Hi,

how can I check which prefixes are not valid and so rejected? It seems the RPKI is working, but I'd like to be sure. I have this:

    if (roa_check(r4, net, bgp_path.last) = ROA_INVALID) then {
        print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last;
    }

but I don't understand where the prints go.

Thanks,
Fabiano
Hi,

On Sun, Apr 19, 2020, at 19:09, Fabiano D'Agostino wrote:
> but I don't understand where the prints go.

They go to syslog.

Make sure to match in this: bgp_path.last_nonaggregated

Kind regards,
Job
Thanks! But can I also use birdc to check rejected prefixes? Anyway, why do you suggest to use bgp_path.last_noaggregated?

On Sun, 19 Apr 2020 at 19:19, Job Snijders <job@ntt.net> wrote:
> They go to syslog.
> Make sure to match in this: bgp_path.last_nonaggregated
On Sun 19 Apr 2020 20:42:21 GMT, Fabiano D'Agostino wrote:
> Thanks! But can I also use birdc to check rejected prefixes?

If you add a community, it will be visible with `show route all filtered`

> Anyway why do you suggest to use bgp_path.last_noaggregated?

Because you don't want to check ROA against another ASN in the aggregated path.

-- 
Alarig
Hi,

In my route server bird.conf I did this:

    define FILTERED_RPKI_INVALID = (1,1101,13);

    filter filter_rpki {
        if roa_check(..) = ROA_INVALID then {
            bgp_large_community.add(FILTERED_RPKI_INVALID);
            reject;
        }
    }

But when I do 'show route all filtered' I get nothing. I also tried with 'show route bgp_large_community ~ [(1,1101,13)]' and I have the same result. I would like to have some statistics about VALID/INVALID/UNKNOWN prefixes and I saw that I could use the 'show route stats' command.

Thanks,
Fabiano

On Sun, 19 Apr 2020 at 21:30, Alarig Le Lay <alarig@swordarmor.fr> wrote:
> If you add a community, it will be visible with `show route all filtered`
And do you have

    import keep filtered;

in your config?

Maria

On 4/20/20 11:19 AM, Fabiano D'Agostino wrote:
> But when I do 'show route all filtered' I get nothing.
Yes, I just enabled it:

    protocol bgp {
        ...
        ipv4 {
            import keep filtered;
            import limit 250 action restart;
            import filter filter_rpki;
            table t_0002_as2;
        };
    }

RPKI is working because if I check the syslog I find the invalid prefixes printed, but 'show route all filtered' doesn't show anything.

On Mon, 20 Apr 2020 at 14:05, Maria Matejka <maria.matejka@nic.cz> wrote:
> And do you have import keep filtered; in your config?
    show route all filtered

shows only routes from master4 and master6 tables. To show routes from this protocol, use

    show route table t_0002_as2 all filtered

Maria

On 4/20/20 2:50 PM, Fabiano D'Agostino wrote:
> RPKI is working because if I check the syslog I find the invalid prefixes printed, but 'show route all filtered' doesn't show anything.
Thanks, it worked. So the community isn't needed? I tried 'show route table t_0002_as2 where bgp_large_community ~ [(1,1101,13)]' and it prints:

    Table t_0002_as2:

On Mon, 20 Apr 2020 at 15:00, Maria Matejka <maria.matejka@nic.cz> wrote:
> to show routes from this protocol, use
> show route table t_0002_as2 all filtered
The tilde operator is not symmetric, although it visually seems to be. It can be (at least in this case) vaguely interpreted as »left operand is contained by the right operand«. In other words, exchange the operands of the tilde.

Maria

On 4/20/20 3:19 PM, Fabiano D'Agostino wrote:
> I tried 'show route table t_0002_as2 where bgp_large_community ~ [(1,1101,13)]' and it prints:
> Table t_0002_as2:
Thanks, I did it but it is still not working. Never mind, I will use 'show route filtered'.

On Mon, 20 Apr 2020 at 15:27, Maria Matejka <maria.matejka@nic.cz> wrote:
> In other words, exchange the operands of the tilde.
Ooops, filtered. The filtered routes are by default excluded from the filters. You have to explicitly ask for filtered routes to make BIRD work with them.

Maria

On 4/20/20 3:47 PM, Fabiano D'Agostino wrote:
> Thanks, I did it but it is still not working. Never mind, I will use 'show route filtered'.
How can I ask for that? Now I am using just RPKI as filter and I can check invalid ROA in syslog or with 'show route table name all filtered'. I would like to check valid/unknown ROA too, and I could do something like this:

    if (roa_check(r4, net, bgp_path.last) = ROA_VALID) then {
        print "RPKI valid ", net, " for ASN ", bgp_path.last;
    }

and then check the syslog, but I think using communities would be better, so that I can use a command such as 'show route table t_0002_as2 where bgp_large_community ~ [(1,1101,13)]' or 'show route table t_0002_as2 where bgp_large_community ~ [(1,1101,13)] count'. But how can I make BIRD work with filtered routes?

Thanks,
Fabiano

On Mon, 20 Apr 2020 at 15:50, Maria Matejka <maria.matejka@nic.cz> wrote:
> Ooops, filtered. The filtered routes are by default excluded from the filters. You have to explicitly ask for filtered routes to make BIRD work with them.
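An added example (not from any participant in this thread, nor from the BIRD project) that puts the pieces of this sub-thread together in BIRD 2 syntax: each RPKI state gets its own large community, INVALID is rejected but kept in the table through `import keep filtered`, and the birdc queries at the end say `filtered` explicitly and put the community on the left of the tilde as Maria advised. Assumed here: the rpki protocol and validator address, the peer address and protocol name, and the VALID/UNKNOWN community values (11 and 12); only (1,1101,13) and table t_0002_as2 come from the thread, and bgp_path.last is used per Ondrej's note about RFC 6907.

```bird
# Constructed configuration; only (1,1101,13) and t_0002_as2 are from the thread.
log syslog all;                 # the filter's print statements land here

roa4 table r4;
roa6 table r6;

protocol rpki rtr_validator {   # assumed validator; feeds r4/r6 over RTR
  roa4 { table r4; };
  roa6 { table r6; };
  remote "rtr.example.net" port 323;   # placeholder address
  retry keep 90;
  refresh keep 900;
  expire keep 172800;
}

# (1,1101,13) is the INVALID community used in the thread; 11 and 12 are
# values assumed for this example.
define RPKI_VALID   = (1, 1101, 11);
define RPKI_UNKNOWN = (1, 1101, 12);
define RPKI_INVALID = (1, 1101, 13);

# Validate against the origin ASN (bgp_path.last, RFC 6907 7.1.9-11),
# picking the ROA table that matches the address family of the route.
function rpki_state()
{
  if net.type = NET_IP6 then return roa_check(r6, net, bgp_path.last);
  return roa_check(r4, net, bgp_path.last);
}

filter filter_rpki {
  if rpki_state() = ROA_INVALID then {
    bgp_large_community.add(RPKI_INVALID);
    print "Ignore RPKI invalid ", net, " for ASN ", bgp_path.last;
    reject;                     # kept in the table as "filtered", see below
  }
  if rpki_state() = ROA_VALID then {
    bgp_large_community.add(RPKI_VALID);
  } else {
    bgp_large_community.add(RPKI_UNKNOWN);
  }
  accept;
}

protocol bgp peer_as2 {         # assumed name and peer address
  local as 1101;
  neighbor 192.0.2.2 as 2;
  rs client;
  ipv4 {
    table t_0002_as2;
    import keep filtered;       # rejected routes stay queryable via birdc
    import limit 250 action restart;
    import filter filter_rpki;
    export all;
  };
}

# birdc queries for the statistics asked about in the thread. Rejected
# routes are excluded from "show route" unless "filtered" is given, so the
# first query prints only "Table t_0002_as2:" without that keyword.
#   birdc 'show route table t_0002_as2 filtered where (1,1101,13) ~ bgp_large_community'
#   birdc 'show route table t_0002_as2 where (1,1101,11) ~ bgp_large_community count'
#   birdc 'show route table t_0002_as2 where (1,1101,12) ~ bgp_large_community count'
```

The `print` lines still go to syslog as Job said, so the log and the community counts can be cross-checked against each other after a validator outage or a ROA change.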
On Sun, Apr 19, 2020 at 07:18:37PM +0200, Job Snijders wrote:
> They go to syslog.
>
> Make sure to match in this: bgp_path.last_nonaggregated

Hi

No. If you want proper RPKI match consistent with RFC 6907 7.1.9-11, you should use bgp_path.last, not bgp_path.last_nonaggregated.

-- 
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
Hello Ondrej,

Thanks for pointing this out. In the network I maintain, we were using bgp_path.last_nonaggregated. This resulted in 200 IPv4 and 1100 IPv6 prefixes being marked as RPKI invalid while they were in fact valid. So, like the worst thing that could happen. But this only happened on a few EBGP sessions. On other sessions on the same router, with the same settings (apart from obvious things, like remote ASN) they were valid. Very strange behavior. All this is done with Bird 1.6.6, installed from the Debian 10 repos. I've changed the config to bgp_path.last and all is fine now.

Kind regards,
Cybertinus

On 2020-04-20 04:45, Ondrej Zajicek wrote:
> No. If you want proper RPKI match consistent with RFC 6907 7.1.9-11, you should use bgp_path.last, not bgp_path.last_nonaggregated.
Participants (6): Alarig Le Lay, Cybertinus, Fabiano D'Agostino, Job Snijders, Maria Matejka, Ondrej Zajicek