RPKI / roa_check() question - BIRD 2.0.2
Radu Anghel
radu.anghel at xindi.ro
Wed Apr 11 19:35:00 CEST 2018
Thank you, it works with last_nonaggregated, I don't know how I didn't
notice that in the doc.
Radu
On 11.04.2018 20:06, Matthias Waehlisch wrote:
> Hi Radu,
>
> the path includes an AS-set ({30884 65004 65005}).
>
> "Both first and last return zero if there is no appropriate ASN, for
> example if the path contains an AS set element as the first (or the
> last) part. If the path ends with an AS set, last_nonaggregated may be
> used to get last ASN before any AS set. "
>
> AS-sets are deprecated: https://tools.ietf.org/html/rfc6472
>
> Strictly speaking, you you don't know which AS in AS-set is the actual
> origin.
>
>
>
> Cheers
> matthias
>
>
> On Wed, 11 Apr 2018, Radu Anghel wrote:
>
>> Hello,
>>
>> I have found this while doing RPKI validation:
>>
>> net = 94.127.104.0/21
>> bgp_path = 48112 6830 174 13110 {30884 65004 65005}
>> BGP.aggregator: 10.253.27.1 AS13110 (don't know how to read this from a var)
>>
>> roa_check(rpki4, net, bgp_path.last) returns ROA_INVALID because BIRD
>> thinks bgp_path.last = 0
>>
>> There is a valid ROA for 94.127.104.0/21 and AS13110, so I guess the
>> validation should be done on the aggregator AS.
>>
>> Could you tell me what is the corect way to handle this?
>>
>> TIA,
>> Radu
>>
>
>
More information about the Bird-users
mailing list