History log of /openbsd/usr.sbin/bgpd/session.h (Results 1 – 25 of 174)
Revision Date Author Comments
# d7629114 01-Oct-2024 claudio <claudio@openbsd.org>

Rework the pfkey and tcp md5 API to not depend on struct peer.

Instead use struct auth_config and struct auth_state in the pfkey calls
and those tcp_md5 calls where it matters.

This is preparation work to allow RTR to use TCP MD5 as well.
OK tb@


# 7f893e0c 04-Sep-2024 claudio <claudio@openbsd.org>

Call pfkey_remove() only after the Session Engine finished reloading its
configuration. Doing so before could result in some messages being sent
out without proper TCP-MD5 signature.

Fix for: https://github.com/openbgpd-portable/openbgpd-portable/issues/82
OK tb@


# db359c81 20-Aug-2024 claudio <claudio@openbsd.org>

Use msgbuf_queuelen() instead of accessing wbuf.queue for msgbuf structs.

Also export the msgbuf queue len as a stats member so bgpctl does not need
to dig into the msgbuf structure inside struct peer.
This skips imsg related msgbuf since that will be handled by an imsgbuf
specific function.
OK tb@


# d87cfbcc 12-Aug-2024 claudio <claudio@openbsd.org>

Add 'min-version' RTR config option and default to RTR version 1 by default.

The min-version pins a minimal required version for rtr session. This is
needed if specific PDUs are required and it ensures that the session is
not suddenly downgraded. This is important for ASPA where a minimum
version of 2 is required. Only then the ASPA PDUs are transmitted.

By default a RTR version of 1 is used but setting min-version to 2
will enable draft-ietf-sidrops-8210bis-14 support and enforce it
at the same time. Right now defaulting to version 2 is not possible
since draft-ietf-sidrops-8210bis failed to progress for too long a
time, resulting in a split ecosystem with various incompatible RTR
version 2 implementations.

OK tb@


# 088a2cd9 18-May-2024 jsg <jsg@openbsd.org>

remove prototypes with no matching function; ok claudio@


# 3a82eff3 22-Apr-2024 claudio <claudio@openbsd.org>

Move setting of the shutdown reason to session_stop()

Also make sure that something is logged when a session is stopped.
Part of a bigger diff which was OK tb@


# beb044e9 22-Mar-2024 claudio <claudio@openbsd.org>

Rework parse_notification() to use the ibuf API for everything.

While there fix the RFC5492 handling of ERR_OPEN_CAPA (the current code
has the logic inversed). ERR_OPEN_CAPA is there to signal that a needed
capability is missing in our OPEN message. Just add the handling of
ERR_OPEN_CAPA to log_notification().

Also rework the handling of the shutdown reason and move the printing
into log_notification().

OK tb@


# ebae4308 16-Jan-2024 claudio <claudio@openbsd.org>

Switch session_notification() over to use a struct ibuf to carry the
extra data. With this IMSG_UPDATE_ERR can use the new imsg API.

Introduce session_notification_data() for the few cases where there
is no ibuf readily available.

OK tb@


# c8f6e08e 11-Jan-2024 claudio <claudio@openbsd.org>

rename field ibuf to imsgbuf in struct ctl_conn
OK tb@


# 0b920bb9 10-Jan-2024 claudio <claudio@openbsd.org>

Update the control.c code to use the new imsg API.

OK tb@


# c58ea0be 19-Oct-2023 claudio <claudio@openbsd.org>

Convert the session engine to use the new ibuf API.
OK tb@


# cf5008fd 16-Oct-2023 claudio <claudio@openbsd.org>

Improve IPv6 link-local address handling

When a session is established determine the possible interface scope of that
session. The scope is only set when the remote address is directly connected.
This interface scope is passed to the RDE that uses this information when
link-local nexthops are received. Again checking that a link-local nexthop
is actually acceptable.

OK tb@


# dfd27b08 28-Mar-2023 claudio <claudio@openbsd.org>

Introduce a semaphore to protect intermediate state from different RTR
sessions to leak into the RDE via rtr_recalc. Only run rtr_recalc when
the last or only RTR session is done with the update. Run a new timer
along to ensure that the semaphore is not held forever. The timeout
is currently a very generous 60sec, no RTR cache should be that slow.
OK tb@


# 83072fb6 09-Mar-2023 claudio <claudio@openbsd.org>

Implement ASPA support in RTR by following draft-ietf-sidrops-8210bis-10.

In rtr.c renamed rtr_aspa_merge_set() to rtr_aspa_insert() and moved it
close to rtr_roa_insert().
In rtr_proto.c most complexity comes from the version negotiation. The
ASPA parser is reasonably straightforward. The version negotiation is
fragile but that is mostly because of the protocol specification and the
fact that RTR cache daemons sometimes fail to send errors.
OK tb@


# 372bb3aa 09-Mar-2023 claudio <claudio@openbsd.org>

Major rework of RFC9234 support. My initial interpretation of the RFC was
too conservative. Fixes and changes include:

- add role output to bgpctl, also adjust the capability output.
  Note, this changes the JSON output of neighbors a bit.
- adjust the config parser to enable the RFC9234 role capability when
  there is a role set. iBGP and sessions with no role will not announce
  the role capability.
- adjust the role capability announcement to be only on sessions that
  use either AFI IPv4 or IPv6 and SAFI 1 (AID_INET, AID_INET6).
- if there is an OPEN notification indicating that the role capability
  is bad only disable the capability if it is not enforced.
- Adjust capability negotiation, store remote_role on the peer since
  the neighbor's role is no longer needed by the RDE.
- inject the OTC attribute on ingress only for AID_INET and AID_INET6.
  For other AIDs clear the F_ATTR_OTC_LOOP flag.
- Adjust the role logic in the RDE and use the peer->role (local role of
  the system) for all checks. Also remove the check if the role capability
  was negotiated between peers.
- In prefix_eligible() check also if the F_ATTR_OTC_LOOP flag is set.
  The RFC requires that prefixes must be considered ineligible (and not
  treated as withdraw as done before)
- When generating an UPDATE include the OTC attribute unless the AID is
  neither AID_INET nor AID_INET6.

Fixes https://github.com/openbgpd-portable/openbgpd-portable/issues/51
Reported by Pier Carlo Chiodi
OK tb@


# 82625ff8 09-Feb-2023 claudio <claudio@openbsd.org>

Instead of relaying struct peer from the SE to the RDE to fill out 10
stat numbers, just send the peerid and have the RDE respond with the
stats. The control code will then merge these counters into the real
peer struct and send that to bgpctl. This reduces the number of bytes
sent around a fair bit.
OK tb@


# 4d242bdf 29-Aug-2022 claudio <claudio@openbsd.org>

Export pending update and withdraw as part of struct peer_stats.
OK tb@


# 57baab2a 28-Jul-2022 deraadt <deraadt@openbsd.org>

whitespace found during a read-thru; ok claudio


# 1114d9c2 27-Jun-2022 claudio <claudio@openbsd.org>

Add support for RFC 9234 - Route Leak Prevention and Detection Using Roles

With this it is possible to send a role in the OPEN message and if that
was successful the RDE will add the new OTC attribute if necessary.
OK tb@


# 93662c4e 15-Jun-2022 claudio <claudio@openbsd.org>

Do not use defines from pfkeyv2.h in portable code.

Instead define our own algorithm enums for the IPsec code.
OK tb@ sthen@


# 39386878 06-Feb-2022 claudio <claudio@openbsd.org>

Switch from u_intX_t types to stdint.h uintX_t. Mostly mechanical with
a few reindents.
OK florian@ tb@


# 36afba5e 03-Sep-2021 claudio <claudio@openbsd.org>

Add add-path support in MRT dumps (RFC8050).

This works for table-v2 formats and also for the all and update dumps.
For the latter the code needs to inspect the UPDATE message to guess if
add-path is used in that message or not. Add-path can be enabled per
AFI and alters the NLRI encoding without any way to detect.
For table dumps we decided to dump RIB_GENERIC entries the same way as
gobgp and not use the encoding from the RFC. The RFC specifies
RIB_GENERIC (non-IPv4/v6) entries in a way that is not only different
but also against the normal codeflow. Only gobgp seems to implement
RIB_GENERIC encoding (neither bird nor frr/quagga do) and so it makes
sense to follow their way.

OK benno@


# df79d77d 27-Jul-2021 claudio <claudio@openbsd.org>

Implement RFC9072: Extended Optional Parameters Length for BGP OPEN Message

This allows to send more than 255 bytes of optional parameters. With this
it is possible to send more capabilities. bgpd will switch automatically
to the new extended length format if needed but by default the old 1 byte
param length encoding is used to keep compatible with old systems.

OK benno@


# 63c2de87 27-May-2021 claudio <claudio@openbsd.org>

bgpd(8) will soon support ADD-PATH (RFC7911) and enhanced route refresh
(RFC7313). This is the first step toward this.

It adds the capability parsers for the two new capabilities, extends the
capability struct and adds the capability negotiation bits.
The route refresh message parser and generator are extended to support
the BoRR and EoRR message. Also add the new NOTIFICATION type and subtype
for the route refresh message.


# bd9df44e 16-Feb-2021 claudio <claudio@openbsd.org>

Add RTR support to OpenBGPD. Add basic support for the protocol.
The RTR client runs in a new process where the protocol handling is done
and when new data is available all sources are merged into one ROA set
which is then loaded into the RDE. The roa-set from the config is also
handled by the new RTR engine.
Tested by and ok job@
