No ASN in output when checking invalids ROAs with as-set
When checking ROAs, and the source ASN happens to have an AS-SET, bird does not output the ASN itself.

Here is an example without an AS-SET:

$ birdc 'show route primary table master4 where roa_check(roa_v4, net, bgp_path.last_nonaggregated) = ROA_INVALID' | grep 186.28
186.28.232.0/24 unreachable [BGP1v4 2021-02-11 from 46.30.8.72] * (100) [AS263710i]

Here is an example with an AS-SET:

$ birdc 'show route primary table master4 where roa_check(roa_v4, net, bgp_path.last_nonaggregated) = ROA_INVALID' | grep 185.186
185.186.206.0/24 unreachable [BGP3v4 2021-02-07 from 192.110.255.57] * (100) [?]

The source ASN in the first shows as 263710, but the second shows none at all. This is the actual live prefix for the second:

bird> show route all for 185.186.206.0/24
Table master4:
185.186.206.0/24 unreachable [BGP3v4 2021-02-07 from 192.110.255.57] * (100) [?]
    Type: BGP univ
    BGP.origin: Incomplete
    BGP.as_path: 13030 8529 28885 {206350}

As the query is specifying last_nonaggregated, I'd expect the output to contain that ASN.

Thanks
D

On Mon, Feb 15, 2021 at 06:51:18PM -0500, Darren O'Connor wrote:
> When checking ROAs, and the source ASN happens to have an AS-SET, bird does not output the ASN itself.

The output does not depend on the filter expression (that is just used to specify which routes to print, unless the filter explicitly modifies routes). The output is (and is supposed to be) the same as the output of 'show route' (for given table and network).

Also note that using roa_check(.., bgp_path.last_nonaggregated) is discouraged, proper RPKI check as defined by appropriate RFCs is done with roa_check(roa_v4, net, bgp_path.last), or just roa_check(roa_v4).

--
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."

Thanks Ondrej.

I'm not fully understanding your first point. When doing a show route, I do indeed see only [?] for 185.186.206.0/24 - But is this view 'correct'?

Basically I'm trying to collect a list of ASNs originating invalids but if any of them have as-sets in them there is no easy way to check. I'd have to first find all invalids, then any invalid without an ASN do a second 'all' lookup to see which ASN was actually advertising that prefix.

As for the check, I wasn't aware that "roa_check(roa_v4)" alone would work but it looks good so I'll switch to that.

Thanks!
D

On Mon, 15 Feb 2021 at 19:36, Ondrej Zajicek <santiago@crfreenet.org> wrote:
> On Mon, Feb 15, 2021 at 06:51:18PM -0500, Darren O'Connor wrote:
>> When checking ROAs, and the source ASN happens to have an AS-SET, bird does not output the ASN itself.
>
> The output does not depend on the filter expression (that is just used to specify which routes to print, unless the filter explicitly modifies routes). The output is (and is supposed to be) the same as the output of 'show route' (for given table and network).
>
> Also note that using roa_check(.., bgp_path.last_nonaggregated) is discouraged, proper RPKI check as defined by appropriate RFCs is done with roa_check(roa_v4, net, bgp_path.last), or just roa_check(roa_v4).
>
> --
> Elen sila lumenn' omentielvo
>
> Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
> OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
> "To err is human -- to blame it on a computer is even more so."
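
Added example, not part of the thread and not BIRD's own code: one way to do the two-step lookup described above in a single pass, by parsing 'show route all' output and reporting the last plain ASN in BGP.as_path together with any trailing AS-SET. The sample text is constructed from the output quoted in the thread (the as_path for 186.28.232.0/24 is invented), the function names are hypothetical, and one route per prefix is assumed, as with 'primary'.

```python
import re

# Constructed sample modelled on the 'show route all' output quoted in the thread.
# The as_path shown for 186.28.232.0/24 is invented for illustration.
SAMPLE = """\
Table master4:
185.186.206.0/24 unreachable [BGP3v4 2021-02-07 from 192.110.255.57] * (100) [?]
    Type: BGP univ
    BGP.origin: Incomplete
    BGP.as_path: 13030 8529 28885 {206350}
186.28.232.0/24 unreachable [BGP1v4 2021-02-11 from 46.30.8.72] * (100) [AS263710i]
    Type: BGP univ
    BGP.origin: IGP
    BGP.as_path: 64500 263710
"""

ROUTE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s")  # IPv4 route header line
TOKEN_RE = re.compile(r"\{([^}]*)\}|(\d+)")            # AS-SET body or plain ASN


def origin_info(as_path):
    """Return the last plain (sequence) ASN and the members of a trailing AS-SET."""
    tokens = TOKEN_RE.findall(as_path)  # list of (set_body, plain_asn) tuples
    plain = [int(asn) for _, asn in tokens if asn]
    ends_in_set = bool(tokens) and tokens[-1][1] == ""
    members = [int(x) for x in tokens[-1][0].split()] if ends_in_set else []
    return {"last_sequence_asn": plain[-1] if plain else None, "as_set": members}


def parse_routes(text):
    """Map each prefix in 'show route all' output to its origin_info()."""
    routes, prefix = {}, None
    for line in text.splitlines():
        header = ROUTE_RE.match(line)
        if header:
            prefix = header.group(1)
        elif prefix and line.strip().startswith("BGP.as_path:"):
            routes[prefix] = origin_info(line.split(":", 1)[1])
    return routes


if __name__ == "__main__":
    for net, info in parse_routes(SAMPLE).items():
        flag = " (path ends in AS-SET %s)" % info["as_set"] if info["as_set"] else ""
        print(net, info["last_sequence_asn"], flag)
```

A non-empty as_set marks the routes that 'show route' prints as [?]; under RFC 6811 such a route has origin "NONE", so it cannot match any ROA.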