Commit graph

549 commits

Author SHA1 Message Date
Ondrej Zajicek (work)
1f2eb2aca8 BGP: Implement flowspec validation procedure
Implement flowspec validation procedure as described in RFC 8955 sec. 6
and RFC 9117. The Validation procedure enforces that only routers in the
forwarding path for a network can originate flowspec rules for that
network.

The patch adds new mechanism for tracking inter-table dependencies, which
is necessary as the flowspec validation depends on IP routes, and flowspec
rules must be revalidated when best IP routes change.

The validation procedure is disabled by default and requires that
relevant IP table uses trie, as it uses interval queries for subnets.
2022-02-06 23:27:13 +01:00
Ondrej Zajicek (work)
596f2e32e3 Nest: Allow both 'password' and 'key' keywords for authentication keys 2021-06-09 19:54:01 +02:00
Ondrej Zajicek (work)
b174cc0abc Babel: Add MAC authentication support - update
Some cleanups and bugfixes to the previous patch, including:

 - Fix rate limiting in index mismatch check

 - Fix missing BABEL_AUTH_INDEX_LEN in auth_tx_overhead computation

 - Fix missing auth_tx_overhead recalculation during reconfiguration

 - Fix pseudoheader construction in babel_auth_sign() (sport vs fport)

 - Fix typecasts for ptrdiffs in log messages

 - Make auth log messages similar to corresponding RIP/OSPF ones

 - Change auth log messages for events that happen during regular
   operation to debug messages

 - Switch meaning of babel_auth_check*() functions for consistency
   with corresponding RIP/OSPF ones

 - Remove requirement for min/max key length, only those required by
   given MAC code are enforced
2021-06-06 16:28:18 +02:00
Toke Høiland-Jørgensen
b218a28f61 Babel: Add MAC authentication support
This implements support for MAC authentication in the Babel protocol, as
specified by RFC 8967. The implementation seeks to follow the RFC as close
as possible, with the only deliberate deviation being the addition of
support for all the HMAC algorithms already supported by Bird, as well as
the Blake2b variant of the Blake algorithm.

For description of applicability, assumptions and security properties,
see RFC 8967 sections 1.1 and 1.2.
2021-06-06 16:28:18 +02:00
Toke Høiland-Jørgensen
35f88b305a Nest: Allow specifying security keys as hex bytes as well as strings
Add support for specifying a password in hexadecimal format, The result
is the same whether a password is specified as a quoted string or a
hex-encoded byte string, this just makes it more convenient to input
high-entropy byte strings as MAC keys.
2021-06-06 16:28:18 +02:00
Toke Høiland-Jørgensen
725d9af94a Lib: Add Blake2s and Blake2b hash functions
The Babel MAC authentication RFC recommends implementing Blake2s as one of
the supported algorithms. In order to achieve do this, add the blake2b and
blake2s hash functions for MAC authentication. The hashing function
implementations are the reference implementations from blake2.net.

The Blake2 algorithms allow specifying an arbitrary output size, and the
Babel MAC spec says to implement Blake2s with 128-bit output. To satisfy
this, we add two different variants of each of the algorithms, one using
the default size (256 bits for Blake2s, 512 bits for Blake2b), and one
using half the default output size.

Update to BIRD coding style done by committer.
2021-06-06 16:26:58 +02:00
Ondrej Zajicek (work)
c3c691e95c Flowspec: Documentation update 2021-05-18 20:41:01 +02:00
Ondrej Zajicek (work)
dd8481cc1c Flowspec: Do not use comma for bitmask operators
For numeric operators, comma is used for disjunction in expressions like
"10, 20, 30..40". But for bitmask operators, comma is used for
conjunction in a way that does not really make much sense. Use always
explicit logical operators (&& and ||) to connect bitmask operators.

Thanks to Matt Corallo for the bugreport.
2021-05-18 19:54:18 +02:00
Trisha Biswas
e5468d1685 Filter: Add MPLS label route attribute
Add support to set or read outgoing MPLS labels using filters. Currently
this supports the addition of one label per route for the first next hop.

Minor changes by committer.
2021-05-17 17:50:04 +02:00
Ondrej Zajicek (work)
58510024be Doc: Include full LinuxDocTools code
BIRD uses hacked LinuxDocTools for building documentation, keeping some
parts locally and using remaining parts from system-installed one. This
setup breaks when LinuxDocTools makes some internal changes and is hard
to keep consistent.

Just include full LinuxDocTools code (both hacked and unmodified parts)
to avoid consistency issues. Note that we still need some binaries from
LinuxDocTools, so it still needs to be installed to build documentation.
2021-04-25 02:21:05 +02:00
Ondrej Zajicek (work)
5caf32efa2 Doc: Fix flowspec example
Thanks to Matt Corallo for the bugreport.
2021-04-03 20:09:32 +02:00
Ondrej Zajicek (work)
0d1a11cca3 Doc: Document automatic RPKI reload 2021-03-15 17:51:33 +01:00
Ondrej Zajicek (work)
6489a2450e Doc: Document channel debug options 2021-03-15 16:16:32 +01:00
Vincent Bernat
714238716e BGP: Add support for BGP hostname capability
This is an implementation of draft-walton-bgp-hostname-capability-02.
It is implemented since quite some time for FRR and in datacenter, this
gives a nice output to avoid using IP addresses.

It is disabled by default. The hostname is retrieved from uname(2) and
can be overriden with "hostname" option. The domain name is never set
nor displayed.

Minor changes by committer.
2021-02-10 16:53:57 +01:00
Ondrej Zajicek (work)
a141959f07 Doc: Describe per-nexthop static route options
Also remove description of (no longer supported) per-route 'bfd' option,
and add examples of IPv6 routes with link-local nexthops.
2021-01-07 01:20:56 +01:00
Ondrej Zajicek (work)
4155104c90 BGP: Deprecate 'missing lladdr' option
The option is not implemented since transition to 2.0 and no plan to add it.
Also remove some deprecated RTS_* valus from documentation.

Thanks to Sébastien Parisot for notification.
2021-01-06 14:44:23 +01:00
Ondrej Zajicek (work)
8cc5bb09e3 Filter: Add 'weight' route attribute
Add 'weight' route attribute that allows to get and set ECMP weight of
nexthops. Similar to 'gw' attribute, it is limited to the first nexthop,
but it is useful for handling BGP multipath, where an ECMP route is
merged from multiple regular routes.
2020-12-02 05:02:26 +01:00
Ondrej Zajicek (work)
3347aaafec Static: Support for multiple routes with the same network
Add support for proper handling of multiple routes with the same network
to the static protocol. Routes are distinguished by internal index, which
is assigned automatically (sequentially for routes within each network).
Having different route preference or igp_metric attribute is optional.
2020-11-19 16:38:39 +01:00
Nigel Kukard
df65d519d6 Doc: Added example of static routes with BGP large communities 2020-11-18 18:00:12 +01:00
Ondrej Zajicek (work)
6ea8a46ccb Doc: Fix typo
Thanks to Hexhu for the bugreport.
2020-11-15 16:28:13 +01:00
Ondrej Zajicek (work)
4a42e7e925 BFD: Update documentation about per-session options 2020-11-12 04:50:45 +01:00
Ondrej Zajicek (work)
fc1e3211b1 RPKI: Add 'ignore max length' option
Add 'ignore max length' option to RPKI protocol, which ignores received
max length in ROA records and instead uses max value (32 or 128). This
may be useful for implementing loose RPKI check for blackholes.
2020-10-11 01:00:54 +02:00
Ondrej Zajicek (work)
6c11dbcf28 Doc: Fix missing semicolons
Thanks to Marco Gartmann for the bugreport.
2020-10-05 14:52:55 +02:00
Ondrej Zajicek (work)
14ce8904e7 Doc: Fix typo
Thanks to Sergey Kulikov for the bugreport.
2020-10-05 14:45:01 +02:00
Kenth Eriksson
71e08edd94 Doc: Add 'ptp address' to OSPF doc overview 2020-06-03 23:05:29 +02:00
Ondrej Zajicek (work)
c1632ad0f3 OSPF: Fix handling of unnumbered PtPs
This issue has a long history. In 2012, we changed data field for
unnumbered PtP links from iface id (specified by RFC) to IP address based
on reports of bugs in Quagga that required it, and we used out-of-band
information to distinquish unnumberred PtPs with the same local IP
address.

Then with OSPF graceful restart implementation, we found that we can no
longer use out-of-band information, and we need to use only LSAdb info
for routing table calculation, but i forgot to finish handling of this
case, so multiple unnumbered PtPs with the same local IP addresses were
broken.

Considering that even recent Mikrotik RouterOS has broken next hop
calculation that depends on IP address in PtP link data field, we
cannot just switch back to the iface id for unnumbered PtP links.

The patch makes two changes: First, it goes back to use out-of-band
(position) info for distinguishing local interfaces in SPF when graceful
restart is not enabled, while still uses LSAdb-only approach for SPF
calculation when graceful restart is enabled.

Second, it adds OSPF interface option 'ptp address', which controls
whether IP address or iface id is used in data field. It is enabled
by default except for unnumbered PtP links with enabled graceful
restart.

Thanks to Kenth Eriksson for the bugreport and Joakim Tjernlund for
suggestions.
2020-05-26 18:21:43 +02:00
Ondrej Zajicek (work)
1ca7665fa4 Nest: Allow key id 0
There is nothing in RFCs specifying that id 0 is not allowed. Some
implementations does not support it, while some other use key id 0 by
default. We allow it but start with key id 1 by default.

Thanks to Kenth Eriksson for the bugreport.
2020-05-19 02:50:47 +02:00
Ondrej Zajicek (work)
b729e731f9 RIP: Triggered RIP (demand circuit) documentation 2020-05-19 02:42:22 +02:00
Ondrej Zajicek (work)
ec430a7fee Nest: Implement BGP path mask loop operator
Implement regex-like '+' operator in BGP path masks to match previous
path mask item multiple times. This is useful as ASNs may appear
multiple times in paths due to path prepending for traffic engineering
purposes.
2020-05-18 16:25:08 +02:00
Ondrej Zajicek (work)
82bfee76f0 Filter: Remove quitbird command
No need for this debug filter command and it can be abused from CLI.
2020-05-02 02:47:18 +02:00
Ondrej Zajicek (work)
a109056145 Doc: Update prefix set comment 2020-04-08 13:11:51 +02:00
Ondrej Zajicek (work)
7f9adafc10 BFD: Option to specify which class of BFD sessions are accepted
Allows to configure IPv4/IPv6-only or direct/multihop-only BFD protocol
instances.
2020-01-28 18:07:25 +01:00
Ondrej Zajicek (work)
3232d17186 Doc: Fix documentation of BGP gateway option
Thanks to Nico Schottelius for the bugreport.
2019-12-16 18:08:40 +01:00
Ondrej Zajicek (work)
ff2ca10cba Filter: Add support for src/dst accessors for Flowspec and SADR 2019-12-09 04:23:01 +01:00
Ondrej Zajicek (work)
0b228fca04 BGP: Add option to enforce first AS in AS_PATH
This is optional check described in RFC 4271. Although this can be also
done by filters, it is widely implemented option in BGP implementations.

Thanks to Eugene Bogomazov for the original patch.
2019-11-10 02:06:07 +01:00
Ondrej Zajicek (work)
becda5638a Doc: Minor fix 2019-11-05 16:29:47 +01:00
Ondrej Zajicek (work)
d54a69ac7f Doc: Add documentation for BGP option 'allow as sets' 2019-11-05 16:00:25 +01:00
Ondrej Zajicek (work)
be7c1aef42 BGP: RFC 8654 got released 2019-10-26 01:32:24 +02:00
Ondrej Zajicek (work)
eeb2c61653 Doc: Minor documentation fixes
Thanks to Christoph for the bugreport.
2019-10-10 22:43:41 +02:00
Ondrej Zajicek (work)
09ee846d92 BGP: AIGP metric support (RFC 7311) 2019-10-09 17:53:23 +02:00
Ondrej Zajicek
15a7583787 Doc: Fix duplicated lines
Thanks to elados93 for the patch.
2019-10-08 14:20:25 +02:00
Ondrej Zajicek (work)
532471967e Doc: Update BGP mask documentation 2019-09-10 17:28:06 +02:00
Ondrej Zajicek (work)
b7d7599ce3 BGP: implement Adj-RIB-Out
The patch implements optional internal export table to a channel and
hooks it to BGP so it can be used as Adj-RIB-Out. When enabled, all
exported (post-filtered) routes are stored there. An export table can be
examined using e.g. 'show route export table bgp1.ipv4'.
2019-08-14 06:02:33 +02:00
Ondrej Zajicek (work)
70a4320bdd RAdv: Allow solicited RAs to be sent as unicast
Add option to send solicited router advertisements as unicast directly
to soliciting nodes instead of as multicast to all-nodes group.
2019-08-12 00:43:19 +02:00
Ondrej Zajicek (work)
96e4d0960c Change 'graceful down' command to 'graceful restart' and update docs
The command initiating planned graceful restart including bird shutdown
should be called 'graceful restart' instead of 'graceful down', as the
later should be reserved for graceful shutdown in style of RFC 8326.
2019-07-31 19:45:29 +02:00
Ondrej Zajicek (work)
8c703ecf73 Doc: Update documentation about VRFs and BFD 2019-07-30 19:21:06 +02:00
Vincent Bernat
e840cb9cd5 Doc: Fix typo in BGP dynamic names feature description 2019-07-09 15:30:45 +02:00
Ondrej Zajicek (work)
6c0f85d5de Doc: OSPF graceful restart options 2019-06-30 22:11:29 +02:00
Ondrej Zajicek (work)
8a68316eb9 Nest: Add command to request graceful restart
When 'graceful down' command is entered, protocols are shut down
with regard to graceful restart. Namely Kernel protocol does
not remove routes and BGP protocol does not send notification,
just closes the connection.
2019-06-30 21:29:24 +02:00
Ondrej Zajicek (work)
dbbe4a783b Doc: Dynamic BGP 2019-04-30 16:16:50 +02:00