BIRD 2 does not re-validate RPKI status?

Tim Bruijnzeels tim at nlnetlabs.nl
Fri Jun 21 09:09:15 CEST 2019


Hi,

I am not sure if this is an artefact of my set-up, or a missing feature / bug in Bird.

I recently set up a lab with Bird 2.0.4, connecting to routinator using the rpki-rtr protocol. All works fine so far. Many thanks for supporting this!

However, I found that when ROAs get updated and the cache has new Verified ROA Payloads (VRPs), the existing routes are not re-evaluated. Bird seems to do this validation only when an actual update is seen. I.e. if a prefix was dropped because it was RPKI invalid it stays dropped even if it is now RPKI valid, and vice versa: if it was accepted because it was (in my config case) RPKI unknown or valid, it stays accepted even if it is now RPKI invalid.

According to RFC6811 affected prefixes MUST be re-validated when the cache has changes:
https://tools.ietf.org/html/rfc6811#section-4

My work-around was to restart the sessions with peers and this forced re-validation. But it is not the best solution. I also lose all the routes temporarily.

Is this a local issue? Did I miss something in my set-up? Or is this expected behaviour in Bird? If so, is supporting re-validation on the roadmap?

For a lab this doesn't matter too much, but in a real networking environment I think it's important that this works. Otherwise changes in RPKI only become effective when there are changes in BGP (I assume it's doing validation just when updates are seen), and if wrong ROAs are issued by accident, and fixed again, then prefixes may stay unreachable until a session is restarted.

Kind regards,

Tim Bruijnzeels
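The behaviour described in this post, modelled as an added example that is not part of the original message and not BIRD's code: a minimal RFC 6811 origin-validation check (valid / invalid / unknown), an import policy that drops only invalid routes (as in the poster's config), and a comparison of the decisions a router keeps if it validates only on BGP UPDATE against the decisions it would reach by re-evaluating the RIB after the VRP set changes. All prefixes, ASNs and VRPs are constructed; the function names are this example's own.

```python
"""RFC 6811 route origin validation, with and without re-evaluation after a VRP change.

Constructed example: prefixes, ASNs and VRPs below are made up (documentation ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class VRP:
    """A Validated ROA Payload as delivered over RPKI-RTR."""
    prefix: str       # covering prefix, e.g. "192.0.2.0/24"
    max_length: int   # maximum prefix length the ROA authorises
    asn: int          # authorised origin AS


@dataclass(frozen=True)
class Route:
    """A BGP route as seen in the Adj-RIB-In: announced prefix and origin AS."""
    prefix: str
    origin_asn: int


def rov_state(route: Route, vrps: Iterable[VRP]) -> str:
    """Return 'valid', 'invalid' or 'unknown' per RFC 6811 section 2.

    A VRP 'covers' the route when the route's prefix lies within the VRP prefix.
    No covering VRP -> unknown (NotFound). A covering VRP with matching origin AS and
    route length <= max_length -> valid. Covering VRPs but none matching -> invalid.
    """
    net = ipaddress.ip_network(route.prefix)
    covering = [
        v for v in vrps
        if ipaddress.ip_network(v.prefix).version == net.version
        and net.subnet_of(ipaddress.ip_network(v.prefix))
    ]
    if not covering:
        return "unknown"
    for v in covering:
        if v.asn == route.origin_asn and net.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


def accept(route: Route, vrps: Iterable[VRP]) -> bool:
    """Import policy matching the poster's setup: drop only RPKI-invalid routes."""
    return rov_state(route, vrps) != "invalid"


def evaluate_rib(routes: Iterable[Route], vrps: Iterable[VRP]) -> Dict[Route, bool]:
    """Apply the import policy to every route against the current VRP set."""
    vrps = list(vrps)
    return {r: accept(r, vrps) for r in routes}


def stale_vs_fresh(routes: List[Route], vrps_before: Set[VRP], vrps_after: Set[VRP]
                   ) -> Tuple[Dict[Route, bool], Dict[Route, bool], Set[Route]]:
    """Compare decisions frozen at the last UPDATE with decisions after re-validation.

    'stale' is what a router keeps if it only validates when an UPDATE arrives;
    'fresh' is what RFC 6811 section 4 requires once the cache changes; 'changed'
    lists the routes whose accept/reject decision flips.
    """
    stale = evaluate_rib(routes, vrps_before)
    fresh = evaluate_rib(routes, vrps_after)
    changed = {r for r in routes if stale[r] != fresh[r]}
    return stale, fresh, changed


# Constructed RIB: three routes, one of which has no ROA at all.
RIB = [
    Route("192.0.2.0/24", 64500),
    Route("198.51.100.0/24", 64501),
    Route("203.0.113.0/24", 64502),
]

# Constructed VRP sets: before the change 198.51.100.0/24 is covered by a ROA for
# the wrong AS (invalid); after the fix it is valid, while a mistaken ROA now makes
# 192.0.2.0/24 invalid. A router that never re-validates keeps the old decisions.
VRPS_BEFORE = {VRP("192.0.2.0/24", 24, 64500), VRP("198.51.100.0/24", 24, 64599)}
VRPS_AFTER = {VRP("192.0.2.0/24", 24, 64598), VRP("198.51.100.0/24", 24, 64501)}

if __name__ == "__main__":
    stale, fresh, changed = stale_vs_fresh(RIB, VRPS_BEFORE, VRPS_AFTER)
    for r in RIB:
        print(f"{r.prefix:18} AS{r.origin_asn}  stale={stale[r]}  fresh={fresh[r]}")
    print("decisions that flip on re-validation:", sorted(r.prefix for r in changed))
```

Running it shows both directions the post describes: a route dropped as invalid stays dropped in the stale view even though the corrected ROA now makes it valid, and a route accepted as valid stays accepted even though a mistaken ROA now makes it invalid. The route with no covering VRP stays unknown and is accepted in both views, which is why a policy that rejects only invalid routes is unaffected by ROA churn for prefixes that have no ROA at all.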

