BIRD 2 does not re-validate RPKI status?

Maria Jan Matejka jan.matejka at nic.cz
Fri Jun 21 10:53:56 CEST 2019


Hello!

On 6/21/19 9:09 AM, Tim Bruijnzeels wrote:
> I am not sure if this is an artefact of my set-up, or a missing feature / bug in Bird.

Yes, it is a documented missing feature in Bird, see the RPKI chapter in documentation:

	You can validate routes (RFC 6483) using
	function roa_check() in filter and set it as import filter at the BGP
	protocol. BIRD should re-validate all of affected routes after RPKI update by
	RFC 6811, but we don't support it yet! You can use a BIRD's client command
	"reload in <bgp_protocol_name>" for manual call of revalidation of all
	routes.

> [...]
> 
> According to RFC6811 affected prefixes MUST be re-validated when the cache has changes:
> https://tools.ietf.org/html/rfc6811#section-4
> 
> My work-around was to restart the sessions with peers and this forced re-validation. But it is not the best solution. I also lose all the routes temporarily.

Use
	reload in <protocolname>
after ROA is changed.

> Is this a local issue? Did I miss something in my set-up? Or is this expected behaviour in Bird? If so, is supporting re-validation on the roadmap?

Yes, it is even partially done, anyway it needed some internal structural changes
inside BIRD. We know about it and we consider it better to have limited ROA support
instead of having nothing.

This is one of the hottest features to be done ASAP.

Maria
developer of BIRD
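
Added example, not part of the original message and not BIRD's code: a small model of RFC 6811 origin validation showing why a state stored at import time goes stale when the ROA set changes, and which routes a re-validation pass has to touch. The function names, prefixes and AS numbers are constructed for illustration.

```python
import ipaddress

VALID, INVALID, UNKNOWN = "valid", "invalid", "unknown"

# Constructed sample data: documentation prefixes and ASNs only.
# A ROA is (prefix, max_length, origin_asn); a route is (prefix, origin_asn).
ROUTES = [("192.0.2.0/24", 64500), ("198.51.100.0/24", 64501),
          ("2001:db8::/48", 64502)]
OLD_ROAS = [("192.0.2.0/24", 24, 64500)]
NEW_ROAS = [("192.0.2.0/24", 24, 64510), ("2001:db8::/32", 48, 64502)]

def covers(roa_prefix, prefix):
    """True if the ROA prefix covers the route prefix (same address family)."""
    roa_net, net = ipaddress.ip_network(roa_prefix), ipaddress.ip_network(prefix)
    return roa_net.version == net.version and net.subnet_of(roa_net)

def roa_check(roas, prefix, origin_asn):
    """RFC 6811 origin validation of one route against a ROA set."""
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        if not covers(roa_prefix, prefix):
            continue
        covered = True  # some ROA covers the route, so it cannot be UNKNOWN
        length_ok = ipaddress.ip_network(prefix).prefixlen <= max_len
        if length_ok and roa_asn == origin_asn and roa_asn != 0:
            return VALID
    return INVALID if covered else UNKNOWN

def affected_routes(routes, old_roas, new_roas):
    """Routes covered by at least one ROA that was added or withdrawn."""
    changed = set(old_roas) ^ set(new_roas)
    return [r for r in routes if any(covers(c[0], r[0]) for c in changed)]

def revalidate(states, routes, old_roas, new_roas):
    """Recompute the stored state of affected routes only."""
    for route in affected_routes(routes, old_roas, new_roas):
        states[route] = roa_check(new_roas, *route)
    return states

def demo():
    """Return (states kept from import time, states after re-validation)."""
    stale = {r: roa_check(OLD_ROAS, *r) for r in ROUTES}
    fresh = revalidate(dict(stale), ROUTES, OLD_ROAS, NEW_ROAS)
    return stale, fresh

if __name__ == "__main__":
    for route, state in demo()[1].items():
        print(route, state)
```

Without the re-validation pass, 192.0.2.0/24 from AS 64500 keeps its import-time "valid" state even though the new ROA set makes it invalid; that gap is what the manual reload closes.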
