From c73b5d2d3d94204d2a81d93efd02c4c115859353 Mon Sep 17 00:00:00 2001
From: Eugene Bogomazov <eb@qrator.net>
Date: Mon, 11 Jul 2022 17:19:34 +0200
Subject: BGP: Implement BGP roles

Implement BGP roles as described in RFC 9234. It is  a mechanism for
route leak prevention and automatic route filtering based on common BGP
topology relationships. It defines role capability (controlled by 'local
role' option) and OTC route attribute, which is used for automatic route
filtering and leak detection.

Minor changes done by commiter.
---
 doc/bird.sgml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

(limited to 'doc')

diff --git a/doc/bird.sgml b/doc/bird.sgml
index 89b1541c..c1ce1b91 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -2377,6 +2377,7 @@ avoid routing loops.
 <item> <rfc id="8203"> - BGP Administrative Shutdown Communication
 <item> <rfc id="8212"> - Default EBGP Route Propagation Behavior without Policies
 <item> <rfc id="9117"> - Revised Validation Procedure for BGP Flow Specifications
+<item> <rfc id="9234"> - Route Leak Prevention and Detection Using Roles
 </itemize>
 
 <sect1>Route selection rules
@@ -2817,6 +2818,28 @@ using the following configuration parameters:
 	protocol itself (for example, if a route is received through eBGP and
 	therefore does not have such attribute). Default: 100 (0 in pre-1.2.0
 	versions of BIRD).
+
+	<tag><label id="bgp-local-role">local role <m/role-name/</tag>
+	BGP roles are a mechanism for route leak prevention and automatic route
+	filtering based on common BGP topology relationships. They are defined
+	in <rfc id="9234">. Instead of manually configuring filters and
+	communities, automatic filtering is done with the help of the OTC
+	attribute - a flag for routes that should be sent only to customers.
+	The same attribute is also used to automatically detect and filter route
+	leaks created by third parties.
+
+	This option is valid for EBGP sessions, but it is not recommended to be
+	used within AS confederations.
+
+	Possible <cf><m/role-name/</cf> values are: <cf/provider/,
+	<cf/rs_server/, <cf/rs_client/, <cf/customer/ and <cf/peer/.
+	Default: No local role assigned.
+
+	<tag><label id="bgp-require-roles">require roles <m/switch/</tag>
+	If this option is set, the BGP roles must be defined on both sides,
+	otherwise the session will not be established. This behavior is defined
+	in <rfc id="9234"> as "strict mode" and is used to enforce corresponding
+	configuration at your conterpart side. Default: disabled.
 </descrip>
 
 <sect1>Channel configuration
@@ -3124,6 +3147,11 @@ some of them (marked with `<tt/O/') are optional.
 	This attribute contains accumulated IGP metric, which is a total
 	distance to the destination through multiple autonomous systems.
 	Currently, the attribute is not accessible from filters.
+
+	<tag><label id="bgp-otc">int bgp_otc [O]</tag>
+	This attribute is defined in <rfc id="9234">. OTC is a flag that marks
+	routes that should be sent only to customers. If <ref id="bgp-role"
+	name="local Role"> is configured it set automatically.
 </descrip>
 
 <sect1>Example
-- 
cgit v1.2.3


From 971721c9b50d361e886762f1c7d0392e10f74021 Mon Sep 17 00:00:00 2001
From: Ondrej Zajicek <santiago@crfreenet.org>
Date: Tue, 12 Jul 2022 15:03:17 +0200
Subject: BGP: Minor improvements to BGP roles

Add support for bgp_otc in filters and warning for configuration
inside confederations.
---
 doc/bird.sgml      | 3 ++-
 proto/bgp/bgp.c    | 5 ++++-
 proto/bgp/config.Y | 4 +++-
 3 files changed, 9 insertions(+), 3 deletions(-)

(limited to 'doc')

diff --git a/doc/bird.sgml b/doc/bird.sgml
index c1ce1b91..a0d9c405 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -2829,7 +2829,8 @@ using the following configuration parameters:
 	leaks created by third parties.
 
 	This option is valid for EBGP sessions, but it is not recommended to be
-	used within AS confederations.
+	used within AS confederations (which would require manual filtering of
+	<cf/bgp_otc/ attribute on confederation boundaries).
 
 	Possible <cf><m/role-name/</cf> values are: <cf/provider/,
 	<cf/rs_server/, <cf/rs_client/, <cf/customer/ and <cf/peer/.
diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c
index 3b28a338..0f06746f 100644
--- a/proto/bgp/bgp.c
+++ b/proto/bgp/bgp.c
@@ -1987,6 +1987,9 @@ bgp_postconfig(struct proto_config *CF)
   if (internal && (cf->local_role != BGP_ROLE_UNDEFINED))
     cf_error("Local role cannot be set on IBGP sessions");
 
+  if (interior && (cf->local_role != BGP_ROLE_UNDEFINED))
+    log(L_WARN "BGP roles are not recommended to be used within AS confederations");
+
   if (cf->require_roles && (cf->local_role == BGP_ROLE_UNDEFINED))
     cf_error("Local role must be set if roles are required");
 
@@ -2357,7 +2360,7 @@ bgp_format_role_name(u8 role)
 {
   static const char *bgp_role_names[] = { "provider", "rs_server", "rs_client", "customer", "peer" };
   if (role == BGP_ROLE_UNDEFINED) return "undefined";
-  if (role < 5) return bgp_role_names[role];
+  if (role < ARRAY_SIZE(bgp_role_names)) return bgp_role_names[role];
   return "?";
 }
 
diff --git a/proto/bgp/config.Y b/proto/bgp/config.Y
index a00aa156..cb410a5e 100644
--- a/proto/bgp/config.Y
+++ b/proto/bgp/config.Y
@@ -32,7 +32,7 @@ CF_KEYWORDS(BGP, LOCAL, NEIGHBOR, AS, HOLD, TIME, CONNECT, RETRY, KEEPALIVE,
 	LIVED, STALE, IMPORT, IBGP, EBGP, MANDATORY, INTERNAL, EXTERNAL, SETS,
 	DYNAMIC, RANGE, NAME, DIGITS, BGP_AIGP, AIGP, ORIGINATE, COST, ENFORCE,
 	FIRST, FREE, VALIDATE, BASE, ROLE, ROLES, PEER, PROVIDER, CUSTOMER,
-	RS_SERVER, RS_CLIENT, REQUIRE)
+	RS_SERVER, RS_CLIENT, REQUIRE, BGP_OTC)
 
 %type <i> bgp_nh
 %type <i32> bgp_afi
@@ -355,6 +355,8 @@ dynamic_attr: BGP_AIGP
 	{ $$ = f_new_dynamic_attr(EAF_TYPE_OPAQUE, T_ENUM_EMPTY, EA_CODE(PROTOCOL_BGP, BA_AIGP)); } ;
 dynamic_attr: BGP_LARGE_COMMUNITY
 	{ $$ = f_new_dynamic_attr(EAF_TYPE_LC_SET, T_LCLIST, EA_CODE(PROTOCOL_BGP, BA_LARGE_COMMUNITY)); } ;
+dynamic_attr: BGP_OTC
+	{ $$ = f_new_dynamic_attr(EAF_TYPE_INT, T_INT, EA_CODE(PROTOCOL_BGP, BA_ONLY_TO_CUSTOMER)); } ;
 
 
 
-- 
cgit v1.2.3