blackhole of ROA-covered prefixes
pierky committed Feb 3, 2017
1 parent 4a58b4a commit 4902414
Showing 5 changed files with 20 additions and 1 deletion.
3 changes: 3 additions & 0 deletions tests/live_tests/scenarios/global/AS101.j2
Expand Up @@ -19,6 +19,7 @@ protocol static own_prefixes {
route {{ data.AS101_roa_valid1 }} reject;
route {{ data.AS101_roa_invalid1 }} reject;
route {{ data.AS101_roa_badlen }} reject;
route {{ data.AS101_roa_blackhole }} reject;
}

filter outgoing {
Expand Down Expand Up @@ -52,6 +53,8 @@ filter outgoing {
bgp_path.prepend(174);
bgp_path.prepend(101);
}
if net = {{ data.AS101_roa_blackhole }} then
bgp_community.add((65535,666));
accept;
}
protocol bgp AS1_1 {
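Review bot: The new `if net = {{ data.AS101_roa_blackhole }} then` branch in `filter outgoing` carries no comment explaining why this one route is tagged, and the bare `(65535,666)` reads like an arbitrary test value. I would add a line above it such as `# RFC 7999 BLACKHOLE community on a host route inside the ROA-covered AS101_roa_badlen prefix`, so a reader of the scenario sees that the announcement is deliberately placed under a prefix the RPKI check would otherwise reject. The same one-line explanation would help next to the new `route {{ data.AS101_roa_blackhole }} reject;` entry in `own_prefixes`. Both blocks begin outside the hunks shown here.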
3 changes: 2 additions & 1 deletion tests/live_tests/scenarios/global/README.rst
Expand Up @@ -138,5 +138,6 @@ Built to group as many tests as possible in a single scenario.
AS101_transitfree_1 101.0.7.0/24 [101 174] fail as_path_contains_transit_free_asn
AS101_roa_valid1 101.0.8.0/24 roa check ok (roa n. 1), tagged with 64512:1 / 999:64512:1
AS101_roa_invalid1 101.0.9.0/24 roa check fail (roa n. 2, bad origin ASN), rejected
AS101_roa_badlen 101.0.128.0/22 roa check fail (roa n. 3, bad length), rejected
AS101_roa_badlen 101.0.128.0/24 roa check fail (roa n. 3, bad length), rejected
AS101_roa_blackhole 101.0.128.1/32 65535:666, pass because blackhole filtering request
==================== ============== ========== ==================================================================================
13 changes: 13 additions & 0 deletions tests/live_tests/scenarios/global/base.py
Expand Up @@ -299,6 +299,19 @@ def test_045_rpki_invalid_prefixes_not_propagated_to_clients(self):
with self.assertRaises(AssertionError):
self.receive_route_from(self.AS3, self.DATA[pref_id])

def test_045_blackhole_with_roa(self):
"""{}: RPKI, blackhole request for a covered prefix"""
self.receive_route_from(self.rs, self.DATA["AS101_roa_blackhole"], self.AS1_1, as_path="1 101",
std_comms=["65535:666"], lrg_comms=[])
self.receive_route_from(self.rs, self.DATA["AS101_roa_blackhole"], self.AS2, as_path="2 101",
std_comms=["65535:666"], lrg_comms=[])
for inst in (self.AS1_1, self.AS2):
self.log_contains(self.rs, "blackhole filtering request from {{inst}} - ACCEPTING {}".format(
self.DATA["AS101_roa_blackhole"]), {"inst": inst})
self.receive_route_from(self.AS3, self.DATA["AS101_roa_blackhole"], self.rs,
next_hop=self.DATA["blackhole_IP"],
std_comms=["65535:666"], lrg_comms=[])

def test_050_prefixes_from_AS101_received_by_its_upstreams(self):
"""{}: prefixes from AS101 received by its upstreams"""
self.receive_route_from(self.AS1_1, self.DATA["AS101_good1"], self.AS101)
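Review bot: `test_045_blackhole_with_roa` pins only the accepting path: AS101 is the origin in both `as_path` values, so nothing in this hunk shows what the route server does with a `65535:666` announcement for a ROA-covered prefix whose origin ASN does not match the ROA. Since the blackhole tag is what lets this host route through where `AS101_roa_badlen` is rejected, that case decides whether the community acts as a general bypass of origin validation, and it deserves a test of its own whichever outcome is intended. If the policy is to reject it, the check can mirror the one just above, `with self.assertRaises(AssertionError):` around a `self.receive_route_from(self.AS3, ...)` for a wrong-origin blackhole prefix. That needs a new scenario entry, and the rest of the suite is outside this view and may already cover it.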
1 change: 1 addition & 0 deletions tests/live_tests/scenarios/global/test_bird4.py
Expand Up @@ -74,6 +74,7 @@ class BasicScenario_BIRDIPv4(BasicScenario):
"AS101_roa_valid1": "101.0.8.0/24",
"AS101_roa_invalid1": "101.0.9.0/24",
"AS101_roa_badlen": "101.0.128.0/24",
"AS101_roa_blackhole": "101.0.128.1/32",

"AS102_no_asset": "102.0.1.0/24",
}
1 change: 1 addition & 0 deletions tests/live_tests/scenarios/global/test_bird6.py
Expand Up @@ -74,6 +74,7 @@ class BasicScenario_BIRDIPv6(BasicScenario):
"AS101_roa_valid1": "3101:0:8::/48",
"AS101_roa_invalid1": "3101:0:9::/48",
"AS101_roa_badlen": "3101:0:8000::/48",
"AS101_roa_blackhole": "3101:0:8000::1/128",

"AS102_no_asset": "3102:0:1::/48",
}
