RPKI doesn’t work with a FQDN
Alarig Le Lay
alarig at swordarmor.fr
Sat Jan 11 16:04:09 CET 2020
Hi,
I have this configuration:
asbr02 ~ # cat /etc/bird.conf.d/protocol_rpki/*
protocol rpki rpki_alarig {
roa4 { table r4; };
roa6 { table r6; };
#remote "msi.no.swordarmor.fr";
remote 2a0e:f42::1;
}
protocol rpki rpki_conan {
roa4 { table r4; };
roa6 { table r6; };
remote "conan.grifon.fr";
}
The first protocol establishes while the second fails:
bird> show protocols all rpki_alarig
Name Proto Table State Since Info
rpki_alarig RPKI --- up 15:54:25.902 Established
Cache server: 2a0e:f42::1:323
Status: Established
Transport: Unprotected over TCP
Protocol version: 1
Session ID: 28569
Serial number: 285
Last update: before 84.055 s
Refresh timer : 323.944/408
Retry timer : ---
Expire timer : 7115.944/7200
Channel roa4
State: UP
Table: r4
Preference: 100
Input filter: ACCEPT
Output filter: REJECT
Routes: 100516 imported, 0 exported, 100516 preferred
Route change stats: received rejected filtered ignored accepted
Import updates: 100816 0 0 0 100816
Import withdraws: 300 0 --- 0 300
Export updates: 0 0 0 --- 0
Export withdraws: 0 --- --- --- 0
Channel roa6
State: UP
Table: r6
Preference: 100
Input filter: ACCEPT
Output filter: REJECT
Routes: 16578 imported, 0 exported, 16578 preferred
Route change stats: received rejected filtered ignored accepted
Import updates: 16641 0 0 0 16641
Import withdraws: 63 0 --- 0 63
Export updates: 0 0 0 --- 0
Export withdraws: 0 --- --- --- 0
bird> show protocols all rpki_conan
Name Proto Table State Since Info
rpki_conan RPKI --- start 15:54:25.847 Transport-Error
Cache server: conan.grifon.fr:323
Status: Transport-Error
Transport: Unprotected over TCP
Protocol version: 1
Session ID: ---
Serial number: ---
Last update: ---
Refresh timer : ---
Retry timer : 451.669/600
Expire timer : ---
Channel roa4
State: DOWN
Table: r4
Preference: 100
Input filter: ACCEPT
Output filter: REJECT
Channel roa6
State: DOWN
Table: r6
Preference: 100
Input filter: ACCEPT
Output filter: REJECT
I see the DNS request (and the answer):
15:54:25.851095 IP6 asbr02.cogent-rns.grifon.fr.35411 > drogon.grifon.fr.domain: 167+ A? conan.grifon.fr. (33)
15:54:25.851105 IP6 asbr02.cogent-rns.grifon.fr.35411 > drogon.grifon.fr.domain: 14516+ AAAA? conan.grifon.fr. (33)
15:54:25.851495 IP6 drogon.grifon.fr.domain > asbr02.cogent-rns.grifon.fr.35411: 167 1/0/0 A 89.234.186.8 (49)
15:54:25.851515 IP6 drogon.grifon.fr.domain > asbr02.cogent-rns.grifon.fr.35411: 14516 1/0/0 AAAA 2a00:5884::8 (61)
But no SYN over 323.
However, I can telnet to it:
asbr02 ~ # mtr -bzwe msi.no.swordarmor.fr
Start: Sat Jan 11 15:55:59 2020
HOST: asbr02.cogent-rns.grifon.fr Loss% Snt Last Avg Best Wrst StDev
1. AS204092 regis.swordarmor.fr (2a00:5884::1f) 0.0% 10 0.2 0.2 0.1 0.3 0.0
2. AS208627 tinc0.core02-arendal.no.swordarmor.fr (2a0e:f42:fffe::6) 0.0% 10 51.5 51.7 51.2 52.2 0.0
3. AS208627 msi.no.swordarmor.fr (2a0e:f42::1) 0.0% 10 52.0 52.3 51.4 52.8 0.0
asbr02 ~ # mtr -bzwe conan.grifon.fr
Start: Sat Jan 11 15:57:47 2020
HOST: asbr02.cogent-rns.grifon.fr Loss% Snt Last Avg Best Wrst StDev
1. AS204092 conan.grifon.fr (2a00:5884::8) 0.0% 10 0.3 0.3 0.2 0.5 0.0
asbr02 ~ # telnet msi.no.swordarmor.fr 323
Trying 2a0e:f42::1...
Connected to msi.no.swordarmor.fr.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
asbr02 ~ # telnet conan.grifon.fr 323
Trying 2a00:5884::8...
Connected to conan.grifon.fr.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
And then I see the SYN:
16:01:28.787297 IP6 asbr02.cogent-rns.grifon.fr.60330 > conan.grifon.fr.323: Flags [S], seq 1340260165, win 28800, options [mss 1440,sackOK,TS val 4034128416 ecr 0,nop,wscale 7], length 0
16:01:28.787677 IP6 conan.grifon.fr.323 > asbr02.cogent-rns.grifon.fr.60330: Flags [S.], seq 287295091, ack 1340260166, win 64260, options [mss 1440,sackOK,TS val 4292064010 ecr 4034128416,nop,wscale 7], length 0
16:01:28.787713 IP6 asbr02.cogent-rns.grifon.fr.60330 > conan.grifon.fr.323: Flags [.], ack 1, win 225, options [nop,nop,TS val 4034128416 ecr 4292064010], length 0
16:01:31.114241 IP6 asbr02.cogent-rns.grifon.fr.60330 > conan.grifon.fr.323: Flags [F.], seq 1, ack 1, win 225, options [nop,nop,TS val 4034130743 ecr 4292064010], length 0
16:01:31.114709 IP6 conan.grifon.fr.323 > asbr02.cogent-rns.grifon.fr.60330: Flags [F.], seq 1, ack 2, win 503, options [nop,nop,TS val 4292066337 ecr 4034130743], length 0
16:01:31.114725 IP6 asbr02.cogent-rns.grifon.fr.60330 > conan.grifon.fr.323: Flags [.], ack 2, win 225, options [nop,nop,TS val 4034130743 ecr 4292066337], length 0
The first protocol only established when I put the IP address directly.
Plus, not having the brackets over the literal IPv6 address is a bit
confusing. The IP isn’t 2a0e:f42::1:323.
Regards,
--
Alarig
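Added example, not part of the post or of BIRD itself: a small Python check that parses `show protocols all` output like the one above, reports which rpki protocols are not Established (so a cache session stuck in Transport-Error is noticed before ROA tables go stale), and renders the cache server with brackets around an IPv6 literal, which addresses the second point. The sample output is constructed from the two sessions in the post.

```python
import ipaddress
import re

# Constructed sample, condensed from the two `show protocols all` outputs
# in the post (real birdc output indents the detail lines by two spaces).
SAMPLE = """\
Name       Proto      Table      State  Since         Info
rpki_alarig RPKI      ---        up     15:54:25.902  Established
  Cache server:     2a0e:f42::1:323
  Status:           Established
  Retry timer :     ---
rpki_conan RPKI       ---        start  15:54:25.847  Transport-Error
  Cache server:     conan.grifon.fr:323
  Status:           Transport-Error
  Retry timer :     451.669/600
"""

# Protocol summary line: name, proto, table, state, since, info.
HEADER_RE = re.compile(r"^(\S+)\s+RPKI\s+\S+\s+(\S+)\s+(\S+)\s+(.*)$")
# Indented "Key :  value" detail line beneath a protocol.
DETAIL_RE = re.compile(r"^\s+([A-Za-z ]+?)\s*:\s*(.*)$")

def parse_rpki_sessions(text):
    """Map each rpki protocol name to its state and detail fields."""
    sessions, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"state": m.group(2), "since": m.group(3),
                       "info": m.group(4).strip()}
            sessions[m.group(1)] = current
            continue
        m = DETAIL_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip().lower()] = m.group(2).strip()
    return sessions

def split_endpoint(endpoint):
    """BIRD prints 'host:port' unbracketed; the port is always the last field."""
    host, port = endpoint.rsplit(":", 1)
    return host, int(port)

def format_endpoint(endpoint):
    """Bracket a literal IPv6 address so 2a0e:f42::1:323 reads unambiguously."""
    host, port = split_endpoint(endpoint)
    try:
        if ipaddress.ip_address(host).version == 6:
            return f"[{host}]:{port}"
    except ValueError:
        pass  # hostname or IPv4 literal: no brackets needed
    return f"{host}:{port}"

def failing_sessions(text):
    """Names of rpki protocols whose status is anything but Established."""
    return [n for n, s in parse_rpki_sessions(text).items()
            if s.get("status") != "Established"]
```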