On Sun, Apr 19, 2020 at 07:18:37PM +0200, Job Snijders wrote:
Hi,
On Sun, Apr 19, 2020, at 19:09, Fabiano D'Agostino wrote:
how can I check which prefixes are not valid and so rejected? It seems the rpki is working, but I'd like to be sure. I have this:

    if (roa_check(r4, net, bgp_path.last) = ROA_INVALID) then {
        print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last;

but I don't understand where the prints go.
They go to syslog.
Make sure to match in this: bgp_path.last_nonaggregated
Hi

No. If you want proper RPKI match consistent with RFC 6907 7.1.9-11, you should use bgp_path.last, not bgp_path.last_nonaggregated.

--
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
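
The difference between the two origin choices discussed in this thread, as an added example that is not part of the original messages and not BIRD code: a small Python model of route origin validation using RFC 6811's origin rule (a path ending in an AS_SET has origin NONE, which no ROA can match). The ROA table, the paths, the function names and the modelling of `last_nonaggregated` as "rightmost AS of the last AS_SEQUENCE segment" are assumptions made for illustration.

```python
import ipaddress

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"

# Constructed ROA table: (prefix, maxLength, origin ASN), documentation values only.
ROAS = [("192.0.2.0/24", 24, 64500)]

# Constructed AS paths as lists of (segment type, ASNs).
PLAIN = [("seq", [64496, 64500])]
AGGREGATED = [("seq", [64496, 64500]), ("set", [64501, 64502])]

def origin_last(path):
    """RFC 6811 origin: rightmost AS of a final AS_SEQUENCE, else None (NONE).
    Simplification: confederation segments and the empty-path case are not modelled."""
    if not path:
        return None
    kind, asns = path[-1]
    return asns[-1] if kind == "seq" else None

def origin_last_nonaggregated(path):
    """Assumed model: rightmost AS of the last AS_SEQUENCE, skipping trailing AS_SETs."""
    for kind, asns in reversed(path):
        if kind == "seq":
            return asns[-1]
    return None

def roa_check(roas, prefix, origin):
    """Return VALID, INVALID or NOT_FOUND for a route (prefix, origin)."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers the route prefix
        if (origin is not None and roa_asn != 0
                and origin == roa_asn and net.prefixlen <= max_len):
            return VALID
    # Covered but unmatched is invalid; an AS_SET origin (None) never matches.
    return INVALID if covered else NOT_FOUND

if __name__ == "__main__":
    for name, path in (("plain", PLAIN), ("aggregated", AGGREGATED)):
        print(name,
              "last:", roa_check(ROAS, "192.0.2.0/24", origin_last(path)),
              "last_nonaggregated:",
              roa_check(ROAS, "192.0.2.0/24", origin_last_nonaggregated(path)))
```

For the aggregated path, the covered prefix is invalid when the origin is taken from the final segment, but would be accepted as valid if the AS_SET were skipped.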