[do not review yet] Add ability to disallow transit traffic

acceptance/common/scion.py

@@ -68,6 +68,19 @@ def update_json(change_dict: Dict[str, Any], files: LocalPath):
         with open(file, "w") as f:
             json.dump(t, f, indent=2)
 
+def write_file(contents: str, files: LocalPath):
+    """ Writes text into file(s).
+
+    Args:
+        contents: text to write into the file(s).
+        files: names of file or files to update.
+
+    Raises:
+        IOError / FileNotFoundError: File path is not valid
+    """
+    for file in files:
+        with open(file, "w") as f:
+            f.write(contents)
 
 def load_from_json(key: str, files: LocalPath) -> Any:
     """ Reads the value associated with the given key from the given json files.

acceptance/transit_traffic/BUILD.bazel

@@ -0,0 +1,33 @@
+load("//acceptance/common:topogen.bzl", "topogen_test")
+
+py_library(
+    name = "transit_traffic_base",
+    srcs = ["transit_traffic_base.py"],
+)
+
+topogen_test(
+    name = "test_isd_1",
+    src = "test_isd_1.py",
+    topo = "//topology:testdata/big.topo",
+    deps = [
+        ":transit_traffic_base",
+    ],
+)
+
+topogen_test(
+    name = "test_isd_3",
+    src = "test_isd_3.py",
+    topo = "//topology:testdata/big.topo",
+    deps = [
+        ":transit_traffic_base",
+    ],
+)
+
+topogen_test(
+    name = "test_incomplete_config",
+    src = "test_incomplete_config.py",
+    topo = "//topology:testdata/big.topo",
+    deps = [
+        ":transit_traffic_base",
+    ],
+)

acceptance/transit_traffic/test_incomplete_config.py

@@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+
+# Copyright 2026 SCION Association
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from acceptance.transit_traffic import transit_traffic_base
+
+class Test(transit_traffic_base.Test):
+    """
+    This test disallows transit traffic at only one of two core ASes in an ISD.
+    It demonstrates that an incomplete configuration (only AS 120 blocks transit,
+    while AS 110 does not) creates partial isolation: ISDs that both connect
+    through the blocking AS lose connectivity to each other, but can still reach
+    ISDs reachable through the non-blocking core AS.
+
+    The graph picture can be found here: topology/testdata/big.topo.png
+
+    Transit traffic is blocked only at AS 120.
+    """
+
+    def setup_prepare(self):
+        super().setup_prepare("1", ["120"])
+
+    def _run(self):
+        # Since only AS 120 is blocking transit traffic, there's no propagation
+        # from ISDs 2 and 6 towards ISDs 3, 4 and 5. However, beacons from
+        # ISDs 3, 4 and 5 are not blocked by AS 120 since they are propagating
+        # to AS 110, which does not count as transit traffic. So there're
+        # no paths only in one direction.
+        self._assert_no_path("310", "210")
+        self._assert_path("210", "310")
+        self._assert_no_path("411", "211")
+        self._assert_path("211", "411")
+        self._assert_no_path("510", "210")
+        self._assert_path("210", "510")
+
+        # ISDs 3 and 4 cannot reach ISD 5: the only path goes through 120.
+        self._assert_no_path_in_both_directions("310", "510")
+        self._assert_no_path_in_both_directions("410", "510")
+        self._assert_no_path_in_both_directions("311", "510")
+        self._assert_no_path_in_both_directions("411", "510")
+
+        # Traffic originating or ending in AS 120 is allowed.
+        self._assert_bidirectional_path("120", "310")
+        self._assert_bidirectional_path("120", "510")
+        self._assert_bidirectional_path("120", "110")
+
+        # Traffic outside of ISD 1 is not affected.
+        self._assert_bidirectional_path("310", "410")
+        self._assert_bidirectional_path("311", "411")
+        self._assert_bidirectional_path("610", "210")
+        self._assert_bidirectional_path("410", "411")
+        self._assert_bidirectional_path("310", "311")
+        self._assert_bidirectional_path("110", "111")
+        self._assert_bidirectional_path("122", "123")
+        self._assert_bidirectional_path("610", "611")
+        self._assert_bidirectional_path("620", "621")
+
+if __name__ == "__main__":
+    transit_traffic_base.main(Test)

acceptance/transit_traffic/test_isd_1.py

@@ -0,0 +1,72 @@
+#!/usr/bin/env python3
+
+# Copyright 2026 SCION Association
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from acceptance.transit_traffic import transit_traffic_base
+
+class Test(transit_traffic_base.Test):
+    """
+    This test disallows transit traffic at all core ASes in ISD 1,
+    the central hub ISD. It differs from ISD 3 test since there are
+    no peering links between ISDs 1,2,4,5 and ISDs 2,6.
+
+    The graph picture can be found here: topology/testdata/big.topo.png
+
+    With transit blocked at both 110 and 120, ISD 1 becomes a wall:
+    each neighboring ISD can reach ISD 1 via 2-ISD origination beacons,
+    but no beacon transits through ISD 1 to connect two other ISDs.
+    Only ISDs with direct core links bypass ISD 1:
+    ISD 3 <-> ISD 4 (310-410) and ISD 2 <-> ISD 6 (210-610).
+    """
+
+    def setup_prepare(self):
+        super().setup_prepare("1", ["110", "120"])
+
+    def _run(self):
+        # Traffic originating or ending in ISD 1 is allowed.
+        self._assert_bidirectional_path("210", "110")
+        self._assert_bidirectional_path("310", "120")
+        self._assert_bidirectional_path("410", "110")
+        self._assert_bidirectional_path("510", "120")
+        self._assert_bidirectional_path("610", "110")
+        self._assert_bidirectional_path("211", "111")
+        self._assert_bidirectional_path("311", "121")
+        self._assert_bidirectional_path("611", "111")
+        self._assert_bidirectional_path("110", "111")
+        self._assert_bidirectional_path("120", "122")
+
+        # Traffic outside of ISD 1 is not affected.
+        self._assert_bidirectional_path("310", "410")
+        self._assert_bidirectional_path("311", "411")
+        self._assert_bidirectional_path("210", "610")
+        self._assert_bidirectional_path("211", "611")
+        self._assert_bidirectional_path("310", "311")
+        self._assert_bidirectional_path("410", "411")
+        self._assert_bidirectional_path("610", "611")
+        self._assert_bidirectional_path("620", "621")
+
+        # Transit traffic via ISD 1 is not allowed.
+        self._assert_no_path_in_both_directions("210", "310")
+        self._assert_no_path_in_both_directions("210", "510")
+        self._assert_no_path_in_both_directions("310", "510")
+        self._assert_no_path_in_both_directions("310", "610")
+        self._assert_no_path_in_both_directions("410", "510")
+        self._assert_no_path_in_both_directions("410", "610")
+        self._assert_no_path_in_both_directions("510", "610")
+        self._assert_no_path_in_both_directions("211", "311")
+        self._assert_no_path_in_both_directions("411", "611")
+
+if __name__ == "__main__":
+    transit_traffic_base.main(Test)

acceptance/transit_traffic/test_isd_3.py

@@ -0,0 +1,76 @@
+#!/usr/bin/env python3
+
+# Copyright 2026 SCION Association
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from acceptance.transit_traffic import transit_traffic_base
+
+class Test(transit_traffic_base.Test):
+    """
+    This test disallows transit traffic in all ASes of ISD 3 and checks the
+    resulting paths. It differs from ISD 1 test since there are
+    peering links between ISD 4 and ISD 1.
+
+    The graph picture can be found here: topology/testdata/big.topo.png
+
+    Transit traffic is blocked at all ASes in ISD 3 (310 and 311).
+    """
+
+    def setup_prepare(self):
+        super().setup_prepare("3", ["310", "311"])
+
+    def _run(self):
+        # Traffic originating or ending in ISD 3 is allowed.
+        self._assert_bidirectional_path("310", "410")
+        self._assert_bidirectional_path("311", "410")
+        self._assert_bidirectional_path("310", "411")
+        self._assert_bidirectional_path("311", "411")
+        self._assert_bidirectional_path("310", "210")
+        self._assert_bidirectional_path("311", "123")
+        self._assert_bidirectional_path("310", "510")
+        self._assert_bidirectional_path("311", "111")
+        self._assert_bidirectional_path("310", "610")
+        self._assert_bidirectional_path("311", "611")
+
+        # Transit traffic via ISD 3 is not allowed,
+        # therefore beacons are not making it through ISD 3.
+        # Because of it, peering links info is not propagated.
+        # While the graph has peering links for all cases below,
+        # there's no path in such config.
+        self._assert_no_path_in_both_directions("410", "210")
+        self._assert_no_path_in_both_directions("411", "211")
+        self._assert_no_path_in_both_directions("411", "510")
+        self._assert_no_path_in_both_directions("410", "123")
+        self._assert_no_path_in_both_directions("411", "123")
+        self._assert_no_path_in_both_directions("410", "111")
+        self._assert_no_path_in_both_directions("410", "610")
+        self._assert_no_path_in_both_directions("411", "611")
+
+        # Traffic outside of ISD 3 is not affected.
+        self._assert_bidirectional_path("123", "510")
+        self._assert_bidirectional_path("123", "211")
+        self._assert_bidirectional_path("122", "111")
+        self._assert_bidirectional_path("120", "210")
+        self._assert_bidirectional_path("510", "211")
+        self._assert_bidirectional_path("111", "211")
+        self._assert_bidirectional_path("410", "411")
+        self._assert_bidirectional_path("610", "210")
+        self._assert_bidirectional_path("610", "110")
+        self._assert_bidirectional_path("610", "510")
+        self._assert_bidirectional_path("611", "211")
+        self._assert_bidirectional_path("610", "611")
+        self._assert_bidirectional_path("620", "621")
+
+if __name__ == "__main__":
+    transit_traffic_base.main(Test)

acceptance/transit_traffic/transit_traffic_base.py

@@ -0,0 +1,98 @@
+#!/usr/bin/env python3
+
+# Copyright 2026 SCION Association
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import time
+
+from acceptance.common import base, scion
+from tools.topology.scion_addr import ISD_AS
+
+class Test(base.TestTopogen):
+    _ases = {
+        "110": "1-ff00:0:110",
+        "111": "1-ff00:0:111",
+        "120": "1-ff00:0:120",
+        "121": "1-ff00:0:121",
+        "122": "1-ff00:0:122",
+        "123": "1-ff00:0:123",
+        "210": "2-ff00:0:210",
+        "211": "2-ff00:0:211",
+        "310": "3-ff00:0:310",
+        "311": "3-ff00:0:311",
+        "410": "4-ff00:0:410",
+        "411": "4-ff00:0:411",
+        "510": "5-ff00:0:510",
+        "610": "6-ff00:0:610",
+        "611": "6-ff00:0:611",
+        "612": "6-ff00:0:612",
+        "620": "6-ff00:0:620",
+        "621": "6-ff00:0:621",
+        "622": "6-ff00:0:622",
+    }
+
+    def setup_prepare(self, no_transit_isd_number, no_transit_as_numbers):
+        super().setup_prepare()
+
+        for as_number in no_transit_as_numbers:
+            as_number_string = "ff00_0_%s" % as_number
+            as_relative_dir_path = "AS%s" % as_number_string
+            as_absolute_dir_path = self.artifacts / "gen" / as_relative_dir_path
+
+            cs_toml_path = (
+                as_absolute_dir_path
+                / ("cs%s-%s-1.toml" % (no_transit_isd_number, as_number_string))
+            )
+            policy_path = as_absolute_dir_path / "policy.yaml"
+
+            scion.update_toml(
+                {"beaconing.policies.propagation": "/etc/scion/policy.yaml"},
+                [cs_toml_path])
+
+            scion.write_file("""Filter:
+                AllowTransitTraffic: False""", [policy_path])
+
+    def setup_start(self):
+        super().setup_start()
+        # since some paths are not available, self.await_connectivity() doesn't work well
+        time.sleep(15)
+
+    def _showpaths(self, source_as: str, destination_as: str):
+        print(self.execute_tester(ISD_AS(self._ases[source_as]),
+                                  "scion", "sp", self._ases[destination_as], "--timeout", "2s"))
+
+    def _assert_path(self, source_as: str, destination_as: str):
+        try:
+             self._showpaths(source_as, destination_as)
+        except Exception as e:
+            raise AssertionError(f"No path found: {source_as} -> {destination_as}") from e
+
+    def _assert_bidirectional_path(self, source_as: str, destination_as: str):
+        self._assert_path(source_as, destination_as)
+        self._assert_path(destination_as, source_as)
+
+    def _assert_no_path(self, source_as: str, destination_as: str):
+         try:
+             self._showpaths(source_as, destination_as)
+         except Exception as e:
+             print(e)
+         else:
+             raise AssertionError(f"Unexpected path: {source_as} -> {destination_as}")
+
+    def _assert_no_path_in_both_directions(self, source_as: str, destination_as: str):
+        self._assert_no_path(source_as, destination_as)
+        self._assert_no_path(destination_as, source_as)
+
+def main(test_class):
+    base.main(test_class)