[j-nsp] empty as-lists ?

Jeff Haas jhaas at juniper.net
Mon Apr 21 09:17:22 EDT 2025


As-list is designed to be removed when empty.

While I realize this may violate the principle of least astonishment vs. similar features you highlight that take empty match elements, if I could go back in time I'd similarly make those fail as well. The semantics of such empty matching elements have resulted in outages because they themselves fail POLA. Do they match everything? Nothing? Bah.

-- Jeff


On 4/20/25, 13:20, "juniper-nsp on behalf of Alexandre Snarskii via juniper-nsp" <juniper-nsp-bounces at puck.nether.net on behalf of juniper-nsp at puck.nether.net> wrote:


Hi!


Somewhat stupid question: is there any way to configure an as-list that
does not contain any member? With prefix-lists/route-filter-lists it's
trivial (delete policy-options prefix-list NNN; set policy-options prefix-list NNN;),
with classic as-path filters it's possible albeit a bit tricky
(set policy-options as-path none "!.*"), but I don't see any way to
create an empty as-list or empty the current one: on emptying it gets fully
removed from configuration and policy-options referencing it are not
valid anymore :(


Test scenario: create as-list with some members, reference it in policy:


[edit policy-options]
+ policy-statement as-test {
+ term ok {
+ from {
+ as-path-origins as-list-group as0;
+ }
+ then accept;
+ }
+ then reject;
+ }
[edit policy-options]
+ as-list-group as0 {
+ as-list as0 members [ 65533 65534 ];
+ }


so far so good, commit check succeeds. Now, some days/weeks/years after,
the as-set becomes empty or nonexistent for whatever reason, the generated as-list
becomes empty, and an attempt to upload it to the router results in a warning and
commit check failure:


load replace terminal relative
[Type ^D at a new line to end input]
policy-options {
    replace:
    as-list-group as0 {
    }
}
[edit policy-options]
'as-list-group as0'
warning: statement has no contents; ignored
load complete


commit check
[edit]
'policy-options'
Policy error: as0 as-list-group referenced (in term ok) but not defined
error: configuration check-out failed


Ok, let's try to generate a "not that empty" as-list, indicating that
"yes, it's empty, but deliberately so":


[Type ^D at a new line to end input]
policy-options {
    replace:
    as-list-group as0 {
        as-list aNone members [ ];
    }
}
load complete


ok, the warning is not here anymore, but commit check still fails with
the same error..


Are there any other options better than encoding some fake ASN into
an empty as-list?


PS: tested with 22.4R3-S3.3 and 23.4R2-S2.1 if that matters.
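The failure discussed in this thread can be caught on the generator side before a candidate config reaches the router. The following is an added example, not part of the original messages and not Juniper tooling: a Python pre-load check that scans policy-options text for as-list-group references whose group is missing or has no members. The function names and the sample config are constructed, and treating a group as populated when any one of its as-lists has a member is an assumption (the thread only shows the all-empty cases).

```python
import re

# Constructed candidate config: generator output after the as-set for as0 expanded to nothing.
CANDIDATE = """
policy-options {
    policy-statement as-test {
        term ok {
            from {
                as-path-origins as-list-group as0;
            }
            then accept;
        }
        then reject;
    }
    as-list-group as0 {
        as-list aNone members [ ];
    }
    as-list-group as1 {
        as-list as1 members [ 65533 65534 ];
    }
}
"""

# Definition: "as-list-group NAME { ... }" (the body holds no nested braces).
GROUP_RE = re.compile(r"as-list-group\s+([^\s;{]+)\s*\{(.*?)\}", re.S)
# Member statement: "as-list NAME members [ a b ];" or "as-list NAME members a;".
MEMBERS_RE = re.compile(r"as-list\s+\S+\s+members\s+(?:\[([^\]]*)\]|([^\s;\[]+))\s*;")
# Reference from a policy term: "as-path-origins as-list-group NAME;".
REF_RE = re.compile(r"as-list-group\s+([^\s;{]+)\s*;")

def group_members(config):
    """Map each defined as-list-group to the member tokens found in its as-lists."""
    groups = {}
    for name, body in GROUP_RE.findall(config):
        members = []
        for bracketed, single in MEMBERS_RE.findall(body):
            members += bracketed.split() if bracketed else [single] if single else []
        groups[name] = members
    return groups

def lint(config):
    """Return referenced as-list-groups that are undefined or carry no members."""
    groups = group_members(config)
    # Assumption: one populated as-list is enough to keep a group defined.
    return sorted(r for r in set(REF_RE.findall(config)) if not groups.get(r))

if __name__ == "__main__":
    for name in lint(CANDIDATE):
        print(f"refusing to load: as-list-group {name} is referenced but empty or missing")
```

A non-empty result means the upload would hit the "referenced ... but not defined" commit-check error shown above, so the pipeline can stop and keep the running config instead.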