Live PRKI Origin Validation Annotation

- The BGPStream will be extended by Live PRKI Origin Validation
Annotation

- All details concerning the provided functions, annotation elements
and output format are described in issue #19

Author: Samir Al-Sheikh

configure.ac

@@ -262,6 +262,21 @@ AC_DEFINE_UNQUOTED([ED_PLUGIN_INIT_ALL_ENABLED], $ED_PLUGIN_INIT_ALL_ENABLED,
 
 AC_MSG_NOTICE([----------------------------------])
 
+AC_MSG_CHECKING([whether the RTR library is available])
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include "rtrlib/rtrlib.h"]])],
+      [AC_MSG_RESULT(yes)
+       AC_DEFINE(FOUND_RTR,,found_rtr)],
+       AC_MSG_RESULT(no)
+  )
+
+AC_MSG_CHECKING([whether the RTR library is compiled with SSH])
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include "rtrlib/rtrlib.h"]],
+                        [[struct tr_ssh_config config;]])],
+      [AC_MSG_RESULT(yes)
+       AC_DEFINE(FOUND_SSH,,found_ssh)],
+       AC_MSG_RESULT(no)
+  )
+
 # we may want to come back later and add compile-time configuration for things
 # like datastructure providers, but for now it will all get compiled
 

lib/bgpstream.c

@@ -401,13 +401,46 @@ void bgpstream_set_live_mode(bgpstream_t *bs) {
   bgpstream_debug("BS: set_blocking stop");
 }
 
+#if defined(FOUND_RTR)
+/* Get the RTR-Socket & configuration
+*/
+struct rtr_mgr_config *bgpstream_get_rtr_config()
+{
+  return cfg_tr;
+}
+
+/* Set the RTR-Configuration
+*/
+int bgpstream_set_rtr_config(char *host, char *port, char *ssh_user,
+                             char *ssh_hostkey, char *ssh_privatekey,
+                             bool active)
+{
+  rtr_server_conf.host = host;
+  rtr_server_conf.port = port;
+  rtr_server_conf.ssh_user = ssh_user;
+  rtr_server_conf.ssh_hostkey = ssh_hostkey;
+  rtr_server_conf.ssh_privatekey = ssh_privatekey;
+  rtr_server_conf.active = active;
+
+  return 0;
+}
+#endif
 
 /* turn on the bgpstream interface, i.e.:
  * it makes the interface ready
  * for a new get next call
+ * it starts the RTR-Connection for validation if RTR is active
 */
 int bgpstream_start(bgpstream_t *bs) {
   bgpstream_debug("BS: init start");
+#if defined(FOUND_RTR)
+  if (rtr_server_conf.active) {
+    cfg_tr = bgpstream_rtr_start_connection(
+        rtr_server_conf.host, rtr_server_conf.port, NULL, NULL, NULL,
+        rtr_server_conf.ssh_user, rtr_server_conf.ssh_hostkey,
+        rtr_server_conf.ssh_privatekey);
+  }
+#endif
   if(bs == NULL || (bs != NULL && bs->status != BGPSTREAM_STATUS_ALLOCATED)) {
     return 0; // nothing to init
   }
@@ -492,6 +525,12 @@ int bgpstream_get_next_record(bgpstream_t *bs,
 /* turn off the bgpstream interface */
 void bgpstream_stop(bgpstream_t *bs) {
   bgpstream_debug("BS: close start");
+#if defined(FOUND_RTR)
+  if (rtr_server_conf.active) {
+    bgpstream_rtr_close_connection(cfg_tr);
+    rtr_server_conf.active = false;
+  }
+#endif
   if(bs == NULL || (bs != NULL && bs->status != BGPSTREAM_STATUS_ON)) {
     return; // nothing to close
   }

lib/bgpstream.h

@@ -146,13 +146,42 @@ typedef struct struct_bgpstream_data_interface_option
 
 } bgpstream_data_interface_option_t;
 
+#if defined(FOUND_RTR)
+struct rtr_mgr_config *cfg_tr;
+
+struct rtr_server_configure {
+  char *host;
+  char *port;
+  char *ssh_user;
+  char *ssh_hostkey;
+  char *ssh_privatekey;
+  bool active;
+} rtr_server_conf;
+
 /** @} */
 
 /**
  * @name Public API Functions
  *
  * @{ */
 
+/** Get the configuration of the RTR-Socket-Manager
+ *
+ * @return a pointer to the configuration of the rtr-socket-manager
+ */
+struct rtr_mgr_config *bgpstream_get_rtr_config();
+
+/** Set the configuration of the RTR-Socket-Manager
+*
+* @param host    the host of the cache server
+* @param port    the port of the cache server
+* @param active  whether the rtr-validation is enabled
+*/
+int bgpstream_set_rtr_config(char *host, char *port, char *ssh_user,
+                             char *ssh_hostkey, char *ssh_privatekey,
+                             bool active);
+#endif
+
 /** Create a new BGP Stream instance
  *
  * @return a pointer to a BGP Stream instance if successful, NULL otherwise

lib/bgpstream_elem.c

@@ -31,12 +31,14 @@
 #include "bgpdump_lib.h"
 #include "utils.h"
 
+#include "bgpstream.h"
 #include "bgpstream_utils.h"
 
 #include "bgpstream_debug.h"
 #include "bgpstream_record.h"
 
 #include "bgpstream_elem_int.h"
+#include "utils/bgpstream_utils_rtr.h"
 
 /* ==================== PROTECTED FUNCTIONS ==================== */
 
@@ -346,6 +348,15 @@ char *bgpstream_elem_custom_snprintf(char *buf, size_t len,
       if(B_FULL)
         return NULL;
 
+#if defined(FOUND_RTR)
+      /* RPKI Validation */
+      char buf_rpki[1024];
+      c = bgpstream_elem_get_rpki_validation_result_snprintf(
+          buf_rpki, sizeof(buf_rpki), elem);
+      strcat(buf, buf_rpki);
+      written += c;
+      buf_p += c;
+#endif
       /* END OF LINE */
       break;
 
@@ -422,3 +433,104 @@ char *bgpstream_elem_snprintf(char *buf, size_t len,
 {
   return bgpstream_elem_custom_snprintf(buf, len, elem, 1);
 }
+
+#if defined(FOUND_RTR)
+int bgpstream_elem_get_rpki_validation_result_snprintf(
+    char *buf, size_t len, bgpstream_elem_t const *elem)
+{
+  char result_output[1024] = "";
+  if (elem->annotations.rpki_validation_status !=
+      BGPSTREAM_ELEM_RPKI_VALIDATION_STATUS_NOTFOUND) {
+    snprintf(result_output, sizeof(result_output), "%s%s", result_output,
+             elem->annotations.rpki_validation_status ==
+                     BGPSTREAM_ELEM_RPKI_VALIDATION_STATUS_INVALID
+                 ? "invalid;"
+                 : "valid;");
+    for (int i = 0; i < elem->annotations.rpki_validation_result.asn_used;
+         i++) {
+      char asn[1024];
+      snprintf(asn, sizeof(asn), "%" PRIu32 ",",
+               elem->annotations.rpki_validation_result.asn_pfx[i].asn);
+      strcat(result_output, asn);
+      for (int j = 0;
+           j < elem->annotations.rpki_validation_result.asn_pfx[i].pfx_used;
+           j++) {
+        char valid_prefix[INET6_ADDRSTRLEN];
+        bgpstream_pfx_snprintf(valid_prefix, INET6_ADDRSTRLEN,
+            (bgpstream_pfx_t *)&elem->annotations.rpki_validation_result
+                .asn_pfx[i].pfxs[j].pfx);
+        strcat(result_output, valid_prefix);
+        snprintf(asn, sizeof(asn), "-%" PRIu8,
+                 elem->annotations.rpki_validation_result.asn_pfx[i]
+                     .pfxs[j].max_pfx_len);
+        strcat(result_output, asn);
+        strcat(result_output,
+               j != elem->annotations.rpki_validation_result.asn_pfx[i]
+                               .pfx_used - 1
+                   ? " "
+                   : "");
+      }
+      strcat(result_output,
+             i != elem->annotations.rpki_validation_result.asn_used - 1 ? ";"
+                                                                        : "");
+    }
+  } else {
+    snprintf(result_output, sizeof(result_output), "%s%s", result_output,
+             "notfound");
+  }
+
+  return snprintf(buf, len, "%s", result_output);
+}
+
+void bgpstream_elem_get_rpki_validation_result(bgpstream_elem_t *elem,
+                                               char *prefix,
+                                               uint32_t origin_asn,
+                                               uint8_t mask_len)
+{
+  if (elem->annotations.rpki_validation_status ==
+      BGPSTREAM_ELEM_RPKI_VALIDATION_STATUS_NOTVALIDATED) {
+    cfg_tr = bgpstream_get_rtr_config();
+
+    struct reasoned_result res_reasoned =
+        bgpstream_rtr_validate_reason(cfg_tr, origin_asn, prefix, mask_len);
+
+    if (res_reasoned.result == BGP_PFXV_STATE_VALID) {
+      elem->annotations.rpki_validation_status =
+          BGPSTREAM_ELEM_RPKI_VALIDATION_STATUS_VALID;
+    }
+    if (res_reasoned.result == BGP_PFXV_STATE_NOT_FOUND) {
+      elem->annotations.rpki_validation_status =
+          BGPSTREAM_ELEM_RPKI_VALIDATION_STATUS_NOTFOUND;
+    }
+    if (res_reasoned.result == BGP_PFXV_STATE_INVALID) {
+      elem->annotations.rpki_validation_status =
+          BGPSTREAM_ELEM_RPKI_VALIDATION_STATUS_INVALID;
+    }
+
+    if (elem->annotations.rpki_validation_status !=
+        BGPSTREAM_ELEM_RPKI_VALIDATION_STATUS_NOTFOUND) {
+      bgpstream_rpki_validation_result_init(
+          &elem->annotations.rpki_validation_result, 2);
+      char valid_prefix[INET6_ADDRSTRLEN];
+      char reason_prefix[INET6_ADDRSTRLEN];
+
+      for (int i = 0; i < res_reasoned.reason_len; i++) {
+        bgpstream_rpki_validation_result_insert_asn(
+            &elem->annotations.rpki_validation_result,
+            res_reasoned.reason[i].asn);
+        lrtr_ip_addr_to_str(&(res_reasoned.reason[i].prefix), reason_prefix,
+                            sizeof(reason_prefix));
+        snprintf(valid_prefix, sizeof(valid_prefix), "%s/%" PRIu8, reason_prefix,
+                 res_reasoned.reason[i].min_len);
+
+        bgpstream_pfx_t pfx;
+        bgpstream_str2pfx(valid_prefix, (bgpstream_pfx_storage_t *)&pfx);
+        bgpstream_rpki_validation_result_insert_pfx(
+            &elem->annotations.rpki_validation_result,
+            res_reasoned.reason[i].asn, &pfx, res_reasoned.reason[i].max_len);
+      }
+    }
+    free(res_reasoned.reason);
+  }
+}
+#endif

lib/bgpstream_elem.h

@@ -25,6 +25,7 @@
 #define __BGPSTREAM_ELEM_H
 
 #include "bgpstream_utils.h"
+#include "bgpstream_utils_as_path.h"
 
 /** @file
  *
@@ -105,13 +106,47 @@ typedef enum {
 
 } bgpstream_elem_type_t;
 
+/** Validation types */
+typedef enum {
+
+  /** Valid */
+  BGPSTREAM_ELEM_RPKI_VALIDATION_STATUS_VALID = 1,
+
+  /** Invalid */
+  BGPSTREAM_ELEM_RPKI_VALIDATION_STATUS_INVALID = 0,
+
+  /** Not found */
+  BGPSTREAM_ELEM_RPKI_VALIDATION_STATUS_NOTFOUND = -1,
+
+  /** Not validated */
+  BGPSTREAM_ELEM_RPKI_VALIDATION_STATUS_NOTVALIDATED = 2,
+
+} bgpstream_validation_status_type_t;
+
 /** @} */
 
 /**
  * @name Public Data Structures
  *
  * @{ */
 
+/** A BGP Stream Elem object for Annotations */
+typedef struct struct_bgpstream_elem_annotations_t {
+
+  /** RPKI validation status
+   *
+   * RPKI validation status for a given prefix
+   */
+  bgpstream_validation_status_type_t rpki_validation_status;
+
+  /** RPKI validation result
+   *
+   * RPKI validation result (all valid ASNs) for a given prefix
+   */
+  bgpstream_rpki_validation_result_t rpki_validation_result;
+
+} bgpstream_elem_annotations_t;
+
 /** A BGP Stream Elem object */
 typedef struct struct_bgpstream_elem_t {
 
@@ -165,6 +200,12 @@ typedef struct struct_bgpstream_elem_t {
    */
   bgpstream_elem_peerstate_t new_state;
 
+  /** Annotations
+   *
+   * All additional annotations
+   */
+  bgpstream_elem_annotations_t annotations;
+
 } bgpstream_elem_t;
 
 /** @} */
@@ -238,6 +279,24 @@ int bgpstream_elem_peerstate_snprintf(char *buf, size_t len,
 char *bgpstream_elem_snprintf(char *buf, size_t len,
                               const bgpstream_elem_t *elem);
 
+#if defined(FOUND_RTR)
+/** Write the string representation of the RPKI validation result of an elem
+ *
+ * @param elem       the elem whose RPKI validation result will be printed
+ */
+int bgpstream_elem_get_rpki_validation_result_snprintf(
+    char *buf, size_t len, bgpstream_elem_t const *elem);
+
+/** Get the result of the RPKI-Validation for the elem
+ *
+ * @param elem       the elem which will be validated
+ */
+void bgpstream_elem_get_rpki_validation_result(bgpstream_elem_t *elem,
+                                               char *prefix,
+                                               uint32_t origin_asn,
+                                               uint8_t mask_len);
+#endif
+
 /** @} */
 
 #endif /* __BGPSTREAM_ELEM_H */