Invalid ROA
Fabiano D'Agostino
fabiano.dagostino96 at gmail.com
Tue Apr 28 14:37:05 CEST 2020
How can I ask for that?
Now I am using just RPKI as a filter and I can check invalid ROAs in syslog
or with 'show route table name all filtered'.
I would like to check valid/unknown ROAs too and I could do something like
this:

if (roa_check(r4, net, bgp_path.last) = ROA_VALID) then {
    print "RPKI valid ", net, " for ASN ", bgp_path.last;
}

and then check the syslog, but I think using communities would be better so
that I can use a command such as this one:
'show route table t_0002_as2 where bgp_large_community ~ [(1,1101,13)]'
or 'show route table t_0002_as2 where bgp_large_community ~ [(1,1101,13)]
count'.
But how can I make BIRD work with filtered routes?
Thanks,
Fabiano
On Mon, 20 Apr 2020 at 15:50, Maria Matejka <maria.matejka at nic.cz> wrote:

> Ooops, filtered. The filtered routes are by default excluded from the
> filters. You have to explicitly ask for filtered routes to make BIRD
> work with them.
>
> Maria
>
> On 4/20/20 3:47 PM, Fabiano D'Agostino wrote:
> > Thanks, I did it but it is still not working. Never mind, I will use 'show
> > route filtered'.
> >
> > On Mon, 20 Apr 2020 at 15:27, Maria Matejka <maria.matejka at nic.cz> wrote:
> >
> > > The tilde operator is not symmetric, although it visually seems to be.
> > > It can be (at least in this case) vaguely interpreted as »left operand
> > > is contained by the right operand«.
> > >
> > > In other words, exchange the operands of the tilde.
> > >
> > > Maria
> > >
> > > On 4/20/20 3:19 PM, Fabiano D'Agostino wrote:
> > > > Thanks, it worked. So the community isn't needed? I tried 'show route
> > > > table t_0002_as2 where bgp_large_community ~ [(1,1101,13)]' and it prints:
> > > > Table t_0002_as2:
> > > >
> > > > On Mon, 20 Apr 2020 at 15:00, Maria Matejka <maria.matejka at nic.cz> wrote:
> > > >
> > > > > show route all filtered
> > > > >
> > > > > shows only routes from master4 and master6 tables
> > > > >
> > > > > to show routes from this protocol, use
> > > > >
> > > > > show route table t_0002_as2 all filtered
> > > > >
> > > > > Maria
> > > > >
> > > > > On 4/20/20 2:50 PM, Fabiano D'Agostino wrote:
> > > > > > Yes, I just enabled it:
> > > > > >
> > > > > > protocol bgp {
> > > > > >     ...
> > > > > >     ipv4 {
> > > > > >         import keep filtered;
> > > > > >         import limit 250 action restart;
> > > > > >         import filter filter_rpki;
> > > > > >         table t_0002_as2;
> > > > > >     };
> > > > > > }
> > > > > >
> > > > > > RPKI is working because if I check the syslog I find the invalid
> > > > > > prefixes printed, but 'show route all filtered' doesn't show anything.
> > > > > >
> > > > > > On Mon, 20 Apr 2020 at 14:05, Maria Matejka <maria.matejka at nic.cz> wrote:
> > > > > >
> > > > > > > And do you have
> > > > > > >
> > > > > > > import keep filtered;
> > > > > > >
> > > > > > > in your config?
> > > > > > >
> > > > > > > Maria
> > > > > > >
> > > > > > > On 4/20/20 11:19 AM, Fabiano D'Agostino wrote:
> > > > > > > > Hi,
> > > > > > > > In my route server bird.conf I did this:
> > > > > > > >
> > > > > > > > define FILTERED_RPKI_INVALID = (1,1101,13);
> > > > > > > >
> > > > > > > > filter filter_rpki {
> > > > > > > >     if roa_check(..) = ROA_INVALID then {
> > > > > > > >         bgp_large_community.add(FILTERED_RPKI_INVALID);
> > > > > > > >         reject;
> > > > > > > >     }
> > > > > > > > }
> > > > > > > >
> > > > > > > > But when I do 'show route all filtered' I get nothing, I also tried
> > > > > > > > with 'show route bgp_large_community ~ [(1,1101,13)]' and I have the
> > > > > > > > same result.
> > > > > > > > Because I would like to have some statistics about
> > > > > > > > VALID/INVALID/UNKNOWN prefixes and I saw that I could use the
> > > > > > > > 'show route stats' command.
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > >
> > > > > > > > Fabiano
> > > > > > > >
> > > > > > > > On Sun, 19 Apr 2020 at 21:30, Alarig Le Lay <alarig at swordarmor.fr> wrote:
> > > > > > > >
> > > > > > > > > On Sun 19 Apr 2020 20:42:21 GMT, Fabiano D'Agostino wrote:
> > > > > > > > > > Thanks!
> > > > > > > > > > But can I also use birdc to check rejected prefixes?
> > > > > > > > >
> > > > > > > > > If you add a community, it will be visible with
> > > > > > > > > `show route all filtered`
> > > > > > > > >
> > > > > > > > > > Anyway why do you suggest to use bgp_path.last_noaggregated?
> > > > > > > > >
> > > > > > > > > Because you don't want to check ROA against another ASN in the
> > > > > > > > > aggregated path.
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Alarig
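An added example, not code from the thread and not BIRD's own sample configuration: a bird.conf fragment that tags all three ROA states with large communities, so that valid, unknown and rejected-as-invalid routes can each be listed and counted from birdc instead of grepping syslog. It assumes a roa4 table named r4 (the name in Fabiano's roa_check call), an RTR validator at the made-up address rpki-validator.example.net, the peer table t_0002_as2, a route-server ASN of 1, and the community values (1,1101,11) for VALID and (1,1101,12) for UNKNOWN, which are chosen here; only (1,1101,13) for INVALID comes from the thread. The origin-AS attribute follows Alarig's advice and is spelled bgp_path.last_nonaggregated, as in the BIRD 2 documentation.

```bird
# Added example (not from the thread). Assumptions: roa4 table r4, validator
# host rpki-validator.example.net, table t_0002_as2, route-server AS 1, and
# the VALID/UNKNOWN community values below; router id, device protocol and
# the peer's real addresses are omitted.

roa4 table r4;

protocol rpki validator1 {
    roa4 { table r4; };
    remote "rpki-validator.example.net" port 323;   # assumed RTR endpoint
    retry keep 90;
    refresh keep 900;
    expire keep 172800;
}

define RPKI_VALID   = (1, 1101, 11);   # assumed value
define RPKI_UNKNOWN = (1, 1101, 12);   # assumed value
define RPKI_INVALID = (1, 1101, 13);   # the value used in the thread

filter filter_rpki {
    # Check the ROA against the origin AS while skipping AS_SET aggregation
    # segments, so a ROA is never matched against some other ASN in the path.
    if roa_check(r4, net, bgp_path.last_nonaggregated) = ROA_INVALID then {
        bgp_large_community.add(RPKI_INVALID);
        print "RPKI invalid ", net, " origin AS ", bgp_path.last_nonaggregated;
        # Rejected here, but still stored in the table because the channel
        # below sets 'import keep filtered'.
        reject;
    } else {
        if roa_check(r4, net, bgp_path.last_nonaggregated) = ROA_VALID then {
            bgp_large_community.add(RPKI_VALID);
        } else {
            bgp_large_community.add(RPKI_UNKNOWN);
        }
    }
    accept;
}

protocol bgp peer_as2 {
    local as 1;                        # assumed route-server ASN
    neighbor 192.0.2.2 as 2;           # assumed peer (documentation prefix)
    rs client;
    ipv4 {
        table t_0002_as2;              # per-peer table, as in the thread
        import keep filtered;          # keep rejected routes visible to birdc
        import limit 250 action restart;
        import filter filter_rpki;
        export all;
    };
}

# birdc queries, with the tilde read as Maria describes it (left operand
# contained in the right operand); 'filtered' asks for the rejected routes
# that are normally hidden, 'count' gives the statistics instead of a listing:
#   show route table t_0002_as2 filtered where (1,1101,13) ~ bgp_large_community count
#   show route table t_0002_as2 where (1,1101,11) ~ bgp_large_community count
#   show route table t_0002_as2 where (1,1101,12) ~ bgp_large_community count
```

The rejected routes stay in t_0002_as2 only because of `import keep filtered`; without it there is nothing for the `filtered` query to show, which is the point the thread turns on. The `print` in the filter still writes to the log, so the syslog view and the birdc view name the same dropped prefixes.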