From ebd32b68866f62f4fdd5e410ffda9fab8b6156a1 Mon Sep 17 00:00:00 2001 From: Barry O'Donovan Date: Wed, 15 Sep 2021 20:43:22 +0100 Subject: [PATCH] [IM] Update transit ASN filtering and allow greater control - closes inex/IXP-Manager#716 Docs at: https://docs.ixpmanager.org/features/routers/#filtering-known-transit-networks --- .env.dev | 2 + .env.example | 4 + config/ixp.php | 22 ++++++ .../known-good/ci-apiv4-b2-rs1-lan1-ipv4.conf | 18 +---- .../known-good/ci-apiv4-b2-rs1-lan1-ipv6.conf | 18 +---- .../bird2/filter-transit-networks.foil.php | 74 ++++++++++++++----- .../bird2/filter-transit-networks.foil.php | 72 +++++++++++++----- 7 files changed, 141 insertions(+), 69 deletions(-) diff --git a/.env.dev b/.env.dev index 4266720be..cf8ed679a 100644 --- a/.env.dev +++ b/.env.dev @@ -294,4 +294,6 @@ IXP_IRRDB_BGPQ3_PATH=/usr/local/bin/bgpq3 2FA_ENABLED=false +#IXP_NO_TRANSIT_ASNS_EXCLUDE=174,1299 +#IXP_NO_TRANSIT_ASNS_OVERRIDE=25,45,174 diff --git a/.env.example b/.env.example index f234888a7..fff08b26e 100644 --- a/.env.example +++ b/.env.example @@ -289,4 +289,8 @@ IXP_IRRDB_BGPQ3_PATH=/usr/bin/bgpq3 # PEERINGDB_OAUTH_REDIRECT="https://www.example.com/auth/login/peeringdb/callback" +######################################################################################### +### See: https://docs.ixpmanager.org/features/routers/#filtering-known-transit-networks +# IXP_NO_TRANSIT_ASNS_EXCLUDE=65501,65502 +# IXP_NO_TRANSIT_ASNS_OVERRIDE=65501,65502,65503 diff --git a/config/ixp.php b/config/ixp.php index 6815094ef..9f1d04bca 100644 --- a/config/ixp.php +++ b/config/ixp.php 
@@ -126,4 +126,26 @@ ], + // Filter known transit networks + // Inspired by: http://bgpfilterguide.nlnog.net/guides/no_transit_leaks/ + // Overrides: + 'no_transit_asns' => [ + 'override' => call_user_func( function() { + $env = env( 'IXP_NO_TRANSIT_ASNS_OVERRIDE', false ); + + if( $env === false ) { + return false; + } + + if( !$env ) { + return []; + } + + return explode( ',', $env ); + }), + + 'exclude' => explode( ',', env( 'IXP_NO_TRANSIT_ASNS_EXCLUDE', '' ) ), + ], + + ]; diff --git a/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv4.conf b/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv4.conf index b4e317d2d..f34cb58ab 100644 --- a/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv4.conf +++ b/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv4.conf @@ -266,23 +266,7 @@ function filter_rpki() ######################################################################################## -define TRANSIT_ASNS = [ 174, # Cogent - 209, # Qwest (HE carries this on IXPs IPv6 (Jul 12 2018)) - 701, # UUNET - 702, # UUNET - 1239, # Sprint - 1299, # Telia - 2914, # NTT Communications - 3257, # GTT Backbone - 3320, # Deutsche Telekom AG (DTAG) - 3356, # Level3 - 3549, # Level3 - 3561, # Savvis / CenturyLink - 4134, # Chinanet - 5511, # Orange opentransit - 6453, # Tata Communications - 6762, # Seabone / Telecom Italia - 7018 ]; # AT&T +define TRANSIT_ASNS = [ 174, 701, 1299, 2914, 3257, 3320, 3356, 3491, 4134, 5511, 6453, 6461, 6762, 6830, 7018 ]; function filter_has_transit_path() int set transit_asns; diff --git a/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv6.conf b/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv6.conf index 660118441..a46124fc5 100644 --- a/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv6.conf +++ b/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv6.conf 
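Review bot: The values placed in `exclude` and `override` are the raw pieces of `explode( ',', ... )`, never trimmed or checked to be numeric, so `IXP_NO_TRANSIT_ASNS_EXCLUDE=174, 1299` produces the key ` 1299`, which will not match an integer-keyed ASN list downstream and the exclusion silently does not apply, while an empty `IXP_NO_TRANSIT_ASNS_EXCLUDE` still yields `['']`. Because the `override` closure treats any falsy string as "disable filtering" via `if( !$env )`, `IXP_NO_TRANSIT_ASNS_OVERRIDE=0` also switches the transit filter off silently instead of being rejected. I would normalise both lists at this layer so the templates only ever see positive integers: `return array_map( 'intval', array_filter( array_map( 'trim', explode( ',', $env ) ), 'ctype_digit' ) );` for the override return and the same wrapping around the `exclude` `explode()`, and narrow the disable check to `if( trim( $env ) === '' )` so only a genuinely empty value turns the filter off. The hunk is complete, but the enclosing `return [` of the config file is outside it.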
@@ -275,23 +275,7 @@ function filter_rpki() ######################################################################################## -define TRANSIT_ASNS = [ 174, # Cogent - 209, # Qwest (HE carries this on IXPs IPv6 (Jul 12 2018)) - 701, # UUNET - 702, # UUNET - 1239, # Sprint - 1299, # Telia - 2914, # NTT Communications - 3257, # GTT Backbone - 3320, # Deutsche Telekom AG (DTAG) - 3356, # Level3 - 3549, # Level3 - 3561, # Savvis / CenturyLink - 4134, # Chinanet - 5511, # Orange opentransit - 6453, # Tata Communications - 6762, # Seabone / Telecom Italia - 7018 ]; # AT&T +define TRANSIT_ASNS = [ 174, 701, 1299, 2914, 3257, 3320, 3356, 3491, 4134, 5511, 6453, 6461, 6762, 6830, 7018 ]; function filter_has_transit_path() int set transit_asns; diff --git a/resources/views/api/v4/router/collector/bird2/filter-transit-networks.foil.php b/resources/views/api/v4/router/collector/bird2/filter-transit-networks.foil.php index 9f1ba31cb..7cb5bae4e 100644 --- a/resources/views/api/v4/router/collector/bird2/filter-transit-networks.foil.php +++ b/resources/views/api/v4/router/collector/bird2/filter-transit-networks.foil.php 
@@ -10,33 +10,71 @@ ######################################################################################## ######################################################################################## + 'Cogent', + 701 => 'UUNET', + 1299 => 'Telia', + 2914 => 'NTT Communications', + 3257 => 'GTT Backbone', + 3320 => 'Deutsche Telekom AG (DTAG)', + 3356 => 'Level3', + 3491 => 'PCCW', + 4134 => 'Chinanet', + 5511 => 'Orange opentransit', + 6453 => 'Tata Communications', + 6461 => 'Zayo Bandwidth', + 6762 => 'Seabone / Telecom Italia', + 6830 => 'Liberty Global', + 7018 => 'AT&T', + ]; -define TRANSIT_ASNS = [ 174, # Cogent - 209, # Qwest (HE carries this on IXPs IPv6 (Jul 12 2018)) - 701, # UUNET - 702, # UUNET - 1239, # Sprint - 1299, # Telia - 2914, # NTT Communications - 3257, # GTT Backbone - 3320, # Deutsche Telekom AG (DTAG) - 3356, # Level3 - 3549, # Level3 - 3561, # Savvis / CenturyLink - 4134, # Chinanet - 5511, # Orange opentransit - 6453, # Tata Communications - 6762, # Seabone / Telecom Italia - 7018 ]; # AT&T + // possible overrides - exclusions from the above: + if( count( config( 'ixp.no_transit_asns.exclude' ) ) ) { + foreach( config( 'ixp.no_transit_asns.exclude' ) as $asn ) { + if( isset( $no_transit_asns[$asn] ) ) { + unset( $no_transit_asns[$asn] ); + } + } + } + + // possible overrides - complete replacement: + if( config( 'ixp.no_transit_asns.override' ) !== false ) { + $no_transit_asns = []; + foreach( config( 'ixp.no_transit_asns.override' ) as $asn ) { + $no_transit_asns[ $asn ] = 'Override from .env file'; + } + } +?> + +# Filtering the following ASNs: +# + $desc ): ?> +# - + + + + +# .env file has disabled transit ASN filtering with an empty IXP_NO_TRANSIT_ASNS_OVERRIDE setting: +function filter_has_transit_path() +{ + return false; +} + + +define TRANSIT_ASNS = [ ]; function filter_has_transit_path() int set transit_asns; { transit_asns = TRANSIT_ASNS; - if (bgp_path.first !~ transit_asns && bgp_path ~ transit_asns) then { + if (bgp_path ~ 
transit_asns) then { bgp_large_community.add( IXP_LC_FILTERED_TRANSIT_FREE_ASN ); return true; } return false; } + + \ No newline at end of file diff --git a/resources/views/api/v4/router/server/bird2/filter-transit-networks.foil.php b/resources/views/api/v4/router/server/bird2/filter-transit-networks.foil.php index 2d6f8c41e..7cb5bae4e 100644 --- a/resources/views/api/v4/router/server/bird2/filter-transit-networks.foil.php +++ b/resources/views/api/v4/router/server/bird2/filter-transit-networks.foil.php 
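Review bot: The new condition at the end of the hunk drops the `bgp_path.first !~ transit_asns` guard, so a route learned directly from a listed ASN (a transit network that is itself a member peering with the collector) is now tagged `IXP_LC_FILTERED_TRANSIT_FREE_ASN`, whereas the removed line exempted the direct peer; neither the commit message nor the template says this is deliberate. If the route-server template still carries the guard (its `if` line is not part of this diff), the collector will report as filtered routes that the route servers actually accept, which undermines the collector's value as a preview of route-server behaviour. If the collector is meant to flag the superset on purpose, state it above the function: `# Collector: flag any path containing a transit ASN, even when that ASN is the direct peer (informational only)`; otherwise restore `if (bgp_path.first !~ transit_asns && bgp_path ~ transit_asns) then {`. The PHP opening tags in this hunk appear to have been lost in rendering, so the surrounding template logic is only partly visible here.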
@@ -10,24 +10,60 @@ ######################################################################################## ######################################################################################## + 'Cogent', + 701 => 'UUNET', + 1299 => 'Telia', + 2914 => 'NTT Communications', + 3257 => 'GTT Backbone', + 3320 => 'Deutsche Telekom AG (DTAG)', + 3356 => 'Level3', + 3491 => 'PCCW', + 4134 => 'Chinanet', + 5511 => 'Orange opentransit', + 6453 => 'Tata Communications', + 6461 => 'Zayo Bandwidth', + 6762 => 'Seabone / Telecom Italia', + 6830 => 'Liberty Global', + 7018 => 'AT&T', + ]; -define TRANSIT_ASNS = [ 174, # Cogent - 209, # Qwest (HE carries this on IXPs IPv6 (Jul 12 2018)) - 701, # UUNET - 702, # UUNET - 1239, # Sprint - 1299, # Telia - 2914, # NTT Communications - 3257, # GTT Backbone - 3320, # Deutsche Telekom AG (DTAG) - 3356, # Level3 - 3549, # Level3 - 3561, # Savvis / CenturyLink - 4134, # Chinanet - 5511, # Orange opentransit - 6453, # Tata Communications - 6762, # Seabone / Telecom Italia - 7018 ]; # AT&T + // possible overrides - exclusions from the above: + if( count( config( 'ixp.no_transit_asns.exclude' ) ) ) { + foreach( config( 'ixp.no_transit_asns.exclude' ) as $asn ) { + if( isset( $no_transit_asns[$asn] ) ) { + unset( $no_transit_asns[$asn] ); + } + } + } + + // possible overrides - complete replacement: + if( config( 'ixp.no_transit_asns.override' ) !== false ) { + $no_transit_asns = []; + foreach( config( 'ixp.no_transit_asns.override' ) as $asn ) { + $no_transit_asns[ $asn ] = 'Override from .env file'; + } + } +?> + +# Filtering the following ASNs: +# + $desc ): ?> +# - + + + + +# .env file has disabled transit ASN filtering with an empty IXP_NO_TRANSIT_ASNS_OVERRIDE setting: +function filter_has_transit_path() +{ + return false; +} + + +define TRANSIT_ASNS = [ ]; function filter_has_transit_path() int set transit_asns; @@ -40,3 +76,5 @@ function filter_has_transit_path() return false; } + + \ No newline at end of file
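Review bot: The exclusion loop runs before the override check, so whenever `IXP_NO_TRANSIT_ASNS_OVERRIDE` is set the override branch resets `$no_transit_asns = []` and every entry in `IXP_NO_TRANSIT_ASNS_EXCLUDE` is silently discarded; an operator who sets both gets a filter list they did not ask for and nothing in the generated config explains why. The cheapest fix is to make the precedence visible rather than change it: echo `# NOTE: IXP_NO_TRANSIT_ASNS_OVERRIDE is set; IXP_NO_TRANSIT_ASNS_EXCLUDE is ignored` inside the override branch, or, if exclusions are meant to apply to an override list as well, move the exclusion block below the override block. Separately, both loops use `$asn` straight from `explode()` as an array key and, judging by the surviving `# - ` and `define TRANSIT_ASNS = [ ];` lines, echo it into the BIRD config, so a stray space or typo in `.env` either makes an exclusion a no-op or breaks the route-server configuration; `$asn = (int) trim( $asn );` at the top of each loop with a `continue` on `0` guards both. `filter_has_transit_path()` at the end of the first hunk continues beyond it.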