[outages] Peering issue between Cogent and Tata?

Robert Heuvel RHeuvel at atom86.net
Tue Jan 10 13:14:54 EST 2023 

I stand corrected (by Job).

Output from our router shows that both AS-es are valid

show validation database | match 35.208.0.0/15
35.208.0.0/15-15           15169 192.168.28.28                           valid   *
35.208.0.0/15-15           15169 192.168.28.29                           valid   *
35.208.0.0/15-15           19527 192.168.28.28                           valid   *
35.208.0.0/15-15           19527 192.168.28.29                           valid   *

So my interpretation of info shown by routinator is not correct.
Sorry for any confusion I may have caused!

R.

-----Original Message-----
From: Outages <outages-bounces at outages.org> On Behalf Of Robert Heuvel via Outages
Sent: Tuesday, January 10, 2023 06:34 PM
To: Job Snijders <job at instituut.net>
Cc: outages at outages.org
Subject: Re: [outages] Peering issue between Cogent and Tata?

Job,

I have used the routinator client and that only shows AS15169 as being valid.

R.

-----Original Message-----
From: Job Snijders <job at instituut.net>
Sent: Tuesday, January 10, 2023 06:30 PM
To: Robert Heuvel <RHeuvel at atom86.net>
Cc: Miller, Jon <JMiller at boselaw.com>; mike tancsa <mike at sentex.net>; outages at outages.org
Subject: Re: [outages] Peering issue between Cogent and Tata?

Hi Robert, others,

On Tue, Jan 10, 2023 at 05:23:58PM +0000, Robert Heuvel via Outages wrote:
> That is a Route Validation issue.

I'm not sure it is!

> The IP 35.209.30.41 is part of 35.208.0.0/15 for which a ROA has been 
> created by AS15169 to be originated by AS15169.
>
> If check the IP on the Cogent looking glass, Cogent shows that the IP 
> is coming from AS19527 (which is not correct according to the ROA for 
> this prefix…

There are two ROAs for this prefix, one authorising 15169 and the other authorising 19527:

19527: https://console.rpki-client.org/rpki.arin.net/repository/arin-rpki-ta/5e4a23ea-e80a-403e-b08c-2171da2157d3/746e0111-fafb-430f-b778-d204cfcd99a8/8314711c-e263-425a-adda-3995b7095d9d/07879125-74b8-3a42-b7b0-80fdd7b7a73f.roa.html

15169: https://console.rpki-client.org/rpki.arin.net/repository/arin-rpki-ta/5e4a23ea-e80a-403e-b08c-2171da2157d3/746e0111-fafb-430f-b778-d204cfcd99a8/8314711c-e263-425a-adda-3995b7095d9d/ca819b63-a4f5-312d-a544-77c183e52a22.roa.html

The RFC 6811 BGP route validation algorithm only requires a single (one) ROA to set the state of the route as "valid". Multiple ROAs for the same prefix do not conflict with each other.

Kind regards,

Job
_______________________________________________
Outages mailing list
Outages at outages.org
https://puck.nether.net/mailman/listinfo/outages

More information about the Outages mailing list