The Michael Baer's patch for BGPsec Support

Imported from: https://securerouting.net/download/bird-1.5.0-bgpsec-0.7.tar.bz2

The Michael Baer's patch for BGPsec Support
Imported from: https://securerouting.net/download/bird-1.5.0-bgpsec-0.7.tar.bz2
e7284842 · Michael Baer · Pavel Tvrdik · deec752e · e7284842 · e7284842
Commit e7284842 authored May 26, 2016 by Michael Baer Committed by Pavel Tvrdik May 26, 2016
--- a/README.bgpsec
+++ b/README.bgpsec
+
+  1. BGPSEC tar ball
+  2. Installation Instructions:
+  3. BIRD run time configuration
+  4. Getting RPKI-RTR data (ROA's and Router Keys)
+  5. License(s)
+
+
+1. BGPSEC patch
+
+This code adds BGPSEC capability to the BIRD BGP implementation.
+
+This has only been tested on Linux machines. It is in an Alpha release
+and ***should not be considered for production systems***.  The basic
+BGPSEC protocol is supported with a several notable exceptions: more
+than one signature block (for algorithm rollover), confederations, and
+bugs we have not seen yet.
+
+For information on BGPSEC see the Internet Engineering Task Force
+(IETF) Secure Inter-Domain Routing (SIDR) working group page and
+specifically the draft describing the BGPSEC protocol:
+
+https://datatracker.ietf.org/wg/sidr/
+https://datatracker.ietf.org/doc/draft-ietf-sidr-bgpsec-protocol/
+
+This code is based on the v1.5.0 of the BIRD software.  Information
+about BIRD including download instructions can be found at:
+
+http://bird.network.cz/
+
+
+2. Installation Instructions:
+
+General Instructions
+
+Building BGPSEC enabled bird
+
+This describes building bird with BGPSEC support turned on, which
+requires a few steps.  Contents
+
+    2.1 Dependencies
+        2.1.1 Use An OpenSSL version that supports ECDSA (Elliptic
+              Curve Digital Signature Algorithm)
+    2.2 Building Bird
+        2.2.1 Configuring and Compiling
+    2.3 Testing
+    2.4 Using It
+    2.5 Coding For It
+
+
+2.1 Dependencies
+
+On Fedora, you'll want flex, bison, and readline-devel packages.
+
+2.1.1 Use an OpenSSL version that supports ECDSA (Elliptic Curve
+      Digital Signature Algorithm)
+
+The default OpenSSL distributed on some Linux vendors does not include
+elliptic curve support.  If yours distribution does not support
+elliptic curve in the OpenSSL libraries, you'll need to grab a fresh
+copy and compile it by hand. You may want to install it in a location
+separate from the normally installed package. Use the --prefix option
+to do this:
+
+ # ./config --prefix=/usr/local/openssl-ecdsa
+
+Then make and make install
+
+
+2.2 Building Bird
+
+Configuring and Compiling
+
+If you are using the patch, download BIRD bird-1.4.5.tar.gz from
+http://bird.network.cz/
+
+ # tar xvjpf bird-1.5.0.-bgpsec-0.7.tar.bz2
+ # cd bird-1.5.0-bgpsec-0.7/
+
+Build it.
+First rebuild configure (configure.in was changed by the patch):
+
+ # autoconf
+
+Then Use configure flags that look something like the following.  if a
+version of OpenSSL that supported ecdsa had to be installed in a
+non-standard location on your platform, it will be necessary to add
+something like '-I/path/to//openssl-ecdsa/include' and
+'-L/path/to/openssl-ecdsa/lib' options to the configure command.
+
+ # ./configure '--enable-bgpsec'
+
+Then make and you should be good to go.
+
+
+2.3 Using It
+
+You can create key pairs using the proto/bgp/bgpsec/keytool.py
+script.  For Example:
+
+# proto/bgp/bgpsec/keytool.py --printski --public-key-dir /usr/share/bird/bgpsec-keys --private-key-dir /usr/share/bird/bgpsec-private-keys generate 'ASN'
+ 40C70252FE48D29401E9156ADBECF3EF42296AE4
+
+Where ASN is the AS number for the key you are generating.
+
+The generated public key is stored in '--public-key-dir' (default
+/usr/share/bird/bgpsec-keys) and the private key is stored in
+'--private-key-dir' (default /usr/share/bird/bgpsec-private-keys).
+The file names are based on the AS number and the SKI value associated
+with the keys, 'ASN.SKI#', e.g. for an ASN of 12345,
+12345.40C70252FE48D29401E9156ADBECF3EF42296AE4.
+
+The public key can be copied to other machines and placed in the same
+public key directory without the private key. Likewise, keys from
+other routers can be placed into the public key directory with their
+ASN/SKI identifying the file names in order for the validation
+routines to look them up.
+
+NOTE: in the future, the rpki-rtr protocol could be used instead to
+pull router keys.  For example, BGPSEC-BIRD-Client is a tool that can
+pull router keys from a rpki cache using the rpki-rtr protocol.
+
+
+2.4 Coding For It
+
+The API for use in validating stuff can be found in
+proto/bgp/bgpsec/validate.h. But most importantly, these two functions
+will be of the most use:
+
+ int bgpsec_sign_data_with_ski(...);
+ int bgpsec_verify_signature_with_ski(...);
+
+As they sign and verify data simply by passing the data along with a
+SKI in ascii/hex form and a ASN integer (in reality, it's just the
+filename from above so as long as it can be stored in a file name it's
+usable).
+
+The algorithm option should be set to
+BGPSEC_ALGORITHM_SHA256_ECDSA_P_256 or BGPSEC_DEFAULT_CURVE.
+
+
+3. BIRD run time configuration
+
+The BGPSEC implementation currently has several additional
+configuration options for the configuration file.  The following is an
+example bgp section from a BIRD configuration file supporting BGPSEC:
+
+  protocol bgp {
+	 # BGPsec configuration
+
+	 # AS4 is required for BGPSEC, this must be enabled
+         enable as4;
+
+	 # enable bgpsec for this connection
+         bgpsec on;
+
+	 # The local BIRD router subject key identifier (SKI) for this
+         # connection.  'bgpsec_ski' identifies the (private) key that
+         # the local BIRD router should use to sign BGPSEC packets on
+         # this connection.
+         bgpsec_ski "8CA56CF0A4D943ACCEB9CB67967561CA8A773B73" ;
+
+	 # The local directory paths for the public router key and private
+         # key storage. The defaults are below:
+
+         bgpsec_key_repo_path "/usr/share/bird/bgpsec-keys/" ;
+	 bgpsec_priv_key_path "/usr/share/bird/bgpsec-private-keys" ;
+
+	 # bgpsec_no_pcount0 indicates whether a peer is allowed to
+         # set its pcount to 0.  Default is true.  Set this value to
+         # false/0 if you want to allow your peer to not have their AS
+         # included in the effective AS_PATH of a route (e.g. Route
+         # Servers).
+	 bgpsec_no_pcount0 1;
+
+	 # bgpsec_prefer indicates whether validly signed bgpsec
+         # routes are preferred to non-valid and/or non-signed
+         # routes. Default is true.  This decision is made after the
+         # local pref and before the as_path comparison in the best
+         # route selection algorithm.
+	 bgpsec_prefer 1;
+
+	 # bgpsec_require indicates whether bgpsec signed routes are
+         # required on this connection.  If true, Non-signed routes
+         # will not be accepted.  Default is false.
+	 bgpsec_require 0;
+
+         # bgpsec_no_invalid_routes indicates if invalid routes are
+         # accepted.  If true, routes that fail the BGPsec validity
+         # check are not accepted.  Default is false.
+	 bgpsec_no_invalid_routes 0;
+
+
+	 # Non BGPsec configuration
+
+         description "BGP Link";
+         local as 64521;
+
+         neighbor 172.16.1.2 as 64522;
+         gateway direct;
+
+         path metric 1;         # prefer shorter paths
+         default bgp_med 0;     # when none is available
+
+         password "demonet";
+  }
+
+
+4. Getting RPKI-RTR data (ROA's and Router Keys)
+
+BGPSEC-BIRD-client is a separate application that is provided in order
+to pull data from a rpki-rtr using rtrLib.  It can garner Router
+Origin Authorizations (ROAs) from a rpki-rtr and populate BIRD's ROA
+tables in order to filter for Origin Authentication.  It can get
+router public keys and place them in the local file system for use by
+the BGPsec code.  Please see the README with that software for
+instructions on how to use it.
+
+
+5. License(s)
+
+This BGPSEC code created by Parsons, Inc.
+
+(c) 2013-2016 Parsons, Inc.
+All Rights Reserved
+
+Code within this patch is dual copyrighted under both the GPLv2+ and
+the BSD license.  It can be used under either license below:
+
+
+GPLv2+
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or (at
+your option) any later version.
+
+This program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+USA
+
+
+BSD
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+*  Redistributions of source code must retain the above copyright notice,
+   this list of conditions and the following disclaimer.
+
+*  Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+*  Neither the name of Parsons, Inc nor the names of its contributors may
+   be used to endorse or promote products derived from this software
+   without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS
+IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR
+CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/configure.in
+++ b/configure.in
@@ -10,6 +10,7 @@ AC_ARG_ENABLE(debug,	[  --enable-debug          enable internal debugging routin
 AC_ARG_ENABLE(memcheck,	[  --enable-memcheck       check memory allocations when debugging (default: enabled)],,enable_memcheck=yes)
 AC_ARG_ENABLE(client,	[  --enable-client         enable building of BIRD client (default: enabled)],,enable_client=yes)
 AC_ARG_ENABLE(ipv6,	[  --enable-ipv6           enable building of IPv6 version (default: disabled)],,enable_ipv6=no)
+AC_ARG_ENABLE(bgpsec,[  --enable-bgpsec         enable building of bgp with security (default: disabled)],,enable_bgpsec=no)
 AC_ARG_ENABLE(pthreads,	[  --enable-pthreads       enable POSIX threads support (default: detect)],,enable_pthreads=try)
 AC_ARG_WITH(suffix,	[  --with-suffix=STRING    use specified suffix for BIRD files (default: 6 for IPv6 version)],[given_suffix="yes"])
 AC_ARG_WITH(sysconfig,	[  --with-sysconfig=FILE   use specified BIRD system configuration file])
@@ -21,7 +22,6 @@ AC_ARG_VAR([FLEX], [location of the Flex program])
 AC_ARG_VAR([BISON], [location of the Bison program])
 AC_ARG_VAR([M4], [location of the M4 program])

-
 if test "$srcdir" = . ; then
 	# Building in current directory => create obj directory holding all objects
 	objdir=obj
@@ -262,6 +262,21 @@ if test "$enable_debug" = yes ; then
 	fi
 fi

+AC_MSG_CHECKING([BGPsec enabled])
+if test "$enable_bgpsec" = yes ; then
+	AC_MSG_RESULT(yes)
+	protocols="$protocols bgp/bgpsec"
+	AC_CHECK_LIB(dl, dlopen)
+	AC_CHECK_LIB(crypto, PEM_read_X509)
+	AC_CHECK_LIB(crypto, EC_KEY_set_asn1_flag)
+	if test $ac_cv_lib_crypto_EC_KEY_set_asn1_flag != yes ; then
+	   AC_MSG_ERROR([openssl: libcrypt does not support elliptical curves. EC support is required for BGPsec])
+	fi
+	AC_DEFINE(CONFIG_BGPSEC)
+else
+	AC_MSG_RESULT(no)
+fi
+
 CLIENT=
 CLIENT_LIBS=
 if test "$enable_client" = yes ; then
@@ -304,6 +319,7 @@ BIRD was configured with the following options:
 	Debugging:		$enable_debug
 	POSIX threads:		$enable_pthreads
 	Routing protocols:	$protocols
+	BGPsec enabled:		$enable_bgpsec
 	Client:			$enable_client
 EOF
 rm -f $objdir/.*-stamp
--- a/lib/unaligned.h
+++ b/lib/unaligned.h
@@ -19,6 +19,9 @@

 #include "lib/string.h"

+/* XXX need ifdef to intsead use bsd's #include <sys/endian.h> */
+#include <endian.h>
+
 static inline u16
 get_u16(void *p)
 {
@@ -35,6 +38,14 @@ get_u32(void *p)
  return ntohl(x);
 }

+static inline u64
+get_u64(void *p)
+{
+  u64 x;
+  memcpy(&x, p, 8);
+  return be64toh(x);
+}
+
 static inline void
 put_u16(void *p, u16 x)
 {
@@ -49,4 +60,11 @@ put_u32(void *p, u32 x)
  memcpy(p, &x, 4);
 }

+static inline void
+put_u64(void *p, u64 x)
+{
+  x = htobe64(x);
+  memcpy(p, &x, 8);
+}
+
 #endif
--- a/nest/protocol.h
+++ b/nest/protocol.h
@@ -76,7 +76,7 @@ void protos_dump_all(void);

 extern struct protocol
  proto_device, proto_radv, proto_rip, proto_static,
-  proto_ospf, proto_pipe, proto_bgp, proto_bfd;
+  proto_ospf, proto_pipe, proto_bgp, proto_bgpsec,  proto_bfd;

 /*
 *	Routing Protocol Instance

--- a/nest/route.h
+++ b/nest/route.h
@@ -407,7 +407,8 @@ typedef struct eattr {
 #define EAP_RIP 2			/* RIP */
 #define EAP_OSPF 3			/* OSPF */
 #define EAP_KRT 4			/* Kernel route attributes */
-#define EAP_MAX 5
+#define EAP_BGPSEC 5			/* BGPSEC attributes */
+#define EAP_MAX 6

 #define EA_CODE(proto,id) (((proto) << 8) | (id))
 #define EA_PROTO(ea) ((ea) >> 8)

--- a/proto/bgp/attrs.c
+++ b/proto/bgp/attrs.c
--- a/proto/bgp/bgp.c
+++ b/proto/bgp/bgp.c
@@ -4,6 +4,14 @@
 *	(c) 2000 Martin Mares <mj@ucw.cz>
 *
 *	Can be freely distributed and used under the terms of the GNU GPL.
+ *
+ *
+ *      Code added from Parsons, Inc. (BGPSEC additions)
+ *      (c) 2013-2013
+ *
+ *	Can be used under either license:
+ *      - Freely distributed and used under the terms of the GNU GPLv2.
+ *      - Freely distributed and used under a BSD license, See README.bgpsec.
 */

 /**
@@ -78,6 +86,10 @@

 #include "bgp.h"

+#ifdef CONFIG_BGPSEC
+/* sscanf parsing of SKI configuration value */
+#include <stdio.h>
+#endif

 struct linpool *bgp_linpool;		/* Global temporary pool */
 static sock *bgp_listen_sk;		/* Global listening socket */
@@ -1266,7 +1278,6 @@ bgp_check_config(struct bgp_config *c)
  if (c->c.class == SYM_TEMPLATE)
    return;

-
  /* EBGP direct by default, IBGP multihop by default */
  if (c->multihop < 0)
    c->multihop = internal ? 64 : 0;
@@ -1283,7 +1294,6 @@ bgp_check_config(struct bgp_config *c)
  if (c->c.in_limit && (c->c.in_limit->action == PLA_RESTART) && c->disable_after_error)
    c->c.in_limit->action = PLA_DISABLE;

-
  if (!c->local_as)
    cf_error("Local AS number must be set");

@@ -1329,6 +1339,61 @@ bgp_check_config(struct bgp_config *c)

  if (c->secondary && !c->c.table->sorted)
    cf_error("BGP with secondary option requires sorted table");
+
+#ifdef CONFIG_BGPSEC
+  /* create a binary SKI from config */
+  if ( c->enable_bgpsec ) {
+    if ( strnlen(c->bgpsec_ski, (2 * BGPSEC_SKI_LENGTH))
+	 != (BGPSEC_SKI_LENGTH * 2) ) {
+      cf_error("BGPSEC: bad length of the configured SKI value");
+    }
+
+    if ( BGPSEC_SKI_LENGTH !=
+	 sscanf(c->bgpsec_ski, "%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx",
+		(unsigned char *)c->bgpsec_bski,
+		(unsigned char *)(c->bgpsec_bski+1),
+		(unsigned char *)(c->bgpsec_bski+2),
+		(unsigned char *)(c->bgpsec_bski+3),
+		(unsigned char *)(c->bgpsec_bski+4),
+		(unsigned char *)(c->bgpsec_bski+5),
+		(unsigned char *)(c->bgpsec_bski+6),
+		(unsigned char *)(c->bgpsec_bski+7),
+		(unsigned char *)(c->bgpsec_bski+8),
+		(unsigned char *)(c->bgpsec_bski+9),
+		(unsigned char *)(c->bgpsec_bski+10),
+		(unsigned char *)(c->bgpsec_bski+11),
+		(unsigned char *)(c->bgpsec_bski+12),
+		(unsigned char *)(c->bgpsec_bski+13),
+		(unsigned char *)(c->bgpsec_bski+14),
+		(unsigned char *)(c->bgpsec_bski+15),
+		(unsigned char *)(c->bgpsec_bski+16),
+		(unsigned char *)(c->bgpsec_bski+17),
+		(unsigned char *)(c->bgpsec_bski+18),
+		(unsigned char *)(c->bgpsec_bski+19)) ) {
+      cf_error("BGPSEC: unable to parse the configured SKI value");
+    }
+
+
+    log(L_WARN "BPGPSEC: bgpsec_key_repo_path is %s", c->bgpsec_key_repo_path);
+    if (c->bgpsec_key_repo_path) {
+      int krp = strnlen(c->bgpsec_key_repo_path, 10);
+      if ( 0 < krp && krp < 2 ) {
+	log(L_WARN "BPGPSEC: unable to parse bpgsec_key_repo_path: %d", krp);
+	cf_error("BGPSEC:: unable to parse bpgsec_key_repo_path");
+      }
+    }
+    log(L_WARN "BPGPSEC: bgpsec_key_repo_path is %s", c->bgpsec_priv_key_path);
+    if (c->bgpsec_priv_key_path) {
+      int pkp = strnlen(c->bgpsec_priv_key_path, 10);
+      if ( 0 < pkp && pkp < 2 ) {
+	log(L_WARN "BPGPSEC: unable to parse bpgsec_key_repo_path: %d", pkp);
+	cf_error("BGPSEC:: unable to parse bpgsec_key_repo_path");
+      }
+    }
+
+  }
+#endif
+
 }

 static int

--- a/proto/bgp/bgp.h
+++ b/proto/bgp/bgp.h
@@ -4,6 +4,14 @@
 *	(c) 2000 Martin Mares <mj@ucw.cz>
 *
 *	Can be freely distributed and used under the terms of the GNU GPL.
+ *
+ *
+ *      Code added from Parsons, Inc. (BGPSEC additions)
+ *      (c) 2013-2013
+ *
+ *	Can be used under either license:
+ *      - Freely distributed and used under the terms of the GNU GPLv2.
+ *      - Freely distributed and used under a BSD license, See README.bgpsec.
 */

 #ifndef _BIRD_BGP_H_
@@ -17,6 +25,24 @@
 struct linpool;
 struct eattr;

+#ifdef CONFIG_BGPSEC
+/* BGPSec constants */
+#define BGPSEC_VERSION	            0
+/* currently capability is arbitrary number from private use */
+#define BGPSEC_CAPABILITY           212
+#define BGPSEC_SKI_LENGTH           20
+#define BGPSEC_ALGO_ID              1   /* XXX this needs to be changed */
+#define BGPSEC_MAX_SIG_LENGTH       80
+ /* sig hash length is somewhat arbitrary,
+    = 20 + MaxASPathLength*(28 + max_sig_length).
+    As of 2016, max unique AS Path length found is 14.
+    This value will allowy for for a hash buffer that can handle an AS
+    path length ~47 long
+ */
+#define BGPSEC_SIG_HASH_LENGTH      5120
+#define BGPSEC_MAX_INFO_ATTR_LENGTH 0   /* XXX this needs to be checked */
+#endif
+
 struct bgp_config {
  struct proto_config c;
  u32 local_as, remote_as;
@@ -40,6 +66,20 @@ struct bgp_config {
  int capabilities;			/* Enable capability handshake [RFC3392] */
  int enable_refresh;			/* Enable local support for route refresh [RFC2918] */
  int enable_as4;			/* Enable local support for 4B AS numbers [RFC4893] */
+
+  /* BGPSec */
+  /* cannot be ifdef'd out due to config.Y compatibility */
+  int   enable_bgpsec;                  /* Whether neighbor should be a BGPSec peer */
+  int   bgpsec_prefer;                  /* Whether validly signed BGPsec routes are prefered during route selection */
+  int   bgpsec_require;                 /* Whether neighbor should be a BGPSec peer */
+  char *bgpsec_ski;                     /* local subject key id */
+  u8    bgpsec_bski[BGPSEC_SKI_LENGTH]; /* binary local SKI */
+  char *bgpsec_key_repo_path;           /* Path to the public key repository */
+  char *bgpsec_priv_key_path;           /* Path to the private key location */
+  int   bgpsec_save_binary_keys;        /* Save a copy of the binary key */
+  int   bgpsec_no_pcount0;              /* allow peer to have pcount 0, xxx current default allows */
+  int   bgpsec_no_invalid_routes;       /* should invalid routes be dropped */
+
  u32 rr_cluster_id;			/* Route reflector cluster ID, if different from local ID */
  int rr_client;			/* Whether neighbor is RR client of me */
  int rs_client;			/* Whether neighbor is RS client of me */
@@ -100,6 +140,12 @@ struct bgp_conn {
  byte *notify_data;
  u32 advertised_as;			/* Temporary value for AS number received */
  int start_state;			/* protocol start_state snapshot when connection established */
+
+#ifdef CONFIG_BGPSEC
+  /* BGPsec */
+  u8 peer_bgpsec_support;               /* Peer supports BGPSec */
+#endif
+
  u8 peer_refresh_support;		/* Peer supports route refresh [RFC2918] */
  u8 peer_as4_support;			/* Peer supports 4B AS numbers [RFC4893] */
  u8 peer_add_path;			/* Peer supports ADD-PATH [draft] */
@@ -117,6 +163,15 @@ struct bgp_proto {
  struct bgp_config *cf;		/* Shortcut to BGP configuration */
  u32 local_as, remote_as;
  int start_state;			/* Substates that partitions BS_START */
+
+#ifdef CONFIG_BGPSEC
+  /* BGPsec */
+  u8 bgpsec_send;                       /* Sender can send BGPSec messages */
+  u8 bgpsec_receive;                    /* Sender can receive BGPSec messages */
+  u8 bgpsec_ipv4;                       /* Sender uses BGPSec over iPv4 */
+  u8 bgpsec_ipv6;                       /* Sender uses BGPSec over iPv6 */
+#endif
+
  u8 is_internal;			/* Internal BGP connection (local_as == remote_as) */
  u8 as4_session;			/* Session uses 4B AS numbers in AS_PATH (both sides support it) */
  u8 add_path_rx;			/* Session expects receive of ADD-PATH extended NLRI */
@@ -152,7 +207,7 @@ struct bgp_proto {
  u8 last_error_class; 			/* Error class of last error */
  u32 last_error_code;			/* Error code of last error. BGP protocol errors
 					   are encoded as (bgp_err_code << 16 | bgp_err_subcode) */
-#ifdef IPV6
+#if defined(IPV6) || defined CONFIG_BGPSEC
  byte *mp_reach_start, *mp_unreach_start; /* Multiprotocol BGP attribute notes */
  unsigned mp_reach_len, mp_unreach_len;
  ip_addr local_link;			/* Link-level version of source_addr */
@@ -235,7 +290,7 @@ static inline void set_next_hop(byte *b, ip_addr addr) { ((ip_addr *) b)[0] = ad

 void bgp_attach_attr(struct ea_list **to, struct linpool *pool, unsigned attr, uintptr_t val);
 byte *bgp_attach_attr_wa(struct ea_list **to, struct linpool *pool, unsigned attr, unsigned len);
-struct rta *bgp_decode_attrs(struct bgp_conn *conn, byte *a, unsigned int len, struct linpool *pool, int mandatory);
+struct rta *bgp_decode_attrs(struct bgp_conn *conn, byte *attr, unsigned int len, struct linpool *pool, byte * nlri, int nlri_len);
 int bgp_get_attr(struct eattr *e, byte *buf, int buflen);
 int bgp_rte_better(struct rte *, struct rte *);
 int bgp_rte_recalculate(rtable *table, net *net, rte *new, rte *old, rte *old_best);
@@ -278,6 +333,8 @@ void bgp_log_error(struct bgp_proto *p, u8 class, char *msg, unsigned code, unsi
 #define BAF_PARTIAL		0x20
 #define BAF_EXT_LEN		0x10

+/* Note: these must match location in the bgp_attr_table */
+
 #define BA_ORIGIN		0x01	/* [RFC1771] */		/* WM */
 #define BA_AS_PATH		0x02				/* WM */
 #define BA_NEXT_HOP		0x03				/* WM */
@@ -287,16 +344,34 @@ void bgp_log_error(struct bgp_proto *p, u8 class, char *msg, unsigned code, unsi
 #define BA_AGGREGATOR		0x07				/* OT */
 #define BA_COMMUNITY		0x08	/* [RFC1997] */		/* OT */
 #define BA_ORIGINATOR_ID	0x09	/* [RFC1966] */		/* ON */
-#define BA_CLUSTER_LIST		0x0a				/* ON */
+#define BA_CLUSTER_LIST		0x0a	/* [RFC4456] */
 /* We don't support these: */
-#define BA_DPA			0x0b	/* ??? */
-#define BA_ADVERTISER		0x0c	/* [RFC1863] */
-#define BA_RCID_PATH		0x0d
-#define BA_MP_REACH_NLRI	0x0e	/* [RFC2283] */
-#define BA_MP_UNREACH_NLRI	0x0f
-#define BA_EXT_COMMUNITY	0x10	/* [RFC4360] */
-#define BA_AS4_PATH             0x11    /* [RFC4893] */
-#define BA_AS4_AGGREGATOR       0x12
+#define BA_DPA   		0x0b	/* DPA deprecated */
+#define BA_ADVERTISER		0x0c    /* [RFC1863] */
+#define BA_RCID_PATH		0x0d    /* [RFC1863] */
+/* supported? */
+#define BA_MP_REACH_NLRI	0x0e    /* [RFC4760] */
+#define BA_MP_UNREACH_NLRI      0x0f    /* [RFC4760] */
+#define BA_EXT_COMMUNITY        0x10    /* [RFC4360] */
+#define BA_AS4_PATH             0x11    /* [RFC6793] */
+#define BA_AS4_AGGREGATOR       0x12    /* [RFC6793] */
+/* not supported */
+#define BA_SSA                  0x13    /* SAFI Specific Attribute (SSA) (deprecated) */
+#define BA_CONNECTOR_ATTR       0x14   /* (deprecated) [RFC6037] */
+#define BA_AS_PATHLIMIT         0x15   /* (deprecated) 	[draft-ietf-idr-as-pathlimit] */
+#define BA_PMSI_TUNNEL          0x16   /* [RFC6514] */
+#define BA_TUNNEL_ENCAP         0x17   /* Tunnel Encapsulation [RFC5512] */
+#define BA_TUNNEL_ENGINEERING   0x18   /* Traffic Engineering [RFC5543] */
+#define BA_IPV6_EXT_COMMUNITY   0x19   /* IPv6 Address Specific Extended Community [RFC5701] */
+#define BA_AIGP                 0x1a   /* AIGP (TEMPORARY, expired 2013-04-25) 	[draft-ietf-idr-aigp][Rex_Fernando][Pradosh_Mohapatra][Eric_Rosen][James_Uttaro] */
+#define BA_PE_DIST_LABELS       0x1b   /* PE Distinguisher Labels [RFC6514] */
+#define BA_ENTROPY_LABELS       0x1c   /* BGP Entropy Label Capability Attribute [RFC6790] */
+#define BA_LS_ATTRIBUTE         0x1d   /* BGP-LS Attribute (TEMPORARY, expired 2014-03-11) [draft-ietf-idr-ls-distribution] */
+
+/* Supported */
+#define BA_BGPSEC_SIGNATURE     0x1E   /* XXX 30 is best guess, draft-ietf-sidr-bgpsec-protocol */
+/* internal use only */
+#define BA_INTERNAL_BGPSEC_VALID  0xdd

 /* BGP connection states */

@@ -376,6 +451,18 @@ void bgp_log_error(struct bgp_proto *p, u8 class, char *msg, unsigned code, unsi

 #define BEA_ROUTE_LIMIT_EXCEEDED 1

+/* BGP Update Error codes */
+#define BGP_UPD_ERROR_MALFORMED_ATTR   1
+#define BGP_UPD_ERROR_UNRCGNZD_WK_ATTR 2
+#define BGP_UPD_ERROR_MISSING_WK_ATTR  3
+#define BGP_UPD_ERROR_ATTR_FLAG        4
+#define BGP_UPD_ERROR_ATTR_LENGTH      5