RPKI / roa_check() question - BIRD 2.0.2

Matthias Waehlisch m.waehlisch at fu-berlin.de
Wed Apr 11 19:06:19 CEST 2018


Hi Radu,

  the path includes an AS-set ({30884 65004 65005}).

"Both first and last return zero if there is no appropriate ASN, for 
example if the path contains an AS set element as the first (or the 
last) part. If the path ends with an AS set, last_nonaggregated may be 
used to get last ASN before any AS set. "

  AS-sets are deprecated: https://tools.ietf.org/html/rfc6472

  Strictly speaking, you you don't know which AS in AS-set is the actual 
origin.



Cheers
  matthias


On Wed, 11 Apr 2018, Radu Anghel wrote:

> Hello,
> 
> I have found this while doing RPKI validation:
> 
> net = 94.127.104.0/21
> bgp_path = 48112 6830 174 13110 {30884 65004 65005}
> BGP.aggregator: 10.253.27.1 AS13110 (don't know how to read this from a var)
> 
> roa_check(rpki4, net, bgp_path.last) returns ROA_INVALID because BIRD
> thinks bgp_path.last = 0
> 
> There is a valid ROA for 94.127.104.0/21 and AS13110, so I guess the
> validation should be done on the aggregator AS.
> 
> Could you tell me what is the corect way to handle this?
> 
> TIA,
> Radu
> 


-- 
Matthias Waehlisch
.  Freie Universitaet Berlin, Computer Science
.. http://www.cs.fu-berlin.de/~waehl


More information about the Bird-users mailing list