[c-nsp] RPKI validation weirdness
Pierre Emeriaud
petrus.lt at gmail.com
Thu May 7 16:02:36 EDT 2020
Hello all
First of all, sorry for the long text wall, but I think I have a bit of
an interesting issue here. I have a router that announces a prefix
that is not RPKI signed at all, hence should neither appear valid nor
invalid.
It _does appear valid_ though on an asr1k running 03.16.06.S. Here is the setup.
Said network (44.151.210.0/23) is announced by AS206155 to a transit
operator (AS204092) on two peerings:
- one direct from as206155 (89.234.186.158 - router id 80.67.190.204)
to 204092 ("asbr01" - asr1k - 89.234.186.153)
- one indirect from as206155 (185.1.89.27) to 204092 ("asbr02" -
linux/bird - router id 89.234.186.34) through an IX RS.
- this only happens if peering with asbr02 goes up before asbr01,
otherwise asbr02 prefers the route through asbr01.
asbr01 and 02 from as204092 are using the same two validators, one
running routinator, the other is using FORT.
44.151.210.0/23 is not signed, nor is 44.128.0.0/10. Those prefixes do
not appear as valid in the rpki table:
asbr01#show ip bgp rpki table | i 44.151.210
asbr01#
However the /23 appears signed and hence is preferred:
asbr01#show ip bgp | be 44.151.21
N* 44.151.210.0/23 80.67.167.221 20 0 57199 34019 3215 206155 i
N* 193.200.43.85 10 0 34019 3215 206155 i
N* 89.234.186.158 50 200 0 206155 i
V*>i 185.1.89.27 150 150 0 206155 i <<< BEST & ROA VALID!?
asbr01#show ip bgp 44.151.210.0
BGP routing table entry for 44.151.210.0/23, version 487298116
BGP Bestpath: deterministic-med: med
Paths: (8 available, best #7, table default)
Advertised to update-groups:
75 114 118 122
<snip>
Refresh Epoch 1
206155
89.234.186.158 from 89.234.186.158 (80.67.190.204)
Origin IGP, metric 50, localpref 200, valid, external
Community: 64496:200
path 7FA510447288 RPKI State not found <<<< ok, expected.
rx pathid: 0, tx pathid: 0
Refresh Epoch 1
206155, (Received from a RR-client)
185.1.89.27 (metric 11) from 89.234.186.34 (89.234.186.34)
Origin IGP, metric 150, localpref 150, valid, internal, best
Community: 64496:100 64496:2150
unknown transitive attribute: flag 0xE0 type 0x20 length 0x18
value 0003 1D3C 0000 0064 0000 0096 0003 1D3C
0003 1D3C 0000 0064
path 7FA51044F508 RPKI State valid <<<<<<< ???
rx pathid: 0, tx pathid: 0x0
The bird on asbr02 does not show the prefix as roa valid:
bird> show route for 44.151.210.0 all
Table master4:
44.151.210.0/23 unicast [bgp_breizhix_ipv4 2020-04-30 from
185.1.89.1] * (100) [AS206155i]
via 185.1.89.27 on enp3s0f0.22
Type: BGP univ
igp_metric: 20
BGP.origin: IGP
BGP.as_path: 206155
BGP.next_hop: 185.1.89.27
BGP.local_pref: 150
BGP.community: (64496,100)
BGP.ext_community: (generic, 0x43000000, 0x1) <<< ROA not found
BGP.large_community: (204092, 100, 150)
unicast [bgp_cogent_ipv4 14:13:53.541] (100) [AS206155i]
I've captured the update from asbr02 to asbr01 and there isn't the
0x43 extended community. However after this first update asbr01
reflects it to the other ibgp peers _with_ the validation state 0x00!
The capture is available here: https://paste.swordarmor.fr/tHOf
I'm quite new at RPKI, so I might be missing something entirely, but
the Cisco behaviour looks wrong at best, if not dangerous, as this
makes unsigned prefixes look valid.
I've skimmed for known rpki bugs on XE and haven't found anything
conclusive, hence my attempt at having more eyeballs looking at this
:)
What's the list view on this issue?
thanks
pierre
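Added example, not from the post nor from Cisco or BIRD code: it decodes the RFC 8097 origin-validation-state extended community that BIRD displays as (generic, 0x43000000, 0x1), decodes the "unknown transitive attribute" type 0x20 (the LARGE_COMMUNITY attribute, RFC 8092) from the asbr01 output, and runs RFC 6811 origin validation against a constructed ROA set that, like the real one described above, has no ROA covering 44.151.210.0/23. The ROA set, the TEST-NET prefix in it and the byte layout reconstructed from BIRD's display are assumptions.

```python
import ipaddress

# RFC 8097: transitive opaque ext. community, type 0x43, sub-type 0x00,
# four reserved bytes, validation state in the last byte.
STATE_NAMES = {0: "valid", 1: "not found", 2: "invalid"}


def parse_validation_state_extcomm(raw: bytes):
    """Return the RFC 8097 state name carried in an 8-byte extended
    community, or None if it is not an origin-validation community."""
    if len(raw) != 8 or raw[0] != 0x43 or raw[1] != 0x00:
        return None
    return STATE_NAMES.get(raw[7], "reserved")


def origin_validation(prefix: str, origin_as: int, roas) -> str:
    """RFC 6811 origin validation of (prefix, origin AS) against a ROA set.
    Each ROA is (prefix, maxLength, asn); no covering ROA means 'not found'."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas
                if ipaddress.ip_network(r[0]).version == net.version
                and net.subnet_of(ipaddress.ip_network(r[0]))]
    if not covering:
        return "not found"
    if any(asn == origin_as and net.prefixlen <= maxlen
           for _, maxlen, asn in covering):
        return "valid"
    return "invalid"


def parse_large_communities(value: bytes):
    """Decode a LARGE_COMMUNITY attribute value (type 0x20, RFC 8092) into
    (global administrator, local data 1, local data 2) tuples."""
    if len(value) % 12:
        raise ValueError("large community value must be a multiple of 12 bytes")
    return [tuple(int.from_bytes(value[i + j:i + j + 4], "big") for j in (0, 4, 8))
            for i in range(0, len(value), 12)]


# Constructed ROA set: nothing covers 44.151.210.0/23 (TEST-NET, not a real ROA).
SAMPLE_ROAS = [("192.0.2.0/24", 24, 64496)]
# Byte layout assumed from BIRD's display (generic, 0x43000000, 0x1).
BIRD_EXTCOMM = bytes.fromhex("4300000000000001")
# Same community with state 0x00, as asbr01 reflected it to its iBGP peers.
REFLECTED_EXTCOMM = bytes.fromhex("4300000000000000")
# Value of the type 0x20 attribute quoted in the asbr01 output (24 bytes).
LARGE_COMM_VALUE = bytes.fromhex(
    "00031D3C 00000064 00000096 00031D3C 00031D3C 00000064".replace(" ", ""))

if __name__ == "__main__":
    print(origin_validation("44.151.210.0/23", 206155, SAMPLE_ROAS))
    print(parse_validation_state_extcomm(BIRD_EXTCOMM),
          parse_validation_state_extcomm(REFLECTED_EXTCOMM))
    print(parse_large_communities(LARGE_COMM_VALUE))
```

The validator view and the BIRD community agree on "not found"; the reflected community is the one the Cisco shows as "RPKI State valid".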