[c-nsp] RPKI validation weirdness

Robert Raszuk robert at raszuk.net
Thu May 7 16:55:30 EDT 2020 

Hi Pierre,

I think this is well known bug on XE.

We just had a thread week or so back on this list.

You need to enable extended community to carry the validation state as
otherwise XE considers IBGP learned paths by default as VALID.

I think Cisco is already backporting the fixes for this - but as long as
you enable ext community state propagation you will be fine.

Thx
R.

On Thu, May 7, 2020 at 10:07 PM Pierre Emeriaud <petrus.lt at gmail.com> wrote:

> Hello all
>
> First of all, sorry for the long text wall, but I thin I have a bit of
> an interesting issue here. I have a router that announces a prefix
> that is not RPKI signed at all, hence sould neither appear valid nor
> invalid.
>
> It _does appear valid_ though on an asr1k running 03.16.06.S. Here is the
> setup.
>
> Said network (44.151.210.0/23) is announced by AS206155 to a transit
> operator (AS204092) on two peerings:
> - one direct from as206155 (89.234.186.158 - router id 80.67.190.204)
> to 204092 ("asbr01" - asr1k - 89.234.186.153)
> - one indirect from as206155 (185.1.89.27) to 204092 ("asbr02" -
> linux/bird - router id 89.234.186.34) though an IX RS.
> - this only happens if peering with asbr02 goes up before asbr01,
> otherwise asbr02 prefers the route through asbr01.
>
> asbr01 and 02 from as204092 are using the same two validators, one
> running routinator, the other is using FORT.
>
> 44.151.210.0/23 is not signed, nor is 44.128.0.0/10. Those prefixes do
> not appear as valid in the rpki table:
>
> asbr01#show ip bgp rpki table | i 44.151.210
> asbr01#
>
> However the /23 appears signed and hence is prefered:
>
> asbr01#show ip bgp | be 44.151.21
> N*   44.151.210.0/23  80.67.167.221           20             0 57199
> 34019 3215 206155 i
> N*                    193.200.43.85           10             0 34019
> 3215 206155 i
> N*                    89.234.186.158          50    200      0 206155 i
> V*>i                  185.1.89.27            150    150      0 206155
> i   <<< BEST & ROA VALID!?
>
> asbr01#show ip bgp 44.151.210.0
> BGP routing table entry for 44.151.210.0/23, version 487298116
> BGP Bestpath: deterministic-med: med
> Paths: (8 available, best #7, table default)
>   Advertised to update-groups:
>      75         114        118        122
> <snip>
>   Refresh Epoch 1
>   206155
>     89.234.186.158 from 89.234.186.158 (80.67.190.204)
>       Origin IGP, metric 50, localpref 200, valid, external
>       Community: 64496:200
>       path 7FA510447288 RPKI State not found             <<<< ok, expected.
>       rx pathid: 0, tx pathid: 0
>   Refresh Epoch 1
>   206155, (Received from a RR-client)
>     185.1.89.27 (metric 11) from 89.234.186.34 (89.234.186.34)
>       Origin IGP, metric 150, localpref 150, valid, internal, best
>       Community: 64496:100 64496:2150
>       unknown transitive attribute: flag 0xE0 type 0x20 length 0x18
>         value 0003 1D3C 0000 0064 0000 0096 0003 1D3C
>               0003 1D3C 0000 0064
>       path 7FA51044F508 RPKI State valid                 <<<<<<< ???
>       rx pathid: 0, tx pathid: 0x0
>
> The bird on asbr02 do not show the prefix as roa valid:
>
> bird> show route for 44.151.210.0 all
> Table master4:
> 44.151.210.0/23      unicast [bgp_breizhix_ipv4 2020-04-30 from
> 185.1.89.1] * (100) [AS206155i]
>         via 185.1.89.27 on enp3s0f0.22
>         Type: BGP univ
>         igp_metric: 20
>         BGP.origin: IGP
>         BGP.as_path: 206155
>         BGP.next_hop: 185.1.89.27
>         BGP.local_pref: 150
>         BGP.community: (64496,100)
>         BGP.ext_community: (generic, 0x43000000, 0x1) <<< ROA not found
>         BGP.large_community: (204092, 100, 150)
>                      unicast [bgp_cogent_ipv4 14:13:53.541] (100)
> [AS206155i]
>
>
> I've captured the update from asbr02 to asbr01 and there isn't the
> 0x43 extended community. However after this first update asbr01
> reflects it to the other ibgp peers _with_ the validation state 0x00!
> The capture is available here: https://paste.swordarmor.fr/tHOf
>
> I'm quite new at RPKI, so I might be missing something entirely, but
> the Cisco behaviour looks wrong at best, if not dangerous, as this
> makes unsigned prefixes look valid.
>
> I've skimmed for known rpki bugs on XE and haven't found anything
> conclusive, hence my attempt at having more eyeballs looking at this
> :)
>
> What's the list view on this issue?
>
> thanks
> pierre
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

More information about the cisco-nsp mailing list