# ExaFS
ExaFS adds new functionality to routing protocol configuration for the security of backbone network hardware.
The tool extends the network administrator's toolset with an extra layer for creating, validating, and authorizing configuration rules. With this layer, a larger group of network administrators can safely create new
[BGP protocol](https://github.com/Exa-Networks/exabgp) rules to prevent DDoS and other forms of malicious cyber attacks.
ExaFS is open source under the MIT license. The system is regularly used at [CESNET](https://www.cesnet.cz/), the operator of the Czech national e-infrastructure for science, research and education.
ExaFS provides both a user web interface and a REST API.
The key contributions of the system are the **user authorization** mechanism and the **validation system for BGP commands**.
Without ExaFS, system root privileges are required for direct interaction with ExaBGP and the networking hardware. ExaFS provides several user roles and access rights, similar to user roles in other software systems such as SQL. The system allows user rights to be specified for various kinds of subnets, following the network topology.
The validation system for BGP commands ensures that only error-free messages can pass to the system BGP API. Both syntax and access rights are validated before a new rule can be stored in the database.
Thanks to this storage, all rules can be restored quickly after a system reboot or failure. All rules are validated again before they are sent from storage to ExaBGP, to prevent any malicious database manipulation.
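The two checks described above (syntax first, then access rights for the owner's subnets) and the re-validation of rules read back from storage can be sketched as follows. This is an added example, not ExaFS's own code: the `Rule` fields, `validate`, `revalidate_stored`, the protocol set and the policy that one end of the flow must lie inside the owner's networks are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

ALLOWED_PROTOCOLS = {"tcp", "udp", "icmp"}  # assumed subset for this example

@dataclass(frozen=True)
class Rule:
    """Hypothetical stored rule; field names are not ExaFS's schema."""
    source: str
    dest: str
    protocol: str
    dest_port: int
    owner: str

def validate(rule, org_networks):
    """Return a list of problems; empty means the rule may be announced."""
    errors, nets = [], {}
    for field in ("source", "dest"):
        try:
            # strict=True rejects prefixes with host bits set (192.0.2.10/24)
            nets[field] = ipaddress.ip_network(getattr(rule, field), strict=True)
        except ValueError as exc:
            errors.append(f"{field}: {exc}")
    if rule.protocol not in ALLOWED_PROTOCOLS:
        errors.append(f"protocol: {rule.protocol!r} not allowed")
    if not 0 <= rule.dest_port <= 65535:
        errors.append(f"dest_port: {rule.dest_port} out of range")
    if errors:
        return errors  # syntax failed, skip the access check
    # Access rights (assumed policy): one end of the flow is in the owner's networks.
    owned = [ipaddress.ip_network(n) for n in org_networks.get(rule.owner, [])]
    def inside(net):
        return any(net.version == o.version and net.subnet_of(o) for o in owned)
    if not (inside(nets["source"]) or inside(nets["dest"])):
        errors.append("access: neither prefix is within the owner's networks")
    return errors

def revalidate_stored(stored_rules, org_networks):
    """Re-check rules read back from storage; return (announce, rejected)."""
    checked = [(r, validate(r, org_networks)) for r in stored_rules]
    return [r for r, p in checked if not p], [(r, p) for r, p in checked if p]

# Constructed sample data (RFC 5737 documentation prefixes).
ORG_NETWORKS = {"org-a": ["192.0.2.0/24"], "org-b": ["198.51.100.0/24"]}
STORED = [
    Rule("0.0.0.0/0", "192.0.2.10/32", "tcp", 80, "org-a"),     # valid
    Rule("0.0.0.0/0", "198.51.100.7/32", "udp", 53, "org-a"),   # row altered: not org-a's range
    Rule("0.0.0.0/0", "192.0.2.10/24", "tcp", 443, "org-a"),    # malformed prefix
]
```

Running `revalidate_stored(STORED, ORG_NETWORKS)` announces only the first rule; the other two come back with the reason they were refused, which is what makes a tampered database row visible instead of silently re-announced.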
ExaFS is an integral part of cybersecurity tools at CESNET. However, it can be used in any network where ExaBGP is available.
See how ExaFS is integrated into the network in the picture below.

## Project presentations
* 2020 - CZ [DDoS Protector v prostředí propojovacího uzlu NIX.CZ](https://www.cesnet.cz/wp-content/uploads/2020/02/DDP_v_NIX.pdf), [Seminář o bezpečností sítí a služeb 2020](https://www.cesnet.cz/akce/bss20/)
* 2019 - EN [ExaFS: mitigating unwanted traffic](https://xn--ondej-kcb.caletka.cz/dl/slidy/20191113-SIGNOC-ExaFS.pdf), [10th SIG-NOC meeting](https://wiki.geant.org/display/SIGNOC/10th+SIG-NOC+meeting), Prague
* 2019 - CZ [Potlačení nežádoucího provozu pomocí BGP Flowspec](https://indico.csnog.eu/event/6/contributions/64/attachments/35/61/CESNET-FlowSpec-CSNOG.pdf), [CSNOG 2019](https://indico.csnog.eu/event/6/overview)
* 2019 - CZ [Nástroje pro FlowSpec a RTBH](https://konference.cesnet.cz/prezentace2019/sal1/3_Adamec.pdf), [Konference e-infrastruktury CESNET](https://konference.cesnet.cz/) 2019
* 2019 - CZ [Nástroje pro obranu proti útokům na páteřních směrovačích](https://konference.cesnet.cz/prezentace2019/sal1/3_Verich.pdf), [Konference e-infrastruktury CESNET](https://konference.cesnet.cz/) 2019
## System overview

The core component of ExaFS is a web application written in Python using the Flask framework. It provides a user interface for managing ExaBGP rules (CRUD operations) and also exposes a REST API with similar functionality. The web application uses Shibboleth for authentication, while the REST API relies on token-based authentication.
The application generates ExaBGP commands and forwards them to the ExaBGP process. All rules are thoroughly validated—only valid rules are stored in the database and sent to the ExaBGP connector.
The second component of the system is a separate application that replicates received commands to `stdout`. The connection between the ExaBGP daemon and the `stdout` of the ExaAPI (ExaBGP process) is defined in the ExaBGP configuration.
This API was originally part of the same project but has since been moved to its own repository. You can use the [exabgp-process pip package](https://pypi.org/project/exabgp-process/), clone the Git repository, or develop your own implementation.
Each time this process receives a command from ExaFS, it outputs it to `stdout`, allowing the ExaBGP service to process the command and update its routing table—creating, modifying, or removing rules accordingly.
It may also be necessary to monitor ExaBGP and re-announce rules after a restart or shutdown. This can be handled via the ExaBGP service configuration, or by using an example system service called **Guarda**, described in the documentation. In either case, the key mechanism is calling the application endpoint `/rules/announce_all`. This endpoint is only accessible from `localhost`; a local IP address must be configured in the application settings.
## DOCS
### Installation related
* [ExaFS Ansible deploy](https://github.com/CESNET/ExaFS-deploy) - repository with an Ansible playbook for deploying ExaFS with Docker Compose.
* [Install notes](./docs/INSTALL.md)
* [using Docker Image](./docs/DockerImage.md)
* [Database backup configuration](./docs/DB_BACKUP.md)
* [Local database installation notes](./docs/DB_LOCAL.md)
### API
The REST API is documented using Swagger (OpenAPI). After installing and running the application, the API documentation is available locally at the `/apidocs/` endpoint. This interactive documentation provides details about all available endpoints, request and response formats, and supported operations, making it easier to integrate and test the API.
## [Change log](./CHANGELOG.md)
Raw data
{
"_id": null,
"home_page": null,
"name": "exafs",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.9",
"maintainer_email": "Jiri Vrany <jiri.vrany@cesnet.cz>",
"keywords": "bgp, exabgp, flowspec, ddos, network-security, CESNET",
"author": "Jiri Vrany, Petr Adamec, Josef Verich, Jakub Man",
"author_email": null,
"download_url": "https://files.pythonhosted.org/packages/51/55/103488bed23c699f6587a3c79634ecc8da8d9bc811622ceca2a2efbeea77/exafs-1.1.8.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "MIT",
"summary": "Tool for creation, validation, and execution of ExaBGP messages for network security.",
"version": "1.1.8",
"project_urls": {
"Changelog": "https://github.com/CESNET/exafs/blob/master/README.md",
"Documentation": "https://github.com/CESNET/exafs/blob/master/README.md",
"Homepage": "https://github.com/CESNET/exafs",
"Issues": "https://github.com/CESNET/exafs/issues",
"Repository": "https://github.com/CESNET/exafs"
},
"split_keywords": [
"bgp",
" exabgp",
" flowspec",
" ddos",
" network-security",
" cesnet"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "a883828dd2c766f2f54b42d23b99e278453f88ff760a9421c0a5cec8d3f04e46",
"md5": "b4c6f59e8539734205ebf3d169579295",
"sha256": "eea5f0be18afb4bff6b3852b2855b647cf39d6eec3a2ba0fa44604ba8d76f1fb"
},
"downloads": -1,
"filename": "exafs-1.1.8-py3-none-any.whl",
"has_sig": false,
"md5_digest": "b4c6f59e8539734205ebf3d169579295",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.9",
"size": 148335,
"upload_time": "2025-10-20T10:24:11",
"upload_time_iso_8601": "2025-10-20T10:24:11.293998Z",
"url": "https://files.pythonhosted.org/packages/a8/83/828dd2c766f2f54b42d23b99e278453f88ff760a9421c0a5cec8d3f04e46/exafs-1.1.8-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "5155103488bed23c699f6587a3c79634ecc8da8d9bc811622ceca2a2efbeea77",
"md5": "9bb536f16a1c88ca2e6c53140a379ff7",
"sha256": "2edf8e88b180d3f6ee58b8a9e510e7fadcf8f4540baca4bb841454fbed23f83b"
},
"downloads": -1,
"filename": "exafs-1.1.8.tar.gz",
"has_sig": false,
"md5_digest": "9bb536f16a1c88ca2e6c53140a379ff7",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.9",
"size": 107098,
"upload_time": "2025-10-20T10:24:13",
"upload_time_iso_8601": "2025-10-20T10:24:13.816191Z",
"url": "https://files.pythonhosted.org/packages/51/55/103488bed23c699f6587a3c79634ecc8da8d9bc811622ceca2a2efbeea77/exafs-1.1.8.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-10-20 10:24:13",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "CESNET",
"github_project": "exafs",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "exafs"
}