BIRD 2 does not re-validate RPKI status?
Hi,

I am not sure if this is an artefact of my set-up, or a missing feature / bug in Bird.

I recently set up a lab with Bird 2.0.4, connecting to routinator using the rpki-rtr protocol. All works fine so far. Many thanks for supporting this!

However, I found that when ROAs get updated and the cache has new Verified ROA Payloads (VRPs), the existing routes are not re-evaluated. Bird seems to do this validation only when an actual update is seen. I.e. if a prefix was dropped because it was RPKI invalid, it stays dropped even if it is now RPKI valid, and vice versa: if it was accepted because it was (in my config case) RPKI unknown or valid, it stays accepted even if it is now RPKI invalid.

According to RFC 6811 affected prefixes MUST be re-validated when the cache has changes: https://tools.ietf.org/html/rfc6811#section-4

My work-around was to restart the sessions with peers and this forced re-validation. But it is not the best solution. I also lose all the routes temporarily.

Is this a local issue? Did I miss something in my set-up? Or is this expected behaviour in Bird? If so, is supporting re-validation on the roadmap?

For a lab this doesn't matter too much, but in a real networking environment I think it's important that this works. Otherwise changes in RPKI only become effective when there are changes in BGP (I assume it's doing validation just when updates are seen), and if wrong ROAs are issued by accident, and fixed again, then prefixes may stay unreachable until a session is restarted.

Kind regards,
Tim Bruijnzeels
Hello!

On 6/21/19 9:09 AM, Tim Bruijnzeels wrote:
> I am not sure if this is an artefact of my set-up, or a missing feature / bug in Bird.

Yes, it is a documented missing feature in Bird, see the RPKI chapter in the documentation:

    You can validate routes (RFC 6483) using function roa_check() in filter and set it as import filter at the BGP protocol. BIRD should re-validate all of affected routes after RPKI update by RFC 6811, but we don't support it yet! You can use a BIRD's client command "reload in <bgp_protocol_name>" for manual call of revalidation of all routes.

[...]

> According to RFC 6811 affected prefixes MUST be re-validated when the cache has changes: https://tools.ietf.org/html/rfc6811#section-4
>
> My work-around was to restart the sessions with peers and this forced re-validation. But it is not the best solution. I also lose all the routes temporarily.

Use "reload in <protocolname>" after ROA is changed.

> Is this a local issue? Did I miss something in my set-up? Or is this expected behaviour in Bird? If so, is supporting re-validation on the roadmap?

Yes, it is even partially done, anyway it needed some internal structural changes inside BIRD. We know about it and we consider it better to have limited ROA support instead of having nothing.

This is one of the hottest features to be done ASAP.

Maria, developer of BIRD
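The set-up the reply describes, written out as an added example (this is not the BIRD manual's example and not config from either participant): a roa4/roa6 table fed by an rpki protocol, a filter that calls roa_check() and rejects only ROA_INVALID (valid and unknown are accepted, matching the original poster's policy), and that filter applied as the import filter of a BGP protocol. The validator address and port, the protocol names, the AS numbers and the peer address are assumptions chosen for illustration.

```bird
# Added example, not from the original thread or the BIRD documentation.
# Assumed: Routinator serving rpki-rtr on 127.0.0.1:3323, local AS 64500,
# peer 192.0.2.1 in AS 64501 (documentation / private-use numbers).

roa4 table r4;
roa6 table r6;

# rpki-rtr session to the validator cache; the VRPs it sends land in r4/r6.
protocol rpki routinator {
  roa4 { table r4; };
  roa6 { table r6; };
  remote 127.0.0.1 port 3323;
  retry keep 90;
  refresh keep 900;
  expire keep 172800;
}

# RFC 6811 origin validation. In BIRD 2.0.4 this runs only when an UPDATE
# for the prefix arrives; a later change of the VRPs in r4 does not by
# itself re-run it (the point of the thread).
filter peer_in_v4 {
  if (roa_check(r4, net, bgp_path.last) = ROA_INVALID) then {
    print "RPKI invalid ", net, " origin AS ", bgp_path.last;
    reject;
  }
  # ROA_VALID and ROA_UNKNOWN are both accepted here.
  accept;
}

protocol bgp upstream {
  local as 64500;
  neighbor 192.0.2.1 as 64501;
  ipv4 {
    # Keep the peer's routes as received, before the import filter, so
    # that "reload in upstream" can re-run the filter locally instead of
    # needing a route refresh from the peer.
    import table on;
    import filter peer_in_v4;
    export none;
  };
}
```

With this in place the manual workaround from the reply is `birdc reload in upstream`, run after the VRP set changes (for example after Routinator has refreshed its data); it re-runs peer_in_v4 over the stored routes without tearing the session down, so routes that were rejected as invalid and have since become valid are admitted, and routes that have since become invalid are dropped. `birdc show route table r4` shows the VRPs BIRD currently holds, which is a quick way to confirm the cache update actually reached BIRD before blaming the filter.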
Hi,

Quite right, sorry about that. I missed it as I scanned the documentation and landed on the example config.

Great to hear it's high on your roadmap :)

Tim
On 21 Jun 2019, at 10:53, Maria Jan Matejka <jan.matejka@nic.cz> wrote:
[...]