How can I ask for that?
Now I am using just RPKI as a filter and I can check invalid ROAs in syslog or with 'show route table name all filtered'. I would like to check valid/unknown ROAs too and I could do something like this:

    if (roa_check(r4, net, bgp_path.last) = ROA_VALID) then {
        print "RPKI valid ", net, " for ASN ", bgp_path.last;
    }

and then check the syslog, but I think using communities would be better so that I can use a command such as this one: 'show route table t_0002_as2 where bgp_large_community ~ [(1,1101,13)]' or 'show route table t_0002_as2 where bgp_large_community ~ [(1,1101,13)] count'.
But how can I make BIRD work with filtered routes?

Thanks,
Fabiano

On Mon, 20 Apr 2020 at 15:50, Maria Matejka <maria.matejka@nic.cz> wrote:
Ooops, filtered. The filtered routes are by default excluded from the filters. You have to explicitly ask for filtered routes to make BIRD work with them.
Maria
On 4/20/20 3:47 PM, Fabiano D'Agostino wrote:
Thanks, I did it but it is still not working. Never mind, I will use 'show route filtered'.
On Mon, 20 Apr 2020 at 15:27, Maria Matejka <maria.matejka@nic.cz> wrote:
The tilde operator is not symmetric, although it visually seems to be. It can be (at least in this case) vaguely interpreted as »left operand is contained by the right operand«.
In other words, exchange the operands of the tilde.
Maria
On 4/20/20 3:19 PM, Fabiano D'Agostino wrote:
> Thanks, it worked. So the community isn't needed? I tried 'show route
> table t_0002_as2 where bgp_large_community ~ [(1,1101,13)]' and it prints:
> Table t_0002_as2:
>
> On Mon, 20 Apr 2020 at 15:00, Maria Matejka <maria.matejka@nic.cz> wrote:
>
> > show route all filtered
> >
> > shows only routes from master4 and master6 tables
> >
> > to show routes from this protocol, use
> >
> > show route table t_0002_as2 all filtered
> >
> > Maria
> >
> > On 4/20/20 2:50 PM, Fabiano D'Agostino wrote:
> > > Yes, I just enabled it:
> > > protocol bgp {
> > >     ...
> > >     ipv4{
> > >         import keep filtered;
> > >         import limit 250 action restart;
> > >         import filter filter_rpki;
> > >         table t_0002_as2;
> > >     }
> > > }
> > >
> > > RPKI is working because if I check the syslog I find the invalid
> > > printed prefixes, but 'show route all filtered' doesn't show anything.
> > >
> > > On Mon, 20 Apr 2020 at 14:05, Maria Matejka <maria.matejka@nic.cz> wrote:
> > >
> > > > And do you have
> > > > import keep filtered;
> > > > in your config?
> > > > Maria
> > > >
> > > > On 4/20/20 11:19 AM, Fabiano D'Agostino wrote:
> > > > > Hi,
> > > > > In my route server bird.conf I did this:
> > > > > define FILTERED_RPKI_INVALID = (1,1101,13);
> > > > >
> > > > > filter filter_rpki{
> > > > > if roa_check(..)=ROA_INVALID then
> > > > > {bgp_large_community.add(FILTERED_RPKI_INVALID);reject;}
> > > > > }
> > > > >
> > > > > But when I do 'show route all filtered' I get nothing, I also
> > > > > tried with 'show route bgp_large_community ~ [(1,1101,13)]' and
> > > > > I have the same result.
> > > > > Because I would like to have some statistics about
> > > > > VALID/INVALID/UNKNOWN prefixes and I saw that I could use the
> > > > > 'show route stats' command.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Fabiano
> > > > >
> > > > > On Sun, 19 Apr 2020 at 21:30, Alarig Le Lay <alarig@swordarmor.fr> wrote:
> > > > >
> > > > > > On Sun 19 Apr 2020 20:42:21 GMT, Fabiano D'Agostino wrote:
> > > > > > > Thanks!
> > > > > > > But can I also use birdc to check rejected prefixes?
> > > > > >
> > > > > > If you add a community, it will be visible with `show route all
> > > > > > filtered`
> > > > > >
> > > > > > > Anyway why do you suggest to use bgp_path.last_noaggregated?
> > > > > >
> > > > > > Because you don’t want to check ROA against another ASN in the
> > > > > > aggregated path.
> > > > > >
> > > > > > --
> > > > > > Alarig
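
Added example, not part of the thread and not the BIRD project's own configuration: a BIRD 2 configuration that combines the hints given in the replies (import keep filtered, bgp_path.last_noaggregated, the element on the left of ~, and an explicit "filtered" in the query) so that valid, unknown and invalid routes can each be counted by large community. The addresses, local ASN, validator host and the (1,1101,11) and (1,1101,12) values are constructed placeholders; only (1,1101,13), the filter name and the table name come from the thread.

```bird
# Added example, BIRD 2.x syntax. Addresses, local ASN, validator host and the
# VALID/UNKNOWN community values are constructed placeholders.
router id 192.0.2.1;
roa4 table r4;
ipv4 table t_0002_as2;
protocol device { }

protocol rpki rpki_validator {
    roa4 { table r4; };
    remote "rpki.example.net" port 3323;     # placeholder validator
}

define RPKI_VALID            = (1,1101,11);  # constructed value
define RPKI_UNKNOWN          = (1,1101,12);  # constructed value
define FILTERED_RPKI_INVALID = (1,1101,13);  # value used in the thread

filter filter_rpki
{
    # last_noaggregated: last ASN of the non-aggregated part of the path
    if roa_check(r4, net, bgp_path.last_noaggregated) = ROA_INVALID then {
        bgp_large_community.add(FILTERED_RPKI_INVALID);
        reject;     # still stored, because of "import keep filtered"
    }
    if roa_check(r4, net, bgp_path.last_noaggregated) = ROA_VALID then {
        bgp_large_community.add(RPKI_VALID);
    } else {
        bgp_large_community.add(RPKI_UNKNOWN);
    }
    accept;
}

protocol bgp as2 {
    local as 64500;                          # placeholder local ASN
    neighbor 192.0.2.2 as 2;                 # placeholder peer address
    rs client;
    ipv4 {
        table t_0002_as2;
        import keep filtered;
        import limit 250 action restart;
        import filter filter_rpki;
        export none;                         # export policy left out here
    };
}

# birdc queries: element on the left of "~"; "filtered" selects rejected routes
#   show route table t_0002_as2 filtered where (1,1101,13) ~ bgp_large_community count
#   show route table t_0002_as2 where (1,1101,11) ~ bgp_large_community count
#   show route table t_0002_as2 where (1,1101,12) ~ bgp_large_community count
```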