BGP: add dissector for BGPsec capability and path

BGPsec is specified in RFC8205. It adds a path attribute to BGP update
messages and a capability to BGP open messages.

tests: add pcap for BGPsec test

diff --git a/print-bgp.c b/print-bgp.c
index 1292542c3347108962ef6aa687eae2d71f5d4151..4fc39957af4be6811be9ce19ce64e89c309bc0ea 100644 (file)
--- a/print-bgp.c
+++ b/print-bgp.c
@@ -173,6 +173,7 @@ static const struct tok bgp_route_refresh_subtype_values[] = {
 #define BGPTYPE_PE_DISTINGUISHER_LABEL  27    /* RFC6514 */
 #define BGPTYPE_ENTROPY_LABEL           28    /* RFC6790 */
 #define BGPTYPE_LARGE_COMMUNITY         32    /* draft-ietf-idr-large-community-05 */
+#define BGPTYPE_BGPSEC_PATH             33    /* RFC8205 */
 #define BGPTYPE_ATTR_SET               128    /* RFC6368 */
 
 #define BGP_MP_NLRI_MINSIZE              3    /* End of RIB Marker detection */
@@ -201,6 +202,7 @@ static const struct tok bgp_attr_values[] = {
     { BGPTYPE_PE_DISTINGUISHER_LABEL, "PE Distinguisher Label"},
     { BGPTYPE_ENTROPY_LABEL,    "Entropy Label"},
     { BGPTYPE_LARGE_COMMUNITY,  "Large Community"},
+    { BGPTYPE_BGPSEC_PATH,      "BGPsec Path"},
     { BGPTYPE_ATTR_SET,         "Attribute Set"},
     { 255,                      "Reserved for development"},
     { 0, NULL}
@@ -245,6 +247,7 @@ static const struct tok bgp_opt_values[] = {
 #define BGP_CAPCODE_MR                  4 /* RFC3107 */
 #define BGP_CAPCODE_EXT_NH              5 /* RFC5549 */
 #define BGP_CAPCODE_EXT_MSG             6 /* RFC8654 */
+#define BGP_CAPCODE_BGPSEC              7 /* RFC8205 */
 #define BGP_CAPCODE_ML                  8 /* RFC8277 */
 #define BGP_CAPCODE_RESTART            64 /* RFC4724  */
 #define BGP_CAPCODE_AS_NEW             65 /* RFC6793 */
@@ -262,6 +265,7 @@ static const struct tok bgp_capcode_values[] = {
     { BGP_CAPCODE_MR,           "Multiple Routes to a Destination"},
     { BGP_CAPCODE_EXT_NH,       "Extended Next Hop Encoding"},
     { BGP_CAPCODE_EXT_MSG,      "BGP Extended Message"},
+    { BGP_CAPCODE_BGPSEC,       "BGPsec"},
     { BGP_CAPCODE_ML,           "Multiple Labels"},
     { BGP_CAPCODE_RESTART,      "Graceful Restart"},
     { BGP_CAPCODE_AS_NEW,       "32-Bit AS Number"},
@@ -600,6 +604,18 @@ static const struct tok bgp_add_path_recvsend[] = {
     { 0, NULL },
 };
 
+static const struct tok bgp_bgpsec_bitmap_str[] = {
+    { 1U << 0, "MBZ-0" },
+    { 1U << 1, "MBZ-1" },
+    { 1U << 2, "MBZ-2" },
+    { 1U << 3, "MBZ-3" },
+    { 1U << 4, "MBZ-4" },
+    { 1U << 5, "MBZ-5" },
+    { 1U << 6, "MBZ-6" },
+    { 1U << 7, "C" },
+    { 0, NULL}
+};
+
 #define AS_STR_SIZE sizeof("xxxxx.xxxxx")
 
 /*
@@ -2543,6 +2559,74 @@ bgp_attr_print(netdissect_options *ndo,
             len -= 12;
         }
         break;
+    case BGPTYPE_BGPSEC_PATH:
+    {
+        uint16_t sblen, splen;
+
+        splen = GET_BE_U_2(tptr);
+
+        /*
+         * A secure path has a minimum length of 8 bytes:
+         * 2 bytes length field
+         * 6 bytes per secure path segment
+         */
+        ND_ICHECKMSG_U("secure path length", splen, <, 8);
+
+        ND_PRINT("\n\t    Secure Path Length: %u", splen);
+
+        tptr += 2;
+        splen -= 2;
+        /* Make sure the secure path length does not signal trailing bytes */
+        if (splen % 6) {
+            ND_PRINT(" [invalid total segments len %u]", splen);
+            break;
+        }
+
+        /* Parse secure path segments */
+        while (splen != 0) {
+            uint8_t pcount = GET_U_1(tptr);
+            uint8_t flags = GET_U_1(tptr + 1);
+            uint32_t asn = GET_BE_U_4(tptr + 2);
+            ND_PRINT("\n\t      Secure Path Segment: pCount: %u, Flags: [%s] (0x%02x), AS: %u",
+                     pcount,
+                     bittok2str(bgp_bgpsec_bitmap_str, "none", flags),
+                     flags,
+                     asn);
+            tptr += 6;
+            splen -= 6;
+        }
+
+        sblen = GET_BE_U_2(tptr);
+
+        ND_PRINT("\n\t    Signature Block: Length: %u, Algo ID: %u",
+                 sblen,
+                 GET_U_1(tptr + 2));
+
+        tptr += 3;
+        sblen -= 3;
+        /* Parse signature segments */
+        while (sblen > 0) {
+            uint16_t siglen;
+
+            ND_PRINT("\n\t      Signature Segment:\n\t        SKI: ");
+            ND_ICHECKMSG_U("remaining length", sblen, <, 20);
+            hex_print(ndo, "\n\t          ", tptr, 20);
+            tptr += 20;
+            sblen -= 20;
+            ND_ICHECKMSG_U("remaining length", sblen, <, 2);
+            siglen = GET_BE_U_2(tptr);
+            tptr += 2;
+            sblen -= 2;
+
+            ND_PRINT("\n\t        Length: %u", siglen);
+            ND_ICHECKMSG_U("remaining length", sblen, <, siglen);
+            ND_PRINT("\n\t        Signature:");
+            hex_print(ndo, "\n\t          ", tptr, siglen);
+            tptr += siglen;
+            sblen -= siglen;
+        }
+        break;
+    }
     default:
         ND_TCHECK_LEN(pptr, len);
         ND_PRINT("\n\t    no Attribute %u decoder", atype); /* we have no decoder for the attribute */
@@ -2557,6 +2641,10 @@ done:
     }
     return 1;
 
+invalid:
+    nd_print_invalid(ndo);
+    return 1;
+
 trunc:
     return 0;
 }
@@ -2592,6 +2680,23 @@ bgp_capabilities_print(netdissect_options *ndo,
                tok2str(bgp_safi_values, "Unknown", GET_U_1(opt + i + 5)),
                GET_U_1(opt + i + 5));
             break;
+        case BGP_CAPCODE_BGPSEC:
+            /* Version (4 bits), Direction (1 bit), Flags (3 bits), AFI (16 bits) */
+            cap_offset = 1;
+            /* The capability length [...] MUST be set to 3. */
+            if (cap_len != 3) {
+                ND_PRINT(" [%u != 3]", cap_len);
+                return;
+            }
+
+            ND_PRINT("\n\t\tVersion %u, Direction %s (%u), AFI %s (%u)",
+                      GET_U_1(opt + i + 2)&0xf0,
+                      (GET_U_1(opt + i + 2)&0x08) ? "Send" : "Receive",
+                      (GET_U_1(opt + i + 2)&0x08)>>3,
+                      bittok2str(af_values, "Unknown",
+                                  GET_BE_U_2(opt + i + cap_offset + 2)),
+                      GET_BE_U_2(opt + i + cap_offset + 2));
+            break;
         case BGP_CAPCODE_ML:
             cap_offset = 2;
             tcap_len = cap_len;

diff --git a/tests/TESTLIST b/tests/TESTLIST
index 1b0d9593ed0951420601f8b01b4884e2625a1d1e..763b251cdff04cae5ee6a198bcac1dbc4e06cb40 100644 (file)
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -70,6 +70,7 @@ bgp-cease-hard-reset          bgp-cease-hard-reset.pcap       bgp-cease-hard-reset.out        -v
 bgp-malformed-hard-reset       bgp-malformed-hard-reset.pcap   bgp-malformed-hard-reset.out    -v
 bgp-bfd-cease                  bgp-bfd-cease.pcap              bgp-bfd-cease.out               -v
 bgp-orf                        bgp-orf.pcapng          bgp-orf.out             -v
+bgp-bgpsec     bgp-bgpsec.pcap         bgp-bgpsec.out          -v
 
 # Broadcom tag tests
 brcmtag                brcm-tag.pcap           brcm-tag.out

diff --git a/tests/bgp-bgpsec.out b/tests/bgp-bgpsec.out
new file mode 100644 (file)
index 0000000..7fadd3e
--- /dev/null
+++ b/tests/bgp-bgpsec.out
@@ -0,0 +1,778 @@
+    1  13:45:50.158839 IP (tos 0xc0, ttl 1, id 931, offset 0, flags [DF], proto TCP (6), length 60)
+    172.18.0.2.44538 > 172.18.0.3.179: Flags [S], cksum 0x5858 (incorrect -> 0xe30a), seq 1813951547, win 64240, options [mss 1460,sackOK,TS val 2791087222 ecr 0,nop,wscale 7], length 0
+    2  13:45:50.158874 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
+    172.18.0.3.179 > 172.18.0.2.44538: Flags [R.], cksum 0x889e (correct), seq 0, ack 1813951548, win 0, length 0
+    3  13:45:52.580424 IP (tos 0xc0, ttl 1, id 49352, offset 0, flags [DF], proto TCP (6), length 60)
+    172.18.0.3.54094 > 172.18.0.2.179: Flags [S], cksum 0x5858 (incorrect -> 0xe776), seq 2144546963, win 64240, options [mss 1460,sackOK,TS val 1161315278 ecr 0,nop,wscale 7], length 0
+    4  13:45:52.580594 IP (tos 0xc0, ttl 255, id 0, offset 0, flags [DF], proto TCP (6), length 60)
+    172.18.0.2.179 > 172.18.0.3.54094: Flags [S.], cksum 0x5858 (incorrect -> 0xb7ed), seq 2060149963, ack 2144546964, win 65160, options [mss 1460,sackOK,TS val 2791089644 ecr 1161315278,nop,wscale 7], length 0
+    5  13:45:52.580696 IP (tos 0xc0, ttl 1, id 49353, offset 0, flags [DF], proto TCP (6), length 52)
+    172.18.0.3.54094 > 172.18.0.2.179: Flags [.], cksum 0x5850 (incorrect -> 0xe34b), ack 1, win 502, options [nop,nop,TS val 1161315279 ecr 2791089644], length 0
+    6  13:45:52.582638 IP (tos 0xc0, ttl 1, id 29723, offset 0, flags [DF], proto TCP (6), length 159)
+    172.18.0.2.179 > 172.18.0.3.54094: Flags [P.], cksum 0x58bb (incorrect -> 0xf937), seq 1:108, ack 1, win 510, options [nop,nop,TS val 2791089646 ecr 1161315279], length 107: BGP
+       Open Message (1), length: 107
+         Version 4, my AS 2, Holdtime 180s, ID 172.18.0.2
+         Optional parameters, length: 78
+           Option Capabilities Advertisement (2), length: 6
+             Multiprotocol Extensions (1), length: 4
+               AFI IPv4 (1), SAFI Unicast (1)
+           Option Capabilities Advertisement (2), length: 2
+             Route Refresh (Cisco) (128), length: 0
+           Option Capabilities Advertisement (2), length: 2
+             Route Refresh (2), length: 0
+           Option Capabilities Advertisement (2), length: 2
+             Enhanced Route Refresh (70), length: 0
+           Option Capabilities Advertisement (2), length: 6
+             32-Bit AS Number (65), length: 4
+                4 Byte AS 2
+           Option Capabilities Advertisement (2), length: 2
+             BGP Extended Message (6), length: 0
+           Option Capabilities Advertisement (2), length: 6
+             Multiple Paths (69), length: 4
+               AFI IPv4 (1), SAFI Unicast (1), Send/Receive: Receive
+           Option Capabilities Advertisement (2), length: 9
+             Unknown (73), length: 7
+               no decoder for Capability 73
+               0x0000:  0562 6770 6431 00
+           Option Capabilities Advertisement (2), length: 5
+             BGPsec (7), length: 3
+               Version 0, Direction Send (1), AFI IPv4 (1)
+           Option Capabilities Advertisement (2), length: 5
+             BGPsec (7), length: 3
+               Version 0, Direction Receive (0), AFI IPv4 (1)
+           Option Capabilities Advertisement (2), length: 5
+             BGPsec (7), length: 3
+               Version 0, Direction Send (1), AFI IPv6 (2)
+           Option Capabilities Advertisement (2), length: 4
+             Graceful Restart (64), length: 2
+               Restart Flags: [R], Restart Time 120s
+    7  13:45:52.582735 IP (tos 0xc0, ttl 1, id 49354, offset 0, flags [DF], proto TCP (6), length 52)
+    172.18.0.3.54094 > 172.18.0.2.179: Flags [.], cksum 0x5850 (incorrect -> 0xe2dc), ack 108, win 502, options [nop,nop,TS val 1161315281 ecr 2791089646], length 0
+    8  13:45:52.583463 IP (tos 0xc0, ttl 1, id 49355, offset 0, flags [DF], proto TCP (6), length 159)
+    172.18.0.3.54094 > 172.18.0.2.179: Flags [P.], cksum 0x58bb (incorrect -> 0xf6cf), seq 1:108, ack 108, win 502, options [nop,nop,TS val 1161315282 ecr 2791089646], length 107: BGP
+       Open Message (1), length: 107
+         Version 4, my AS 3, Holdtime 180s, ID 172.18.0.3
+         Optional parameters, length: 78
+           Option Capabilities Advertisement (2), length: 6
+             Multiprotocol Extensions (1), length: 4
+               AFI IPv4 (1), SAFI Unicast (1)
+           Option Capabilities Advertisement (2), length: 2
+             Route Refresh (Cisco) (128), length: 0
+           Option Capabilities Advertisement (2), length: 2
+             Route Refresh (2), length: 0
+           Option Capabilities Advertisement (2), length: 2
+             Enhanced Route Refresh (70), length: 0
+           Option Capabilities Advertisement (2), length: 6
+             32-Bit AS Number (65), length: 4
+                4 Byte AS 3
+           Option Capabilities Advertisement (2), length: 2
+             BGP Extended Message (6), length: 0
+           Option Capabilities Advertisement (2), length: 6
+             Multiple Paths (69), length: 4
+               AFI IPv4 (1), SAFI Unicast (1), Send/Receive: Receive
+           Option Capabilities Advertisement (2), length: 9
+             Unknown (73), length: 7
+               no decoder for Capability 73
+               0x0000:  0562 6770 6432 00
+           Option Capabilities Advertisement (2), length: 5
+             BGPsec (7), length: 3
+               Version 0, Direction Send (1), AFI IPv4 (1)
+           Option Capabilities Advertisement (2), length: 5
+             BGPsec (7), length: 3
+               Version 0, Direction Receive (0), AFI IPv4 (1)
+           Option Capabilities Advertisement (2), length: 5
+             BGPsec (7), length: 3
+               Version 0, Direction Send (1), AFI IPv6 (2)
+           Option Capabilities Advertisement (2), length: 4
+             Graceful Restart (64), length: 2
+               Restart Flags: [R], Restart Time 120s
+    9  13:45:52.583533 IP (tos 0xc0, ttl 1, id 29724, offset 0, flags [DF], proto TCP (6), length 52)
+    172.18.0.2.179 > 172.18.0.3.54094: Flags [.], cksum 0x5850 (incorrect -> 0xe267), ack 108, win 510, options [nop,nop,TS val 2791089647 ecr 1161315282], length 0
+   10  13:45:52.584130 IP (tos 0xc0, ttl 1, id 29725, offset 0, flags [DF], proto TCP (6), length 71)
+    172.18.0.2.179 > 172.18.0.3.54094: Flags [P.], cksum 0x5863 (incorrect -> 0xde39), seq 108:127, ack 108, win 510, options [nop,nop,TS val 2791089647 ecr 1161315282], length 19: BGP
+       Keepalive Message (4), length: 19
+   11  13:45:52.584126 IP (tos 0xc0, ttl 1, id 49356, offset 0, flags [DF], proto TCP (6), length 71)
+    172.18.0.3.54094 > 172.18.0.2.179: Flags [P.], cksum 0x5863 (incorrect -> 0xde41), seq 108:127, ack 108, win 502, options [nop,nop,TS val 1161315282 ecr 2791089647], length 19: BGP
+       Keepalive Message (4), length: 19
+   12  13:45:52.584196 IP (tos 0xc0, ttl 1, id 29726, offset 0, flags [DF], proto TCP (6), length 52)
+    172.18.0.2.179 > 172.18.0.3.54094: Flags [.], cksum 0x5850 (incorrect -> 0xe241), ack 127, win 510, options [nop,nop,TS val 2791089647 ecr 1161315282], length 0
+   13  13:45:52.584196 IP (tos 0xc0, ttl 1, id 49357, offset 0, flags [DF], proto TCP (6), length 52)
+    172.18.0.3.54094 > 172.18.0.2.179: Flags [.], cksum 0x5850 (incorrect -> 0xe249), ack 127, win 502, options [nop,nop,TS val 1161315282 ecr 2791089647], length 0
+   14  13:45:52.585786 IP (tos 0xc0, ttl 1, id 8954, offset 0, flags [DF], proto TCP (6), length 60)
+    172.18.0.3.45314 > 172.18.0.4.179: Flags [S], cksum 0x585a (incorrect -> 0x9b7b), seq 1914912993, win 64240, options [mss 1460,sackOK,TS val 2450416287 ecr 0,nop,wscale 7], length 0
+   15  13:45:52.585912 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
+    172.18.0.4.179 > 172.18.0.3.45314: Flags [R.], cksum 0xf2e9 (correct), seq 0, ack 1914912994, win 0, length 0
+   16  13:45:53.685808 IP (tos 0xc0, ttl 1, id 49358, offset 0, flags [DF], proto TCP (6), length 75)
+    172.18.0.3.54094 > 172.18.0.2.179: Flags [P.], cksum 0x5867 (incorrect -> 0xdbc5), seq 127:150, ack 127, win 502, options [nop,nop,TS val 1161316384 ecr 2791089647], length 23: BGP
+       Update Message (2), length: 23
+         End-of-Rib Marker (empty NLRI)
+   17  13:45:53.685905 IP (tos 0xc0, ttl 1, id 29727, offset 0, flags [DF], proto TCP (6), length 52)
+    172.18.0.2.179 > 172.18.0.3.54094: Flags [.], cksum 0x5850 (incorrect -> 0xd98e), ack 150, win 510, options [nop,nop,TS val 2791090749 ecr 1161316384], length 0
+   18  13:45:53.695782 IP (tos 0xc0, ttl 1, id 29728, offset 0, flags [DF], proto TCP (6), length 1662)
+    172.18.0.2.179 > 172.18.0.3.54094: Flags [P.], cksum 0x5e9a (incorrect -> 0xc146), seq 127:1737, ack 150, win 510, options [nop,nop,TS val 2791090759 ecr 1161316384], length 1610: BGP
+       Update Message (2), length: 158
+         Multi-Protocol Reach NLRI (14), length: 13, Flags [OE]: 
+           AFI: IPv4 (1), SAFI: Unicast (1)
+           nexthop: 172.18.0.2, nh-length: 4, no SNPA
+             1.0.1.0/24
+         Origin (1), length: 1, Flags [T]: IGP
+         Multi Exit Discriminator (4), length: 4, Flags [O]: 0
+         BGPsec Path (33), length: 103, Flags [OE]: 
+           Secure Path Length: 8
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 2
+           Signature Block: Length: 95, Algo ID: 1
+             Signature Segment:
+               SKI: 
+                 0x0000:  0a15 fa1c b92f 4d34 95fe f0ca 9180 c0a9
+                 0x0010:  3c4a 254f
+               Length: 70
+               Signature:
+                 0x0000:  3044 0220 7e5f 7511 2da3 41b1 2fe0 9789
+                 0x0010:  2cc9 2c5a 2396 5445 955e 3e11 ac65 b660
+                 0x0020:  6441 3630 0220 2103 bd0f 5793 7b63 b6f2
+                 0x0030:  613f 1f6a 13e6 e65f 8484 b6b8 84c1 479e
+                 0x0040:  878c f668 71a4
+       Update Message (2), length: 160
+         Multi-Protocol Reach NLRI (14), length: 13, Flags [OE]: 
+           AFI: IPv4 (1), SAFI: Unicast (1)
+           nexthop: 172.18.0.2, nh-length: 4, no SNPA
+             1.0.10.0/24
+         Origin (1), length: 1, Flags [T]: IGP
+         Multi Exit Discriminator (4), length: 4, Flags [O]: 0
+         BGPsec Path (33), length: 105, Flags [OE]: 
+           Secure Path Length: 8
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 2
+           Signature Block: Length: 97, Algo ID: 1
+             Signature Segment:
+               SKI: 
+                 0x0000:  0a15 fa1c b92f 4d34 95fe f0ca 9180 c0a9
+                 0x0010:  3c4a 254f
+               Length: 72
+               Signature:
+                 0x0000:  3046 0221 00aa d2ca 6cf3 8568 3bc1 ddb9
+                 0x0010:  5ecf 53a2 e1dc bb76 f80b 8cc9 d3d5 f23d
+                 0x0020:  e973 303c f302 2100 bff5 8cb3 a1d4 458d
+                 0x0030:  aa1b b6b8 faaa ad11 0d27 54a9 c2cb 1b77
+                 0x0040:  c88f ac3c 3ef0 2676
+       Update Message (2), length: 158
+         Multi-Protocol Reach NLRI (14), length: 13, Flags [OE]: 
+           AFI: IPv4 (1), SAFI: Unicast (1)
+           nexthop: 172.18.0.2, nh-length: 4, no SNPA
+             1.0.9.0/24
+         Origin (1), length: 1, Flags [T]: IGP
+         Multi Exit Discriminator (4), length: 4, Flags [O]: 0
+         BGPsec Path (33), length: 103, Flags [OE]: 
+           Secure Path Length: 8
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 2
+           Signature Block: Length: 95, Algo ID: 1
+             Signature Segment:
+               SKI: 
+                 0x0000:  0a15 fa1c b92f 4d34 95fe f0ca 9180 c0a9
+                 0x0010:  3c4a 254f
+               Length: 70
+               Signature:
+                 0x0000:  3044 0220 0a09 31f7 9172 940a d1df 7dd5
+                 0x0010:  5fde dc2b 0dc0 6a46 bb0f a22b 8021 f735
+                 0x0020:  98bb fd46 0220 35c7 bb54 ca67 07df 45bc
+                 0x0030:  51da dd9d 8f4c 66c7 f09b a72f 5ead 7393
+                 0x0040:  6807 96dc 01c5
+       Update Message (2), length: 160
+         Multi-Protocol Reach NLRI (14), length: 13, Flags [OE]: 
+           AFI: IPv4 (1), SAFI: Unicast (1)
+           nexthop: 172.18.0.2, nh-length: 4, no SNPA
+             1.0.8.0/24
+         Origin (1), length: 1, Flags [T]: IGP
+         Multi Exit Discriminator (4), length: 4, Flags [O]: 0
+         BGPsec Path (33), length: 105, Flags [OE]: 
+           Secure Path Length: 8
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 2
+           Signature Block: Length: 97, Algo ID: 1
+             Signature Segment:
+               SKI: 
+                 0x0000:  0a15 fa1c b92f 4d34 95fe f0ca 9180 c0a9
+                 0x0010:  3c4a 254f
+               Length: 72
+               Signature:
+                 0x0000:  3046 0221 0091 cce5 3628 025f 5a44 8465
+                 0x0010:  0351 d3d7 5bbe ad98 5040 49cc a0d5 373c
+                 0x0020:  7f79 3ed6 1802 2100 fe77 53d6 df6d 1d03
+                 0x0030:  e096 4a05 3bbf 1765 845d f777 0cb9 ab99
+                 0x0040:  d3c4 186c 3cea 8b0b
+       Update Message (2), length: 159
+         Multi-Protocol Reach NLRI (14), length: 13, Flags [OE]: 
+           AFI: IPv4 (1), SAFI: Unicast (1)
+           nexthop: 172.18.0.2, nh-length: 4, no SNPA
+             1.0.7.0/24
+         Origin (1), length: 1, Flags [T]: IGP
+         Multi Exit Discriminator (4), length: 4, Flags [O]: 0
+         BGPsec Path (33), length: 104, Flags [OE]: 
+           Secure Path Length: 8
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 2
+           Signature Block: Length: 96, Algo ID: 1
+             Signature Segment:
+               SKI: 
+                 0x0000:  0a15 fa1c b92f 4d34 95fe f0ca 9180 c0a9
+                 0x0010:  3c4a 254f
+               Length: 71
+               Signature:
+                 0x0000:  3045 0220 05e2 5f3f 9544 f375 6217 eaf8
+                 0x0010:  528e 65ad 24c9 74da 9f92 18fb b6c8 5720
+                 0x0020:  6dbb da29 0221 00c4 84e5 1c46 c18d c3ee
+                 0x0030:  b5fd 629f c6b9 7ba5 e18e abdf 64b9 8e46
+                 0x0040:  cd69 5b53 eac0 c3
+       Update Message (2), length: 158
+         Multi-Protocol Reach NLRI (14), length: 13, Flags [OE]: 
+           AFI: IPv4 (1), SAFI: Unicast (1)
+           nexthop: 172.18.0.2, nh-length: 4, no SNPA
+             1.0.6.0/24
+         Origin (1), length: 1, Flags [T]: IGP
+         Multi Exit Discriminator (4), length: 4, Flags [O]: 0
+         BGPsec Path (33), length: 103, Flags [OE]: 
+           Secure Path Length: 8
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 2
+           Signature Block: Length: 95, Algo ID: 1
+             Signature Segment:
+               SKI: 
+                 0x0000:  0a15 fa1c b92f 4d34 95fe f0ca 9180 c0a9
+                 0x0010:  3c4a 254f
+               Length: 70
+               Signature:
+                 0x0000:  3044 0220 7f1a edbc e643 4869 ec9c 60ac
+                 0x0010:  7d9e cb04 d4cf 1d68 4a03 aa19 f7c2 ed8a
+                 0x0020:  9d3d c37b 0220 53e8 87be b9e9 1c3a 2785
+                 0x0030:  d856 022f 482f 63c6 06c9 957b a688 b0ee
+                 0x0040:  6b88 30bc ad46
+       Update Message (2), length: 158
+         Multi-Protocol Reach NLRI (14), length: 13, Flags [OE]: 
+           AFI: IPv4 (1), SAFI: Unicast (1)
+           nexthop: 172.18.0.2, nh-length: 4, no SNPA
+             1.0.5.0/24
+         Origin (1), length: 1, Flags [T]: IGP
+         Multi Exit Discriminator (4), length: 4, Flags [O]: 0
+         BGPsec Path (33), length: 103, Flags [OE]: 
+           Secure Path Length: 8
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 2
+           Signature Block: Length: 95, Algo ID: 1
+             Signature Segment:
+               SKI: 
+                 0x0000:  0a15 fa1c b92f 4d34 95fe f0ca 9180 c0a9
+                 0x0010:  3c4a 254f
+               Length: 70
+               Signature:
+                 0x0000:  3044 0220 65b5 609f c88b 232e c992 3daa
+                 0x0010:  8d19 9e22 43e7 e83d 378a 88c3 6636 01a5
+                 0x0020:  183a 469d 0220 6bab 77fb 4d8b 8ef8 c3cf
+                 0x0030:  a206 82de 9da8 e0a1 77eb cabc 0e3d 8c49
+                 0x0040:  260e 9bc2 cf9d
+       Update Message (2), length: 158
+         Multi-Protocol Reach NLRI (14), length: 13, Flags [OE]: 
+           AFI: IPv4 (1), SAFI: Unicast (1)
+           nexthop: 172.18.0.2, nh-length: 4, no SNPA
+             1.0.4.0/24
+         Origin (1), length: 1, Flags [T]: IGP
+         Multi Exit Discriminator (4), length: 4, Flags [O]: 0
+         BGPsec Path (33), length: 103, Flags [OE]: 
+           Secure Path Length: 8
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 2
+           Signature Block: Length: 95, Algo ID: 1
+             Signature Segment:
+               SKI: 
+                 0x0000:  0a15 fa1c b92f 4d34 95fe f0ca 9180 c0a9
+                 0x0010:  3c4a 254f
+               Length: 70
+               Signature:
+                 0x0000:  3044 0220 7415 c8b7 7912 8968 caa9 4dfd
+                 0x0010:  db4b feb1 286d e68d bc88 3930 9506 a1b8
+                 0x0020:  9e16 0919 0220 61fa 3f1e dbd1 2594 5243
+                 0x0030:  2a8c c95c 84ee 29f8 c207 b646 977c 10b3
+                 0x0040:  1d9c 3fb5 1f3f
+       Update Message (2), length: 159
+         Multi-Protocol Reach NLRI (14), length: 13, Flags [OE]: 
+           AFI: IPv4 (1), SAFI: Unicast (1)
+           nexthop: 172.18.0.2, nh-length: 4, no SNPA
+             1.0.3.0/24
+         Origin (1), length: 1, Flags [T]: IGP
+         Multi Exit Discriminator (4), length: 4, Flags [O]: 0
+         BGPsec Path (33), length: 104, Flags [OE]: 
+           Secure Path Length: 8
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 2
+           Signature Block: Length: 96, Algo ID: 1
+             Signature Segment:
+               SKI: 
+                 0x0000:  0a15 fa1c b92f 4d34 95fe f0ca 9180 c0a9
+                 0x0010:  3c4a 254f
+               Length: 71
+               Signature:
+                 0x0000:  3045 0220 1073 0d4c 8363 cae0 41f7 45e3
+                 0x0010:  f5d0 8893 413f c095 e3f7 95eb 0aa3 4da5
+                 0x0020:  a400 9c4d 0221 00b4 8e44 c4fb e5bb 77a2
+                 0x0030:  e8b8 808d cd4f 3db9 94be e72c f929 5628
+                 0x0040:  bc74 e99c 55af 64
+       Update Message (2), length: 159
+         Multi-Protocol Reach NLRI (14), length: 13, Flags [OE]: 
+           AFI: IPv4 (1), SAFI: Unicast (1)
+           nexthop: 172.18.0.2, nh-length: 4, no SNPA
+             1.0.2.0/24
+         Origin (1), length: 1, Flags [T]: IGP
+         Multi Exit Discriminator (4), length: 4, Flags [O]: 0
+         BGPsec Path (33), length: 104, Flags [OE]: 
+           Secure Path Length: 8
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 2
+           Signature Block: Length: 96, Algo ID: 1
+             Signature Segment:
+               SKI: 
+                 0x0000:  0a15 fa1c b92f 4d34 95fe f0ca 9180 c0a9
+                 0x0010:  3c4a 254f
+               Length: 71
+               Signature:
+                 0x0000:  3045 0220 7d87 e54d f871 4400 768a 3db7
+                 0x0010:  acfa 55ae be23 e200 3cdf 21b6 1424 0d1e
+                 0x0020:  8831 49e3 0221 00e2 d828 edb0 0277 dc25
+                 0x0030:  f4c5 aa4e 2906 74e3 aa13 6c30 f78b d415
+                 0x0040:  0e55 35ef 3fc8 70
+       Update Message (2), length: 23
+         End-of-Rib Marker (empty NLRI)
+   19  13:45:53.695866 IP (tos 0xc0, ttl 1, id 49359, offset 0, flags [DF], proto TCP (6), length 52)
+    172.18.0.3.54094 > 172.18.0.2.179: Flags [.], cksum 0x5850 (incorrect -> 0xd339), ack 1737, win 501, options [nop,nop,TS val 1161316394 ecr 2791090759], length 0
+   20  13:45:56.356964 IP (tos 0xc0, ttl 1, id 59932, offset 0, flags [DF], proto TCP (6), length 60)
+    172.18.0.4.32836 > 172.18.0.3.179: Flags [S], cksum 0x585a (incorrect -> 0x05d8), seq 2209904309, win 64240, options [mss 1460,sackOK,TS val 3983705651 ecr 0,nop,wscale 7], length 0
+   21  13:45:56.357094 IP (tos 0xc0, ttl 255, id 0, offset 0, flags [DF], proto TCP (6), length 60)
+    172.18.0.3.179 > 172.18.0.4.32836: Flags [S.], cksum 0x585a (incorrect -> 0xe537), seq 994631237, ack 2209904310, win 65160, options [mss 1460,sackOK,TS val 2450420058 ecr 3983705651,nop,wscale 7], length 0
+   22  13:45:56.357166 IP (tos 0xc0, ttl 1, id 59933, offset 0, flags [DF], proto TCP (6), length 52)
+    172.18.0.4.32836 > 172.18.0.3.179: Flags [.], cksum 0x5852 (incorrect -> 0x1097), ack 1, win 502, options [nop,nop,TS val 3983705651 ecr 2450420058], length 0
+   23  13:45:56.358934 IP (tos 0xc0, ttl 1, id 52957, offset 0, flags [DF], proto TCP (6), length 159)
+    172.18.0.3.179 > 172.18.0.4.32836: Flags [P.], cksum 0x58bd (incorrect -> 0x2481), seq 1:108, ack 1, win 510, options [nop,nop,TS val 2450420060 ecr 3983705651], length 107: BGP
+       Open Message (1), length: 107
+         Version 4, my AS 3, Holdtime 180s, ID 172.18.0.3
+         Optional parameters, length: 78
+           Option Capabilities Advertisement (2), length: 6
+             Multiprotocol Extensions (1), length: 4
+               AFI IPv4 (1), SAFI Unicast (1)
+           Option Capabilities Advertisement (2), length: 2
+             Route Refresh (Cisco) (128), length: 0
+           Option Capabilities Advertisement (2), length: 2
+             Route Refresh (2), length: 0
+           Option Capabilities Advertisement (2), length: 2
+             Enhanced Route Refresh (70), length: 0
+           Option Capabilities Advertisement (2), length: 6
+             32-Bit AS Number (65), length: 4
+                4 Byte AS 3
+           Option Capabilities Advertisement (2), length: 2
+             BGP Extended Message (6), length: 0
+           Option Capabilities Advertisement (2), length: 6
+             Multiple Paths (69), length: 4
+               AFI IPv4 (1), SAFI Unicast (1), Send/Receive: Receive
+           Option Capabilities Advertisement (2), length: 9
+             Unknown (73), length: 7
+               no decoder for Capability 73
+               0x0000:  0562 6770 6432 00
+           Option Capabilities Advertisement (2), length: 5
+             BGPsec (7), length: 3
+               Version 0, Direction Send (1), AFI IPv4 (1)
+           Option Capabilities Advertisement (2), length: 5
+             BGPsec (7), length: 3
+               Version 0, Direction Receive (0), AFI IPv4 (1)
+           Option Capabilities Advertisement (2), length: 5
+             BGPsec (7), length: 3
+               Version 0, Direction Send (1), AFI IPv6 (2)
+           Option Capabilities Advertisement (2), length: 4
+             Graceful Restart (64), length: 2
+               Restart Flags: [R], Restart Time 120s
+   24  13:45:56.359049 IP (tos 0xc0, ttl 1, id 59934, offset 0, flags [DF], proto TCP (6), length 52)
+    172.18.0.4.32836 > 172.18.0.3.179: Flags [.], cksum 0x5852 (incorrect -> 0x1028), ack 108, win 502, options [nop,nop,TS val 3983705653 ecr 2450420060], length 0
+   25  13:45:56.359710 IP (tos 0xc0, ttl 1, id 59935, offset 0, flags [DF], proto TCP (6), length 159)
+    172.18.0.4.32836 > 172.18.0.3.179: Flags [P.], cksum 0x58bd (incorrect -> 0x2219), seq 1:108, ack 108, win 502, options [nop,nop,TS val 3983705654 ecr 2450420060], length 107: BGP
+       Open Message (1), length: 107
+         Version 4, my AS 4, Holdtime 180s, ID 172.18.0.4
+         Optional parameters, length: 78
+           Option Capabilities Advertisement (2), length: 6
+             Multiprotocol Extensions (1), length: 4
+               AFI IPv4 (1), SAFI Unicast (1)
+           Option Capabilities Advertisement (2), length: 2
+             Route Refresh (Cisco) (128), length: 0
+           Option Capabilities Advertisement (2), length: 2
+             Route Refresh (2), length: 0
+           Option Capabilities Advertisement (2), length: 2
+             Enhanced Route Refresh (70), length: 0
+           Option Capabilities Advertisement (2), length: 6
+             32-Bit AS Number (65), length: 4
+                4 Byte AS 4
+           Option Capabilities Advertisement (2), length: 2
+             BGP Extended Message (6), length: 0
+           Option Capabilities Advertisement (2), length: 6
+             Multiple Paths (69), length: 4
+               AFI IPv4 (1), SAFI Unicast (1), Send/Receive: Receive
+           Option Capabilities Advertisement (2), length: 9
+             Unknown (73), length: 7
+               no decoder for Capability 73
+               0x0000:  0562 6770 6433 00
+           Option Capabilities Advertisement (2), length: 5
+             BGPsec (7), length: 3
+               Version 0, Direction Send (1), AFI IPv4 (1)
+           Option Capabilities Advertisement (2), length: 5
+             BGPsec (7), length: 3
+               Version 0, Direction Receive (0), AFI IPv4 (1)
+           Option Capabilities Advertisement (2), length: 5
+             BGPsec (7), length: 3
+               Version 0, Direction Send (1), AFI IPv6 (2)
+           Option Capabilities Advertisement (2), length: 4
+             Graceful Restart (64), length: 2
+               Restart Flags: [R], Restart Time 120s
+   26  13:45:56.359726 IP (tos 0xc0, ttl 1, id 52958, offset 0, flags [DF], proto TCP (6), length 52)
+    172.18.0.3.179 > 172.18.0.4.32836: Flags [.], cksum 0x5852 (incorrect -> 0x0fb3), ack 108, win 510, options [nop,nop,TS val 2450420061 ecr 3983705654], length 0
+   27  13:45:56.359883 IP (tos 0xc0, ttl 1, id 52959, offset 0, flags [DF], proto TCP (6), length 71)
+    172.18.0.3.179 > 172.18.0.4.32836: Flags [P.], cksum 0x5865 (incorrect -> 0x0b85), seq 108:127, ack 108, win 510, options [nop,nop,TS val 2450420061 ecr 3983705654], length 19: BGP
+       Keepalive Message (4), length: 19
+   28  13:45:56.359886 IP (tos 0xc0, ttl 1, id 59936, offset 0, flags [DF], proto TCP (6), length 71)
+    172.18.0.4.32836 > 172.18.0.3.179: Flags [P.], cksum 0x5865 (incorrect -> 0x0b8d), seq 108:127, ack 108, win 502, options [nop,nop,TS val 3983705654 ecr 2450420061], length 19: BGP
+       Keepalive Message (4), length: 19
+   29  13:45:56.359901 IP (tos 0xc0, ttl 1, id 52960, offset 0, flags [DF], proto TCP (6), length 52)
+    172.18.0.3.179 > 172.18.0.4.32836: Flags [.], cksum 0x5852 (incorrect -> 0x0f8d), ack 127, win 510, options [nop,nop,TS val 2450420061 ecr 3983705654], length 0
+   30  13:45:56.359926 IP (tos 0xc0, ttl 1, id 59937, offset 0, flags [DF], proto TCP (6), length 52)
+    172.18.0.4.32836 > 172.18.0.3.179: Flags [.], cksum 0x5852 (incorrect -> 0x0f95), ack 127, win 502, options [nop,nop,TS val 3983705654 ecr 2450420061], length 0
+   31  13:45:56.360322 IP (tos 0xc0, ttl 1, id 6237, offset 0, flags [DF], proto TCP (6), length 60)
+    172.18.0.4.38322 > 172.18.0.5.179: Flags [S], cksum 0x585c (incorrect -> 0xc38f), seq 2729165046, win 64240, options [mss 1460,sackOK,TS val 1672860564 ecr 0,nop,wscale 7], length 0
+   32  13:45:56.360364 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
+    172.18.0.5.179 > 172.18.0.4.38322: Flags [R.], cksum 0x5d9a (correct), seq 0, ack 2729165047, win 0, length 0
+   33  13:45:57.460725 IP (tos 0xc0, ttl 1, id 59938, offset 0, flags [DF], proto TCP (6), length 75)
+    172.18.0.4.32836 > 172.18.0.3.179: Flags [P.], cksum 0x5869 (incorrect -> 0x0912), seq 127:150, ack 127, win 502, options [nop,nop,TS val 3983706755 ecr 2450420061], length 23: BGP
+       Update Message (2), length: 23
+         End-of-Rib Marker (empty NLRI)
+   34  13:45:57.460843 IP (tos 0xc0, ttl 1, id 52961, offset 0, flags [DF], proto TCP (6), length 52)
+    172.18.0.3.179 > 172.18.0.4.32836: Flags [.], cksum 0x5852 (incorrect -> 0x06dc), ack 150, win 510, options [nop,nop,TS val 2450421162 ecr 3983706755], length 0
+   35  13:45:57.523627 IP (tos 0xc0, ttl 1, id 52962, offset 0, flags [DF], proto TCP (6), length 2582)
+    172.18.0.3.179 > 172.18.0.4.32836: Flags [P.], cksum 0x6234 (incorrect -> 0xda51), seq 127:2657, ack 150, win 510, options [nop,nop,TS val 2450421225 ecr 3983706755], length 2530: BGP
+       Update Message (2), length: 250
+         Multi-Protocol Reach NLRI (14), length: 13, Flags [OE]: 
+           AFI: IPv4 (1), SAFI: Unicast (1)
+           nexthop: 172.18.0.2, nh-length: 4, no SNPA
+             1.0.1.0/24
+         Origin (1), length: 1, Flags [T]: IGP
+         BGPsec Path (33), length: 202, Flags [OE]: 
+           Secure Path Length: 14
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 3
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 2
+           Signature Block: Length: 188, Algo ID: 1
+             Signature Segment:
+               SKI: 
+                 0x0000:  0ca0 6bdf c294 88fa 1a7f 4a47 93f3 a940
+                 0x0010:  10a8 0f97
+               Length: 71
+               Signature:
+                 0x0000:  3045 0221 00d5 9ec6 6346 2826 f329 b960
+                 0x0010:  c898 c635 a89d 4fa1 5219 d000 32df ee1a
+                 0x0020:  5da1 49a0 e202 204a 8331 61a0 8a04 4a1b
+                 0x0030:  10cc 85b4 883c a7ff 9c73 43c0 5fc9 2633
+                 0x0040:  97b9 830d d2ca 75
+             Signature Segment:
+               SKI: 
+                 0x0000:  0a15 fa1c b92f 4d34 95fe f0ca 9180 c0a9
+                 0x0010:  3c4a 254f
+               Length: 70
+               Signature:
+                 0x0000:  3044 0220 7e5f 7511 2da3 41b1 2fe0 9789
+                 0x0010:  2cc9 2c5a 2396 5445 955e 3e11 ac65 b660
+                 0x0020:  6441 3630 0220 2103 bd0f 5793 7b63 b6f2
+                 0x0030:  613f 1f6a 13e6 e65f 8484 b6b8 84c1 479e
+                 0x0040:  878c f668 71a4
+       Update Message (2), length: 252
+         Multi-Protocol Reach NLRI (14), length: 13, Flags [OE]: 
+           AFI: IPv4 (1), SAFI: Unicast (1)
+           nexthop: 172.18.0.2, nh-length: 4, no SNPA
+             1.0.10.0/24
+         Origin (1), length: 1, Flags [T]: IGP
+         BGPsec Path (33), length: 204, Flags [OE]: 
+           Secure Path Length: 14
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 3
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 2
+           Signature Block: Length: 190, Algo ID: 1
+             Signature Segment:
+               SKI: 
+                 0x0000:  0ca0 6bdf c294 88fa 1a7f 4a47 93f3 a940
+                 0x0010:  10a8 0f97
+               Length: 71
+               Signature:
+                 0x0000:  3045 0220 6397 a10f 4e63 04df 9f54 e32d
+                 0x0010:  801c fa8c 024a 319a 76cd 10b6 4a41 03b2
+                 0x0020:  47b2 8835 0221 00e2 2ed8 3acb d650 fc0c
+                 0x0030:  5057 2aac 8c8b 909c f5d9 fe51 d921 c539
+                 0x0040:  083d da53 ffff 63
+             Signature Segment:
+               SKI: 
+                 0x0000:  0a15 fa1c b92f 4d34 95fe f0ca 9180 c0a9
+                 0x0010:  3c4a 254f
+               Length: 72
+               Signature:
+                 0x0000:  3046 0221 00aa d2ca 6cf3 8568 3bc1 ddb9
+                 0x0010:  5ecf 53a2 e1dc bb76 f80b 8cc9 d3d5 f23d
+                 0x0020:  e973 303c f302 2100 bff5 8cb3 a1d4 458d
+                 0x0030:  aa1b b6b8 faaa ad11 0d27 54a9 c2cb 1b77
+                 0x0040:  c88f ac3c 3ef0 2676
+       Update Message (2), length: 249
+         Multi-Protocol Reach NLRI (14), length: 13, Flags [OE]: 
+           AFI: IPv4 (1), SAFI: Unicast (1)
+           nexthop: 172.18.0.2, nh-length: 4, no SNPA
+             1.0.9.0/24
+         Origin (1), length: 1, Flags [T]: IGP
+         BGPsec Path (33), length: 201, Flags [OE]: 
+           Secure Path Length: 14
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 3
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 2
+           Signature Block: Length: 187, Algo ID: 1
+             Signature Segment:
+               SKI: 
+                 0x0000:  0ca0 6bdf c294 88fa 1a7f 4a47 93f3 a940
+                 0x0010:  10a8 0f97
+               Length: 70
+               Signature:
+                 0x0000:  3044 0220 7a44 089c 6460 dfbf b5a8 d951
+                 0x0010:  088d 7c39 0f67 f78c e457 182e c5e1 5a1f
+                 0x0020:  95f5 7a35 0220 47d3 7d2c c110 f829 c6a2
+                 0x0030:  16dc 369e e371 fe23 9536 f122 eb5c a4ad
+                 0x0040:  3d68 7fb0 44cb
+             Signature Segment:
+               SKI: 
+                 0x0000:  0a15 fa1c b92f 4d34 95fe f0ca 9180 c0a9
+                 0x0010:  3c4a 254f
+               Length: 70
+               Signature:
+                 0x0000:  3044 0220 0a09 31f7 9172 940a d1df 7dd5
+                 0x0010:  5fde dc2b 0dc0 6a46 bb0f a22b 8021 f735
+                 0x0020:  98bb fd46 0220 35c7 bb54 ca67 07df 45bc
+                 0x0030:  51da dd9d 8f4c 66c7 f09b a72f 5ead 7393
+                 0x0040:  6807 96dc 01c5
+       Update Message (2), length: 253
+         Multi-Protocol Reach NLRI (14), length: 13, Flags [OE]: 
+           AFI: IPv4 (1), SAFI: Unicast (1)
+           nexthop: 172.18.0.2, nh-length: 4, no SNPA
+             1.0.8.0/24
+         Origin (1), length: 1, Flags [T]: IGP
+         BGPsec Path (33), length: 205, Flags [OE]: 
+           Secure Path Length: 14
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 3
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 2
+           Signature Block: Length: 191, Algo ID: 1
+             Signature Segment:
+               SKI: 
+                 0x0000:  0ca0 6bdf c294 88fa 1a7f 4a47 93f3 a940
+                 0x0010:  10a8 0f97
+               Length: 72
+               Signature:
+                 0x0000:  3046 0221 0085 4894 249d 57a5 53c5 b00f
+                 0x0010:  2059 df1c b425 db15 fbe5 7f07 9904 5e1b
+                 0x0020:  be06 9f0a cc02 2100 c6cc 1be0 c5a8 07fb
+                 0x0030:  18f3 c3c4 8cfc 02e3 e35e ff23 ceda aa0e
+                 0x0040:  e667 a2c9 e4e6 689e
+             Signature Segment:
+               SKI: 
+                 0x0000:  0a15 fa1c b92f 4d34 95fe f0ca 9180 c0a9
+                 0x0010:  3c4a 254f
+               Length: 72
+               Signature:
+                 0x0000:  3046 0221 0091 cce5 3628 025f 5a44 8465
+                 0x0010:  0351 d3d7 5bbe ad98 5040 49cc a0d5 373c
+                 0x0020:  7f79 3ed6 1802 2100 fe77 53d6 df6d 1d03
+                 0x0030:  e096 4a05 3bbf 1765 845d f777 0cb9 ab99
+                 0x0040:  d3c4 186c 3cea 8b0b
+       Update Message (2), length: 251
+         Multi-Protocol Reach NLRI (14), length: 13, Flags [OE]: 
+           AFI: IPv4 (1), SAFI: Unicast (1)
+           nexthop: 172.18.0.2, nh-length: 4, no SNPA
+             1.0.7.0/24
+         Origin (1), length: 1, Flags [T]: IGP
+         BGPsec Path (33), length: 203, Flags [OE]: 
+           Secure Path Length: 14
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 3
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 2
+           Signature Block: Length: 189, Algo ID: 1
+             Signature Segment:
+               SKI: 
+                 0x0000:  0ca0 6bdf c294 88fa 1a7f 4a47 93f3 a940
+                 0x0010:  10a8 0f97
+               Length: 71
+               Signature:
+                 0x0000:  3045 0220 75de f062 9ba6 9a02 75d8 78c0
+                 0x0010:  d5d7 4b04 0929 e81b 477f 6260 909c fbc7
+                 0x0020:  906c d1c8 0221 0083 9ce1 00ca 7546 ef95
+                 0x0030:  2667 2525 7457 aa25 0bb6 5eee 1eb5 2374
+                 0x0040:  b7bd bc79 f8d6 19
+             Signature Segment:
+               SKI: 
+                 0x0000:  0a15 fa1c b92f 4d34 95fe f0ca 9180 c0a9
+                 0x0010:  3c4a 254f
+               Length: 71
+               Signature:
+                 0x0000:  3045 0220 05e2 5f3f 9544 f375 6217 eaf8
+                 0x0010:  528e 65ad 24c9 74da 9f92 18fb b6c8 5720
+                 0x0020:  6dbb da29 0221 00c4 84e5 1c46 c18d c3ee
+                 0x0030:  b5fd 629f c6b9 7ba5 e18e abdf 64b9 8e46
+                 0x0040:  cd69 5b53 eac0 c3
+       Update Message (2), length: 250
+         Multi-Protocol Reach NLRI (14), length: 13, Flags [OE]: 
+           AFI: IPv4 (1), SAFI: Unicast (1)
+           nexthop: 172.18.0.2, nh-length: 4, no SNPA
+             1.0.6.0/24
+         Origin (1), length: 1, Flags [T]: IGP
+         BGPsec Path (33), length: 202, Flags [OE]: 
+           Secure Path Length: 14
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 3
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 2
+           Signature Block: Length: 188, Algo ID: 1
+             Signature Segment:
+               SKI: 
+                 0x0000:  0ca0 6bdf c294 88fa 1a7f 4a47 93f3 a940
+                 0x0010:  10a8 0f97
+               Length: 71
+               Signature:
+                 0x0000:  3045 0220 594c bc47 1182 94ab e269 ddd6
+                 0x0010:  b751 3a4b 1077 441b e5c9 3357 4194 7e01
+                 0x0020:  edb3 a121 0221 00f3 be50 cd41 db62 5a24
+                 0x0030:  b317 6ba4 1d4d 4f34 befa a0e5 3515 41f8
+                 0x0040:  0b5b 9032 4860 a6
+             Signature Segment:
+               SKI: 
+                 0x0000:  0a15 fa1c b92f 4d34 95fe f0ca 9180 c0a9
+                 0x0010:  3c4a 254f
+               Length: 70
+               Signature:
+                 0x0000:  3044 0220 7f1a edbc e643 4869 ec9c 60ac
+                 0x0010:  7d9e cb04 d4cf 1d68 4a03 aa19 f7c2 ed8a
+                 0x0020:  9d3d c37b 0220 53e8 87be b9e9 1c3a 2785
+                 0x0030:  d856 022f 482f 63c6 06c9 957b a688 b0ee
+                 0x0040:  6b88 30bc ad46
+       Update Message (2), length: 250
+         Multi-Protocol Reach NLRI (14), length: 13, Flags [OE]: 
+           AFI: IPv4 (1), SAFI: Unicast (1)
+           nexthop: 172.18.0.2, nh-length: 4, no SNPA
+             1.0.5.0/24
+         Origin (1), length: 1, Flags [T]: IGP
+         BGPsec Path (33), length: 202, Flags [OE]: 
+           Secure Path Length: 14
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 3
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 2
+           Signature Block: Length: 188, Algo ID: 1
+             Signature Segment:
+               SKI: 
+                 0x0000:  0ca0 6bdf c294 88fa 1a7f 4a47 93f3 a940
+                 0x0010:  10a8 0f97
+               Length: 71
+               Signature:
+                 0x0000:  3045 0221 00a6 82a5 78ea 9069 7156 5c1b
+                 0x0010:  fb82 8250 5861 c13c ba7b c9a5 6c20 8f58
+                 0x0020:  12e9 02d7 ae02 2066 87a8 78ee 0041 009d
+                 0x0030:  5480 ce6d 0f57 2bae 4198 7aee 7156 f555
+                 0x0040:  03b2 5bb2 110b 5c
+             Signature Segment:
+               SKI: 
+                 0x0000:  0a15 fa1c b92f 4d34 95fe f0ca 9180 c0a9
+                 0x0010:  3c4a 254f
+               Length: 70
+               Signature:
+                 0x0000:  3044 0220 65b5 609f c88b 232e c992 3daa
+                 0x0010:  8d19 9e22 43e7 e83d 378a 88c3 6636 01a5
+                 0x0020:  183a 469d 0220 6bab 77fb 4d8b 8ef8 c3cf
+                 0x0030:  a206 82de 9da8 e0a1 77eb cabc 0e3d 8c49
+                 0x0040:  260e 9bc2 cf9d
+       Update Message (2), length: 250
+         Multi-Protocol Reach NLRI (14), length: 13, Flags [OE]: 
+           AFI: IPv4 (1), SAFI: Unicast (1)
+           nexthop: 172.18.0.2, nh-length: 4, no SNPA
+             1.0.4.0/24
+         Origin (1), length: 1, Flags [T]: IGP
+         BGPsec Path (33), length: 202, Flags [OE]: 
+           Secure Path Length: 14
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 3
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 2
+           Signature Block: Length: 188, Algo ID: 1
+             Signature Segment:
+               SKI: 
+                 0x0000:  0ca0 6bdf c294 88fa 1a7f 4a47 93f3 a940
+                 0x0010:  10a8 0f97
+               Length: 71
+               Signature:
+                 0x0000:  3045 0220 053f d166 2455 ff75 71fe 7fa9
+                 0x0010:  a7a7 04d9 0d7b 663f 41c2 8d8c c4f3 1819
+                 0x0020:  7d49 d6bd 0221 00dc 88fb 3f3c cd81 ac69
+                 0x0030:  52e2 e4fb d14f f589 8207 471f 7e37 f870
+                 0x0040:  bb29 6d09 2f86 19
+             Signature Segment:
+               SKI: 
+                 0x0000:  0a15 fa1c b92f 4d34 95fe f0ca 9180 c0a9
+                 0x0010:  3c4a 254f
+               Length: 70
+               Signature:
+                 0x0000:  3044 0220 7415 c8b7 7912 8968 caa9 4dfd
+                 0x0010:  db4b feb1 286d e68d bc88 3930 9506 a1b8
+                 0x0020:  9e16 0919 0220 61fa 3f1e dbd1 2594 5243
+                 0x0030:  2a8c c95c 84ee 29f8 c207 b646 977c 10b3
+                 0x0040:  1d9c 3fb5 1f3f
+       Update Message (2), length: 251
+         Multi-Protocol Reach NLRI (14), length: 13, Flags [OE]: 
+           AFI: IPv4 (1), SAFI: Unicast (1)
+           nexthop: 172.18.0.2, nh-length: 4, no SNPA
+             1.0.3.0/24
+         Origin (1), length: 1, Flags [T]: IGP
+         BGPsec Path (33), length: 203, Flags [OE]: 
+           Secure Path Length: 14
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 3
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 2
+           Signature Block: Length: 189, Algo ID: 1
+             Signature Segment:
+               SKI: 
+                 0x0000:  0ca0 6bdf c294 88fa 1a7f 4a47 93f3 a940
+                 0x0010:  10a8 0f97
+               Length: 71
+               Signature:
+                 0x0000:  3045 0221 0083 b2b1 b64c 8370 e11b 5d41
+                 0x0010:  5234 7e42 6c40 ac59 314e dbd7 50df a43c
+                 0x0020:  4af5 ce7c e702 202b 7a87 d510 a632 580c
+                 0x0030:  fc80 c4e4 d318 a09f 226e 72a9 8c8e aade
+                 0x0040:  6593 2659 5894 6b
+             Signature Segment:
+               SKI: 
+                 0x0000:  0a15 fa1c b92f 4d34 95fe f0ca 9180 c0a9
+                 0x0010:  3c4a 254f
+               Length: 71
+               Signature:
+                 0x0000:  3045 0220 1073 0d4c 8363 cae0 41f7 45e3
+                 0x0010:  f5d0 8893 413f c095 e3f7 95eb 0aa3 4da5
+                 0x0020:  a400 9c4d 0221 00b4 8e44 c4fb e5bb 77a2
+                 0x0030:  e8b8 808d cd4f 3db9 94be e72c f929 5628
+                 0x0040:  bc74 e99c 55af 64
+       Update Message (2), length: 251
+         Multi-Protocol Reach NLRI (14), length: 13, Flags [OE]: 
+           AFI: IPv4 (1), SAFI: Unicast (1)
+           nexthop: 172.18.0.2, nh-length: 4, no SNPA
+             1.0.2.0/24
+         Origin (1), length: 1, Flags [T]: IGP
+         BGPsec Path (33), length: 203, Flags [OE]: 
+           Secure Path Length: 14
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 3
+             Secure Path Segment: pCount: 1, Flags: [none] (0x00), AS: 2
+           Signature Block: Length: 189, Algo ID: 1
+             Signature Segment:
+               SKI: 
+                 0x0000:  0ca0 6bdf c294 88fa 1a7f 4a47 93f3 a940
+                 0x0010:  10a8 0f97
+               Length: 71
+               Signature:
+                 0x0000:  3045 0221 0087 24ba eae1 09bc a23a c0f1
+                 0x0010:  794c e301 3bab 329b 7c23 5e0a a0fd a4ca
+                 0x0020:  0afe 736c ef02 203b 42ff c318 7568 16bb
+                 0x0030:  3e88 0796 7379 db4f a83c fd56 1821 28d2
+                 0x0040:  b78a 6ec7 145e 75
+             Signature Segment:
+               SKI: 
+                 0x0000:  0a15 fa1c b92f 4d34 95fe f0ca 9180 c0a9
+                 0x0010:  3c4a 254f
+               Length: 71
+               Signature:
+                 0x0000:  3045 0220 7d87 e54d f871 4400 768a 3db7
+                 0x0010:  acfa 55ae be23 e200 3cdf 21b6 1424 0d1e
+                 0x0020:  8831 49e3 0221 00e2 d828 edb0 0277 dc25
+                 0x0030:  f4c5 aa4e 2906 74e3 aa13 6c30 f78b d415
+                 0x0040:  0e55 35ef 3fc8 70
+       Update Message (2), length: 23
+         End-of-Rib Marker (empty NLRI)
+   36  13:45:57.523797 IP (tos 0xc0, ttl 1, id 59939, offset 0, flags [DF], proto TCP (6), length 52)
+    172.18.0.4.32836 > 172.18.0.3.179: Flags [.], cksum 0x5852 (incorrect -> 0xfc87), ack 2657, win 498, options [nop,nop,TS val 3983706818 ecr 2450421225], length 0

diff --git a/tests/bgp-bgpsec.pcap b/tests/bgp-bgpsec.pcap
new file mode 100644 (file)
index 0000000..b2ae6a9
Binary files /dev/null and b/tests/bgp-bgpsec.pcap differ