ThanksĀ Ondrej.

I'm not fully understanding your first point. When doing a show route, I do indeed see only [?] forĀ 185.186.206.0/24 - But is this view 'correct' ? Basically I'm trying to collect a list of ASNs originating invalids but if any of them have as-sets in them there is no easy way to check. I'd have to first find all invalids, then any invalid without an ASN do a second 'all' lookup to see which ASN was actually advertising that prefix.

As for the check, I wasn't aware that "roa_check(roa_v4)" alone would work but it looks good so I'll switch to that. Thanks!

D

On Mon, 15 Feb 2021 at 19:36, Ondrej Zajicek <santiago@crfreenet.org> wrote:
On Mon, Feb 15, 2021 at 06:51:18PM -0500, Darren O'Connor wrote:
> When checking ROAs, and the source ASN happens to have an AS-SET, bird does
> not output the ASN itself.

The output does not depend on filter expression (that is just used to
specify which routes to print, unless the filter explicitly modifies
routes). The output is (and is supposed to be) the same as the output
of 'show route' (for given table and network).

Also note that using roa_check(.., bgp_path.last_nonaggregated) is
discouraged, proper RPKI check as defined ny appropriate RFCs is
done with roa_check(roa_v4, net, bgp_path.last), or just
roa_check(roa_v4).

--
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."