Question for proper RPKI check integration in the bird v2.0.4 with Euro-IX Informational BGP communities

Ondrej Zajicek santiago at crfreenet.org
Wed Sep 25 16:14:54 CEST 2019


On Wed, Sep 25, 2019 at 11:36:20AM +0100, Barry O'Donovan wrote:
> Hi Irene,
> 
> looks like you're trying to put together a route server config?
> 
> First thing that jumps out at me is you have "roa check" but it should
> be "roa_check".
> 
> We have full working sample configs that are used in our continuous
> integration tests for IXP Manager - here's a v4 version which includes RPKI:
> 
> https://github.com/inex/IXP-Manager/blob/master/data/travis-ci/known-good/ci-apiv4-b2-rs1-lan1-ipv4.conf

Hi

One note - for roa_check(), you should not use bgp_path.last_nonaggregated,
you should use bgp_path.last, or better just use implicit form:

 roa_check(t_roa)

If there is AS_SET on end position, then result should be invalid if
there are related ROAs, or unknown otherwise, (see RFC 6907), it should
not be check based on neighboring (nonaggregated) ASN.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."


More information about the Bird-users mailing list