kerfuffle
just joined
Topic Author
Posts: 15
Joined: Wed Feb 22, 2023 6:50 am
Location: San Francisco, CA

IRR Filtering on eBGP Sessions

Sat Apr 08, 2023 7:03 am

Has anyone built IRR filtering on their eBGP sessions? Multiple tools exist to build the configuration off-router on a Linux host (such as bgpq4), but there's no way to update/replace the configuration, so every time the script runs, my import filter gets longer and longer as it simply appends to the end of the existing one.

Anyone found an imaginative way around this? Not sure it's actually possible, which means managing the filters manually - which sucks for big peers who add/remove prefixes semi-frequently.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: IRR Filtering on eBGP Sessions

Sat Apr 08, 2023 12:49 pm

When you want to use tools like that, you would use a different name for the filter every time you use it (you can toggle between two different names).
You generate and import the new list, then you change the relevant configuration (peer, connection) to use the new filter, then you delete the old one.
 
kerfuffle
just joined
Topic Author
Posts: 15
Joined: Wed Feb 22, 2023 6:50 am
Location: San Francisco, CA

Re: IRR Filtering on eBGP Sessions

Sun Apr 09, 2023 1:36 am

That's pretty interesting. After a bunch of digging, I've actually gotten my script to output the right thing to remove the current filter, and put in a new version.

As an example for AS23028, below:
/routing/filter/rule remove [find chain=as23028-import-ipv4]
/routing/filter/rule remove [find chain=as23028-import-ipv6]
/routing filter rule
add chain=as23028-import-ipv4 disabled=no rule="if (dst in 38.229.0.0/16 && dst-len<=24) { jump fcix-import }"
add chain=as23028-import-ipv4 disabled=no rule="if (dst==68.22.187.0/24) { jump fcix-import }"
add chain=as23028-import-ipv4 disabled=no rule="if (dst==192.0.37.0/24) { jump fcix-import }"
add chain=as23028-import-ipv4 disabled=no rule="if (dst==192.0.38.0/24) { jump fcix-import }"
add chain=as23028-import-ipv4 disabled=no rule="if (dst in 192.0.40.0/23 && dst-len<=24) { jump fcix-import }"
add chain=as23028-import-ipv4 disabled=no rule="if (dst==192.138.226.0/24) { jump fcix-import }"
add chain=as23028-import-ipv4 disabled=no rule="if (dst in 199.7.82.0/23 && dst-len<=24) { jump fcix-import }"
add chain=as23028-import-ipv4 disabled=no rule="if (dst in 199.7.94.0/23 && dst-len<=24) { jump fcix-import }"
add chain=as23028-import-ipv4 disabled=no rule="if (dst==199.43.132.0/24) { jump fcix-import }"
add chain=as23028-import-ipv4 disabled=no rule="if (dst==203.28.18.0/24) { jump fcix-import }"
add chain=as23028-import-ipv4 disabled=no rule="if (dst==204.74.64.0/24) { jump fcix-import }"
add chain=as23028-import-ipv4 disabled=no rule="if (dst==209.176.111.0/24) { jump fcix-import }"
add chain=as23028-import-ipv4 disabled=no rule="if (dst in 216.31.0.0/18 && dst-len<=24) { jump fcix-import }"
add chain=as23028-import-ipv4 disabled=no rule="if (dst==216.90.108.0/24) { jump fcix-import }"
add chain=as23028-import-ipv4 rule="reject"
add chain=as23028-import-ipv6 disabled=no rule="if (dst==2001:500:3::/48) { jump fcix-import }"
add chain=as23028-import-ipv6 disabled=no rule="if (dst==2001:500:8c::/48) { jump fcix-import }"
add chain=as23028-import-ipv6 disabled=no rule="if (dst in 2001:500:9c::/46 && dst-len<=48) { jump fcix-import }"
add chain=as23028-import-ipv6 disabled=no rule="if (dst in 2602:800:9004::/47 && dst-len<=48) { jump fcix-import }"
add chain=as23028-import-ipv6 disabled=no rule="if (dst in 2604:8800::/32 && dst-len<=48) { jump fcix-import }"
add chain=as23028-import-ipv6 disabled=no rule="if (dst==2620:0:6b0::/48) { jump fcix-import }"
add chain=as23028-import-ipv6 disabled=no rule="if (dst==2620:0:2ee0::/48) { jump fcix-import }"
add chain=as23028-import-ipv6 disabled=no rule="if (dst==2620:0:22b0::/48) { jump fcix-import }"
add chain=as23028-import-ipv6 rule="reject"

This seems to work fine when I paste it into the box on the command line. It doesn't seem to flap the BGP session, at least - but it looks pretty trivial to create a new filter, update the BGP session and then remove the old filter.

Now to find a good way to automate the SSH onto the router to run the commands.
 
kerfuffle
just joined
Topic Author
Posts: 15
Joined: Wed Feb 22, 2023 6:50 am
Location: San Francisco, CA

Re: IRR Filtering on eBGP Sessions

Tue Apr 18, 2023 5:01 am

I've ended up writing a bunch of scripts to generate the IRR filters off-box using IRRPT and mangle them into ROS format, then a bunch of Python to use the RouterOS API to check if they're in sync and, if they are not, remove the existing filter and add a new version... Not many folks on MikroTik seem to be fussed about routing security; surprised there wasn't already a tool for this.

If anyone is interested in running this on their BGP peering edge, let me know. I'll likely publish to GitHub.
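An added example, not the author's mikrotik-irrupdater code, that ties together the three ideas in this thread: it turns a bgpq4/IRRPT-style list of (prefix, max-length) entries into the `dst==` / `dst in ... && dst-len<=` rules shown in the AS23028 post, names each chain with an a/b suffix so the swap pe1chl suggested (install the new chain, repoint the connection, delete the old chain) needs no downtime, and compares the desired rule list against what is already on the router, as the sync check in the post above describes. It only emits RouterOS v7 command text and makes no API calls; the `input.filter` connection property, the `fcix-import` jump target, the chain naming and the sample prefixes are assumptions.

```python
"""Generate RouterOS v7 routing-filter chains from IRR data and diff them."""
import ipaddress

# Constructed sample input (bgpq4 / IRRPT style): (prefix, max-length).
AS23028_V4 = [("38.229.0.0/16", 24), ("68.22.187.0/24", 24), ("192.0.40.0/23", 24)]


def rule_expr(prefix, max_len, target="fcix-import"):
    """One RouterOS filter expression: exact match when no longer prefixes
    are allowed, otherwise a covering match bounded by dst-len."""
    net = ipaddress.ip_network(prefix)  # validates v4 and v6 alike
    if max_len <= net.prefixlen:
        return f"if (dst=={prefix}) {{ jump {target} }}"
    return f"if (dst in {prefix} && dst-len<={max_len}) {{ jump {target} }}"


def build_chain(asn, family, entries, generation):
    """Chain name alternates between -a and -b per generation so the new
    chain can exist beside the old one; ends with an explicit reject."""
    suffix = "a" if generation % 2 == 0 else "b"
    chain = f"as{asn}-import-{family}-{suffix}"
    rules = [rule_expr(p, m) for p, m in entries] + ["reject"]
    return chain, rules


def add_commands(chain, rules):
    """CLI lines that create the chain (paste into the terminal or send via API)."""
    return ["/routing/filter/rule"] + [f'add chain={chain} rule="{r}"' for r in rules]


def swap_commands(old_chain, new_chain, connection):
    """Repoint the BGP connection first, then remove the old chain, so the
    session never runs without an import filter (assumed property names)."""
    return [
        f"/routing/bgp/connection set [find name={connection}] input.filter={new_chain}",
        f"/routing/filter/rule remove [find chain={old_chain}]",
    ]


def in_sync(existing_rules, desired_rules):
    """Filter chains are evaluated in order, so compare sequences, not sets."""
    return list(existing_rules) == list(desired_rules)


if __name__ == "__main__":
    chain, rules = build_chain(23028, "ipv4", AS23028_V4, generation=1)
    print("\n".join(add_commands(chain, rules)))
    print("\n".join(swap_commands("as23028-import-ipv4-a", chain, "fcix-as23028")))
```

Running the generated `add` lines before the `set`/`remove` pair keeps the peer filtered throughout; the `generation` counter can be persisted off-box so the script knows which suffix is live.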
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: IRR Filtering on eBGP Sessions

Tue Apr 18, 2023 5:09 am

 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: IRR Filtering on eBGP Sessions

Tue Apr 18, 2023 11:45 am

IRR filtering and RPKI are not the same thing. They are related, yes.
 
kerfuffle
just joined
Topic Author
Posts: 15
Joined: Wed Feb 22, 2023 6:50 am
Location: San Francisco, CA

Re: IRR Filtering on eBGP Sessions

Wed Apr 19, 2023 6:38 am

RPKI is another measure for routing security for sure, as pe1chl said, but IRR filters sadly still have their place and are as important - there were just no decent systems I could find to manipulate these on MikroTik, like there are for the big-name vendors. I'm pretty happy with the setup now, dropping RPKI invalids and now also filtering peering sessions based on IRR data.

The (very alpha) code I wrote is on GitHub now: https://github.com/edgenative/mikrotik-irrupdater
 
edielson_atm
Trainer
Posts: 30
Joined: Tue May 29, 2007 5:23 am
Location: Brasilia - Brasil

Re: IRR Filtering on eBGP Sessions

Wed Apr 19, 2023 2:53 pm

> RPKI is another measure for routing security for sure, as pe1chl said, but IRR filters sadly still have their place and are as important - there were just no decent systems I could find to manipulate these on MikroTik, like there are for the big-name vendors. I'm pretty happy with the setup now, dropping RPKI invalids and now also filtering peering sessions based on IRR data.
>
> The (very alpha) code I wrote is on GitHub now: https://github.com/edgenative/mikrotik-irrupdater

Do you have a manual for implementing it?
 
kerfuffle
just joined
Topic Author
Posts: 15
Joined: Wed Feb 22, 2023 6:50 am
Location: San Francisco, CA

Re: IRR Filtering on eBGP Sessions

Thu Apr 20, 2023 4:12 am

I've written a README in the GitHub repo... happy to write a step-by-step/more comprehensive guide if you think it's useful, including how to set up IRRPT (although that's all very well documented elsewhere on the internet).
 
edielson_atm
Trainer
Posts: 30
Joined: Tue May 29, 2007 5:23 am
Location: Brasilia - Brasil

Re: IRR Filtering on eBGP Sessions

Thu Apr 20, 2023 4:57 pm

> I've written a README in the GitHub repo... happy to write a step-by-step/more comprehensive guide if you think it's useful, including how to set up IRRPT (although that's all very well documented elsewhere on the internet).

If you can create a step-by-step guide, I can help with the project.
 
kerfuffle
just joined
Topic Author
Posts: 15
Joined: Wed Feb 22, 2023 6:50 am
Location: San Francisco, CA

Re: IRR Filtering on eBGP Sessions

Thu Apr 20, 2023 8:39 pm

Drop me an email and let’s talk :)

My email address is at the top of the Python code.
