This prototype demonstrates the testing of 4 controls in the MANRS+ control matrix by setting up a local topology of 3 BGP routers and local versions of the IRR and RPKI. To do this, we adapt the "connectivity provider (CP) AS" configuration, announce prefixes from the "MANRS+ Customer AS" and validate the filtering by monitoring the "MANRS+ Peer AS". This local setup allows us to gain more insight into how MANRS+ controls could be tested on the Internet with production ASes. You can find a more detailed description of this project in our blog post.
```
.
├── README.md
├── binds
├── configs
│   ├── configs_bird
│   ├── configs_bird_multihop
│   ├── irrd.yaml
│   ├── krill.conf
│   ├── routinator.conf
│   └── rsyncd.conf
├── containerlab
│   ├── bird.manrs.clab.yml
│   └── multihop.bird.manrs.clab.yml
├── docker_images
│   ├── bird
│   └── irrd
├── docs
│   ├── manrs_testbed-multihop.png
│   └── manrs_testbed.png
├── orchestrator
│   ├── RS-01-route_origin_validation
│   ├── RS-02-prefix_filtering_customers
│   ├── RS-03-control_a_set_of_customer_ASes
│   └── RS-06-filtering_of_bogons
└── scripts
    ├── deploy.sh
    ├── deploy_multihop.sh
    ├── destroy.sh
    ├── destroy_multihop.sh
    ├── modify_cp_as_config
    └── setup_topology
```
| Directory/File | Description |
|---|---|
| manrs-prototype/configs | All configurations for the routers and other supporting components. |
| manrs-prototype/containerlab | Definition of two container topologies (normal & multihop) using containerlab. |
| manrs-prototype/docker_images | Dockerfiles for BIRD and IRRd. |
| manrs-prototype/orchestrator | Test orchestrator scripts to demonstrate the testing of each of the 4 controls. |
| manrs-prototype/scripts | Deploy/destroy scripts for the topologies as well as scripts to modify the CP AS BIRD configuration. |

The topologies contain the following containerized components:
- BIRD software router
- Routinator
- Krill and rsyncd
- IRRd, Postgres and Redis
In this setup, the CP AS is the AS "under test". By announcing prefixes from the MANRS+ Customer AS and simultaneously monitoring the MANRS+ Peer AS, we determine if filtering at the CP AS is configured properly. Next to the 3 BIRD routers we run supporting components: a local RPKI and a local IRR database. These are only necessary in this local setup and allow us to easily manipulate RPKI and IRR data for our test cases.
Tests can be run on a topology with direct BGP sessions between CP AS and MANRS+ Customer/Peer AS and in a topology with multihop BGP sessions.
| Direct BGP sessions | Multihop BGP sessions |
|---|---|
| [Figure: topology with direct BGP sessions] | [Figure: topology with multihop BGP sessions] |

- containerlab and its pre-requisites
The scripts folder contains scripts to deploy the containerlab setup and create all required associated resources. Use the deploy.sh script to start the topology with direct BGP sessions and the deploy_multihop.sh script to start the topology with multihop BGP sessions. The destroy.sh and destroy_multihop.sh scripts can be used to stop and destroy the resources again.
The four test cases are based on four controls defined in the MANRS+ control matrix. During each test, a different filter is enabled in the CP AS configuration and prefixes are announced from the Customer AS. Depending on the case, the prefix should or should not show up in the RIB of the Peer AS.
Use the test_*.sh scripts to launch a test case where the announced prefix should (valid) or should not (invalid) show up at the Peer AS. The cp_as_base.conf file is used as the base configuration for the CP AS. During the test, the import all; line for the BGP peering with the Customer AS is replaced with the appropriate filter.
Use the reset_*.sh scripts to revert the started test case. This removes all added resources from the RPKI/IRR and reverts the configuration to the base configuration.
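
The import all; replacement described above, as an added example (not the project's own script): it patches only the Customer AS session and fails closed if the line is not found exactly once. The protocol names `customer` and `peer`, the filter name `rpki_validate`, and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample config; protocol names, ASNs and addresses are assumptions,
# not taken from the project's cp_as_base.conf.
BASE_CONF = """\
protocol bgp customer {
    local as 64500;
    neighbor 10.0.0.2 as 64501;
    ipv4 {
        import all;
        export all;
    };
}
protocol bgp peer {
    local as 64500;
    neighbor 10.0.1.2 as 64502;
    ipv4 {
        import all;
        export all;
    };
}
"""

def enable_import_filter(conf: str, protocol: str, filter_name: str) -> str:
    """Replace 'import all;' inside one 'protocol bgp <protocol>' block only."""
    head = re.search(r"^protocol\s+bgp\s+" + re.escape(protocol) + r"\s*\{",
                     conf, re.M)
    if head is None:
        raise ValueError(f"no BGP protocol named {protocol!r}")
    # Walk forward to the brace that closes this protocol block.
    depth, end = 1, head.end()
    while depth and end < len(conf):
        depth += {"{": 1, "}": -1}.get(conf[end], 0)
        end += 1
    if depth:
        raise ValueError("unbalanced braces in protocol block")
    block = conf[head.start():end]
    patched, count = re.subn(r"\bimport\s+all\s*;",
                             f"import filter {filter_name};", block)
    if count != 1:
        # Fail closed: an unpatched config still imports everything, so the
        # "valid" case would pass without any filter being exercised.
        raise ValueError(f"expected exactly one 'import all;', found {count}")
    return conf[:head.start()] + patched + conf[end:]
```

The brace walk does not account for braces inside comments or strings, so it suits a generated base configuration rather than arbitrary hand-written ones.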
RS-01: route origin validation

- Enable validation at the CP AS by adding the RPKI import filter to the BGP session with the Customer AS.
- Generate a ROA that validates (or invalidates) the prefix that will be announced from the Customer AS.
- Announce the prefix and check if it shows up in the RIB of the Peer AS or not.

RS-02: prefix filtering of customers

- Add a maintainer, role and route to the IRR database that validates (or invalidates) the prefix that will be announced from the Customer AS.
- Enable validation at the CP AS by adding the prefix import filter to the BGP session with the Customer AS and querying the local IRR database for prefixes of the Customer AS.
- Announce the prefix and validate if it shows up in the RIB of the Peer AS or not.

RS-03: control a set of customer ASes

- Add a maintainer, role and AS-SET to the IRR database that allows (or disallows) AS numbers from the Customer (cone) to originate prefixes.
- Enable validation at the CP AS by adding the AS-SET import filter to the BGP session with the Customer AS and querying the local IRR database for the AS-SET of the Customer AS.
- Originate a prefix at the Customer AS and validate if it shows up in the RIB of the Peer AS or not.

RS-06: filtering of bogons

- Enable validation at the CP AS by adding the bogon import filter to the BGP session with the Customer AS.
- Announce the (bogon) prefix and validate if it shows up in the RIB of the Peer AS or not.
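
For the route origin validation steps (ROA, announcement, Peer AS RIB check), the following added example, which is not part of the project's orchestrator, computes the expected outcome per RFC 6811 and compares it with what the Peer AS actually sees. The ROAs, prefixes and ASNs are constructed from documentation ranges, and it assumes the CP AS filter rejects only invalid routes unless `drop_not_found` is set.

```python
from ipaddress import ip_network

# Constructed ROAs as (prefix, maxLength, origin ASN); documentation ranges only.
ROAS = [
    ("192.0.2.0/24", 24, 64501),
    ("203.0.113.0/24", 25, 64501),
]

def rov_state(prefix, origin, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        # A covering ROA matches only if origin and length both fit; AS0 never matches.
        if asn != 0 and asn == origin and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"

def expected_at_peer(prefix, origin, roas=ROAS, drop_not_found=False):
    """Should the announcement appear in the Peer AS RIB?"""
    state = rov_state(prefix, origin, roas)
    return state == "valid" or (state == "not-found" and not drop_not_found)

def verdict(prefix, origin, peer_rib, roas=ROAS):
    """Compare the observed Peer AS RIB (a set of prefixes) with the expectation."""
    seen = prefix in peer_rib
    return "PASS" if seen == expected_at_peer(prefix, origin, roas) else "FAIL"
```

A more-specific announcement such as 192.0.2.0/25 from the authorised origin is invalid because it exceeds the ROA's maxLength, which makes it a useful "invalid" case alongside the wrong-origin one.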

