Invalid ROA
Ondrej Zajicek
santiago at crfreenet.org
Mon Apr 20 04:45:33 CEST 2020
On Sun, Apr 19, 2020 at 07:18:37PM +0200, Job Snijders wrote:
> Hi,
>
> On Sun, Apr 19, 2020, at 19:09, Fabiano D'Agostino wrote:
> > how can I check which prefixes are not valid and so rejected? It seems
> > the rpki is working, but I'd like to be sure. I have this:
> > if (roa_check(r4, net, bgp_path.last) = ROA_INVALID) then
> > {
> > print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last;
> >
> > but I don't understand where the prints go.
>
> They go to syslog.
>
> Make sure to match in this: bgp_path.last_nonaggregated
Hi
No. If you want proper RPKI match consistent with RFC 6907 7.1.9-11,
you should use bgp_path.last, not bgp_path.last_nonaggregated.
--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
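The difference between the two origin choices discussed in this thread, as an added example (not code from the thread or from BIRD): a Python model of RFC 6811 origin validation, in which a path whose final segment is an AS_SET has the origin "NONE" and so can never match a ROA. The ROA, the AS path and the helper names are constructed, and `last_nonaggregated` is an assumed model of the filter attribute of that name.

```python
import ipaddress

SEQ, SET = "AS_SEQUENCE", "AS_SET"    # only these two segment types are modelled
ROAS = [("192.0.2.0/24", 24, 64500)]  # constructed ROA: (prefix, maxLength, ASN)

def origin_rfc6811(path, local_as):
    """Route origin ASN as RFC 6811 defines it; None stands for "NONE"."""
    if not path:
        return local_as               # empty AS_PATH: the speaker's own AS
    seg_type, asns = path[-1]
    return asns[-1] if seg_type == SEQ else None  # final AS_SET -> NONE

def last_nonaggregated(path):
    """Assumed model: last ASN before the first AS_SET in the path."""
    last = None
    for seg_type, asns in path:
        if seg_type == SET:
            break
        if asns:
            last = asns[-1]
    return last

def validate(prefix, origin, roas=ROAS):
    """RFC 6811 validation state: 'valid', 'invalid' or 'unknown'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True                # at least one ROA covers the route
        if origin is not None and origin == roa_asn != 0 and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"

# Constructed route: the AS path ends in an AS_SET (an aggregated route).
AGGREGATED = [(SEQ, [64496, 64500]), (SET, [64510, 64511])]

if __name__ == "__main__":
    for name, origin in (("rfc6811 origin", origin_rfc6811(AGGREGATED, 64999)),
                         ("last_nonaggregated", last_nonaggregated(AGGREGATED))):
        print(name, origin, validate("192.0.2.0/24", origin))
```

For the same covered prefix, the two origin choices give different validation states, so a filter built on the second one would not reject this route.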