On Wed, Jan 02, 2019 at 05:05:20PM +0100, Stéphane wrote:
> Hello Guys and happy new year to all !
>
> I have recently set up a new BGP router for peering purposes using OpenBSD.
>
> In order to do input filtering I have tried to use an as-set looking like
> that :
>
>
> ## use as-set to reject bogon AS number
> as-set bogon-as { 0 23456 64496-131071 64512-65534 65535 65536-65551
> 65552-131071 4200000000-4294967295 4294967295 }
>
> But this configuration did not work.
>
> It seems that bgpd cannot handle AS ranges in an as-set, unlike the filter
> directive.
>
> Has anyone tried that before me ? Can you confirm that filter is the best
> solution for now ?
Yes, as-set is a lookup table and so 4200000000-4294967295 would add
more than 94 million entries to that table. That is not sensible. Doing
range lookups is more complex, especially to make those efficient and fast.
AS sets are used primarily by config generators like bgpq3 or arouteserver.
In those cases ranges are not needed and lookup speed is more important.
This is why it was not built that way.
> I have fallen back on this configuration :
>
> ## use filter to reject bogon AS numbers
> deny quick from any AS 0 # reserved [RFC7607]
> deny quick from any AS 23456 # AS_TRANS [RFC6793]
> deny quick from any AS 64496 - 131071 # reserved for documentation [RFC5398]
> deny quick from any AS 64512 - 65534 # reserved for private usage [RFC5398]
> deny quick from any AS 65535 # reserved [RFC7300]
> deny quick from any AS 65536 - 65551 # reserved for documentation [RFC5398]
> deny quick from any AS 65552 - 131071 # reserved by IANA
> deny quick from any AS 4200000000 - 4294967295 # reserved for private usage [RFC6996]
> deny quick from any AS 4294967295 # reserved [RFC7300]
>
You can write that a bit more compact:
deny quick from any AS 23456
deny quick from any AS 64496 - 131071
deny quick from any AS 4200000000 - 4294967295
Or as an alternative:
AS_BOGON="{ 23456, 64496 - 131071, 4200000000 - 4294967295}"
deny quick from any AS $AS_BOGON
AS 0 can never match so no need for such a rule. Then you have a lot of
overlapping ranges which can be simply combined.
--
:wq Claudio
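The range merging Claudio does by hand above, as an added example (not code from the thread or from OpenBSD bgpd): it takes Stéphane's bogon AS ranges, collapses overlapping and adjacent ones, and renders the compact `deny quick from any AS` lines. The range list and the rule-rendering function are this example's own assumptions; AS 0 is dropped from the rendered rules because, as the reply notes, such a rule can never match.

```python
# Constructed from the ranges Stéphane listed in the thread.
BOGON_AS_RANGES = [
    (0, 0),                    # reserved [RFC7607]
    (23456, 23456),            # AS_TRANS [RFC6793]
    (64496, 131071),           # documentation [RFC5398]
    (64512, 65534),            # private use [RFC5398]
    (65535, 65535),            # reserved [RFC7300]
    (65536, 65551),            # documentation [RFC5398]
    (65552, 131071),           # reserved by IANA
    (4200000000, 4294967295),  # private use [RFC6996]
    (4294967295, 4294967295),  # reserved [RFC7300]
]


def merge_as_ranges(ranges):
    """Merge overlapping or adjacent (lo, hi) AS ranges into a sorted list."""
    merged = []
    for lo, hi in sorted(ranges):
        if lo > hi or lo < 0 or hi > 4294967295:
            raise ValueError(f"bad AS range {lo}-{hi}")
        # Overlaps or touches the previous range: extend it instead.
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def bgpd_deny_rules(ranges):
    """Render merged ranges as bgpd.conf 'deny quick from any AS' lines.

    AS 0 is skipped: per the reply, a rule on AS 0 can never match.
    """
    lines = []
    for lo, hi in merge_as_ranges(ranges):
        lo = max(lo, 1)          # assumption: drop AS 0 from the rule set
        if lo > hi:
            continue
        spec = str(lo) if lo == hi else f"{lo} - {hi}"
        lines.append(f"deny quick from any AS {spec}")
    return lines


def is_bogon_as(asn, ranges=BOGON_AS_RANGES):
    """True if asn falls inside any of the (merged) bogon ranges."""
    return any(lo <= asn <= hi for lo, hi in merge_as_ranges(ranges))


if __name__ == "__main__":
    print("\n".join(bgpd_deny_rules(BOGON_AS_RANGES)))
```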