Invalid ROA

Maria Matejka maria.matejka at nic.cz
Mon Apr 20 15:27:00 CEST 2020


The tilde operator is not symmetric, although it visually seems to be.
It can be (at least in this case) vaguely interpreted as »left operand 
is contained by the right operand«.

In other words, exchange the operands of the tilde.

Maria

On 4/20/20 3:19 PM, Fabiano D'Agostino wrote:
> Thanks, it worked. So the community isn't needed? I tried 'show route 
> table t_0002_as2 where bgp_large_community ~ [(1,1101,13)]' and it prints:
> Table t_0002_as2:
> 
> On Mon 20 Apr 2020 at 15:00, Maria Matejka
> <maria.matejka at nic.cz> wrote:
> 
>              show route all filtered
> 
>     shows only routes from master4 and master6 tables
> 
>     to show routes from this protocol, use
> 
>              show route table t_0002_as2 all filtered
> 
>     Maria
> 
>     On 4/20/20 2:50 PM, Fabiano D'Agostino wrote:
>      > Yes, I just enabled it:
>      > protocol bgp {
>      >      ...
>      >      ipv4{
>      >             import keep filtered;
>      >             import limit 250 action restart;
>      >             import filter filter_rpki;
>      >             table t_0002_as2;
>      >     }
>      > }
>      >
>      > RPKI is working because if I check the syslog I find the invalid
>      > printed prefixes, but 'show route all filtered' doesn't show anything.
>      >
>      > On Mon 20 Apr 2020 at 14:05, Maria Matejka
>      > <maria.matejka at nic.cz> wrote:
>      >
>      >     And do you have
>      >     import keep filtered;
>      >     in your config?
>      >     Maria
>      >
>      >     On 4/20/20 11:19 AM, Fabiano D'Agostino wrote:
>      >      > Hi,
>      >      > In my route server bird.conf I did this:
>      >      > define FILTERED_RPKI_INVALID = (1,1101,13);
>      >      >
>      >      > filter filter_rpki{
>      >      > if roa_check(..)=ROA_INVALID then
>      >      > {bgp_large_community.add(FILTERED_RPKI_INVALID);reject;}
>      >      > }
>      >      >
>      >      > But when I do 'show route all filtered' I get nothing, I also
>      >      > tried with 'show route bgp_large_community ~ [(1,1101,13)]' and
>      >      > I have the same result.
>      >      > Because I would like to have some statistics about
>      >      > VALID/INVALID/UNKNOWN prefixes and I saw that I could use the
>      >      > 'show route stats' command.
>      >      >
>      >      > Thanks,
>      >      >
>      >      > Fabiano
>      >      >
>      >      > On Sun 19 Apr 2020 at 21:30, Alarig Le Lay
>      >      > <alarig at swordarmor.fr> wrote:
>      >      >
>      >      >     On Sun 19 Apr 2020 20:42:21 GMT, Fabiano D'Agostino wrote:
>      >      >      > Thanks!
>      >      >      > But can I also use birdc to check rejected prefixes?
>      >      >
>      >      >     If you add a community, it will be visible with
>      >      >     `show route all filtered`
>      >      >
>      >      >      > Anyway why do you suggest to use bgp_path.last_nonaggregated?
>      >      >
>      >      >     Because you don’t want to check ROA against another ASN in the
>      >      >     aggregated path.
>      >      >
>      >      >     --
>      >      >     Alarig
>      >      >
>      >
> 
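
The pieces discussed in this thread, assembled into one bird.conf fragment with the matching birdc queries. This is an added example, not code from any of the messages. The ROA table name `r4`, the `roa_check()` arguments (the thread elides them as `(..)`), the final `accept`, and the RPKI cache and neighbor addresses (documentation ranges) are assumptions.

```bird
# Added example (BIRD 2 syntax). Names and addresses marked "assumed" are
# constructed for illustration and do not come from the thread.
roa4 table r4;                              # assumed ROA table name

protocol rpki {
    roa4 { table r4; };
    remote 192.0.2.10 port 3323;            # assumed RPKI-to-Router cache
}

define FILTERED_RPKI_INVALID = (1,1101,13);

filter filter_rpki {
    # Validate against the origin AS, not an AS taken from an aggregated segment.
    if roa_check(r4, net, bgp_path.last_nonaggregated) = ROA_INVALID then {
        # Tag before rejecting so the reason stays visible on the kept route.
        bgp_large_community.add(FILTERED_RPKI_INVALID);
        reject;
    }
    accept;                                 # assumed: all other routes pass
}

ipv4 table t_0002_as2;

protocol bgp {
    local as 64500;                         # assumed
    neighbor 192.0.2.2 as 64501;            # assumed
    ipv4 {
        import keep filtered;               # keep rejected routes for inspection
        import limit 250 action restart;
        import filter filter_rpki;
        table t_0002_as2;                   # routes land here, not in master4
    };
}

# birdc queries (typed at the birdc prompt, not part of bird.conf).
# "filtered" selects the rejected routes; the table must be named because
# the default query only covers master4 and master6.
#
#   show route table t_0002_as2 all filtered
#
# Tilde reads "left is contained in right": one community on the left,
# the route's community list on the right.
#
#   show route table t_0002_as2 all filtered where (1,1101,13) ~ bgp_large_community
```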

