Invalid ROA
Cybertinus
bird at cybertinus.nl
Tue Apr 28 12:50:40 CEST 2020
Hello Ondrej,
Thanks for pointing this out. In the network I maintain, we were using
bgp_path.last_nonaggregated. This resulted in 200 IPv4 and 1100 IPv6
prefixes to be marked as RPKI invalid while they were in fact valid. So,
like the worst thing that could happen. But this only happened on a few
EBGP sessions. On other sessions on the same router, with the same
settings (apart from obvious things, like remote ASN) they were valid.
Very strange behavior. All this is done with Bird 1.6.6, installed from
the Debian 10 repos.
I've changed the config to bgp_path.last and all is fine now.
Kind regards,
Cybertinus
On 2020-04-20 04:45, Ondrej Zajicek wrote:
> On Sun, Apr 19, 2020 at 07:18:37PM +0200, Job Snijders wrote:
>> Hi,
>>
>> On Sun, Apr 19, 2020, at 19:09, Fabiano D'Agostino wrote:
>> > how can I check which prefixes are not valid and so rejected? It seems
>> > the rpki is working, but I'd like to be sure. I have this:
>> > if (roa_check(r4, net, bgp_path.last) = ROA_INVALID) then
>> > {
>> > print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last;
>> >
>> > but I don't understand where the prints go.
>>
>> They go to syslog.
>>
>> Make sure to match in this: bgp_path.last_nonaggregated
>
> Hi
>
> No. If you want proper RPKI match consistent with RFC 6907 7.1.9-11,
> you should use bgp_path.last, not bgp_path.last_nonaggregated.
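Worked illustration of the point Ondrej makes, added here as an example; it is not code from this thread, from BIRD, or from any of the posters. It is a small Python ROA validator following RFC 6811 (a route is Valid if a covering ROA matches both the origin AS and the maxLength, Invalid if a covering ROA exists but none matches, Unknown if no ROA covers the prefix), with the origin-AS selection made an explicit parameter so one can see that the roa_check result is only as good as the ASN fed into it. The ROAs and routes are constructed samples (documentation prefixes, private ASNs). Two assumptions of the example, not facts taken from the thread: a path whose final segment is an AS_SET has no determinable origin, so with a covering ROA it validates as Invalid; and `last_nonaggregated_as` is the example's own reading of "last ASN before any trailing AS_SET", not a model of BIRD's attribute of that name.

```python
"""Added example (not from the Bird-users thread or from BIRD): RFC 6811-style
ROA validation with the origin-AS selector made explicit. All ROAs and routes
are constructed samples."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Union

VALID, INVALID, UNKNOWN = "ROA_VALID", "ROA_INVALID", "ROA_UNKNOWN"

# One AS_PATH segment: an int is one hop of an AS_SEQUENCE, a frozenset is an AS_SET.
Segment = Union[int, FrozenSet[int]]


@dataclass(frozen=True)
class ROA:
    prefix: str    # covering prefix, e.g. "192.0.2.0/24"
    max_len: int   # maxLength: longest prefix length this ROA authorises
    asn: int       # authorised origin AS


def origin_as(as_path: List[Segment]) -> Optional[int]:
    """Origin AS as RFC 6811 defines it: the rightmost AS of the final segment.
    Assumption of this example: if the final segment is an AS_SET the origin
    cannot be determined, so None is returned."""
    if not as_path or isinstance(as_path[-1], frozenset):
        return None
    return as_path[-1]


def last_nonaggregated_as(as_path: List[Segment]) -> Optional[int]:
    """Hypothetical alternative selector: rightmost AS_SEQUENCE hop, skipping any
    trailing AS_SET. This is the example's own reading, not BIRD's code."""
    for seg in reversed(as_path):
        if not isinstance(seg, frozenset):
            return seg
    return None


def roa_validate(prefix: str, origin: Optional[int], roas: List[ROA]) -> str:
    """RFC 6811 origin validation of one announcement against a ROA list."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # subnet_of() only accepts networks of the same address family.
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this prefix
        if origin is not None and origin == roa.asn and net.prefixlen <= roa.max_len:
            return VALID
    return INVALID if covered else UNKNOWN


def validate_route(prefix: str, as_path: List[Segment], roas: List[ROA],
                   select_origin=origin_as) -> str:
    """Validate a route, choosing the origin AS with the given selector."""
    return roa_validate(prefix, select_origin(as_path), roas)


# Constructed sample ROAs.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
]

if __name__ == "__main__":
    cases = [
        ("192.0.2.0/24", [64500, 64496]),         # matching origin -> valid
        ("192.0.2.0/24", [64500, 64497]),         # wrong origin -> invalid
        ("192.0.2.0/25", [64500, 64496]),         # longer than maxLength -> invalid
        ("198.51.100.0/24", [64500, 64496]),      # no covering ROA -> unknown
        ("2001:db8:1::/48", [64500, 64496]),      # IPv6, within maxLength -> valid
        ("192.0.2.0/24", [64500, 64496, frozenset({64501, 64502})]),  # trailing AS_SET
    ]
    for prefix, path in cases:
        print(prefix, path,
              "last:", validate_route(prefix, path, SAMPLE_ROAS),
              "last_nonaggregated:",
              validate_route(prefix, path, SAMPLE_ROAS, last_nonaggregated_as))
```

The last case is the one where the two selectors disagree: with the RFC 6811 origin the covered route is Invalid, while the alternative selector picks 64496 and calls it Valid. Whichever way a particular implementation leans, a filter that feeds roa_check the wrong ASN silently turns a correct ROA set into wrong drops or wrong accepts, which is why checking a handful of known-good prefixes against the logged decisions (the prints going to syslog) is worth doing after any change to that expression.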