Arouteserver

Latest version: v1.23.1


Page 6 of 17

1.10.0
------

- New: add support for custom BGP communities to track rejected routes.

A new section of the general.yml file (``reject_cause_map``) allows configuring custom BGP communities for each reject reason (the list can be found in the `Reject reasons <https://arouteserver.readthedocs.io/en/latest/CONFIG.html#reject-reasons>`__ paragraph on the doc site).

When this is implemented along with ``reject_policy`` set to ``tag`` or ``tag_and_reject``, ad-hoc custom BGP communities can be used to describe why a route was rejected by the route server.

- New: add support for custom BGP communities to internally track the outcome of BGP Origin Validation (or the lack of it).

3 new BGP communities are introduced to track the outcome of BGP Origin Validation (if enabled): ``rpki_bgp_origin_validation_valid``, ``rpki_bgp_origin_validation_unknown`` and ``rpki_bgp_origin_validation_invalid``. These communities can be used to classify routes depending on their validation state using custom values, in addition to `RFC8097 communities <https://datatracker.ietf.org/doc/html/rfc8097>`__. They are not announced to clients: they are meant to be used only internally within the route server, to make integration with external tools, like looking glasses, easier.

An additional fourth BGP community is also introduced, to classify routes for which BGP Origin Validation has not been performed: ``rpki_bgp_origin_validation_not_performed``. When configured, this community is added when BOV is not enabled, or when it is not performed for some specific reasons (only blackhole route processing at the moment). Contrary to the 3 previous ones, this community is announced to the clients.

See also `GitHub issue 78 <https://github.com/pierky/arouteserver/issues/78>`_.

- New: Euro-IX Large BGP Communities are included in the policy generated by the ``configure`` command.

This feature leverages the new ``reject_cause_map`` option described above.

The general.yml file generated by the ``configure`` command now includes a mapping between internal reject codes and the communities proposed in the `Euro-IX Large BGP Community standard <https://www.euro-ix.net/en/forixps/large-bgp-communities/>`__ document.

Please note: to make the policies generated by ``configure`` consistent between BIRD and OpenBGPD, the ``reject_policy`` option for the latter is now set to ``tag`` (so rejected routes are kept in OpenBGPD but are still not advertised to the route server clients).

In addition to this, some of the BGP communities set by the ``configure`` command have been changed in order to match those suggested in the Euro-IX document above.

- New: ``check-config`` command, to verify configuration files (general.yml and clients.yml).

This command can be used to verify that the content of the two main configuration files is valid, without building the configurations.

See also `GitHub PR 82 <https://github.com/pierky/arouteserver/pull/82>`_ and `issue 79 <https://github.com/pierky/arouteserver/issues/79>`_.

- Improvement (OpenBGPD): informational extended BGP communities are now scrubbed from outbound routes.

Certain informational extended BGP communities that need dynamic values (like the one used to track the reject code of a route that is discarded when ``reject_policy`` is set to ``tag``) were not scrubbed from outbound routes, because of lack of wildcard matching in OpenBGPD. Since this feature was recently added to the BGP speaker, they are now removed.

- Fix (OpenBGPD): make behaviour of ``rpki_bgp_origin_validation.reject_invalid`` consistent with BIRD.

Contrary to what ``reject_invalid: False`` might seem to do, the behaviour it is designed for still prevents the propagation of INVALID routes when RPKI BOV is enabled. When it's set to ``True`` (the default value), the BGP daemons are configured to immediately drop INVALID routes in the inbound filters. When it's set to ``False``, those routes are accepted but not propagated to clients: they are blocked in the outbound filters, so they are just kept internally within the route server to allow analysis and troubleshooting.

While the BIRD implementation of ``reject_invalid: False`` was working fine, a bug was found in the OpenBGPD one that prevented those routes from being blocked in the outbound direction, letting them be propagated to clients.
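
The intended ``reject_invalid`` semantics can be checked with a small model. This is an added example, not ARouteServer code and not the configuration it generates: the VRPs, routes and function names are constructed for illustration, and the validation follows the RFC 6811 procedure.

```python
import ipaddress

# Constructed VRPs (documentation prefixes and ASNs): prefix, maxLength, origin AS
VRPS = [("192.0.2.0/24", 24, 64500), ("2001:db8::/32", 48, 64501)]

# Constructed announcements received from clients: prefix, origin AS
ROUTES = [
    ("192.0.2.0/24", 64500),     # matches a VRP
    ("192.0.2.128/25", 64500),   # more specific than maxLength allows
    ("192.0.2.0/24", 64999),     # covered, but wrong origin AS
    ("198.51.100.0/24", 64502),  # not covered by any VRP
    ("2001:db8:1::/48", 64501),  # within maxLength
]


def origin_validation(prefix, origin_asn, vrps=VRPS):
    """Return the RFC 6811 state of a route: 'valid', 'invalid' or 'unknown'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        if vrp.version != net.version or not net.subnet_of(vrp):
            continue
        covered = True
        if net.prefixlen <= max_len and asn == origin_asn and asn != 0:
            return "valid"
    return "invalid" if covered else "unknown"


def route_server(routes, reject_invalid=True):
    """Model the two filter stages; return (kept_internally, sent_to_clients)."""
    kept, advertised = [], []
    for prefix, origin in routes:
        state = origin_validation(prefix, origin)
        if state == "invalid" and reject_invalid:
            continue  # inbound filter drops the route immediately
        kept.append((prefix, origin, state))  # retained for troubleshooting
        if state != "invalid":
            advertised.append((prefix, origin))  # outbound filter blocks INVALID
    return kept, advertised


if __name__ == "__main__":
    for flag in (True, False):
        kept, advertised = route_server(ROUTES, reject_invalid=flag)
        print(flag, len(kept), "kept,", len(advertised), "advertised")
```

Both settings must yield the same set of advertised routes; only the set kept inside the route server differs, which is the property the OpenBGPD fix restores.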

1.9.0
-----

- New: Add support for `OpenBGPD 7.1 <https://marc.info/?l=openbgpd-users&m=162461267419135&w=2>`__, also added to the integration testing suite (portable edition only).

- Improvement: provide hint on how to change URL for external IRR DB data sources.

See also `GitHub issue 77 <https://github.com/pierky/arouteserver/issues/77>`_.

- Fix (OpenBGPD only): `RFC8097 communities <https://datatracker.ietf.org/doc/html/rfc8097>`_ were not added after BGP Origin Validation.

The *BGP Prefix Origin Validation State Extended Communities* were not added when RPKI OV was performed. INVALID routes were still dropped when the route server was configured to do so (those routes are internally marked using locally-meaningful communities).

- Improvement: RPKI ROAs files are checked for stale data.

The JSON files fetched from validating caches are now checked to detect stale data (rpki-client and OctoRPKI formats include this information) and they are ignored if the data they contain is no longer valid. In this case, the next URL in the ``rpki_roas.ripe_rpki_validator_url`` list is used.

By default, files whose content is older than 21600 seconds (6 hours) are ignored; it's possible to change this option via the newly introduced ``rpki_roas.ignore_cache_files_older_than`` setting.

Where available (rpki-client format only at this time), the `VRP expiration time <https://github.com/openbsd/src/commit/a66158d7f8cdffc32bf2f8aa5d8bbed1f08a3a3d#diff-b2e9c61c4c7cfd2d5a0cde6066efe9a7c18dd1bdf06b1e473abc054261ea315c>`__ is also checked.

As a consequence of this, the default ARouteServer cache expiration time for RPKI ROAs JSON files has been reduced to 60 minutes, to avoid caching ROAs that would turn out to be expired at the next use of their cached copy.

- Improvement: new order for the default URLs of the RPKI JSON files.

Since the RIPE NCC RPKI Validator `is now in EoL <https://labs.ripe.net/author/nathalie_nathalie/lifecycle-of-the-ripe-ncc-rpki-validator/>`__, the URL of the JSON file that points to rpki-validator.ripe.net has been moved to the last position, as the last-resort option for ``rpki_roas.ripe_rpki_validator_url``.
The one exposed in the `rpki-client dashboard <https://console.rpki-client.org/>`__ has been added.

Please note: this change only affects the default configuration file that ships with ARouteServer and is not automatically reflected in existing configurations that route server operators are already using. If you wish this setup to be reflected in your configuration, please update your general.yml file accordingly.
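
The stale-data check and the fall-through to the next URL described above can be sketched as follows. This is an added example, not ARouteServer's own code: the JSON field names (``buildtime`` and ``expires`` for rpki-client, ``generated`` for OctoRPKI) are assumptions about those output formats, and the URLs, timestamps and ROAs are constructed.

```python
import json
from datetime import datetime, timezone

MAX_AGE = 21600  # default of rpki_roas.ignore_cache_files_older_than (seconds)
NOW = 1624615200  # constructed "current time": 2021-06-25T10:00:00Z


def build_time(doc):
    """Return the generation time of a ROAs file as a Unix timestamp, or None."""
    meta = doc.get("metadata", {})
    if "buildtime" in meta:  # assumed rpki-client field: ISO 8601, UTC
        parsed = datetime.strptime(meta["buildtime"], "%Y-%m-%dT%H:%M:%SZ")
        return int(parsed.replace(tzinfo=timezone.utc).timestamp())
    if "generated" in meta:  # assumed OctoRPKI field: Unix timestamp
        return int(meta["generated"])
    return None  # format carries no freshness information


def usable_roas(doc, now, max_age=MAX_AGE):
    """Return the non-expired ROAs, or None when the whole file is stale."""
    built = build_time(doc)
    if built is not None and now - built > max_age:
        return None
    # Per-VRP expiration is only checked where the format provides it.
    return [r for r in doc.get("roas", []) if r.get("expires", now + 1) > now]


def first_fresh(sources, now, max_age=MAX_AGE):
    """sources: ordered (url, body) pairs; the first usable one wins."""
    for url, body in sources:
        try:
            roas = usable_roas(json.loads(body), now, max_age)
        except ValueError:  # unparsable body: move on to the next URL
            roas = None
        if roas is not None:
            return url, roas
    raise RuntimeError("no fresh ROAs source available")


# Constructed sample bodies, in the order they would be listed in the config.
OLD = {"metadata": {"buildtime": "2021-06-25T02:00:00Z"},
       "roas": [{"asn": 64500, "prefix": "192.0.2.0/24", "expires": NOW + 3600}]}
GOOD = {"metadata": {"buildtime": "2021-06-25T09:30:00Z"},
        "roas": [{"asn": 64500, "prefix": "192.0.2.0/24", "expires": NOW + 3600},
                 {"asn": 64501, "prefix": "198.51.100.0/24", "expires": NOW - 60}]}
SOURCES = [("https://cache-a.example/vrps.json", json.dumps(OLD)),
           ("https://cache-b.example/vrps.json", "<html>error</html>"),
           ("https://cache-c.example/vrps.json", json.dumps(GOOD))]
```

With these inputs the first source is skipped because it is 8 hours old, the second because it is not JSON, and the third is used with its expired VRP filtered out.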

1.8.0
-----

- Improvement: add the ``logging`` option to ``--use-local-files`` argument, to allow customization of logging settings.

Details in the documentation: `Logging configuration of the BGP daemon <https://arouteserver.readthedocs.io/en/latest/CONFIG.html#logging-configuration-of-the-bgp-daemon>`__.

See also `GitHub issue 75 <https://github.com/pierky/arouteserver/issues/75>`_.

1.7.0
-----

- New: Add support for `OpenBGPD 7.0 <https://marc.info/?l=openbgpd-users&m=162282647904441&w=2>`__, also added to the integration testing suite (portable edition only).

Please note: starting with this release, since the default target version for OpenBGPD is 7.0, path-hiding mitigation will be enabled by default by the ``configure`` command. This option can be modified in the ``general.yml`` file.

1.6.0
-----

Starting with this release, the default target version for OpenBGPD will be the latest stable (6.9 in this case). Use the ``--target-version`` CLI option if you want to build your configurations for a previous release of OpenBGPD.

- New: Add support for OpenBGPD/OpenBSD 6.9 and OpenBGPD Portable 6.9p0, also added to the integration testing suite.

- New (OpenBGPD): add support for RTR sessions starting with version 6.9.

Please note the following issues with OpenBGPD 6.9 if you want to enable RTR sessions; you might want to apply the available patches:

- ``Invalid argument`` error and RTR session not coming up (`issue 23 on GitHub <https://github.com/openbgpd-portable/openbgpd-portable/issues/23>`__ and `"bgpd, fix RTR connect" <https://marc.info/?l=openbsd-tech&m=162004696829635&w=2>`__ post on openbsd-tech)

- non blocking ``connect()`` call for RTR session establishment (`"bgpd behaviour when RTR endpoint is not available" <https://marc.info/?l=openbgpd-users&m=161997334304946&w=2>`__ post on openbgpd-users and `"bgpd, non-blocking rtr connect" <https://marc.info/?l=openbsd-tech&m=162005636502085&w=2>`__ post on openbsd-tech)

- New (OpenBGPD): enable support for path-hiding mitigation.

Even though OpenBGPD supports path-hiding mitigation starting with version 6.9, the feature is not automatically enabled by the ``configure`` command because of some issues that might impair the stability of the routing ecosystem:

- withdrawal of 2nd best route with ``rde evaluate all`` (`issue 21 on GitHub <https://github.com/openbgpd-portable/openbgpd-portable/issues/21>`__ and `"bgpd fix for rde evaluate all" <https://marc.info/?l=openbsd-tech&m=162011500326166&w=2>`__ post on openbsd-tech)

- advertisement of 2nd best routes on reload with ``rde evaluate all`` (`issue 21 on GitHub <https://github.com/openbgpd-portable/openbgpd-portable/issues/21>`__ and `"bgpd better reload behaviour" <https://marc.info/?l=openbsd-tech&m=162021735205669&w=2>`__ post on openbsd-tech)

Please apply the existing patches before enabling it in a production environment, and acknowledge the error produced by ARouteServer using the ``--ignore-issues path_hiding_69`` CLI option.

- Improvement: the default list of `"transit free" <https://arouteserver.readthedocs.io/en/latest/GENERAL.html#transit-free-networks-transit-free>`__ ASNs has been updated and some networks have been removed.

See also `GitHub PR73 <https://github.com/pierky/arouteserver/pull/73>`_.

1.5.1
-----

- Improvement (Docker image): generate HTML representation of the route server configuration through the Docker image.

See also `GitHub PR70 <https://github.com/pierky/arouteserver/pull/70>`_ and `issue 69 <https://github.com/pierky/arouteserver/issues/69>`_.

- Fix (Docker image): make ``RS_ASN``, ``ROUTER_ID`` and ``LOCAL_PREFIXES`` environment variables not required when a custom general.yml file is used.

See also `GitHub PR68 <https://github.com/pierky/arouteserver/pull/68>`_.

- Fix: the "Reject reasons" table in the HTML representation was rendered improperly.

See also `GitHub issue 71 <https://github.com/pierky/arouteserver/issues/71>`_.
