[j-nsp] empty as-lists ?
Alexandre Snarskii
snar at snar.spb.ru
Mon Apr 21 13:29:09 EDT 2025
On Mon, Apr 21, 2025 at 01:17:22PM +0000, Jeff Haas wrote:
> As-list is designed to be removed when empty.
Thanks for the clarification.
>
> While I realize this may violate principle of least astonishment vs. similar features you highlight that take empty match elements, if I could go back in time I'd similarly make those fail as well. The semantics of such empty matching elements have resulted in outages because they themselves fail POLA. Do they match everything? Nothing? Bah.
Hmm... For me it looks pretty straightforward that an empty prefix-list
matches nothing: it has no elements, so there is nothing to compare the
input with, so there can't be a positive match, or "no input can be
matched by an empty prefix-list". Of course, it can result in an outage
(e.g., matching upstream routes by an empty prefix-list may kill your
connectivity), but it's not the vendor who should be blamed for such
configurations..
>
> -- Jeff
>
>
> On 4/20/25, 13:20, "juniper-nsp on behalf of Alexandre Snarskii via juniper-nsp" <juniper-nsp-bounces at puck.nether.net on behalf of juniper-nsp at puck.nether.net> wrote:
>
>
> Hi!
>
>
> Somewhat stupid question: is there any way to configure an as-list that
> does not contain any members? With prefix-lists/route-filter-lists it's
> trivial (delete policy-options prefix-list NNN; set policy-options prefix-list NNN;),
> with classic as-path filters it's possible albeit a bit tricky
> (set policy-options as-path none "!.*"), but I don't see any way to
> create an empty as-list or empty the current one: on emptying it gets fully
> removed from the configuration and policy-options referencing it are no
> longer valid :(
>
>
> Test scenario: create as-list with some members, reference it in policy:
>
>
> [edit policy-options]
> + policy-statement as-test {
> + term ok {
> + from {
> + as-path-origins as-list-group as0;
> + }
> + then accept;
> + }
> + then reject;
> + }
> [edit policy-options]
> + as-list-group as0 {
> + as-list as0 members [ 65533 65534 ];
> + }
>
>
> so far so good, commit check succeeds. Now, some days/weeks/years later the
> as-set becomes empty or nonexistent for whatever reason, the generated as-list
> becomes empty, and an attempt to upload it to the router results in a warning and
> commit check failure:
>
>
> load replace terminal relative
> [Type ^D at a new line to end input]
> policy-options {
> replace:
> as-list-group as0 {
> }
> }
> [edit policy-options]
> 'as-list-group as0'
> warning: statement has no contents; ignored
> load complete
>
>
> commit check
> [edit]
> 'policy-options'
> Policy error: as0 as-list-group referenced (in term ok) but not defined
> error: configuration check-out failed
>
>
> Ok, let's try to generate a "not that empty" as-list, indicating that
> "yes, it's empty, but deliberately":
>
>
> [Type ^D at a new line to end input]
> policy-options {
> replace:
> as-list-group as0 {
> as-list aNone members [ ];
> }
> }
> load complete
>
>
> ok, the warning is not there anymore, but commit check still fails with
> the same error..
>
>
> Are there any other options better than encoding some fake ASN into the
> empty as-list?
>
>
> PS: tested with 22.4R3-S3.3 and 23.4R2-S2.1 if that matters.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
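The failure mode described in the thread is an automation one: a generator turns an AS-set into a Junos `as-list-group` stanza, the set empties, and the pushed configuration first loses the group ("statement has no contents; ignored") and then fails commit check because the policy still references it. The script below is an added example, not code from the thread or from Juniper: it renders the stanza in the shape the original post shows and refuses to emit an empty group, so the generator reports the problem before anything is loaded onto the router. The function names, the `EmptyAsListError` class and the input set are assumptions made for this example.

```python
"""Render a Junos 'as-list-group' stanza from a set of origin ASNs and
refuse to emit one that would be empty (added example, not code from the
thread; the stanza layout follows the snippet in the original post)."""

AS_MAX = 4294967295  # largest 4-byte ASN


class EmptyAsListError(ValueError):
    """Raised when the generated as-list would have no members."""


def validate_asn(asn):
    """Accept only integers in the 32-bit ASN range."""
    if isinstance(asn, bool) or not isinstance(asn, int) or not 0 <= asn <= AS_MAX:
        raise ValueError(f"invalid ASN: {asn!r}")
    return asn


def render_as_list_group(group, list_name, members):
    """Return the 'as-list-group' stanza for a non-empty member set.

    An empty set raises EmptyAsListError instead of producing
    'as-list X members [ ];' which, per the thread (22.4R3-S3.3 and
    23.4R2-S2.1), Junos drops on load, after which commit check fails with
    'as-list-group referenced ... but not defined'."""
    asns = sorted({validate_asn(a) for a in members})
    if not asns:
        raise EmptyAsListError(
            f"as-list-group {group}: no members; Junos removes an empty "
            f"group and any policy referencing it then fails commit check"
        )
    body = " ".join(str(a) for a in asns)
    return (
        f"as-list-group {group} {{\n"
        f"    as-list {list_name} members [ {body} ];\n"
        f"}}\n"
    )


def render_or_report(group, list_name, members):
    """Automation-friendly wrapper: (stanza, None) on success,
    (None, reason) when the group would be empty."""
    try:
        return render_as_list_group(group, list_name, members), None
    except EmptyAsListError as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Constructed sample input: the two members from the original post.
    print(render_as_list_group("as0", "as0", [65533, 65534]), end="")
    # The case the thread is about: the source AS-set has emptied.
    stanza, reason = render_or_report("as0", "as0", [])
    print("refused:", reason)
```

The point of the wrapper is that the pipeline that feeds `load replace` gets a machine-checkable signal (`stanza is None`) and can keep the previously committed group in place, or page an operator, rather than discovering the problem as a commit check error on the router.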