_cause +match to group clients set community delete 65520:* + +# reject_cause_map_6 +match to group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match to group clients set ext-community delete rt 65520:* + + +# Scrub prepending communities + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + diff --git a/tests/live_tests/scenarios/max_prefix/configs/MaxPrefixScenario_OpenBGPDIPv6/openbgpd75p.conf b/tests/live_tests/scenarios/max_prefix/configs/MaxPrefixScenario_OpenBGPDIPv6/openbgpd75p.conf new file mode 100644 index 00000000..b5874e6e --- /dev/null +++ b/tests/live_tests/scenarios/max_prefix/configs/MaxPrefixScenario_OpenBGPDIPv6/openbgpd75p.conf 
@@ -0,0 +1,2263 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + neighbor 192.0.2.11 { + remote-as 1 + + rde evaluate all + + passive + ttl-security no + max-prefix 4 + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::11 { + remote-as 1 + + rde evaluate all + + passive + ttl-security no + max-prefix 4 + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.21 { + remote-as 2 + + rde evaluate all + + passive + ttl-security no + max-prefix 3 + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::21 { + remote-as 2 + + rde evaluate all + + passive + ttl-security no + max-prefix 3 + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.31 { + remote-as 3 + + rde evaluate all + + passive + ttl-security 
no + max-prefix 2 + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::31 { + remote-as 3 + + rde evaluate all + + passive + ttl-security no + max-prefix 2 + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.41 { + remote-as 4 + + rde evaluate all + + passive + ttl-security no + max-prefix 6 + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::41 { + remote-as 4 + + rde evaluate all + + passive + ttl-security no + max-prefix 6 + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } +} + + + +# --------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. 
+ + + + + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. +# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. 
+ + + +# Scrub communities from inbound routes +# reject_cause +match from group clients set community delete 65520:* + +# reject_cause_map_6 +match from group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match from group clients set ext-community delete rt 65520:* + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which are used later by the rest of the filter rules. + +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + + + + + + + + +# Set the 'rejected_route_announced_by' community for all the clients. 
+# It will be removed later if the route is not invalid +match from 192.0.2.11 set ext-community rt 65520:1 + +match from 2001:db8:1:1::11 set ext-community rt 65520:1 + +match from 192.0.2.21 set ext-community rt 65520:2 + +match from 2001:db8:1:1::21 set ext-community rt 65520:2 + +match from 192.0.2.31 set ext-community rt 65520:3 + +match from 2001:db8:1:1::31 set ext-community rt 65520:3 + +match from 192.0.2.41 set ext-community rt 65520:4 + +match from 2001:db8:1:1::41 set ext-community rt 65520:4 + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 32' - reject code: 1 +allow quick from group clients max-as-len 32 set { + localpref 1 + community 65520:0 + community 65520:1 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +allow quick from group clients community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:10 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete 
$INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +allow quick from group clients prefix-set bogons set { + localpref 1 + community 65520:0 + community 65520:2 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# ===================================================================================== +# Per client rules. 
+ + +# --------------------------------------------- +# client AS1_1, inbound + + + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +allow quick from 192.0.2.11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 
- 4294967295' - reject code: 7 +allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete 
$INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.11 set ext-community delete rt 65520:1 + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS1_1, outbound + +deny quick to 192.0.2.11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS1_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::11 set community NO_ADVERTISE +match from 2001:db8:1:1::11 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::11 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::11 set ext-community delete rt 65520:1 + + + +allow quick from 2001:db8:1:1::11 + + + +# --------------------------------------------- +# client AS1_2, outbound + +deny quick to 2001:db8:1:1::11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_1, inbound + + + +# NEXT_HOP +match from 192.0.2.21 set community NO_ADVERTISE +match from 192.0.2.21 nexthop 192.0.2.21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.21 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.21 AS 23456' - reject code: 7 +allow quick from 192.0.2.21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route 
+match from 192.0.2.21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.21 set ext-community delete rt 65520:2 + + + +allow quick from 192.0.2.21 + + + +# --------------------------------------------- +# client AS2_1, outbound + +deny quick to 192.0.2.21 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.21 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::21 set community NO_ADVERTISE +match from 2001:db8:1:1::21 nexthop 2001:db8:1:1::21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::21 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::21 set ext-community delete rt 65520:2 + + + +allow quick from 2001:db8:1:1::21 + + + +# --------------------------------------------- +# client AS2_2, outbound + +deny quick to 2001:db8:1:1::21 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::21 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS3_1, inbound + + + +# NEXT_HOP +match from 192.0.2.31 set community NO_ADVERTISE +match from 192.0.2.31 nexthop 192.0.2.31 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.31 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.31 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.31 peer-as != 3' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.31 peer-as != 3 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.31 AS 23456' - reject code: 7 +allow quick from 192.0.2.31 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.31 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.31 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.31 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.31 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route 
+match from 192.0.2.31 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.31 set ext-community delete rt 65520:3 + + + +allow quick from 192.0.2.31 + + + +# --------------------------------------------- +# client AS3_1, outbound + +deny quick to 192.0.2.31 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.31 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.31 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS3_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::31 set community NO_ADVERTISE +match from 2001:db8:1:1::31 nexthop 2001:db8:1:1::31 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::31 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::31 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::31 peer-as != 3' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::31 peer-as != 3 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::31 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::31 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::31 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::31 set ext-community delete rt 65520:3 + + + +allow quick from 2001:db8:1:1::31 + + + +# --------------------------------------------- +# client AS3_2, outbound + +deny quick to 2001:db8:1:1::31 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::31 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::31 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_1, inbound + + + +# NEXT_HOP +match from 192.0.2.41 set community NO_ADVERTISE +match from 192.0.2.41 nexthop 192.0.2.41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.41 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.41 AS 23456' - reject code: 7 +allow quick from 192.0.2.41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route 
+match from 192.0.2.41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.41 set ext-community delete rt 65520:4 + + + +allow quick from 192.0.2.41 + + + +# --------------------------------------------- +# client AS4_1, outbound + +deny quick to 192.0.2.41 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.41 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.41 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::41 set community NO_ADVERTISE +match from 2001:db8:1:1::41 nexthop 2001:db8:1:1::41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::41 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::41 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::41 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::41 set ext-community delete rt 65520:4 + + + +allow quick from 2001:db8:1:1::41 + + + +# --------------------------------------------- +# client AS4_2, outbound + +deny quick to 2001:db8:1:1::41 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::41 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::41 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + + + +# Scrub communities from outbound routes +# reject_cause +match to group clients set community delete 65520:* + +# reject_cause_map_6 +match to group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match to group clients set ext-community delete rt 65520:* + + +# Scrub prepending communities + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + diff --git a/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_BIRD2IPv4/bird2/AS2.txt b/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_BIRD2IPv4/bird2/AS2.txt index a81a7a2c..d1c26932 100644 --- a/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_BIRD2IPv4/bird2/AS2.txt +++ b/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_BIRD2IPv4/bird2/AS2.txt 
@@ -82,6 +82,20 @@ best: True, LOCAL_PREF: 100 filtered: False () +5.0.1.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +5.0.2.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + 6.0.1.0/24, AS_PATH: 6, NEXT_HOP: 192.0.2.61, via 192.0.2.2 std comms: ext comms: diff --git a/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_BIRDIPv4/bird16/AS1.txt b/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_BIRDIPv4/bird16/AS1.txt index fb88dac2..e3af88ab 100644 --- a/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_BIRDIPv4/bird16/AS1.txt +++ b/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_BIRDIPv4/bird16/AS1.txt @@ -75,6 +75,20 @@ best: True, LOCAL_PREF: 100 filtered: False () +5.0.1.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +5.0.2.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + 6.0.1.0/24, AS_PATH: 6, NEXT_HOP: 192.0.2.61, via 192.0.2.2 std comms: ext comms: diff --git a/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_BIRDIPv4/bird16/AS2.txt b/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_BIRDIPv4/bird16/AS2.txt index a81a7a2c..d1c26932 100644 --- a/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_BIRDIPv4/bird16/AS2.txt +++ b/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_BIRDIPv4/bird16/AS2.txt 
@@ -82,6 +82,20 @@ best: True, LOCAL_PREF: 100 filtered: False () +5.0.1.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +5.0.2.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + 6.0.1.0/24, AS_PATH: 6, NEXT_HOP: 192.0.2.61, via 192.0.2.2 std comms: ext comms: diff --git a/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_OpenBGPDIPv4/openbgpd75p/AS1.txt b/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_OpenBGPDIPv4/openbgpd75p/AS1.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_OpenBGPDIPv4/openbgpd75p/AS2.txt b/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_OpenBGPDIPv4/openbgpd75p/AS2.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_OpenBGPDIPv4/openbgpd75p/AS3.txt b/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_OpenBGPDIPv4/openbgpd75p/AS3.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_OpenBGPDIPv4/openbgpd75p/AS4.txt b/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_OpenBGPDIPv4/openbgpd75p/AS4.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_OpenBGPDIPv4/openbgpd75p/rs.txt b/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_OpenBGPDIPv4/openbgpd75p/rs.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_OpenBGPDIPv6/openbgpd75p/AS1.txt b/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_OpenBGPDIPv6/openbgpd75p/AS1.txt new file mode 100644 index 00000000..e69de29b 
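Review bot: the `openbgpd75p` route dumps added around this point for the max_prefix scenario (`AS1.txt` to `AS4.txt` and `rs.txt`, under both `MaxPrefixScenario_OpenBGPDIPv4` and `MaxPrefixScenario_OpenBGPDIPv6`) are created empty (`new file mode 100644`, blob `e69de29b`, no hunks), while the BIRD dumps in this same patch gain the 5.0.1.0/24 and 5.0.2.0/24 entries. If empty is the intended content for the OpenBGPD dumps, say so in the commit message; otherwise regenerate them so the 7.5 max-prefix result is actually recorded and can be compared against the BIRD output.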
diff --git a/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_OpenBGPDIPv6/openbgpd75p/AS2.txt b/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_OpenBGPDIPv6/openbgpd75p/AS2.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_OpenBGPDIPv6/openbgpd75p/AS3.txt b/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_OpenBGPDIPv6/openbgpd75p/AS3.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_OpenBGPDIPv6/openbgpd75p/AS4.txt b/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_OpenBGPDIPv6/openbgpd75p/AS4.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_OpenBGPDIPv6/openbgpd75p/rs.txt b/tests/live_tests/scenarios/max_prefix/routes/MaxPrefixScenario_OpenBGPDIPv6/openbgpd75p/rs.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/path_hiding/base.py b/tests/live_tests/scenarios/path_hiding/base.py index 05e517d8..1407a85b 100644 --- a/tests/live_tests/scenarios/path_hiding/base.py +++ b/tests/live_tests/scenarios/path_hiding/base.py 
@@ -205,9 +205,27 @@ def test_040_AS3_and_AS4_prefix_via_AS2(self): raise unittest.SkipTest("Path hiding mititaion not supported on OpenBGPD < 6.9") for inst in (self.AS3, self.AS4): - self.receive_route(inst, self.DATA["AS101_pref_ok1"], self.rs, - as_path="2 101 101 101 101", next_hop=self.AS2, - std_comms=[]) + if isinstance(self.rs, OpenBGPDInstance) and \ + version.parse(target_version) >= version.parse("7.5") and \ + inst is self.AS3: + # On OpenBGPD 7.5, ADD_PATH support was introduced: however, + # when it is set, the 'rde evaluate all' config knob that allows + # the BGP daemon to keep evaluating alternative paths in case + # the selected path is filtered out cannot be turned on - bgpd + # would generate the error + # neighbors with add-path send cannot use 'rde evaluate all' + # + # The clients in this scenario are all configured with ADD_PATH + # send enabled, but only AS4 has it also configured on its end + # with the rx, so AS3 would not benefit from the path hiding + # mitigation offered when 'rde evaluate all' is set, thus it + # would not be able to receive the route. + with self.assertRaisesRegex(AssertionError, "Routes not found."): + self.receive_route(inst, self.DATA["AS101_pref_ok1"], self.rs) + else: + self.receive_route(inst, self.DATA["AS101_pref_ok1"], self.rs, + as_path="2 101 101 101 101", next_hop=self.AS2, + std_comms=[]) def test_041_AS3_and_AS4_no_prefix_via_AS1(self): """{}: AS3 and AS4 don't receive prefix via AS1""" 
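Review bot: the new OpenBGPD >= 7.5 branch for AS3 in test_040 passes only when `receive_route` fails, via `assertRaisesRegex(AssertionError, "Routes not found.")`, so a lost protection now shows up as a green test. Per the comment, `rde evaluate all` cannot be combined with add-path send, and AS3 has no ADD-PATH rx configured, so it no longer benefits from the path hiding mitigation at all. That limitation should be stated in the user-facing documentation for the ADD-PATH and path hiding options, not only in a test comment, so operators enabling ADD-PATH on 7.5 know that clients which do not negotiate rx lose the mitigation. Two smaller points: the second argument is a regular expression, so the trailing `.` matches any character and should be escaped or dropped; and this branch reads `target_version`, whose definition is outside the visible lines, while the test_051 hunk reads `self.rs.TARGET_VERSION`, so take the version from one place in both tests.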
@@ -247,7 +265,8 @@ def test_050_AS3_prefix_not_received_by_AS3(self): def test_051_AS4_receives_prefix_via_AS2_because_of_ADD_PATH(self): """{}: AS4 receives the prefix via AS2 because of ADD-PATH""" if isinstance(self.rs, OpenBGPDInstance): - raise unittest.SkipTest("ADD-PATH not supported by OpenBGPD") + if version.parse(self.rs.TARGET_VERSION) < version.parse("7.5"): + raise unittest.SkipTest("ADD-PATH not supported by OpenBGPD < 7.5") self.receive_route(self.AS4, self.DATA["AS101_pref_ok1"], self.rs, as_path="2 101 101 101 101", next_hop=self.AS2, diff --git a/tests/live_tests/scenarios/path_hiding/configs/PathHidingScenario_MitigationOff_OpenBGPDIPv4/openbgpd75p.conf b/tests/live_tests/scenarios/path_hiding/configs/PathHidingScenario_MitigationOff_OpenBGPDIPv4/openbgpd75p.conf new file mode 100644 index 00000000..99962116 --- /dev/null +++ b/tests/live_tests/scenarios/path_hiding/configs/PathHidingScenario_MitigationOff_OpenBGPDIPv4/openbgpd75p.conf 
@@ -0,0 +1,2281 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + neighbor 192.0.2.11 { + remote-as 1 + + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::11 { + remote-as 1 + + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 192.0.2.21 { + remote-as 2 + + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::21 { + remote-as 2 + + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 192.0.2.31 { + remote-as 3 + + + passive + ttl-security no + transparent-as yes + 
enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::31 { + remote-as 3 + + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 192.0.2.41 { + remote-as 4 + + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::41 { + remote-as 4 + + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + announce add-path send best plus 5 + + set nexthop no-modify + } +} + + + +# --------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. 
+ + + + + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. +# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. 
+ + + +# Scrub communities from inbound routes +# reject_cause +match from group clients set community delete 65520:* + +# reject_cause_map_6 +match from group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match from group clients set ext-community delete rt 65520:* + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which are used later by the rest of the filter rules. + +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + + + + + + + + +# Set the 'rejected_route_announced_by' community for all the clients. 
+# It will be removed later if the route is not invalid +match from 192.0.2.11 set ext-community rt 65520:1 + +match from 2001:db8:1:1::11 set ext-community rt 65520:1 + +match from 192.0.2.21 set ext-community rt 65520:2 + +match from 2001:db8:1:1::21 set ext-community rt 65520:2 + +match from 192.0.2.31 set ext-community rt 65520:3 + +match from 2001:db8:1:1::31 set ext-community rt 65520:3 + +match from 192.0.2.41 set ext-community rt 65520:4 + +match from 2001:db8:1:1::41 set ext-community rt 65520:4 + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 32' - reject code: 1 +allow quick from group clients max-as-len 32 set { + localpref 1 + community 65520:0 + community 65520:1 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +allow quick from group clients community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:10 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete 
$INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +allow quick from group clients prefix-set bogons set { + localpref 1 + community 65520:0 + community 65520:2 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# ===================================================================================== +# Per client rules. 
+ + +# --------------------------------------------- +# client AS1_1, inbound + + + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +allow quick from 192.0.2.11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 
- 4294967295' - reject code: 7 +allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete 
$INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.11 set ext-community delete rt 65520:1 + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS1_1, outbound + +deny quick to 192.0.2.11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.11 + +# do_not_announce_to_peer +deny quick to 192.0.2.11 community 0:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS1_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::11 set community NO_ADVERTISE +match from 2001:db8:1:1::11 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::11 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::11 set ext-community delete rt 65520:1 + + + +allow quick from 2001:db8:1:1::11 + + + +# --------------------------------------------- +# client AS1_2, outbound + +deny quick to 2001:db8:1:1::11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::11 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::11 community 0:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_1, inbound + + + +# NEXT_HOP +match from 192.0.2.21 set community NO_ADVERTISE +match from 192.0.2.21 nexthop 192.0.2.21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.21 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.21 AS 23456' - reject code: 7 +allow quick from 192.0.2.21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route 
+match from 192.0.2.21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.21 set ext-community delete rt 65520:2 + + + +allow quick from 192.0.2.21 + + + +# --------------------------------------------- +# client AS2_1, outbound + +deny quick to 192.0.2.21 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.21 + +# do_not_announce_to_peer +deny quick to 192.0.2.21 community 0:2 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::21 set community NO_ADVERTISE +match from 2001:db8:1:1::21 nexthop 2001:db8:1:1::21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::21 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::21 set ext-community delete rt 65520:2 + + + +allow quick from 2001:db8:1:1::21 + + + +# --------------------------------------------- +# client AS2_2, outbound + +deny quick to 2001:db8:1:1::21 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::21 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::21 community 0:2 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS3_1, inbound + + + +# NEXT_HOP +match from 192.0.2.31 set community NO_ADVERTISE +match from 192.0.2.31 nexthop 192.0.2.31 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.31 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.31 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.31 peer-as != 3' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.31 peer-as != 3 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.31 AS 23456' - reject code: 7 +allow quick from 192.0.2.31 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.31 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.31 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.31 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.31 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route 
+match from 192.0.2.31 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.31 set ext-community delete rt 65520:3 + + + +allow quick from 192.0.2.31 + + + +# --------------------------------------------- +# client AS3_1, outbound + +deny quick to 192.0.2.31 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.31 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.31 + +# do_not_announce_to_peer +deny quick to 192.0.2.31 community 0:3 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS3_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::31 set community NO_ADVERTISE +match from 2001:db8:1:1::31 nexthop 2001:db8:1:1::31 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::31 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::31 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::31 peer-as != 3' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::31 peer-as != 3 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::31 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::31 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::31 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::31 set ext-community delete rt 65520:3 + + + +allow quick from 2001:db8:1:1::31 + + + +# --------------------------------------------- +# client AS3_2, outbound + +deny quick to 2001:db8:1:1::31 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::31 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::31 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::31 community 0:3 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_1, inbound + + + +# NEXT_HOP +match from 192.0.2.41 set community NO_ADVERTISE +match from 192.0.2.41 nexthop 192.0.2.41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.41 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.41 AS 23456' - reject code: 7 +allow quick from 192.0.2.41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route 
+match from 192.0.2.41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.41 set ext-community delete rt 65520:4 + + + +allow quick from 192.0.2.41 + + + +# --------------------------------------------- +# client AS4_1, outbound + +deny quick to 192.0.2.41 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.41 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.41 + +# do_not_announce_to_peer +deny quick to 192.0.2.41 community 0:4 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::41 set community NO_ADVERTISE +match from 2001:db8:1:1::41 nexthop 2001:db8:1:1::41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::41 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::41 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::41 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::41 set ext-community delete rt 65520:4 + + + +allow quick from 2001:db8:1:1::41 + + + +# --------------------------------------------- +# client AS4_2, outbound + +deny quick to 2001:db8:1:1::41 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::41 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::41 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::41 community 0:4 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + + + +# Scrub communities from outbound routes +# do_not_announce_to_peer +match to group clients set community delete 0:* + +# reject_cause +match to group clients set community delete 65520:* + +# reject_cause_map_6 +match to group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match to group clients set ext-community delete rt 65520:* + + +# Scrub prepending communities + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + diff --git a/tests/live_tests/scenarios/path_hiding/configs/PathHidingScenario_MitigationOff_OpenBGPDIPv6/openbgpd75p.conf b/tests/live_tests/scenarios/path_hiding/configs/PathHidingScenario_MitigationOff_OpenBGPDIPv6/openbgpd75p.conf new file mode 100644 index 00000000..99962116 --- /dev/null +++ b/tests/live_tests/scenarios/path_hiding/configs/PathHidingScenario_MitigationOff_OpenBGPDIPv6/openbgpd75p.conf 
@@ -0,0 +1,2281 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + neighbor 192.0.2.11 { + remote-as 1 + + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::11 { + remote-as 1 + + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 192.0.2.21 { + remote-as 2 + + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::21 { + remote-as 2 + + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 192.0.2.31 { + remote-as 3 + + + passive + ttl-security no + transparent-as yes + 
enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::31 { + remote-as 3 + + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 192.0.2.41 { + remote-as 4 + + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::41 { + remote-as 4 + + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + announce add-path send best plus 5 + + set nexthop no-modify + } +} + + + +# --------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. 
+ + + + + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. +# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. 
+ + + +# Scrub communities from inbound routes +# reject_cause +match from group clients set community delete 65520:* + +# reject_cause_map_6 +match from group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match from group clients set ext-community delete rt 65520:* + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which are used later by the rest of the filter rules. + +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + + + + + + + + +# Set the 'rejected_route_announced_by' community for all the clients. 
+# It will be removed later if the route is not invalid +match from 192.0.2.11 set ext-community rt 65520:1 + +match from 2001:db8:1:1::11 set ext-community rt 65520:1 + +match from 192.0.2.21 set ext-community rt 65520:2 + +match from 2001:db8:1:1::21 set ext-community rt 65520:2 + +match from 192.0.2.31 set ext-community rt 65520:3 + +match from 2001:db8:1:1::31 set ext-community rt 65520:3 + +match from 192.0.2.41 set ext-community rt 65520:4 + +match from 2001:db8:1:1::41 set ext-community rt 65520:4 + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 32' - reject code: 1 +allow quick from group clients max-as-len 32 set { + localpref 1 + community 65520:0 + community 65520:1 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +allow quick from group clients community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:10 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete 
$INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +allow quick from group clients prefix-set bogons set { + localpref 1 + community 65520:0 + community 65520:2 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# ===================================================================================== +# Per client rules. 
+ + +# --------------------------------------------- +# client AS1_1, inbound + + + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +allow quick from 192.0.2.11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 
- 4294967295' - reject code: 7 +allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete 
$INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.11 set ext-community delete rt 65520:1 + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS1_1, outbound + +deny quick to 192.0.2.11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.11 + +# do_not_announce_to_peer +deny quick to 192.0.2.11 community 0:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS1_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::11 set community NO_ADVERTISE +match from 2001:db8:1:1::11 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::11 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::11 set ext-community delete rt 65520:1 + + + +allow quick from 2001:db8:1:1::11 + + + +# --------------------------------------------- +# client AS1_2, outbound + +deny quick to 2001:db8:1:1::11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::11 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::11 community 0:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_1, inbound + + + +# NEXT_HOP +match from 192.0.2.21 set community NO_ADVERTISE +match from 192.0.2.21 nexthop 192.0.2.21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.21 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.21 AS 23456' - reject code: 7 +allow quick from 192.0.2.21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route 
+match from 192.0.2.21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.21 set ext-community delete rt 65520:2 + + + +allow quick from 192.0.2.21 + + + +# --------------------------------------------- +# client AS2_1, outbound + +deny quick to 192.0.2.21 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.21 + +# do_not_announce_to_peer +deny quick to 192.0.2.21 community 0:2 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::21 set community NO_ADVERTISE +match from 2001:db8:1:1::21 nexthop 2001:db8:1:1::21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::21 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::21 set ext-community delete rt 65520:2 + + + +allow quick from 2001:db8:1:1::21 + + + +# --------------------------------------------- +# client AS2_2, outbound + +deny quick to 2001:db8:1:1::21 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::21 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::21 community 0:2 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS3_1, inbound + + + +# NEXT_HOP +match from 192.0.2.31 set community NO_ADVERTISE +match from 192.0.2.31 nexthop 192.0.2.31 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.31 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.31 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.31 peer-as != 3' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.31 peer-as != 3 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.31 AS 23456' - reject code: 7 +allow quick from 192.0.2.31 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.31 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.31 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.31 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.31 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route 
+match from 192.0.2.31 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.31 set ext-community delete rt 65520:3 + + + +allow quick from 192.0.2.31 + + + +# --------------------------------------------- +# client AS3_1, outbound + +deny quick to 192.0.2.31 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.31 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.31 + +# do_not_announce_to_peer +deny quick to 192.0.2.31 community 0:3 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS3_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::31 set community NO_ADVERTISE +match from 2001:db8:1:1::31 nexthop 2001:db8:1:1::31 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::31 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::31 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::31 peer-as != 3' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::31 peer-as != 3 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::31 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::31 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::31 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::31 set ext-community delete rt 65520:3 + + + +allow quick from 2001:db8:1:1::31 + + + +# --------------------------------------------- +# client AS3_2, outbound + +deny quick to 2001:db8:1:1::31 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::31 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::31 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::31 community 0:3 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_1, inbound + + + +# NEXT_HOP +match from 192.0.2.41 set community NO_ADVERTISE +match from 192.0.2.41 nexthop 192.0.2.41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.41 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.41 AS 23456' - reject code: 7 +allow quick from 192.0.2.41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route 
+match from 192.0.2.41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.41 set ext-community delete rt 65520:4 + + + +allow quick from 192.0.2.41 + + + +# --------------------------------------------- +# client AS4_1, outbound + +deny quick to 192.0.2.41 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.41 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.41 + +# do_not_announce_to_peer +deny quick to 192.0.2.41 community 0:4 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::41 set community NO_ADVERTISE +match from 2001:db8:1:1::41 nexthop 2001:db8:1:1::41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::41 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::41 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::41 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::41 set ext-community delete rt 65520:4 + + + +allow quick from 2001:db8:1:1::41 + + + +# --------------------------------------------- +# client AS4_2, outbound + +deny quick to 2001:db8:1:1::41 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::41 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::41 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::41 community 0:4 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + + + +# Scrub communities from outbound routes +# do_not_announce_to_peer +match to group clients set community delete 0:* + +# reject_cause +match to group clients set community delete 65520:* + +# reject_cause_map_6 +match to group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match to group clients set ext-community delete rt 65520:* + + +# Scrub prepending communities + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + diff --git a/tests/live_tests/scenarios/path_hiding/configs/PathHidingScenario_MitigationOn_OpenBGPDIPv4/openbgpd75p.conf b/tests/live_tests/scenarios/path_hiding/configs/PathHidingScenario_MitigationOn_OpenBGPDIPv4/openbgpd75p.conf new file mode 100644 index 00000000..ea9f1875 --- /dev/null +++ b/tests/live_tests/scenarios/path_hiding/configs/PathHidingScenario_MitigationOn_OpenBGPDIPv4/openbgpd75p.conf 
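Review bot: In the file that ends just above, each per-client "Remove internal communities before accepting the route" block deletes only twelve of the internal ext-communities, leaving $INTCOMM_RPKI_INVALID, $INTCOMM_NO_EXPORT and $INTCOMM_NO_ADVERTISE on accepted routes, while every reject block before it deletes all fifteen. The last two are evidently kept so that the later "match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT" and NO_ADVERTISE rules can fire, and the final "Remove internal communities before announcing the route" block strips all fifteen, so nothing reaches clients. The reason $INTCOMM_RPKI_INVALID survives acceptance is not stated anywhere in these lines. Please add a one-line comment above the accept-path block (in the generating template, if this file is generated) naming the three retained communities and why, so the difference from the reject lists does not read as an omission.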
@@ -0,0 +1,2322 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + neighbor 192.0.2.11 { + remote-as 1 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::11 { + remote-as 1 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. 
+ rde evaluate default + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 192.0.2.21 { + remote-as 2 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::21 { + remote-as 2 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 192.0.2.31 { + remote-as 3 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. 
+ rde evaluate default + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::31 { + remote-as 3 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 192.0.2.41 { + remote-as 4 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::41 { + remote-as 4 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + announce add-path send best plus 5 + + set nexthop no-modify + } +} + + + +# --------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. 
At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. + + + + + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. +# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. 
+ + + +# Scrub communities from inbound routes +# reject_cause +match from group clients set community delete 65520:* + +# reject_cause_map_6 +match from group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match from group clients set ext-community delete rt 65520:* + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which are used later by the rest of the filter rules. + +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + + + + + + + + +# Set the 'rejected_route_announced_by' community for all the clients. 
+# It will be removed later if the route is not invalid +match from 192.0.2.11 set ext-community rt 65520:1 + +match from 2001:db8:1:1::11 set ext-community rt 65520:1 + +match from 192.0.2.21 set ext-community rt 65520:2 + +match from 2001:db8:1:1::21 set ext-community rt 65520:2 + +match from 192.0.2.31 set ext-community rt 65520:3 + +match from 2001:db8:1:1::31 set ext-community rt 65520:3 + +match from 192.0.2.41 set ext-community rt 65520:4 + +match from 2001:db8:1:1::41 set ext-community rt 65520:4 + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 32' - reject code: 1 +allow quick from group clients max-as-len 32 set { + localpref 1 + community 65520:0 + community 65520:1 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +allow quick from group clients community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:10 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete 
$INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +allow quick from group clients prefix-set bogons set { + localpref 1 + community 65520:0 + community 65520:2 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# ===================================================================================== +# Per client rules. 
+ + +# --------------------------------------------- +# client AS1_1, inbound + + + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +allow quick from 192.0.2.11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 
- 4294967295' - reject code: 7 +allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete 
$INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.11 set ext-community delete rt 65520:1 + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS1_1, outbound + +deny quick to 192.0.2.11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.11 + +# do_not_announce_to_peer +deny quick to 192.0.2.11 community 0:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS1_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::11 set community NO_ADVERTISE +match from 2001:db8:1:1::11 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::11 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::11 set ext-community delete rt 65520:1 + + + +allow quick from 2001:db8:1:1::11 + + + +# --------------------------------------------- +# client AS1_2, outbound + +deny quick to 2001:db8:1:1::11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::11 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::11 community 0:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_1, inbound + + + +# NEXT_HOP +match from 192.0.2.21 set community NO_ADVERTISE +match from 192.0.2.21 nexthop 192.0.2.21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.21 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.21 AS 23456' - reject code: 7 +allow quick from 192.0.2.21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route 
+match from 192.0.2.21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.21 set ext-community delete rt 65520:2 + + + +allow quick from 192.0.2.21 + + + +# --------------------------------------------- +# client AS2_1, outbound + +deny quick to 192.0.2.21 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.21 + +# do_not_announce_to_peer +deny quick to 192.0.2.21 community 0:2 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::21 set community NO_ADVERTISE +match from 2001:db8:1:1::21 nexthop 2001:db8:1:1::21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::21 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::21 set ext-community delete rt 65520:2 + + + +allow quick from 2001:db8:1:1::21 + + + +# --------------------------------------------- +# client AS2_2, outbound + +deny quick to 2001:db8:1:1::21 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::21 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::21 community 0:2 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS3_1, inbound + + + +# NEXT_HOP +match from 192.0.2.31 set community NO_ADVERTISE +match from 192.0.2.31 nexthop 192.0.2.31 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.31 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.31 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.31 peer-as != 3' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.31 peer-as != 3 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.31 AS 23456' - reject code: 7 +allow quick from 192.0.2.31 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.31 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.31 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.31 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.31 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route 
+match from 192.0.2.31 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.31 set ext-community delete rt 65520:3 + + + +allow quick from 192.0.2.31 + + + +# --------------------------------------------- +# client AS3_1, outbound + +deny quick to 192.0.2.31 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.31 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.31 + +# do_not_announce_to_peer +deny quick to 192.0.2.31 community 0:3 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS3_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::31 set community NO_ADVERTISE +match from 2001:db8:1:1::31 nexthop 2001:db8:1:1::31 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::31 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::31 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::31 peer-as != 3' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::31 peer-as != 3 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::31 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::31 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::31 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::31 set ext-community delete rt 65520:3 + + + +allow quick from 2001:db8:1:1::31 + + + +# --------------------------------------------- +# client AS3_2, outbound + +deny quick to 2001:db8:1:1::31 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::31 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::31 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::31 community 0:3 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_1, inbound + + + +# NEXT_HOP +match from 192.0.2.41 set community NO_ADVERTISE +match from 192.0.2.41 nexthop 192.0.2.41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.41 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.41 AS 23456' - reject code: 7 +allow quick from 192.0.2.41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route 
+match from 192.0.2.41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.41 set ext-community delete rt 65520:4 + + + +allow quick from 192.0.2.41 + + + +# --------------------------------------------- +# client AS4_1, outbound + +deny quick to 192.0.2.41 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.41 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.41 + +# do_not_announce_to_peer +deny quick to 192.0.2.41 community 0:4 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::41 set community NO_ADVERTISE +match from 2001:db8:1:1::41 nexthop 2001:db8:1:1::41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::41 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::41 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::41 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::41 set ext-community delete rt 65520:4 + + + +allow quick from 2001:db8:1:1::41 + + + +# --------------------------------------------- +# client AS4_2, outbound + +deny quick to 2001:db8:1:1::41 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::41 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::41 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::41 community 0:4 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + + + +# Scrub communities from outbound routes +# do_not_announce_to_peer +match to group clients set community delete 0:* + +# reject_cause +match to group clients set community delete 65520:* + +# reject_cause_map_6 +match to group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match to group clients set ext-community delete rt 65520:* + + +# Scrub prepending communities + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + diff --git a/tests/live_tests/scenarios/path_hiding/configs/PathHidingScenario_MitigationOn_OpenBGPDIPv6/openbgpd75p.conf b/tests/live_tests/scenarios/path_hiding/configs/PathHidingScenario_MitigationOn_OpenBGPDIPv6/openbgpd75p.conf new file mode 100644 index 00000000..ea9f1875 --- /dev/null +++ b/tests/live_tests/scenarios/path_hiding/configs/PathHidingScenario_MitigationOn_OpenBGPDIPv6/openbgpd75p.conf 
@@ -0,0 +1,2322 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + neighbor 192.0.2.11 { + remote-as 1 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::11 { + remote-as 1 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. 
+ rde evaluate default + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 192.0.2.21 { + remote-as 2 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::21 { + remote-as 2 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 192.0.2.31 { + remote-as 3 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. 
+ rde evaluate default + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::31 { + remote-as 3 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 192.0.2.41 { + remote-as 4 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::41 { + remote-as 4 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + announce add-path send best plus 5 + + set nexthop no-modify + } +} + + + +# --------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. 
At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. + + + + + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. +# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. 
+ + + +# Scrub communities from inbound routes +# reject_cause +match from group clients set community delete 65520:* + +# reject_cause_map_6 +match from group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match from group clients set ext-community delete rt 65520:* + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which are used later by the rest of the filter rules. + +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + + + + + + + + +# Set the 'rejected_route_announced_by' community for all the clients. 
+# It will be removed later if the route is not invalid +match from 192.0.2.11 set ext-community rt 65520:1 + +match from 2001:db8:1:1::11 set ext-community rt 65520:1 + +match from 192.0.2.21 set ext-community rt 65520:2 + +match from 2001:db8:1:1::21 set ext-community rt 65520:2 + +match from 192.0.2.31 set ext-community rt 65520:3 + +match from 2001:db8:1:1::31 set ext-community rt 65520:3 + +match from 192.0.2.41 set ext-community rt 65520:4 + +match from 2001:db8:1:1::41 set ext-community rt 65520:4 + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 32' - reject code: 1 +allow quick from group clients max-as-len 32 set { + localpref 1 + community 65520:0 + community 65520:1 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +allow quick from group clients community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:10 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete 
$INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +allow quick from group clients prefix-set bogons set { + localpref 1 + community 65520:0 + community 65520:2 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# ===================================================================================== +# Per client rules. 
+ + +# --------------------------------------------- +# client AS1_1, inbound + + + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +allow quick from 192.0.2.11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 
- 4294967295' - reject code: 7 +allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete 
$INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.11 set ext-community delete rt 65520:1 + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS1_1, outbound + +deny quick to 192.0.2.11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.11 + +# do_not_announce_to_peer +deny quick to 192.0.2.11 community 0:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS1_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::11 set community NO_ADVERTISE +match from 2001:db8:1:1::11 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::11 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::11 set ext-community delete rt 65520:1 + + + +allow quick from 2001:db8:1:1::11 + + + +# --------------------------------------------- +# client AS1_2, outbound + +deny quick to 2001:db8:1:1::11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::11 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::11 community 0:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_1, inbound + + + +# NEXT_HOP +match from 192.0.2.21 set community NO_ADVERTISE +match from 192.0.2.21 nexthop 192.0.2.21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.21 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.21 AS 23456' - reject code: 7 +allow quick from 192.0.2.21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route 
+match from 192.0.2.21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.21 set ext-community delete rt 65520:2 + + + +allow quick from 192.0.2.21 + + + +# --------------------------------------------- +# client AS2_1, outbound + +deny quick to 192.0.2.21 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.21 + +# do_not_announce_to_peer +deny quick to 192.0.2.21 community 0:2 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::21 set community NO_ADVERTISE +match from 2001:db8:1:1::21 nexthop 2001:db8:1:1::21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::21 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::21 set ext-community delete rt 65520:2 + + + +allow quick from 2001:db8:1:1::21 + + + +# --------------------------------------------- +# client AS2_2, outbound + +deny quick to 2001:db8:1:1::21 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::21 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::21 community 0:2 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS3_1, inbound + + + +# NEXT_HOP +match from 192.0.2.31 set community NO_ADVERTISE +match from 192.0.2.31 nexthop 192.0.2.31 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.31 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.31 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.31 peer-as != 3' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.31 peer-as != 3 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.31 AS 23456' - reject code: 7 +allow quick from 192.0.2.31 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.31 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.31 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.31 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.31 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route 
+match from 192.0.2.31 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.31 set ext-community delete rt 65520:3 + + + +allow quick from 192.0.2.31 + + + +# --------------------------------------------- +# client AS3_1, outbound + +deny quick to 192.0.2.31 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.31 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.31 + +# do_not_announce_to_peer +deny quick to 192.0.2.31 community 0:3 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS3_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::31 set community NO_ADVERTISE +match from 2001:db8:1:1::31 nexthop 2001:db8:1:1::31 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::31 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::31 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::31 peer-as != 3' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::31 peer-as != 3 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::31 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::31 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::31 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::31 set ext-community delete rt 65520:3 + + + +allow quick from 2001:db8:1:1::31 + + + +# --------------------------------------------- +# client AS3_2, outbound + +deny quick to 2001:db8:1:1::31 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::31 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::31 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::31 community 0:3 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_1, inbound + + + +# NEXT_HOP +match from 192.0.2.41 set community NO_ADVERTISE +match from 192.0.2.41 nexthop 192.0.2.41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.41 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.41 AS 23456' - reject code: 7 +allow quick from 192.0.2.41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route 
+match from 192.0.2.41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.41 set ext-community delete rt 65520:4 + + + +allow quick from 192.0.2.41 + + + +# --------------------------------------------- +# client AS4_1, outbound + +deny quick to 192.0.2.41 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.41 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.41 + +# do_not_announce_to_peer +deny quick to 192.0.2.41 community 0:4 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::41 set community NO_ADVERTISE +match from 2001:db8:1:1::41 nexthop 2001:db8:1:1::41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::41 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::41 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::41 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::41 set ext-community delete rt 65520:4 + + + +allow quick from 2001:db8:1:1::41 + + + +# --------------------------------------------- +# client AS4_2, outbound + +deny quick to 2001:db8:1:1::41 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::41 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::41 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::41 community 0:4 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + + + +# Scrub communities from outbound routes +# do_not_announce_to_peer +match to group clients set community delete 0:* + +# reject_cause +match to group clients set community delete 65520:* + +# reject_cause_map_6 +match to group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match to group clients set ext-community delete rt 65520:* + + +# Scrub prepending communities + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv4/openbgpd75p/AS1.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv4/openbgpd75p/AS1.txt new file mode 100644 index 00000000..7fe4a1b3 --- /dev/null +++ b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv4/openbgpd75p/AS1.txt 
@@ -0,0 +1,7 @@ +101.0.1.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv4/openbgpd75p/AS101.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv4/openbgpd75p/AS101.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv4/openbgpd75p/AS2.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv4/openbgpd75p/AS2.txt new file mode 100644 index 00000000..dd7e5651 --- /dev/null +++ b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv4/openbgpd75p/AS2.txt @@ -0,0 +1,7 @@ +101.0.1.0/24, AS_PATH: 101 101 101 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv4/openbgpd75p/AS3.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv4/openbgpd75p/AS3.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv4/openbgpd75p/AS4.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv4/openbgpd75p/AS4.txt new file mode 100644 index 00000000..16373410 --- /dev/null +++ b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv4/openbgpd75p/AS4.txt @@ -0,0 +1,7 @@ +101.0.1.0/24, AS_PATH: 2 101 101 101 101, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + 
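Review bot: AS4.txt under PathHidingScenario_MitigationOff_OpenBGPDIPv4/openbgpd75p expects AS4 to hold the `2 101 101 101 101` path via 192.0.2.2, while AS3.txt in the same directory is added as an empty file, and nothing in these fixtures says why the two clients differ when the mitigation is off. Please state in the scenario's documentation or in the test itself what distinguishes AS4 from AS3 here (if it is the ADD-PATH support that this change documents as available from OpenBGPD 7.5, say so explicitly), so that a later regeneration that changes only one of these two files can be judged as expected or as a regression.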
diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv4/openbgpd75p/rs.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv4/openbgpd75p/rs.txt new file mode 100644 index 00000000..12d72bc0 --- /dev/null +++ b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv4/openbgpd75p/rs.txt @@ -0,0 +1,14 @@ +101.0.1.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: 0:3, 0:4 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +101.0.1.0/24, AS_PATH: 2 101 101 101 101, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv6/openbgpd75p/AS1.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv6/openbgpd75p/AS1.txt new file mode 100644 index 00000000..61c455e4 --- /dev/null +++ b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv6/openbgpd75p/AS1.txt @@ -0,0 +1,7 @@ +2a01:1:1::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv6/openbgpd75p/AS101.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv6/openbgpd75p/AS101.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv6/openbgpd75p/AS2.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv6/openbgpd75p/AS2.txt new file mode 100644 index 00000000..d2dd2ccd --- /dev/null 
+++ b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv6/openbgpd75p/AS2.txt @@ -0,0 +1,7 @@ +2a01:1:1::/48, AS_PATH: 101 101 101 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv6/openbgpd75p/AS3.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv6/openbgpd75p/AS3.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv6/openbgpd75p/AS4.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv6/openbgpd75p/AS4.txt new file mode 100644 index 00000000..430ef778 --- /dev/null +++ b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv6/openbgpd75p/AS4.txt @@ -0,0 +1,7 @@ +2a01:1:1::/48, AS_PATH: 2 101 101 101 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv6/openbgpd75p/rs.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv6/openbgpd75p/rs.txt new file mode 100644 index 00000000..a3d81fe6 --- /dev/null +++ b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOff_OpenBGPDIPv6/openbgpd75p/rs.txt 
@@ -0,0 +1,14 @@ +2a01:1:1::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 0:3, 0:4 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:1:1::/48, AS_PATH: 2 101 101 101 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv4/openbgpd75p/AS1.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv4/openbgpd75p/AS1.txt new file mode 100644 index 00000000..7fe4a1b3 --- /dev/null +++ b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv4/openbgpd75p/AS1.txt @@ -0,0 +1,7 @@ +101.0.1.0/24, AS_PATH: 101, NEXT_HOP: 192.0.2.101, via 192.0.2.101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv4/openbgpd75p/AS101.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv4/openbgpd75p/AS101.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv4/openbgpd75p/AS2.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv4/openbgpd75p/AS2.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv4/openbgpd75p/AS3.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv4/openbgpd75p/AS3.txt new file mode 100644 index 00000000..e69de29b 
diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv4/openbgpd75p/AS4.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv4/openbgpd75p/AS4.txt new file mode 100644 index 00000000..16373410 --- /dev/null +++ b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv4/openbgpd75p/AS4.txt @@ -0,0 +1,7 @@ +101.0.1.0/24, AS_PATH: 2 101 101 101 101, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv4/openbgpd75p/rs.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv4/openbgpd75p/rs.txt new file mode 100644 index 00000000..1b00af92 --- /dev/null +++ b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv4/openbgpd75p/rs.txt @@ -0,0 +1,7 @@ +101.0.1.0/24, AS_PATH: 1 101, NEXT_HOP: 192.0.2.11, via 192.0.2.11 + std comms: 0:3, 0:4 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv6/openbgpd75p/AS1.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv6/openbgpd75p/AS1.txt new file mode 100644 index 00000000..61c455e4 --- /dev/null +++ b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv6/openbgpd75p/AS1.txt @@ -0,0 +1,7 @@ +2a01:1:1::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + 
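Review bot: the MitigationOn IPv4 snapshots for openbgpd75p do not describe one consistent state: rs.txt lists only the `1 101` path from 192.0.2.11 and AS2.txt is added empty, yet AS4.txt holds `AS_PATH: 2 101 101 101 101` learned via 192.0.2.2, a path that the route server's own dump does not contain. If the per-node dumps are written at different stages of the test, document that where the files are produced; otherwise regenerate them so that rs.txt includes the path AS4 is shown to have received, as the MitigationOff rs.txt does with its second, `best: False` entry.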
diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv6/openbgpd75p/AS101.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv6/openbgpd75p/AS101.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv6/openbgpd75p/AS2.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv6/openbgpd75p/AS2.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv6/openbgpd75p/AS3.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv6/openbgpd75p/AS3.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv6/openbgpd75p/AS4.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv6/openbgpd75p/AS4.txt new file mode 100644 index 00000000..430ef778 --- /dev/null +++ b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv6/openbgpd75p/AS4.txt @@ -0,0 +1,7 @@ +2a01:1:1::/48, AS_PATH: 2 101 101 101 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv6/openbgpd75p/rs.txt b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv6/openbgpd75p/rs.txt new file mode 100644 index 00000000..819f293a --- /dev/null +++ b/tests/live_tests/scenarios/path_hiding/routes/PathHidingScenario_MitigationOn_OpenBGPDIPv6/openbgpd75p/rs.txt 
@@ -0,0 +1,7 @@ +2a01:1:1::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 0:3, 0:4 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenarioOpenBGPD_IPv4/openbgpd68.conf b/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenarioOpenBGPD_IPv4/openbgpd68.conf index 6dfa8171..4690e27f 100644 --- a/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenarioOpenBGPD_IPv4/openbgpd68.conf +++ b/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenarioOpenBGPD_IPv4/openbgpd68.conf 
@@ -185,7 +185,7 @@ prefix-set "bogons" { # never via route-servers ASNs as-set "neverviarouteserver" { - 92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338 + 92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 
35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338 } # ===================================================================================== diff --git a/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenarioOpenBGPD_IPv4/openbgpd70.conf b/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenarioOpenBGPD_IPv4/openbgpd70.conf index 8b3811b7..ae22c859 100644 --- a/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenarioOpenBGPD_IPv4/openbgpd70.conf +++ b/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenarioOpenBGPD_IPv4/openbgpd70.conf 
@@ -189,7 +189,7 @@ prefix-set "bogons" { # never via route-servers ASNs as-set "neverviarouteserver" { - 92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338 + 92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 
35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338 } # ===================================================================================== diff --git a/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenarioOpenBGPD_IPv4/openbgpd75p.conf b/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenarioOpenBGPD_IPv4/openbgpd75p.conf new file mode 100644 index 00000000..3924c411 --- /dev/null +++ b/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenarioOpenBGPD_IPv4/openbgpd75p.conf 
@@ -0,0 +1,4027 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + +# AS3333, used by client AS3333_1 +as-set "AS_SET_AS3333_asns" { + 3333 +} +prefix-set "AS_SET_AS3333_prefixes" { + 2001:67c:2e8::/48 prefixlen 48 - 128 +} + +# AS10745, used by client AS10745_1, client AS10745_2 +as-set "AS_SET_AS10745_asns" { + 10745 +} +prefix-set "AS_SET_AS10745_prefixes" { + 2001:500:4::/48 prefixlen 48 - 128 +} + +# AS-RIPENCC, used by client AS3333_1 +# no origin ASNs found for AS_RIPENCC +# no prefixes found for AS_RIPENCC + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + # RTT: 224 ms (normalized value: 224) + neighbor 192.0.2.22 { + remote-as 10745 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. 
+ rde evaluate default + + passive + ttl-security yes + max-prefix 121 restart 30 + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } + + # RTT: 226 ms (normalized value: 226) + neighbor 2001:db8:1:1::22 { + remote-as 10745 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default + + passive + ttl-security yes + max-prefix 13915 restart 30 + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + announce add-path send best plus 5 + + set nexthop no-modify + } + + # RTT: 114 ms (normalized value: 114) + neighbor 192.0.2.11 { + remote-as 3333 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default + + passive + ttl-security yes + max-prefix 150 restart 30 + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } +} + + + +# --------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. 
+ + + + +prefix-set "global_black_list_pref" { + 192.0.2.0/24 prefixlen 24 - 32 + 2001:db8:1:1::/64 prefixlen 64 - 128 + +} + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + +# never via route-servers ASNs +as-set "neverviarouteserver" { + 92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 
36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338 +} + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. +# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. 
+ + + +# Scrub communities from inbound routes +# origin_not_present_in_as_set +match from group clients set community delete 65530:0 +match from group clients set large-community delete 999:65530:0 + +# origin_present_in_as_set +match from group clients set community delete 65530:1 +match from group clients set large-community delete 999:65530:1 + +# prefix_validated_via_arin_whois_db_dump +match from group clients set community delete 65530:4 +match from group clients set large-community delete 999:65530:4 + +# prefix_validated_via_rpki_roas +match from group clients set community delete 65530:2 +match from group clients set large-community delete 999:65530:2 + +# reject_cause +match from group clients set community delete 65520:* + +# reject_cause_map_6 +match from group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match from group clients set ext-community delete rt 65520:* + +# route_validated_via_white_list +match from group clients set community delete 65530:3 +match from group clients set large-community delete 999:65530:3 + +# from_europe +match from group clients set community delete 65534:1 +match from group clients set ext-community delete rt 65534:1 +match from group clients set large-community delete 999:65534:1 + +# from_usa +match from group clients set community delete 65534:2 +match from group clients set ext-community delete rt 65534:2 +match from group clients set large-community delete 999:65534:2 + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete 
$INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which are used later by the rest of the filter rules. + +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + +# --------------------------------------------------------- +# ROAs source + + +roa-set { + 193.0.0.0/21 source-as 3333 + 193.0.24.0/22 maxlen 26 source-as 3333 + 193.0.10.0/23 source-as 3333 + 193.0.12.0/23 source-as 3333 + 193.0.14.0/23 source-as 25152 + 193.0.18.0/23 source-as 3333 + 193.0.20.0/23 source-as 3333 + 193.0.22.0/23 source-as 3333 + 193.0.14.0/24 source-as 25152 + 193.0.24.0/24 source-as 3333 + 2001:7fd::/32 source-as 25152 + 2001:610:240::/42 source-as 3333 + 2001:67c:2e8::/48 source-as 3333 + 2001:7fd::/48 source-as 25152 + +} + + + +# --------------------------------------------------------- +# RPKI-based Origin Validation + + +# Add $INTCOMM_RPKI_UNKNOWN, $INTCOMM_RPKI_INVALID and $INTCOMM_RPKI_VALID +# ext community on the basis of ovs. 
+match from group clients ovs not-found set { + ext-community $INTCOMM_RPKI_UNKNOWN + ext-community ovs not-found + +} +match from group clients ovs valid set { + ext-community $INTCOMM_RPKI_VALID + ext-community ovs valid + +} +match from group clients ovs invalid set { + ext-community $INTCOMM_RPKI_INVALID + ext-community ovs invalid + +} + + + +# --------------------------------------------------------- +# RPKI ROAs used as route objects. + +# Add the $INTCOMM_PREF_OK_ROA ext community to routes whose +# origin ASN has a ROA for the announced prefix. +# It will be used later during IRRDB validation in +# case the origin ASN is authorized by a client's +# AS-SET but the prefix is not. + +# Since RPKI-based Origin Validation is already performed above, +# use the origin validation state to identify valid routes. +match from group clients ovs valid set ext-community $INTCOMM_PREF_OK_ROA + + +# ARIN Whois records used for preifx validation +# --------------------------------------------- + +# Add the $INTCOMM_PREF_OK_ARINDB ext community to routes whose +# origin ASN has an ARIN Whois record for the announced prefix. +# It will be used later during IRRDB validation in +# case the origin ASN is authorized by a client's +# AS-SET but the prefix is not. +origin-set "ARINDB" { +192.136.136.0/24 prefixlen 24 - 32 source-as 10745 +192.149.252.0/24 prefixlen 24 - 32 source-as 10745 +199.43.0.0/24 prefixlen 24 - 32 source-as 10745 +2001:500:110::/48 prefixlen 48 - 128 source-as 10745 +2001:500:4::/48 prefixlen 48 - 128 source-as 10745 +} +match from group clients origin-set ARINDB set ext-community $INTCOMM_PREF_OK_ARINDB + + + + +# Set the 'rejected_route_announced_by' community for all the clients. 
+# It will be removed later if the route is not invalid +match from 192.0.2.22 set ext-community rt 65520:10745 + +match from 2001:db8:1:1::22 set ext-community rt 65520:10745 + +match from 192.0.2.11 set ext-community rt 65520:3333 + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 32' - reject code: 1 +allow quick from group clients max-as-len 32 set { + localpref 1 + community 65520:0 + community 65520:1 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: global blacklist +# Reject inbound routes when 'from group clients prefix-set global_black_list_pref' - reject code: 3 +allow quick from group clients prefix-set global_black_list_pref set { + localpref 1 + community 65520:0 + community 65520:3 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community 
delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +allow quick from group clients community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:10 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +allow quick from group clients prefix-set bogons set { + localpref 1 + community 65520:0 + community 65520:2 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + 
ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# ===================================================================================== +# Per client rules. + + +# --------------------------------------------- +# client AS10745_1, inbound + + +# Attach custom BGP communities +# from_usa +match from 192.0.2.22 set community 65534:2 +match from 192.0.2.22 set ext-community rt 65534:2 +match from 192.0.2.22 set large-community 999:65534:2 + +# NEXT_HOP +match from 192.0.2.22 set community NO_ADVERTISE +match from 192.0.2.22 nexthop 192.0.2.22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.22 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.22 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.22 peer-as != 10745' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.22 peer-as != 10745 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + 
ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.22 AS 23456' - reject code: 7 +allow quick from 192.0.2.22 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.22 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.22 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + 
ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.22 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.22 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.22 AS { 174, 701, 1299, 2914, 3257, 3320, 3356, 5511, 6453, 6461, 6762, 6830, 7018, 12956 }' - reject code: 8 +allow quick from 192.0.2.22 AS { 174, 701, 1299, 2914, 3257, 3320, 3356, 5511, 6453, 6461, 6762, 6830, 7018, 12956 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + 
ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.22 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.22 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +match from 192.0.2.22 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS10745_1, AS10745: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.22 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.22 source-as as-set AS_SET_AS10745_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS10745 +# adding not_present_in_as_set community to unauthorized 
routes +match from 192.0.2.22 ext-community $INTCOMM_ORIGIN_KO set community 65530:0 +match from 192.0.2.22 ext-community $INTCOMM_ORIGIN_KO set large-community 999:65530:0 +# adding present_in_as_set community to authorized routes +match from 192.0.2.22 ext-community $INTCOMM_ORIGIN_OK set community 65530:1 +match from 192.0.2.22 ext-community $INTCOMM_ORIGIN_OK set large-community 999:65530:1 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS10745_1, AS10745: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.22 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.22 prefix-set AS_SET_AS10745_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS10745 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.22 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 65530:2 +match from 192.0.2.22 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:65530:2 + +match from 192.0.2.22 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.22 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 65530:4 +match from 192.0.2.22 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:65530:4 + +match from 192.0.2.22 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.22 
ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? 
+match from 192.0.2.22 set ext-community delete rt 65520:10745 + + +# Remove internal communities before accepting the route +match from 192.0.2.22 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.22 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.22 large-community 999:666:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +allow quick from 192.0.2.22 community BLACKHOLE +allow quick from 192.0.2.22 community 65534:0 +allow quick from 192.0.2.22 large-community 999:666:0 + + +match from 192.0.2.22 set ext-community rt 65520:10745 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.22 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.22 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.22 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.22 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.22 community GRACEFUL_SHUTDOWN set localpref 0 + +# Remove internal communities before accepting the route +match from 192.0.2.22 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.22 set ext-community delete rt 65520:10745 + + + +allow quick from 192.0.2.22 + + + +# --------------------------------------------- +# client AS10745_1, outbound + +deny quick to 192.0.2.22 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 192.0.2.22 community 65534:0 set community BLACKHOLE +match to 192.0.2.22 large-community 999:666:0 set community BLACKHOLE + +match to 192.0.2.22 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.22 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.22 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.22 community 65507:999 set community NO_EXPORT +match to 192.0.2.22 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.22 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.22 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.22 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.22 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.22 community 65509:10745 set community NO_EXPORT +match to 192.0.2.22 ext-community rt 65509:10745 set community NO_EXPORT +match to 192.0.2.22 large-community 999:65509:10745 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.22 community 65510:10745 set community NO_ADVERTISE +match to 192.0.2.22 ext-community rt 65510:10745 set community NO_ADVERTISE +match to 192.0.2.22 large-community 999:65510:10745 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.22 + +# do_not_announce_to_any +deny to 192.0.2.22 community 0:999 +deny to 192.0.2.22 ext-community rt 0:999 +deny to 192.0.2.22 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.22 community 0:10745 +deny quick to 192.0.2.22 ext-community rt 0:10745 +deny quick to 192.0.2.22 large-community 999:0:10745 + +# do_not_announce_to_peers_with_rtt_lower_than 500 ms +deny to 192.0.2.22 community 64511:500 +deny to 192.0.2.22 ext-community rt 64511:500 
+deny to 192.0.2.22 large-community 999:64511:500 + + +# announce_to_peers_with_rtt_lower_than 500 ms +allow to 192.0.2.22 community 64513:500 +allow to 192.0.2.22 ext-community rt 64513:500 +allow to 192.0.2.22 large-community 999:64513:500 + + +# do_not_announce_to_peers_with_rtt_higher_than 5 ms +deny to 192.0.2.22 community 64512:5 +deny to 192.0.2.22 ext-community rt 64512:5 +deny to 192.0.2.22 large-community 999:64512:5 + + +# do_not_announce_to_peers_with_rtt_higher_than 10 ms +deny to 192.0.2.22 community 64512:10 +deny to 192.0.2.22 ext-community rt 64512:10 +deny to 192.0.2.22 large-community 999:64512:10 + + +# do_not_announce_to_peers_with_rtt_higher_than 15 ms +deny to 192.0.2.22 community 64512:15 +deny to 192.0.2.22 ext-community rt 64512:15 +deny to 192.0.2.22 large-community 999:64512:15 + + +# do_not_announce_to_peers_with_rtt_higher_than 20 ms +deny to 192.0.2.22 community 64512:20 +deny to 192.0.2.22 ext-community rt 64512:20 +deny to 192.0.2.22 large-community 999:64512:20 + + +# do_not_announce_to_peers_with_rtt_higher_than 30 ms +deny to 192.0.2.22 community 64512:30 +deny to 192.0.2.22 ext-community rt 64512:30 +deny to 192.0.2.22 large-community 999:64512:30 + + +# do_not_announce_to_peers_with_rtt_higher_than 50 ms +deny to 192.0.2.22 community 64512:50 +deny to 192.0.2.22 ext-community rt 64512:50 +deny to 192.0.2.22 large-community 999:64512:50 + + +# do_not_announce_to_peers_with_rtt_higher_than 100 ms +deny to 192.0.2.22 community 64512:100 +deny to 192.0.2.22 ext-community rt 64512:100 +deny to 192.0.2.22 large-community 999:64512:100 + + +# do_not_announce_to_peers_with_rtt_higher_than 200 ms +deny to 192.0.2.22 community 64512:200 +deny to 192.0.2.22 ext-community rt 64512:200 +deny to 192.0.2.22 large-community 999:64512:200 + + +# announce_to_peers_with_rtt_higher_than 5 ms +allow to 192.0.2.22 community 64514:5 +allow to 192.0.2.22 ext-community rt 64514:5 +allow to 192.0.2.22 large-community 999:64514:5 + + +# 
announce_to_peers_with_rtt_higher_than 10 ms +allow to 192.0.2.22 community 64514:10 +allow to 192.0.2.22 ext-community rt 64514:10 +allow to 192.0.2.22 large-community 999:64514:10 + + +# announce_to_peers_with_rtt_higher_than 15 ms +allow to 192.0.2.22 community 64514:15 +allow to 192.0.2.22 ext-community rt 64514:15 +allow to 192.0.2.22 large-community 999:64514:15 + + +# announce_to_peers_with_rtt_higher_than 20 ms +allow to 192.0.2.22 community 64514:20 +allow to 192.0.2.22 ext-community rt 64514:20 +allow to 192.0.2.22 large-community 999:64514:20 + + +# announce_to_peers_with_rtt_higher_than 30 ms +allow to 192.0.2.22 community 64514:30 +allow to 192.0.2.22 ext-community rt 64514:30 +allow to 192.0.2.22 large-community 999:64514:30 + + +# announce_to_peers_with_rtt_higher_than 50 ms +allow to 192.0.2.22 community 64514:50 +allow to 192.0.2.22 ext-community rt 64514:50 +allow to 192.0.2.22 large-community 999:64514:50 + + +# announce_to_peers_with_rtt_higher_than 100 ms +allow to 192.0.2.22 community 64514:100 +allow to 192.0.2.22 ext-community rt 64514:100 +allow to 192.0.2.22 large-community 999:64514:100 + + +# announce_to_peers_with_rtt_higher_than 200 ms +allow to 192.0.2.22 community 64514:200 +allow to 192.0.2.22 ext-community rt 64514:200 +allow to 192.0.2.22 large-community 999:64514:200 + + +# announce_to_peer +allow to 192.0.2.22 community 999:10745 +allow to 192.0.2.22 ext-community rt 999:10745 +allow to 192.0.2.22 large-community 999:999:10745 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.22 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS10745; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65504:10745 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65504:10745 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65504:10745 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS10745; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65505:10745 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65505:10745 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65505:10745 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS10745; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65506:10745 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65506:10745 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65506:10745 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS 
+} + + +# prepend_once_to_peers_with_rtt_higher_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64515:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64515:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64515:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64516:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64516:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64516:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64517:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64517:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64517:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# 
prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65501:999 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65501:999 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65501:999 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65502:999 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65502:999 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65502:999 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65503:999 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65503:999 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65503:999 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS10745_2, inbound + + +# Attach custom BGP 
communities +# from_usa +match from 2001:db8:1:1::22 set community 65534:2 +match from 2001:db8:1:1::22 set ext-community rt 65534:2 +match from 2001:db8:1:1::22 set large-community 999:65534:2 + +# NEXT_HOP +match from 2001:db8:1:1::22 set community NO_ADVERTISE +match from 2001:db8:1:1::22 nexthop 2001:db8:1:1::22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::22 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::22 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::22 peer-as != 10745' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::22 peer-as != 10745 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT 
+ ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::22 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::22 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::22 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::22 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::22 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::22 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 2001:db8:1:1::22 AS { 174, 701, 1299, 2914, 3257, 3320, 3356, 5511, 6453, 6461, 6762, 6830, 7018, 12956 }' - reject code: 8 +allow quick from 2001:db8:1:1::22 AS { 174, 701, 1299, 2914, 3257, 3320, 3356, 5511, 6453, 6461, 6762, 6830, 7018, 12956 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + 
ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 2001:db8:1:1::22 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 2001:db8:1:1::22 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +match from 2001:db8:1:1::22 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS10745_2, AS10745: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::22 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::22 source-as as-set AS_SET_AS10745_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS10745 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::22 ext-community $INTCOMM_ORIGIN_KO set community 65530:0 +match from 2001:db8:1:1::22 ext-community $INTCOMM_ORIGIN_KO set large-community 999:65530:0 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::22 
ext-community $INTCOMM_ORIGIN_OK set community 65530:1 +match from 2001:db8:1:1::22 ext-community $INTCOMM_ORIGIN_OK set large-community 999:65530:1 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS10745_2, AS10745: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::22 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::22 prefix-set AS_SET_AS10745_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS10745 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::22 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 65530:2 +match from 2001:db8:1:1::22 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:65530:2 + +match from 2001:db8:1:1::22 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::22 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 65530:4 +match from 2001:db8:1:1::22 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:65530:4 + +match from 2001:db8:1:1::22 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + 
localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db8:1:1::22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::22 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? 
+match from 2001:db8:1:1::22 set ext-community delete rt 65520:10745 + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::22 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::22 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::22 large-community 999:666:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +allow quick from 2001:db8:1:1::22 community BLACKHOLE +allow quick from 2001:db8:1:1::22 community 65534:0 +allow quick from 2001:db8:1:1::22 large-community 999:666:0 + + +match from 2001:db8:1:1::22 set ext-community rt 65520:10745 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 2001:db8:1:1::22 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 2001:db8:1:1::22 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::22 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::22 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + 
ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 2001:db8:1:1::22 community GRACEFUL_SHUTDOWN set localpref 0 + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::22 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::22 set ext-community delete rt 65520:10745 + + + +allow quick from 2001:db8:1:1::22 + + + +# --------------------------------------------- +# client AS10745_2, outbound + +deny quick to 2001:db8:1:1::22 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 2001:db8:1:1::22 community 65534:0 set community BLACKHOLE +match to 2001:db8:1:1::22 large-community 999:666:0 set community BLACKHOLE + +match to 2001:db8:1:1::22 community BLACKHOLE set community NO_EXPORT +match to 2001:db8:1:1::22 community BLACKHOLE set nexthop 2001:db8:1:1::66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::22 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 2001:db8:1:1::22 community 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::22 ext-community rt 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::22 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 2001:db8:1:1::22 community 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::22 ext-community rt 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::22 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 2001:db8:1:1::22 community 65509:10745 set community NO_EXPORT +match to 2001:db8:1:1::22 ext-community rt 65509:10745 set community NO_EXPORT +match to 2001:db8:1:1::22 large-community 999:65509:10745 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 2001:db8:1:1::22 community 65510:10745 set community NO_ADVERTISE +match to 2001:db8:1:1::22 ext-community rt 65510:10745 set community NO_ADVERTISE +match to 2001:db8:1:1::22 large-community 999:65510:10745 set community NO_ADVERTISE + + +# BGP control communities +allow to 2001:db8:1:1::22 + +# do_not_announce_to_any +deny to 2001:db8:1:1::22 community 0:999 +deny to 2001:db8:1:1::22 ext-community rt 0:999 +deny to 2001:db8:1:1::22 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::22 community 0:10745 +deny quick to 2001:db8:1:1::22 ext-community rt 0:10745 +deny quick to 2001:db8:1:1::22 large-community 
999:0:10745 + +# do_not_announce_to_peers_with_rtt_lower_than 500 ms +deny to 2001:db8:1:1::22 community 64511:500 +deny to 2001:db8:1:1::22 ext-community rt 64511:500 +deny to 2001:db8:1:1::22 large-community 999:64511:500 + + +# announce_to_peers_with_rtt_lower_than 500 ms +allow to 2001:db8:1:1::22 community 64513:500 +allow to 2001:db8:1:1::22 ext-community rt 64513:500 +allow to 2001:db8:1:1::22 large-community 999:64513:500 + + +# do_not_announce_to_peers_with_rtt_higher_than 5 ms +deny to 2001:db8:1:1::22 community 64512:5 +deny to 2001:db8:1:1::22 ext-community rt 64512:5 +deny to 2001:db8:1:1::22 large-community 999:64512:5 + + +# do_not_announce_to_peers_with_rtt_higher_than 10 ms +deny to 2001:db8:1:1::22 community 64512:10 +deny to 2001:db8:1:1::22 ext-community rt 64512:10 +deny to 2001:db8:1:1::22 large-community 999:64512:10 + + +# do_not_announce_to_peers_with_rtt_higher_than 15 ms +deny to 2001:db8:1:1::22 community 64512:15 +deny to 2001:db8:1:1::22 ext-community rt 64512:15 +deny to 2001:db8:1:1::22 large-community 999:64512:15 + + +# do_not_announce_to_peers_with_rtt_higher_than 20 ms +deny to 2001:db8:1:1::22 community 64512:20 +deny to 2001:db8:1:1::22 ext-community rt 64512:20 +deny to 2001:db8:1:1::22 large-community 999:64512:20 + + +# do_not_announce_to_peers_with_rtt_higher_than 30 ms +deny to 2001:db8:1:1::22 community 64512:30 +deny to 2001:db8:1:1::22 ext-community rt 64512:30 +deny to 2001:db8:1:1::22 large-community 999:64512:30 + + +# do_not_announce_to_peers_with_rtt_higher_than 50 ms +deny to 2001:db8:1:1::22 community 64512:50 +deny to 2001:db8:1:1::22 ext-community rt 64512:50 +deny to 2001:db8:1:1::22 large-community 999:64512:50 + + +# do_not_announce_to_peers_with_rtt_higher_than 100 ms +deny to 2001:db8:1:1::22 community 64512:100 +deny to 2001:db8:1:1::22 ext-community rt 64512:100 +deny to 2001:db8:1:1::22 large-community 999:64512:100 + + +# do_not_announce_to_peers_with_rtt_higher_than 200 ms +deny to 2001:db8:1:1::22 
community 64512:200 +deny to 2001:db8:1:1::22 ext-community rt 64512:200 +deny to 2001:db8:1:1::22 large-community 999:64512:200 + + +# announce_to_peers_with_rtt_higher_than 5 ms +allow to 2001:db8:1:1::22 community 64514:5 +allow to 2001:db8:1:1::22 ext-community rt 64514:5 +allow to 2001:db8:1:1::22 large-community 999:64514:5 + + +# announce_to_peers_with_rtt_higher_than 10 ms +allow to 2001:db8:1:1::22 community 64514:10 +allow to 2001:db8:1:1::22 ext-community rt 64514:10 +allow to 2001:db8:1:1::22 large-community 999:64514:10 + + +# announce_to_peers_with_rtt_higher_than 15 ms +allow to 2001:db8:1:1::22 community 64514:15 +allow to 2001:db8:1:1::22 ext-community rt 64514:15 +allow to 2001:db8:1:1::22 large-community 999:64514:15 + + +# announce_to_peers_with_rtt_higher_than 20 ms +allow to 2001:db8:1:1::22 community 64514:20 +allow to 2001:db8:1:1::22 ext-community rt 64514:20 +allow to 2001:db8:1:1::22 large-community 999:64514:20 + + +# announce_to_peers_with_rtt_higher_than 30 ms +allow to 2001:db8:1:1::22 community 64514:30 +allow to 2001:db8:1:1::22 ext-community rt 64514:30 +allow to 2001:db8:1:1::22 large-community 999:64514:30 + + +# announce_to_peers_with_rtt_higher_than 50 ms +allow to 2001:db8:1:1::22 community 64514:50 +allow to 2001:db8:1:1::22 ext-community rt 64514:50 +allow to 2001:db8:1:1::22 large-community 999:64514:50 + + +# announce_to_peers_with_rtt_higher_than 100 ms +allow to 2001:db8:1:1::22 community 64514:100 +allow to 2001:db8:1:1::22 ext-community rt 64514:100 +allow to 2001:db8:1:1::22 large-community 999:64514:100 + + +# announce_to_peers_with_rtt_higher_than 200 ms +allow to 2001:db8:1:1::22 community 64514:200 +allow to 2001:db8:1:1::22 ext-community rt 64514:200 +allow to 2001:db8:1:1::22 large-community 999:64514:200 + + +# announce_to_peer +allow to 2001:db8:1:1::22 community 999:10745 +allow to 2001:db8:1:1::22 ext-community rt 999:10745 +allow to 2001:db8:1:1::22 large-community 999:999:10745 + + +# Add the 
$INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::22 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS10745; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65504:10745 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65504:10745 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65504:10745 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS10745; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65505:10745 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65505:10745 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65505:10745 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS10745; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65506:10745 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS 
ext-community rt 65506:10745 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65506:10745 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 
ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:100 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:50 set { + 
prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS 
community 64520:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS community 64520:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 
2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further 
prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to 
prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_once_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64515:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64515:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64515:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64516:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64516:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64516:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 500 ms; remove 
INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64517:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64517:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64517:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65501:999 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65501:999 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65501:999 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65502:999 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65502:999 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65502:999 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further 
prepending actions +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65503:999 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65503:999 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::22 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65503:999 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS3333_1, inbound + + +# Attach custom BGP communities +# from_europe +match from 192.0.2.11 set community 65534:1 +match from 192.0.2.11 set ext-community rt 65534:1 +match from 192.0.2.11 set large-community 999:65534:1 + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.11 peer-as != 3333' - 
reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.11 peer-as != 3333 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +allow quick from 192.0.2.11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + 
community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.11 AS { 174, 701, 1299, 2914, 3257, 3320, 3356, 5511, 6453, 6461, 6762, 6830, 7018, 12956 }' - reject code: 8 +allow quick from 192.0.2.11 AS { 174, 701, 1299, 2914, 3257, 3320, 3356, 5511, 6453, 6461, 6762, 6830, 7018, 12956 } set { + localpref 1 + community 65520:0 + community 65520:8 + 
community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.11 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.11 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +match from 192.0.2.11 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS3333_1, AS3333: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_ORIGIN_KO +# 
verifying if object is authorized by AS-SETs +match from 192.0.2.11 source-as as-set AS_SET_AS3333_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS3333 +# AS-SET AS_RIPENCC referenced but empty. +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_KO set community 65530:0 +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_KO set large-community 999:65530:0 +# adding present_in_as_set community to authorized routes +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK set community 65530:1 +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK set large-community 999:65530:1 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS3333_1, AS3333: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.11 prefix-set AS_SET_AS3333_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS3333 +# AS-SET AS_RIPENCC referenced but empty. 
+ + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 65530:2 +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:65530:2 + +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 65530:4 +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:65530:4 + +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + 
ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? 
+match from 192.0.2.11 set ext-community delete rt 65520:3333 + + +# Remove internal communities before accepting the route +match from 192.0.2.11 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.11 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.11 large-community 999:666:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +allow quick from 192.0.2.11 community BLACKHOLE +allow quick from 192.0.2.11 community 65534:0 +allow quick from 192.0.2.11 large-community 999:666:0 + + +match from 192.0.2.11 set ext-community rt 65520:3333 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.11 community GRACEFUL_SHUTDOWN set localpref 0 + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.11 set ext-community delete rt 65520:3333 + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS3333_1, outbound + +deny quick to 192.0.2.11 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 192.0.2.11 community 65534:0 set community BLACKHOLE +match to 192.0.2.11 large-community 999:666:0 set community BLACKHOLE + +match to 192.0.2.11 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.11 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.11 community 65507:999 set community NO_EXPORT +match to 192.0.2.11 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.11 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.11 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.11 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.11 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.11 community 65509:3333 set community NO_EXPORT +match to 192.0.2.11 ext-community rt 65509:3333 set community NO_EXPORT +match to 192.0.2.11 large-community 999:65509:3333 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.11 community 65510:3333 set community NO_ADVERTISE +match to 192.0.2.11 ext-community rt 65510:3333 set community NO_ADVERTISE +match to 192.0.2.11 large-community 999:65510:3333 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.11 + +# do_not_announce_to_any +deny to 192.0.2.11 community 0:999 +deny to 192.0.2.11 ext-community rt 0:999 +deny to 192.0.2.11 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.11 community 0:3333 +deny quick to 192.0.2.11 ext-community rt 0:3333 +deny quick to 192.0.2.11 large-community 999:0:3333 + +# do_not_announce_to_peers_with_rtt_lower_than 200 ms +deny to 192.0.2.11 community 64511:200 +deny to 192.0.2.11 ext-community rt 64511:200 +deny to 
192.0.2.11 large-community 999:64511:200 + + +# do_not_announce_to_peers_with_rtt_lower_than 500 ms +deny to 192.0.2.11 community 64511:500 +deny to 192.0.2.11 ext-community rt 64511:500 +deny to 192.0.2.11 large-community 999:64511:500 + + +# announce_to_peers_with_rtt_lower_than 200 ms +allow to 192.0.2.11 community 64513:200 +allow to 192.0.2.11 ext-community rt 64513:200 +allow to 192.0.2.11 large-community 999:64513:200 + + +# announce_to_peers_with_rtt_lower_than 500 ms +allow to 192.0.2.11 community 64513:500 +allow to 192.0.2.11 ext-community rt 64513:500 +allow to 192.0.2.11 large-community 999:64513:500 + + +# do_not_announce_to_peers_with_rtt_higher_than 5 ms +deny to 192.0.2.11 community 64512:5 +deny to 192.0.2.11 ext-community rt 64512:5 +deny to 192.0.2.11 large-community 999:64512:5 + + +# do_not_announce_to_peers_with_rtt_higher_than 10 ms +deny to 192.0.2.11 community 64512:10 +deny to 192.0.2.11 ext-community rt 64512:10 +deny to 192.0.2.11 large-community 999:64512:10 + + +# do_not_announce_to_peers_with_rtt_higher_than 15 ms +deny to 192.0.2.11 community 64512:15 +deny to 192.0.2.11 ext-community rt 64512:15 +deny to 192.0.2.11 large-community 999:64512:15 + + +# do_not_announce_to_peers_with_rtt_higher_than 20 ms +deny to 192.0.2.11 community 64512:20 +deny to 192.0.2.11 ext-community rt 64512:20 +deny to 192.0.2.11 large-community 999:64512:20 + + +# do_not_announce_to_peers_with_rtt_higher_than 30 ms +deny to 192.0.2.11 community 64512:30 +deny to 192.0.2.11 ext-community rt 64512:30 +deny to 192.0.2.11 large-community 999:64512:30 + + +# do_not_announce_to_peers_with_rtt_higher_than 50 ms +deny to 192.0.2.11 community 64512:50 +deny to 192.0.2.11 ext-community rt 64512:50 +deny to 192.0.2.11 large-community 999:64512:50 + + +# do_not_announce_to_peers_with_rtt_higher_than 100 ms +deny to 192.0.2.11 community 64512:100 +deny to 192.0.2.11 ext-community rt 64512:100 +deny to 192.0.2.11 large-community 999:64512:100 + + +# 
announce_to_peers_with_rtt_higher_than 5 ms +allow to 192.0.2.11 community 64514:5 +allow to 192.0.2.11 ext-community rt 64514:5 +allow to 192.0.2.11 large-community 999:64514:5 + + +# announce_to_peers_with_rtt_higher_than 10 ms +allow to 192.0.2.11 community 64514:10 +allow to 192.0.2.11 ext-community rt 64514:10 +allow to 192.0.2.11 large-community 999:64514:10 + + +# announce_to_peers_with_rtt_higher_than 15 ms +allow to 192.0.2.11 community 64514:15 +allow to 192.0.2.11 ext-community rt 64514:15 +allow to 192.0.2.11 large-community 999:64514:15 + + +# announce_to_peers_with_rtt_higher_than 20 ms +allow to 192.0.2.11 community 64514:20 +allow to 192.0.2.11 ext-community rt 64514:20 +allow to 192.0.2.11 large-community 999:64514:20 + + +# announce_to_peers_with_rtt_higher_than 30 ms +allow to 192.0.2.11 community 64514:30 +allow to 192.0.2.11 ext-community rt 64514:30 +allow to 192.0.2.11 large-community 999:64514:30 + + +# announce_to_peers_with_rtt_higher_than 50 ms +allow to 192.0.2.11 community 64514:50 +allow to 192.0.2.11 ext-community rt 64514:50 +allow to 192.0.2.11 large-community 999:64514:50 + + +# announce_to_peers_with_rtt_higher_than 100 ms +allow to 192.0.2.11 community 64514:100 +allow to 192.0.2.11 ext-community rt 64514:100 +allow to 192.0.2.11 large-community 999:64514:100 + + +# announce_to_peer +allow to 192.0.2.11 community 999:3333 +allow to 192.0.2.11 ext-community rt 999:3333 +allow to 192.0.2.11 large-community 999:999:3333 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS3333; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65504:3333 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65504:3333 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65504:3333 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS3333; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65505:3333 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65505:3333 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65505:3333 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS3333; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65506:3333 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65506:3333 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65506:3333 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:100 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:100 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 100 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:100 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:50 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:50 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 50 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:50 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:30 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:30 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 30 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:30 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:20 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:20 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 20 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:20 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:15 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:15 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 15 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:15 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:10 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:10 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 10 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:10 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64518:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64518:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64518:5 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64519:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64519:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64519:5 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_higher_than 5 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64520:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64520:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64520:5 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64515:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64515:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64515:200 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64516:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64516:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64516:200 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 200 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64517:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64517:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64517:200 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# 
prepend_once_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64515:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64515:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64515:500 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_twice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64516:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64516:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64516:500 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + +# prepend_thrice_to_peers_with_rtt_lower_than 500 ms; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 64517:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 64517:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:64517:500 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# 
prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65501:999 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65501:999 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65501:999 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65502:999 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65502:999 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65502:999 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65503:999 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65503:999 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65503:999 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + + + +# Scrub communities from outbound routes +# add_noadvertise_to_any +match to group clients set community 
delete 65508:999 +match to group clients set ext-community delete rt 65508:999 +match to group clients set large-community delete 999:65508:999 + +# add_noadvertise_to_peer +match to group clients set community delete 65510:* +match to group clients set ext-community delete rt 65510:* +match to group clients set large-community delete 999:65510:* + +# add_noexport_to_any +match to group clients set community delete 65507:999 +match to group clients set ext-community delete rt 65507:999 +match to group clients set large-community delete 999:65507:999 + +# add_noexport_to_peer +match to group clients set community delete 65509:* +match to group clients set ext-community delete rt 65509:* +match to group clients set large-community delete 999:65509:* + +# announce_to_peer +match to group clients set community delete 999:* +match to group clients set ext-community delete rt 999:* +match to group clients set large-community delete 999:999:* + +# announce_to_peers_with_rtt_higher_than +match to group clients set community delete 64514:* +match to group clients set ext-community delete rt 64514:* +match to group clients set large-community delete 999:64514:* + +# announce_to_peers_with_rtt_lower_than +match to group clients set community delete 64513:* +match to group clients set ext-community delete rt 64513:* +match to group clients set large-community delete 999:64513:* + +# blackholing +match to group clients set community delete 65534:0 +match to group clients set large-community delete 999:666:0 + +# do_not_announce_to_any +match to group clients set community delete 0:999 +match to group clients set ext-community delete rt 0:999 +match to group clients set large-community delete 999:0:999 + +# do_not_announce_to_peer +match to group clients set community delete 0:* +match to group clients set ext-community delete rt 0:* +match to group clients set large-community delete 999:0:* + +# do_not_announce_to_peers_with_rtt_higher_than +match to group clients set community 
delete 64512:* +match to group clients set ext-community delete rt 64512:* +match to group clients set large-community delete 999:64512:* + +# do_not_announce_to_peers_with_rtt_lower_than +match to group clients set community delete 64511:* +match to group clients set ext-community delete rt 64511:* +match to group clients set large-community delete 999:64511:* + +# prepend_once_to_any +match to group clients set community delete 65501:999 +match to group clients set ext-community delete rt 65501:999 +match to group clients set large-community delete 999:65501:999 + +# prepend_once_to_peer +match to group clients set community delete 65504:* +match to group clients set ext-community delete rt 65504:* +match to group clients set large-community delete 999:65504:* + +# prepend_once_to_peers_with_rtt_higher_than +match to group clients set community delete 64518:* +match to group clients set ext-community delete rt 64518:* +match to group clients set large-community delete 999:64518:* + +# prepend_once_to_peers_with_rtt_lower_than +match to group clients set community delete 64515:* +match to group clients set ext-community delete rt 64515:* +match to group clients set large-community delete 999:64515:* + +# prepend_thrice_to_any +match to group clients set community delete 65503:999 +match to group clients set ext-community delete rt 65503:999 +match to group clients set large-community delete 999:65503:999 + +# prepend_thrice_to_peer +match to group clients set community delete 65506:* +match to group clients set ext-community delete rt 65506:* +match to group clients set large-community delete 999:65506:* + +# prepend_thrice_to_peers_with_rtt_higher_than +match to group clients set community delete 64520:* +match to group clients set ext-community delete rt 64520:* +match to group clients set large-community delete 999:64520:* + +# prepend_thrice_to_peers_with_rtt_lower_than +match to group clients set community delete 64517:* +match to group clients set 
ext-community delete rt 64517:* +match to group clients set large-community delete 999:64517:* + +# prepend_twice_to_any +match to group clients set community delete 65502:999 +match to group clients set ext-community delete rt 65502:999 +match to group clients set large-community delete 999:65502:999 + +# prepend_twice_to_peer +match to group clients set community delete 65505:* +match to group clients set ext-community delete rt 65505:* +match to group clients set large-community delete 999:65505:* + +# prepend_twice_to_peers_with_rtt_higher_than +match to group clients set community delete 64519:* +match to group clients set ext-community delete rt 64519:* +match to group clients set large-community delete 999:64519:* + +# prepend_twice_to_peers_with_rtt_lower_than +match to group clients set community delete 64516:* +match to group clients set ext-community delete rt 64516:* +match to group clients set large-community delete 999:64516:* + +# reject_cause +match to group clients set community delete 65520:* + +# reject_cause_map_6 +match to group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match to group clients set ext-community delete rt 65520:* + + +# Scrub prepending communities +match to group clients set { + community delete 65501:999 + ext-community delete rt 65501:999 + large-community delete 999:65501:999 + +} +match to group clients set { + community delete 65504:* + ext-community delete rt 65504:* + large-community delete 999:65504:* + +} +match to group clients set { + community delete 64518:* + ext-community delete rt 64518:* + large-community delete 999:64518:* + +} +match to group clients set { + community delete 64515:* + ext-community delete rt 64515:* + large-community delete 999:64515:* + +} +match to group clients set { + community delete 65503:999 + ext-community delete rt 65503:999 + large-community delete 999:65503:999 + +} +match to group clients set { + community delete 65506:* + ext-community delete 
rt 65506:* + large-community delete 999:65506:* + +} +match to group clients set { + community delete 64520:* + ext-community delete rt 64520:* + large-community delete 999:64520:* + +} +match to group clients set { + community delete 64517:* + ext-community delete rt 64517:* + large-community delete 999:64517:* + +} +match to group clients set { + community delete 65502:999 + ext-community delete rt 65502:999 + large-community delete 999:65502:999 + +} +match to group clients set { + community delete 65505:* + ext-community delete rt 65505:* + large-community delete 999:65505:* + +} +match to group clients set { + community delete 64519:* + ext-community delete rt 64519:* + large-community delete 999:64519:* + +} +match to group clients set { + community delete 64516:* + ext-community delete rt 64516:* + large-community delete 999:64516:* + +} + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
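Review bot: the "Scrub prepending communities" block near the end of this hunk repeats deletions that were already made a few lines earlier. Its twelve `match to group clients set { ... }` rules remove 65501:999, 65504:*, 64518:*, 64515:* and the other prepend values in all three community flavours, and every one of those values is already deleted by the per-function rules under "Scrub communities from outbound routes" (prepend_once_to_any, prepend_once_to_peer and so on). If both passes are intentional, a comment in the template explaining why would help; otherwise drop one of them so the outbound policy carries fewer rules per route.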
diff --git a/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenarioOpenBGPD_IPv6/openbgpd68.conf b/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenarioOpenBGPD_IPv6/openbgpd68.conf index 24d040e1..fb56d9e6 100644 --- a/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenarioOpenBGPD_IPv6/openbgpd68.conf +++ b/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenarioOpenBGPD_IPv6/openbgpd68.conf 
@@ -185,7 +185,7 @@ prefix-set "bogons" { # never via route-servers ASNs as-set "neverviarouteserver" { - 92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338 + 92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 
35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338 } # ===================================================================================== diff --git a/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenarioOpenBGPD_IPv6/openbgpd70.conf b/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenarioOpenBGPD_IPv6/openbgpd70.conf index d0d0b339..1ee7a311 100644 --- a/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenarioOpenBGPD_IPv6/openbgpd70.conf +++ b/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenarioOpenBGPD_IPv6/openbgpd70.conf 
@@ -189,7 +189,7 @@ prefix-set "bogons" { # never via route-servers ASNs as-set "neverviarouteserver" { - 92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338 + 92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 
35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338 } # ===================================================================================== diff --git a/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenario_BIRD2IPv4/bird2.conf b/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenario_BIRD2IPv4/bird2.conf index 58c192b9..c97c4229 100644 --- a/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenario_BIRD2IPv4/bird2.conf +++ b/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenario_BIRD2IPv4/bird2.conf @@ -82,7 +82,7 @@ define ARIN_Whois_db_AS10745_4 = [ 192.136.136.0/24{24,32}, 192.149.252.0/24{24,32}, 199.43.0.0/24{24,32} ]; define ARIN_Whois_db_AS10745_6 = [ - 2001:500:4::/48{48,128}, 2001:500:110::/48{48,128} + 2001:500:110::/48{48,128}, 2001:500:4::/48{48,128} ]; 
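Review bot: in `ARIN_Whois_db_AS10745_6` the only change is the order of the two prefixes, with `2001:500:110::/48` now ahead of `2001:500:4::/48`. That is a string ordering rather than an address ordering, and the set BIRD builds from it is the same either way. If the generator now sorts prefixes as text, mention it in the commit message; sorting by network address would keep these expected-config fixtures stable and the diffs easier to review.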
@@ -1916,7 +1916,7 @@ filter receive_from_AS10745_1 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; 
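Review bot: the refreshed "never via route-servers" list in `receive_from_AS10745_1` is not only extended, it also loses entries: 13760, 52946, 52965 and 52973, among others, are gone while 24800, 49922 and 61756 are added. Each removal means routes with that ASN in the AS_PATH are no longer rejected by this check, so the commit should state where the refreshed list came from and when it was retrieved, so that the relaxation can be verified against that source.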
@@ -2141,7 +2141,7 @@ filter receive_from_AS10745_2 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; 
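Review bot: the `bgp_path ~ [...]` set on the `+` line of this `receive_from_AS10745_2` hunk is not only extended, it also loses entries: 13760, 52946, 52965 and 52973 are gone, while 24800, 49922 and 61756 are among the additions. Routes carrying the removed ASNs in their AS_PATH will therefore no longer hit the "never via route-servers ASN" reject. Nothing in the visible change says where the refreshed list comes from, so please state in the commit message that the fixture was regenerated and from which data snapshot, so the removals can be checked against it. Because the whole set is rendered on one line, the same edit repeats in every `receive_from_*` filter and cannot be read entry by entry. Wrapping the generated set at a few ASNs per line would make future refreshes reviewable.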
@@ -2374,7 +2374,7 @@ filter receive_from_AS3333_1 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; diff --git a/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenario_BIRD2IPv6/bird2.conf b/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenario_BIRD2IPv6/bird2.conf index 4ef395a1..bcc452ef 100644 --- a/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenario_BIRD2IPv6/bird2.conf +++ b/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenario_BIRD2IPv6/bird2.conf @@ -82,7 +82,7 @@ define ARIN_Whois_db_AS10745_4 = [ 192.136.136.0/24{24,32}, 192.149.252.0/24{24,32}, 199.43.0.0/24{24,32} ]; define ARIN_Whois_db_AS10745_6 = [ - 2001:500:4::/48{48,128}, 2001:500:110::/48{48,128} + 2001:500:110::/48{48,128}, 2001:500:4::/48{48,128} ]; 
@@ -1914,7 +1914,7 @@ filter receive_from_AS10745_1 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; 
@@ -2141,7 +2141,7 @@ filter receive_from_AS10745_2 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; 
@@ -2372,7 +2372,7 @@ filter receive_from_AS3333_1 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; diff --git a/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenario_BIRDIPv4/bird16.conf b/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenario_BIRDIPv4/bird16.conf index 200a1916..48940a04 100644 --- a/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenario_BIRDIPv4/bird16.conf +++ b/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenario_BIRDIPv4/bird16.conf @@ -65,7 +65,7 @@ define AS_SET_AS10745_prefixes_4 = [ # ARIN Whois database records define ARIN_Whois_db_AS10745_4 = [ - 192.149.252.0/24{24,32}, 199.43.0.0/24{24,32}, 192.136.136.0/24{24,32} + 199.43.0.0/24{24,32}, 192.136.136.0/24{24,32}, 192.149.252.0/24{24,32} ]; 
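Review bot: the `ARIN_Whois_db_AS10745_4` change in the `@@ -65,7 +65,7 @@` hunk of BIRDIPv4/bird16.conf only reorders the same three prefixes, and the new order (`199.43.0.0/24`, `192.136.136.0/24`, `192.149.252.0/24`) is still not sorted. The BIRD2IPv6 fixture shows the same prefixes in a third order in its hunk context. That points to the generator emitting these entries in whatever order the data source returns them, which churns the fixtures with no behavioural change. The `ARIN_Whois_db_AS10745_6` swap in the IPv6 files is the same effect. Sorting the prefixes before rendering would keep these lines out of unrelated diffs.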
@@ -1745,7 +1745,7 @@ filter receive_from_AS10745_1 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; 
@@ -1963,7 +1963,7 @@ filter receive_from_AS3333_1 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; diff --git a/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenario_BIRDIPv6/bird16.conf b/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenario_BIRDIPv6/bird16.conf index ad373318..bf14fcf8 100644 --- a/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenario_BIRDIPv6/bird16.conf +++ b/tests/live_tests/scenarios/rich_example/configs/RichConfigExampleScenario_BIRDIPv6/bird16.conf @@ -45,7 +45,7 @@ define AS_SET_AS10745_prefixes_6 = [ # ARIN Whois database records define ARIN_Whois_db_AS10745_6 = [ - 2001:500:4::/48{48,128}, 2001:500:110::/48{48,128} + 2001:500:110::/48{48,128}, 2001:500:4::/48{48,128} ]; 
@@ -1772,7 +1772,7 @@ filter receive_from_AS10745_2 { # AS_PATH: never via route-servers ASNs - if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 13760, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 27947, 29169, 30967, 30983, 31764, 33983, 34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 51530, 51630, 52946, 52965, 52973, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146904, 146958, 147059, 149296, 149663, 149826, 200807, 201978, 202561, 202793, 207353, 207484, 208425, 208548, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263328, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 268091, 268772, 268952, 269156, 269190, 269367, 269512, 269535, 269574, 269654, 269906, 270407, 270544, 270653, 270781, 270796, 270828, 271053, 271172, 271200, 271203, 272018, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then + if bgp_path ~ [92, 174, 278, 680, 714, 1273, 1299, 1955, 2152, 2914, 3257, 3265, 3292, 3320, 3491, 3630, 3754, 5391, 5432, 5511, 6079, 6730, 6805, 6830, 6908, 7155, 7843, 7862, 8075, 8365, 8455, 8607, 8943, 9908, 10013, 11164, 11260, 11290, 11670, 12322, 12353, 12822, 13030, 13032, 14295, 15692, 16509, 17012, 18520, 19237, 20115, 20161, 21396, 23888, 23961, 24282, 24800, 27947, 29169, 30967, 30983, 31764, 33983, 
34108, 34209, 34587, 35836, 35900, 36165, 36459, 37271, 37529, 38713, 39326, 39651, 40029, 40063, 43470, 46450, 47377, 47583, 48237, 48265, 48408, 49127, 49910, 49922, 51530, 51630, 53859, 54295, 55244, 57433, 57468, 57866, 58768, 60412, 60757, 61756, 62164, 62567, 62623, 63290, 131398, 131996, 132563, 132829, 132996, 133317, 134022, 135706, 135848, 136106, 136874, 137207, 137610, 138023, 138769, 138953, 139667, 140287, 141091, 141120, 141134, 141140, 141411, 141856, 141892, 142164, 142348, 142369, 146846, 146958, 147059, 149296, 149663, 149826, 201978, 202561, 202793, 206275, 207353, 207484, 208425, 209699, 210030, 210715, 212512, 212539, 212623, 212706, 212953, 213202, 262191, 262888, 263258, 263686, 263801, 263856, 264424, 265337, 265630, 267214, 267442, 267561, 268091, 269156, 269190, 269367, 269512, 269654, 269906, 270407, 270544, 270781, 270828, 271053, 271172, 271200, 272018, 272124, 327732, 328445, 328572, 328582, 328959, 393573, 393684, 396304, 396477, 398203, 399338] then reject "AS_PATH [", bgp_path ,"] contains never via route-servers ASN - REJECTING ", net; diff --git a/tests/live_tests/scenarios/rich_example/routes/RichConfigExampleScenarioOpenBGPD_IPv4/openbgpd75p/rs.txt b/tests/live_tests/scenarios/rich_example/routes/RichConfigExampleScenarioOpenBGPD_IPv4/openbgpd75p/rs.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/rpki_bov_comms/configs/RPKICustomBOVCommunitiesScenario_OpenBGPDPortableLatest_IPv4/openbgpd75p.conf b/tests/live_tests/scenarios/rpki_bov_comms/configs/RPKICustomBOVCommunitiesScenario_OpenBGPDPortableLatest_IPv4/openbgpd75p.conf new file mode 100644 index 00000000..ca5f2e31 --- /dev/null +++ b/tests/live_tests/scenarios/rpki_bov_comms/configs/RPKICustomBOVCommunitiesScenario_OpenBGPDPortableLatest_IPv4/openbgpd75p.conf 
@@ -0,0 +1,1186 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + neighbor 192.0.2.11 { + remote-as 1 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::11 { + remote-as 1 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.22 { + remote-as 2 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::22 { + remote-as 2 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.33 { + remote-as 3 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + 
announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::33 { + remote-as 3 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.44 { + remote-as 4 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::44 { + remote-as 4 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } +} + + + +# --------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. 
+ + + + + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. +# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. 
+ + + +# Scrub communities from inbound routes +# rpki_bgp_origin_validation_invalid +match from group clients set community delete 64512:2 + +# rpki_bgp_origin_validation_unknown +match from group clients set community delete 64512:3 + +# rpki_bgp_origin_validation_valid +match from group clients set community delete 64512:1 + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which are used later by the rest of the filter rules. 
+ +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + +# --------------------------------------------------------- +# ROAs source + + +roa-set { + 2.0.128.0/20 maxlen 23 source-as 101 + 3.0.128.0/20 maxlen 23 source-as 103 + 2.0.8.0/24 source-as 101 + 2.0.9.0/24 source-as 102 + 3.0.8.0/24 source-as 103 + 3.0.9.0/24 source-as 102 + 3002:0:8000::/33 maxlen 34 source-as 101 + 3003:0:8000::/33 maxlen 34 source-as 103 + 3002:0:8::/48 source-as 101 + 3002:0:9::/48 source-as 102 + 3003:0:8::/48 source-as 103 + 3003:0:9::/48 source-as 102 + +} + + + +# --------------------------------------------------------- +# RPKI-based Origin Validation + + +# Add $INTCOMM_RPKI_UNKNOWN, $INTCOMM_RPKI_INVALID and $INTCOMM_RPKI_VALID +# ext community on the basis of ovs. 
+match from group clients ovs not-found set { + ext-community $INTCOMM_RPKI_UNKNOWN + ext-community ovs not-found + community 64512:3 +} +match from group clients ovs valid set { + ext-community $INTCOMM_RPKI_VALID + ext-community ovs valid + community 64512:1 +} +match from group clients ovs invalid set { + ext-community $INTCOMM_RPKI_INVALID + ext-community ovs invalid + community 64512:2 +} + + + + + + + + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 32' - reject code: 1 +deny quick from group clients max-as-len 32 + + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +deny quick from group clients community NO_ADVERTISE + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +deny quick from group clients prefix-set bogons + + + + +# ===================================================================================== +# Per client rules. 
+ + +# --------------------------------------------- +# client AS1_1, inbound + + + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +deny quick from 192.0.2.11 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.11 peer-as != 1' - reject code: 6 +deny quick from 192.0.2.11 peer-as != 1 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +deny quick from 192.0.2.11 AS 23456 + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +deny quick from 192.0.2.11 AS 64496 - 131071 + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 192.0.2.11 AS 4200000000 - 4294967295 + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +deny quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 + + + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS1_1, outbound + + +# Blackhole request? 
+# No blackhole filtering policy given +deny quick to 192.0.2.11 community BLACKHOLE + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS1_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::11 set community NO_ADVERTISE +match from 2001:db8:1:1::11 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::11 community NO_ADVERTISE' - reject code: 5 +deny quick from 2001:db8:1:1::11 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 peer-as != 1' - reject code: 6 +deny quick from 2001:db8:1:1::11 peer-as != 1 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 23456' - reject code: 7 +deny quick from 2001:db8:1:1::11 AS 23456 + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 64496 - 131071' - reject code: 7 +deny quick from 2001:db8:1:1::11 AS 64496 - 131071 + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 2001:db8:1:1::11 AS 4200000000 - 4294967295 + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +deny quick from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48 + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 set { + ext-community delete 
$INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 2001:db8:1:1::11 + + + +# --------------------------------------------- +# client AS1_2, outbound + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::11 community BLACKHOLE + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::11 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_1, inbound + + + +# NEXT_HOP +match from 192.0.2.22 set community NO_ADVERTISE +match from 192.0.2.22 nexthop 192.0.2.22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.22 community NO_ADVERTISE' - reject code: 5 +deny quick from 192.0.2.22 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.22 peer-as != 2' - reject code: 6 +deny quick from 192.0.2.22 peer-as != 2 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.22 AS 23456' - reject code: 7 +deny quick from 192.0.2.22 AS 23456 + +# Reject inbound routes when 'from 192.0.2.22 AS 64496 - 131071' - reject code: 7 +deny quick from 192.0.2.22 AS 64496 - 131071 + +# Reject inbound routes when 'from 192.0.2.22 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 192.0.2.22 AS 4200000000 - 4294967295 + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.22 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +deny quick from 192.0.2.22 prefix 0.0.0.0/0 prefixlen 8 >< 24 + + + +# Remove internal communities before accepting the route +match from 192.0.2.22 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 192.0.2.22 + + + +# --------------------------------------------- +# client AS2_1, outbound + + +# Blackhole 
request? +# No blackhole filtering policy given +deny quick to 192.0.2.22 community BLACKHOLE + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.22 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.22 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.22 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::22 set community NO_ADVERTISE +match from 2001:db8:1:1::22 nexthop 2001:db8:1:1::22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::22 community NO_ADVERTISE' - reject code: 5 +deny quick from 2001:db8:1:1::22 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::22 peer-as != 2' - reject code: 6 +deny quick from 2001:db8:1:1::22 peer-as != 2 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::22 AS 23456' - reject code: 7 +deny quick from 2001:db8:1:1::22 AS 23456 + +# Reject inbound routes when 'from 2001:db8:1:1::22 AS 64496 - 131071' - reject code: 7 +deny quick from 2001:db8:1:1::22 AS 64496 - 131071 + +# Reject inbound routes when 'from 2001:db8:1:1::22 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 2001:db8:1:1::22 AS 4200000000 - 4294967295 + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::22 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +deny quick from 2001:db8:1:1::22 prefix ::/0 prefixlen 12 >< 48 + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::22 set { + ext-community delete 
$INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 2001:db8:1:1::22 + + + +# --------------------------------------------- +# client AS2_2, outbound + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::22 community BLACKHOLE + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::22 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::22 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::22 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS3_1, inbound + + + +# NEXT_HOP +match from 192.0.2.33 set community NO_ADVERTISE +match from 192.0.2.33 nexthop 192.0.2.33 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.33 community NO_ADVERTISE' - reject code: 5 +deny quick from 192.0.2.33 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.33 peer-as != 3' - reject code: 6 +deny quick from 192.0.2.33 peer-as != 3 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.33 AS 23456' - reject code: 7 +deny quick from 192.0.2.33 AS 23456 + +# Reject inbound routes when 'from 192.0.2.33 AS 64496 - 131071' - reject code: 7 +deny quick from 192.0.2.33 AS 64496 - 131071 + +# Reject inbound routes when 'from 192.0.2.33 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 192.0.2.33 AS 4200000000 - 4294967295 + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.33 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +deny quick from 192.0.2.33 prefix 0.0.0.0/0 prefixlen 8 >< 24 + + + +# Remove internal communities before accepting the route +match from 192.0.2.33 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 192.0.2.33 + + + +# --------------------------------------------- +# client AS3_1, outbound + + +# Blackhole 
request? +# No blackhole filtering policy given +deny quick to 192.0.2.33 community BLACKHOLE + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.33 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.33 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.33 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS3_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::33 set community NO_ADVERTISE +match from 2001:db8:1:1::33 nexthop 2001:db8:1:1::33 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::33 community NO_ADVERTISE' - reject code: 5 +deny quick from 2001:db8:1:1::33 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::33 peer-as != 3' - reject code: 6 +deny quick from 2001:db8:1:1::33 peer-as != 3 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::33 AS 23456' - reject code: 7 +deny quick from 2001:db8:1:1::33 AS 23456 + +# Reject inbound routes when 'from 2001:db8:1:1::33 AS 64496 - 131071' - reject code: 7 +deny quick from 2001:db8:1:1::33 AS 64496 - 131071 + +# Reject inbound routes when 'from 2001:db8:1:1::33 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 2001:db8:1:1::33 AS 4200000000 - 4294967295 + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::33 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +deny quick from 2001:db8:1:1::33 prefix ::/0 prefixlen 12 >< 48 + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::33 set { + ext-community delete 
$INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 2001:db8:1:1::33 + + + +# --------------------------------------------- +# client AS3_2, outbound + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::33 community BLACKHOLE + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::33 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::33 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::33 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_1, inbound + + + +# NEXT_HOP +match from 192.0.2.44 set community NO_ADVERTISE +match from 192.0.2.44 nexthop 192.0.2.44 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.44 community NO_ADVERTISE' - reject code: 5 +deny quick from 192.0.2.44 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.44 peer-as != 4' - reject code: 6 +deny quick from 192.0.2.44 peer-as != 4 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.44 AS 23456' - reject code: 7 +deny quick from 192.0.2.44 AS 23456 + +# Reject inbound routes when 'from 192.0.2.44 AS 64496 - 131071' - reject code: 7 +deny quick from 192.0.2.44 AS 64496 - 131071 + +# Reject inbound routes when 'from 192.0.2.44 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 192.0.2.44 AS 4200000000 - 4294967295 + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.44 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +deny quick from 192.0.2.44 prefix 0.0.0.0/0 prefixlen 8 >< 24 + + + +# Remove internal communities before accepting the route +match from 192.0.2.44 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 192.0.2.44 + + + +# --------------------------------------------- +# client AS4_1, outbound + + +# Blackhole 
request? +# No blackhole filtering policy given +deny quick to 192.0.2.44 community BLACKHOLE + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.44 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.44 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.44 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::44 set community NO_ADVERTISE +match from 2001:db8:1:1::44 nexthop 2001:db8:1:1::44 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::44 community NO_ADVERTISE' - reject code: 5 +deny quick from 2001:db8:1:1::44 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::44 peer-as != 4' - reject code: 6 +deny quick from 2001:db8:1:1::44 peer-as != 4 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::44 AS 23456' - reject code: 7 +deny quick from 2001:db8:1:1::44 AS 23456 + +# Reject inbound routes when 'from 2001:db8:1:1::44 AS 64496 - 131071' - reject code: 7 +deny quick from 2001:db8:1:1::44 AS 64496 - 131071 + +# Reject inbound routes when 'from 2001:db8:1:1::44 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 2001:db8:1:1::44 AS 4200000000 - 4294967295 + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::44 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +deny quick from 2001:db8:1:1::44 prefix ::/0 prefixlen 12 >< 48 + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::44 set { + ext-community delete 
$INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 2001:db8:1:1::44 + + + +# --------------------------------------------- +# client AS4_2, outbound + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::44 community BLACKHOLE + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::44 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::44 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::44 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + + + +# Scrub communities from outbound routes +# rpki_bgp_origin_validation_invalid +match to group clients set community delete 64512:2 + +# rpki_bgp_origin_validation_unknown +match to group clients set community delete 64512:3 + +# rpki_bgp_origin_validation_valid +match to group clients set community delete 64512:1 + + +# Scrub prepending communities + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + diff --git a/tests/live_tests/scenarios/rpki_bov_comms/configs/RPKICustomBOVCommunitiesScenario_OpenBGPDPortableLatest_IPv6/openbgpd75p.conf b/tests/live_tests/scenarios/rpki_bov_comms/configs/RPKICustomBOVCommunitiesScenario_OpenBGPDPortableLatest_IPv6/openbgpd75p.conf new file mode 100644 index 00000000..ca5f2e31 --- /dev/null +++ b/tests/live_tests/scenarios/rpki_bov_comms/configs/RPKICustomBOVCommunitiesScenario_OpenBGPDPortableLatest_IPv6/openbgpd75p.conf 
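Review bot: the per-client "Remove internal communities before accepting the route" blocks delete $INTCOMM_RPKI_UNKNOWN and $INTCOMM_RPKI_VALID but leave $INTCOMM_RPKI_INVALID, $INTCOMM_NO_EXPORT and $INTCOMM_NO_ADVERTISE in place, while their comment reads as if every internal community were removed at that point. The shorter list looks deliberate: the outbound rules `deny quick to <client> ext-community $INTCOMM_RPKI_INVALID` and `match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT` still match on those markers, and the three are only deleted in the closing `match to group clients set { ... }` block. Suggest rewording the generated comment to say that the markers needed by outbound rules are kept on purpose, so that a reader of this fixture does not take the missing $INTCOMM_RPKI_INVALID delete for an omission and "fix" it, which would let RPKI-invalid routes through the outbound deny.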
@@ -0,0 +1,1186 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + neighbor 192.0.2.11 { + remote-as 1 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::11 { + remote-as 1 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.22 { + remote-as 2 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::22 { + remote-as 2 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.33 { + remote-as 3 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + 
announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::33 { + remote-as 3 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.44 { + remote-as 4 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::44 { + remote-as 4 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } +} + + + +# --------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. 
+ + + + + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. +# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. 
+ + + +# Scrub communities from inbound routes +# rpki_bgp_origin_validation_invalid +match from group clients set community delete 64512:2 + +# rpki_bgp_origin_validation_unknown +match from group clients set community delete 64512:3 + +# rpki_bgp_origin_validation_valid +match from group clients set community delete 64512:1 + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which are used later by the rest of the filter rules. 
+ +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + +# --------------------------------------------------------- +# ROAs source + + +roa-set { + 2.0.128.0/20 maxlen 23 source-as 101 + 3.0.128.0/20 maxlen 23 source-as 103 + 2.0.8.0/24 source-as 101 + 2.0.9.0/24 source-as 102 + 3.0.8.0/24 source-as 103 + 3.0.9.0/24 source-as 102 + 3002:0:8000::/33 maxlen 34 source-as 101 + 3003:0:8000::/33 maxlen 34 source-as 103 + 3002:0:8::/48 source-as 101 + 3002:0:9::/48 source-as 102 + 3003:0:8::/48 source-as 103 + 3003:0:9::/48 source-as 102 + +} + + + +# --------------------------------------------------------- +# RPKI-based Origin Validation + + +# Add $INTCOMM_RPKI_UNKNOWN, $INTCOMM_RPKI_INVALID and $INTCOMM_RPKI_VALID +# ext community on the basis of ovs. 
+match from group clients ovs not-found set { + ext-community $INTCOMM_RPKI_UNKNOWN + ext-community ovs not-found + community 64512:3 +} +match from group clients ovs valid set { + ext-community $INTCOMM_RPKI_VALID + ext-community ovs valid + community 64512:1 +} +match from group clients ovs invalid set { + ext-community $INTCOMM_RPKI_INVALID + ext-community ovs invalid + community 64512:2 +} + + + + + + + + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 32' - reject code: 1 +deny quick from group clients max-as-len 32 + + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +deny quick from group clients community NO_ADVERTISE + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +deny quick from group clients prefix-set bogons + + + + +# ===================================================================================== +# Per client rules. 
+ + +# --------------------------------------------- +# client AS1_1, inbound + + + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +deny quick from 192.0.2.11 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.11 peer-as != 1' - reject code: 6 +deny quick from 192.0.2.11 peer-as != 1 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +deny quick from 192.0.2.11 AS 23456 + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +deny quick from 192.0.2.11 AS 64496 - 131071 + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 192.0.2.11 AS 4200000000 - 4294967295 + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +deny quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 + + + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS1_1, outbound + + +# Blackhole request? 
+# No blackhole filtering policy given +deny quick to 192.0.2.11 community BLACKHOLE + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS1_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::11 set community NO_ADVERTISE +match from 2001:db8:1:1::11 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::11 community NO_ADVERTISE' - reject code: 5 +deny quick from 2001:db8:1:1::11 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 peer-as != 1' - reject code: 6 +deny quick from 2001:db8:1:1::11 peer-as != 1 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 23456' - reject code: 7 +deny quick from 2001:db8:1:1::11 AS 23456 + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 64496 - 131071' - reject code: 7 +deny quick from 2001:db8:1:1::11 AS 64496 - 131071 + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 2001:db8:1:1::11 AS 4200000000 - 4294967295 + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +deny quick from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48 + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 set { + ext-community delete 
$INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 2001:db8:1:1::11 + + + +# --------------------------------------------- +# client AS1_2, outbound + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::11 community BLACKHOLE + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::11 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_1, inbound + + + +# NEXT_HOP +match from 192.0.2.22 set community NO_ADVERTISE +match from 192.0.2.22 nexthop 192.0.2.22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.22 community NO_ADVERTISE' - reject code: 5 +deny quick from 192.0.2.22 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.22 peer-as != 2' - reject code: 6 +deny quick from 192.0.2.22 peer-as != 2 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.22 AS 23456' - reject code: 7 +deny quick from 192.0.2.22 AS 23456 + +# Reject inbound routes when 'from 192.0.2.22 AS 64496 - 131071' - reject code: 7 +deny quick from 192.0.2.22 AS 64496 - 131071 + +# Reject inbound routes when 'from 192.0.2.22 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 192.0.2.22 AS 4200000000 - 4294967295 + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.22 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +deny quick from 192.0.2.22 prefix 0.0.0.0/0 prefixlen 8 >< 24 + + + +# Remove internal communities before accepting the route +match from 192.0.2.22 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 192.0.2.22 + + + +# --------------------------------------------- +# client AS2_1, outbound + + +# Blackhole 
request? +# No blackhole filtering policy given +deny quick to 192.0.2.22 community BLACKHOLE + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.22 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.22 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.22 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::22 set community NO_ADVERTISE +match from 2001:db8:1:1::22 nexthop 2001:db8:1:1::22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::22 community NO_ADVERTISE' - reject code: 5 +deny quick from 2001:db8:1:1::22 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::22 peer-as != 2' - reject code: 6 +deny quick from 2001:db8:1:1::22 peer-as != 2 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::22 AS 23456' - reject code: 7 +deny quick from 2001:db8:1:1::22 AS 23456 + +# Reject inbound routes when 'from 2001:db8:1:1::22 AS 64496 - 131071' - reject code: 7 +deny quick from 2001:db8:1:1::22 AS 64496 - 131071 + +# Reject inbound routes when 'from 2001:db8:1:1::22 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 2001:db8:1:1::22 AS 4200000000 - 4294967295 + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::22 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +deny quick from 2001:db8:1:1::22 prefix ::/0 prefixlen 12 >< 48 + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::22 set { + ext-community delete 
$INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 2001:db8:1:1::22 + + + +# --------------------------------------------- +# client AS2_2, outbound + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::22 community BLACKHOLE + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::22 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::22 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::22 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS3_1, inbound + + + +# NEXT_HOP +match from 192.0.2.33 set community NO_ADVERTISE +match from 192.0.2.33 nexthop 192.0.2.33 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.33 community NO_ADVERTISE' - reject code: 5 +deny quick from 192.0.2.33 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.33 peer-as != 3' - reject code: 6 +deny quick from 192.0.2.33 peer-as != 3 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.33 AS 23456' - reject code: 7 +deny quick from 192.0.2.33 AS 23456 + +# Reject inbound routes when 'from 192.0.2.33 AS 64496 - 131071' - reject code: 7 +deny quick from 192.0.2.33 AS 64496 - 131071 + +# Reject inbound routes when 'from 192.0.2.33 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 192.0.2.33 AS 4200000000 - 4294967295 + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.33 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +deny quick from 192.0.2.33 prefix 0.0.0.0/0 prefixlen 8 >< 24 + + + +# Remove internal communities before accepting the route +match from 192.0.2.33 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 192.0.2.33 + + + +# --------------------------------------------- +# client AS3_1, outbound + + +# Blackhole 
request? +# No blackhole filtering policy given +deny quick to 192.0.2.33 community BLACKHOLE + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.33 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.33 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.33 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS3_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::33 set community NO_ADVERTISE +match from 2001:db8:1:1::33 nexthop 2001:db8:1:1::33 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::33 community NO_ADVERTISE' - reject code: 5 +deny quick from 2001:db8:1:1::33 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::33 peer-as != 3' - reject code: 6 +deny quick from 2001:db8:1:1::33 peer-as != 3 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::33 AS 23456' - reject code: 7 +deny quick from 2001:db8:1:1::33 AS 23456 + +# Reject inbound routes when 'from 2001:db8:1:1::33 AS 64496 - 131071' - reject code: 7 +deny quick from 2001:db8:1:1::33 AS 64496 - 131071 + +# Reject inbound routes when 'from 2001:db8:1:1::33 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 2001:db8:1:1::33 AS 4200000000 - 4294967295 + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::33 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +deny quick from 2001:db8:1:1::33 prefix ::/0 prefixlen 12 >< 48 + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::33 set { + ext-community delete 
$INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 2001:db8:1:1::33 + + + +# --------------------------------------------- +# client AS3_2, outbound + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::33 community BLACKHOLE + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::33 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::33 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::33 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_1, inbound + + + +# NEXT_HOP +match from 192.0.2.44 set community NO_ADVERTISE +match from 192.0.2.44 nexthop 192.0.2.44 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.44 community NO_ADVERTISE' - reject code: 5 +deny quick from 192.0.2.44 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.44 peer-as != 4' - reject code: 6 +deny quick from 192.0.2.44 peer-as != 4 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.44 AS 23456' - reject code: 7 +deny quick from 192.0.2.44 AS 23456 + +# Reject inbound routes when 'from 192.0.2.44 AS 64496 - 131071' - reject code: 7 +deny quick from 192.0.2.44 AS 64496 - 131071 + +# Reject inbound routes when 'from 192.0.2.44 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 192.0.2.44 AS 4200000000 - 4294967295 + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.44 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +deny quick from 192.0.2.44 prefix 0.0.0.0/0 prefixlen 8 >< 24 + + + +# Remove internal communities before accepting the route +match from 192.0.2.44 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 192.0.2.44 + + + +# --------------------------------------------- +# client AS4_1, outbound + + +# Blackhole 
request? +# No blackhole filtering policy given +deny quick to 192.0.2.44 community BLACKHOLE + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.44 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.44 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.44 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::44 set community NO_ADVERTISE +match from 2001:db8:1:1::44 nexthop 2001:db8:1:1::44 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::44 community NO_ADVERTISE' - reject code: 5 +deny quick from 2001:db8:1:1::44 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::44 peer-as != 4' - reject code: 6 +deny quick from 2001:db8:1:1::44 peer-as != 4 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::44 AS 23456' - reject code: 7 +deny quick from 2001:db8:1:1::44 AS 23456 + +# Reject inbound routes when 'from 2001:db8:1:1::44 AS 64496 - 131071' - reject code: 7 +deny quick from 2001:db8:1:1::44 AS 64496 - 131071 + +# Reject inbound routes when 'from 2001:db8:1:1::44 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 2001:db8:1:1::44 AS 4200000000 - 4294967295 + + + + + + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::44 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +deny quick from 2001:db8:1:1::44 prefix ::/0 prefixlen 12 >< 48 + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::44 set { + ext-community delete 
$INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 2001:db8:1:1::44 + + + +# --------------------------------------------- +# client AS4_2, outbound + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::44 community BLACKHOLE + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::44 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::44 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::44 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + + + +# Scrub communities from outbound routes +# rpki_bgp_origin_validation_invalid +match to group clients set community delete 64512:2 + +# rpki_bgp_origin_validation_unknown +match to group clients set community delete 64512:3 + +# rpki_bgp_origin_validation_valid +match to group clients set community delete 64512:1 + + +# Scrub prepending communities + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + diff --git a/tests/live_tests/scenarios/rpki_rtr_example/configs/RPKIRTRScenario_OpenBGPDIPv4/openbgpd75p.conf b/tests/live_tests/scenarios/rpki_rtr_example/configs/RPKIRTRScenario_OpenBGPDIPv4/openbgpd75p.conf new file mode 100644 index 00000000..62594272 --- /dev/null +++ b/tests/live_tests/scenarios/rpki_rtr_example/configs/RPKIRTRScenario_OpenBGPDIPv4/openbgpd75p.conf 
@@ -0,0 +1,802 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + +# AS3333, used by client AS3333_1 +# no origin ASNs found for AS3333 +# no prefixes found for AS3333 + +# AS10745, used by client AS10745_1, client AS10745_2 +# no origin ASNs found for AS10745 +# no prefixes found for AS10745 + +# AS1, used by client AS1_1 +# no origin ASNs found for AS1 +# no prefixes found for AS1 + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + neighbor 192.0.2.22 { + remote-as 10745 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::22 { + remote-as 10745 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.111 { + remote-as 1 + + rde evaluate all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 192.0.2.11 { + remote-as 3333 + + rde evaluate 
all + + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } +} + + + +# --------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. + + + + + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + + +# 
===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. +# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. + + + +# Scrub communities from inbound routes + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which are used later by the rest of the filter rules. 
+ +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + +# --------------------------------------------------------- +# ROAs source + + +include "/etc/bgpd/rpki_rtr_config.local" + + + +# --------------------------------------------------------- +# RPKI-based Origin Validation + + +# Add $INTCOMM_RPKI_UNKNOWN, $INTCOMM_RPKI_INVALID and $INTCOMM_RPKI_VALID +# ext community on the basis of ovs. +match from group clients ovs not-found set { + ext-community $INTCOMM_RPKI_UNKNOWN + ext-community ovs not-found + +} +match from group clients ovs valid set { + ext-community $INTCOMM_RPKI_VALID + ext-community ovs valid + +} +match from group clients ovs invalid set { + ext-community $INTCOMM_RPKI_INVALID + ext-community ovs invalid + +} + + + + + + + + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 32' - reject code: 1 +deny quick from group clients max-as-len 32 + + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +deny quick from group clients community NO_ADVERTISE + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +deny quick from group clients prefix-set bogons + + + + +# ===================================================================================== +# Per client rules. 
+ + +# --------------------------------------------- +# client AS10745_1, inbound + + + +# NEXT_HOP +match from 192.0.2.22 set community NO_ADVERTISE +match from 192.0.2.22 nexthop 192.0.2.22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.22 community NO_ADVERTISE' - reject code: 5 +deny quick from 192.0.2.22 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.22 peer-as != 10745' - reject code: 6 +deny quick from 192.0.2.22 peer-as != 10745 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.22 AS 23456' - reject code: 7 +deny quick from 192.0.2.22 AS 23456 + +# Reject inbound routes when 'from 192.0.2.22 AS 64496 - 131071' - reject code: 7 +deny quick from 192.0.2.22 AS 64496 - 131071 + +# Reject inbound routes when 'from 192.0.2.22 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 192.0.2.22 AS 4200000000 - 4294967295 + + + + + +match from 192.0.2.22 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS10745_1, AS10745: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.22 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS10745 referenced but empty. + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS10745_1, AS10745: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.22 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS10745 referenced but empty. 
+ + + + + + + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.22 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +deny quick from 192.0.2.22 ext-community $INTCOMM_RPKI_INVALID + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.22 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +deny quick from 192.0.2.22 prefix 0.0.0.0/0 prefixlen 8 >< 24 + + + +# Remove internal communities before accepting the route +match from 192.0.2.22 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 192.0.2.22 + + + +# --------------------------------------------- +# client AS10745_1, outbound + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.22 community BLACKHOLE + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.22 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.22 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.22 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS10745_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::22 set community NO_ADVERTISE +match from 2001:db8:1:1::22 nexthop 2001:db8:1:1::22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::22 community NO_ADVERTISE' - reject code: 5 +deny quick from 2001:db8:1:1::22 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::22 peer-as != 10745' - reject code: 6 +deny quick from 2001:db8:1:1::22 peer-as != 10745 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::22 AS 23456' - reject code: 7 +deny quick from 2001:db8:1:1::22 AS 23456 + +# Reject inbound routes when 'from 2001:db8:1:1::22 AS 64496 - 131071' - reject code: 7 +deny quick from 2001:db8:1:1::22 AS 64496 - 131071 + +# Reject inbound routes when 'from 2001:db8:1:1::22 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 2001:db8:1:1::22 AS 4200000000 - 4294967295 + + + + + +match from 2001:db8:1:1::22 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS10745_2, AS10745: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::22 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS10745 referenced but empty. + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS10745_2, AS10745: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::22 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS10745 referenced but empty. 
+ + + + + + + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 2001:db8:1:1::22 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +deny quick from 2001:db8:1:1::22 ext-community $INTCOMM_RPKI_INVALID + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::22 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +deny quick from 2001:db8:1:1::22 prefix ::/0 prefixlen 12 >< 48 + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::22 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 2001:db8:1:1::22 + + + +# --------------------------------------------- +# client AS10745_2, outbound + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::22 community BLACKHOLE + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::22 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::22 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::22 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS1_1, inbound + + + +# NEXT_HOP +match from 192.0.2.111 set community NO_ADVERTISE +match from 192.0.2.111 nexthop 192.0.2.111 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.111 community NO_ADVERTISE' - reject code: 5 +deny quick from 192.0.2.111 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.111 peer-as != 1' - reject code: 6 +deny quick from 192.0.2.111 peer-as != 1 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.111 AS 23456' - reject code: 7 +deny quick from 192.0.2.111 AS 23456 + +# Reject inbound routes when 'from 192.0.2.111 AS 64496 - 131071' - reject code: 7 +deny quick from 192.0.2.111 AS 64496 - 131071 + +# Reject inbound routes when 'from 192.0.2.111 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 192.0.2.111 AS 4200000000 - 4294967295 + + + + + +match from 192.0.2.111 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_1, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.111 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS1 referenced but empty. + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_1, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.111 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS1 referenced but empty. 
+ + + + + + + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.111 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +deny quick from 192.0.2.111 ext-community $INTCOMM_RPKI_INVALID + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.111 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +deny quick from 192.0.2.111 prefix 0.0.0.0/0 prefixlen 8 >< 24 + + + +# Remove internal communities before accepting the route +match from 192.0.2.111 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 192.0.2.111 + + + +# --------------------------------------------- +# client AS1_1, outbound + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.111 community BLACKHOLE + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.111 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.111 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.111 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS3333_1, inbound + + + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +deny quick from 192.0.2.11 community NO_ADVERTISE + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.11 peer-as != 3333' - reject code: 6 +deny quick from 192.0.2.11 peer-as != 3333 + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +deny quick from 192.0.2.11 AS 23456 + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +deny quick from 192.0.2.11 AS 64496 - 131071 + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 - 4294967295' - reject code: 7 +deny quick from 192.0.2.11 AS 4200000000 - 4294967295 + + + + + +match from 192.0.2.11 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS3333_1, AS3333: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS3333 referenced but empty. + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS3333_1, AS3333: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS3333 referenced but empty. 
+ + + + + + + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +deny quick from 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +deny quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 + + + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS3333_1, outbound + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.11 community BLACKHOLE + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + + + +# Scrub communities from outbound routes + +# Scrub prepending communities + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + diff --git a/tests/live_tests/scenarios/rpki_rtr_example/routes/RPKIRTRScenario_OpenBGPDIPv4/openbgpd75p/AS1_1.txt b/tests/live_tests/scenarios/rpki_rtr_example/routes/RPKIRTRScenario_OpenBGPDIPv4/openbgpd75p/AS1_1.txt new file mode 100644 index 00000000..e69de29b diff --git a/tests/live_tests/scenarios/rpki_rtr_example/routes/RPKIRTRScenario_OpenBGPDIPv4/openbgpd75p/rs.txt b/tests/live_tests/scenarios/rpki_rtr_example/routes/RPKIRTRScenario_OpenBGPDIPv4/openbgpd75p/rs.txt new file mode 100644 index 00000000..e69de29b 
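Review bot: In each per-client inbound block of the config above (for example "client AS10745_1, inbound"), the IRR tags are set unconditionally and nothing visible ever acts on them. `match from 192.0.2.22 set ext-community $INTCOMM_IRR_REJECT`, `$INTCOMM_ORIGIN_KO` and `$INTCOMM_PREFIX_KO` are applied to every route and the AS-SET is reported as "referenced but empty". No rule in these lines matches those tags before the "Remove internal communities before accepting the route" set deletes them and `allow quick from 192.0.2.22` accepts the route. As rendered, the only origin and prefix checks that reject anything are RPKI INVALID (reject code 14) and prefix length (reject code 13). If IRR enforcement is meant to be off in this scenario, please have the generated output say so in a comment next to the "referenced but empty" lines, so that a reader of the expected config does not assume an empty AS-SET causes a reject. If enforcement is meant to be on, a `deny quick ... ext-community $INTCOMM_IRR_REJECT` rule is missing from this fixture. A smaller point on the outbound blocks: the "# NO_EXPORT and NO_ADVERTISE communities" header is followed by no rules at all, so either drop the empty header from the rendered output or note that the handling is done in the group-wide rules at the end of the file.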
diff --git a/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p.conf b/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p.conf new file mode 100644 index 00000000..b896b0a1 --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p.conf 
@@ -0,0 +1,3557 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + +# WHITE_LIST_AS4_1, used by client AS4_1 white list +as-set "AS_SET_WHITE_LIST_AS4_1_asns" { + 41 +} +prefix-set "AS_SET_WHITE_LIST_AS4_1_prefixes" { + 4.2.0.0/16 prefixlen 16 - 32 + 2a04:2::/32 prefixlen 32 - 128 +} + +# AS4, used by client AS4_1, client AS4_2 +# no origin ASNs found for AS4 +# no prefixes found for AS4 + +# WHITE_LIST_AS2_2, used by client AS2_2 white list +as-set "AS_SET_WHITE_LIST_AS2_2_asns" { + 21 +} +prefix-set "AS_SET_WHITE_LIST_AS2_2_prefixes" { + 2.2.0.0/16 prefixlen 16 - 32 + 2a02:2::/32 prefixlen 32 - 128 +} + +# AS-AS5_FROM_PDB, used by client AS5_1, client AS5_2 +# no origin ASNs found for AS_AS5_FROM_PDB +# no prefixes found for AS_AS5_FROM_PDB + +# AS-AS4, used by client AS4_1, client AS4_2 +# no origin ASNs found for AS_AS4 +# no prefixes found for AS_AS4 + +# AS2, used by client AS2_1, client AS2_2 +# no origin ASNs found for AS2 +# no prefixes found for AS2 + +# WHITE_LIST_AS5_2, used by client AS5_2 white list +as-set "AS_SET_WHITE_LIST_AS5_2_asns" { + 51 +} +prefix-set "AS_SET_WHITE_LIST_AS5_2_prefixes" { + 5.2.0.0/16 prefixlen 16 - 32 + 2a05:2::/32 prefixlen 32 - 128 +} + +# AS5, used by client AS5_1, client AS5_2 +# no origin ASNs found for AS5 +# no 
prefixes found for AS5 + +# AS6, used by client AS6_1, client AS6_2 +# no origin ASNs found for AS6 +# no prefixes found for AS6 + +# WHITE_LIST_AS5_1, used by client AS5_1 white list +as-set "AS_SET_WHITE_LIST_AS5_1_asns" { + 51 +} +prefix-set "AS_SET_WHITE_LIST_AS5_1_prefixes" { + 5.2.0.0/16 prefixlen 16 - 32 + 2a05:2::/32 prefixlen 32 - 128 +} + +# WHITE_LIST_AS2_1, used by client AS2_1 white list +as-set "AS_SET_WHITE_LIST_AS2_1_asns" { + 21 +} +prefix-set "AS_SET_WHITE_LIST_AS2_1_prefixes" { + 2.2.0.0/16 prefixlen 16 - 32 + 2a02:2::/32 prefixlen 32 - 128 +} + +# AS1, used by client AS1_1, client AS1_2 +# no origin ASNs found for AS1 +# no prefixes found for AS1 + +# WHITE_LIST_AS4_2, used by client AS4_2 white list +as-set "AS_SET_WHITE_LIST_AS4_2_asns" { + 41 +} +prefix-set "AS_SET_WHITE_LIST_AS4_2_prefixes" { + 4.2.0.0/16 prefixlen 16 - 32 + 2a04:2::/32 prefixlen 32 - 128 +} + +# AS-AS2, used by client AS2_1, client AS2_2 +# no origin ASNs found for AS_AS2 +# no prefixes found for AS_AS2 + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + neighbor 192.0.2.11 { + remote-as 1 + + rde evaluate all + + descr "AS1_1 client, no AS-SET" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::11 { + remote-as 1 + + rde evaluate all + + descr "AS1_1 client, no AS-SET" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.21 { + remote-as 2 + + rde evaluate all + + descr "AS2_1 client, AS-SET from AS..." 
+ passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::21 { + remote-as 2 + + rde evaluate all + + descr "AS2_1 client, AS-SET from AS..." + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.41 { + remote-as 4 + + rde evaluate all + + descr "AS4_1 client, AS-SET configu..." + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::41 { + remote-as 4 + + rde evaluate all + + descr "AS4_1 client, AS-SET configu..." + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.51 { + remote-as 5 + + rde evaluate all + + descr "AS5_1 client, AS-SET from Pe..." + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::51 { + remote-as 5 + + rde evaluate all + + descr "AS5_1 client, AS-SET from Pe..." 
+ passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.61 { + remote-as 6 + + rde evaluate all + + descr "AS6_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::61 { + remote-as 6 + + rde evaluate all + + descr "AS6_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } +} + + + +# --------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. 
+ + + + + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. +# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. 
+ + + +# Scrub communities from inbound routes +# origin_not_present_in_as_set +match from group clients set community delete 999:64515 +match from group clients set large-community delete 999:0:64515 + +# origin_present_in_as_set +match from group clients set community delete 999:64514 +match from group clients set large-community delete 999:0:64514 + +# prefix_not_present_in_as_set +match from group clients set community delete 999:64513 +match from group clients set large-community delete 999:0:64513 + +# prefix_present_in_as_set +match from group clients set community delete 999:64512 +match from group clients set large-community delete 999:0:64512 + +# prefix_validated_via_arin_whois_db_dump +match from group clients set community delete 999:64518 +match from group clients set large-community delete 999:0:64518 + +# prefix_validated_via_rpki_roas +match from group clients set community delete 999:64516 +match from group clients set large-community delete 999:0:64516 + +# reject_cause +match from group clients set community delete 65520:* + +# reject_cause_map_6 +match from group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match from group clients set ext-community delete rt 65520:* + +# route_validated_via_white_list +match from group clients set community delete 999:64517 +match from group clients set large-community delete 999:0:64517 + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which are used later by the rest of the filter rules. + +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + +# --------------------------------------------------------- +# ROAs source + + +roa-set { + +} + + + + +# --------------------------------------------------------- +# RPKI ROAs used as route objects. + +# Add the $INTCOMM_PREF_OK_ROA ext community to routes whose +# origin ASN has a ROA for the announced prefix. +# It will be used later during IRRDB validation in +# case the origin ASN is authorized by a client's +# AS-SET but the prefix is not. + +match from group clients ovs valid set ext-community $INTCOMM_PREF_OK_ROA + + + + + + +# Set the 'rejected_route_announced_by' community for all the clients. 
+# It will be removed later if the route is not invalid +match from 192.0.2.11 set ext-community rt 65520:1 + +match from 2001:db8:1:1::11 set ext-community rt 65520:1 + +match from 192.0.2.21 set ext-community rt 65520:2 + +match from 2001:db8:1:1::21 set ext-community rt 65520:2 + +match from 192.0.2.41 set ext-community rt 65520:4 + +match from 2001:db8:1:1::41 set ext-community rt 65520:4 + +match from 192.0.2.51 set ext-community rt 65520:5 + +match from 2001:db8:1:1::51 set ext-community rt 65520:5 + +match from 192.0.2.61 set ext-community rt 65520:6 + +match from 2001:db8:1:1::61 set ext-community rt 65520:6 + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 32' - reject code: 1 +allow quick from group clients max-as-len 32 set { + localpref 1 + community 65520:0 + community 65520:1 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +allow quick from group clients community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:10 + community delete NO_ADVERTISE + 
ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +allow quick from group clients prefix-set bogons set { + localpref 1 + community 65520:0 + community 65520:2 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# ===================================================================================== +# Per client rules. 
+ + +# --------------------------------------------- +# client AS1_1, inbound + + + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +allow quick from 192.0.2.11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 
- 4294967295' - reject code: 7 +allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 192.0.2.11 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_1, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS1 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_1, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS1 referenced but empty. +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.11 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 192.0.2.11 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 192.0.2.11 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 192.0.2.11 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + 
community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.11 set ext-community delete rt 65520:1 + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS1_1, outbound + +deny quick to 192.0.2.11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. 
As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS1_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::11 set community NO_ADVERTISE +match from 2001:db8:1:1::11 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::11 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK 
+ ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 2001:db8:1:1::11 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_2, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::11 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS1 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_2, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::11 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS1 referenced but empty. +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::11 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 2001:db8:1:1::11 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::11 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 2001:db8:1:1::11 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 
2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::11 set ext-community delete rt 65520:1 + + + +allow quick from 2001:db8:1:1::11 + + + +# --------------------------------------------- +# client AS1_2, outbound + +deny quick to 2001:db8:1:1::11 community 65520:0 + + + +# Blackhole request? 
+# No blackhole filtering policy given +deny quick to 2001:db8:1:1::11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_1, inbound + + + +# NEXT_HOP +match from 192.0.2.21 set community NO_ADVERTISE +match from 192.0.2.21 nexthop 192.0.2.21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.21 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete 
$INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.21 AS 23456' - reject code: 7 +allow quick from 192.0.2.21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community 
delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 192.0.2.21 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS2_1, AS2: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.21 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. 
+match from 192.0.2.21 source-as as-set AS_SET_WHITE_LIST_AS2_1_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS2_1 +# AS-SET AS_AS2 referenced but empty. +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS2_1, AS2: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.21 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. +match from 192.0.2.21 prefix-set AS_SET_WHITE_LIST_AS2_1_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS2_1 +# AS-SET AS_AS2 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.21 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 192.0.2.21 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 192.0.2.21 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 192.0.2.21 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before 
accepting the route +match from 192.0.2.21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.21 set ext-community delete rt 65520:2 + + + +allow quick from 192.0.2.21 + + + +# --------------------------------------------- +# client AS2_1, outbound + +deny quick to 192.0.2.21 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.21 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::21 set community NO_ADVERTISE +match from 2001:db8:1:1::21 nexthop 2001:db8:1:1::21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::21 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 2001:db8:1:1::21 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS2_2, AS2: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::21 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::21 source-as as-set AS_SET_WHITE_LIST_AS2_2_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS2_2 +# AS-SET AS2 referenced but empty. +# AS-SET AS_AS2 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS2_2, AS2: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::21 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::21 prefix-set AS_SET_WHITE_LIST_AS2_2_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS2_2 +# AS-SET AS2 referenced but empty. +# AS-SET AS_AS2 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::21 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 2001:db8:1:1::21 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::21 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 2001:db8:1:1::21 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::21 set ext-community delete rt 65520:2 + + + +allow quick from 2001:db8:1:1::21 + + + +# --------------------------------------------- +# client AS2_2, outbound + +deny quick to 2001:db8:1:1::21 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::21 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_1, inbound + + + +# NEXT_HOP +match from 192.0.2.41 set community NO_ADVERTISE +match from 192.0.2.41 nexthop 192.0.2.41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.41 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.41 AS 23456' - reject code: 7 +allow quick from 192.0.2.41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 192.0.2.41 prefix 2a04:4::/32 source-as 44 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.41 prefix 2a04:5::/32 prefixlen 32 - 128 source-as 43 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.41 prefix 2a04:6::/32 prefixlen 32 - 128 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.41 prefix 4.4.0.0/16 source-as 44 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.41 prefix 4.5.0.0/16 prefixlen 16 - 32 source-as 43 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.41 prefix 4.6.0.0/16 prefixlen 16 - 32 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 192.0.2.41 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS4_1, AS4: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.41 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.41 source-as as-set AS_SET_WHITE_LIST_AS4_1_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS4_1 +# AS-SET AS4 referenced but empty. +# AS-SET AS_AS4 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS4_1, AS4: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.41 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.41 prefix-set AS_SET_WHITE_LIST_AS4_1_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS4_1 +# AS-SET AS4 referenced but empty. +# AS-SET AS_AS4 referenced but empty. +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.41 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 192.0.2.41 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 192.0.2.41 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 192.0.2.41 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + +# route 
authorized by a client's white list? +match from 192.0.2.41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set community 999:64517 +match from 192.0.2.41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set large-community 999:0:64517 + +match from 192.0.2.41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + 
ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.41 set ext-community delete rt 65520:4 + + + +allow quick from 192.0.2.41 + + + +# --------------------------------------------- +# client AS4_1, outbound + +deny quick to 192.0.2.41 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.41 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.41 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::41 set community NO_ADVERTISE +match from 2001:db8:1:1::41 nexthop 2001:db8:1:1::41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::41 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 2001:db8:1:1::41 prefix 2a04:4::/32 source-as 44 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::41 prefix 2a04:5::/32 prefixlen 32 - 128 source-as 43 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::41 prefix 2a04:6::/32 prefixlen 32 - 128 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::41 prefix 4.4.0.0/16 source-as 44 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::41 prefix 4.5.0.0/16 prefixlen 16 - 32 source-as 43 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::41 prefix 4.6.0.0/16 prefixlen 16 - 32 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 2001:db8:1:1::41 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS4_2, AS4: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::41 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS4 referenced but empty. +# AS-SET AS_AS4 referenced but empty. 
+match from 2001:db8:1:1::41 source-as as-set AS_SET_WHITE_LIST_AS4_2_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS4_2 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS4_2, AS4: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::41 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS4 referenced but empty. +# AS-SET AS_AS4 referenced but empty. 
+match from 2001:db8:1:1::41 prefix-set AS_SET_WHITE_LIST_AS4_2_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS4_2 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::41 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 2001:db8:1:1::41 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::41 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 2001:db8:1:1::41 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + +# route authorized by a client's white list? 
+match from 2001:db8:1:1::41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set community 999:64517 +match from 2001:db8:1:1::41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set large-community 999:0:64517 + +match from 2001:db8:1:1::41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::41 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::41 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + 
ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::41 set ext-community delete rt 65520:4 + + + +allow quick from 2001:db8:1:1::41 + + + +# --------------------------------------------- +# client AS4_2, outbound + +deny quick to 2001:db8:1:1::41 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::41 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::41 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS5_1, inbound + + + +# NEXT_HOP +match from 192.0.2.51 set community NO_ADVERTISE +match from 192.0.2.51 nexthop 192.0.2.51 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.51 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.51 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.51 peer-as != 5' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.51 peer-as != 5 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.51 AS 23456' - reject code: 7 +allow quick from 192.0.2.51 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.51 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.51 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.51 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.51 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 192.0.2.51 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS5_1, AS5: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.51 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS_AS5_FROM_PDB referenced but empty. +# AS-SET AS5 referenced but empty. 
+match from 192.0.2.51 source-as as-set AS_SET_WHITE_LIST_AS5_1_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS5_1 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS5_1, AS5: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.51 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS_AS5_FROM_PDB referenced but empty. +# AS-SET AS5 referenced but empty. 
+match from 192.0.2.51 prefix-set AS_SET_WHITE_LIST_AS5_1_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS5_1 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.51 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 192.0.2.51 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 192.0.2.51 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 192.0.2.51 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.51 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.51 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + 
ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.51 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.51 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.51 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.51 set ext-community delete rt 65520:5 + + + +allow quick from 192.0.2.51 + + + +# --------------------------------------------- +# client AS5_1, outbound + +deny quick to 192.0.2.51 
community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.51 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.51 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.51 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS5_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::51 set community NO_ADVERTISE +match from 2001:db8:1:1::51 nexthop 2001:db8:1:1::51 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::51 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::51 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::51 peer-as != 5' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::51 peer-as != 5 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 
999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::51 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::51 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::51 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::51 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete 
$INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::51 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::51 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 2001:db8:1:1::51 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS5_2, AS5: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::51 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS_AS5_FROM_PDB referenced but empty. 
+match from 2001:db8:1:1::51 source-as as-set AS_SET_WHITE_LIST_AS5_2_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS5_2 +# AS-SET AS5 referenced but empty. +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS5_2, AS5: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::51 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS_AS5_FROM_PDB referenced but empty. +match from 2001:db8:1:1::51 prefix-set AS_SET_WHITE_LIST_AS5_2_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS5_2 +# AS-SET AS5 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::51 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 2001:db8:1:1::51 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::51 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 2001:db8:1:1::51 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db8:1:1::51 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::51 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::51 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::51 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::51 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::51 set ext-community delete rt 65520:5 + + + +allow quick from 2001:db8:1:1::51 + + + +# --------------------------------------------- +# client AS5_2, outbound + +deny quick to 2001:db8:1:1::51 community 65520:0 + + + +# Blackhole request? 
+# No blackhole filtering policy given +deny quick to 2001:db8:1:1::51 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::51 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::51 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS6_1, inbound + + + +# NEXT_HOP +match from 192.0.2.61 set community NO_ADVERTISE +match from 192.0.2.61 nexthop 192.0.2.61 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.61 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.61 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.61 peer-as != 6' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.61 peer-as != 6 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete 
$INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.61 AS 23456' - reject code: 7 +allow quick from 192.0.2.61 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.61 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.61 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community 
delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.61 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.61 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 192.0.2.61 prefix 2a03:2::/32 prefixlen 32 - 128 source-as 3 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.61 prefix 3.2.0.0/16 prefixlen 16 - 32 source-as 3 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 192.0.2.61 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS6_1, AS6: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.61 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS6 referenced but empty. +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS6_1, AS6: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.61 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS6 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.61 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 192.0.2.61 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 192.0.2.61 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 192.0.2.61 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + +# route authorized by a client's white list? 
+match from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set community 999:64517 +match from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set large-community 999:0:64517 + +match from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community 
delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.61 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.61 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.61 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.61 set ext-community delete rt 65520:6 + + + +allow quick from 192.0.2.61 + + + +# --------------------------------------------- +# client AS6_1, outbound + +deny quick to 192.0.2.61 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.61 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.61 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.61 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS6_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::61 set community NO_ADVERTISE +match from 2001:db8:1:1::61 nexthop 2001:db8:1:1::61 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::61 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::61 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject 
inbound routes when 'from 2001:db8:1:1::61 peer-as != 6' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::61 peer-as != 6 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::61 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::61 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::61 AS 64496 - 131071' - reject code: 7 +allow quick from 
2001:db8:1:1::61 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::61 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::61 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 2001:db8:1:1::61 prefix 2a03:2::/32 prefixlen 32 - 128 source-as 3 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::61 prefix 3.2.0.0/16 prefixlen 16 - 32 source-as 3 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 2001:db8:1:1::61 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS6_2, AS6: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::61 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS6 referenced but empty. +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS6_2, AS6: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::61 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS6 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::61 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 2001:db8:1:1::61 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::61 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 2001:db8:1:1::61 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + +# route authorized by a client's white list? 
+match from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set community 999:64517 +match from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set large-community 999:0:64517 + +match from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community 
delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::61 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::61 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::61 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community 
delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::61 set ext-community delete rt 65520:6 + + + +allow quick from 2001:db8:1:1::61 + + + +# --------------------------------------------- +# client AS6_2, outbound + +deny quick to 2001:db8:1:1::61 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::61 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::61 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::61 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + + + +# Scrub communities from outbound routes +# reject_cause +match to group clients set community delete 65520:* + +# reject_cause_map_6 +match to group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match to group clients set ext-community delete rt 65520:* + + +# Scrub prepending communities + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community 
delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + diff --git a/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p.conf b/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p.conf new file mode 100644 index 00000000..b896b0a1 --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p.conf 
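Review bot: In the "Remove internal communities before accepting the route" block for 2001:db8:1:1::61 (client AS6_2, in the config that ends just above this file header), the delete list leaves out $INTCOMM_RPKI_INVALID, $INTCOMM_NO_EXPORT and $INTCOMM_NO_ADVERTISE, while the reject blocks and the outbound "Remove internal communities before announcing the route" block delete all fifteen internal communities. The NO_EXPORT and NO_ADVERTISE pair is explained by the outbound rules that read them (`match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT`), but nothing in the lines shown reads $INTCOMM_RPKI_INVALID after acceptance. Please add a comment above the block naming the communities that are kept on purpose, or delete that one here as well. Minor: the two client white list rules end in `# None`, which looks like an empty description rendered literally; the trailing comment should be omitted when there is no description.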
@@ -0,0 +1,3557 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + +# WHITE_LIST_AS4_1, used by client AS4_1 white list +as-set "AS_SET_WHITE_LIST_AS4_1_asns" { + 41 +} +prefix-set "AS_SET_WHITE_LIST_AS4_1_prefixes" { + 4.2.0.0/16 prefixlen 16 - 32 + 2a04:2::/32 prefixlen 32 - 128 +} + +# AS4, used by client AS4_1, client AS4_2 +# no origin ASNs found for AS4 +# no prefixes found for AS4 + +# WHITE_LIST_AS2_2, used by client AS2_2 white list +as-set "AS_SET_WHITE_LIST_AS2_2_asns" { + 21 +} +prefix-set "AS_SET_WHITE_LIST_AS2_2_prefixes" { + 2.2.0.0/16 prefixlen 16 - 32 + 2a02:2::/32 prefixlen 32 - 128 +} + +# AS-AS5_FROM_PDB, used by client AS5_1, client AS5_2 +# no origin ASNs found for AS_AS5_FROM_PDB +# no prefixes found for AS_AS5_FROM_PDB + +# AS-AS4, used by client AS4_1, client AS4_2 +# no origin ASNs found for AS_AS4 +# no prefixes found for AS_AS4 + +# AS2, used by client AS2_1, client AS2_2 +# no origin ASNs found for AS2 +# no prefixes found for AS2 + +# WHITE_LIST_AS5_2, used by client AS5_2 white list +as-set "AS_SET_WHITE_LIST_AS5_2_asns" { + 51 +} +prefix-set "AS_SET_WHITE_LIST_AS5_2_prefixes" { + 5.2.0.0/16 prefixlen 16 - 32 + 2a05:2::/32 prefixlen 32 - 128 +} + +# AS5, used by client AS5_1, client AS5_2 +# no origin ASNs found for AS5 +# no 
prefixes found for AS5 + +# AS6, used by client AS6_1, client AS6_2 +# no origin ASNs found for AS6 +# no prefixes found for AS6 + +# WHITE_LIST_AS5_1, used by client AS5_1 white list +as-set "AS_SET_WHITE_LIST_AS5_1_asns" { + 51 +} +prefix-set "AS_SET_WHITE_LIST_AS5_1_prefixes" { + 5.2.0.0/16 prefixlen 16 - 32 + 2a05:2::/32 prefixlen 32 - 128 +} + +# WHITE_LIST_AS2_1, used by client AS2_1 white list +as-set "AS_SET_WHITE_LIST_AS2_1_asns" { + 21 +} +prefix-set "AS_SET_WHITE_LIST_AS2_1_prefixes" { + 2.2.0.0/16 prefixlen 16 - 32 + 2a02:2::/32 prefixlen 32 - 128 +} + +# AS1, used by client AS1_1, client AS1_2 +# no origin ASNs found for AS1 +# no prefixes found for AS1 + +# WHITE_LIST_AS4_2, used by client AS4_2 white list +as-set "AS_SET_WHITE_LIST_AS4_2_asns" { + 41 +} +prefix-set "AS_SET_WHITE_LIST_AS4_2_prefixes" { + 4.2.0.0/16 prefixlen 16 - 32 + 2a04:2::/32 prefixlen 32 - 128 +} + +# AS-AS2, used by client AS2_1, client AS2_2 +# no origin ASNs found for AS_AS2 +# no prefixes found for AS_AS2 + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + neighbor 192.0.2.11 { + remote-as 1 + + rde evaluate all + + descr "AS1_1 client, no AS-SET" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::11 { + remote-as 1 + + rde evaluate all + + descr "AS1_1 client, no AS-SET" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.21 { + remote-as 2 + + rde evaluate all + + descr "AS2_1 client, AS-SET from AS..." 
+ passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::21 { + remote-as 2 + + rde evaluate all + + descr "AS2_1 client, AS-SET from AS..." + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.41 { + remote-as 4 + + rde evaluate all + + descr "AS4_1 client, AS-SET configu..." + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::41 { + remote-as 4 + + rde evaluate all + + descr "AS4_1 client, AS-SET configu..." + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.51 { + remote-as 5 + + rde evaluate all + + descr "AS5_1 client, AS-SET from Pe..." + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::51 { + remote-as 5 + + rde evaluate all + + descr "AS5_1 client, AS-SET from Pe..." 
+ passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.61 { + remote-as 6 + + rde evaluate all + + descr "AS6_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::61 { + remote-as 6 + + rde evaluate all + + descr "AS6_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } +} + + + +# --------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. 
+ + + + + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. +# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. 
+ + + +# Scrub communities from inbound routes +# origin_not_present_in_as_set +match from group clients set community delete 999:64515 +match from group clients set large-community delete 999:0:64515 + +# origin_present_in_as_set +match from group clients set community delete 999:64514 +match from group clients set large-community delete 999:0:64514 + +# prefix_not_present_in_as_set +match from group clients set community delete 999:64513 +match from group clients set large-community delete 999:0:64513 + +# prefix_present_in_as_set +match from group clients set community delete 999:64512 +match from group clients set large-community delete 999:0:64512 + +# prefix_validated_via_arin_whois_db_dump +match from group clients set community delete 999:64518 +match from group clients set large-community delete 999:0:64518 + +# prefix_validated_via_rpki_roas +match from group clients set community delete 999:64516 +match from group clients set large-community delete 999:0:64516 + +# reject_cause +match from group clients set community delete 65520:* + +# reject_cause_map_6 +match from group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match from group clients set ext-community delete rt 65520:* + +# route_validated_via_white_list +match from group clients set community delete 999:64517 +match from group clients set large-community delete 999:0:64517 + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which are used later by the rest of the filter rules. + +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + +# --------------------------------------------------------- +# ROAs source + + +roa-set { + +} + + + + +# --------------------------------------------------------- +# RPKI ROAs used as route objects. + +# Add the $INTCOMM_PREF_OK_ROA ext community to routes whose +# origin ASN has a ROA for the announced prefix. +# It will be used later during IRRDB validation in +# case the origin ASN is authorized by a client's +# AS-SET but the prefix is not. + +match from group clients ovs valid set ext-community $INTCOMM_PREF_OK_ROA + + + + + + +# Set the 'rejected_route_announced_by' community for all the clients. 
+# It will be removed later if the route is not invalid +match from 192.0.2.11 set ext-community rt 65520:1 + +match from 2001:db8:1:1::11 set ext-community rt 65520:1 + +match from 192.0.2.21 set ext-community rt 65520:2 + +match from 2001:db8:1:1::21 set ext-community rt 65520:2 + +match from 192.0.2.41 set ext-community rt 65520:4 + +match from 2001:db8:1:1::41 set ext-community rt 65520:4 + +match from 192.0.2.51 set ext-community rt 65520:5 + +match from 2001:db8:1:1::51 set ext-community rt 65520:5 + +match from 192.0.2.61 set ext-community rt 65520:6 + +match from 2001:db8:1:1::61 set ext-community rt 65520:6 + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 32' - reject code: 1 +allow quick from group clients max-as-len 32 set { + localpref 1 + community 65520:0 + community 65520:1 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +allow quick from group clients community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:10 + community delete NO_ADVERTISE + 
ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +allow quick from group clients prefix-set bogons set { + localpref 1 + community 65520:0 + community 65520:2 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# ===================================================================================== +# Per client rules. 
+ + +# --------------------------------------------- +# client AS1_1, inbound + + + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +allow quick from 192.0.2.11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 
- 4294967295' - reject code: 7 +allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 192.0.2.11 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_1, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS1 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_1, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS1 referenced but empty. +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.11 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 192.0.2.11 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 192.0.2.11 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 192.0.2.11 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + 
community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.11 set ext-community delete rt 65520:1 + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS1_1, outbound + +deny quick to 192.0.2.11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. 
As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS1_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::11 set community NO_ADVERTISE +match from 2001:db8:1:1::11 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::11 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK 
+ ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 2001:db8:1:1::11 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_2, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::11 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS1 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_2, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::11 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS1 referenced but empty. +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::11 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 2001:db8:1:1::11 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::11 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 2001:db8:1:1::11 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 
2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::11 set ext-community delete rt 65520:1 + + + +allow quick from 2001:db8:1:1::11 + + + +# --------------------------------------------- +# client AS1_2, outbound + +deny quick to 2001:db8:1:1::11 community 65520:0 + + + +# Blackhole request? 
+# No blackhole filtering policy given +deny quick to 2001:db8:1:1::11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_1, inbound + + + +# NEXT_HOP +match from 192.0.2.21 set community NO_ADVERTISE +match from 192.0.2.21 nexthop 192.0.2.21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.21 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete 
$INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.21 AS 23456' - reject code: 7 +allow quick from 192.0.2.21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community 
delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 192.0.2.21 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS2_1, AS2: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.21 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. 
+match from 192.0.2.21 source-as as-set AS_SET_WHITE_LIST_AS2_1_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS2_1 +# AS-SET AS_AS2 referenced but empty. +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS2_1, AS2: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.21 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. +match from 192.0.2.21 prefix-set AS_SET_WHITE_LIST_AS2_1_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS2_1 +# AS-SET AS_AS2 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.21 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 192.0.2.21 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 192.0.2.21 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 192.0.2.21 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before 
accepting the route +match from 192.0.2.21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.21 set ext-community delete rt 65520:2 + + + +allow quick from 192.0.2.21 + + + +# --------------------------------------------- +# client AS2_1, outbound + +deny quick to 192.0.2.21 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.21 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::21 set community NO_ADVERTISE +match from 2001:db8:1:1::21 nexthop 2001:db8:1:1::21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::21 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 2001:db8:1:1::21 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS2_2, AS2: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::21 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::21 source-as as-set AS_SET_WHITE_LIST_AS2_2_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS2_2 +# AS-SET AS2 referenced but empty. +# AS-SET AS_AS2 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS2_2, AS2: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::21 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::21 prefix-set AS_SET_WHITE_LIST_AS2_2_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS2_2 +# AS-SET AS2 referenced but empty. +# AS-SET AS_AS2 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::21 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 2001:db8:1:1::21 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::21 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 2001:db8:1:1::21 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+ +# Remove internal communities before accepting the route +match from 2001:db8:1:1::21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::21 set ext-community delete rt 65520:2 + + + +allow quick from 2001:db8:1:1::21 + + + +# --------------------------------------------- +# client AS2_2, outbound + +deny quick to 2001:db8:1:1::21 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::21 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_1, inbound + + + +# NEXT_HOP +match from 192.0.2.41 set community NO_ADVERTISE +match from 192.0.2.41 nexthop 192.0.2.41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.41 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.41 AS 23456' - reject code: 7 +allow quick from 192.0.2.41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 192.0.2.41 prefix 2a04:4::/32 source-as 44 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.41 prefix 2a04:5::/32 prefixlen 32 - 128 source-as 43 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.41 prefix 2a04:6::/32 prefixlen 32 - 128 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.41 prefix 4.4.0.0/16 source-as 44 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.41 prefix 4.5.0.0/16 prefixlen 16 - 32 source-as 43 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.41 prefix 4.6.0.0/16 prefixlen 16 - 32 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 192.0.2.41 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS4_1, AS4: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.41 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.41 source-as as-set AS_SET_WHITE_LIST_AS4_1_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS4_1 +# AS-SET AS4 referenced but empty. +# AS-SET AS_AS4 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS4_1, AS4: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.41 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.41 prefix-set AS_SET_WHITE_LIST_AS4_1_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS4_1 +# AS-SET AS4 referenced but empty. +# AS-SET AS_AS4 referenced but empty. +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.41 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 192.0.2.41 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 192.0.2.41 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 192.0.2.41 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + +# route 
authorized by a client's white list? +match from 192.0.2.41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set community 999:64517 +match from 192.0.2.41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set large-community 999:0:64517 + +match from 192.0.2.41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + 
ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.41 set ext-community delete rt 65520:4 + + + +allow quick from 192.0.2.41 + + + +# --------------------------------------------- +# client AS4_1, outbound + +deny quick to 192.0.2.41 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.41 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.41 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::41 set community NO_ADVERTISE +match from 2001:db8:1:1::41 nexthop 2001:db8:1:1::41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::41 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 2001:db8:1:1::41 prefix 2a04:4::/32 source-as 44 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::41 prefix 2a04:5::/32 prefixlen 32 - 128 source-as 43 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::41 prefix 2a04:6::/32 prefixlen 32 - 128 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::41 prefix 4.4.0.0/16 source-as 44 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::41 prefix 4.5.0.0/16 prefixlen 16 - 32 source-as 43 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::41 prefix 4.6.0.0/16 prefixlen 16 - 32 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 2001:db8:1:1::41 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS4_2, AS4: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::41 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS4 referenced but empty. +# AS-SET AS_AS4 referenced but empty. 
+match from 2001:db8:1:1::41 source-as as-set AS_SET_WHITE_LIST_AS4_2_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS4_2 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS4_2, AS4: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::41 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS4 referenced but empty. +# AS-SET AS_AS4 referenced but empty. 
+match from 2001:db8:1:1::41 prefix-set AS_SET_WHITE_LIST_AS4_2_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS4_2 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::41 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 2001:db8:1:1::41 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::41 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 2001:db8:1:1::41 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + +# route authorized by a client's white list? 
+match from 2001:db8:1:1::41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set community 999:64517 +match from 2001:db8:1:1::41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set large-community 999:0:64517 + +match from 2001:db8:1:1::41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::41 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::41 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + 
ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::41 set ext-community delete rt 65520:4 + + + +allow quick from 2001:db8:1:1::41 + + + +# --------------------------------------------- +# client AS4_2, outbound + +deny quick to 2001:db8:1:1::41 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::41 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::41 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS5_1, inbound + + + +# NEXT_HOP +match from 192.0.2.51 set community NO_ADVERTISE +match from 192.0.2.51 nexthop 192.0.2.51 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.51 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.51 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.51 peer-as != 5' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.51 peer-as != 5 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.51 AS 23456' - reject code: 7 +allow quick from 192.0.2.51 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.51 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.51 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.51 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.51 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 192.0.2.51 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS5_1, AS5: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.51 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS_AS5_FROM_PDB referenced but empty. +# AS-SET AS5 referenced but empty. 
+match from 192.0.2.51 source-as as-set AS_SET_WHITE_LIST_AS5_1_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS5_1 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS5_1, AS5: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.51 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS_AS5_FROM_PDB referenced but empty. +# AS-SET AS5 referenced but empty. 
+match from 192.0.2.51 prefix-set AS_SET_WHITE_LIST_AS5_1_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS5_1 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.51 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 192.0.2.51 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 192.0.2.51 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 192.0.2.51 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.51 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.51 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + 
ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.51 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.51 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.51 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.51 set ext-community delete rt 65520:5 + + + +allow quick from 192.0.2.51 + + + +# --------------------------------------------- +# client AS5_1, outbound + +deny quick to 192.0.2.51 
community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.51 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.51 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.51 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS5_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::51 set community NO_ADVERTISE +match from 2001:db8:1:1::51 nexthop 2001:db8:1:1::51 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::51 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::51 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::51 peer-as != 5' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::51 peer-as != 5 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 
999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::51 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::51 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::51 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::51 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete 
$INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::51 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::51 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 2001:db8:1:1::51 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS5_2, AS5: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::51 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS_AS5_FROM_PDB referenced but empty. 
+match from 2001:db8:1:1::51 source-as as-set AS_SET_WHITE_LIST_AS5_2_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS5_2 +# AS-SET AS5 referenced but empty. +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS5_2, AS5: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::51 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS_AS5_FROM_PDB referenced but empty. +match from 2001:db8:1:1::51 prefix-set AS_SET_WHITE_LIST_AS5_2_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS5_2 +# AS-SET AS5 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::51 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 2001:db8:1:1::51 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::51 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 2001:db8:1:1::51 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db8:1:1::51 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::51 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::51 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::51 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::51 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::51 set ext-community delete rt 65520:5 + + + +allow quick from 2001:db8:1:1::51 + + + +# --------------------------------------------- +# client AS5_2, outbound + +deny quick to 2001:db8:1:1::51 community 65520:0 + + + +# Blackhole request? 
+# No blackhole filtering policy given +deny quick to 2001:db8:1:1::51 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::51 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::51 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS6_1, inbound + + + +# NEXT_HOP +match from 192.0.2.61 set community NO_ADVERTISE +match from 192.0.2.61 nexthop 192.0.2.61 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.61 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.61 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.61 peer-as != 6' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.61 peer-as != 6 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete 
$INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.61 AS 23456' - reject code: 7 +allow quick from 192.0.2.61 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.61 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.61 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community 
delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.61 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.61 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 192.0.2.61 prefix 2a03:2::/32 prefixlen 32 - 128 source-as 3 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.61 prefix 3.2.0.0/16 prefixlen 16 - 32 source-as 3 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 192.0.2.61 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS6_1, AS6: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.61 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS6 referenced but empty. +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS6_1, AS6: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.61 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS6 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.61 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 192.0.2.61 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 192.0.2.61 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 192.0.2.61 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + +# route authorized by a client's white list? 
+match from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set community 999:64517 +match from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set large-community 999:0:64517 + +match from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community 
delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.61 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.61 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.61 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.61 set ext-community delete rt 65520:6 + + + +allow quick from 192.0.2.61 + + + +# --------------------------------------------- +# client AS6_1, outbound + +deny quick to 192.0.2.61 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.61 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.61 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.61 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS6_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::61 set community NO_ADVERTISE +match from 2001:db8:1:1::61 nexthop 2001:db8:1:1::61 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::61 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::61 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject 
inbound routes when 'from 2001:db8:1:1::61 peer-as != 6' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::61 peer-as != 6 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::61 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::61 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::61 AS 64496 - 131071' - reject code: 7 +allow quick from 
2001:db8:1:1::61 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::61 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::61 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 2001:db8:1:1::61 prefix 2a03:2::/32 prefixlen 32 - 128 source-as 3 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::61 prefix 3.2.0.0/16 prefixlen 16 - 32 source-as 3 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 2001:db8:1:1::61 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS6_2, AS6: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::61 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS6 referenced but empty. +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS6_2, AS6: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::61 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS6 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::61 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 2001:db8:1:1::61 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::61 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 2001:db8:1:1::61 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + +# route authorized by a client's white list? 
+match from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set community 999:64517 +match from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set large-community 999:0:64517 + +match from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community 
delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::61 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::61 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::61 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community 
delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::61 set ext-community delete rt 65520:6 + + + +allow quick from 2001:db8:1:1::61 + + + +# --------------------------------------------- +# client AS6_2, outbound + +deny quick to 2001:db8:1:1::61 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::61 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::61 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::61 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + + + +# Scrub communities from outbound routes +# reject_cause +match to group clients set community delete 65520:* + +# reject_cause_map_6 +match to group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match to group clients set ext-community delete rt 65520:* + + +# Scrub prepending communities + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community 
delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + diff --git a/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_BIRD2IPv6/bird2.conf b/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_BIRD2IPv6/bird2.conf index 0d0739a6..992ee7cd 100644 --- a/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_BIRD2IPv6/bird2.conf +++ b/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_BIRD2IPv6/bird2.conf @@ -193,10 +193,10 @@ define AS_SET_AS_AS2_prefixes_6 = [ # ARIN Whois database records define ARIN_Whois_db_AS2_4 = [ - 2.6.0.0/16{16,32}, 2.0.5.0/24{24,32}, 2.7.0.0/16{16,32} + 2.6.0.0/16{16,32}, 2.7.0.0/16{16,32}, 2.0.5.0/24{24,32} ]; define ARIN_Whois_db_AS2_6 = [ - 2a02:6::/32{32,128}, 2a02:0:5::/48{48,128}, 2a02:7::/32{32,128} + 2a02:0:5::/48{48,128}, 2a02:7::/32{32,128}, 2a02:6::/32{32,128} ]; define ARIN_Whois_db_AS3_4 = [ 3.3.0.0/16{16,32}, 3.2.0.0/16{16,32} diff --git a/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_BIRDIPv4/bird16.conf b/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_BIRDIPv4/bird16.conf index f796286f..fec2cfd8 100644 --- a/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_BIRDIPv4/bird16.conf +++ b/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_BIRDIPv4/bird16.conf @@ -126,7 +126,7 @@ define AS_SET_AS_AS2_prefixes_4 = [ # ARIN Whois database records define ARIN_Whois_db_AS2_4 = [ - 2.0.5.0/24{24,32}, 2.6.0.0/16{16,32}, 2.7.0.0/16{16,32} + 2.7.0.0/16{16,32}, 2.0.5.0/24{24,32}, 2.6.0.0/16{16,32} ]; define ARIN_Whois_db_AS3_4 = [ 3.2.0.0/16{16,32}, 3.3.0.0/16{16,32} 
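Review bot: In the TagASSetScenario_WithAS_SETs_BIRDIPv4/bird16.conf hunk, the only change to `ARIN_Whois_db_AS2_4` is the order of the same three prefixes (2.0.5.0/24, 2.6.0.0/16, 2.7.0.0/16); no entry is added or removed. BIRD prefix sets are order-insensitive, so this is regeneration noise, and it suggests the entries are rendered in an unstable iteration order. Sorting the ARIN Whois records before they are rendered would keep these expected configs from churning, so that a diff to a prefix filter list only appears when the set of authorised prefixes actually changes and a reviewer can spot a real addition or removal.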
diff --git a/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_BIRDIPv6/bird16.conf b/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_BIRDIPv6/bird16.conf index f013df08..a820f223 100644 --- a/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_BIRDIPv6/bird16.conf +++ b/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_BIRDIPv6/bird16.conf @@ -126,10 +126,10 @@ define AS_SET_AS_AS2_prefixes_6 = [ # ARIN Whois database records define ARIN_Whois_db_AS2_6 = [ - 2a02:0:5::/48{48,128}, 2a02:7::/32{32,128}, 2a02:6::/32{32,128} + 2a02:7::/32{32,128}, 2a02:6::/32{32,128}, 2a02:0:5::/48{48,128} ]; define ARIN_Whois_db_AS3_6 = [ - 2a03:3::/32{32,128}, 2a03:2::/32{32,128} + 2a03:2::/32{32,128}, 2a03:3::/32{32,128} ]; define ARIN_Whois_db_AS6_6 = [ 2a06:0:1::/48{48,128} diff --git a/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_BIRDsIPv4/bird2.conf b/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_BIRDsIPv4/bird2.conf index 1252ad3b..bf38538e 100644 --- a/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_BIRDsIPv4/bird2.conf +++ b/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_BIRDsIPv4/bird2.conf @@ -193,10 +193,10 @@ define AS_SET_AS_AS2_prefixes_4 = [ # ARIN Whois database records define ARIN_Whois_db_AS2_4 = [ - 2.6.0.0/16{16,32}, 2.0.5.0/24{24,32}, 2.7.0.0/16{16,32} + 2.6.0.0/16{16,32}, 2.7.0.0/16{16,32}, 2.0.5.0/24{24,32} ]; define ARIN_Whois_db_AS2_6 = [ - 2a02:6::/32{32,128}, 2a02:0:5::/48{48,128}, 2a02:7::/32{32,128} + 2a02:0:5::/48{48,128}, 2a02:7::/32{32,128}, 2a02:6::/32{32,128} ]; define ARIN_Whois_db_AS3_4 = [ 3.3.0.0/16{16,32}, 3.2.0.0/16{16,32} 
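Review bot: In the TagASSetScenario_WithAS_SETs_BIRDsIPv4/bird2.conf hunk, the new element order follows no visible key: `ARIN_Whois_db_AS2_4` becomes 2.6.0.0/16, 2.7.0.0/16, 2.0.5.0/24 while `ARIN_Whois_db_AS2_6` becomes 2a02:0:5::/48, 2a02:7::/32, 2a02:6::/32, and the unchanged context line for `ARIN_Whois_db_AS3_4` still lists 3.3.0.0/16 before 3.2.0.0/16. The membership of both changed lists is identical before and after, so the change is cosmetic, but the lack of a stable order makes these fixtures hard to audit by eye. Consider rendering the entries sorted by network address and then prefix length, and regenerating the expected configs once in a separate commit so functional changes to the filters are not mixed with reordering.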
diff --git a/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p.conf b/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p.conf new file mode 100644 index 00000000..bd34f331 --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p.conf 
@@ -0,0 +1,3741 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + +# WHITE_LIST_AS4_1, used by client AS4_1 white list +as-set "AS_SET_WHITE_LIST_AS4_1_asns" { + 41 +} +prefix-set "AS_SET_WHITE_LIST_AS4_1_prefixes" { + 4.2.0.0/16 prefixlen 16 - 32 + 2a04:2::/32 prefixlen 32 - 128 +} + +# AS4, used by client AS4_1, client AS4_2 +# no origin ASNs found for AS4 +# no prefixes found for AS4 + +# WHITE_LIST_AS2_2, used by client AS2_2 white list +as-set "AS_SET_WHITE_LIST_AS2_2_asns" { + 21 +} +prefix-set "AS_SET_WHITE_LIST_AS2_2_prefixes" { + 2.2.0.0/16 prefixlen 16 - 32 + 2a02:2::/32 prefixlen 32 - 128 +} + +# AS-AS5_FROM_PDB, used by client AS5_1, client AS5_2 +as-set "AS_SET_AS_AS5_FROM_PDB_asns" { + 5 +} +prefix-set "AS_SET_AS_AS5_FROM_PDB_prefixes" { + 5.0.0.0/16 prefixlen 16 - 32 +} + +# AS-AS4, used by client AS4_1, client AS4_2 +as-set "AS_SET_AS_AS4_asns" { + 4 +} +prefix-set "AS_SET_AS_AS4_prefixes" { + 4.0.0.0/16 prefixlen 16 - 32 +} + +# AS2, used by client AS2_1, client AS2_2 +# no origin ASNs found for AS2 +# no prefixes found for AS2 + +# WHITE_LIST_AS5_2, used by client AS5_2 white list +as-set "AS_SET_WHITE_LIST_AS5_2_asns" { + 51 +} +prefix-set "AS_SET_WHITE_LIST_AS5_2_prefixes" { + 5.2.0.0/16 prefixlen 16 - 32 + 2a05:2::/32 prefixlen 32 - 128 
+} + +# AS5, used by client AS5_1, client AS5_2 +# no origin ASNs found for AS5 +# no prefixes found for AS5 + +# AS6, used by client AS6_1, client AS6_2 +as-set "AS_SET_AS6_asns" { + 3 6 +} +prefix-set "AS_SET_AS6_prefixes" { + 6.0.0.0/16 prefixlen 16 - 32 +} + +# WHITE_LIST_AS5_1, used by client AS5_1 white list +as-set "AS_SET_WHITE_LIST_AS5_1_asns" { + 51 +} +prefix-set "AS_SET_WHITE_LIST_AS5_1_prefixes" { + 5.2.0.0/16 prefixlen 16 - 32 + 2a05:2::/32 prefixlen 32 - 128 +} + +# WHITE_LIST_AS2_1, used by client AS2_1 white list +as-set "AS_SET_WHITE_LIST_AS2_1_asns" { + 21 +} +prefix-set "AS_SET_WHITE_LIST_AS2_1_prefixes" { + 2.2.0.0/16 prefixlen 16 - 32 + 2a02:2::/32 prefixlen 32 - 128 +} + +# AS1, used by client AS1_1, client AS1_2 +as-set "AS_SET_AS1_asns" { + 1 +} +prefix-set "AS_SET_AS1_prefixes" { + 1.0.0.0/16 prefixlen 16 - 32 +} + +# WHITE_LIST_AS4_2, used by client AS4_2 white list +as-set "AS_SET_WHITE_LIST_AS4_2_asns" { + 41 +} +prefix-set "AS_SET_WHITE_LIST_AS4_2_prefixes" { + 4.2.0.0/16 prefixlen 16 - 32 + 2a04:2::/32 prefixlen 32 - 128 +} + +# AS-AS2, used by client AS2_1, client AS2_2 +as-set "AS_SET_AS_AS2_asns" { + 2 +} +prefix-set "AS_SET_AS_AS2_prefixes" { + 2.0.0.0/16 prefixlen 16 - 32 +} + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + neighbor 192.0.2.11 { + remote-as 1 + + rde evaluate all + + descr "AS1_1 client, no AS-SET" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::11 { + remote-as 1 + + rde evaluate all + + descr "AS1_1 client, no AS-SET" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.21 { + remote-as 2 + + rde evaluate all + + descr "AS2_1 client, AS-SET from AS..." 
+ passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::21 { + remote-as 2 + + rde evaluate all + + descr "AS2_1 client, AS-SET from AS..." + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.41 { + remote-as 4 + + rde evaluate all + + descr "AS4_1 client, AS-SET configu..." + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::41 { + remote-as 4 + + rde evaluate all + + descr "AS4_1 client, AS-SET configu..." + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.51 { + remote-as 5 + + rde evaluate all + + descr "AS5_1 client, AS-SET from Pe..." + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::51 { + remote-as 5 + + rde evaluate all + + descr "AS5_1 client, AS-SET from Pe..." 
+ passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.61 { + remote-as 6 + + rde evaluate all + + descr "AS6_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::61 { + remote-as 6 + + rde evaluate all + + descr "AS6_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } +} + + + +# --------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. 
+ + + + + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. +# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. 
+ + + +# Scrub communities from inbound routes +# origin_not_present_in_as_set +match from group clients set community delete 999:64515 +match from group clients set large-community delete 999:0:64515 + +# origin_present_in_as_set +match from group clients set community delete 999:64514 +match from group clients set large-community delete 999:0:64514 + +# prefix_not_present_in_as_set +match from group clients set community delete 999:64513 +match from group clients set large-community delete 999:0:64513 + +# prefix_present_in_as_set +match from group clients set community delete 999:64512 +match from group clients set large-community delete 999:0:64512 + +# prefix_validated_via_arin_whois_db_dump +match from group clients set community delete 999:64518 +match from group clients set large-community delete 999:0:64518 + +# prefix_validated_via_rpki_roas +match from group clients set community delete 999:64516 +match from group clients set large-community delete 999:0:64516 + +# reject_cause +match from group clients set community delete 65520:* + +# reject_cause_map_6 +match from group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match from group clients set ext-community delete rt 65520:* + +# route_validated_via_white_list +match from group clients set community delete 999:64517 +match from group clients set large-community delete 999:0:64517 + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which are used later by the rest of the filter rules. + +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + +# --------------------------------------------------------- +# ROAs source + + +roa-set { + 2.4.0.0/16 source-as 2 + 2.5.0.0/16 source-as 2 + 2.7.0.0/16 source-as 2 + 3.1.0.0/16 source-as 3 + 3.3.0.0/16 source-as 3 + 2.0.4.0/24 source-as 2 + 6.0.1.0/24 source-as 6 + 2a02:4::/32 source-as 2 + 2a02:5::/32 source-as 2 + 2a02:7::/32 source-as 2 + 2a03:1::/32 source-as 3 + 2a03:3::/32 source-as 3 + 2a02:0:4::/48 source-as 2 + 2a06:0:1::/48 source-as 6 + +} + + + + +# --------------------------------------------------------- +# RPKI ROAs used as route objects. + +# Add the $INTCOMM_PREF_OK_ROA ext community to routes whose +# origin ASN has a ROA for the announced prefix. +# It will be used later during IRRDB validation in +# case the origin ASN is authorized by a client's +# AS-SET but the prefix is not. 
+ +origin-set "RPKI_ROA" { + 2.4.0.0/16 source-as 2 + 2.5.0.0/16 source-as 2 + 2.7.0.0/16 source-as 2 + 3.1.0.0/16 source-as 3 + 3.3.0.0/16 source-as 3 + 2.0.4.0/24 source-as 2 + 6.0.1.0/24 source-as 6 + 2a02:4::/32 source-as 2 + 2a02:5::/32 source-as 2 + 2a02:7::/32 source-as 2 + 2a03:1::/32 source-as 3 + 2a03:3::/32 source-as 3 + 2a02:0:4::/48 source-as 2 + 2a06:0:1::/48 source-as 6 + +} +match from group clients origin-set RPKI_ROA set ext-community $INTCOMM_PREF_OK_ROA + + +# ARIN Whois records used for preifx validation +# --------------------------------------------- + +# Add the $INTCOMM_PREF_OK_ARINDB ext community to routes whose +# origin ASN has an ARIN Whois record for the announced prefix. +# It will be used later during IRRDB validation in +# case the origin ASN is authorized by a client's +# AS-SET but the prefix is not. +origin-set "ARINDB" { +2.0.5.0/24 prefixlen 24 - 32 source-as 2 +2.6.0.0/16 prefixlen 16 - 32 source-as 2 +2.7.0.0/16 prefixlen 16 - 32 source-as 2 +2a02:0:5::/48 prefixlen 48 - 128 source-as 2 +2a02:6::/32 prefixlen 32 - 128 source-as 2 +2a02:7::/32 prefixlen 32 - 128 source-as 2 +2a03:2::/32 prefixlen 32 - 128 source-as 3 +2a03:3::/32 prefixlen 32 - 128 source-as 3 +3.2.0.0/16 prefixlen 16 - 32 source-as 3 +3.3.0.0/16 prefixlen 16 - 32 source-as 3 +2a06:0:1::/48 prefixlen 48 - 128 source-as 6 +6.0.1.0/24 prefixlen 24 - 32 source-as 6 +} +match from group clients origin-set ARINDB set ext-community $INTCOMM_PREF_OK_ARINDB + + + + +# Set the 'rejected_route_announced_by' community for all the clients. 
+# It will be removed later if the route is not invalid +match from 192.0.2.11 set ext-community rt 65520:1 + +match from 2001:db8:1:1::11 set ext-community rt 65520:1 + +match from 192.0.2.21 set ext-community rt 65520:2 + +match from 2001:db8:1:1::21 set ext-community rt 65520:2 + +match from 192.0.2.41 set ext-community rt 65520:4 + +match from 2001:db8:1:1::41 set ext-community rt 65520:4 + +match from 192.0.2.51 set ext-community rt 65520:5 + +match from 2001:db8:1:1::51 set ext-community rt 65520:5 + +match from 192.0.2.61 set ext-community rt 65520:6 + +match from 2001:db8:1:1::61 set ext-community rt 65520:6 + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 32' - reject code: 1 +allow quick from group clients max-as-len 32 set { + localpref 1 + community 65520:0 + community 65520:1 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +allow quick from group clients community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:10 + community delete NO_ADVERTISE + 
ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +allow quick from group clients prefix-set bogons set { + localpref 1 + community 65520:0 + community 65520:2 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# ===================================================================================== +# Per client rules. 
+ + +# --------------------------------------------- +# client AS1_1, inbound + + + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +allow quick from 192.0.2.11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 
- 4294967295' - reject code: 7 +allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 192.0.2.11 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_1, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.11 source-as as-set AS_SET_AS1_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS1 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_1, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes 
this object +match from 192.0.2.11 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.11 prefix-set AS_SET_AS1_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS1 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.11 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 192.0.2.11 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 192.0.2.11 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 192.0.2.11 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 999:64518 +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:0:64518 + +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + 
localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.11 set ext-community delete rt 65520:1 + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS1_1, outbound + +deny quick to 192.0.2.11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. 
As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS1_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::11 set community NO_ADVERTISE +match from 2001:db8:1:1::11 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::11 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK 
+ ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 2001:db8:1:1::11 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_2, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::11 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::11 source-as as-set AS_SET_AS1_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS1 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 
2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_2, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::11 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::11 prefix-set AS_SET_AS1_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS1 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::11 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 2001:db8:1:1::11 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::11 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 2001:db8:1:1::11 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 999:64518 +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK 
ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:0:64518 + +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::11 set ext-community delete rt 65520:1 + + + +allow quick from 2001:db8:1:1::11 + + + +# --------------------------------------------- +# 
client AS1_2, outbound + +deny quick to 2001:db8:1:1::11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_1, inbound + + + +# NEXT_HOP +match from 192.0.2.21 set community NO_ADVERTISE +match from 192.0.2.21 nexthop 192.0.2.21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.21 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.21 peer-as != 2 set { + localpref 1 + community 65520:0 + 
community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.21 AS 23456' - reject code: 7 +allow quick from 192.0.2.21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community 
delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 192.0.2.21 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS2_1, AS2: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.21 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. 
+match from 192.0.2.21 source-as as-set AS_SET_WHITE_LIST_AS2_1_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS2_1 +match from 192.0.2.21 source-as as-set AS_SET_AS_AS2_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS2 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS2_1, AS2: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.21 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. 
+match from 192.0.2.21 prefix-set AS_SET_WHITE_LIST_AS2_1_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS2_1 +match from 192.0.2.21 prefix-set AS_SET_AS_AS2_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS2 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.21 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 192.0.2.21 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 192.0.2.21 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 192.0.2.21 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 999:64518 +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:0:64518 + +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick 
from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.21 set ext-community delete rt 65520:2 + + + +allow quick from 192.0.2.21 + + + +# --------------------------------------------- +# client AS2_1, outbound + +deny quick to 192.0.2.21 community 65520:0 + + + +# Blackhole request? 
+# No blackhole filtering policy given +deny quick to 192.0.2.21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.21 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::21 set community NO_ADVERTISE +match from 2001:db8:1:1::21 nexthop 2001:db8:1:1::21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::21 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + 
ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete 
$INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 2001:db8:1:1::21 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS2_2, AS2: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::21 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::21 source-as as-set AS_SET_WHITE_LIST_AS2_2_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # 
WHITE_LIST_AS2_2 +# AS-SET AS2 referenced but empty. +match from 2001:db8:1:1::21 source-as as-set AS_SET_AS_AS2_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS2 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS2_2, AS2: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::21 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::21 prefix-set AS_SET_WHITE_LIST_AS2_2_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS2_2 +# AS-SET AS2 referenced but empty. 
+match from 2001:db8:1:1::21 prefix-set AS_SET_AS_AS2_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS2 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::21 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 2001:db8:1:1::21 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::21 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 2001:db8:1:1::21 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 999:64518 +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:0:64518 + +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 
65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::21 set ext-community delete rt 65520:2 + + + +allow quick from 2001:db8:1:1::21 + + + +# --------------------------------------------- +# client AS2_2, outbound + +deny quick to 2001:db8:1:1::21 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::21 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. 
As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_1, inbound + + + +# NEXT_HOP +match from 192.0.2.41 set community NO_ADVERTISE +match from 192.0.2.41 nexthop 192.0.2.41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.41 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete 
$INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.41 AS 23456' - reject code: 7 +allow quick from 192.0.2.41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 192.0.2.41 prefix 2a04:4::/32 source-as 44 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.41 prefix 2a04:5::/32 prefixlen 32 - 128 source-as 43 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.41 prefix 2a04:6::/32 prefixlen 32 - 128 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.41 prefix 4.4.0.0/16 source-as 44 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.41 prefix 4.5.0.0/16 prefixlen 16 - 32 source-as 43 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.41 prefix 4.6.0.0/16 prefixlen 16 - 32 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 192.0.2.41 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS4_1, AS4: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.41 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.41 source-as as-set AS_SET_WHITE_LIST_AS4_1_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS4_1 +# AS-SET AS4 referenced but empty. 
+match from 192.0.2.41 source-as as-set AS_SET_AS_AS4_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS4 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS4_1, AS4: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.41 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.41 prefix-set AS_SET_WHITE_LIST_AS4_1_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS4_1 +# AS-SET AS4 referenced but empty. 
+match from 192.0.2.41 prefix-set AS_SET_AS_AS4_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS4 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.41 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 192.0.2.41 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 192.0.2.41 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 192.0.2.41 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 999:64518 +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:0:64518 + +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + +# route authorized by a client's white list? 
+match from 192.0.2.41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set community 999:64517 +match from 192.0.2.41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set large-community 999:0:64517 + +match from 192.0.2.41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete 
$INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.41 set ext-community delete rt 65520:4 + + + +allow quick from 192.0.2.41 + + + +# --------------------------------------------- +# client AS4_1, outbound + +deny quick to 192.0.2.41 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.41 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.41 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::41 set community NO_ADVERTISE +match from 2001:db8:1:1::41 nexthop 2001:db8:1:1::41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::41 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 2001:db8:1:1::41 prefix 2a04:4::/32 source-as 44 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::41 prefix 2a04:5::/32 prefixlen 32 - 128 source-as 43 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::41 prefix 2a04:6::/32 prefixlen 32 - 128 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::41 prefix 4.4.0.0/16 source-as 44 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::41 prefix 4.5.0.0/16 prefixlen 16 - 32 source-as 43 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::41 prefix 4.6.0.0/16 prefixlen 16 - 32 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 2001:db8:1:1::41 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS4_2, AS4: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::41 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS4 referenced but empty. 
+match from 2001:db8:1:1::41 source-as as-set AS_SET_AS_AS4_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS4 +match from 2001:db8:1:1::41 source-as as-set AS_SET_WHITE_LIST_AS4_2_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS4_2 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS4_2, AS4: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::41 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS4 referenced but empty. 
+match from 2001:db8:1:1::41 prefix-set AS_SET_AS_AS4_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS4 +match from 2001:db8:1:1::41 prefix-set AS_SET_WHITE_LIST_AS4_2_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS4_2 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::41 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 2001:db8:1:1::41 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::41 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 2001:db8:1:1::41 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 999:64518 +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:0:64518 + +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + +# route authorized by a client's white list? 
+match from 2001:db8:1:1::41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set community 999:64517 +match from 2001:db8:1:1::41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set large-community 999:0:64517 + +match from 2001:db8:1:1::41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::41 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::41 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + 
ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::41 set ext-community delete rt 65520:4 + + + +allow quick from 2001:db8:1:1::41 + + + +# --------------------------------------------- +# client AS4_2, outbound + +deny quick to 2001:db8:1:1::41 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::41 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::41 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS5_1, inbound + + + +# NEXT_HOP +match from 192.0.2.51 set community NO_ADVERTISE +match from 192.0.2.51 nexthop 192.0.2.51 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.51 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.51 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.51 peer-as != 5' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.51 peer-as != 5 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.51 AS 23456' - reject code: 7 +allow quick from 192.0.2.51 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.51 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.51 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.51 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.51 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 192.0.2.51 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS5_1, AS5: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.51 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.51 source-as as-set AS_SET_AS_AS5_FROM_PDB_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS5_FROM_PDB +# AS-SET AS5 referenced but empty. 
+match from 192.0.2.51 source-as as-set AS_SET_WHITE_LIST_AS5_1_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS5_1 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS5_1, AS5: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.51 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.51 prefix-set AS_SET_AS_AS5_FROM_PDB_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS5_FROM_PDB +# AS-SET AS5 referenced but empty. 
+match from 192.0.2.51 prefix-set AS_SET_WHITE_LIST_AS5_1_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS5_1 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.51 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 192.0.2.51 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 192.0.2.51 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 192.0.2.51 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 999:64518 +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:0:64518 + +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.51 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.51 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + 
community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.51 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.51 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.51 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete 
$INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.51 set ext-community delete rt 65520:5 + + + +allow quick from 192.0.2.51 + + + +# --------------------------------------------- +# client AS5_1, outbound + +deny quick to 192.0.2.51 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.51 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.51 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.51 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS5_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::51 set community NO_ADVERTISE +match from 2001:db8:1:1::51 nexthop 2001:db8:1:1::51 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::51 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::51 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::51 peer-as != 5' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::51 peer-as != 5 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::51 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::51 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::51 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::51 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::51 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::51 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 2001:db8:1:1::51 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS5_2, AS5: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::51 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::51 source-as as-set AS_SET_AS_AS5_FROM_PDB_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS5_FROM_PDB +match from 2001:db8:1:1::51 source-as as-set AS_SET_WHITE_LIST_AS5_2_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS5_2 +# AS-SET AS5 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS5_2, AS5: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::51 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::51 prefix-set AS_SET_AS_AS5_FROM_PDB_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS5_FROM_PDB +match from 2001:db8:1:1::51 prefix-set AS_SET_WHITE_LIST_AS5_2_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS5_2 +# AS-SET AS5 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::51 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 2001:db8:1:1::51 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::51 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 2001:db8:1:1::51 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 999:64518 +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:0:64518 + +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db8:1:1::51 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::51 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + 
ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::51 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::51 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::51 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete 
$INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::51 set ext-community delete rt 65520:5 + + + +allow quick from 2001:db8:1:1::51 + + + +# --------------------------------------------- +# client AS5_2, outbound + +deny quick to 2001:db8:1:1::51 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::51 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::51 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::51 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS6_1, inbound + + + +# NEXT_HOP +match from 192.0.2.61 set community NO_ADVERTISE +match from 192.0.2.61 nexthop 192.0.2.61 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.61 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.61 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + 
ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.61 peer-as != 6' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.61 peer-as != 6 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.61 AS 23456' - reject code: 7 +allow quick from 192.0.2.61 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community 
delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.61 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.61 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.61 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.61 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes 
which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. +match from 192.0.2.61 prefix 2a03:2::/32 prefixlen 32 - 128 source-as 3 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.61 prefix 3.2.0.0/16 prefixlen 16 - 32 source-as 3 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 192.0.2.61 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS6_1, AS6: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.61 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.61 source-as as-set AS_SET_AS6_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS6 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS6_1, AS6: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.61 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.61 prefix-set AS_SET_AS6_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS6 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.61 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 192.0.2.61 ext-community 
$INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 192.0.2.61 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 192.0.2.61 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 999:64518 +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:0:64518 + +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + +# route authorized by a client's white list? 
+match from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set community 999:64517 +match from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set large-community 999:0:64517 + +match from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community 
delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.61 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.61 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.61 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.61 set ext-community delete rt 65520:6 + + + +allow quick from 192.0.2.61 + + + +# --------------------------------------------- +# client AS6_1, outbound + +deny quick to 192.0.2.61 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.61 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.61 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.61 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS6_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::61 set community NO_ADVERTISE +match from 2001:db8:1:1::61 nexthop 2001:db8:1:1::61 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::61 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::61 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject 
inbound routes when 'from 2001:db8:1:1::61 peer-as != 6' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::61 peer-as != 6 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::61 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::61 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::61 AS 64496 - 131071' - reject code: 7 +allow quick from 
2001:db8:1:1::61 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::61 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::61 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 2001:db8:1:1::61 prefix 2a03:2::/32 prefixlen 32 - 128 source-as 3 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::61 prefix 3.2.0.0/16 prefixlen 16 - 32 source-as 3 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 2001:db8:1:1::61 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS6_2, AS6: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::61 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::61 source-as as-set AS_SET_AS6_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS6 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS6_2, AS6: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::61 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::61 prefix-set AS_SET_AS6_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS6 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::61 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 2001:db8:1:1::61 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized 
routes +match from 2001:db8:1:1::61 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 2001:db8:1:1::61 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 999:64518 +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:0:64518 + +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + +# route authorized by a client's white list? 
+match from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set community 999:64517 +match from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set large-community 999:0:64517 + +match from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community 
delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::61 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::61 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::61 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community 
delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::61 set ext-community delete rt 65520:6 + + + +allow quick from 2001:db8:1:1::61 + + + +# --------------------------------------------- +# client AS6_2, outbound + +deny quick to 2001:db8:1:1::61 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::61 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::61 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::61 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + + + +# Scrub communities from outbound routes +# reject_cause +match to group clients set community delete 65520:* + +# reject_cause_map_6 +match to group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match to group clients set ext-community delete rt 65520:* + + +# Scrub prepending communities + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community 
delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + diff --git a/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p.conf b/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p.conf new file mode 100644 index 00000000..ecab7e3e --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/configs/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p.conf 
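Review bot: in the inbound section for 2001:db8:1:1::61 (client AS6_2) that closes the file above, the "Remove internal communities before accepting the route" block deletes $INTCOMM_RPKI_UNKNOWN and $INTCOMM_RPKI_VALID but leaves $INTCOMM_RPKI_INVALID, $INTCOMM_NO_EXPORT and $INTCOMM_NO_ADVERTISE in place, while every reject rule and the outbound "Remove internal communities before announcing the route" block delete the full list. Keeping the NO_EXPORT/NO_ADVERTISE markers is explained by the outbound rules that turn them back into NO_EXPORT and NO_ADVERTISE, but no generated comment says why $INTCOMM_RPKI_INVALID survives the inbound cleanup. A one-line comment from the template naming the internal communities that are kept on purpose would make this expected output reviewable. The two white-list rules in the same section also end with a trailing "# None" comment, which looks like an unset value rendered literally; emit that comment only when there is text to show.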
@@ -0,0 +1,3741 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + +# WHITE_LIST_AS4_1, used by client AS4_1 white list +as-set "AS_SET_WHITE_LIST_AS4_1_asns" { + 41 +} +prefix-set "AS_SET_WHITE_LIST_AS4_1_prefixes" { + 4.2.0.0/16 prefixlen 16 - 32 + 2a04:2::/32 prefixlen 32 - 128 +} + +# AS4, used by client AS4_1, client AS4_2 +# no origin ASNs found for AS4 +# no prefixes found for AS4 + +# WHITE_LIST_AS2_2, used by client AS2_2 white list +as-set "AS_SET_WHITE_LIST_AS2_2_asns" { + 21 +} +prefix-set "AS_SET_WHITE_LIST_AS2_2_prefixes" { + 2.2.0.0/16 prefixlen 16 - 32 + 2a02:2::/32 prefixlen 32 - 128 +} + +# AS-AS5_FROM_PDB, used by client AS5_1, client AS5_2 +as-set "AS_SET_AS_AS5_FROM_PDB_asns" { + 5 +} +prefix-set "AS_SET_AS_AS5_FROM_PDB_prefixes" { + 2a05::/32 prefixlen 32 - 128 +} + +# AS-AS4, used by client AS4_1, client AS4_2 +as-set "AS_SET_AS_AS4_asns" { + 4 +} +prefix-set "AS_SET_AS_AS4_prefixes" { + 2a04::/32 prefixlen 32 - 128 +} + +# AS2, used by client AS2_1, client AS2_2 +# no origin ASNs found for AS2 +# no prefixes found for AS2 + +# WHITE_LIST_AS5_2, used by client AS5_2 white list +as-set "AS_SET_WHITE_LIST_AS5_2_asns" { + 51 +} +prefix-set "AS_SET_WHITE_LIST_AS5_2_prefixes" { + 5.2.0.0/16 prefixlen 16 - 32 + 2a05:2::/32 prefixlen 32 - 128 
+} + +# AS5, used by client AS5_1, client AS5_2 +# no origin ASNs found for AS5 +# no prefixes found for AS5 + +# AS6, used by client AS6_1, client AS6_2 +as-set "AS_SET_AS6_asns" { + 3 6 +} +prefix-set "AS_SET_AS6_prefixes" { + 2a06::/32 prefixlen 32 - 128 +} + +# WHITE_LIST_AS5_1, used by client AS5_1 white list +as-set "AS_SET_WHITE_LIST_AS5_1_asns" { + 51 +} +prefix-set "AS_SET_WHITE_LIST_AS5_1_prefixes" { + 5.2.0.0/16 prefixlen 16 - 32 + 2a05:2::/32 prefixlen 32 - 128 +} + +# WHITE_LIST_AS2_1, used by client AS2_1 white list +as-set "AS_SET_WHITE_LIST_AS2_1_asns" { + 21 +} +prefix-set "AS_SET_WHITE_LIST_AS2_1_prefixes" { + 2.2.0.0/16 prefixlen 16 - 32 + 2a02:2::/32 prefixlen 32 - 128 +} + +# AS1, used by client AS1_1, client AS1_2 +as-set "AS_SET_AS1_asns" { + 1 +} +prefix-set "AS_SET_AS1_prefixes" { + 2a01::/32 prefixlen 32 - 128 +} + +# WHITE_LIST_AS4_2, used by client AS4_2 white list +as-set "AS_SET_WHITE_LIST_AS4_2_asns" { + 41 +} +prefix-set "AS_SET_WHITE_LIST_AS4_2_prefixes" { + 4.2.0.0/16 prefixlen 16 - 32 + 2a04:2::/32 prefixlen 32 - 128 +} + +# AS-AS2, used by client AS2_1, client AS2_2 +as-set "AS_SET_AS_AS2_asns" { + 2 +} +prefix-set "AS_SET_AS_AS2_prefixes" { + 2a02::/32 prefixlen 32 - 128 +} + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + neighbor 192.0.2.11 { + remote-as 1 + + rde evaluate all + + descr "AS1_1 client, no AS-SET" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::11 { + remote-as 1 + + rde evaluate all + + descr "AS1_1 client, no AS-SET" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.21 { + remote-as 2 + + rde evaluate all + + descr "AS2_1 client, AS-SET from AS..." 
+ passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::21 { + remote-as 2 + + rde evaluate all + + descr "AS2_1 client, AS-SET from AS..." + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.41 { + remote-as 4 + + rde evaluate all + + descr "AS4_1 client, AS-SET configu..." + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::41 { + remote-as 4 + + rde evaluate all + + descr "AS4_1 client, AS-SET configu..." + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.51 { + remote-as 5 + + rde evaluate all + + descr "AS5_1 client, AS-SET from Pe..." + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::51 { + remote-as 5 + + rde evaluate all + + descr "AS5_1 client, AS-SET from Pe..." 
+ passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.61 { + remote-as 6 + + rde evaluate all + + descr "AS6_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::61 { + remote-as 6 + + rde evaluate all + + descr "AS6_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } +} + + + +# --------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. 
+ + + + + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. +# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. 
+ + + +# Scrub communities from inbound routes +# origin_not_present_in_as_set +match from group clients set community delete 999:64515 +match from group clients set large-community delete 999:0:64515 + +# origin_present_in_as_set +match from group clients set community delete 999:64514 +match from group clients set large-community delete 999:0:64514 + +# prefix_not_present_in_as_set +match from group clients set community delete 999:64513 +match from group clients set large-community delete 999:0:64513 + +# prefix_present_in_as_set +match from group clients set community delete 999:64512 +match from group clients set large-community delete 999:0:64512 + +# prefix_validated_via_arin_whois_db_dump +match from group clients set community delete 999:64518 +match from group clients set large-community delete 999:0:64518 + +# prefix_validated_via_rpki_roas +match from group clients set community delete 999:64516 +match from group clients set large-community delete 999:0:64516 + +# reject_cause +match from group clients set community delete 65520:* + +# reject_cause_map_6 +match from group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match from group clients set ext-community delete rt 65520:* + +# route_validated_via_white_list +match from group clients set community delete 999:64517 +match from group clients set large-community delete 999:0:64517 + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which are used later by the rest of the filter rules. + +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + +# --------------------------------------------------------- +# ROAs source + + +roa-set { + 2.4.0.0/16 source-as 2 + 2.5.0.0/16 source-as 2 + 2.7.0.0/16 source-as 2 + 3.1.0.0/16 source-as 3 + 3.3.0.0/16 source-as 3 + 2.0.4.0/24 source-as 2 + 6.0.1.0/24 source-as 6 + 2a02:4::/32 source-as 2 + 2a02:5::/32 source-as 2 + 2a02:7::/32 source-as 2 + 2a03:1::/32 source-as 3 + 2a03:3::/32 source-as 3 + 2a02:0:4::/48 source-as 2 + 2a06:0:1::/48 source-as 6 + +} + + + + +# --------------------------------------------------------- +# RPKI ROAs used as route objects. + +# Add the $INTCOMM_PREF_OK_ROA ext community to routes whose +# origin ASN has a ROA for the announced prefix. +# It will be used later during IRRDB validation in +# case the origin ASN is authorized by a client's +# AS-SET but the prefix is not. 
+ +origin-set "RPKI_ROA" { + 2.4.0.0/16 source-as 2 + 2.5.0.0/16 source-as 2 + 2.7.0.0/16 source-as 2 + 3.1.0.0/16 source-as 3 + 3.3.0.0/16 source-as 3 + 2.0.4.0/24 source-as 2 + 6.0.1.0/24 source-as 6 + 2a02:4::/32 source-as 2 + 2a02:5::/32 source-as 2 + 2a02:7::/32 source-as 2 + 2a03:1::/32 source-as 3 + 2a03:3::/32 source-as 3 + 2a02:0:4::/48 source-as 2 + 2a06:0:1::/48 source-as 6 + +} +match from group clients origin-set RPKI_ROA set ext-community $INTCOMM_PREF_OK_ROA + + +# ARIN Whois records used for preifx validation +# --------------------------------------------- + +# Add the $INTCOMM_PREF_OK_ARINDB ext community to routes whose +# origin ASN has an ARIN Whois record for the announced prefix. +# It will be used later during IRRDB validation in +# case the origin ASN is authorized by a client's +# AS-SET but the prefix is not. +origin-set "ARINDB" { +2.0.5.0/24 prefixlen 24 - 32 source-as 2 +2.6.0.0/16 prefixlen 16 - 32 source-as 2 +2.7.0.0/16 prefixlen 16 - 32 source-as 2 +2a02:0:5::/48 prefixlen 48 - 128 source-as 2 +2a02:6::/32 prefixlen 32 - 128 source-as 2 +2a02:7::/32 prefixlen 32 - 128 source-as 2 +2a03:2::/32 prefixlen 32 - 128 source-as 3 +2a03:3::/32 prefixlen 32 - 128 source-as 3 +3.2.0.0/16 prefixlen 16 - 32 source-as 3 +3.3.0.0/16 prefixlen 16 - 32 source-as 3 +2a06:0:1::/48 prefixlen 48 - 128 source-as 6 +6.0.1.0/24 prefixlen 24 - 32 source-as 6 +} +match from group clients origin-set ARINDB set ext-community $INTCOMM_PREF_OK_ARINDB + + + + +# Set the 'rejected_route_announced_by' community for all the clients. 
+# It will be removed later if the route is not invalid +match from 192.0.2.11 set ext-community rt 65520:1 + +match from 2001:db8:1:1::11 set ext-community rt 65520:1 + +match from 192.0.2.21 set ext-community rt 65520:2 + +match from 2001:db8:1:1::21 set ext-community rt 65520:2 + +match from 192.0.2.41 set ext-community rt 65520:4 + +match from 2001:db8:1:1::41 set ext-community rt 65520:4 + +match from 192.0.2.51 set ext-community rt 65520:5 + +match from 2001:db8:1:1::51 set ext-community rt 65520:5 + +match from 192.0.2.61 set ext-community rt 65520:6 + +match from 2001:db8:1:1::61 set ext-community rt 65520:6 + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 32' - reject code: 1 +allow quick from group clients max-as-len 32 set { + localpref 1 + community 65520:0 + community 65520:1 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +allow quick from group clients community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:10 + community delete NO_ADVERTISE + 
ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +allow quick from group clients prefix-set bogons set { + localpref 1 + community 65520:0 + community 65520:2 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# ===================================================================================== +# Per client rules. 
+ + +# --------------------------------------------- +# client AS1_1, inbound + + + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +allow quick from 192.0.2.11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 
- 4294967295' - reject code: 7 +allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 192.0.2.11 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_1, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.11 source-as as-set AS_SET_AS1_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS1 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_1, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes 
this object +match from 192.0.2.11 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.11 prefix-set AS_SET_AS1_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS1 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.11 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 192.0.2.11 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 192.0.2.11 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 192.0.2.11 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 999:64518 +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:0:64518 + +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + 
localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.11 set ext-community delete rt 65520:1 + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS1_1, outbound + +deny quick to 192.0.2.11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. 
As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS1_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::11 set community NO_ADVERTISE +match from 2001:db8:1:1::11 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::11 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK 
+ ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 2001:db8:1:1::11 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_2, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::11 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::11 source-as as-set AS_SET_AS1_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS1 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 
2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_2, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::11 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::11 prefix-set AS_SET_AS1_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS1 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::11 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 2001:db8:1:1::11 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::11 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 2001:db8:1:1::11 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 999:64518 +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK 
ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:0:64518 + +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::11 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::11 set ext-community delete rt 65520:1 + + + +allow quick from 2001:db8:1:1::11 + + + +# --------------------------------------------- +# 
client AS1_2, outbound + +deny quick to 2001:db8:1:1::11 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::11 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::11 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_1, inbound + + + +# NEXT_HOP +match from 192.0.2.21 set community NO_ADVERTISE +match from 192.0.2.21 nexthop 192.0.2.21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.21 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.21 peer-as != 2 set { + localpref 1 + community 65520:0 + 
community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.21 AS 23456' - reject code: 7 +allow quick from 192.0.2.21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community 
delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 192.0.2.21 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS2_1, AS2: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.21 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. 
+match from 192.0.2.21 source-as as-set AS_SET_WHITE_LIST_AS2_1_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS2_1 +match from 192.0.2.21 source-as as-set AS_SET_AS_AS2_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS2 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS2_1, AS2: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.21 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. 
+match from 192.0.2.21 prefix-set AS_SET_WHITE_LIST_AS2_1_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS2_1 +match from 192.0.2.21 prefix-set AS_SET_AS_AS2_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS2 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.21 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 192.0.2.21 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 192.0.2.21 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 192.0.2.21 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 999:64518 +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:0:64518 + +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick 
from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.21 set ext-community delete rt 65520:2 + + + +allow quick from 192.0.2.21 + + + +# --------------------------------------------- +# client AS2_1, outbound + +deny quick to 192.0.2.21 community 65520:0 + + + +# Blackhole request? 
+# No blackhole filtering policy given +deny quick to 192.0.2.21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.21 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS2_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::21 set community NO_ADVERTISE +match from 2001:db8:1:1::21 nexthop 2001:db8:1:1::21 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::21 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + 
ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete 
$INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 2001:db8:1:1::21 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS2_2, AS2: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::21 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::21 source-as as-set AS_SET_WHITE_LIST_AS2_2_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # 
WHITE_LIST_AS2_2 +# AS-SET AS2 referenced but empty. +match from 2001:db8:1:1::21 source-as as-set AS_SET_AS_AS2_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS2 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS2_2, AS2: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::21 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::21 prefix-set AS_SET_WHITE_LIST_AS2_2_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS2_2 +# AS-SET AS2 referenced but empty. 
+match from 2001:db8:1:1::21 prefix-set AS_SET_AS_AS2_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS2 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::21 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 2001:db8:1:1::21 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::21 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 2001:db8:1:1::21 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 999:64518 +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:0:64518 + +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::21 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 
65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::21 set ext-community delete rt 65520:2 + + + +allow quick from 2001:db8:1:1::21 + + + +# --------------------------------------------- +# client AS2_2, outbound + +deny quick to 2001:db8:1:1::21 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::21 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::21 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. 
As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_1, inbound + + + +# NEXT_HOP +match from 192.0.2.41 set community NO_ADVERTISE +match from 192.0.2.41 nexthop 192.0.2.41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.41 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete 
$INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.41 AS 23456' - reject code: 7 +allow quick from 192.0.2.41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 192.0.2.41 prefix 2a04:4::/32 source-as 44 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.41 prefix 2a04:5::/32 prefixlen 32 - 128 source-as 43 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.41 prefix 2a04:6::/32 prefixlen 32 - 128 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.41 prefix 4.4.0.0/16 source-as 44 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.41 prefix 4.5.0.0/16 prefixlen 16 - 32 source-as 43 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.41 prefix 4.6.0.0/16 prefixlen 16 - 32 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 192.0.2.41 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS4_1, AS4: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.41 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.41 source-as as-set AS_SET_WHITE_LIST_AS4_1_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS4_1 +# AS-SET AS4 referenced but empty. 
+match from 192.0.2.41 source-as as-set AS_SET_AS_AS4_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS4 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS4_1, AS4: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.41 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.41 prefix-set AS_SET_WHITE_LIST_AS4_1_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS4_1 +# AS-SET AS4 referenced but empty. 
+match from 192.0.2.41 prefix-set AS_SET_AS_AS4_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS4 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.41 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 192.0.2.41 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 192.0.2.41 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 192.0.2.41 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 999:64518 +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:0:64518 + +match from 192.0.2.41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + +# route authorized by a client's white list? 
+match from 192.0.2.41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set community 999:64517 +match from 192.0.2.41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set large-community 999:0:64517 + +match from 192.0.2.41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete 
$INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.41 set ext-community delete rt 65520:4 + + + +allow quick from 192.0.2.41 + + + +# --------------------------------------------- +# client AS4_1, outbound + +deny quick to 192.0.2.41 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.41 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.41 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS4_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::41 set community NO_ADVERTISE +match from 2001:db8:1:1::41 nexthop 2001:db8:1:1::41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::41 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 2001:db8:1:1::41 prefix 2a04:4::/32 source-as 44 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::41 prefix 2a04:5::/32 prefixlen 32 - 128 source-as 43 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::41 prefix 2a04:6::/32 prefixlen 32 - 128 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::41 prefix 4.4.0.0/16 source-as 44 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::41 prefix 4.5.0.0/16 prefixlen 16 - 32 source-as 43 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::41 prefix 4.6.0.0/16 prefixlen 16 - 32 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 2001:db8:1:1::41 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS4_2, AS4: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::41 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS4 referenced but empty. 
+match from 2001:db8:1:1::41 source-as as-set AS_SET_AS_AS4_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS4 +match from 2001:db8:1:1::41 source-as as-set AS_SET_WHITE_LIST_AS4_2_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS4_2 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS4_2, AS4: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::41 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS4 referenced but empty. 
+match from 2001:db8:1:1::41 prefix-set AS_SET_AS_AS4_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS4 +match from 2001:db8:1:1::41 prefix-set AS_SET_WHITE_LIST_AS4_2_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS4_2 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::41 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 2001:db8:1:1::41 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::41 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 2001:db8:1:1::41 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 999:64518 +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:0:64518 + +match from 2001:db8:1:1::41 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + +# route authorized by a client's white list? 
+match from 2001:db8:1:1::41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set community 999:64517 +match from 2001:db8:1:1::41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set large-community 999:0:64517 + +match from 2001:db8:1:1::41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::41 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::41 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::41 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + 
ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::41 set ext-community delete rt 65520:4 + + + +allow quick from 2001:db8:1:1::41 + + + +# --------------------------------------------- +# client AS4_2, outbound + +deny quick to 2001:db8:1:1::41 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::41 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::41 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 2001:db8:1:1::41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS5_1, inbound + + + +# NEXT_HOP +match from 192.0.2.51 set community NO_ADVERTISE +match from 192.0.2.51 nexthop 192.0.2.51 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.51 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.51 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.51 peer-as != 5' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.51 peer-as != 5 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.51 AS 23456' - reject code: 7 +allow quick from 192.0.2.51 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.51 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.51 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.51 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.51 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 192.0.2.51 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS5_1, AS5: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.51 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.51 source-as as-set AS_SET_AS_AS5_FROM_PDB_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS5_FROM_PDB +# AS-SET AS5 referenced but empty. 
+match from 192.0.2.51 source-as as-set AS_SET_WHITE_LIST_AS5_1_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS5_1 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS5_1, AS5: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.51 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.51 prefix-set AS_SET_AS_AS5_FROM_PDB_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS5_FROM_PDB +# AS-SET AS5 referenced but empty. 
+match from 192.0.2.51 prefix-set AS_SET_WHITE_LIST_AS5_1_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS5_1 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.51 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 192.0.2.51 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 192.0.2.51 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 192.0.2.51 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 999:64518 +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:0:64518 + +match from 192.0.2.51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.51 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.51 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + 
community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.51 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.51 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.51 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete 
$INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.51 set ext-community delete rt 65520:5 + + + +allow quick from 192.0.2.51 + + + +# --------------------------------------------- +# client AS5_1, outbound + +deny quick to 192.0.2.51 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.51 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.51 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. 
+match to 192.0.2.51 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS5_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::51 set community NO_ADVERTISE +match from 2001:db8:1:1::51 nexthop 2001:db8:1:1::51 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::51 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::51 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::51 peer-as != 5' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::51 peer-as != 5 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN 
+ ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::51 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::51 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::51 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::51 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete 
$INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::51 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::51 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +match from 2001:db8:1:1::51 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS5_2, AS5: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::51 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::51 source-as as-set AS_SET_AS_AS5_FROM_PDB_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS5_FROM_PDB +match from 2001:db8:1:1::51 source-as as-set AS_SET_WHITE_LIST_AS5_2_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS5_2 +# AS-SET AS5 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS5_2, AS5: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::51 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::51 prefix-set AS_SET_AS_AS5_FROM_PDB_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS5_FROM_PDB +match from 2001:db8:1:1::51 prefix-set AS_SET_WHITE_LIST_AS5_2_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS5_2 +# AS-SET AS5 referenced but empty. 
+# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::51 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 2001:db8:1:1::51 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::51 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 2001:db8:1:1::51 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 999:64518 +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:0:64518 + +match from 2001:db8:1:1::51 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db8:1:1::51 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::51 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + 
ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::51 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::51 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::51 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete 
$INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::51 set ext-community delete rt 65520:5 + + + +allow quick from 2001:db8:1:1::51 + + + +# --------------------------------------------- +# client AS5_2, outbound + +deny quick to 2001:db8:1:1::51 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::51 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::51 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::51 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS6_1, inbound + + + +# NEXT_HOP +match from 192.0.2.61 set community NO_ADVERTISE +match from 192.0.2.61 nexthop 192.0.2.61 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.61 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.61 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + 
ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.61 peer-as != 6' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.61 peer-as != 6 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.61 AS 23456' - reject code: 7 +allow quick from 192.0.2.61 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community 
delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.61 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.61 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.61 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.61 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes 
which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. +match from 192.0.2.61 prefix 2a03:2::/32 prefixlen 32 - 128 source-as 3 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.61 prefix 3.2.0.0/16 prefixlen 16 - 32 source-as 3 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 192.0.2.61 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS6_1, AS6: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.61 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.61 source-as as-set AS_SET_AS6_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS6 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS6_1, AS6: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.61 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.61 prefix-set AS_SET_AS6_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS6 +# adding not_present_in_as_set community to unauthorized routes +match from 192.0.2.61 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 192.0.2.61 ext-community 
$INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized routes +match from 192.0.2.61 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 192.0.2.61 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 999:64518 +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:0:64518 + +match from 192.0.2.61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + +# route authorized by a client's white list? 
+match from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set community 999:64517 +match from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set large-community 999:0:64517 + +match from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community 
delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.61 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.61 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 192.0.2.61 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.61 set ext-community delete rt 65520:6 + + + +allow quick from 192.0.2.61 + + + +# --------------------------------------------- +# client AS6_1, outbound + +deny quick to 192.0.2.61 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 192.0.2.61 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 192.0.2.61 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.61 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + +# --------------------------------------------- +# client AS6_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::61 set community NO_ADVERTISE +match from 2001:db8:1:1::61 nexthop 2001:db8:1:1::61 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::61 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::61 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject 
inbound routes when 'from 2001:db8:1:1::61 peer-as != 6' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::61 peer-as != 6 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::61 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::61 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::61 AS 64496 - 131071' - reject code: 7 +allow quick from 
2001:db8:1:1::61 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::61 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::61 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 2001:db8:1:1::61 prefix 2a03:2::/32 prefixlen 32 - 128 source-as 3 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::61 prefix 3.2.0.0/16 prefixlen 16 - 32 source-as 3 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 2001:db8:1:1::61 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS6_2, AS6: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::61 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::61 source-as as-set AS_SET_AS6_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS6 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_KO set community 999:64515 +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_KO set large-community 999:0:64515 +# adding present_in_as_set community to authorized routes +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK set community 999:64514 +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK set large-community 999:0:64514 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS6_2, AS6: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::61 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::61 prefix-set AS_SET_AS6_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS6 +# adding not_present_in_as_set community to unauthorized routes +match from 2001:db8:1:1::61 ext-community $INTCOMM_PREFIX_KO set community 999:64513 +match from 2001:db8:1:1::61 ext-community $INTCOMM_PREFIX_KO set large-community 999:0:64513 +# adding present_in_as_set community to authorized 
routes +match from 2001:db8:1:1::61 ext-community $INTCOMM_PREFIX_OK set community 999:64512 +match from 2001:db8:1:1::61 ext-community $INTCOMM_PREFIX_OK set large-community 999:0:64512 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set community 999:64516 +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set large-community 999:0:64516 + +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + +# routes tagged with $INTCOMM_PREF_OK_ARINDB community have the prefix validated by an ARIN Whois record; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set community 999:64518 +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set large-community 999:0:64518 + +match from 2001:db8:1:1::61 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ARINDB set ext-community delete $INTCOMM_IRR_REJECT + + +# route authorized by a client's white list? 
+match from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set community 999:64517 +match from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set large-community 999:0:64517 + +match from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::61 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community 
delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::61 prefix ::/0 prefixlen 12 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::61 prefix ::/0 prefixlen 12 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::61 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community 
delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::61 set ext-community delete rt 65520:6 + + + +allow quick from 2001:db8:1:1::61 + + + +# --------------------------------------------- +# client AS6_2, outbound + +deny quick to 2001:db8:1:1::61 community 65520:0 + + + +# Blackhole request? +# No blackhole filtering policy given +deny quick to 2001:db8:1:1::61 community BLACKHOLE + + + +# NO_EXPORT and NO_ADVERTISE communities + +# BGP control communities +allow to 2001:db8:1:1::61 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::61 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + + + + + + + +# Scrub communities from outbound routes +# reject_cause +match to group clients set community delete 65520:* + +# reject_cause_map_6 +match to group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match to group clients set ext-community delete rt 65520:* + + +# Scrub prepending communities + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community 
delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p/AS1.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p/AS1.txt new file mode 100644 index 00000000..a8837f73 --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p/AS1.txt 
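Review bot: The "Remove internal communities before accepting the route" block for client AS6_2 deletes twelve internal ext-communities but leaves $INTCOMM_RPKI_INVALID, $INTCOMM_NO_EXPORT and $INTCOMM_NO_ADVERTISE on accepted routes, with no comment in the lines shown explaining the difference from the reject blocks and the final outbound scrub, which delete all fifteen. The "match to group clients" rules further down read $INTCOMM_NO_EXPORT and $INTCOMM_NO_ADVERTISE, but no rule visible here reads $INTCOMM_RPKI_INVALID, so please have the template that emits this block add a comment naming the consumer of each retained community. Separately, the two white list match lines for 2001:db8:1:1::61 end in "# None", which looks like an unset description rendered literally; emit that trailing comment only when a value is present.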
@@ -0,0 +1,168 @@ +2.0.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.2.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.4.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.5.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.1.0.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.2.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.3.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.3.1.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + 
filtered: False () + +2.5.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.6.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.7.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.1.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.2.1.0/24, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.3.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.2.3.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.3.1.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.4.0.0/16, AS_PATH: 4 44, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.5.1.0/24, AS_PATH: 4 43, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + 
lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.6.1.0/24, AS_PATH: 4 45, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.1.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.2.0/24, AS_PATH: 5 3, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.3.0/24, AS_PATH: 5 51, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p/AS2.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p/AS2.txt new file mode 100644 index 00000000..e63496cd --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p/AS2.txt 
@@ -0,0 +1,70 @@ +3.2.1.0/24, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.3.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.2.3.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.3.1.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.4.0.0/16, AS_PATH: 4 44, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.5.1.0/24, AS_PATH: 4 43, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.6.1.0/24, AS_PATH: 4 45, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.1.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.2.0/24, AS_PATH: 5 3, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.3.0/24, AS_PATH: 5 51, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std 
comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p/AS4.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p/AS4.txt new file mode 100644 index 00000000..16590df8 --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p/AS4.txt 
@@ -0,0 +1,126 @@ +2.0.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.2.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: False, LOCAL_PREF: 100 + filtered: False () + +2.0.4.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.5.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.1.0.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.2.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.3.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + 
filtered: False () + +2.3.1.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.5.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.6.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.7.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.2.1.0/24, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.1.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.2.0/24, AS_PATH: 5 3, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.3.0/24, AS_PATH: 5 51, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p/AS5.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p/AS5.txt new file mode 100644 index 00000000..2e9887a9 --- /dev/null 
+++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p/AS5.txt 
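Review bot: In AS4.txt, 2.0.3.0/24 is recorded twice, once with AS_PATH 2 21 (best: True) and once with AS_PATH 2 3 (best: False), both with NEXT_HOP 192.0.2.21, while AS1.txt for the same scenario lists only the best path and also carries 3.0.1.0/24 with AS_PATH 2 3, which is absent from AS4.txt. If these files are captured from a live run, please confirm that the per-client difference is deterministic and say in the commit message or scenario notes what produces it; otherwise the fixture may be recording a timing-dependent state.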
@@ -0,0 +1,147 @@ +2.0.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.2.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: False, LOCAL_PREF: 100 + filtered: False () + +2.0.4.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.5.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.1.0.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.2.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.3.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + 
filtered: False () + +2.3.1.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.5.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.6.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.7.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.2.1.0/24, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.3.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.2.3.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.3.1.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.4.0.0/16, AS_PATH: 4 44, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.5.1.0/24, AS_PATH: 4 43, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: 
+ lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.6.1.0/24, AS_PATH: 4 45, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p/AS6.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p/AS6.txt new file mode 100644 index 00000000..6460e7ee --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p/AS6.txt 
@@ -0,0 +1,161 @@ +2.0.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.2.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.4.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.5.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.1.0.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.2.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.3.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.3.1.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + 
filtered: False () + +2.5.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.6.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.7.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.1.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.3.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.2.3.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.3.1.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.4.0.0/16, AS_PATH: 4 44, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.5.1.0/24, AS_PATH: 4 43, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.6.1.0/24, AS_PATH: 4 45, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: 
+ lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.1.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.2.0/24, AS_PATH: 5 3, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.3.0/24, AS_PATH: 5 51, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p/rs.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p/rs.txt new file mode 100644 index 00000000..176237ed --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv4/openbgpd75p/rs.txt 
@@ -0,0 +1,294 @@ +2.0.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.2.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.4.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.5.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.1.0.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.2.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.3.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.3.1.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, 
LOCAL_PREF: 100 + filtered: False () + +2.4.0.0/16, AS_PATH: 6 2, NEXT_HOP: 192.0.2.61, via 192.0.2.61 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +2.5.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.6.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.7.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.1.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.1.0/24, AS_PATH: 4 3, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: False, LOCAL_PREF: 1 + filtered: True (9) + +3.0.1.0/24, AS_PATH: 5 3, NEXT_HOP: 192.0.2.51, via 192.0.2.51 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: False, LOCAL_PREF: 1 + filtered: True (12) + +3.1.0.0/16, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.61 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +3.2.1.0/24, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.61 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.3.0.0/16, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.61 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 
999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +4.0.1.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +4.0.2.0/24, AS_PATH: 4 3, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +4.0.3.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.1.0.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +4.2.1.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +4.2.2.0/24, AS_PATH: 4 3, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +4.2.3.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.3.1.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.4.0.0/16, AS_PATH: 4 44, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.4.1.0/24, AS_PATH: 4 44, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64513, 
999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +4.5.1.0/24, AS_PATH: 4 43, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.5.2.0/24, AS_PATH: 4 45, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +4.6.1.0/24, AS_PATH: 4 45, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.0.1.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.51 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (12) + +5.0.2.0/24, AS_PATH: 5 3, NEXT_HOP: 192.0.2.51, via 192.0.2.51 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (12) + +5.0.3.0/24, AS_PATH: 5 51, NEXT_HOP: 192.0.2.51, via 192.0.2.51 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 1 + filtered: True (12) + +5.1.0.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.51 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (12) + +5.2.1.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.51 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.2.0/24, AS_PATH: 5 3, NEXT_HOP: 192.0.2.51, via 192.0.2.51 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.3.0/24, AS_PATH: 5 51, 
NEXT_HOP: 192.0.2.51, via 192.0.2.51 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.3.1.0/24, AS_PATH: 5 51, NEXT_HOP: 192.0.2.51, via 192.0.2.51 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 1 + filtered: True (12) + +6.0.1.0/24, AS_PATH: 6, NEXT_HOP: 192.0.2.61, via 192.0.2.61 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p/AS1.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p/AS1.txt new file mode 100644 index 00000000..49691e25 --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p/AS1.txt 
@@ -0,0 +1,168 @@ +2a02:0:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:5::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:2::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:3::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:3:1::/48, AS_PATH: 2 21, NEXT_HOP: 
2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:5::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:6::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:7::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:1::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:2:1::/48, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:3::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:2:3::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:3:1::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:4::/32, AS_PATH: 4 44, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + 
std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:5:1::/48, AS_PATH: 4 43, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:6:1::/48, AS_PATH: 4 45, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:1::/48, AS_PATH: 5, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:2::/48, AS_PATH: 5 3, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:3::/48, AS_PATH: 5 51, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p/AS2.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p/AS2.txt new file mode 100644 index 00000000..caf2fb62 --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p/AS2.txt 
@@ -0,0 +1,70 @@ +2a03:2:1::/48, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:3::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:2:3::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:3:1::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:4::/32, AS_PATH: 4 44, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:5:1::/48, AS_PATH: 4 43, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:6:1::/48, AS_PATH: 4 45, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:1::/48, AS_PATH: 5, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:2::/48, AS_PATH: 5 3, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 
999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:3::/48, AS_PATH: 5 51, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p/AS4.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p/AS4.txt new file mode 100644 index 00000000..3d1aa72a --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p/AS4.txt 
@@ -0,0 +1,126 @@ +2a02:0:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:5::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:2::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:3::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:3:1::/48, AS_PATH: 2 21, NEXT_HOP: 
2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:5::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:6::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:7::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:2:1::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:2:1::/48, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:1::/48, AS_PATH: 5, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:2::/48, AS_PATH: 5 3, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:3::/48, AS_PATH: 5 51, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + 
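Review bot: in this AS4.txt fixture, 2a03:2:1::/48 is listed twice, and the first entry (AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, best: False, without 999:64517) looks like it belongs to 2a03:0:1::/48. The AS1.txt and AS6.txt fixtures in this same patch record the "2 3" path under 2a03:0:1::/48, and that prefix is absent from this file. Please confirm that AS4 really receives a second, non-best path for 2a03:2:1::/48 from the route server. If that is intended, a short comment in the scenario's test explaining why AS4 sees two paths would help; if not, regenerate the fixture. The AS5.txt hunk that follows contains the same pair of entries and should be checked the same way.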
diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p/AS5.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p/AS5.txt new file mode 100644 index 00000000..e09d4eda --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p/AS5.txt 
@@ -0,0 +1,147 @@ +2a02:0:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:5::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:2::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:3::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:3:1::/48, AS_PATH: 2 21, NEXT_HOP: 
2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:5::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:6::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:7::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:2:1::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:2:1::/48, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:3::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:2:3::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:3:1::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:4::/32, AS_PATH: 4 44, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + 
std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:5:1::/48, AS_PATH: 4 43, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:6:1::/48, AS_PATH: 4 45, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p/AS6.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p/AS6.txt new file mode 100644 index 00000000..186e7a62 --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p/AS6.txt 
@@ -0,0 +1,161 @@ +2a02:0:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:5::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:2::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:3::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:3:1::/48, AS_PATH: 2 21, NEXT_HOP: 
2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:5::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:6::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:7::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:1::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:3::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:2:3::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:3:1::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:4::/32, AS_PATH: 4 44, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:5:1::/48, AS_PATH: 4 43, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + 
std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:6:1::/48, AS_PATH: 4 45, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:1::/48, AS_PATH: 5, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:2::/48, AS_PATH: 5 3, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:3::/48, AS_PATH: 5 51, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p/rs.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p/rs.txt new file mode 100644 index 00000000..cd89e49a --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_EmptyAS_SETs_OpenBGPDIPv6/openbgpd75p/rs.txt 
@@ -0,0 +1,294 @@ +2a02:0:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:5::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:2::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:3::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:3:1::/48, AS_PATH: 2 21, 
NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:4::/32, AS_PATH: 6 2, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::61 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +2a02:5::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:6::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:7::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:1::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:1::/48, AS_PATH: 4 3, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: False, LOCAL_PREF: 1 + filtered: True (9) + +2a03:0:1::/48, AS_PATH: 5 3, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::51 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: False, LOCAL_PREF: 1 + filtered: True (12) + +2a03:1::/32, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::61 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +2a03:2:1::/48, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::61 + std comms: 
999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:3::/32, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::61 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +2a04:0:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +2a04:0:2::/48, AS_PATH: 4 3, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +2a04:0:3::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +2a04:2:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +2a04:2:2::/48, AS_PATH: 4 3, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +2a04:2:3::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:3:1::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64513, 999:64514 + ext comms: + lrg 
comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:4:1::/48, AS_PATH: 4 44, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +2a04:4::/32, AS_PATH: 4 44, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:5:1::/48, AS_PATH: 4 43, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:5:2::/48, AS_PATH: 4 45, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +2a04:6:1::/48, AS_PATH: 4 45, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:0:1::/48, AS_PATH: 5, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::51 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (12) + +2a05:0:2::/48, AS_PATH: 5 3, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::51 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (12) + +2a05:0:3::/48, AS_PATH: 5 51, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::51 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 1 + filtered: True (12) + +2a05:1::/48, AS_PATH: 5, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::51 + std comms: 999:64513, 999:64515 + 
ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (12) + +2a05:2:1::/48, AS_PATH: 5, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::51 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:2::/48, AS_PATH: 5 3, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::51 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:3::/48, AS_PATH: 5 51, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::51 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:3:1::/48, AS_PATH: 5 51, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::51 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 1 + filtered: True (12) + +2a06:0:1::/48, AS_PATH: 6, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::61 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p/AS1.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p/AS1.txt new file mode 100644 index 00000000..37ae5299 --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p/AS1.txt 
@@ -0,0 +1,231 @@ +2.0.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.2.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.4.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.5.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.1.0.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.2.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.3.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.3.1.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 
999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.5.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.6.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.7.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.1.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.1.0.0/16, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.2.1.0/24, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.3.0.0/16, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.1.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.3.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 
999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.1.0.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.2.1.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.2.3.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.3.1.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.4.0.0/16, AS_PATH: 4 44, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.5.1.0/24, AS_PATH: 4 43, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.6.1.0/24, AS_PATH: 4 45, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.0.1.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.0.2.0/24, AS_PATH: 5 3, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.0.3.0/24, AS_PATH: 5 51, NEXT_HOP: 
192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.1.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.2.0/24, AS_PATH: 5 3, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.3.0/24, AS_PATH: 5 51, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +6.0.1.0/24, AS_PATH: 6, NEXT_HOP: 192.0.2.61, via 192.0.2.2 + std comms: 999:64512, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p/AS2.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p/AS2.txt new file mode 100644 index 00000000..fd45026e --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p/AS2.txt 
@@ -0,0 +1,133 @@ +3.1.0.0/16, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.2.1.0/24, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.3.0.0/16, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.1.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.3.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.1.0.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.2.1.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.2.3.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.3.1.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.4.0.0/16, AS_PATH: 4 44, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 
999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.5.1.0/24, AS_PATH: 4 43, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.6.1.0/24, AS_PATH: 4 45, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.0.1.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.0.2.0/24, AS_PATH: 5 3, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.0.3.0/24, AS_PATH: 5 51, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.1.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.2.0/24, AS_PATH: 5 3, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.3.0/24, AS_PATH: 5 51, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +6.0.1.0/24, AS_PATH: 6, NEXT_HOP: 192.0.2.61, via 192.0.2.2 + std comms: 999:64512, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64516, 999:0:64518 
+ best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p/AS4.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p/AS4.txt new file mode 100644 index 00000000..90a0ec35 --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p/AS4.txt 
@@ -0,0 +1,168 @@ +2.0.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.2.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: False, LOCAL_PREF: 100 + filtered: False () + +2.0.4.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.5.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.1.0.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.2.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.3.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 
999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.3.1.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.5.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.6.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.7.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.1.0.0/16, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.2.1.0/24, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.3.0.0/16, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.0.1.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.0.2.0/24, AS_PATH: 5 3, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 
999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.0.3.0/24, AS_PATH: 5 51, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.1.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.2.0/24, AS_PATH: 5 3, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.3.0/24, AS_PATH: 5 51, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +6.0.1.0/24, AS_PATH: 6, NEXT_HOP: 192.0.2.61, via 192.0.2.2 + std comms: 999:64512, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p/AS5.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p/AS5.txt new file mode 100644 index 00000000..8d6a5ff6 --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p/AS5.txt 
@@ -0,0 +1,189 @@ +2.0.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.2.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: False, LOCAL_PREF: 100 + filtered: False () + +2.0.4.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.5.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.1.0.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.2.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.3.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 
999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.3.1.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.5.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.6.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.7.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.1.0.0/16, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.2.1.0/24, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.3.0.0/16, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.1.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.3.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 
999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.1.0.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.2.1.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.2.3.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.3.1.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.4.0.0/16, AS_PATH: 4 44, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.5.1.0/24, AS_PATH: 4 43, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.6.1.0/24, AS_PATH: 4 45, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +6.0.1.0/24, AS_PATH: 6, NEXT_HOP: 192.0.2.61, via 192.0.2.2 + std comms: 999:64512, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + 
diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p/AS6.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p/AS6.txt new file mode 100644 index 00000000..64d1581a --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p/AS6.txt 
@@ -0,0 +1,203 @@ +2.0.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.2.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.4.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.5.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.1.0.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.2.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.3.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.3.1.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 
999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.5.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.6.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.7.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.1.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.1.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.3.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.1.0.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.2.1.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.2.3.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.3.1.0/24, AS_PATH: 4 
41, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.4.0.0/16, AS_PATH: 4 44, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.5.1.0/24, AS_PATH: 4 43, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.6.1.0/24, AS_PATH: 4 45, NEXT_HOP: 192.0.2.41, via 192.0.2.2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.0.1.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.0.2.0/24, AS_PATH: 5 3, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.0.3.0/24, AS_PATH: 5 51, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.1.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.2.0/24, AS_PATH: 5 3, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.3.0/24, AS_PATH: 5 51, NEXT_HOP: 192.0.2.51, via 192.0.2.2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 
999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p/rs.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p/rs.txt new file mode 100644 index 00000000..a776c298 --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv4/openbgpd75p/rs.txt 
@@ -0,0 +1,294 @@ +2.0.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.2.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.3.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.4.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64512, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.0.5.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64512, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.1.0.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.1.0/24, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.2.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.2.3.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.3.1.0/24, AS_PATH: 2 21, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64513, 999:64514 + ext comms: + lrg 
comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.4.0.0/16, AS_PATH: 6 2, NEXT_HOP: 192.0.2.61, via 192.0.2.61 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +2.5.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64513, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.6.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64513, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2.7.0.0/16, AS_PATH: 2, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64513, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.1.0/24, AS_PATH: 2 3, NEXT_HOP: 192.0.2.21, via 192.0.2.21 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.0.1.0/24, AS_PATH: 4 3, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: False, LOCAL_PREF: 1 + filtered: True (9) + +3.0.1.0/24, AS_PATH: 5 3, NEXT_HOP: 192.0.2.51, via 192.0.2.51 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: False, LOCAL_PREF: 1 + filtered: True (12) + +3.1.0.0/16, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.61 + std comms: 999:64513, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +3.2.1.0/24, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.61 + std comms: 999:64513, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64518 + best: True, 
LOCAL_PREF: 100 + filtered: False () + +3.3.0.0/16, AS_PATH: 6 3, NEXT_HOP: 192.0.2.61, via 192.0.2.61 + std comms: 999:64513, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.1.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.0.2.0/24, AS_PATH: 4 3, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +4.0.3.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.1.0.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.2.1.0/24, AS_PATH: 4, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.2.2.0/24, AS_PATH: 4 3, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +4.2.3.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.3.1.0/24, AS_PATH: 4 41, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.4.0.0/16, AS_PATH: 4 44, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64513, 999:64515, 
999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.4.1.0/24, AS_PATH: 4 44, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +4.5.1.0/24, AS_PATH: 4 43, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +4.5.2.0/24, AS_PATH: 4 45, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +4.6.1.0/24, AS_PATH: 4 45, NEXT_HOP: 192.0.2.41, via 192.0.2.41 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.0.1.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.51 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.0.2.0/24, AS_PATH: 5 3, NEXT_HOP: 192.0.2.51, via 192.0.2.51 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.0.3.0/24, AS_PATH: 5 51, NEXT_HOP: 192.0.2.51, via 192.0.2.51 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.1.0.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.51 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 1 + filtered: True (12) + +5.2.1.0/24, AS_PATH: 5, NEXT_HOP: 192.0.2.51, via 192.0.2.51 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.2.0/24, 
AS_PATH: 5 3, NEXT_HOP: 192.0.2.51, via 192.0.2.51 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.2.3.0/24, AS_PATH: 5 51, NEXT_HOP: 192.0.2.51, via 192.0.2.51 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +5.3.1.0/24, AS_PATH: 5 51, NEXT_HOP: 192.0.2.51, via 192.0.2.51 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 1 + filtered: True (12) + +6.0.1.0/24, AS_PATH: 6, NEXT_HOP: 192.0.2.61, via 192.0.2.61 + std comms: 999:64512, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p/AS1.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p/AS1.txt new file mode 100644 index 00000000..b4c388d5 --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p/AS1.txt 
@@ -0,0 +1,231 @@ +2a02:0:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:5::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:2::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:3::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + 
+2a02:3:1::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:5::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:6::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:7::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:1::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:1::/32, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:2:1::/48, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:3::/32, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 
999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:3::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:2:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:2:3::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:3:1::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:4::/32, AS_PATH: 4 44, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:5:1::/48, AS_PATH: 4 43, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:6:1::/48, AS_PATH: 4 45, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:0:1::/48, AS_PATH: 5, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 
+ std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:0:2::/48, AS_PATH: 5 3, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:0:3::/48, AS_PATH: 5 51, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:1::/48, AS_PATH: 5, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:2::/48, AS_PATH: 5 3, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:3::/48, AS_PATH: 5 51, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a06:0:1::/48, AS_PATH: 6, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p/AS2.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p/AS2.txt new file mode 100644 index 00000000..75c453dd --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p/AS2.txt 
@@ -0,0 +1,133 @@ +2a03:1::/32, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:2:1::/48, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:3::/32, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:3::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:2:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:2:3::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:3:1::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + 
best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:4::/32, AS_PATH: 4 44, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:5:1::/48, AS_PATH: 4 43, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:6:1::/48, AS_PATH: 4 45, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:0:1::/48, AS_PATH: 5, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:0:2::/48, AS_PATH: 5 3, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:0:3::/48, AS_PATH: 5 51, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:1::/48, AS_PATH: 5, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:2::/48, AS_PATH: 5 3, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:3::/48, AS_PATH: 5 51, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 
999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a06:0:1::/48, AS_PATH: 6, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p/AS4.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p/AS4.txt new file mode 100644 index 00000000..d3c83f17 --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p/AS4.txt 
@@ -0,0 +1,168 @@ +2a02:0:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:5::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:2::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:3::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + 
+2a02:3:1::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:5::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:6::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:7::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:1::/32, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:2:1::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:2:1::/48, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:3::/32, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:0:1::/48, AS_PATH: 5, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 
999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:0:2::/48, AS_PATH: 5 3, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:0:3::/48, AS_PATH: 5 51, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:1::/48, AS_PATH: 5, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:2::/48, AS_PATH: 5 3, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:3::/48, AS_PATH: 5 51, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a06:0:1::/48, AS_PATH: 6, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p/AS5.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p/AS5.txt new file mode 100644 index 00000000..7578bd1a --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p/AS5.txt 
@@ -0,0 +1,189 @@ +2a02:0:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:5::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:2::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:3::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + 
+2a02:3:1::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:5::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:6::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:7::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:1::/32, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:2:1::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:2:1::/48, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:3::/32, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 
999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:3::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:2:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:2:3::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:3:1::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:4::/32, AS_PATH: 4 44, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:5:1::/48, AS_PATH: 4 43, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:6:1::/48, AS_PATH: 4 45, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a06:0:1::/48, AS_PATH: 6, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::2 
+ std comms: 999:64512, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p/AS6.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p/AS6.txt new file mode 100644 index 00000000..d185074c --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p/AS6.txt 
@@ -0,0 +1,203 @@ +2a02:0:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:5::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:2::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:3::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + 
+2a02:3:1::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:5::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:6::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:7::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:1::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:3::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:2:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 
+ filtered: False () + +2a04:2:3::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:3:1::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:4::/32, AS_PATH: 4 44, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:5:1::/48, AS_PATH: 4 43, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:6:1::/48, AS_PATH: 4 45, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::2 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:0:1::/48, AS_PATH: 5, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:0:2::/48, AS_PATH: 5 3, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:0:3::/48, AS_PATH: 5 51, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:1::/48, AS_PATH: 5, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, 
LOCAL_PREF: 100 + filtered: False () + +2a05:2:2::/48, AS_PATH: 5 3, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:3::/48, AS_PATH: 5 51, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::2 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p/rs.txt b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p/rs.txt new file mode 100644 index 00000000..17b4fb3e --- /dev/null +++ b/tests/live_tests/scenarios/tag_as_set/routes/TagASSetScenario_WithAS_SETs_OpenBGPDIPv6/openbgpd75p/rs.txt 
@@ -0,0 +1,294 @@ +2a02:0:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64512, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:5::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64512, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:2::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:2:3::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: 
False () + +2a02:3:1::/48, AS_PATH: 2 21, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:4::/32, AS_PATH: 6 2, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::61 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +2a02:5::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64513, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:6::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64513, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:7::/32, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64513, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:1::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:1::/48, AS_PATH: 4 3, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: False, LOCAL_PREF: 1 + filtered: True (9) + +2a03:0:1::/48, AS_PATH: 5 3, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::51 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: False, LOCAL_PREF: 1 + filtered: True (12) + +2a03:1::/32, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::61 + std comms: 999:64513, 999:64514, 999:64516 + ext comms: + lrg comms: 999:0:64513, 
999:0:64514, 999:0:64516 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:2:1::/48, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::61 + std comms: 999:64513, 999:64514, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:3::/32, AS_PATH: 6 3, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::61 + std comms: 999:64513, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64513, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:0:2::/48, AS_PATH: 4 3, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +2a04:0:3::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:2:1::/48, AS_PATH: 4, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:2:2::/48, AS_PATH: 4 3, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +2a04:2:3::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64512, 999:64514 + ext comms: 
+ lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:3:1::/48, AS_PATH: 4 41, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:4:1::/48, AS_PATH: 4 44, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +2a04:4::/32, AS_PATH: 4 44, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:5:1::/48, AS_PATH: 4 43, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a04:5:2::/48, AS_PATH: 4 45, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64513, 999:64515 + ext comms: + lrg comms: 999:0:64513, 999:0:64515 + best: True, LOCAL_PREF: 1 + filtered: True (9) + +2a04:6:1::/48, AS_PATH: 4 45, NEXT_HOP: 2001:db8:1:1::41, via 2001:db8:1:1::41 + std comms: 999:64513, 999:64515, 999:64517 + ext comms: + lrg comms: 999:0:64513, 999:0:64515, 999:0:64517 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:0:1::/48, AS_PATH: 5, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::51 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:0:2::/48, AS_PATH: 5 3, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::51 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:0:3::/48, AS_PATH: 5 51, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::51 + std comms: 
999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:1::/48, AS_PATH: 5, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::51 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 1 + filtered: True (12) + +2a05:2:1::/48, AS_PATH: 5, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::51 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:2::/48, AS_PATH: 5 3, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::51 + std comms: 999:64512, 999:64515 + ext comms: + lrg comms: 999:0:64512, 999:0:64515 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:2:3::/48, AS_PATH: 5 51, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::51 + std comms: 999:64512, 999:64514 + ext comms: + lrg comms: 999:0:64512, 999:0:64514 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a05:3:1::/48, AS_PATH: 5 51, NEXT_HOP: 2001:db8:1:1::51, via 2001:db8:1:1::51 + std comms: 999:64513, 999:64514 + ext comms: + lrg comms: 999:0:64513, 999:0:64514 + best: True, LOCAL_PREF: 1 + filtered: True (12) + +2a06:0:1::/48, AS_PATH: 6, NEXT_HOP: 2001:db8:1:1::61, via 2001:db8:1:1::61 + std comms: 999:64512, 999:64514, 999:64516, 999:64518 + ext comms: + lrg comms: 999:0:64512, 999:0:64514, 999:0:64516, 999:0:64518 + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_reject_policy/configs/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p.conf b/tests/live_tests/scenarios/tag_reject_policy/configs/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p.conf new file mode 100644 index 00000000..c89ff319 --- /dev/null +++ b/tests/live_tests/scenarios/tag_reject_policy/configs/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p.conf 
@@ -0,0 +1,7616 @@ +# built by ARouteServer +AS 999 +router-id 192.0.2.2 + +fib-update no +log updates + +nexthop qualify via default + +rde evaluate all + +INTCOMM_PREF_OK_ROA="soo 65535:1" +INTCOMM_ROUTE_OK_WL="soo 65535:2" +INTCOMM_PREF_OK_ARINDB="soo 65535:3" +INTCOMM_PREF_OK_REGISTROBRDB="soo 65535:12" + +INTCOMM_ORIGIN_OK="soo 65535:4" +INTCOMM_ORIGIN_KO="soo 65535:5" +INTCOMM_PREFIX_OK="soo 65535:6" +INTCOMM_PREFIX_KO="soo 65535:7" +INTCOMM_IRR_REJECT="soo 65535:8" + +INTCOMM_RPKI_UNKNOWN="soo 65535:9" +INTCOMM_RPKI_INVALID="soo 65535:10" +INTCOMM_RPKI_VALID="soo 65535:11" + +INTCOMM_PROCESS_PREPEND_COMMS="soo 65535:13" + +INTCOMM_NO_EXPORT="soo 65535:65281" +INTCOMM_NO_ADVERTISE="soo 65535:65282" + +# --------------------------------------------------------- +# IRRDB + +# AS222, used by client AS222_1, client AS222_2 +# no origin ASNs found for AS222 +# no prefixes found for AS222 + +# AS2, used by client AS2_1, client AS2_2 +# no origin ASNs found for AS2 +# no prefixes found for AS2 + +# AS-AS1, AS-AS1_CUSTOMERS, used by client AS1_1, client AS1_2, client AS1_3, client AS1_4 +as-set "AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns" { + 1 101 +} +prefix-set "AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes" { + 2a01::/32 prefixlen 32 - 128 + 2a99::/16 prefixlen 16 - 128 + 3101::/32 prefixlen 32 - 128 +} + +# AS-AS2, AS-AS2_CUSTOMERS, used by client AS2_1, client AS2_2 +as-set "AS_SET_AS_AS2_AS_AS2_CUSTOMERS_asns" { + 2 101 +} +prefix-set "AS_SET_AS_AS2_AS_AS2_CUSTOMERS_prefixes" { + 2a02::/32 prefixlen 32 - 128 + 3101::/32 prefixlen 32 - 128 +} + +# WHITE_LIST_AS1_2, used by client AS1_2 white list +as-set "AS_SET_WHITE_LIST_AS1_2_asns" { + 1011 +} +prefix-set "AS_SET_WHITE_LIST_AS1_2_prefixes" { + 11.1.0.0/16 prefixlen 16 - 32 + 2a11:1::/32 prefixlen 32 - 128 +} + +# AS-AS222, used by client AS222_1, client AS222_2 +# no origin ASNs found for AS_AS222 +# no prefixes found for AS_AS222 + +# AS1, used by client AS1_1, client AS1_2, client AS1_3, client AS1_4 +# no origin ASNs 
found for AS1 +# no prefixes found for AS1 + +# WHITE_LIST_AS1_1, used by client AS1_1 white list +as-set "AS_SET_WHITE_LIST_AS1_1_asns" { + 1011 +} +prefix-set "AS_SET_WHITE_LIST_AS1_1_prefixes" { + 11.1.0.0/16 prefixlen 16 - 32 + 2a11:1::/32 prefixlen 32 - 128 +} + + + + +# --------------------------------------------------------- +# MEMBERS + +group "clients" { + + neighbor 192.0.2.11 { + remote-as 1 + + rde evaluate all + + descr "AS1_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::11 { + remote-as 1 + + rde evaluate all + + descr "AS1_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.12 { + remote-as 1 + + rde evaluate all + + descr "AS1_2 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::12 { + remote-as 1 + + rde evaluate all + + descr "AS1_2 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.222 { + remote-as 222 + + rde evaluate all + + descr "AS222_1 client" + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::222 { + remote-as 222 + + rde evaluate all + + descr "AS222_1 client" + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.21 { + remote-as 2 + + rde evaluate 
all + + descr "AS2_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::21 { + remote-as 2 + + rde evaluate all + + descr "AS2_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } + + neighbor 192.0.2.31 { + remote-as 3 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. + rde evaluate default + + descr "AS3_1 client" + ttl-security no + transparent-as no + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::31 { + remote-as 3 + + # This is needed to avoid the bgpd error + # "neighbors with add-path send cannot use 'rde evaluate all'" + # It overrides the global 'rde evaluate all' setting for + # the neighbors for which ADD-PATH is configured. 
+ rde evaluate default + + descr "AS3_1 client" + ttl-security no + transparent-as no + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + announce add-path send best plus 5 + + set nexthop no-modify + } + + neighbor 192.0.2.41 { + remote-as 4 + + rde evaluate all + + descr "AS4_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 none + announce IPv4 unicast + + set nexthop no-modify + } + + neighbor 2001:db8:1:1::41 { + remote-as 4 + + rde evaluate all + + descr "AS4_1 client" + passive + ttl-security no + transparent-as yes + enforce neighbor-as no + + announce as-4byte yes + announce IPv6 unicast + announce IPv4 none + + set nexthop no-modify + } +} + +include "/etc/bgpd/post-clients.local" + + + +# --------------------------------------------------------- +# FILTERS + +# NO_ADVERTISE usage notes. +# The NO_ADVERTISE well-know community is used here to handle +# filters that span over multiple steps. At first it is added +# to any route, then it is removed as filters conditions are +# satisfied. Finally, if it is still present, it means that +# the route should be discarded. 
+ + + + +prefix-set "global_black_list_pref" { + 192.0.2.0/24 prefixlen 24 - 32 + 2001:db8::/32 prefixlen 32 - 128 + +} + +prefix-set "bogons" { + 0.0.0.0/0 + 0.0.0.0/8 prefixlen 8 - 32 + 10.0.0.0/8 prefixlen 8 - 32 + 127.0.0.0/8 prefixlen 8 - 32 + 169.254.0.0/16 prefixlen 16 - 32 + 172.16.0.0/12 prefixlen 12 - 32 + 192.0.2.0/24 prefixlen 24 - 32 + 192.88.99.0/24 prefixlen 24 - 32 + 192.168.0.0/16 prefixlen 16 - 32 + 198.18.0.0/15 prefixlen 15 - 32 + 198.51.100.0/24 prefixlen 24 - 32 + 203.0.113.0/24 prefixlen 24 - 32 + 224.0.0.0/3 prefixlen 3 - 32 + 100.64.0.0/10 prefixlen 10 - 32 + ::/0 + ::/8 prefixlen 8 - 128 + 64:ff9b::/96 prefixlen 96 - 128 + 100::/8 prefixlen 8 - 128 + 200::/7 prefixlen 7 - 128 + 400::/6 prefixlen 6 - 128 + 800::/5 prefixlen 5 - 128 + 1000::/4 prefixlen 4 - 128 + 2001::/33 prefixlen 33 - 128 + 2001:0:8000::/33 prefixlen 33 - 128 + 2001:2::/48 prefixlen 48 - 128 + 2001:3::/32 prefixlen 32 - 128 + 2001:10::/28 prefixlen 28 - 128 + 2001:20::/28 prefixlen 28 - 128 + 2001:db8::/32 prefixlen 32 - 128 + 2002::/16 prefixlen 16 - 128 + 3ffe::/16 prefixlen 16 - 128 + 4000::/3 prefixlen 3 - 128 + 5f00::/8 prefixlen 8 - 128 + 6000::/3 prefixlen 3 - 128 + 8000::/3 prefixlen 3 - 128 + a000::/3 prefixlen 3 - 128 + c000::/3 prefixlen 3 - 128 + e000::/4 prefixlen 4 - 128 + f000::/5 prefixlen 5 - 128 + f800::/6 prefixlen 6 - 128 + fc00::/7 prefixlen 7 - 128 + fe80::/10 prefixlen 10 - 128 + fec0::/10 prefixlen 10 - 128 + ff00::/8 prefixlen 8 - 128 + +} + +# never via route-servers ASNs +as-set "neverviarouteserver" { + 666, 777 +} + +# ===================================================================================== +# Global rules. + +# This part of configuration is processed at the beginning of the filters. +# The rules defined in this part are applied to all the clients, and not on a +# client-by-client basis (see the 'match from group clients'), so only global policies +# can be implemented here, that is no client-level configuration are allowed. 
+ + + +# Scrub communities from inbound routes +# origin_not_present_in_as_set +match from group clients set community delete 65530:0 +match from group clients set large-community delete 999:65530:0 + +# origin_present_in_as_set +match from group clients set community delete 65530:1 +match from group clients set large-community delete 999:65530:1 + +# prefix_validated_via_arin_whois_db_dump +match from group clients set community delete 65530:3 +match from group clients set large-community delete 999:65530:3 + +# prefix_validated_via_rpki_roas +match from group clients set community delete 65530:2 +match from group clients set large-community delete 999:65530:2 + +# reject_cause +match from group clients set community delete 65520:* + +# reject_cause_map_6 +match from group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match from group clients set ext-community delete rt 65520:* + +# rpki_bgp_origin_validation_not_performed +match from group clients set community delete 65530:4 +match from group clients set large-community delete 999:65530:4 + + +# Scrub internal communities from inbound routes +match from group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +# The main goal of this block is to enrich routes received from clients by attaching to them +# internal informational communities which 
are used later by the rest of the filter rules. + +# Internal communities used for RFC1997 well-known communities handling + +# Transform NO_EXPORT into $INTCOMM_NO_EXPORT +match from group clients community NO_EXPORT set { ext-community $INTCOMM_NO_EXPORT community delete NO_EXPORT } + +# Transform NO_ADVERTISE into $INTCOMM_NO_ADVERTISE +match from group clients community NO_ADVERTISE set { ext-community $INTCOMM_NO_ADVERTISE community delete NO_ADVERTISE } + + +# --------------------------------------------------------- +# ROAs source + + +roa-set { + 101.3.0.0/16 maxlen 24 source-as 105 expires 4102444799 + 101.2.0.0/17 source-as 101 expires 4102444799 + 101.2.128.0/17 maxlen 24 source-as 101 expires 4102444799 + 101.0.128.0/20 maxlen 23 source-as 101 expires 4102444799 + 101.0.8.0/24 source-as 101 expires 4102444799 + 101.0.9.0/24 source-as 102 expires 4102444799 + 222.1.1.0/24 source-as 333 expires 4102444799 + 3101:3::/32 maxlen 48 source-as 105 expires 4102444799 + 3101:0:8000::/33 maxlen 34 source-as 101 expires 4102444799 + 3101:2:8000::/33 maxlen 48 source-as 101 expires 4102444799 + 3101:2::/33 source-as 101 expires 4102444799 + 3101:0:8::/48 source-as 101 expires 4102444799 + 3101:0:9::/48 source-as 102 expires 4102444799 + 3222:0:1::/48 source-as 333 expires 4102444799 + +} + + + +# --------------------------------------------------------- +# RPKI-based Origin Validation + + +# Add $INTCOMM_RPKI_UNKNOWN, $INTCOMM_RPKI_INVALID and $INTCOMM_RPKI_VALID +# ext community on the basis of ovs. +match from group clients ovs not-found set { + ext-community $INTCOMM_RPKI_UNKNOWN + ext-community ovs not-found + +} +match from group clients ovs valid set { + ext-community $INTCOMM_RPKI_VALID + ext-community ovs valid + +} +match from group clients ovs invalid set { + ext-community $INTCOMM_RPKI_INVALID + ext-community ovs invalid + +} + + + +# --------------------------------------------------------- +# RPKI ROAs used as route objects. 
+ +# Add the $INTCOMM_PREF_OK_ROA ext community to routes whose +# origin ASN has a ROA for the announced prefix. +# It will be used later during IRRDB validation in +# case the origin ASN is authorized by a client's +# AS-SET but the prefix is not. + +# Since RPKI-based Origin Validation is already performed above, +# use the origin validation state to identify valid routes. +match from group clients ovs valid set ext-community $INTCOMM_PREF_OK_ROA + + + + + + +# Set the 'rejected_route_announced_by' community for all the clients. +# It will be removed later if the route is not invalid +match from 192.0.2.11 set ext-community rt 65520:1 + +match from 2001:db8:1:1::11 set ext-community rt 65520:1 + +match from 192.0.2.12 set ext-community rt 65520:1 + +match from 2001:db8:1:1::12 set ext-community rt 65520:1 + +match from 192.0.2.222 set ext-community rt 65520:222 + +match from 2001:db8:1:1::222 set ext-community rt 65520:222 + +match from 192.0.2.21 set ext-community rt 65520:2 + +match from 2001:db8:1:1::21 set ext-community rt 65520:2 + +match from 192.0.2.31 set ext-community rt 65520:3 + +match from 2001:db8:1:1::31 set ext-community rt 65520:3 + +match from 192.0.2.41 set ext-community rt 65520:4 + +match from 2001:db8:1:1::41 set ext-community rt 65520:4 + + + + +# AS_PATH: length +# Reject inbound routes when 'from group clients max-as-len 6' - reject code: 1 +allow quick from group clients max-as-len 6 set { + localpref 1 + community 65520:0 + community 65520:1 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: global blacklist +# Reject inbound routes when 'from group clients prefix-set global_black_list_pref' - reject code: 3 +allow quick from group clients prefix-set global_black_list_pref set { + localpref 1 + community 65520:0 + community 65520:3 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: only IPv6 Global Unicast space allowed +match from group clients inet6 set community NO_ADVERTISE +match from group clients prefix 2000::/3 or-longer set community delete NO_ADVERTISE +# Reject inbound routes when 'from group clients community NO_ADVERTISE' - reject code: 10 +allow quick from group clients community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:10 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete 
$INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: bogon +# Reject inbound routes when 'from group clients prefix-set bogons' - reject code: 2 +allow quick from group clients prefix-set bogons set { + localpref 1 + community 65520:0 + community 65520:2 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# ===================================================================================== +# Per client rules. 
+ + +# --------------------------------------------- +# client AS1_1, inbound + + + +# NEXT_HOP +match from 192.0.2.11 set community NO_ADVERTISE +match from 192.0.2.11 nexthop 192.0.2.11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.11 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.11 AS 23456' - reject code: 7 +allow quick from 192.0.2.11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.11 AS 4200000000 
- 4294967295' - reject code: 7 +allow quick from 192.0.2.11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.11 AS { 3, 174 }' - reject code: 8 +allow quick from 192.0.2.11 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.11 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.11 AS as-set neverviarouteserver set { + 
localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 192.0.2.11 prefix 11.3.0.0/16 source-as 1011 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.11 prefix 11.4.0.0/16 prefixlen 16 - 32 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.11 prefix 2a11:3::/32 source-as 1011 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.11 prefix 2a11:4::/32 prefixlen 32 - 128 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 192.0.2.11 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_1, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.11 source-as as-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS1_AS_AS1_CUSTOMERS +# AS-SET AS1 referenced but empty. +match from 192.0.2.11 source-as as-set AS_SET_WHITE_LIST_AS1_1_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS1_1 + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_1, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.11 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.11 prefix-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS1_AS_AS1_CUSTOMERS +# AS-SET AS1 referenced but empty. 
+match from 192.0.2.11 prefix-set AS_SET_WHITE_LIST_AS1_1_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS1_1 + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + +# route authorized by a client's white list? +match from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete 
NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? +match from 192.0.2.11 set ext-community delete rt 65520:1 + + +# Remove internal communities before accepting the route +match from 192.0.2.11 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.11 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete 
$INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.11 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.11 community BLACKHOLE set community 65530:4 +match from 192.0.2.11 community BLACKHOLE set large-community 999:65530:4 + +match from 192.0.2.11 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.11 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.11 community BLACKHOLE +allow quick from 192.0.2.11 community 65534:0 +allow quick from 192.0.2.11 large-community 65534:0:0 + + +match from 192.0.2.11 set ext-community rt 65520:1 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + 
ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.11 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.11 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 192.0.2.11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.11 set ext-community delete rt 65520:1 + + + +allow quick from 192.0.2.11 + + + +# --------------------------------------------- +# client AS1_1, outbound + +deny quick to 192.0.2.11 community 65520:0 + + + +# Blackhole request? +# Configured policy: rewrite-next-hop +match to 192.0.2.11 community 65534:0 set community BLACKHOLE +match to 192.0.2.11 large-community 65534:0:0 set community BLACKHOLE + +match to 192.0.2.11 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.11 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.11 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.11 community 65507:999 set community NO_EXPORT +match to 192.0.2.11 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.11 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.11 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.11 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.11 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.11 community 65509:1 set community NO_EXPORT +match to 192.0.2.11 ext-community rt 65509:1 set community NO_EXPORT +match to 192.0.2.11 large-community 999:65509:1 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.11 community 65510:1 set community NO_ADVERTISE +match to 192.0.2.11 ext-community rt 65510:1 set community NO_ADVERTISE +match to 192.0.2.11 large-community 999:65510:1 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.11 + +# do_not_announce_to_any +deny to 192.0.2.11 community 0:999 +deny to 192.0.2.11 ext-community rt 0:999 +deny to 192.0.2.11 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick 
to 192.0.2.11 community 0:1 +deny quick to 192.0.2.11 ext-community rt 0:1 +deny quick to 192.0.2.11 large-community 999:0:1 + +# announce_to_peer +allow to 192.0.2.11 community 65501:1 +allow to 192.0.2.11 ext-community rt 65501:1 +allow to 192.0.2.11 large-community 999:65501:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 
ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS1_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::11 set community NO_ADVERTISE +match from 2001:db8:1:1::11 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::11 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::11 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 peer-as != 1' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::11 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + 
ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete 
$INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::11 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::11 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS { 3, 174 }' - reject code: 8 +allow quick from 2001:db8:1:1::11 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete 
$INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 2001:db8:1:1::11 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 2001:db8:1:1::11 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 2001:db8:1:1::11 prefix 11.3.0.0/16 source-as 1011 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::11 prefix 11.4.0.0/16 prefixlen 16 - 32 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::11 prefix 2a11:3::/32 source-as 1011 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::11 prefix 2a11:4::/32 prefixlen 32 - 128 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 2001:db8:1:1::11 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_2, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::11 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::11 source-as as-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS1_AS_AS1_CUSTOMERS +match from 2001:db8:1:1::11 source-as as-set AS_SET_WHITE_LIST_AS1_2_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # WHITE_LIST_AS1_2 +# AS-SET AS1 referenced but empty. + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_2, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::11 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::11 prefix-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS1_AS_AS1_CUSTOMERS +match from 2001:db8:1:1::11 prefix-set AS_SET_WHITE_LIST_AS1_2_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # WHITE_LIST_AS1_2 +# AS-SET AS1 referenced but empty. 
+ + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::11 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + +# route authorized by a client's white list? +match from 2001:db8:1:1::11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db8:1:1::11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::11 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete 
$INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? +match from 2001:db8:1:1::11 set ext-community delete rt 65520:1 + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::11 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::11 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 2001:db8:1:1::11 community BLACKHOLE set community 65530:4 +match from 2001:db8:1:1::11 community BLACKHOLE set large-community 999:65530:4 + +match from 2001:db8:1:1::11 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 2001:db8:1:1::11 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 2001:db8:1:1::11 community BLACKHOLE +allow quick from 2001:db8:1:1::11 community 65534:0 +allow quick from 2001:db8:1:1::11 large-community 65534:0:0 + + +match from 2001:db8:1:1::11 set ext-community rt 65520:1 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 2001:db8:1:1::11 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 2001:db8:1:1::11 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete 
$INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::11 prefix ::/0 prefixlen 17 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::11 prefix ::/0 prefixlen 17 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 2001:db8:1:1::11 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::11 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community 
delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::11 set ext-community delete rt 65520:1 + + + +allow quick from 2001:db8:1:1::11 + + + +# --------------------------------------------- +# client AS1_2, outbound + +deny quick to 2001:db8:1:1::11 community 65520:0 + + + +# Blackhole request? +# Configured policy: rewrite-next-hop +match to 2001:db8:1:1::11 community 65534:0 set community BLACKHOLE +match to 2001:db8:1:1::11 large-community 65534:0:0 set community BLACKHOLE + +match to 2001:db8:1:1::11 community BLACKHOLE set community NO_EXPORT +match to 2001:db8:1:1::11 community BLACKHOLE set nexthop 2001:db8:1:1::66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::11 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 2001:db8:1:1::11 community 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::11 ext-community rt 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::11 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 2001:db8:1:1::11 community 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::11 ext-community rt 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::11 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 2001:db8:1:1::11 community 65509:1 set community NO_EXPORT +match to 2001:db8:1:1::11 ext-community rt 65509:1 set community NO_EXPORT +match to 2001:db8:1:1::11 large-community 999:65509:1 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 2001:db8:1:1::11 community 65510:1 set community NO_ADVERTISE +match to 2001:db8:1:1::11 ext-community rt 65510:1 set community NO_ADVERTISE +match to 2001:db8:1:1::11 large-community 999:65510:1 set community NO_ADVERTISE + + +# BGP control communities +allow to 2001:db8:1:1::11 + +# do_not_announce_to_any +deny to 2001:db8:1:1::11 community 0:999 +deny 
to 2001:db8:1:1::11 ext-community rt 0:999 +deny to 2001:db8:1:1::11 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::11 community 0:1 +deny quick to 2001:db8:1:1::11 ext-community rt 0:1 +deny quick to 2001:db8:1:1::11 large-community 999:0:1 + +# announce_to_peer +allow to 2001:db8:1:1::11 community 65501:1 +allow to 2001:db8:1:1::11 ext-community rt 65501:1 +allow to 2001:db8:1:1::11 large-community 999:65501:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::11 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:1 set { + 
prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::11 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS1_3, inbound + + + +# NEXT_HOP +match from 192.0.2.12 set community NO_ADVERTISE +match from 192.0.2.12 nexthop 192.0.2.11 set community delete NO_ADVERTISE +match from 192.0.2.12 nexthop 192.0.2.12 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.12 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.12 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.12 peer-as != 1' - reject 
code: 6 +# community from reject_cause_map +allow quick from 192.0.2.12 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.12 AS 23456' - reject code: 7 +allow quick from 192.0.2.12 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.12 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.12 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community 
delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.12 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.12 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.12 AS { 3, 174 }' - reject code: 8 +allow quick from 192.0.2.12 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete 
$INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.12 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.12 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +match from 192.0.2.12 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_3, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.12 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.12 source-as as-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns set { + ext-community delete 
$INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS1_AS_AS1_CUSTOMERS +# AS-SET AS1 referenced but empty. + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_3, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.12 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 192.0.2.12 prefix-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS1_AS_AS1_CUSTOMERS +# AS-SET AS1 referenced but empty. + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.12 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes 
when 'from 192.0.2.12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? +match from 192.0.2.12 set ext-community delete rt 65520:1 + + +# Remove internal communities before accepting the route +match from 192.0.2.12 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.12 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + 
ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.12 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.12 community BLACKHOLE set community 65530:4 +match from 192.0.2.12 community BLACKHOLE set large-community 999:65530:4 + +match from 192.0.2.12 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.12 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.12 community BLACKHOLE +allow quick from 192.0.2.12 community 65534:0 +allow quick from 192.0.2.12 large-community 65534:0:0 + + +match from 192.0.2.12 set ext-community rt 65520:1 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.12 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.12 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete 
$INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.12 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.12 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.12 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 192.0.2.12 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community 
delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.12 set ext-community delete rt 65520:1 + + + +allow quick from 192.0.2.12 + + + +# --------------------------------------------- +# client AS1_3, outbound + +deny quick to 192.0.2.12 community 65520:0 + + + +# Blackhole request? +# Client not enabled to receive blackhole routes +deny quick to 192.0.2.12 community BLACKHOLE +deny quick to 192.0.2.12 community 65534:0 +deny quick to 192.0.2.12 large-community 65534:0:0 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.12 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.12 community 65507:999 set community NO_EXPORT +match to 192.0.2.12 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.12 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.12 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.12 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.12 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.12 community 65509:1 set community NO_EXPORT +match to 192.0.2.12 ext-community rt 65509:1 set community NO_EXPORT +match to 192.0.2.12 large-community 999:65509:1 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.12 community 65510:1 set community NO_ADVERTISE +match to 192.0.2.12 ext-community rt 65510:1 set community NO_ADVERTISE +match to 192.0.2.12 large-community 999:65510:1 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.12 + +# 
do_not_announce_to_any +deny to 192.0.2.12 community 0:999 +deny to 192.0.2.12 ext-community rt 0:999 +deny to 192.0.2.12 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.12 community 0:1 +deny quick to 192.0.2.12 ext-community rt 0:1 +deny quick to 192.0.2.12 large-community 999:0:1 + +# announce_to_peer +allow to 192.0.2.12 community 65501:1 +allow to 192.0.2.12 ext-community rt 65501:1 +allow to 192.0.2.12 large-community 999:65501:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.12 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:1 set { + prepend-neighbor 2 + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove 
INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS1_4, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::12 set community NO_ADVERTISE +match from 2001:db8:1:1::12 nexthop 2001:db8:1:1::11 set community delete NO_ADVERTISE +match from 2001:db8:1:1::12 nexthop 2001:db8:1:1::12 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::12 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::12 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::12 peer-as != 1' - reject code: 6 +# community from 
reject_cause_map +allow quick from 2001:db8:1:1::12 peer-as != 1 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::12 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::12 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::12 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::12 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + 
community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::12 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::12 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 2001:db8:1:1::12 AS { 3, 174 }' - reject code: 8 +allow quick from 2001:db8:1:1::12 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + 
ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 2001:db8:1:1::12 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 2001:db8:1:1::12 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +match from 2001:db8:1:1::12 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS1_4, AS1: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::12 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::12 source-as as-set 
AS_SET_AS_AS1_AS_AS1_CUSTOMERS_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS1_AS_AS1_CUSTOMERS +# AS-SET AS1 referenced but empty. + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS1_4, AS1: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::12 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +match from 2001:db8:1:1::12 prefix-set AS_SET_AS_AS1_AS_AS1_CUSTOMERS_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS1_AS_AS1_CUSTOMERS +# AS-SET AS1 referenced but empty. + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::12 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community 
delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db8:1:1::12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::12 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? 
+match from 2001:db8:1:1::12 set ext-community delete rt 65520:1 + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::12 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::12 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::12 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 2001:db8:1:1::12 community BLACKHOLE set community 65530:4 +match from 2001:db8:1:1::12 community BLACKHOLE set large-community 999:65530:4 + +match from 2001:db8:1:1::12 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 2001:db8:1:1::12 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 2001:db8:1:1::12 community BLACKHOLE +allow quick from 2001:db8:1:1::12 community 65534:0 +allow quick from 2001:db8:1:1::12 large-community 65534:0:0 + + +match from 2001:db8:1:1::12 set ext-community rt 65520:1 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 2001:db8:1:1::12 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 2001:db8:1:1::12 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::12 prefix ::/0 prefixlen 17 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::12 prefix ::/0 prefixlen 17 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete 
NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 2001:db8:1:1::12 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::12 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::12 set ext-community delete rt 65520:1 + + + +allow quick from 2001:db8:1:1::12 + + + +# --------------------------------------------- +# client AS1_4, outbound + +deny quick to 2001:db8:1:1::12 community 65520:0 + + + +# Blackhole request? 
+# Client not enabled to receive blackhole routes +deny quick to 2001:db8:1:1::12 community BLACKHOLE +deny quick to 2001:db8:1:1::12 community 65534:0 +deny quick to 2001:db8:1:1::12 large-community 65534:0:0 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::12 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 2001:db8:1:1::12 community 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::12 ext-community rt 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::12 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 2001:db8:1:1::12 community 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::12 ext-community rt 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::12 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 2001:db8:1:1::12 community 65509:1 set community NO_EXPORT +match to 2001:db8:1:1::12 ext-community rt 65509:1 set community NO_EXPORT +match to 2001:db8:1:1::12 large-community 999:65509:1 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 2001:db8:1:1::12 community 65510:1 set community NO_ADVERTISE +match to 2001:db8:1:1::12 ext-community rt 65510:1 set community NO_ADVERTISE +match to 2001:db8:1:1::12 large-community 999:65510:1 set community NO_ADVERTISE + + +# BGP control communities +allow to 2001:db8:1:1::12 + +# do_not_announce_to_any +deny to 2001:db8:1:1::12 community 0:999 +deny to 2001:db8:1:1::12 ext-community rt 0:999 +deny to 2001:db8:1:1::12 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::12 community 0:1 +deny quick to 2001:db8:1:1::12 ext-community rt 0:1 +deny quick to 2001:db8:1:1::12 large-community 999:0:1 + +# announce_to_peer +allow to 2001:db8:1:1::12 community 65501:1 +allow to 2001:db8:1:1::12 ext-community rt 65501:1 +allow to 2001:db8:1:1::12 
large-community 999:65501:1 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::12 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:1 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:1 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS1; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:1 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community 
rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::12 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS222_1, inbound + + + +# NEXT_HOP +match from 192.0.2.222 set community NO_ADVERTISE +match from 192.0.2.222 nexthop 192.0.2.222 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.222 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.222 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.222 peer-as != 222' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.222 peer-as != 222 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete 
$INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.222 AS 23456' - reject code: 7 +allow quick from 192.0.2.222 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.222 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.222 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete 
$INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.222 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.222 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.222 AS { 3, 174 }' - reject code: 8 +allow quick from 192.0.2.222 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.222 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.222 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. +match from 192.0.2.222 prefix 222.1.1.0/24 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 192.0.2.222 prefix 3222:0:1::/48 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 192.0.2.222 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS222_1, AS222: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.222 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS222 referenced but empty. +# AS-SET AS_AS222 referenced but empty. 
+ + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS222_1, AS222: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.222 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS222 referenced but empty. +# AS-SET AS_AS222 referenced but empty. + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.222 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + +# route authorized by a client's white list? +match from 192.0.2.222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.222 ext-community $INTCOMM_IRR_REJECT ext-community 
$INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? +match from 192.0.2.222 set ext-community delete rt 65520:222 + + +# Remove internal communities before accepting the route +match from 192.0.2.222 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.222 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community 
delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.222 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.222 community BLACKHOLE set community 65530:4 +match from 192.0.2.222 community BLACKHOLE set large-community 999:65530:4 + +match from 192.0.2.222 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.222 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.222 community BLACKHOLE +allow quick from 192.0.2.222 community 65534:0 +allow quick from 192.0.2.222 large-community 65534:0:0 + + +match from 192.0.2.222 set ext-community rt 65520:222 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.222 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.222 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL 
+ ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.222 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.222 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.222 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 192.0.2.222 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete 
$INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.222 set ext-community delete rt 65520:222 + + + +allow quick from 192.0.2.222 + + + +# --------------------------------------------- +# client AS222_1, outbound + +deny quick to 192.0.2.222 community 65520:0 + + + +# Blackhole request? +# Configured policy: rewrite-next-hop +match to 192.0.2.222 community 65534:0 set community BLACKHOLE +match to 192.0.2.222 large-community 65534:0:0 set community BLACKHOLE + +match to 192.0.2.222 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.222 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.222 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.222 community 65507:999 set community NO_EXPORT +match to 192.0.2.222 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.222 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.222 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.222 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.222 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.222 community 65509:222 set community NO_EXPORT +match to 192.0.2.222 ext-community rt 65509:222 set community NO_EXPORT +match to 192.0.2.222 large-community 999:65509:222 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.222 community 65510:222 set community NO_ADVERTISE +match to 192.0.2.222 ext-community rt 65510:222 set community NO_ADVERTISE +match to 192.0.2.222 large-community 999:65510:222 
set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.222 + +# do_not_announce_to_any +deny to 192.0.2.222 community 0:999 +deny to 192.0.2.222 ext-community rt 0:999 +deny to 192.0.2.222 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.222 community 0:222 +deny quick to 192.0.2.222 ext-community rt 0:222 +deny quick to 192.0.2.222 large-community 999:0:222 + +# announce_to_peer +allow to 192.0.2.222 community 65501:222 +allow to 192.0.2.222 ext-community rt 65501:222 +allow to 192.0.2.222 large-community 999:65501:222 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.222 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS222; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:222 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:222 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:222 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS222; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:222 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:222 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} 
+match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:222 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS222; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:222 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:222 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:222 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 
999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS222_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::222 set community NO_ADVERTISE +match from 2001:db8:1:1::222 nexthop 2001:db8:1:1::222 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::222 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::222 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::222 
peer-as != 222' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::222 peer-as != 222 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::222 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::222 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::222 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::222 AS 64496 - 131071 set { + 
localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::222 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::222 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 2001:db8:1:1::222 AS { 3, 174 }' - reject code: 8 +allow quick from 2001:db8:1:1::222 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete 
$INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 2001:db8:1:1::222 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 2001:db8:1:1::222 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# client's white list +# Add the $INTCOMM_ROUTE_OK_WL ext community to routes which +# are validated by a client's white list entry. +# It will be used later during IRRDB validation in +# case the route is not authorized by a client's +# AS-SET. 
+match from 2001:db8:1:1::222 prefix 222.1.1.0/24 set ext-community $INTCOMM_ROUTE_OK_WL # None +match from 2001:db8:1:1::222 prefix 3222:0:1::/48 set ext-community $INTCOMM_ROUTE_OK_WL # None + +match from 2001:db8:1:1::222 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS222_2, AS222: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::222 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS222 referenced but empty. +# AS-SET AS_AS222 referenced but empty. + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS222_2, AS222: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::222 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS222 referenced but empty. +# AS-SET AS_AS222 referenced but empty. + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::222 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + +# route authorized by a client's white list? 
+match from 2001:db8:1:1::222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ROUTE_OK_WL set ext-community delete $INTCOMM_IRR_REJECT + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db8:1:1::222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::222 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + 
ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? +match from 2001:db8:1:1::222 set ext-community delete rt 65520:222 + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::222 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::222 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::222 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete 
$INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 2001:db8:1:1::222 community BLACKHOLE set community 65530:4 +match from 2001:db8:1:1::222 community BLACKHOLE set large-community 999:65530:4 + +match from 2001:db8:1:1::222 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 2001:db8:1:1::222 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 2001:db8:1:1::222 community BLACKHOLE +allow quick from 2001:db8:1:1::222 community 65534:0 +allow quick from 2001:db8:1:1::222 large-community 65534:0:0 + + +match from 2001:db8:1:1::222 set ext-community rt 65520:222 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 2001:db8:1:1::222 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 2001:db8:1:1::222 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + 
+# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::222 prefix ::/0 prefixlen 17 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::222 prefix ::/0 prefixlen 17 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 2001:db8:1:1::222 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::222 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::222 set ext-community delete rt 65520:222 + + + +allow quick from 2001:db8:1:1::222 + + + +# --------------------------------------------- +# client AS222_2, outbound + +deny quick to 2001:db8:1:1::222 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 2001:db8:1:1::222 community 65534:0 set community BLACKHOLE +match to 2001:db8:1:1::222 large-community 65534:0:0 set community BLACKHOLE + +match to 2001:db8:1:1::222 community BLACKHOLE set community NO_EXPORT +match to 2001:db8:1:1::222 community BLACKHOLE set nexthop 2001:db8:1:1::66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::222 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 2001:db8:1:1::222 community 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::222 ext-community rt 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::222 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 2001:db8:1:1::222 community 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::222 ext-community rt 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::222 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 2001:db8:1:1::222 community 65509:222 set community NO_EXPORT +match to 2001:db8:1:1::222 ext-community rt 65509:222 set community NO_EXPORT +match to 2001:db8:1:1::222 large-community 999:65509:222 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 2001:db8:1:1::222 community 65510:222 set community NO_ADVERTISE +match to 2001:db8:1:1::222 ext-community rt 65510:222 set community NO_ADVERTISE +match to 2001:db8:1:1::222 large-community 999:65510:222 set community NO_ADVERTISE + + +# BGP control communities +allow to 2001:db8:1:1::222 + +# do_not_announce_to_any +deny to 2001:db8:1:1::222 community 0:999 +deny to 2001:db8:1:1::222 ext-community rt 0:999 +deny to 2001:db8:1:1::222 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::222 community 0:222 +deny quick to 2001:db8:1:1::222 ext-community rt 0:222 +deny quick to 2001:db8:1:1::222 large-community 
999:0:222 + +# announce_to_peer +allow to 2001:db8:1:1::222 community 65501:222 +allow to 2001:db8:1:1::222 ext-community rt 65501:222 +allow to 2001:db8:1:1::222 large-community 999:65501:222 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::222 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS222; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:222 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:222 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:222 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS222; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:222 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:222 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:222 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS222; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::222 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS community 65523:222 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:222 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:222 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS 
community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::222 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS2_1, inbound + + + +# NEXT_HOP +match from 192.0.2.21 set community NO_ADVERTISE +match from 192.0.2.21 nexthop 192.0.2.21 set community delete NO_ADVERTISE +match from 192.0.2.21 nexthop 192.0.2.22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.21 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + 
ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.21 AS 23456' - reject code: 7 +allow quick from 192.0.2.21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB 
+ ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.21 AS { 3, 174 }' - reject code: 8 +allow quick from 192.0.2.21 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete 
$INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.21 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.21 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +match from 192.0.2.21 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS2_1, AS2: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.21 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. 
+match from 192.0.2.21 source-as as-set AS_SET_AS_AS2_AS_AS2_CUSTOMERS_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS2_AS_AS2_CUSTOMERS + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS2_1, AS2: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 192.0.2.21 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. +match from 192.0.2.21 prefix-set AS_SET_AS_AS2_AS_AS2_CUSTOMERS_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS2_AS_AS2_CUSTOMERS + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 192.0.2.21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + + +# enforcing: origin ASN +# Reject inbound routes when 'from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 192.0.2.21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? 
+match from 192.0.2.21 set ext-community delete rt 65520:2 + + +# Remove internal communities before accepting the route +match from 192.0.2.21 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.21 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.21 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.21 community BLACKHOLE set community 65530:4 +match from 192.0.2.21 community BLACKHOLE set large-community 999:65530:4 + +match from 192.0.2.21 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.21 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.21 community BLACKHOLE +allow quick from 192.0.2.21 community 65534:0 +allow quick from 192.0.2.21 large-community 65534:0:0 + + +match from 192.0.2.21 set ext-community rt 65520:2 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.21 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.21 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.21 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete 
$INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.21 community GRACEFUL_SHUTDOWN set community delete GRACEFUL_SHUTDOWN + +# Remove internal communities before accepting the route +match from 192.0.2.21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.21 set ext-community delete rt 65520:2 + + + +allow quick from 192.0.2.21 + + + +# --------------------------------------------- +# client AS2_1, outbound + +deny quick to 192.0.2.21 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 192.0.2.21 community 65534:0 set community BLACKHOLE +match to 192.0.2.21 large-community 65534:0:0 set community BLACKHOLE + +match to 192.0.2.21 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.21 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.21 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.21 community 65507:999 set community NO_EXPORT +match to 192.0.2.21 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.21 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.21 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.21 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.21 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.21 community 65509:2 set community NO_EXPORT +match to 192.0.2.21 ext-community rt 65509:2 set community NO_EXPORT +match to 192.0.2.21 large-community 999:65509:2 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.21 community 65510:2 set community NO_ADVERTISE +match to 192.0.2.21 ext-community rt 65510:2 set community NO_ADVERTISE +match to 192.0.2.21 large-community 999:65510:2 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.21 + +# do_not_announce_to_any +deny to 192.0.2.21 community 0:999 +deny to 192.0.2.21 ext-community rt 0:999 +deny to 192.0.2.21 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.21 community 0:2 +deny quick to 192.0.2.21 ext-community rt 0:2 +deny quick to 192.0.2.21 large-community 999:0:2 + +# announce_to_peer +allow to 192.0.2.21 community 65501:2 +allow to 192.0.2.21 ext-community rt 65501:2 +allow to 192.0.2.21 large-community 999:65501:2 + + +# Add the 
$INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:2 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:2 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:2 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.21 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS2_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::21 set community NO_ADVERTISE +match from 2001:db8:1:1::21 nexthop 2001:db8:1:1::21 set community delete NO_ADVERTISE +match from 2001:db8:1:1::21 nexthop 2001:db8:1:1::22 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::21 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::21 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::21 peer-as != 2' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::21 peer-as != 2 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + 
ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete 
$INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::21 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::21 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 2001:db8:1:1::21 AS { 3, 174 }' - reject code: 8 +allow quick from 2001:db8:1:1::21 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community 
delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 2001:db8:1:1::21 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 2001:db8:1:1::21 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + +match from 2001:db8:1:1::21 set ext-community $INTCOMM_IRR_REJECT + +# AS_PATH: check origin via AS-SET +# IRRDB filters for AS2_2, AS2: asns +# add $INTCOMM_ORIGIN_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::21 set ext-community $INTCOMM_ORIGIN_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. 
+match from 2001:db8:1:1::21 source-as as-set AS_SET_AS_AS2_AS_AS2_CUSTOMERS_asns set { + ext-community delete $INTCOMM_ORIGIN_KO + ext-community $INTCOMM_ORIGIN_OK +} # AS_AS2_AS_AS2_CUSTOMERS + + +# Prefix: check prefix via AS-SET +# IRRDB filters for AS2_2, AS2: prefixes +# add $INTCOMM_PREFIX_KO to any; it will be removed later if at least one AS-SET authorizes this object +match from 2001:db8:1:1::21 set ext-community $INTCOMM_PREFIX_KO +# verifying if object is authorized by AS-SETs +# AS-SET AS2 referenced but empty. +match from 2001:db8:1:1::21 prefix-set AS_SET_AS_AS2_AS_AS2_CUSTOMERS_prefixes set { + ext-community delete $INTCOMM_PREFIX_KO + ext-community $INTCOMM_PREFIX_OK +} # AS_AS2_AS_AS2_CUSTOMERS + + +# routes tagged with $INTCOMM_PREF_OK_ROA community have the prefix validated by a ROA; origin ASN previously validated ($INTCOMM_ORIGIN_OK) +match from 2001:db8:1:1::21 ext-community $INTCOMM_ORIGIN_OK ext-community $INTCOMM_PREF_OK_ROA set ext-community delete $INTCOMM_IRR_REJECT + + + + +# enforcing: origin ASN +# Reject inbound routes when 'from 2001:db8:1:1::21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO' - reject code: 9 +allow quick from 2001:db8:1:1::21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_ORIGIN_KO set { + localpref 1 + community 65520:0 + community 65520:9 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# enforcing: prefix +# Reject inbound routes when 'from 2001:db8:1:1::21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO' - reject code: 12 +allow quick from 2001:db8:1:1::21 ext-community $INTCOMM_IRR_REJECT ext-community $INTCOMM_PREFIX_KO set { + localpref 1 + community 65520:0 + community 65520:12 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Blackhole request? 
+match from 2001:db8:1:1::21 set ext-community delete rt 65520:2 + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::21 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::21 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::21 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 2001:db8:1:1::21 community BLACKHOLE set community 65530:4 +match from 2001:db8:1:1::21 community BLACKHOLE set large-community 999:65530:4 + +match from 2001:db8:1:1::21 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 2001:db8:1:1::21 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 2001:db8:1:1::21 community BLACKHOLE +allow quick from 2001:db8:1:1::21 community 65534:0 +allow quick from 2001:db8:1:1::21 large-community 65534:0:0 + + +match from 2001:db8:1:1::21 set ext-community rt 65520:2 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 2001:db8:1:1::21 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 2001:db8:1:1::21 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::21 prefix ::/0 prefixlen 17 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::21 prefix ::/0 prefixlen 17 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete 
NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 2001:db8:1:1::21 community GRACEFUL_SHUTDOWN set community delete GRACEFUL_SHUTDOWN + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::21 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::21 set ext-community delete rt 65520:2 + + + +allow quick from 2001:db8:1:1::21 + + + +# --------------------------------------------- +# client AS2_2, outbound + +deny quick to 2001:db8:1:1::21 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 2001:db8:1:1::21 community 65534:0 set community BLACKHOLE +match to 2001:db8:1:1::21 large-community 65534:0:0 set community BLACKHOLE + +match to 2001:db8:1:1::21 community BLACKHOLE set community NO_EXPORT +match to 2001:db8:1:1::21 community BLACKHOLE set nexthop 2001:db8:1:1::66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::21 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 2001:db8:1:1::21 community 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::21 ext-community rt 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::21 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 2001:db8:1:1::21 community 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::21 ext-community rt 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::21 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 2001:db8:1:1::21 community 65509:2 set community NO_EXPORT +match to 2001:db8:1:1::21 ext-community rt 65509:2 set community NO_EXPORT +match to 2001:db8:1:1::21 large-community 999:65509:2 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 2001:db8:1:1::21 community 65510:2 set community NO_ADVERTISE +match to 2001:db8:1:1::21 ext-community rt 65510:2 set community NO_ADVERTISE +match to 2001:db8:1:1::21 large-community 999:65510:2 set community NO_ADVERTISE + + +# BGP control communities +allow to 2001:db8:1:1::21 + +# do_not_announce_to_any +deny to 2001:db8:1:1::21 community 0:999 +deny to 2001:db8:1:1::21 ext-community rt 0:999 +deny to 2001:db8:1:1::21 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::21 community 0:2 +deny quick to 2001:db8:1:1::21 ext-community rt 0:2 +deny quick to 2001:db8:1:1::21 large-community 999:0:2 + +# announce_to_peer +allow to 
2001:db8:1:1::21 community 65501:2 +allow to 2001:db8:1:1::21 ext-community rt 65501:2 +allow to 2001:db8:1:1::21 large-community 999:65501:2 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::21 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:2 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:2 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS2; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:2 set { + prepend-neighbor 3 + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:2 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:2 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::21 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS3_1, inbound + + + +# NEXT_HOP +match from 192.0.2.31 set community NO_ADVERTISE +match from 192.0.2.31 nexthop 192.0.2.31 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.31 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.31 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.31 peer-as != 3' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.31 peer-as != 3 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community 
delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.31 AS 23456' - reject code: 7 +allow quick from 192.0.2.31 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.31 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.31 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete 
$INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.31 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.31 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.31 AS { 174 }' - reject code: 8 +allow quick from 192.0.2.31 AS { 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + 
ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.31 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.31 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +# Prefix: client's blacklist +prefix-set "client_AS3_1_black_list_pref_ipv4" { + 3.0.1.0/24 prefixlen 24 - 32 + +} +# Reject inbound routes when 'from 192.0.2.31 prefix-set client_AS3_1_black_list_pref_ipv4' - reject code: 11 +allow quick from 192.0.2.31 prefix-set client_AS3_1_black_list_pref_ipv4 set { + localpref 1 + community 65520:0 + community 65520:11 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete 
$INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Blackhole request? +match from 192.0.2.31 set ext-community delete rt 65520:3 + + +# Remove internal communities before accepting the route +match from 192.0.2.31 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.31 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.31 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete 
$INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.31 community BLACKHOLE set community 65530:4 +match from 192.0.2.31 community BLACKHOLE set large-community 999:65530:4 + +match from 192.0.2.31 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.31 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.31 community BLACKHOLE +allow quick from 192.0.2.31 community 65534:0 +allow quick from 192.0.2.31 large-community 65534:0:0 + + +match from 192.0.2.31 set ext-community rt 65520:3 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.31 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.31 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.31 prefix 
0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.31 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.31 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 192.0.2.31 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.31 set ext-community delete rt 65520:3 + + + +allow quick from 192.0.2.31 + + + +# --------------------------------------------- +# client AS3_1, outbound + +deny quick to 192.0.2.31 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 192.0.2.31 community 65534:0 set community BLACKHOLE +match to 192.0.2.31 large-community 65534:0:0 set community BLACKHOLE + +match to 192.0.2.31 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.31 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.31 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.31 community 65507:999 set community NO_EXPORT +match to 192.0.2.31 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.31 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.31 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.31 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.31 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.31 community 65509:3 set community NO_EXPORT +match to 192.0.2.31 ext-community rt 65509:3 set community NO_EXPORT +match to 192.0.2.31 large-community 999:65509:3 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.31 community 65510:3 set community NO_ADVERTISE +match to 192.0.2.31 ext-community rt 65510:3 set community NO_ADVERTISE +match to 192.0.2.31 large-community 999:65510:3 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.31 + +# do_not_announce_to_any +deny to 192.0.2.31 community 0:999 +deny to 192.0.2.31 ext-community rt 0:999 +deny to 192.0.2.31 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.31 community 0:3 +deny quick to 192.0.2.31 ext-community rt 0:3 +deny quick to 192.0.2.31 large-community 999:0:3 + +# announce_to_peer +allow to 192.0.2.31 community 65501:3 +allow to 192.0.2.31 ext-community rt 65501:3 +allow to 192.0.2.31 large-community 999:65501:3 + + +# Add the 
$INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:3 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:3 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:3 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.31 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS3_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::31 set community NO_ADVERTISE +match from 2001:db8:1:1::31 nexthop 2001:db8:1:1::31 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::31 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::31 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::31 peer-as != 3' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::31 peer-as != 3 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + 
ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::31 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::31 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 2001:db8:1:1::31 AS { 174 }' - reject code: 8 +allow quick from 2001:db8:1:1::31 AS { 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 2001:db8:1:1::31 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 2001:db8:1:1::31 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + +# Prefix: client's blacklist +prefix-set "client_AS3_2_black_list_pref_ipv6" { + 2a03:0:1::/48 prefixlen 48 - 128 + +} +# Reject inbound routes when 'from 2001:db8:1:1::31 prefix-set client_AS3_2_black_list_pref_ipv6' - reject code: 11 +allow quick from 2001:db8:1:1::31 prefix-set client_AS3_2_black_list_pref_ipv6 set { + localpref 1 + community 65520:0 + community 65520:11 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete 
$INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + +# Blackhole request? +match from 2001:db8:1:1::31 set ext-community delete rt 65520:3 + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::31 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::31 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::31 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + 
ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 2001:db8:1:1::31 community BLACKHOLE set community 65530:4 +match from 2001:db8:1:1::31 community BLACKHOLE set large-community 999:65530:4 + +match from 2001:db8:1:1::31 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 2001:db8:1:1::31 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 2001:db8:1:1::31 community BLACKHOLE +allow quick from 2001:db8:1:1::31 community 65534:0 +allow quick from 2001:db8:1:1::31 large-community 65534:0:0 + + +match from 2001:db8:1:1::31 set ext-community rt 65520:3 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 2001:db8:1:1::31 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 2001:db8:1:1::31 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::31 prefix ::/0 prefixlen 17 >< 48' - reject 
code: 13 +allow quick from 2001:db8:1:1::31 prefix ::/0 prefixlen 17 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 2001:db8:1:1::31 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::31 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::31 set ext-community delete rt 65520:3 + + + +allow quick from 2001:db8:1:1::31 + + + +# --------------------------------------------- +# client AS3_2, outbound + +deny quick to 2001:db8:1:1::31 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 2001:db8:1:1::31 community 65534:0 set community BLACKHOLE +match to 2001:db8:1:1::31 large-community 65534:0:0 set community BLACKHOLE + +match to 2001:db8:1:1::31 community BLACKHOLE set community NO_EXPORT +match to 2001:db8:1:1::31 community BLACKHOLE set nexthop 2001:db8:1:1::66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::31 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 2001:db8:1:1::31 community 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::31 ext-community rt 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::31 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 2001:db8:1:1::31 community 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::31 ext-community rt 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::31 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 2001:db8:1:1::31 community 65509:3 set community NO_EXPORT +match to 2001:db8:1:1::31 ext-community rt 65509:3 set community NO_EXPORT +match to 2001:db8:1:1::31 large-community 999:65509:3 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 2001:db8:1:1::31 community 65510:3 set community NO_ADVERTISE +match to 2001:db8:1:1::31 ext-community rt 65510:3 set community NO_ADVERTISE +match to 2001:db8:1:1::31 large-community 999:65510:3 set community NO_ADVERTISE + + +# BGP control communities +allow to 2001:db8:1:1::31 + +# do_not_announce_to_any +deny to 2001:db8:1:1::31 community 0:999 +deny to 2001:db8:1:1::31 ext-community rt 0:999 +deny to 2001:db8:1:1::31 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::31 community 0:3 +deny quick to 2001:db8:1:1::31 ext-community rt 0:3 +deny quick to 2001:db8:1:1::31 large-community 999:0:3 + +# announce_to_peer +allow to 
2001:db8:1:1::31 community 65501:3 +allow to 2001:db8:1:1::31 ext-community rt 65501:3 +allow to 2001:db8:1:1::31 large-community 999:65501:3 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::31 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:3 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:3 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS3; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:3 set { + prepend-neighbor 3 + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:3 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:3 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::31 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS4_1, inbound + + + +# NEXT_HOP +match from 192.0.2.41 set community NO_ADVERTISE +match from 192.0.2.41 nexthop 192.0.2.41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 192.0.2.41 community NO_ADVERTISE' - reject code: 5 +allow quick from 192.0.2.41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 192.0.2.41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 192.0.2.41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community 
delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 192.0.2.41 AS 23456' - reject code: 7 +allow quick from 192.0.2.41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 64496 - 131071' - reject code: 7 +allow quick from 192.0.2.41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete 
$INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 192.0.2.41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 192.0.2.41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 192.0.2.41 AS { 3, 174 }' - reject code: 8 +allow quick from 192.0.2.41 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + 
ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 192.0.2.41 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 192.0.2.41 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + +# Blackhole request? 
+match from 192.0.2.41 set ext-community delete rt 65520:4 + + +# Remove internal communities before accepting the route +match from 192.0.2.41 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.41 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 192.0.2.41 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 192.0.2.41 community BLACKHOLE set community 65530:4 +match from 192.0.2.41 community BLACKHOLE set large-community 999:65530:4 + +match from 192.0.2.41 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 192.0.2.41 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 192.0.2.41 community BLACKHOLE +allow quick from 192.0.2.41 community 65534:0 +allow quick from 192.0.2.41 large-community 65534:0:0 + + +match from 192.0.2.41 set ext-community rt 65520:4 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 192.0.2.41 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 192.0.2.41 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24' - reject code: 13 +allow quick from 192.0.2.41 prefix 0.0.0.0/0 prefixlen 8 >< 24 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete 
$INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 192.0.2.41 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 192.0.2.41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 192.0.2.41 set ext-community delete rt 65520:4 + + + +allow quick from 192.0.2.41 + + + +# --------------------------------------------- +# client AS4_1, outbound + +deny quick to 192.0.2.41 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 192.0.2.41 community 65534:0 set community BLACKHOLE +match to 192.0.2.41 large-community 65534:0:0 set community BLACKHOLE + +match to 192.0.2.41 community BLACKHOLE set community NO_EXPORT +match to 192.0.2.41 community BLACKHOLE set nexthop 192.0.2.66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 192.0.2.41 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 192.0.2.41 community 65507:999 set community NO_EXPORT +match to 192.0.2.41 ext-community rt 65507:999 set community NO_EXPORT +match to 192.0.2.41 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 192.0.2.41 community 65508:999 set community NO_ADVERTISE +match to 192.0.2.41 ext-community rt 65508:999 set community NO_ADVERTISE +match to 192.0.2.41 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 192.0.2.41 community 65509:4 set community NO_EXPORT +match to 192.0.2.41 ext-community rt 65509:4 set community NO_EXPORT +match to 192.0.2.41 large-community 999:65509:4 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 192.0.2.41 community 65510:4 set community NO_ADVERTISE +match to 192.0.2.41 ext-community rt 65510:4 set community NO_ADVERTISE +match to 192.0.2.41 large-community 999:65510:4 set community NO_ADVERTISE + + +# BGP control communities +allow to 192.0.2.41 + +# do_not_announce_to_any +deny to 192.0.2.41 community 0:999 +deny to 192.0.2.41 ext-community rt 0:999 +deny to 192.0.2.41 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 192.0.2.41 community 0:4 +deny quick to 192.0.2.41 ext-community rt 0:4 +deny quick to 192.0.2.41 large-community 999:0:4 + +# announce_to_peer +allow to 192.0.2.41 community 65501:4 +allow to 192.0.2.41 ext-community rt 65501:4 +allow to 192.0.2.41 large-community 999:65501:4 + + +# Add the 
$INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 192.0.2.41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:4 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:4 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:4 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:4 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:4 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:4 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 192.0.2.41 ext-community 
$INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# --------------------------------------------- +# client AS4_2, inbound + + + +# NEXT_HOP +match from 2001:db8:1:1::41 set community NO_ADVERTISE +match from 2001:db8:1:1::41 nexthop 2001:db8:1:1::41 set community delete NO_ADVERTISE +# Reject inbound routes when 'from 2001:db8:1:1::41 community NO_ADVERTISE' - reject code: 5 +allow quick from 2001:db8:1:1::41 community NO_ADVERTISE set { + localpref 1 + community 65520:0 + community 65520:5 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: left-most ASN +# Reject inbound routes when 'from 2001:db8:1:1::41 peer-as != 4' - reject code: 6 +# community from reject_cause_map +allow quick from 2001:db8:1:1::41 peer-as != 4 set { + localpref 1 + community 65520:0 + community 65520:6 + large-community 999:1101:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + 
ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: invalid ASNs +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 23456' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 23456 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 64496 - 131071' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 64496 - 131071 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +# Reject inbound routes when 'from 2001:db8:1:1::41 AS 4200000000 - 4294967295' - reject code: 7 +allow quick from 2001:db8:1:1::41 AS 4200000000 - 4294967295 set { + localpref 1 + community 65520:0 + community 65520:7 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: transit-free ASNs +# Reject inbound routes when 'from 2001:db8:1:1::41 AS { 3, 174 }' - reject code: 8 +allow quick from 2001:db8:1:1::41 AS { 3, 174 } set { + localpref 1 + community 65520:0 + community 65520:8 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# AS_PATH: never via route-servers ASNs +# Reject inbound routes when 'from 2001:db8:1:1::41 AS as-set neverviarouteserver' - reject code: 15 +allow quick from 2001:db8:1:1::41 AS as-set neverviarouteserver set { + localpref 1 + community 65520:0 + community 65520:15 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + + + + + + + +# Blackhole request? 
+match from 2001:db8:1:1::41 set ext-community delete rt 65520:4 + + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::41 community BLACKHOLE set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::41 community 65534:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} +allow from 2001:db8:1:1::41 large-community 65534:0:0 set { + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete 
$INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Add the rpki_bgp_origin_validation_not_performed community +match from 2001:db8:1:1::41 community BLACKHOLE set community 65530:4 +match from 2001:db8:1:1::41 community BLACKHOLE set large-community 999:65530:4 + +match from 2001:db8:1:1::41 community 65534:0 set { community 65530:4 large-community 999:65530:4} +match from 2001:db8:1:1::41 large-community 65534:0:0 set { community 65530:4 large-community 999:65530:4} + + +allow quick from 2001:db8:1:1::41 community BLACKHOLE +allow quick from 2001:db8:1:1::41 community 65534:0 +allow quick from 2001:db8:1:1::41 large-community 65534:0:0 + + +match from 2001:db8:1:1::41 set ext-community rt 65520:4 + + +# RPKI-based Origin Validation +# Reject inbound routes when 'from 2001:db8:1:1::41 ext-community $INTCOMM_RPKI_INVALID' - reject code: 14 +allow quick from 2001:db8:1:1::41 ext-community $INTCOMM_RPKI_INVALID set { + localpref 1 + community 65520:0 + community 65520:14 + community delete NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Prefix: length +# Reject inbound routes when 'from 2001:db8:1:1::41 prefix ::/0 prefixlen 17 >< 48' - reject code: 13 +allow quick from 2001:db8:1:1::41 prefix ::/0 prefixlen 17 >< 48 set { + localpref 1 + community 65520:0 + community 65520:13 + community delete 
NO_ADVERTISE + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + + +# Graceful shutdown +match from 2001:db8:1:1::41 community GRACEFUL_SHUTDOWN set localpref 5 + +# Remove internal communities before accepting the route +match from 2001:db8:1:1::41 set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete $INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +match from 2001:db8:1:1::41 set ext-community delete rt 65520:4 + + + +allow quick from 2001:db8:1:1::41 + + + +# --------------------------------------------- +# client AS4_2, outbound + +deny quick to 2001:db8:1:1::41 community 65520:0 + + + +# Blackhole request? 
+# Configured policy: rewrite-next-hop +match to 2001:db8:1:1::41 community 65534:0 set community BLACKHOLE +match to 2001:db8:1:1::41 large-community 65534:0:0 set community BLACKHOLE + +match to 2001:db8:1:1::41 community BLACKHOLE set community NO_EXPORT +match to 2001:db8:1:1::41 community BLACKHOLE set nexthop 2001:db8:1:1::66 + + +# RPKI-based Origin Validation +# Do not announce INVALID to clients +deny quick to 2001:db8:1:1::41 ext-community $INTCOMM_RPKI_INVALID + +# NO_EXPORT and NO_ADVERTISE communities +# add_noexport_to_any +match to 2001:db8:1:1::41 community 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::41 ext-community rt 65507:999 set community NO_EXPORT +match to 2001:db8:1:1::41 large-community 999:65507:999 set community NO_EXPORT + +# add_noadvertise_to_any +match to 2001:db8:1:1::41 community 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::41 ext-community rt 65508:999 set community NO_ADVERTISE +match to 2001:db8:1:1::41 large-community 999:65508:999 set community NO_ADVERTISE + +# add_noexport_to_peer +match to 2001:db8:1:1::41 community 65509:4 set community NO_EXPORT +match to 2001:db8:1:1::41 ext-community rt 65509:4 set community NO_EXPORT +match to 2001:db8:1:1::41 large-community 999:65509:4 set community NO_EXPORT + +# add_noadvertise_to_peer +match to 2001:db8:1:1::41 community 65510:4 set community NO_ADVERTISE +match to 2001:db8:1:1::41 ext-community rt 65510:4 set community NO_ADVERTISE +match to 2001:db8:1:1::41 large-community 999:65510:4 set community NO_ADVERTISE + + +# BGP control communities +allow to 2001:db8:1:1::41 + +# do_not_announce_to_any +deny to 2001:db8:1:1::41 community 0:999 +deny to 2001:db8:1:1::41 ext-community rt 0:999 +deny to 2001:db8:1:1::41 large-community 999:0:999 + +# do_not_announce_to_peer +deny quick to 2001:db8:1:1::41 community 0:4 +deny quick to 2001:db8:1:1::41 ext-community rt 0:4 +deny quick to 2001:db8:1:1::41 large-community 999:0:4 + +# announce_to_peer +allow to 
2001:db8:1:1::41 community 65501:4 +allow to 2001:db8:1:1::41 ext-community rt 65501:4 +allow to 2001:db8:1:1::41 large-community 999:65501:4 + + +# Add the $INTCOMM_PROCESS_PREPEND_COMMS ext community to signal that communities +# for prepending can be processed. As soon as one prepending action is performed, +# this internal community is removed, so that further actions are not processed. +match to 2001:db8:1:1::41 set ext-community $INTCOMM_PROCESS_PREPEND_COMMS + +# prepend_once_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:4 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:4 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:4 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:4 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_peer AS4; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:4 set { + prepend-neighbor 3 + 
ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:4 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:4 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + +# prepend_once_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65521:65521 set { + prepend-neighbor 1 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_twice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65522:65522 set { + prepend-neighbor 2 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + +# prepend_thrice_to_any; remove INTCOMM_PROCESS_PREPEND_COMMS to prevent further prepending actions +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS community 65523:65523 set { + prepend-neighbor 3 + ext-community delete 
$INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS ext-community rt 65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} +match to 2001:db8:1:1::41 ext-community $INTCOMM_PROCESS_PREPEND_COMMS large-community 999:65523:65523 set { + prepend-neighbor 3 + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS +} + + + + + +# Scrub communities from outbound routes +# add_noadvertise_to_any +match to group clients set community delete 65508:999 +match to group clients set ext-community delete rt 65508:999 +match to group clients set large-community delete 999:65508:999 + +# add_noadvertise_to_peer +match to group clients set community delete 65510:* +match to group clients set ext-community delete rt 65510:* +match to group clients set large-community delete 999:65510:* + +# add_noexport_to_any +match to group clients set community delete 65507:999 +match to group clients set ext-community delete rt 65507:999 +match to group clients set large-community delete 999:65507:999 + +# add_noexport_to_peer +match to group clients set community delete 65509:* +match to group clients set ext-community delete rt 65509:* +match to group clients set large-community delete 999:65509:* + +# announce_to_peer +match to group clients set community delete 65501:* +match to group clients set ext-community delete rt 65501:* +match to group clients set large-community delete 999:65501:* + +# announce_to_peers_with_rtt_higher_than +match to group clients set community delete 64533:* +match to group clients set ext-community delete rt 64533:* +match to group clients set large-community delete 999:64533:* + +# announce_to_peers_with_rtt_lower_than +match to group clients set community delete 64532:* +match to group clients set ext-community delete rt 64532:* +match to group clients set large-community delete 999:64532:* + +# blackholing +match to group clients set community delete 65534:0 +match to 
group clients set large-community delete 65534:0:0 + +# do_not_announce_to_any +match to group clients set community delete 0:999 +match to group clients set ext-community delete rt 0:999 +match to group clients set large-community delete 999:0:999 + +# do_not_announce_to_peer +match to group clients set community delete 0:* +match to group clients set ext-community delete rt 0:* +match to group clients set large-community delete 999:0:* + +# do_not_announce_to_peers_with_rtt_higher_than +match to group clients set community delete 64531:* +match to group clients set ext-community delete rt 64531:* +match to group clients set large-community delete 999:64531:* + +# do_not_announce_to_peers_with_rtt_lower_than +match to group clients set community delete 64530:* +match to group clients set ext-community delete rt 64530:* +match to group clients set large-community delete 999:64530:* + +# prepend_once_to_any +match to group clients set community delete 65521:65521 +match to group clients set ext-community delete rt 65521:65521 +match to group clients set large-community delete 999:65521:65521 + +# prepend_once_to_peer +match to group clients set community delete 65521:* +match to group clients set ext-community delete rt 65521:* +match to group clients set large-community delete 999:65521:* + +# prepend_once_to_peers_with_rtt_higher_than +match to group clients set community delete 64537:* +match to group clients set ext-community delete rt 64537:* +match to group clients set large-community delete 999:64537:* + +# prepend_once_to_peers_with_rtt_lower_than +match to group clients set community delete 64534:* +match to group clients set ext-community delete rt 64534:* +match to group clients set large-community delete 999:64534:* + +# prepend_thrice_to_any +match to group clients set community delete 65523:65523 +match to group clients set ext-community delete rt 65523:65523 +match to group clients set large-community delete 999:65523:65523 + +# prepend_thrice_to_peer 
+match to group clients set community delete 65523:* +match to group clients set ext-community delete rt 65523:* +match to group clients set large-community delete 999:65523:* + +# prepend_thrice_to_peers_with_rtt_higher_than +match to group clients set community delete 64539:* +match to group clients set ext-community delete rt 64539:* +match to group clients set large-community delete 999:64539:* + +# prepend_thrice_to_peers_with_rtt_lower_than +match to group clients set community delete 64536:* +match to group clients set ext-community delete rt 64536:* +match to group clients set large-community delete 999:64536:* + +# prepend_twice_to_any +match to group clients set community delete 65522:65522 +match to group clients set ext-community delete rt 65522:65522 +match to group clients set large-community delete 999:65522:65522 + +# prepend_twice_to_peer +match to group clients set community delete 65522:* +match to group clients set ext-community delete rt 65522:* +match to group clients set large-community delete 999:65522:* + +# prepend_twice_to_peers_with_rtt_higher_than +match to group clients set community delete 64538:* +match to group clients set ext-community delete rt 64538:* +match to group clients set large-community delete 999:64538:* + +# prepend_twice_to_peers_with_rtt_lower_than +match to group clients set community delete 64535:* +match to group clients set ext-community delete rt 64535:* +match to group clients set large-community delete 999:64535:* + +# reject_cause +match to group clients set community delete 65520:* + +# reject_cause_map_6 +match to group clients set large-community delete 999:1101:7 + +# rejected_route_announced_by +match to group clients set ext-community delete rt 65520:* + + +# Scrub prepending communities +match to group clients set { + community delete 65521:65521 + ext-community delete rt 65521:65521 + large-community delete 999:65521:65521 + +} +match to group clients set { + community delete 65521:* + ext-community 
delete rt 65521:* + large-community delete 999:65521:* + +} +match to group clients set { + community delete 64537:* + ext-community delete rt 64537:* + large-community delete 999:64537:* + +} +match to group clients set { + community delete 64534:* + ext-community delete rt 64534:* + large-community delete 999:64534:* + +} +match to group clients set { + community delete 65523:65523 + ext-community delete rt 65523:65523 + large-community delete 999:65523:65523 + +} +match to group clients set { + community delete 65523:* + ext-community delete rt 65523:* + large-community delete 999:65523:* + +} +match to group clients set { + community delete 64539:* + ext-community delete rt 64539:* + large-community delete 999:64539:* + +} +match to group clients set { + community delete 64536:* + ext-community delete rt 64536:* + large-community delete 999:64536:* + +} +match to group clients set { + community delete 65522:65522 + ext-community delete rt 65522:65522 + large-community delete 999:65522:65522 + +} +match to group clients set { + community delete 65522:* + ext-community delete rt 65522:* + large-community delete 999:65522:* + +} +match to group clients set { + community delete 64538:* + ext-community delete rt 64538:* + large-community delete 999:64538:* + +} +match to group clients set { + community delete 64535:* + ext-community delete rt 64535:* + large-community delete 999:64535:* + +} + + +# RFC1997 NO_EXPORT/NO_ADVERTISE received from clients and propagated because of pass-through policy +match to group clients ext-community $INTCOMM_NO_EXPORT set community NO_EXPORT +match to group clients ext-community $INTCOMM_NO_ADVERTISE set community NO_ADVERTISE + +# Remove internal communities before announcing the route +match to group clients set { + ext-community delete $INTCOMM_PREF_OK_ROA + ext-community delete $INTCOMM_ROUTE_OK_WL + ext-community delete $INTCOMM_PREF_OK_ARINDB + ext-community delete $INTCOMM_PREF_OK_REGISTROBRDB + ext-community delete 
$INTCOMM_ORIGIN_OK + ext-community delete $INTCOMM_ORIGIN_KO + ext-community delete $INTCOMM_PREFIX_OK + ext-community delete $INTCOMM_PREFIX_KO + ext-community delete $INTCOMM_IRR_REJECT + ext-community delete $INTCOMM_RPKI_UNKNOWN + ext-community delete $INTCOMM_RPKI_INVALID + ext-community delete $INTCOMM_RPKI_VALID + ext-community delete $INTCOMM_NO_EXPORT + ext-community delete $INTCOMM_NO_ADVERTISE + ext-community delete $INTCOMM_PROCESS_PREPEND_COMMS + +} + +include "/etc/bgpd/post-filters.local" + + diff --git a/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/AS101.txt b/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/AS101.txt new file mode 100644 index 00000000..33ec3bbb --- /dev/null +++ b/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/AS101.txt 
@@ -0,0 +1,406 @@ +2001::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2001:db8:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:0:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:0:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a01:0:1::/48, AS_PATH: 2 1, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a01:0:2::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:0:2::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a01:0:2::/48, AS_PATH: 2 1, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a01:0:3::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:0:3::/48, AS_PATH: 2 1, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a02:0:1::/48, AS_PATH: 1 2, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a02:0:1::/48, AS_PATH: 1 2, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg 
comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a02:0:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 1 2, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 1 2, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::1/128, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::2/128, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::3/128, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 1 2, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 1 2, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:5::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:2::/48, AS_PATH: 1 3, NEXT_HOP: 2001:db8:1:1::11, via 
2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:2::/48, AS_PATH: 1 3, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:3::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:5::/48, AS_PATH: 1 3 3, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:5::/48, AS_PATH: 1 3 3, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:5::/48, AS_PATH: 2 3 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:6::/48, AS_PATH: 1 3 3 3, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:6::/48, AS_PATH: 1 3 3 3, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:6::/48, AS_PATH: 2 3 3 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:7::/48, AS_PATH: 1 3 3 3 3, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:7::/48, AS_PATH: 1 3 3 3 3, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:7::/48, AS_PATH: 2 3 3 3 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, 
LOCAL_PREF: 100 + filtered: False () + +2a03:0:8::/48, AS_PATH: 1 3 3, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:8::/48, AS_PATH: 1 3 3, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:8::/48, AS_PATH: 2 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:9::/48, AS_PATH: 1 3, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:9::/48, AS_PATH: 1 3, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:9::/48, AS_PATH: 2 3 3 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:a::/48, AS_PATH: 1 3 3 3 3, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:a::/48, AS_PATH: 1 3 3 3 3, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a03:0:a::/48, AS_PATH: 2 3 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:c::/48, AS_PATH: 2 3 3 3 3, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:1:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:1:1::/48, AS_PATH: 2 1 1011, NEXT_HOP: 
2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a11:1:2::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:2:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:3:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:3::/32, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:3::/32, AS_PATH: 2 1 1011, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a11:4:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:4:1::/48, AS_PATH: 2 1 1000, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a99:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a99:2::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a99::/16, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a99::/32, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + 
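Review bot: In the bgpd configuration hunk that ends with `include "/etc/bgpd/post-filters.local"`, the "Scrub prepending communities" block repeats deletions that the "Scrub communities from outbound routes" block just above it already applies to `group clients`. Each prepend value (65521:65521, 65521:*, 64537:*, 64534:* and the 65522, 65523, 64535, 64536, 64538, 64539 equivalents) is removed once as three separate `match to group clients set ... delete` rules and then again inside a `set { }` group, so the second pass is a no-op on every route. Either leave the prepend_* entries out of the generic scrub or drop the dedicated block, and if the duplication is deliberate, say why in the comment above it. The exact-value deletes such as `community delete 65521:65521` are also subsumed by the wildcard `community delete 65521:*` that follows them.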
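Review bot: The new fixture `openbgpd75p/AS101.txt` is added under `TagRejectPolicyScenario_OpenBGPDIPv4`, but every entry in it is IPv6: the prefixes run from `2001::/48` to `2a99::/32` and all next hops are `2001:db8:1:1::11`, `::12` or `::21`. Please confirm that this dump belongs to the IPv4 scenario directory and was not written from an IPv6 run. If the directory name is expected to hold IPv6 routes, a short note in the scenario documentation would spare the next reader the same question. The same check applies to the `AS1_1.txt` and `AS1_2.txt` files added in the same directory.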
diff --git a/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/AS1_1.txt b/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/AS1_1.txt new file mode 100644 index 00000000..5a4a4b4c --- /dev/null +++ b/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/AS1_1.txt 
@@ -0,0 +1,280 @@ +2a02:0:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::1/128, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::2/128, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::3/128, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:2::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:5::/48, AS_PATH: 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:6::/48, AS_PATH: 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:7::/48, AS_PATH: 3 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:8::/48, AS_PATH: 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + 
filtered: False () + +2a03:0:9::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:a::/48, AS_PATH: 3 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:b::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:c::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:d::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:10::/48, AS_PATH: 101 666, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:11::/48, AS_PATH: 101 777, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:1::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:2::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 65530:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:3::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: 999:65530:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:4::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 888:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:5::/48, 
AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: 888:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:6::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 65530:1, 777:0 + ext comms: + lrg comms: 777:0:0, 999:65530:1 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:7::/48, AS_PATH: 101 174, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::1/128, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 65535:666 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:9::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:1::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2:4000::/34, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2:8000::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2::/33, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:3:1::/48, AS_PATH: 101 105, NEXT_HOP: 
2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3102:0:1::/48, AS_PATH: 101 102, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3103:0:1::/48, AS_PATH: 101 103, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3103:0:2::/48, AS_PATH: 101 101 103, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3104:0:1::/48, AS_PATH: 101 104, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3104:1:1::/48, AS_PATH: 101 104, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +8000:1::/32, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/AS1_2.txt b/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/AS1_2.txt new file mode 100644 index 00000000..86b7ea6c --- /dev/null +++ b/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/AS1_2.txt 
@@ -0,0 +1,259 @@ +2a02:0:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:2::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:5::/48, AS_PATH: 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:6::/48, AS_PATH: 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:7::/48, AS_PATH: 3 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:8::/48, AS_PATH: 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:9::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:a::/48, AS_PATH: 3 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:b::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:c::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65535:65281 
+ ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:d::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:10::/48, AS_PATH: 101 666, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:11::/48, AS_PATH: 101 777, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:1::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:2::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 65530:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:3::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: 999:65530:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:4::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 888:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:5::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: 888:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:6::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 65530:1, 777:0 + ext comms: + lrg comms: 777:0:0, 999:65530:1 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:7::/48, AS_PATH: 101 174, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + 
ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::1/128, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 65535:666 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:9::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:1::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2:4000::/34, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2:8000::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2::/33, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:3:1::/48, AS_PATH: 101 105, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3102:0:1::/48, AS_PATH: 101 102, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3103:0:1::/48, AS_PATH: 101 103, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3103:0:2::/48, AS_PATH: 101 101 103, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + 
filtered: False () + +3104:0:1::/48, AS_PATH: 101 104, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3104:1:1::/48, AS_PATH: 101 104, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +8000:1::/32, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/AS2.txt b/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/AS2.txt new file mode 100644 index 00000000..aafa6dae --- /dev/null +++ b/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/AS2.txt 
@@ -0,0 +1,350 @@ +2a01:0:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:0:2::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:0:3::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:3::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:5::/48, AS_PATH: 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:6::/48, AS_PATH: 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:7::/48, AS_PATH: 3 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:8::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:9::/48, AS_PATH: 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:a::/48, AS_PATH: 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:b::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:c::/48, AS_PATH: 3 3 3 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: + ext 
comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:d::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65535:65281 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:1:1::/48, AS_PATH: 1 1011, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:3::/32, AS_PATH: 1 1011, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:4:1::/48, AS_PATH: 1 1000, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:10::/48, AS_PATH: 101 666, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:11::/48, AS_PATH: 101 777, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:1::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:1::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:2::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:2::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 65530:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:3::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + 
+3101:0:3::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: 999:65530:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:4::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 888:0 + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:4::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 888:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:5::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: 888:0:0 + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:5::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: 888:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:6::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 777:0 + ext comms: + lrg comms: 777:0:0 + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:6::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 65530:1, 777:0 + ext comms: + lrg comms: 777:0:0, 999:65530:1 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:7::/48, AS_PATH: 101 174, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::1/128, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::1/128, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: 65535:666 + ext comms: + 
lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:8::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:9::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:1::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2:4000::/34, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2:8000::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:2:8000::/48, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2::/33, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:2::/33, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:3:1::/48, AS_PATH: 101 105, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3102:0:1::/48, AS_PATH: 101 102, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3103:0:1::/48, 
AS_PATH: 101 101 103, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3103:0:2::/48, AS_PATH: 101 103, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3104:0:1::/48, AS_PATH: 101 104, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3104:1:1::/48, AS_PATH: 101 104, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +8000:1::/32, AS_PATH: 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::101 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/AS3.txt b/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/AS3.txt new file mode 100644 index 00000000..43cf4811 --- /dev/null +++ b/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/AS3.txt 
@@ -0,0 +1,238 @@ +2a01:0:1::/48, AS_PATH: 999 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +2a01:0:1::/48, AS_PATH: 999 1, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 101 + filtered: False () + +2a01:0:2::/48, AS_PATH: 999 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +2a01:0:2::/48, AS_PATH: 999 1, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 101 + filtered: False () + +2a01:0:3::/48, AS_PATH: 999 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +2a02:0:1::/48, AS_PATH: 999 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 999 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::1/128, AS_PATH: 999 2, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::2/128, AS_PATH: 999 2, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::3/128, AS_PATH: 999 2, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 999 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + 
best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:1:1::/48, AS_PATH: 999 1 1011, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +2a11:3::/32, AS_PATH: 999 1 1011, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +2a11:4:1::/48, AS_PATH: 999 1 1000, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:0:1::/48, AS_PATH: 999 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:0:1::/48, AS_PATH: 999 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:2::/48, AS_PATH: 999 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:0:2::/48, AS_PATH: 999 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:3::/48, AS_PATH: 999 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:0:3::/48, AS_PATH: 999 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:4::/48, AS_PATH: 999 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 888:0 + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:0:4::/48, AS_PATH: 999 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 888:0 + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False 
() + +3101:0:5::/48, AS_PATH: 999 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: 888:0:0 + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:0:5::/48, AS_PATH: 999 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: 888:0:0 + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:6::/48, AS_PATH: 999 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 777:0 + ext comms: + lrg comms: 777:0:0 + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:0:6::/48, AS_PATH: 999 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 777:0 + ext comms: + lrg comms: 777:0:0 + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::1/128, AS_PATH: 999 1 101, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:0:8000::1/128, AS_PATH: 999 2 101, NEXT_HOP: 2001:db8:1:1::66, via 2001:db8:1:1::2 + std comms: 65530:4, 65535:65281, 65535:666 + ext comms: + lrg comms: 999:65530:4 + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:8::/48, AS_PATH: 999 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:0:8::/48, AS_PATH: 999 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:2:8000::/48, AS_PATH: 999 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:2:8000::/48, AS_PATH: 999 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:2::/33, AS_PATH: 999 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 
+ std comms: + ext comms: + lrg comms: + best: True, LOCAL_PREF: 101 + filtered: False () + +3101:2::/33, AS_PATH: 999 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: + ext comms: + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/rc.txt b/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/rc.txt new file mode 100644 index 00000000..df8ece37 --- /dev/null +++ b/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/rc.txt 
@@ -0,0 +1,259 @@ +2001::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:2 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2001:db8:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:3 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:5::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::23, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:5 + ext comms: rt:65520:2 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:1::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:11 + ext comms: rt:65520:3 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:e::/48, AS_PATH: 3 174 33, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:8 + ext comms: rt:65520:3 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:1:2::/48, AS_PATH: 1 1000, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:9 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:2:1::/48, AS_PATH: 1 1011, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:12 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:3:1::/48, AS_PATH: 1 1011, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:12 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a99:1::/48, AS_PATH: 1 65536 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:7 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a99:2::/48, AS_PATH: 1 2 2 2 2 2 2 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:1 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + 
filtered: False () + +2a99::/16, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:13 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a99::/32, AS_PATH: 2 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:6 + ext comms: rt:65520:1 + lrg comms: 999:1101:7 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:10::/48, AS_PATH: 1 101 666, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:15 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:11::/48, AS_PATH: 1 101 777, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:15 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:1::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:5 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:2::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:5 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:3::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:5 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:4::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:5, 888:0 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:5::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:5 + ext comms: rt:65520:1 + lrg comms: 888:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:6::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:5, 777:0 + ext comms: rt:65520:1 + lrg 
comms: 777:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:7::/48, AS_PATH: 1 101 174, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:8 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:14 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::1/128, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:5, 65535:666 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:5 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:9::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:14 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:1::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:12 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2:4000::/34, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:12 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2:8000::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:5 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2::/33, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:5 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:3:1::/48, AS_PATH: 1 101 105, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 
65520:0, 65520:9 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3102:0:1::/48, AS_PATH: 1 101 102, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:9 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3103:0:1::/48, AS_PATH: 1 101 103, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:9, 65535:0 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3103:0:2::/48, AS_PATH: 2 101 103, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:9, 65535:0 + ext comms: rt:65520:2 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3104:0:1::/48, AS_PATH: 1 101 104, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:9 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3104:1:1::/48, AS_PATH: 1 101 104, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:9 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +8000:1::/32, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:10 + ext comms: rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +::/0, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::2 + std comms: 65520:0, 65520:10 + ext comms: rt:65520:3 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + diff --git a/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/rs.txt b/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/rs.txt new file mode 100644 index 00000000..a5b956f1 --- /dev/null +++ b/tests/live_tests/scenarios/tag_reject_policy/routes/TagRejectPolicyScenario_OpenBGPDIPv4/openbgpd75p/rs.txt 
@@ -0,0 +1,777 @@ +2001::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:2 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +2001:db8:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:3 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +2a01:0:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:0:1::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a01:0:2::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a01:0:2::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::12, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +2a01:0:3::/48, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::12 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:1::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:2::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::1/128, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65530:4, 65535:666 + ext comms: rfc8097-not-found + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::2/128, 
AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65530:4, 65534:0 + ext comms: rfc8097-not-found + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:3::3/128, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65530:4 + ext comms: rfc8097-not-found + lrg comms: 65534:0:0, 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:4::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::22, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a02:0:5::/48, AS_PATH: 2, NEXT_HOP: 2001:db8:1:1::23, via 2001:db8:1:1::21 + std comms: 65520:0, 65520:5 + ext comms: rfc8097-not-found, rt:65520:2 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +2a03:0:1::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 65520:0, 65520:11 + ext comms: rfc8097-not-found, rt:65520:3 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +2a03:0:2::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 0:999, 65501:1 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:3::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 0:1 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:4::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 0:999 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:5::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 65521:65521 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:6::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 65522:65522 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + 
filtered: False () + +2a03:0:7::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 65523:65523 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:8::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 65521:1 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:9::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 65522:2 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:a::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 65521:65521, 65523:1 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:b::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 65507:999 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:c::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 65509:1, 65523:2 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:d::/48, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: + ext comms: rfc8097-not-found, soo:65535:65281 + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a03:0:e::/48, AS_PATH: 3 174 33, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 65520:0, 65520:8 + ext comms: rfc8097-not-found, rt:65520:3 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +2a11:1:1::/48, AS_PATH: 1 1011, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:1:2::/48, AS_PATH: 1 1000, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:9 + ext comms: rfc8097-not-found, rt:65520:1 + lrg 
comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +2a11:2:1::/48, AS_PATH: 1 1011, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:12 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +2a11:3:1::/48, AS_PATH: 1 1011, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:12 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +2a11:3::/32, AS_PATH: 1 1011, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a11:4:1::/48, AS_PATH: 1 1000, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +2a99:1::/48, AS_PATH: 1 65536 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:7 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +2a99:2::/48, AS_PATH: 1 2 2 2 2 2 2 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:1 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +2a99::/16, AS_PATH: 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:13 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +2a99::/32, AS_PATH: 2 1, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:6 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: 999:1101:7 + best: True, LOCAL_PREF: 1 + filtered: False () + +3101:0:10::/48, AS_PATH: 1 101 666, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + 
+3101:0:10::/48, AS_PATH: 1 101 666, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:15 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +3101:0:10::/48, AS_PATH: 2 101 666, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65520:0, 65520:15 + ext comms: rfc8097-not-found, rt:65520:2 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:0:11::/48, AS_PATH: 1 101 777, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:0:11::/48, AS_PATH: 1 101 777, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:15 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +3101:0:11::/48, AS_PATH: 2 101 777, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65520:0, 65520:15 + ext comms: rfc8097-not-found, rt:65520:2 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:0:1::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:0:1::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:1::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:2::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:0:2::/48, AS_PATH: 1 101, NEXT_HOP: 
2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:2::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:3::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:0:3::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:3::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:4::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5, 888:0 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:0:4::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 888:0 + ext comms: rfc8097-not-found + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:4::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 888:0 + ext comms: rfc8097-not-found + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:5::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: 888:0:0 + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:0:5::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-not-found + lrg comms: 888:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + 
+3101:0:5::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-not-found + lrg comms: 888:0:0 + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:6::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5, 777:0 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: 777:0:0 + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:0:6::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 777:0 + ext comms: rfc8097-not-found + lrg comms: 777:0:0 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:6::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 777:0 + ext comms: rfc8097-not-found + lrg comms: 777:0:0 + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:7::/48, AS_PATH: 1 101 174, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:0:7::/48, AS_PATH: 1 101 174, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:8 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +3101:0:7::/48, AS_PATH: 2 101 174, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65520:0, 65520:8 + ext comms: rfc8097-not-found, rt:65520:2 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:0:8000::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5 + ext comms: rfc8097-invalid, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:0:8000::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:14 + ext comms: rfc8097-invalid, rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +3101:0:8000::/48, AS_PATH: 2 101, 
NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65520:0, 65520:14 + ext comms: rfc8097-invalid, rt:65520:2 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:0:8000::1/128, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5, 65535:666 + ext comms: rfc8097-invalid, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:0:8000::1/128, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65530:4, 65535:666 + ext comms: rfc8097-invalid + lrg comms: 999:65530:4 + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8000::1/128, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65530:4, 65535:666 + ext comms: rfc8097-invalid + lrg comms: 999:65530:4 + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:8::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5 + ext comms: rfc8097-valid, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:0:8::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:0:8::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:0:9::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5 + ext comms: rfc8097-invalid, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:0:9::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:14 + ext comms: rfc8097-invalid, rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +3101:0:9::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65520:0, 
65520:14 + ext comms: rfc8097-invalid, rt:65520:2 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:1::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:1::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:12 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +3101:1::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65520:0, 65520:12 + ext comms: rfc8097-not-found, rt:65520:2 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:2:4000::/34, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5 + ext comms: rfc8097-invalid, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:2:4000::/34, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:12 + ext comms: rfc8097-invalid, rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +3101:2:4000::/34, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65520:0, 65520:12 + ext comms: rfc8097-invalid, rt:65520:2 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:2:8000::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5 + ext comms: rfc8097-valid, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:2:8000::/48, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2:8000::/48, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: False, 
LOCAL_PREF: 100 + filtered: False () + +3101:2::/33, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5 + ext comms: rfc8097-valid, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:2::/33, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: True, LOCAL_PREF: 100 + filtered: False () + +3101:2::/33, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: + ext comms: rfc8097-valid + lrg comms: + best: False, LOCAL_PREF: 100 + filtered: False () + +3101:3:1::/48, AS_PATH: 1 101 105, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5 + ext comms: rfc8097-valid, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3101:3:1::/48, AS_PATH: 1 101 105, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:9 + ext comms: rfc8097-valid, rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +3101:3:1::/48, AS_PATH: 2 101 105, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65520:0, 65520:9 + ext comms: rfc8097-valid, rt:65520:2 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3102:0:1::/48, AS_PATH: 1 101 102, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3102:0:1::/48, AS_PATH: 1 101 102, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:9 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +3102:0:1::/48, AS_PATH: 2 101 102, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65520:0, 65520:9 + ext comms: rfc8097-not-found, rt:65520:2 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3103:0:1::/48, AS_PATH: 1 101 103, NEXT_HOP: 
2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5, 65535:0 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3103:0:1::/48, AS_PATH: 1 101 103, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:9, 65535:0 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +3103:0:1::/48, AS_PATH: 2 101 101 103, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65520:0, 65520:9 + ext comms: rfc8097-not-found, rt:65520:2 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3103:0:2::/48, AS_PATH: 1 101 101 103, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3103:0:2::/48, AS_PATH: 1 101 101 103, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:9 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3103:0:2::/48, AS_PATH: 2 101 103, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65520:0, 65520:9, 65535:0 + ext comms: rfc8097-not-found, rt:65520:2 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +3104:0:1::/48, AS_PATH: 1 101 104, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3104:0:1::/48, AS_PATH: 1 101 104, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:9 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +3104:0:1::/48, AS_PATH: 2 101 104, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65520:0, 65520:9 + ext comms: rfc8097-not-found, rt:65520:2 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + 
+3104:1:1::/48, AS_PATH: 1 101 104, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:5 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +3104:1:1::/48, AS_PATH: 1 101 104, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:9 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +3104:1:1::/48, AS_PATH: 2 101 104, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65520:0, 65520:9 + ext comms: rfc8097-not-found, rt:65520:2 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +8000:1::/32, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::101, via 2001:db8:1:1::12 + std comms: 65520:0, 65520:10 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +8000:1::/32, AS_PATH: 1 101, NEXT_HOP: 2001:db8:1:1::11, via 2001:db8:1:1::11 + std comms: 65520:0, 65520:10 + ext comms: rfc8097-not-found, rt:65520:1 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + +8000:1::/32, AS_PATH: 2 101, NEXT_HOP: 2001:db8:1:1::21, via 2001:db8:1:1::21 + std comms: 65520:0, 65520:10 + ext comms: rfc8097-not-found, rt:65520:2 + lrg comms: + best: False, LOCAL_PREF: 1 + filtered: False () + +::/0, AS_PATH: 3, NEXT_HOP: 2001:db8:1:1::31, via 2001:db8:1:1::31 + std comms: 65520:0, 65520:10 + ext comms: rfc8097-not-found, rt:65520:3 + lrg comms: + best: True, LOCAL_PREF: 1 + filtered: False () + diff --git a/tests/static/test_cfg_program.py b/tests/static/test_cfg_program.py index e0e10fbd..2fddec89 100644 --- a/tests/static/test_cfg_program.py +++ b/tests/static/test_cfg_program.py 
@@ -60,7 +60,7 @@ def test_010_load_distributed_file(self): ("bgpq3_path", "bgpq4"), ("bgpq3_host", ["rr.ntt.net", "rr1.ntt.net"]), ("bgpq3_sources", ("RIPE,APNIC,AFRINIC,ARIN,NTTCOM,ALTDB,BBOI," - "BELL,JPIRR,LEVEL3,RADB,RGNET,TC")), + "BELL,JPIRR,LEVEL3,RADB,TC")), ("bgpq3_timeout", 120), ("rtt_getter_path", ""), ("threads", 4), diff --git a/utils/build_supported_speakers_table.py b/utils/build_supported_speakers_table.py index 087a4c4a..89e0fbc2 100755 --- a/utils/build_supported_speakers_table.py +++ b/utils/build_supported_speakers_table.py @@ -249,8 +249,8 @@ def put_table_line(lengths, char="="): add_feature("ADD_PATH capability (RFC7911)", { "bird": True, "bird2": True, - "openbgpd": None, - "openbgpd_portable": None, + "openbgpd": True, + "openbgpd_portable": True, })
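Review bot: In the added routes fixture that ends just before the tests/static/test_cfg_program.py diff, the records tagged rfc8097-invalid are stored as accepted and selected, with nothing saying that this is the expected outcome: for example 3101:0:8000::/48 and 3101:0:9::/48 via 2001:db8:1:1::11 carry "best: True" and "filtered: False ()". The accompanying 65520:0, 65520:14 communities and LOCAL_PREF: 1 suggest the scenario tags such routes instead of dropping them, but that is an inference from the data. Please state the scenario and the expected handling of invalid routes in the test that consumes this snapshot, so that a later regeneration which changes these records is caught in review and not accepted as a new baseline.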
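Review bot: In the tests/static/test_cfg_program.py hunk (test_010_load_distributed_file), RGNET disappears from the expected bgpq3_sources value with no rationale visible in the change. This string is the default list of IRR sources handed to bgpq3/bgpq4, so it affects which registries the generated filters are built from; please record the reason for dropping RGNET in the changelog or upgrade notes. The expected value is also a second hard-coded copy of the distributed default, so consider a short comment next to the tuple naming the file it must stay in sync with.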
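Review bot: In the utils/build_supported_speakers_table.py hunk, "openbgpd" and "openbgpd_portable" go from None to True for "ADD_PATH capability (RFC7911)" with no version qualifier. If ADD-PATH is only available from a particular OpenBGPD release, the generated table will overstate support for the older releases it also lists; a footnote or version-qualified entry for these two rows would keep the table accurate, provided add_feature can express one.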