-
Notifications
You must be signed in to change notification settings - Fork 2
loop
Pre-Alpha. This page describes behavior that may change.
Route loop detection ingress filter per RFC 4271 Section 9 and RFC 4456 Section 8. Silently discards incoming UPDATE messages that indicate a routing loop.
Core.
Loop detection always runs on every received UPDATE with sensible defaults (AS-loop rejects on first match, cluster-id equals router-id). No configuration is needed to get RFC-compliant behaviour.
To tune it — for example to allow your own ASN to appear in AS_PATH a few times (AS-confederation members), or to use a cluster-id different from the router-id — define a loop-detection filter instance under bgp/policy:
bgp {
policy {
loop-detection no-self-as {
allow-own-as 0;
cluster-id 10.0.0.254;
}
}
}
The instance name is auto-populated at the front of every peer's import filter chain and can be suppressed on a specific peer with inactive:<name> or the CLI editor deactivate verb. See route filters for the chain mechanics and the loop-detection filter type reference for the leaves.
The filter walks the path attributes of each incoming UPDATE once and performs three checks:
-
AS loop (all sessions, RFC 4271 S9): if the local ASN appears in the AS_PATH attribute (AS_SEQUENCE or AS_SET segments) more than
allow-own-astimes, the route is rejected.allow-own-asdefaults to 0 (reject on the first occurrence). - Originator-ID loop (iBGP only, RFC 4456 S8): if the ORIGINATOR_ID attribute matches the local Router ID, the route is rejected.
-
Cluster-list loop (iBGP only, RFC 4456 S8): if the cluster ID (from
loop-detection/cluster-idorsession/cluster-id, defaulting to the router-id) appears in the CLUSTER_LIST attribute, the route is rejected.
The filter operates directly on the wire-format UPDATE payload with zero-copy attribute iteration. Rejected routes are logged at debug level and silently dropped before reaching the decision process.
session/cluster-id and loop-detection/cluster-id are kept in sync automatically (RFC 4456 egress and ingress must use the same value), so setting either one at any level propagates to the other.
- Runs as a protocol-stage ingress filter inside the BGP reactor. It is part of the filter chain that every received UPDATE passes through before route selection.
- Exposed to config as the built-in
loop-detectionfilter type underbgp/policy. See route filters. - No dependencies on other plugins. The filter is self-contained and stateless.
- Works with 2-byte and 4-byte ASN encodings depending on the peer's capability negotiation.
main/internal/component/bgp/reactor/filter/
Unreviewed draft. This wiki was authored in bulk and has not been reviewed. File corrections on the issue tracker.
- Overview
- YANG Model
- Editor Workflow
- Archive and Rollback
- System
- Interfaces
- BFD
- FIB
- Firewall
- Traffic Control
- L2TP/PPP
- VPP Data Plane
- RPKI
- TACACS+ AAA
- Fleet
- BGP
- Starting and Stopping
- Show Commands
- Monitoring
- Logging
- Operational Reports
- Healthcheck
- MRT Analysis
- Upgrade and Restart
- Storage
- Policy
- Core
- Resilience
- Validation
- Capabilities
- Address Families
- Protocol
- Subsystems
- Infrastructure
- Route Server at an IXP
- Transit Edge with RPKI
- Public Looking Glass
- ExaBGP Migration Walkthrough
- FlowSpec Injection
- Chaos-Tested Peering
- AS Path Topology