From c73b5d2d3d94204d2a81d93efd02c4c115859353 Mon Sep 17 00:00:00 2001
From: Eugene Bogomazov
Date: Mon, 11 Jul 2022 17:19:34 +0200
Subject: BGP: Implement BGP roles
Implement BGP roles as described in RFC 9234. It is a mechanism for route leak prevention and automatic route filtering based on common BGP topology relationships. It defines role capability (controlled by 'local role' option) and OTC route attribute, which is used for automatic route filtering and leak detection. Minor changes done by commiter.
---
 proto/bgp/bgp.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
(limited to 'proto/bgp/bgp.c')
diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c
index 89507f1a..3b28a338 100644
--- a/proto/bgp/bgp.c
+++ b/proto/bgp/bgp.c
@@ -102,6 +102,7 @@
 * RFC 8212 - Default EBGP Route Propagation Behavior without Policies
 * RFC 8654 - Extended Message Support for BGP
 * RFC 9117 - Revised Validation Procedure for BGP Flow Specifications
+ * RFC 9234 - Route Leak Prevention and Detection Using Roles
 * draft-ietf-idr-ext-opt-param-07
 * draft-uttaro-idr-bgp-persistence-04
 * draft-walton-bgp-hostname-capability-02
@@ -1983,6 +1984,12 @@ bgp_postconfig(struct proto_config *CF)
 if (internal && cf->rs_client)
 cf_error("Only external neighbor can be RS client");
+ if (internal && (cf->local_role != BGP_ROLE_UNDEFINED))
+ cf_error("Local role cannot be set on IBGP sessions");
+
+ if (cf->require_roles && (cf->local_role == BGP_ROLE_UNDEFINED))
+ cf_error("Local role must be set if roles are required");
+
 if (!cf->confederation && cf->confederation_member)
 cf_error("Confederation ID must be set for member sessions");
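Review bot: The two new checks in bgp_postconfig carry no comment explaining why a local role is refused on IBGP sessions, and a later reader will not see that this follows the specification rather than an implementation limitation; a one-liner above the first added `if` such as `/* RFC 9234: roles are defined for EBGP sessions only; strict mode needs a local role */` would record that. The checks themselves mirror the neighbouring rs_client check in shape and error style, which is good. bgp_postconfig starts and ends outside this hunk, so any interaction with checks placed elsewhere in the function cannot be judged from here.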
@@ -2345,6 +2352,15 @@ bgp_show_afis(int code, char *s, u32 *afis, uint count)
 cli_msg(code, b.start);
 }
+static const char *
+bgp_format_role_name(u8 role)
+{
+ static const char *bgp_role_names[] = { "provider", "rs_server", "rs_client", "customer", "peer" };
+ if (role == BGP_ROLE_UNDEFINED) return "undefined";
+ if (role < 5) return bgp_role_names[role];
+ return "?";
+}
+
 static void
 bgp_show_capabilities(struct bgp_proto *p UNUSED, struct bgp_caps *caps)
 {
@@ -2473,6 +2489,9 @@ bgp_show_capabilities(struct bgp_proto *p UNUSED, struct bgp_caps *caps)
 if (caps->hostname)
 cli_msg(-1006, " Hostname: %s", caps->hostname);
+
+ if (caps->role != BGP_ROLE_UNDEFINED)
+ cli_msg(-1006, " Role: %s", bgp_format_role_name(caps->role));
 }
 static void
-- cgit v1.2.3
From 971721c9b50d361e886762f1c7d0392e10f74021 Mon Sep 17 00:00:00 2001
From: Ondrej Zajicek
Date: Tue, 12 Jul 2022 15:03:17 +0200
Subject: BGP: Minor improvements to BGP roles
Add support for bgp_otc in filters and warning for configuration inside confederations.
---
 doc/bird.sgml | 3 ++-
 proto/bgp/bgp.c | 5 ++++-
 proto/bgp/config.Y | 4 +++-
 3 files changed, 9 insertions(+), 3 deletions(-)
(limited to 'proto/bgp/bgp.c')
diff --git a/doc/bird.sgml b/doc/bird.sgml
index c1ce1b91..a0d9c405 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml
@@ -2829,7 +2829,8 @@ using the following configuration parameters:
 leaks created by third parties. This option is valid for EBGP sessions, but it is not recommended to be
- used within AS confederations.
+ used within AS confederations (which would require manual filtering of
+ values are: local_role != BGP_ROLE_UNDEFINED)) cf_error("Local role cannot be set on IBGP sessions");
+ if (interior && (cf->local_role != BGP_ROLE_UNDEFINED))
+ log(L_WARN "BGP roles are not recommended to be used within AS confederations");
+
 if (cf->require_roles && (cf->local_role == BGP_ROLE_UNDEFINED))
 cf_error("Local role must be set if roles are required");
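Review bot: bgp_role_names in the new bgp_format_role_name is indexed directly by the role value, so its element order must match the numeric BGP_ROLE_* definitions, and nothing in the hunk records that coupling; a comment such as `/* Indexed by BGP_ROLE_* values; keep order in sync with those definitions */` above the table would make a later reordering of either side visibly risky. The table should also be declared `static const char *const bgp_role_names[]` so the pointers themselves are read-only, not just the strings. The "?" fallback is worth keeping as is: the following hunk passes caps->role to this function for display, and that value presumably originates from the peer's capability rather than local configuration, so an out-of-range role must not be able to index past the table. The same two points apply to the later hunk in this page that replaces the literal 5 with ARRAY_SIZE(bgp_role_names).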
@@ -2357,7 +2360,7 @@ bgp_format_role_name(u8 role)
 {
 static const char *bgp_role_names[] = { "provider", "rs_server", "rs_client", "customer", "peer" };
 if (role == BGP_ROLE_UNDEFINED) return "undefined";
- if (role < 5) return bgp_role_names[role];
+ if (role < ARRAY_SIZE(bgp_role_names)) return bgp_role_names[role];
 return "?";
 }
diff --git a/proto/bgp/config.Y b/proto/bgp/config.Y
index a00aa156..cb410a5e 100644
--- a/proto/bgp/config.Y
+++ b/proto/bgp/config.Y
@@ -32,7 +32,7 @@ CF_KEYWORDS(BGP, LOCAL, NEIGHBOR, AS, HOLD, TIME, CONNECT, RETRY, KEEPALIVE,
 LIVED, STALE, IMPORT, IBGP, EBGP, MANDATORY, INTERNAL, EXTERNAL, SETS, DYNAMIC, RANGE, NAME, DIGITS, BGP_AIGP, AIGP, ORIGINATE, COST, ENFORCE, FIRST, FREE, VALIDATE, BASE, ROLE, ROLES, PEER, PROVIDER, CUSTOMER,
- RS_SERVER, RS_CLIENT, REQUIRE)
+ RS_SERVER, RS_CLIENT, REQUIRE, BGP_OTC)
 %type bgp_nh
 %type bgp_afi
@@ -355,6 +355,8 @@ dynamic_attr: BGP_AIGP
 { $$ = f_new_dynamic_attr(EAF_TYPE_OPAQUE, T_ENUM_EMPTY, EA_CODE(PROTOCOL_BGP, BA_AIGP)); } ;
 dynamic_attr: BGP_LARGE_COMMUNITY
 { $$ = f_new_dynamic_attr(EAF_TYPE_LC_SET, T_LCLIST, EA_CODE(PROTOCOL_BGP, BA_LARGE_COMMUNITY)); } ;
+dynamic_attr: BGP_OTC
+ { $$ = f_new_dynamic_attr(EAF_TYPE_INT, T_INT, EA_CODE(PROTOCOL_BGP, BA_ONLY_TO_CUSTOMER)); } ;
-- cgit v1.2.3