Commit e7284842 authored by Michael Baer, committed by Pavel Tvrdik

The Michael Baer's patch for BGPsec Support

Imported from:
  https://securerouting.net/download/bird-1.5.0-bgpsec-0.7.tar.bz2
parent deec752e
1. BGPSEC tar ball
2. Installation Instructions:
3. BIRD run time configuration
4. Getting RPKI-RTR data (ROA's and Router Keys)
5. License(s)
1. BGPSEC patch
This code adds BGPSEC capability to the BIRD BGP implementation.
This has only been tested on Linux machines. It is in an Alpha release
and ***should not be considered for production systems***. The basic
BGPSEC protocol is supported with a several notable exceptions: more
than one signature block (for algorithm rollover), confederations, and
bugs we have not seen yet.
For information on BGPSEC see the Internet Engineering Task Force
(IETF) Secure Inter-Domain Routing (SIDR) working group page and
specifically the draft describing the BGPSEC protocol:
https://datatracker.ietf.org/wg/sidr/
https://datatracker.ietf.org/doc/draft-ietf-sidr-bgpsec-protocol/
This code is based on the v1.5.0 of the BIRD software. Information
about BIRD including download instructions can be found at:
http://bird.network.cz/
2. Installation Instructions:
General Instructions
Building BGPSEC enabled bird
This describes building bird with BGPSEC support turned on, which
requires a few steps. Contents
2.1 Dependencies
2.1.1 Use An OpenSSL version that supports ECDSA (Elliptic
Curve Digital Signature Algorithm)
2.2 Building Bird
2.2.1 Configuring and Compiling
2.3 Testing
2.4 Using It
2.5 Coding For It
2.1 Dependencies
On Fedora, you'll want flex, bison, and readline-devel packages.
2.1.1 Use an OpenSSL version that supports ECDSA (Elliptic Curve
Digital Signature Algorithm)
The default OpenSSL distributed on some Linux vendors does not include
elliptic curve support. If yours distribution does not support
elliptic curve in the OpenSSL libraries, you'll need to grab a fresh
copy and compile it by hand. You may want to install it in a location
separate from the normally installed package. Use the --prefix option
to do this:
# ./config --prefix=/usr/local/openssl-ecdsa
Then make and make install
2.2 Building Bird
Configuring and Compiling
If you are using the patch, download BIRD bird-1.4.5.tar.gz from
http://bird.network.cz/
# tar xvjpf bird-1.5.0.-bgpsec-0.7.tar.bz2
# cd bird-1.5.0-bgpsec-0.7/
Build it.
First rebuild configure (configure.in was changed by the patch):
# autoconf
Then Use configure flags that look something like the following. if a
version of OpenSSL that supported ecdsa had to be installed in a
non-standard location on your platform, it will be necessary to add
something like '-I/path/to//openssl-ecdsa/include' and
'-L/path/to/openssl-ecdsa/lib' options to the configure command.
# ./configure '--enable-bgpsec'
Then make and you should be good to go.
2.3 Using It
You can create key pairs using the proto/bgp/bgpsec/keytool.py
script. For Example:
# proto/bgp/bgpsec/keytool.py --printski --public-key-dir /usr/share/bird/bgpsec-keys --private-key-dir /usr/share/bird/bgpsec-private-keys generate 'ASN'
40C70252FE48D29401E9156ADBECF3EF42296AE4
Where ASN is the AS number for the key you are generating.
The generated public key is stored in '--public-key-dir' (default
/usr/share/bird/bgpsec-keys) and the private key is stored in
'--private-key-dir' (default /usr/share/bird/bgpsec-private-keys).
The file names are based on the AS number and the SKI value associated
with the keys, 'ASN.SKI#', e.g. for an ASN of 12345,
12345.40C70252FE48D29401E9156ADBECF3EF42296AE4.
The public key can be copied to other machines and placed in the same
public key directory without the private key. Likewise, keys from
other routers can be placed into the public key directory with their
ASN/SKI identifying the file names in order for the validation
routines to look them up.
NOTE: in the future, the rpki-rtr protocol could be used instead to
pull router keys. For example, BGPSEC-BIRD-Client is a tool that can
pull router keys from a rpki cache using the rpki-rtr protocol.
2.4 Coding For It
The API for use in validating stuff can be found in
proto/bgp/bgpsec/validate.h. But most importantly, these two functions
will be of the most use:
int bgpsec_sign_data_with_ski(...);
int bgpsec_verify_signature_with_ski(...);
As they sign and verify data simply by passing the data along with a
SKI in ascii/hex form and a ASN integer (in reality, it's just the
filename from above so as long as it can be stored in a file name it's
usable).
The algorithm option should be set to
BGPSEC_ALGORITHM_SHA256_ECDSA_P_256 or BGPSEC_DEFAULT_CURVE.
3. BIRD run time configuration
The BGPSEC implementation currently has several additional
configuration options for the configuration file. The following is an
example bgp section from a BIRD configuration file supporting BGPSEC:
protocol bgp {
# BGPsec configuration
# AS4 is required for BGPSEC, this must be enabled
enable as4;
# enable bgpsec for this connection
bgpsec on;
# The local BIRD router subject key identifier (SKI) for this
# connection. 'bgpsec_ski' identifies the (private) key that
# the local BIRD router should use to sign BGPSEC packets on
# this connection.
bgpsec_ski "8CA56CF0A4D943ACCEB9CB67967561CA8A773B73" ;
# The local directory paths for the public router key and private
# key storage. The defaults are below:
bgpsec_key_repo_path "/usr/share/bird/bgpsec-keys/" ;
bgpsec_priv_key_path "/usr/share/bird/bgpsec-private-keys" ;
# bgpsec_no_pcount0 indicates whether a peer is allowed to
# set its pcount to 0. Default is true. Set this value to
# false/0 if you want to allow your peer to not have their AS
# included in the effective AS_PATH of a route (e.g. Route
# Servers).
bgpsec_no_pcount0 1;
# bgpsec_prefer indicates whether validly signed bgpsec
# routes are preferred to non-valid and/or non-signed
# routes. Default is true. This decision is made after the
# local pref and before the as_path comparison in the best
# route selection algorithm.
bgpsec_prefer 1;
# bgpsec_require indicates whether bgpsec signed routes are
# required on this connection. If true, Non-signed routes
# will not be accepted. Default is false.
bgpsec_require 0;
# bgpsec_no_invalid_routes indicates if invalid routes are
# accepted. If true, routes that fail the BGPsec validity
# check are not accepted. Default is false.
bgpsec_no_invalid_routes 0;
# Non BGPsec configuration
description "BGP Link";
local as 64521;
neighbor 172.16.1.2 as 64522;
gateway direct;
path metric 1; # prefer shorter paths
default bgp_med 0; # when none is available
password "demonet";
}
4. Getting RPKI-RTR data (ROA's and Router Keys)
BGPSEC-BIRD-client is a separate application that is provided in order
to pull data from a rpki-rtr using rtrLib. It can garner Router
Origin Authorizations (ROAs) from a rpki-rtr and populate BIRD's ROA
tables in order to filter for Origin Authentication. It can get
router public keys and place them in the local file system for use by
the BGPsec code. Please see the README with that software for
instructions on how to use it.
5. License(s)
This BGPSEC code created by Parsons, Inc.
(c) 2013-2016 Parsons, Inc.
All Rights Reserved
Code within this patch is dual copyrighted under both the GPLv2+ and
the BSD license. It can be used under either license below:
GPLv2+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or (at
your option) any later version.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
USA
BSD
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of Parsons, Inc nor the names of its contributors may
be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS
IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
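Review bot: Section 2.2 of the README is inconsistent about what to download and unpack: it says to fetch bird-1.4.5.tar.gz, but the next command unpacks bird-1.5.0.-bgpsec-0.7.tar.bz2 (with a stray dot after 1.5.0) and then changes into bird-1.5.0-bgpsec-0.7/, while section 1 says the code is based on v1.5.0. Please align these names. The section 2 contents list also shows 2.3 Testing, 2.4 Using It and 2.5 Coding For It, whereas the body numbers them 2.3 Using It and 2.4 Coding For It and has no Testing section. Separately, the key-generation text puts private keys under /usr/share/bird/bgpsec-private-keys without stating the ownership or mode that directory and its files need; a sentence saying they must be readable only by the user BIRD runs as would help.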
......@@ -10,6 +10,7 @@ AC_ARG_ENABLE(debug, [ --enable-debug enable internal debugging routin
AC_ARG_ENABLE(memcheck, [ --enable-memcheck check memory allocations when debugging (default: enabled)],,enable_memcheck=yes)
AC_ARG_ENABLE(client, [ --enable-client enable building of BIRD client (default: enabled)],,enable_client=yes)
AC_ARG_ENABLE(ipv6, [ --enable-ipv6 enable building of IPv6 version (default: disabled)],,enable_ipv6=no)
AC_ARG_ENABLE(bgpsec,[ --enable-bgpsec enable building of bgp with security (default: disabled)],,enable_bgpsec=no)
AC_ARG_ENABLE(pthreads, [ --enable-pthreads enable POSIX threads support (default: detect)],,enable_pthreads=try)
AC_ARG_WITH(suffix, [ --with-suffix=STRING use specified suffix for BIRD files (default: 6 for IPv6 version)],[given_suffix="yes"])
AC_ARG_WITH(sysconfig, [ --with-sysconfig=FILE use specified BIRD system configuration file])
......@@ -21,7 +22,6 @@ AC_ARG_VAR([FLEX], [location of the Flex program])
AC_ARG_VAR([BISON], [location of the Bison program])
AC_ARG_VAR([M4], [location of the M4 program])
if test "$srcdir" = . ; then
# Building in current directory => create obj directory holding all objects
objdir=obj
......@@ -262,6 +262,21 @@ if test "$enable_debug" = yes ; then
fi
fi
AC_MSG_CHECKING([BGPsec enabled])
if test "$enable_bgpsec" = yes ; then
AC_MSG_RESULT(yes)
protocols="$protocols bgp/bgpsec"
AC_CHECK_LIB(dl, dlopen)
AC_CHECK_LIB(crypto, PEM_read_X509)
AC_CHECK_LIB(crypto, EC_KEY_set_asn1_flag)
if test $ac_cv_lib_crypto_EC_KEY_set_asn1_flag != yes ; then
AC_MSG_ERROR([openssl: libcrypt does not support elliptical curves. EC support is required for BGPsec])
fi
AC_DEFINE(CONFIG_BGPSEC)
else
AC_MSG_RESULT(no)
fi
CLIENT=
CLIENT_LIBS=
if test "$enable_client" = yes ; then
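Review bot: In the BGPsec block, `test $ac_cv_lib_crypto_EC_KEY_set_asn1_flag != yes` leaves the variable unquoted, unlike the `"$enable_bgpsec"` test just above it; quote it so an unset value produces the intended AC_MSG_ERROR rather than a shell syntax error. The result of AC_CHECK_LIB(crypto, PEM_read_X509) is never tested, so a libcrypto lacking it is only caught at link time; either test it the same way as the EC check or drop it. The error text should say libcrypto, not "libcrypt", and "elliptic curves".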
......@@ -304,6 +319,7 @@ BIRD was configured with the following options:
Debugging: $enable_debug
POSIX threads: $enable_pthreads
Routing protocols: $protocols
BGPsec enabled: $enable_bgpsec
Client: $enable_client
EOF
rm -f $objdir/.*-stamp
......@@ -19,6 +19,9 @@
#include "lib/string.h"
/* XXX need ifdef to intsead use bsd's #include <sys/endian.h> */
#include <endian.h>
static inline u16
get_u16(void *p)
{
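Review bot: The new `#include <endian.h>` is unconditional, and the XXX comment directly above it already says BSD needs <sys/endian.h> instead. As shown, the include is not under CONFIG_BGPSEC, so it affects builds on those platforms even when BGPsec is disabled. Suggest resolving the XXX with a configure check that selects the right header, and fixing "intsead" in the comment.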
......@@ -35,6 +38,14 @@ get_u32(void *p)
return ntohl(x);
}
static inline u64
get_u64(void *p)
{
u64 x;
memcpy(&x, p, 8);
return be64toh(x);
}
static inline void
put_u16(void *p, u16 x)
{
......@@ -49,4 +60,11 @@ put_u32(void *p, u32 x)
memcpy(p, &x, 4);
}
static inline void
put_u64(void *p, u64 x)
{
x = htobe64(x);
memcpy(p, &x, 8);
}
#endif
......@@ -76,7 +76,7 @@ void protos_dump_all(void);
extern struct protocol
proto_device, proto_radv, proto_rip, proto_static,
proto_ospf, proto_pipe, proto_bgp, proto_bfd;
proto_ospf, proto_pipe, proto_bgp, proto_bgpsec, proto_bfd;
/*
* Routing Protocol Instance
......
......@@ -407,7 +407,8 @@ typedef struct eattr {
#define EAP_RIP 2 /* RIP */
#define EAP_OSPF 3 /* OSPF */
#define EAP_KRT 4 /* Kernel route attributes */
#define EAP_MAX 5
#define EAP_BGPSEC 5 /* BGPSEC attributes */
#define EAP_MAX 6
#define EA_CODE(proto,id) (((proto) << 8) | (id))
#define EA_PROTO(ea) ((ea) >> 8)
......
This diff is collapsed.
......@@ -4,6 +4,14 @@
* (c) 2000 Martin Mares <mj@ucw.cz>
*
* Can be freely distributed and used under the terms of the GNU GPL.
*
*
* Code added from Parsons, Inc. (BGPSEC additions)
* (c) 2013-2013
*
* Can be used under either license:
* - Freely distributed and used under the terms of the GNU GPLv2.
* - Freely distributed and used under a BSD license, See README.bgpsec.
*/
/**
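Review bot: The added copyright notice reads "(c) 2013-2013" and offers "GNU GPLv2", while the README added by this same commit says "(c) 2013-2016" and "GPLv2+". Please make the year range and the licence wording agree, since this header points readers to README.bgpsec for the terms.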
......@@ -78,6 +86,10 @@
#include "bgp.h"
#ifdef CONFIG_BGPSEC
/* sscanf parsing of SKI configuration value */
#include <stdio.h>
#endif
struct linpool *bgp_linpool; /* Global temporary pool */
static sock *bgp_listen_sk; /* Global listening socket */
......@@ -1266,7 +1278,6 @@ bgp_check_config(struct bgp_config *c)
if (c->c.class == SYM_TEMPLATE)
return;
/* EBGP direct by default, IBGP multihop by default */
if (c->multihop < 0)
c->multihop = internal ? 64 : 0;
......@@ -1283,7 +1294,6 @@ bgp_check_config(struct bgp_config *c)
if (c->c.in_limit && (c->c.in_limit->action == PLA_RESTART) && c->disable_after_error)
c->c.in_limit->action = PLA_DISABLE;
if (!c->local_as)
cf_error("Local AS number must be set");
......@@ -1329,6 +1339,61 @@ bgp_check_config(struct bgp_config *c)
if (c->secondary && !c->c.table->sorted)
cf_error("BGP with secondary option requires sorted table");
#ifdef CONFIG_BGPSEC
/* create a binary SKI from config */
if ( c->enable_bgpsec ) {
if ( strnlen(c->bgpsec_ski, (2 * BGPSEC_SKI_LENGTH))
!= (BGPSEC_SKI_LENGTH * 2) ) {
cf_error("BGPSEC: bad length of the configured SKI value");
}
if ( BGPSEC_SKI_LENGTH !=
sscanf(c->bgpsec_ski, "%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx%2hhx",
(unsigned char *)c->bgpsec_bski,
(unsigned char *)(c->bgpsec_bski+1),
(unsigned char *)(c->bgpsec_bski+2),
(unsigned char *)(c->bgpsec_bski+3),
(unsigned char *)(c->bgpsec_bski+4),
(unsigned char *)(c->bgpsec_bski+5),
(unsigned char *)(c->bgpsec_bski+6),
(unsigned char *)(c->bgpsec_bski+7),
(unsigned char *)(c->bgpsec_bski+8),
(unsigned char *)(c->bgpsec_bski+9),
(unsigned char *)(c->bgpsec_bski+10),
(unsigned char *)(c->bgpsec_bski+11),
(unsigned char *)(c->bgpsec_bski+12),
(unsigned char *)(c->bgpsec_bski+13),
(unsigned char *)(c->bgpsec_bski+14),
(unsigned char *)(c->bgpsec_bski+15),
(unsigned char *)(c->bgpsec_bski+16),
(unsigned char *)(c->bgpsec_bski+17),
(unsigned char *)(c->bgpsec_bski+18),
(unsigned char *)(c->bgpsec_bski+19)) ) {
cf_error("BGPSEC: unable to parse the configured SKI value");
}
log(L_WARN "BPGPSEC: bgpsec_key_repo_path is %s", c->bgpsec_key_repo_path);
if (c->bgpsec_key_repo_path) {
int krp = strnlen(c->bgpsec_key_repo_path, 10);
if ( 0 < krp && krp < 2 ) {
log(L_WARN "BPGPSEC: unable to parse bpgsec_key_repo_path: %d", krp);
cf_error("BGPSEC:: unable to parse bpgsec_key_repo_path");
}
}
log(L_WARN "BPGPSEC: bgpsec_key_repo_path is %s", c->bgpsec_priv_key_path);
if (c->bgpsec_priv_key_path) {
int pkp = strnlen(c->bgpsec_priv_key_path, 10);
if ( 0 < pkp && pkp < 2 ) {
log(L_WARN "BPGPSEC: unable to parse bpgsec_key_repo_path: %d", pkp);
cf_error("BGPSEC:: unable to parse bpgsec_key_repo_path");
}
}
}
#endif
}
static int
......
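Review bot: The SKI length check cannot detect an over-long value: `strnlen(c->bgpsec_ski, (2 * BGPSEC_SKI_LENGTH))` never returns more than 40, so any string of 40 or more characters passes and sscanf then silently uses only the first 40. Use a bound of 2 * BGPSEC_SKI_LENGTH + 1 (or strlen), and check c->bgpsec_ski for NULL first, since this hunk dereferences it as soon as enable_bgpsec is set. The %2hhx conversions also skip leading whitespace and accept a sign, so a 40-character string that is not pure hex can still yield 20 conversions; validating every character with isxdigit before converting would be stricter. In the path checks, the second block logs and reports "bgpsec_key_repo_path" while testing c->bgpsec_priv_key_path, the log prefix is spelled "BPGPSEC", both paths are logged at L_WARN on every config check, and `0 < krp && krp < 2` only rejects a one-character path, which needs a comment saying what it is meant to catch.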
......@@ -4,6 +4,14 @@
* (c) 2000 Martin Mares <mj@ucw.cz>
*
* Can be freely distributed and used under the terms of the GNU GPL.
*
*
* Code added from Parsons, Inc. (BGPSEC additions)
* (c) 2013-2013
*
* Can be used under either license:
* - Freely distributed and used under the terms of the GNU GPLv2.
* - Freely distributed and used under a BSD license, See README.bgpsec.
*/
#ifndef _BIRD_BGP_H_
......@@ -17,6 +25,24 @@
struct linpool;
struct eattr;
#ifdef CONFIG_BGPSEC
/* BGPSec constants */
#define BGPSEC_VERSION 0
/* currently capability is arbitrary number from private use */
#define BGPSEC_CAPABILITY 212
#define BGPSEC_SKI_LENGTH 20
#define BGPSEC_ALGO_ID 1 /* XXX this needs to be changed */
#define BGPSEC_MAX_SIG_LENGTH 80
/* sig hash length is somewhat arbitrary,
= 20 + MaxASPathLength*(28 + max_sig_length).
As of 2016, max unique AS Path length found is 14.
This value will allowy for for a hash buffer that can handle an AS
path length ~47 long
*/
#define BGPSEC_SIG_HASH_LENGTH 5120
#define BGPSEC_MAX_INFO_ATTR_LENGTH 0 /* XXX this needs to be checked */
#endif
struct bgp_config {
struct proto_config c;
u32 local_as, remote_as;
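Review bot: BGPSEC_SIG_HASH_LENGTH fixes the hash input buffer at 5120 bytes, which by the comment's own formula covers an AS path of about 47 hops, so the code that fills that buffer (not in the visible hunks) needs an explicit length check that rejects longer signed paths instead of relying on the observed maximum of 14. Three of the new constants still carry open questions (BGPSEC_ALGO_ID and BGPSEC_MAX_INFO_ATTR_LENGTH are marked XXX, the latter set to 0, and the capability code 212 is described as an arbitrary private-use number); please state in the comments what each must become before this leaves alpha. Typo in the comment: "allowy for for".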
......@@ -40,6 +66,20 @@ struct bgp_config {
int capabilities; /* Enable capability handshake [RFC3392] */
int enable_refresh; /* Enable local support for route refresh [RFC2918] */
int enable_as4; /* Enable local support for 4B AS numbers [RFC4893] */
/* BGPSec */
/* cannot be ifdef'd out due to config.Y compatibility */
int enable_bgpsec; /* Whether neighbor should be a BGPSec peer */
int bgpsec_prefer; /* Whether validly signed BGPsec routes are prefered during route selection */
int bgpsec_require; /* Whether neighbor should be a BGPSec peer */
char *bgpsec_ski; /* local subject key id */
u8 bgpsec_bski[BGPSEC_SKI_LENGTH]; /* binary local SKI */
char *bgpsec_key_repo_path; /* Path to the public key repository */
char *bgpsec_priv_key_path; /* Path to the private key location */
int bgpsec_save_binary_keys; /* Save a copy of the binary key */
int bgpsec_no_pcount0; /* allow peer to have pcount 0, xxx current default allows */
int bgpsec_no_invalid_routes; /* should invalid routes be dropped */
u32 rr_cluster_id; /* Route reflector cluster ID, if different from local ID */
int rr_client; /* Whether neighbor is RR client of me */
int rs_client; /* Whether neighbor is RS client of me */
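Review bot: `u8 bgpsec_bski[BGPSEC_SKI_LENGTH];` is declared unconditionally (the comment says these fields cannot be ifdef'd out), but BGPSEC_SKI_LENGTH is only defined under `#ifdef CONFIG_BGPSEC` earlier in this header, so a build without --enable-bgpsec has no definition for the array size. Move that define outside the ifdef. Two field comments also need fixing: bgpsec_require repeats the enable_bgpsec comment word for word, and bgpsec_no_pcount0 is described as "allow peer to have pcount 0", which is the opposite of what the name suggests and of the README's instruction to set it to false/0 to allow pcount 0.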
......@@ -100,6 +140,12 @@ struct bgp_conn {
byte *notify_data;
u32 advertised_as; /* Temporary value for AS number received */
int start_state; /* protocol start_state snapshot when connection established */
#ifdef CONFIG_BGPSEC
/* BGPsec */
u8 peer_bgpsec_support; /* Peer supports BGPSec */
#endif
u8 peer_refresh_support; /* Peer supports route refresh [RFC2918] */
u8 peer_as4_support; /* Peer supports 4B AS numbers [RFC4893] */
u8 peer_add_path; /* Peer supports ADD-PATH [draft] */
......@@ -117,6 +163,15 @@ struct bgp_proto {
struct bgp_config *cf; /* Shortcut to BGP configuration */
u32 local_as, remote_as;
int start_state; /* Substates that partitions BS_START */
#ifdef CONFIG_BGPSEC
/* BGPsec */
u8 bgpsec_send; /* Sender can send BGPSec messages */
u8 bgpsec_receive; /* Sender can receive BGPSec messages */
u8 bgpsec_ipv4; /* Sender uses BGPSec over iPv4 */
u8 bgpsec_ipv6; /* Sender uses BGPSec over iPv6 */
#endif
u8 is_internal; /* Internal BGP connection (local_as == remote_as) */
u8 as4_session; /* Session uses 4B AS numbers in AS_PATH (both sides support it) */
u8 add_path_rx; /* Session expects receive of ADD-PATH extended NLRI */
......@@ -152,7 +207,7 @@ struct bgp_proto {
u8 last_error_class; /* Error class of last error */
u32 last_error_code; /* Error code of last error. BGP protocol errors
are encoded as (bgp_err_code << 16 | bgp_err_subcode) */
#ifdef IPV6
#if defined(IPV6) || defined CONFIG_BGPSEC
byte *mp_reach_start, *mp_unreach_start; /* Multiprotocol BGP attribute notes */
unsigned mp_reach_len, mp_unreach_len;
ip_addr local_link; /* Link-level version of source_addr */
......@@ -235,7 +290,7 @@ static inline void set_next_hop(byte *b, ip_addr addr) { ((ip_addr *) b)[0] = ad
void bgp_attach_attr(struct ea_list **to, struct linpool *pool, unsigned attr, uintptr_t val);
byte *bgp_attach_attr_wa(struct ea_list **to, struct linpool *pool, unsigned attr, unsigned len);
struct rta *bgp_decode_attrs(struct bgp_conn *conn, byte *a, unsigned int len, struct linpool *pool, int mandatory);
struct rta *bgp_decode_attrs(struct bgp_conn *conn, byte *attr, unsigned int len, struct linpool *pool, byte * nlri, int nlri_len);
int bgp_get_attr(struct eattr *e, byte *buf, int buflen);
int bgp_rte_better(struct rte *, struct rte *);
int bgp_rte_recalculate(rtable *table, net *net, rte *new, rte *old, rte *old_best);
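Review bot: The new bgp_decode_attrs prototype takes `int nlri_len` next to `unsigned int len`; a length derived from a received UPDATE should be unsigned as well, so a negative value can never reach code that uses it as a size. The `mandatory` argument is dropped here and the file implementing the function is collapsed on this page, so please confirm that the missing-mandatory-attribute check still runs for updates that carry NLRI.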
......@@ -278,6 +333,8 @@ void bgp_log_error(struct bgp_proto *p, u8 class, char *msg, unsigned code, unsi
#define BAF_PARTIAL 0x20
#define BAF_EXT_LEN 0x10
/* Note: these must match location in the bgp_attr_table */
#define BA_ORIGIN 0x01 /* [RFC1771] */ /* WM */
#define BA_AS_PATH 0x02 /* WM */
#define BA_NEXT_HOP 0x03 /* WM */
......@@ -287,16 +344,34 @@ void bgp_log_error(struct bgp_proto *p, u8 class, char *msg, unsigned code, unsi
#define BA_AGGREGATOR 0x07 /* OT */
#define BA_COMMUNITY 0x08 /* [RFC1997] */ /* OT */
#define BA_ORIGINATOR_ID 0x09 /* [RFC1966] */ /* ON */
#define BA_CLUSTER_LIST 0x0a /* ON */
#define BA_CLUSTER_LIST 0x0a /* [RFC4456] */
/* We don't support these: */
#define BA_DPA 0x0b /* ??? */
#define BA_ADVERTISER 0x0c /* [RFC1863] */
#define BA_RCID_PATH 0x0d
#define BA_MP_REACH_NLRI 0x0e /* [RFC2283] */
#define BA_MP_UNREACH_NLRI 0x0f
#define BA_EXT_COMMUNITY 0x10 /* [RFC4360] */
#define BA_AS4_PATH 0x11 /* [RFC4893] */
#define BA_AS4_AGGREGATOR 0x12
#define BA_DPA 0x0b /* DPA deprecated */
#define BA_ADVERTISER 0x0c /* [RFC1863] */
#define BA_RCID_PATH 0x0d /* [RFC1863] */
/* supported? */
#define BA_MP_REACH_NLRI 0x0e /* [RFC4760] */
#define BA_MP_UNREACH_NLRI 0x0f /* [RFC4760] */
#define BA_EXT_COMMUNITY 0x10 /* [RFC4360] */
#define BA_AS4_PATH 0x11 /* [RFC6793] */
#define BA_AS4_AGGREGATOR 0x12 /* [RFC6793] */
/* not supported */
#define BA_SSA 0x13 /* SAFI Specific Attribute (SSA) (deprecated) */
#define BA_CONNECTOR_ATTR 0x14 /* (deprecated) [RFC6037] */
#define BA_AS_PATHLIMIT 0x15 /* (deprecated) [draft-ietf-idr-as-pathlimit] */
#define BA_PMSI_TUNNEL 0x16 /* [RFC6514] */
#define BA_TUNNEL_ENCAP 0x17 /* Tunnel Encapsulation [RFC5512] */
#define BA_TUNNEL_ENGINEERING 0x18 /* Traffic Engineering [RFC5543] */
#define BA_IPV6_EXT_COMMUNITY 0x19 /* IPv6 Address Specific Extended Community [RFC5701] */
#define BA_AIGP 0x1a /* AIGP (TEMPORARY, expired 2013-04-25) [draft-ietf-idr-aigp][Rex_Fernando][Pradosh_Mohapatra][Eric_Rosen][James_Uttaro] */
#define BA_PE_DIST_LABELS 0x1b /* PE Distinguisher Labels [RFC6514] */
#define BA_ENTROPY_LABELS 0x1c /* BGP Entropy Label Capability Attribute [RFC6790] */
#define BA_LS_ATTRIBUTE 0x1d /* BGP-LS Attribute (TEMPORARY, expired 2014-03-11) [draft-ietf-idr-ls-distribution] */
/* Supported */
#define BA_BGPSEC_SIGNATURE 0x1E /* XXX 30 is best guess, draft-ietf-sidr-bgpsec-protocol */
/* internal use only */
#define BA_INTERNAL_BGPSEC_VALID 0xdd
/* BGP connection states */
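Review bot: BA_INTERNAL_BGPSEC_VALID (0xdd) is marked internal-only but sits in the same one-byte code space as attributes received from peers, so the decoder must drop or reject a path attribute of type 0xdd arriving on the wire; otherwise the validity marker could originate from a peer instead of from local verification. That handling is not in the visible hunks, so please point to it or add it. BA_BGPSEC_SIGNATURE is a "best guess" of 0x1E per its own XXX comment and should be tracked against the code the draft is eventually assigned, and the note added earlier in this header that these values "must match location in the bgp_attr_table" needs a word on how 0xdd fits that table.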
......@@ -376,6 +451,18 @@ void bgp_log_error(struct bgp_proto *p, u8 class, char *msg, unsigned code, unsi
#define BEA_ROUTE_LIMIT_EXCEEDED 1
/* BGP Update Error codes */
#define BGP_UPD_ERROR_MALFORMED_ATTR 1
#define BGP_UPD_ERROR_UNRCGNZD_WK_ATTR 2
#define BGP_UPD_ERROR_MISSING_WK_ATTR 3
#define BGP_UPD_ERROR_ATTR_FLAG 4
#define BGP_UPD_ERROR_ATTR_LENGTH 5