
Add security validation and RFC compliance fixes#277

Merged
digizeph merged 2 commits into main from dev/sec-improvements
Apr 8, 2026

Conversation

@digizeph (Member) commented Apr 8, 2026

Summary

This PR addresses security vulnerabilities and RFC compliance issues identified in security audits.

Security Fixes

Critical

  • AS_PATH segment count validation: Added bounds check to prevent buffer over-read (CWE-126)
  • BGP message length underflow: Added saturating arithmetic protection (CWE-191)
  • NLRI prefix length validation: Enforce max 32 bits for IPv4, 128 bits for IPv6 (CWE-20)
  • BGP marker encoding: Fixed to comply with RFC 4271 (16 bytes of 0xFF)
  • BGP marker validation: Added validation on parse with warning for invalid markers
  • Attribute length overflow: Added defensive overflow protection

Stability

  • Communities divisibility validation (4/8/12 bytes per RFC)
  • FlowSpec traffic rate NaN/infinity validation
  • FlowSpec DSCP byte offset correction per RFC 5575
  • Replaced assert_eq! with debug_assert_eq! in production code
  • Timestamp truncation fix for values beyond 2106
  • Removed unwrap() in favor of proper error handling
  • Encoding truncation checks with overflow warnings
  • IPv6 rejection for AGGREGATOR and ORIGINATOR_ID (BGP requires IPv4)

RFC Compliance

  • RFC 7606: Error handling with PARTIAL flag validation and treat-as-withdraw semantics
  • RFC 4760: NEXT_HOP/MP_REACH_NLRI interaction with documented heuristics
  • Added AIGP (RFC 7311) and ATTR_SET (RFC 6368) model support

Testing

  • Added 18 new tests covering security vulnerabilities
  • All 612 tests pass
  • 0 clippy warnings

References

Addresses findings from security audits of bgpkit-parser.

Backward Compatibility

All changes maintain backward compatibility. Stricter validation may reject previously-accepted malformed data, which is the intended security improvement.

Security fixes:
- AS_PATH segment count validation to prevent buffer over-read
- BGP message length underflow protection with saturating arithmetic
- NLRI prefix length validation (max 32 for IPv4, 128 for IPv6)
- BGP marker encoding fix per RFC 4271 (16 bytes of 0xFF)
- BGP marker validation on parse with warning for invalid markers
- Attribute length overflow protection

Stability fixes:
- Communities divisibility validation (4/8/12 bytes)
- FlowSpec traffic rate NaN/infinity validation
- FlowSpec DSCP byte offset correction per RFC 5575
- Replace assert_eq! with debug_assert_eq! in production code
- Timestamp truncation fix for values beyond 2106
- Remove unwrap() in favor of proper error handling
- Encoding truncation checks with overflow warnings
- Reject IPv6 for AGGREGATOR and ORIGINATOR_ID attributes

RFC compliance:
- RFC 7606 error handling (PARTIAL flag, treat-as-withdraw)
- RFC 4760 NEXT_HOP/MP_REACH_NLRI interaction
- Document NLRI parsing heuristics

Tests: Add 18 new tests covering security vulnerabilities
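The three critical checks the PR lists for the wire format, NLRI prefix length (CWE-20), AS_PATH segment count (CWE-126) and message length underflow (CWE-191), as an added Rust example that is not bgpkit-parser's own code; the function names and the ParseError type are assumptions.

```rust
// Added example (not bgpkit-parser's code): defensive parsing of BGP fields
// named in the PR, applying each check before any read of the buffer.
use std::net::Ipv4Addr;

#[derive(Debug, PartialEq)]
pub enum ParseError {
    PrefixLenTooLong(u8),
    Truncated { need: usize, have: usize },
}

/// Parse one IPv4 NLRI entry (RFC 4271 4.3): a 1-byte prefix length in bits
/// followed by ceil(len/8) octets. Returns (prefix, bit length, bytes consumed).
pub fn parse_ipv4_nlri(buf: &[u8]) -> Result<(Ipv4Addr, u8, usize), ParseError> {
    let &bit_len = buf.first().ok_or(ParseError::Truncated { need: 1, have: 0 })?;
    // CWE-20: without this, a length above 32 requests up to 32 octets.
    if bit_len > 32 {
        return Err(ParseError::PrefixLenTooLong(bit_len));
    }
    let octets = (bit_len as usize + 7) / 8;
    let body = buf
        .get(1..1 + octets)
        .ok_or(ParseError::Truncated { need: 1 + octets, have: buf.len() })?;
    let mut addr = [0u8; 4];
    addr[..octets].copy_from_slice(body);
    Ok((Ipv4Addr::from(addr), bit_len, 1 + octets))
}

/// Parse one AS_PATH segment with 4-octet ASNs (RFC 6793): type, count, then
/// count * 4 octets. The count is bounds-checked against the buffer before
/// any read, which is the over-read (CWE-126) the PR closes.
pub fn parse_as_path_segment(buf: &[u8]) -> Result<(u8, Vec<u32>), ParseError> {
    if buf.len() < 2 {
        return Err(ParseError::Truncated { need: 2, have: buf.len() });
    }
    let (seg_type, count) = (buf[0], buf[1] as usize);
    let need = 2 + count * 4;
    let asns = buf.get(2..need).ok_or(ParseError::Truncated { need, have: buf.len() })?;
    let path = asns
        .chunks_exact(4)
        .map(|c| u32::from_be_bytes([c[0], c[1], c[2], c[3]]))
        .collect();
    Ok((seg_type, path))
}

/// Body length from the header's Length field (RFC 4271 4.1). The 19-octet
/// header is removed with saturating arithmetic, so a bogus value below 19
/// (already invalid per the RFC) yields 0 instead of wrapping (CWE-191).
pub fn bgp_body_len(header_len: u16) -> u16 {
    header_len.saturating_sub(19)
}
```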
codecov bot commented Apr 8, 2026

Codecov Report

❌ Patch coverage is 83.00654% with 26 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.48%. Comparing base (fde6232) to head (5e2ff7c).
⚠️ Report is 3 commits behind head on main.

Files with missing lines               Patch %   Lines
src/models/bgp/attributes/mod.rs       0.00%     23 Missing ⚠️
src/parser/utils.rs                    92.50%    3 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #277      +/-   ##
==========================================
- Coverage   90.59%   90.48%   -0.11%     
==========================================
  Files          84       84              
  Lines       15592    15729     +137     
==========================================
+ Hits        14125    14233     +108     
- Misses       1467     1496      +29     


@digizeph digizeph merged commit fd11e4e into main Apr 8, 2026
8 checks passed
@digizeph digizeph deleted the dev/sec-improvements branch April 8, 2026 03:53