Hello, I have RPKI validation working correctly, but it seems that when BIRD first starts it does not reject invalid RPKI routes. If I run `reload in <protocol>` everything works great. I suspect this is some sort of race condition in 2.0.7. Has anyone else come across this?
Hello, this is due to the RPKI table being empty on startup. As a workaround, I suggest having bgp sessions with delayed start. The problem is also that bird doesn't reevaluate affected routes after ROA has changed. This is going to be fixed in the near future, yet now the best thing to do is probably to reload the affected bgp protocols manually every time bird gets some updates from the RPKI protocol.

Maria

On 11/11/19 12:43 AM, Brooks Swinnerton wrote:
Hello,
I have RPKI validation working correctly, but it seems that when BIRD first starts it does not reject invalid RPKI routes. If I run `reload in <protocol>` everything works great.
I suspect this is some sort of race condition in 2.0.7. Has anyone else come across this?
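A minimal BIRD 2 configuration illustrating the workaround described above, as an added example that is not from the thread or the BIRD project: the ROA table and rpki protocol are defined, the import filter rejects ROA-invalid routes, and the BGP session is given a delayed start so the ROA table has time to fill before the first routes arrive. The validator host, ASNs and neighbor address are placeholders, and the 120 s delay is an assumed value.

```bird
# Added example (not from the thread). Addresses and ASNs are placeholders.
roa4 table r4;

# RTR session with the validator. The ROA table is empty until the first
# full sync completes, which is why routes accepted at startup are not rejected.
protocol rpki validator {
  roa4 { table r4; };
  remote "rtr.example.net" port 323;   # placeholder validator host
  retry keep 90;
  refresh keep 900;
  expire keep 172800;
}

# Reject routes whose origin AS is ROA_INVALID; ROA_UNKNOWN is still accepted.
filter rov_in {
  if (roa_check(r4, net, bgp_path.last) = ROA_INVALID) then reject;
  accept;
}

protocol bgp peer1 {
  local as 64500;                      # placeholder ASN
  neighbor 192.0.2.1 as 64496;         # placeholder neighbor
  # Delayed start: wait before the first connect attempt so the rpki
  # protocol can populate r4 first. 120 s is an assumed value; set it
  # to cover the time your validator needs for a full RTR sync.
  connect delay time 120;
  ipv4 { import filter rov_in; export none; };
}

# Until BIRD re-evaluates routes on ROA change, re-run the import filter
# after the validator pushes updates with:  birdc reload in peer1
```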
On Mon, 11 Nov 2019, Maria Matějka wrote:
The problem is also that bird doesn't reevaluate affected routes after ROA has changed. This is going to be fixed in the near future

based on the increasing interest in using route origin validation in BIRD, i highly encourage fixing this rather sooner than later. it is an old but really important problem to solve.

cheers
matthias

--
Matthias Waehlisch
. Freie Universitaet Berlin, Computer Science
.. http://www.cs.fu-berlin.de/~waehl
On Mon, Nov 11, 2019 at 10:41:24AM -0500, Matthias Waehlisch wrote:
On Mon, 11 Nov 2019, Maria Matějka wrote:
The problem is also that bird doesn't reevaluate affected routes after ROA has changed. This is going to be fixed in the near future

based on the increasing interest in using route origin validation in BIRD, i highly encourage fixing this rather sooner than later. it is an old but really important problem to solve.

Yes, we fully agree.

--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."