secshellnet
diff --git a/‎tests/README.md‎
Lines changed: 2 additions & 1 deletion b/‎tests/README.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎tests/bird-bgp-tcpao/README.md‎ ‎tests/bgp-bird-tcpao/README.md‎tests/bird-bgp-tcpao/README.md renamed to tests/bgp-bird-tcpao/README.md b/‎tests/bird-bgp-tcpao/README.md‎ ‎tests/bgp-bird-tcpao/README.md‎tests/bird-bgp-tcpao/README.md renamed to tests/bgp-bird-tcpao/README.md
diff --git a/‎tests/bird-bgp-tcpao/default.nix‎ ‎tests/bgp-bird-tcpao/default.nix‎tests/bird-bgp-tcpao/default.nix renamed to tests/bgp-bird-tcpao/default.nix b/‎tests/bird-bgp-tcpao/default.nix‎ ‎tests/bgp-bird-tcpao/default.nix‎tests/bird-bgp-tcpao/default.nix renamed to tests/bgp-bird-tcpao/default.nix
diff --git a/‎tests/bgp-frr-unnumbered/README.md‎
Lines changed: 18 additions & 0 deletions b/‎tests/bgp-frr-unnumbered/README.md‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎tests/bgp-frr-unnumbered/default.nix‎
Lines changed: 72 additions & 0 deletions b/‎tests/bgp-frr-unnumbered/default.nix‎
Lines changed: 72 additions & 0 deletions
@@ -2,12 +2,13 @@
 
 | Test Name                                 | Tested Software Components |
 |-------------------------------------------|----------------------------|
+| bgp-bird-tcpao                            | BIRD3                      | <!-- Add FRR when TCP-AO is supported -->
 | bgp-extended-nexthop                      | FRR, BIRD3                 |
+| bgp-frr-unnumbered                        | FRR                        | <!-- Add BIRD when unnumbered peerings are supported -->
 | bgp-md5                                   | FRR, BIRD3                 |
 | bgp-prefsource                            | FRR, BIRD3                 |
 | bgp-simple                                | FRR, BIRD3                 |
 | bgp-ttl-security                          | FRR, BIRD3                 |
-| bird-bgp-tcpao                            | BIRD3                      | <!-- Add FRR as a if TCP-AO is supported -->
 | dhcpv4                                    | Kea DHCP Server, dhclient  | <!-- Extend by NetworkManager/systemd-networkd clients -->
 | dns-knot                                  | Knot DNS Server            |
 | dns-knot-dnssec                           | Knot DNS Server            |
 
@@ -0,0 +1,18 @@
+# frr-bgp-unnumbered
+
+This configuration extends the [bgp-extended-nexthop](../bgp-extended-nexthop/) test by
+introducing BGP unnumbered support, which removes the need to explicitly specify an IPv6 link-local address.
+
+**Note:**
+BGP unnumbered is not currently standardized by any RFC, so behavior and implementation may vary across
+platforms; additionally, the BIRD routing daemon does not support BGP unnumbered interfaces at this time.
+
+In BGP unnumbered, neighbors use IPv6 link-local addresses that are automatically configured via IPv6
+Router Advertisements based on interface identifiers, eliminating the need to manually specify addresses.
+
+Because sessions rely on dynamic link-local addresses rather than explicit IPs, traditional IP-based security
+measures like access lists may not be effective, exposing the session to risks if the link is compromised.
+
+Unlike some other vendors, FRR currently does not support features like allowas-in for additional session
+filtering, so it is recommended to use extra protections such as TTL-Security and TCP MD5 or, hopefully
+in the future, TCP-AO.
@@ -0,0 +1,72 @@
+{ ... }:
+{
+  name = "frr-bgp-unnumbered";
+
+  defaults = {
+    networking = {
+      useDHCP = false;
+      firewall.allowedTCPPorts = [ 179 ];
+    };
+    services.frr.bgpd.enable = true;
+  };
+
+  nodes = {
+    a = {
+      services.frr.config = ''
+        router bgp 65001
+          no bgp ebgp-requires-policy
+          no bgp default ipv4-unicast
+          bgp router-id 192.0.2.10
+
+          neighbor fabric peer-group
+          neighbor fabric remote-as external
+          neighbor fabric capability extended-nexthop
+          neighbor eth1 interface peer-group fabric
+
+          address-family ipv4 unicast
+            neighbor fabric activate
+          exit-address-family
+
+          address-family ipv6 unicast
+            neighbor fabric activate
+          exit-address-family
+      '';
+    };
+    b = {
+      services.frr.config = ''
+        router bgp 65002
+          no bgp ebgp-requires-policy
+          no bgp default ipv4-unicast
+          bgp router-id 192.0.2.11
+
+          neighbor fabric peer-group
+          neighbor fabric remote-as external
+          neighbor fabric capability extended-nexthop
+          neighbor eth1 interface peer-group fabric
+
+          address-family ipv4 unicast
+            neighbor fabric activate
+          exit-address-family
+
+          address-family ipv6 unicast
+            neighbor fabric activate
+          exit-address-family
+      '';
+    };
+  };
+
+  testScript = ''
+    start_all()
+
+    for m in [a, b]:
+      m.wait_for_unit("network.target")
+      m.wait_for_unit("frr.service")
+
+    a.wait_until_succeeds("vtysh -c 'show bgp ipv4 summary' | grep 'eth1.*0\\s*0\\s*N/A'")
+    b.wait_until_succeeds("vtysh -c 'show bgp ipv4 summary' | grep 'eth1.*0\\s*0\\s*N/A'")
+
+    # IPv6 DAD might need some time to complete for the local link address
+    a.wait_until_succeeds("vtysh -c 'show bgp ipv6 summary' | grep 'eth1.*0\\s*0\\s*N/A'")
+    b.wait_until_succeeds("vtysh -c 'show bgp ipv6 summary' | grep 'eth1.*0\\s*0\\s*N/A'")
+  '';
+}