[c-nsp] RPKI validation weirdness

Pierre Emeriaud petrus.lt at gmail.com
Thu May 7 17:29:03 EDT 2020


On Thu, 7 May 2020 at 22:56, Spyros Kakaroukas
<s.kakaroukas at connecticore.com> wrote:
>
> Hi Pierre,
>
> This reminds me of a case of my own while labbing RPKI on XE. Only eBGP routes are subject to RPKI validation. iBGP routes are automatically considered to be valid. Cisco's implementation in XE will automatically modify the best path selection to prefer valid over unknown over invalid very high in the selection ruleset. This is what I assume happens:
>
> If asbr02 goes up first, it gets the prefix, considers it a best path, sends it to asbr01 via iBGP. Then asbr01 goes up, compares an unknown external path to a valid internal one and chooses the second. Thus, traffic flows through there.
>
> If asbr01 goes up first, it gets the prefix from its external neighbor, considers it best, sends it to asbr02. Asbr02 comes up but I'm guessing BIRD is actually preferring the route from asbr01. Thus, it never sends its own external route to asbr01. So, asbr01 keeps preferring its own external unknown one.

This is exactly what's happening. But why the Cisco RPKI algorithm
chose to trust the iBGP relationship over the validators, even though
no extcommunity was sent, is weird...

> If I understand your design correctly, you might want to research whether BIRD can signal RPKI state via iBGP, as this would cause eventual consistency.

Yes, my fellow netadmin Alarig at as204092 just asked on BIRD's
mailing list why BIRD didn't send the extcommunity.
https://bird.network.cz/pipermail/bird-users/2020-May/014559.html for
the interested.

> Regarding the extcommunity, I'm not sure if it's the best of ideas to announce state on iBGP routes, let alone reflected ones. I'd have to check whether the RFC actually specifies this before I form an opinion on what's happening. Assuming you do have asbr01 configured to announce rpki state though, it could be the expected behavior.

While I can grasp why one could announce (and trust) RPKI state over
iBGP, in this situation the ASR1k had both a validator and no
extcommunity received whatsoever; this is what I don't understand,
why it would validate such a prefix...

Anyhow, thanks a lot for the debugging Spyros. I'll follow up with the
bird folks on this matter.

regards
pierre
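
The two bring-up orders Spyros walks through, as an added Python model written for this page (it is not code from the thread, from Cisco or from BIRD). It encodes only what the thread states: eBGP paths are checked against the router's validator, an iBGP path that carries no validation-state extcommunity counts as valid, and that state is compared before the eBGP-over-iBGP step. Everything else is an assumption and labelled as such in the code: the prefix and origin AS are constructed and have no covering ROA, so asbr01's own validator returns "unknown"; asbr02's "keep the oldest path" policy stands in for Spyros's guess that BIRD kept the path from asbr01 (the thread gives no cause for it); and `asbr02_sends_state` models the RFC 8097 extcommunity that BIRD did not send. The router, selector and message-queue names are all hypothetical.

```python
"""Toy model of the bring-up-order dependence discussed in the thread.
Constructed example; not Cisco IOS XE or BIRD code. It encodes the
behaviour the thread describes plus the assumptions noted below."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

RPKI_RANK = {"valid": 0, "unknown": 1, "invalid": 2}   # lower is preferred
PREFIX, ORIGIN_AS = "203.0.113.0/24", 64496           # constructed; no covering ROA


@dataclass
class Route:
    kind: str                # "ebgp" (own upstream) or "ibgp" (from the other ASBR)
    via: str                 # neighbour the route was learned from
    rpki_ext: Optional[str]  # RFC 8097 validation-state extcommunity, if carried
    age: int                 # arrival sequence number, lower is older


@dataclass
class Router:
    name: str
    selector: Callable[["Router", Route], tuple]
    send_state: bool         # attach the validation state to iBGP updates?
    vrps: Dict[Tuple[str, int], str] = field(default_factory=dict)  # validator view
    rib: List[Route] = field(default_factory=list)
    best: Optional[Route] = None

    def validate(self, r: Route) -> str:
        # As the thread describes XE: eBGP paths are checked against the
        # validator; an iBGP path is taken at face value and counts as
        # valid when no state is attached.
        if r.kind == "ibgp":
            return r.rpki_ext if r.rpki_ext is not None else "valid"
        return self.vrps.get((PREFIX, ORIGIN_AS), "unknown")


def xe_selector(rtr: Router, r: Route) -> tuple:
    """Validation state first, then eBGP over iBGP, then the older path."""
    return (RPKI_RANK[rtr.validate(r)], 0 if r.kind == "ebgp" else 1, r.age)


def standard_selector(rtr: Router, r: Route) -> tuple:
    """Plain eBGP-over-iBGP with no validation step."""
    return (0 if r.kind == "ebgp" else 1, r.age)


def oldest_path_selector(rtr: Router, r: Route) -> tuple:
    """Assumption standing in for Spyros's guess that asbr02 kept the path
    it already held from asbr01: the router simply keeps its oldest path."""
    return (r.age,)


def simulate(order: List[str], asbr02_selector, asbr02_sends_state: bool
             ) -> Dict[str, Tuple[str, str, str]]:
    """Bring the two ASBRs up in `order`; return each router's best path as
    (kind, learned-from, validation state as that router computes it)."""
    routers = {"asbr01": Router("asbr01", xe_selector, send_state=False),
               "asbr02": Router("asbr02", asbr02_selector, asbr02_sends_state)}
    peer = {"asbr01": "asbr02", "asbr02": "asbr01"}
    up: set = set()
    pending: List[Tuple[str, str, Optional[Route]]] = []  # (to, from, route|None=withdraw)
    clock = [0]

    def reselect(rtr: Router) -> None:
        old = rtr.best
        rtr.best = min(rtr.rib, key=lambda r: rtr.selector(rtr, r)) if rtr.rib else None
        if rtr.best is old:
            return
        # iBGP split horizon: only an eBGP-learned best path goes to the peer,
        # and an earlier advertisement is withdrawn once it is no longer best.
        if old is not None and old.kind == "ebgp":
            pending.append((peer[rtr.name], rtr.name, None))
        if rtr.best is not None and rtr.best.kind == "ebgp":
            state = rtr.validate(rtr.best) if rtr.send_state else None
            clock[0] += 1
            pending.append((peer[rtr.name], rtr.name, Route("ibgp", rtr.name, state, clock[0])))

    def deliver() -> None:
        # Process updates whose target session is up, in the order they were sent.
        while any(m[0] in up for m in pending):
            idx = next(i for i, m in enumerate(pending) if m[0] in up)
            to, frm, route = pending.pop(idx)
            rtr = routers[to]
            rtr.rib = [r for r in rtr.rib if r.via != frm]  # implicit replace / withdraw
            if route is not None:
                rtr.rib.append(route)
            reselect(rtr)

    for name in order:
        up.add(name)
        deliver()                      # the peer's Adj-RIB-Out arrives at session start...
        clock[0] += 1                  # ...then the router's own upstream route comes in
        routers[name].rib.append(Route("ebgp", "upstream-of-" + name, None, clock[0]))
        reselect(routers[name])
        deliver()

    return {n: (r.best.kind, r.best.via, r.validate(r.best)) for n, r in routers.items()}


if __name__ == "__main__":
    for sel, st in [(oldest_path_selector, False), (standard_selector, False),
                    (oldest_path_selector, True)]:
        for order in (["asbr02", "asbr01"], ["asbr01", "asbr02"]):
            print(sel.__name__, "state" if st else "no-state", order, simulate(order, sel, st)["asbr01"])
```

Run as-is, the model reproduces the thread: with the "keep the oldest path" policy on asbr02 and no state carried, asbr01 ends up on the iBGP path (counted valid) when asbr02 comes up first, and on its own unknown external path when it comes up first. Swapping asbr02 to plain eBGP-over-iBGP makes both orders converge on the iBGP path, because asbr02 then always re-advertises its external route and asbr01 always prefers the unlabelled, hence "valid", iBGP copy. Having asbr02 attach the validation state ("unknown") removes the implicit upgrade altogether, and asbr01 keeps its own external path in both orders, which is the eventual consistency Spyros points at.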

