RPKI / roa_check() question - BIRD 2.0.2
Matthias Waehlisch
m.waehlisch at fu-berlin.de
Wed Apr 11 19:06:19 CEST 2018
Hi Radu,
the path includes an AS-set ({30884 65004 65005}).
"Both first and last return zero if there is no appropriate ASN, for
example if the path contains an AS set element as the first (or the
last) part. If the path ends with an AS set, last_nonaggregated may be
used to get last ASN before any AS set. "
AS-sets are deprecated: https://tools.ietf.org/html/rfc6472
Strictly speaking, you you don't know which AS in AS-set is the actual
origin.
Cheers
matthias
On Wed, 11 Apr 2018, Radu Anghel wrote:
> Hello,
>
> I have found this while doing RPKI validation:
>
> net = 94.127.104.0/21
> bgp_path = 48112 6830 174 13110 {30884 65004 65005}
> BGP.aggregator: 10.253.27.1 AS13110 (don't know how to read this from a var)
>
> roa_check(rpki4, net, bgp_path.last) returns ROA_INVALID because BIRD
> thinks bgp_path.last = 0
>
> There is a valid ROA for 94.127.104.0/21 and AS13110, so I guess the
> validation should be done on the aggregator AS.
>
> Could you tell me what is the corect way to handle this?
>
> TIA,
> Radu
>
--
Matthias Waehlisch
. Freie Universitaet Berlin, Computer Science
.. http://www.cs.fu-berlin.de/~waehl
More information about the Bird-users
mailing list