Remove entirely insecure configuration mode #23

Closed
wants to merge 1 commit into from
3 changes: 0 additions & 3 deletions config.d/clients.yml
Expand Up @@ -146,9 +146,6 @@ clients:
#- "NAME1"
#- "NAME2"

#enforce_origin_in_as_set: True
#enforce_prefix_in_as_set: True

# White lists.
# The following 3 sections allow to configure white lists
# for routes, prefixes and origin ASNs on a client-specific
28 changes: 0 additions & 28 deletions config.d/general.yml
Expand Up @@ -168,34 +168,6 @@ cfg:
6762, 6830, 7018, 12956

irrdb:
# With regards of the following two options, if no AS-SET
# is given in the clients configuration file for the
# specific client nor for its AS, then only the ASN
# of the announcing client is expanded and used to gather
# authorized origin ASNs and prefixes.
# If the 'peering_db' option below within this section is set
# to True, ARouteServer acquires the AS-SET of the client ASN
# from PeeringDB.
#
# More details on the Configuration page on ReadTheDocs:
# https://arouteserver.readthedocs.io/en/latest/CONFIG.html

# Accept only routes whose origin ASN is registered in
# the expanded AS-SET of the announcing client.
#
# Can be overwritten on a client-by-client basis.
#
# Default: True
enforce_origin_in_as_set: True

# Accept only prefixes which are present in the expanded
# AS-SET of the announcing client.
#
# Can be overwritten on a client-by-client basis.
#
# Default: True
enforce_prefix_in_as_set: True

# By default, only prefixes that have a strict correspondence
# in the route-set obtained by expading the AS-SET are
# allowed.
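Review bot: The block deleted under `irrdb:` takes out more than the two options: the lead-in comment explaining which AS-SET is used (the client's own, otherwise only the announcing client's ASN is expanded, or the AS-SET from PeeringDB when `peering_db` is True) goes with it. That lookup order is not removed by this change and, with enforcement no longer optional, it decides what every client is allowed to announce. I would keep the comment and only reword its first line, which refers to "the following two options".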
35 changes: 0 additions & 35 deletions docs/GENERAL.rst
Expand Up @@ -333,41 +333,6 @@ from PeeringDB.
More details on the Configuration page on ReadTheDocs:
https://arouteserver.readthedocs.io/en/latest/CONFIG.html

- ``enforce_origin_in_as_set``:
Accept only routes whose origin ASN is registered in
the expanded AS-SET of the announcing client.


Can be overwritten on a client-by-client basis.


Default: **True**

Example:

.. code:: yaml

enforce_origin_in_as_set: True



- ``enforce_prefix_in_as_set``:
Accept only prefixes which are present in the expanded
AS-SET of the announcing client.


Can be overwritten on a client-by-client basis.


Default: **True**

Example:

.. code:: yaml

enforce_prefix_in_as_set: True



- ``allow_longer_prefixes``:
By default, only prefixes that have a strict correspondence
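Review bot: Docs and sample config disagree after this hunk: here the paragraph ending "from PeeringDB." and the "More details on the Configuration page" pointer stay as unchanged context, while the same text is deleted from `config.d/general.yml`. Pick one and make both files match. It would also help to state in the docs that `enforce_origin_in_as_set` and `enforce_prefix_in_as_set` no longer exist and that IRR enforcement is unconditional, since both were documented as overridable on a client-by-client basis.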
2 changes: 0 additions & 2 deletions examples/auto-config/bird-general.yml
Expand Up @@ -40,8 +40,6 @@ cfg:
- 7018
- 12956
irrdb:
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
allow_longer_prefixes: true
tag_as_set: true
peering_db: true
2 changes: 0 additions & 2 deletions examples/auto-config/openbgpd62-general.yml
Expand Up @@ -41,8 +41,6 @@ cfg:
- 7018
- 12956
irrdb:
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
allow_longer_prefixes: true
tag_as_set: true
peering_db: true
4 changes: 0 additions & 4 deletions examples/bird_hooks/general.yml
Expand Up @@ -44,10 +44,6 @@ cfg:
6762, 6830, 7018, 12956

irrdb:
enforce_origin_in_as_set: True

enforce_prefix_in_as_set: True

tag_as_set: True

rpki:
8 changes: 0 additions & 8 deletions examples/default/template-context
Expand Up @@ -225,8 +225,6 @@ cfg:
min: 12
irrdb:
allow_longer_prefixes: false
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
peering_db: false
tag_as_set: true
use_arin_bulk_whois_data:
Expand Down Expand Up @@ -638,8 +636,6 @@ clients:
? 454ed823addc298946e5f2ad415842d8a0a89403cf8ad05e584f94caf52ef799ca506a90f5386c1335f271047089bc0612014069cbb3d9a7851d595a0374c5c3
: null
as_sets: null
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
white_list_asn: null
white_list_pref: null
white_list_route: null
Expand Down Expand Up @@ -687,8 +683,6 @@ clients:
? a47487d3c1df7a14133a9cff3612f3af305e57bc54f1f212d6f8fb2da1da11949dea574d2c972b103143a62afb13ce6c93f8f89d3b0102b7113b54f8e1c8b341
: null
as_sets: null
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
white_list_asn: null
white_list_pref: null
white_list_route: null
Expand Down Expand Up @@ -736,8 +730,6 @@ clients:
? a47487d3c1df7a14133a9cff3612f3af305e57bc54f1f212d6f8fb2da1da11949dea574d2c972b103143a62afb13ce6c93f8f89d3b0102b7113b54f8e1c8b341
: null
as_sets: null
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
white_list_asn: null
white_list_pref: null
white_list_route: null
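Review bot: Please confirm the templates were updated in the same commit: the two keys disappear from the rendered context both under `cfg` and under each client's `irrdb`, but no template file appears among the files listed on this page. If any template still tests `enforce_origin_in_as_set` or `enforce_prefix_in_as_set`, a missing key may evaluate as false and the generated configuration would skip the IRR checks, the opposite of what the title intends. A test that fails when a built configuration lacks the origin and prefix filters would guard against that.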
6 changes: 0 additions & 6 deletions examples/default/template-context4
Expand Up @@ -225,8 +225,6 @@ cfg:
min: 12
irrdb:
allow_longer_prefixes: false
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
peering_db: false
tag_as_set: true
use_arin_bulk_whois_data:
Expand Down Expand Up @@ -638,8 +636,6 @@ clients:
? 454ed823addc298946e5f2ad415842d8a0a89403cf8ad05e584f94caf52ef799ca506a90f5386c1335f271047089bc0612014069cbb3d9a7851d595a0374c5c3
: null
as_sets: null
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
white_list_asn: null
white_list_pref: null
white_list_route: null
Expand Down Expand Up @@ -687,8 +683,6 @@ clients:
? a47487d3c1df7a14133a9cff3612f3af305e57bc54f1f212d6f8fb2da1da11949dea574d2c972b103143a62afb13ce6c93f8f89d3b0102b7113b54f8e1c8b341
: null
as_sets: null
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
white_list_asn: null
white_list_pref: null
white_list_route: null
6 changes: 0 additions & 6 deletions examples/default/template-context6
Expand Up @@ -225,8 +225,6 @@ cfg:
min: 12
irrdb:
allow_longer_prefixes: false
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
peering_db: false
tag_as_set: true
use_arin_bulk_whois_data:
Expand Down Expand Up @@ -636,8 +634,6 @@ clients:
irrdb:
as_set_bundle_ids: !!set {}
as_sets: null
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
white_list_asn: null
white_list_pref: null
white_list_route: null
Expand Down Expand Up @@ -683,8 +679,6 @@ clients:
irrdb:
as_set_bundle_ids: !!set {}
as_sets: null
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
white_list_asn: null
white_list_pref: null
white_list_route: null
4 changes: 0 additions & 4 deletions examples/rich/general.yml
Expand Up @@ -44,10 +44,6 @@ cfg:
6762, 6830, 7018, 12956

irrdb:
enforce_origin_in_as_set: True

enforce_prefix_in_as_set: True

tag_as_set: True

allow_longer_prefixes: True
6 changes: 0 additions & 6 deletions examples/rich/template-context
Expand Up @@ -247,8 +247,6 @@ cfg:
min: 12
irrdb:
allow_longer_prefixes: true
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
peering_db: false
tag_as_set: true
use_arin_bulk_whois_data:
Expand Down Expand Up @@ -661,8 +659,6 @@ clients:
? 454ed823addc298946e5f2ad415842d8a0a89403cf8ad05e584f94caf52ef799ca506a90f5386c1335f271047089bc0612014069cbb3d9a7851d595a0374c5c3
: null
as_sets: null
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
white_list_asn: null
white_list_pref: null
white_list_route: null
Expand Down Expand Up @@ -712,8 +708,6 @@ clients:
? a47487d3c1df7a14133a9cff3612f3af305e57bc54f1f212d6f8fb2da1da11949dea574d2c972b103143a62afb13ce6c93f8f89d3b0102b7113b54f8e1c8b341
: null
as_sets: null
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
white_list_asn: null
white_list_pref: null
white_list_route: null
6 changes: 0 additions & 6 deletions examples/rich/template-context4
Expand Up @@ -247,8 +247,6 @@ cfg:
min: 12
irrdb:
allow_longer_prefixes: true
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
peering_db: false
tag_as_set: true
use_arin_bulk_whois_data:
Expand Down Expand Up @@ -661,8 +659,6 @@ clients:
? 454ed823addc298946e5f2ad415842d8a0a89403cf8ad05e584f94caf52ef799ca506a90f5386c1335f271047089bc0612014069cbb3d9a7851d595a0374c5c3
: null
as_sets: null
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
white_list_asn: null
white_list_pref: null
white_list_route: null
Expand Down Expand Up @@ -712,8 +708,6 @@ clients:
? a47487d3c1df7a14133a9cff3612f3af305e57bc54f1f212d6f8fb2da1da11949dea574d2c972b103143a62afb13ce6c93f8f89d3b0102b7113b54f8e1c8b341
: null
as_sets: null
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
white_list_asn: null
white_list_pref: null
white_list_route: null
6 changes: 0 additions & 6 deletions examples/rich/template-context6
Expand Up @@ -247,8 +247,6 @@ cfg:
min: 12
irrdb:
allow_longer_prefixes: true
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
peering_db: false
tag_as_set: true
use_arin_bulk_whois_data:
Expand Down Expand Up @@ -659,8 +657,6 @@ clients:
irrdb:
as_set_bundle_ids: !!set {}
as_sets: null
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
white_list_asn: null
white_list_pref: null
white_list_route: null
Expand Down Expand Up @@ -708,8 +704,6 @@ clients:
irrdb:
as_set_bundle_ids: !!set {}
as_sets: null
enforce_origin_in_as_set: true
enforce_prefix_in_as_set: true
white_list_asn: null
white_list_pref: null
white_list_route: null
2 changes: 0 additions & 2 deletions pierky/arouteserver/commands/configure.py
Expand Up @@ -279,8 +279,6 @@ def add_comm(name, std=None, lrg=None):

filtering["irrdb"] = OrderedDict()
irrdb = filtering["irrdb"]
irrdb["enforce_origin_in_as_set"] = True
irrdb["enforce_prefix_in_as_set"] = True
irrdb["allow_longer_prefixes"] = True
self.notes.append(
"IRR-based filters are enabled; prefixes that are more specific "
2 changes: 0 additions & 2 deletions pierky/arouteserver/config/clients.py
Expand Up @@ -75,8 +75,6 @@ def get_client_descr(client):
"irrdb": {
"as_sets": ValidatorListOf(ValidatorASSet,
mandatory=False),
"enforce_origin_in_as_set": ValidatorBool(mandatory=False),
"enforce_prefix_in_as_set": ValidatorBool(mandatory=False),
"white_list_pref": ValidatorListOf(
ValidatorPrefixListEntry, mandatory=False,
),
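Review bot: Missing migration path for existing configurations: dropping the two `ValidatorBool(mandatory=False)` entries here, and the `ValidatorBool(default=True)` ones in `config/general.py`, leaves open what happens to a `clients.yml` that still sets `enforce_origin_in_as_set: False` for a client. The diff does not show whether an unknown key is rejected or silently ignored. Either way the operator should get an explicit message naming the removed option, because that client's routes will start being filtered after the upgrade.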
2 changes: 0 additions & 2 deletions pierky/arouteserver/config/general.py
Expand Up @@ -138,8 +138,6 @@ def get_schema():
f["irrdb"] = OrderedDict()
i = f["irrdb"]

i["enforce_origin_in_as_set"] = ValidatorBool(default=True)
i["enforce_prefix_in_as_set"] = ValidatorBool(default=True)
i["allow_longer_prefixes"] = ValidatorBool(default=False)
i["tag_as_set"] = ValidatorBool(default=True)
i["peering_db"] = ValidatorBool(default=False)
6 changes: 0 additions & 6 deletions pierky/arouteserver/enrichers/irrdb.py
Expand Up @@ -246,12 +246,6 @@ def prepare(self):
client_irrdb = client["cfg"]["filtering"]["irrdb"]
client_irrdb["as_set_bundle_ids"] = set()

if not client_irrdb["enforce_origin_in_as_set"] and \
not client_irrdb["enforce_prefix_in_as_set"] and \
not self.builder.cfg_general["filtering"]["irrdb"]["tag_as_set"]:
# Client does not require AS-SETs info to be gathered.
continue

if self.builder.ip_ver is not None:
ip = client["ip"]
if IPAddress(ip).version != self.builder.ip_ver:
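Review bot: Consider a build-time warning for clients whose AS-SET expansion comes back empty, now that the early `continue` in `prepare()` is gone and no client can skip enforcement. The sample configuration says that a client with no AS-SET configured has only its own ASN expanded; if that yields nothing, the client presumably ends up with every route rejected, and nothing in this hunk tells the operator before the configuration is deployed. The identical guard removed from `add_tasks()` in `pdb_as_set.py` raises the same question.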
6 changes: 0 additions & 6 deletions pierky/arouteserver/enrichers/pdb_as_set.py
Expand Up @@ -77,12 +77,6 @@ def add_tasks(self):
for client in self.builder.cfg_clients.cfg["clients"]:
client_irrdb = client["cfg"]["filtering"]["irrdb"]

if not client_irrdb["enforce_origin_in_as_set"] and \
not client_irrdb["enforce_prefix_in_as_set"] and \
not self.builder.cfg_general["filtering"]["irrdb"]["tag_as_set"]:
# Client does not require AS-SETs info to be gathered.
continue

if client_irrdb["as_sets"]:
# Client has its own specific set of AS-SETs.
continue
2 changes: 0 additions & 2 deletions pierky/arouteserver/tests/live_tests/skeleton/general.yml
Expand Up @@ -5,8 +5,6 @@ cfg:
filtering:
irrdb:
tag_as_set: False
enforce_origin_in_as_set: False
enforce_prefix_in_as_set: False
rpki:
enabled: False
communities:
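Review bot: Test impact is not covered: this skeleton set both options to `False` next to `tag_as_set: False` and `rpki: enabled: False`, so live-test scenarios built on it ran without IRR filtering. After this hunk they inherit mandatory enforcement, yet no scenario or expected-result changes are shown on this page. Check that each scenario using the skeleton either provides AS-SET data or white lists for its clients, or has its expectations updated.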