RPKI validation state community not reflected
Hi,

I’m facing a weird situation where a BIRD receives a prefix from one session, adds the community for the RPKI state, but doesn’t reflect it to a rr client.

It’s the exact same case as https://puck.nether.net/pipermail/cisco-nsp/2020-May/107542.html (although I’m not trying to debug the cisco here :D) I’m just on the BIRD part while Pierre is on the Cisco part.

Here is some complementary output from BIRD:

bird> show protocols all ibgp_nominoe_ipv4
Name              Proto  Table  State  Since       Info
ibgp_nominoe_ipv4 BGP    ---    up     2020-04-26  Established
  Description:    fullmesh iBGP
  BGP state:          Established
    Neighbor address: 89.234.186.33
    Neighbor AS:      204092
    Local AS:         204092
    Neighbor ID:      89.234.186.33
    Local capabilities
      Multiprotocol
        AF announced: ipv4
      Route refresh
      Graceful restart
      4-octet AS numbers
      Enhanced refresh
      Long-lived graceful restart
    Neighbor capabilities
      Multiprotocol
        AF announced: ipv4
      Route refresh
      4-octet AS numbers
      Enhanced refresh
    Session:          internal multihop route-reflector AS4
    Source address:   89.234.186.34
    Hold timer:       171.386/180
    Keepalive timer:  38.337/60
  Channel ipv4
    State:          UP
    Table:          master4
    Preference:     100
    Input filter:   (unnamed)
    Output filter:  (unnamed)
    Routes:         99289 imported, 0 filtered, 721270 exported, 97651 preferred
    Route change stats:     received   rejected   filtered    ignored   accepted
      Import updates:        2734159          0          0     394005    2340154
      Import withdraws:     14320933          0        ---   13300654    1020279
      Export updates:       12994153    2019568         20        ---   10974565
      Export withdraws:       414224        ---        ---        ---     636177
    BGP Next hop:   89.234.186.34
    IGP IPv4 table: master4
bird>

template bgp iBGP_IPv4 {
  local as 204092;
  ipv4 {
    import where source = RTS_BGP;
    import keep filtered;
    import filter {
      if ((65535,666) ~ bgp_community || (204092,65535,666) ~ bgp_large_community) then {
        dest = RTD_BLACKHOLE;
        accept;
      } else {
        accept;
      }
    };
    export where source = RTS_BGP;
    gateway recursive;
  };
  rr client;
}

protocol bgp ibgp_nominoe_ipv4 from iBGP_IPv4 {
  description "fullmesh iBGP";
  neighbor 89.234.186.33 as 204092;
  ipv4 {
    export filter {
      if (source != RTS_BGP) then {
        reject;
      } else {
        bgp_large_community.add((204092,204092,100));
        bgp_community.add((64496,2150));
        accept;
      }
    };
  };
}

I’m not seeing anything that should remove this community from the filters, but we do not receive it on the other side (tried with another BIRD too). Is it an expected behaviour or am I missing something obvious there?

Thanks,
-- 
Alarig Le Lay
On Thu, May 07, 2020 at 10:28:59PM +0200, Alarig Le Lay wrote:
> Hi,
>
> I’m facing a weird situation where a BIRD receives a prefix from one session, adds the community for the RPKI state, but doesn’t reflect it to a rr client.
>
> It’s the exact same case as https://puck.nether.net/pipermail/cisco-nsp/2020-May/107542.html (although I’m not trying to debug the cisco here :D) I’m just on the BIRD part while Pierre is on the Cisco part.
>
> Here is some complementary output from BIRD:
Hi

Your filter adds two communities:

> bgp_large_community.add((204092,204092,100));
> bgp_community.add((64496,2150));

These are in the cisco output:

  Community: 64496:100 64496:2150
  unknown transitive attribute: flag 0xE0 type 0x20 length 0x18
    value 0003 1D3C 0000 0064 0000 0096 0003 1D3C 0003 1D3C 0000 0064

So what is missing? The ext_community?

I think we had some bug in handling transitive ext. community. See this patch:

https://gitlab.labs.nic.cz/labs/bird/-/commit/ec331acf48535211fb5b50c87e74bf...

Also note that your template has both 'import where' and 'import filter', which are the same, so the first is replaced by the second. Also, for import 'where source = RTS_BGP' does not make much sense outside of pipes.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
Hi,

On Fri 08 May 2020 00:43:17 GMT, Ondrej Zajicek wrote:
> I think we had some bug in handling transitive ext. community.
> See this patch: https://gitlab.labs.nic.cz/labs/bird/-/commit/ec331acf48535211fb5b50c87e74bf...

Thank you so much, it works! The route is now well seen as unknown by the cisco router:

  Refresh Epoch 1
  206155
    89.234.186.158 from 89.234.186.158 (80.67.190.204)
      Origin IGP, metric 50, localpref 200, valid, external, best
      Community: 64496:200
      path 7FA510447288 RPKI State not found
      rx pathid: 0, tx pathid: 0x0

Thanks also for the advice on the configuration. It dates from some time ago now and has endured many modifications ;)

Kind regards,
-- 
Alarig Le Lay