roa_check not re-evaluating after roa table update

Ondrej Zajicek santiago at crfreenet.org
Tue Jun 13 13:40:26 CEST 2017


On Fri, Jun 09, 2017 at 01:17:08PM +0200, Stefan Plug wrote:
> Hi guys,
> 
> Bird 1.6.3
> 
> Just testing about with the RPKI roa_check and it seems that my routes are not being re-evaluated after a "configure" when my roa table is updated.
> I do this check during the import phase so the routes are already in the table once I update the roa table.
> 
> simple check example:
> 	roa table roa_table {
> 	    roa 200.0.0.0/24 max 24 as 1340;
> 	}
> 	if (roa_check(roa_table, net, bgp_path.last)) = ROA_INVALID then {
> 	    if hardFilterRPKI > 0 then {
> 	        return false;
> 	    }
> 	    else {
> 	        return true;
> 	    }
> 	}
> 
> Now I update the config to:
> 	roa table roa_table {
> 	    roa 200.0.0.0/24 max 24 as 1340;
> 	    roa 200.0.0.0/24 max 24 as 1339;
> 	}
> 
> When I now reconfigure BIRD this makes no changes at all. If I restart BIRD and thus the routes get re-sent, then they do both get through the check as
> expected. When adding/deleting roa entries using the command line I see the same behaviour.
> 
> Do note when I change the "hardFilterRPKI" which decides to actually filter or not, then the routes DO get re-evaluated like they should.

Hi

Currently, BIRD re-evaluates routes when a filter or protocol changes
(that is why it re-evaluates when hardFilterRPKI is changed). But it
does not re-evaluate them when just the content of the ROA table is changed.

You could re-evaluate the appropriate protocols by hand using the 'reload' command.

Or you could workaround that by having something like:
define roa_generation = 123;

And then reference this constant from appropriate filters, even by some
dummy reference, like: if (roa_generation = 0) then reject;

And increase roa_generation value each time you change roa_table.
That will trigger re-evaluation.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
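The roa_generation workaround from the reply above, as an added example that is not part of the original thread or of BIRD itself: a small POSIX shell helper that bumps the `define roa_generation = N;` constant in a BIRD 1.6 config so that every filter referencing it is re-evaluated on the next `configure`. The file name, the `rpki_in` filter and the sample ROA entry are constructed for the example.

```shell
#!/bin/sh
# Bump the "define roa_generation = N;" constant in a BIRD 1.6 config file so
# that filters which reference it get re-evaluated on the next "configure".
set -eu

# Constructed sample config (not a real deployment): the ROA table, the
# generation constant, and a filter that references the constant only so
# that its evaluation depends on it.
write_sample_config() {
    cat > "$1" <<'EOF'
roa table roa_table {
    roa 200.0.0.0/24 max 24 as 1340;
}
define roa_generation = 123;
filter rpki_in {
    # dummy reference: any change to roa_generation re-evaluates this filter
    if (roa_generation = 0) then reject;
    if (roa_check(roa_table, net, bgp_path.last) = ROA_INVALID) then reject;
    accept;
}
EOF
}

# Print the generation number currently stored in the config file.
current_roa_generation() {
    awk '/^define roa_generation = [0-9]+;/ { sub(/;/, "", $4); print $4 }' "$1"
}

# Increment the generation number in place and print the new value.
bump_roa_generation() {
    tmp=$(mktemp)
    awk '/^define roa_generation = [0-9]+;/ { sub(/[0-9]+;/, ($4 + 1) ";") } { print }' \
        "$1" > "$tmp" && mv "$tmp" "$1"
    current_roa_generation "$1"
}

# Bump the generation, then ask the running daemon to reload its config.
# Needs a live BIRD instance and birdc in PATH; run it by hand after editing
# the roa table, e.g.: bump_and_reconfigure /etc/bird/bird.conf
bump_and_reconfigure() {
    bump_roa_generation "$1" >/dev/null
    birdc configure
}
```

Any ROA change made by editing the config (or by a script that rewrites the roa table block) should be followed by one bump; changes made only through the birdc command line still need a 'reload' of the affected protocols, as the reply notes.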
