RPKI validation on startup

Maria Matějka maria.matejka at nic.cz
Mon Nov 11 12:39:48 CET 2019


Hello, this is due to the RPKI table being empty on startup. As a workaround, I suggest having BGP sessions with a delayed start.

The problem is also that BIRD doesn't reevaluate affected routes after a ROA has changed. This is going to be fixed in the near future, yet for now the best thing to do is probably to reload the affected BGP protocols manually every time BIRD gets some updates from the RPKI protocol.

Maria

On 11/11/19 12:43 AM, Brooks Swinnerton wrote:
> Hello,
> 
> I have RPKI validation working correctly, but it seems that when BIRD first starts it does not reject invalid RPKI routes. If I run `reload in <protocol>` everything works great.
> 
> I suspect this is some sort of race condition in 2.0.7. Has anyone else come across this?
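
The manual workaround described in this thread (reload the affected BGP protocols whenever the ROA set changes), sketched as an added example that is not part of the original messages or of BIRD itself. The ROA table names `r4`/`r6`, the protocol names `bgp_up1`/`bgp_up2` and the state file path are assumptions; only `show route table` and `reload in` are used from birdc.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: ROA tables r4/r6,
# BGP protocols bgp_up1/bgp_up2, and the state file path.
BIRDC="${BIRDC:-birdc}"
ROA_TABLES="${ROA_TABLES:-r4 r6}"
BGP_PROTOCOLS="${BGP_PROTOCOLS:-bgp_up1 bgp_up2}"
STATE_FILE="${STATE_FILE:-/var/run/bird-roa.state}"

# Print a checksum over the current contents of all ROA tables.
# cksum is only a change detector here, not an integrity check.
roa_digest() {
    out=""
    for t in $ROA_TABLES; do
        part=$($BIRDC show route table "$t") || return 1
        out="$out$part"
    done
    printf '%s' "$out" | cksum
}

# Returns 0 if the ROA set changed and every BGP import was reloaded,
# 1 if nothing changed, 2 if a birdc call exited non-zero (the state file
# is then left untouched, so the next run retries the reload).
sync_roa() {
    new=$(roa_digest) || { echo "birdc failed, nothing reloaded" >&2; return 2; }
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    if [ "$new" = "$old" ]; then
        return 1
    fi
    for p in $BGP_PROTOCOLS; do
        $BIRDC reload in "$p" >/dev/null || return 2
    done
    printf '%s\n' "$new" > "$STATE_FILE"
}

# Run from cron or a timer as: roa-reload.sh run
if [ "${1:-}" = "run" ]; then
    sync_roa
    exit $?
fi
```

Because no state file exists on the first run, the first invocation after the ROA tables have been filled always reloads, which also covers the empty-table-on-startup case from the original report.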
