BIRD - RoA with aggregated prefixes - issue
Hello,

We're using BIRD 1.6.4 as Route Server.

Recently we have implemented ROA prefix validation but we have hit the issue with prefixes that are aggregated only.

What do I mean: when the prefix is an aggregate and has something like 1234 { 10, 20 } in the AS_PATH as the last ASN, the bgp_path.last value returns zero (0). As a result of this we are just discarding such prefixes.

Our approach is the following:

1) We're using static RoA tables with prefixes, for example:

    roa table r1234 {
        roa 10.10.10.0/24 max 32 as 1234;
        roa 10.10.11.0/24 max 32 as 1234;
        roa 10.10.12.0/24 max 32 as 1234;
    }

2) Then we create a different function for each member like this and apply it on each BGP protocol as the last function:

    function AS1234_roa()
    {
        if roa_check(r1234, net, bgp_path.last) = ROA_INVALID then {
            print "ROA check failed: invalid prefix - ", net, " origin ASN ", bgp_path.last, " - AS-PATH ", bgp_path, " via ", proto;
            return false;
        }
        if roa_check(r1234, net, bgp_path.last) = ROA_UNKNOWN then {
            print "ROA check failed: unallowed prefix - ", net, " origin ASN ", bgp_path.last, " - AS-PATH ", bgp_path, " via ", proto;
            return false;
        }
        return true;
    }

Could some BIRD developer suggest a solution for this issue?

Thanks in advance!

Best~
--
Javor Kliachev
Senior Engineer IP Services
office: +359 2 974 33 11
mobile: +359 885 98 84 95
http://www.neterra.net/
https://bg.linkedin.com/pub/javor-kliachev/11/b46/843
On Mon, Jul 13, 2020 at 09:32:16AM +0300, Javor Kliachev wrote:
Hello,
We're using BIRD 1.6.4 as Route Server.
Recently we have implemented ROA prefix validation but we have hit the issue with prefixes that are aggregated only.
What do I mean: When the prefix is aggregate and has something like 1234 { 10, 20 } in AS_PATH in last asn, bgp_path.last value returns zero ( 0 ). As result of this we just discarding such prefixes. ... Could someone BIRD developer to suggest some solution for this issue? Thanks in advance!
Hi

This is expected behavior, see RFC 6907 7.1.9:

    Comment: In the spirit of [RFC6472], any route with an AS_SET in it
    should not be considered valid (by ROA-based validation). If the
    route contains an AS_SET and a covering ROA prefix exists for the
    route prefix, then the route should get an Invalid status. (Note:
    AS match or mismatch consideration does not apply.)

--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
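As an added worked example (not code from BIRD, nor from anyone in this thread), the Python below models the ROA table and the AS1234_roa() filter from the original post next to a direct encoding of the RFC 6907 7.1.9 rule quoted above. It assumes bgp_path.last behaves as reported in the thread (0 when the path ends in an AS_SET) and represents AS_SET segments as frozensets; the prefixes, ASNs and the 1234 { 10, 20 } path are the values from the thread, used here as constructed inputs.

```python
"""Route origin validation (RFC 6811) with the RFC 6907 7.1.9 AS_SET rule.

Added example, not code from BIRD or from the thread. The ROA table is the one
from the original post, parsed from its BIRD 1.6 syntax. An AS_PATH is a list
whose elements are ints (AS_SEQUENCE members) or frozensets (AS_SET segments),
so the path written 1234 { 10, 20 } becomes [1234, frozenset({10, 20})].
"""
import ipaddress
from dataclasses import dataclass

# Result names follow BIRD's roa_check() constants.
ROA_VALID, ROA_INVALID, ROA_UNKNOWN = "ROA_VALID", "ROA_INVALID", "ROA_UNKNOWN"


@dataclass(frozen=True)
class Roa:
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int


def parse_roa_table(text):
    """Parse BIRD 1.6 'roa <prefix> max <len> as <asn>;' lines into Roa objects."""
    roas = []
    for line in text.splitlines():
        tokens = line.replace(";", " ").split()
        if len(tokens) == 6 and tokens[0] == "roa" and tokens[2] == "max" and tokens[4] == "as":
            roas.append(Roa(ipaddress.ip_network(tokens[1]), int(tokens[3]), int(tokens[5])))
    return roas


# The static ROA table from the original post (constructed input for this example).
R1234 = parse_roa_table("""
roa table r1234 {
    roa 10.10.10.0/24 max 32 as 1234;
    roa 10.10.11.0/24 max 32 as 1234;
    roa 10.10.12.0/24 max 32 as 1234;
}
""")


def _covering(roas, net):
    """ROAs whose prefix covers net (same address family, net inside the ROA prefix)."""
    return [r for r in roas if r.prefix.version == net.version and net.subnet_of(r.prefix)]


def bgp_path_last(as_path):
    """Mimic bgp_path.last as the thread describes it: the origin ASN, or 0 when
    the path is empty or ends in an AS_SET (no single origin AS exists)."""
    if not as_path or isinstance(as_path[-1], frozenset):
        return 0
    return as_path[-1]


def roa_check(roas, net, asn):
    """RFC 6811 validation in the shape of BIRD's roa_check(table, prefix, asn)."""
    net = ipaddress.ip_network(net)
    covering = _covering(roas, net)
    if not covering:
        return ROA_UNKNOWN   # NotFound: no ROA says anything about this prefix
    if any(r.asn == asn and net.prefixlen <= r.max_length for r in covering):
        return ROA_VALID
    return ROA_INVALID       # covered, but wrong origin AS or prefix longer than maxLength


def rfc6907_check(roas, net, as_path):
    """Direct encoding of RFC 6907 7.1.9: a route carrying any AS_SET is Invalid
    whenever a covering ROA exists, regardless of which ASNs the set contains."""
    net_obj = ipaddress.ip_network(net)
    if any(isinstance(seg, frozenset) for seg in as_path):
        return ROA_INVALID if _covering(roas, net_obj) else ROA_UNKNOWN
    return roa_check(roas, net, bgp_path_last(as_path))


def as1234_roa(roas, net, as_path):
    """The AS1234_roa() filter from the original post, translated: (accept, log line)."""
    last = bgp_path_last(as_path)
    state = roa_check(roas, net, last)
    path_text = " ".join(
        "{ " + " ".join(map(str, sorted(seg))) + " }" if isinstance(seg, frozenset) else str(seg)
        for seg in as_path)
    if state == ROA_INVALID:
        return False, f"ROA check failed: invalid prefix - {net} origin ASN {last} - AS-PATH {path_text}"
    if state == ROA_UNKNOWN:
        return False, f"ROA check failed: unallowed prefix - {net} origin ASN {last} - AS-PATH {path_text}"
    return True, f"accepted {net} origin ASN {last} - AS-PATH {path_text}"


if __name__ == "__main__":
    aggregate = [1234, frozenset({10, 20})]   # constructed: the aggregate path from the thread
    for net, path in [("10.10.10.0/24", [1234]), ("10.10.10.0/24", aggregate), ("192.0.2.0/24", aggregate)]:
        print(net, as1234_roa(R1234, net, path), rfc6907_check(R1234, net, path))
```

Running it shows that the two formulations agree: with origin 0, roa_check() matches no ROA, so a covered aggregate comes back ROA_INVALID and an uncovered one ROA_UNKNOWN, which is the Invalid/NotFound outcome the quoted RFC text prescribes. The filter from the original post therefore already rejects exactly the routes the RFC says must not validate; nothing in the filter can make an AS_SET route Valid.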
Javor,

On Mon, 13 Jul 2020 at 08:32, Javor Kliachev <jkliachev@neterra.net> wrote:
We're using BIRD 1.6.4 as Route Server.
Recently we have implemented ROA prefix validation but we have hit the issue with prefixes that are aggregated only.
What do I mean: When the prefix is aggregate and has something like 1234 { 10, 20 } in AS_PATH in the last ASN, bgp_path.last value returns zero ( 0 ). As a result of this, we just discarding such prefixes.
Do not use BGP aggregate routes? RPKI validation is not feasible for BGP aggregate routes. E.g. the ROA for AS 10 is valid and invalid for AS 20. What do you do in this case if the AS path is 1234 { 10, 20 }? Say OK and accept it, or reject the unknown, due to the impossibility of validating the BGP route fairly in accordance with the earlier mentioned expected RFC behaviour.

In general, the amount of BGP aggregate routes in the DFZ is low (measured, at most, in the hundreds if not in the tens).

--
Chriztoffer
Hello,

Thank you very much for the quick responses.

We don't use BGP aggregated routes but our customers are using them.

Best~
Javor Kliachev
Senior Engineer IP Services
office: +359 2 974 33 11
mobile: +359 885 98 84 95
http://www.neterra.net/
https://bg.linkedin.com/pub/javor-kliachev/11/b46/843

----- Original Message -----
From: "Chriztoffer Hansen" <ch@ntrv.dk>
To: "bird-users" <bird-users@network.cz>
Cc: "nmt-ip" <nmt-ip@neterra.net>, "Javor Kliachev" <jkliachev@neterra.net>
Sent: Monday, 13 July, 2020 20:38:22
Subject: Re: BIRD - RoA with aggregated prefixes - issue
On Tue, 14 Jul 2020 at 07:40, Javor Kliachev <jkliachev@neterra.net> wrote:
We don't use BGP aggregated routes but our customers are using.
Do your best to discourage your customers from using aggregate BGP routes? (Since if not you, your upstreams deploying ROA validation on sessions towards you will discard the aggregate routes announced by your customers.)

--
Cheers,
Chriztoffer
participants (3): Chriztoffer Hansen, Javor Kliachev, Ondrej Zajicek