[j-nsp] Please push Juniper to implement RFC6907

Weber, Markus Markus.Weber at kpn.de
Thu Oct 10 05:16:47 EDT 2019


Mark wrote:
> So what is the validator's role in this decision-making?

Nothing [*].

> My IOS XR boxes have accepted the route for installation.

It's not about 194.45.182.0/23. It's about 194.45.182.0/24
and 194.45.183.0/24. 

These should be -according to RFC6907- considered as invalid,
not as unknown (what JunOS currently does).

Cisco XR might consider 194.45.182.0/24 as unknown or
invalid (?), but 194.45.183.0/24 as valid (as within the
AS_SET an AS is listed, for which a matching ROA exists)
[source 7018].

The consequences on JunOS: easy bypassing of the validation
mechanism (and it even works for more specifics, which you
can't do by just "spoofing" the origin AS).

Checking lg.seacomnet.com I see both /24s accepted with
"RPKI State not found".

Markus


[*] Well, the validator should - besides validating the ROAs
- as well ensure that the <prefix,max-length,originAS> are
"reasonable" ... ever fed <1.2.3.0/24,23,1> via rtr to JunOS
(max-length > prefix mask)? Another "hope there will never be
published ROAs passing through validators causing similar
effects" (JunOS simply takes the rtr session down when seeing
such records via rtr).

-- 
AS286 - for the time being ...
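The following is an added worked example, not part of Markus's post and not Juniper's or Cisco's code. It implements the RFC 6811 origin-derivation rule (a route whose final AS_PATH segment is an AS_SET has origin "NONE" and therefore can never match a VRP, so it is Invalid whenever a covering ROA exists) and places it beside the two other behaviours the post describes: treating such a route as NotFound ("unknown"), and accepting it as Valid when any AS_SET member has a matching ROA. The VRP for 194.45.182.0/23 (max-length 24, origin AS 64500), the AS numbers, and the local AS are constructed values, not data from the page; the footnote's sanity check (max-length below the prefix length) is shown as a filter on the VRP list.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# RFC 6811 "NONE": the route's origin AS cannot be determined (e.g. AS_SET origin).
NONE_ORIGIN = None


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: <prefix, max-length, origin AS> as fed over rtr."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    origin_as: int


def parse_vrp(prefix: str, max_length: int, origin_as: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix), max_length, origin_as)


def sane_vrps(vrps: list[VRP]) -> list[VRP]:
    """Drop records like <1.2.3.0/24,23,1>: max-length must lie between the
    prefix length and the address family's maximum (24..32 for IPv4)."""
    return [v for v in vrps
            if v.prefix.prefixlen <= v.max_length <= v.prefix.max_prefixlen]


def route_origin_as(as_path: list[tuple[str, list[int]]], local_as: int):
    """RFC 6811 section 2 origin derivation.
    as_path is a list of (segment_type, [ASNs]) in path order."""
    if not as_path:
        return local_as                     # empty AS_PATH: locally originated
    seg_type, asns = as_path[-1]
    if seg_type == "AS_SEQUENCE":
        return asns[-1]                     # rightmost AS of the final sequence
    if seg_type in ("AS_CONFED_SEQUENCE", "AS_CONFED_SET"):
        return local_as
    return NONE_ORIGIN                      # AS_SET (or any other type)


def validate(prefix: str, as_path, vrps: list[VRP],
             local_as: int = 64496, as_set_mode: str = "rfc6811") -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for the route.
    as_set_mode selects how an AS_SET origin is handled:
      'rfc6811'    - origin NONE never matches: Invalid if any VRP covers the prefix
      'unknown'    - the behaviour the post attributes to JunOS: NotFound
      'any-member' - the behaviour the post attributes to IOS XR: Valid if any
                     AS_SET member has a matching VRP"""
    net = ipaddress.ip_network(prefix)
    covering = [v for v in vrps
                if v.prefix.version == net.version and net.subnet_of(v.prefix)]
    if not covering:
        return "NotFound"

    def matches(origin: int) -> bool:
        return any(v.origin_as == origin and net.prefixlen <= v.max_length
                   for v in covering)

    origin = route_origin_as(as_path, local_as)
    if origin is NONE_ORIGIN:
        if as_set_mode == "unknown":
            return "NotFound"
        if as_set_mode == "any-member":
            return "Valid" if any(matches(a) for a in as_path[-1][1]) else "Invalid"
        return "Invalid"
    return "Valid" if matches(origin) else "Invalid"


# Constructed VRP set (hypothetical ROA data, not from the page): the /23 may be
# announced as /23 or /24 by AS 64500. The second record is the footnote's
# malformed example and is dropped by sane_vrps().
VRPS = sane_vrps([
    parse_vrp("194.45.182.0/23", 24, 64500),
    parse_vrp("1.2.3.0/24", 23, 1),
])

# AS_SEQUENCE origin: the normal case.
SEQ_PATH = [("AS_SEQUENCE", [64510, 64500])]
# AS_SET origin containing the ROA's AS: the case the post is about.
SET_PATH = [("AS_SEQUENCE", [64510]), ("AS_SET", [64500, 64501])]


def demo() -> dict[str, str]:
    return {
        "/23 via AS_SEQUENCE":            validate("194.45.182.0/23", SEQ_PATH, VRPS),
        "/25 via AS_SEQUENCE (maxlen)":   validate("194.45.183.0/25", SEQ_PATH, VRPS),
        "/24 via AS_SET, RFC 6811":       validate("194.45.182.0/24", SET_PATH, VRPS),
        "/24 via AS_SET, as unknown":     validate("194.45.182.0/24", SET_PATH, VRPS,
                                                   as_set_mode="unknown"),
        "/24 via AS_SET, any-member":     validate("194.45.183.0/24", SET_PATH, VRPS,
                                                   as_set_mode="any-member"),
    }


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:32s} {state}")
```

The three AS_SET modes exist only to make the difference visible side by side; a validating router should implement the first one, since the "unknown" result is what lets an AS_SET-originated more-specific slip past origin validation even though a covering ROA exists.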


