[j-nsp] Please push Juniper to implement RFC6907

Mark Tinka mark.tinka at seacom.mu
Thu Oct 10 08:40:53 EDT 2019



On 10/Oct/19 11:16, Weber, Markus wrote:

> Nothing [*].

You say that, but it would be interesting to learn why the validator
isn't seeing the Invalid path.

I'll take Job up on his observations and reach out to RIPE to understand
if they think this is a bug.


> These should be -according to RFC6907- considered as invalid,
> not as unknown (what JunOS currently does).

Agree that Junos is broken.


>
> Cisco XR might consider 194.45.182.0/24 as unknown or
> invalid (?), but 194.45.183.0/24 as valid (as within the
> AS_SET an AS is listed, for which a matching ROA exists)
> [source 7018].

IOS XR is seeing neither of the /24's, meaning that it's either doing
something right, or the remote peers are filtering it (I doubt the
latter very much).


>
> The consequences on JunOS: Easy bypassing the validation
> mechanism (and even works for more specifics, which you
> can't do by just "spoofing" the origin AS).

Yes, this is not cute at all.


>
> Checking lg.seacomnet.com I see both /24s accepted with
> "RPKI State not found".

Those are IOS classic boxes (thanks, totally forgot I had those that
take a full feed, hehe).

So we know what that code does, which is akin to Junos.

Mark.
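The AS_SET rule the thread argues about, as an added example that is not part of this mailing-list post or of any vendor's code: a minimal RFC 6811-style origin validator in Python with constructed VRPs (documentation address ranges and private ASNs, not the real ROAs mentioned above), showing that an AS_SET origin is Invalid, not unknown, whenever a covering ROA exists.

```python
import ipaddress

# Constructed VRPs (prefix, max_length, origin ASN) using documentation
# ranges; they are placeholders, not the ROAs discussed in the thread.
VRPS = [
    (ipaddress.ip_network("192.0.2.0/23"), 24, 64496),
    (ipaddress.ip_network("198.51.100.0/24"), 24, 64497),
]


def origin_asn(as_path):
    """Origin per RFC 6811: the last AS_PATH element, unless it is an AS_SET
    (modelled here as a set of ints), in which case the origin is undefined."""
    last = as_path[-1]
    return None if isinstance(last, (set, frozenset)) else last


def validate(route_prefix, as_path, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for a route.

    An undefined (AS_SET) origin can match no VRP, so a route with any
    covering ROA is Invalid, as RFC 6907 describes, even when a member of
    the AS_SET has a ROA; it is NotFound only when nothing covers it."""
    prefix = ipaddress.ip_network(route_prefix)
    origin = origin_asn(as_path)
    # Covering VRPs: the route prefix lies inside the VRP prefix.
    covering = [v for v in vrps if prefix.subnet_of(v[0])]
    if not covering:
        return "not-found"
    for _vrp_prefix, max_len, asn in covering:
        if origin is not None and origin == asn and prefix.prefixlen <= max_len:
            return "valid"
    return "invalid"


if __name__ == "__main__":
    # Plain AS_SEQUENCE origin with a matching ROA.
    print(validate("192.0.2.0/24", [65000, 64496]))           # valid
    # AS_SET origin containing the ROA's ASN: still Invalid, not unknown.
    print(validate("192.0.2.0/24", [65000, {64496, 64511}]))  # invalid
    # More specific than max_length, behind an AS_SET: still Invalid.
    print(validate("198.51.100.128/25", [65000, {64497}]))    # invalid
    # No covering ROA at all.
    print(validate("203.0.113.0/24", [65000, {64496}]))       # not-found
```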


