Expiration for ROA tables until when the VRP is valid?

Job Snijders job at fastly.com
Sun Sep 19 14:20:08 CEST 2021


On Sun, Sep 19, 2021 at 12:38:28PM +0200, Job Snijders wrote:
> The OpenBSD RPKI validator (which can generate BIRD config snippets!)
> calculates the "transitive expiration moment". This is the 'nearest'
> moment a given ROA no longer should be considered when validating BGP
> routes. Every RPKI CA periodically refreshes/resigns data related to
> their ROAs, so every time the validation process runs, it'll output
> updated expiration moments: under normal circumstances ROAs don't drop
> out of the rotation because of expiration.

To better illustrate the feature request, I'm now generating a new BIRD2
config snippet once an hour at this URL:

	http://kiera.meerval.net/bird.roa.conf.txt

I've modified this rpki-client instance to also emit the expires %lld.
Each RPKI entry now contains an 'expires' timestamp as seconds since
epoch, which signifies the "do not use after" date. Nobody wants to
drink expired milk! :-)

Imagine a workflow where someone put in crontab:

	wget -O /etc/bird/rpki.conf http://kiera.meerval.net/bird.roa.conf.txt
	birdc configure

and in their /etc/bird/bird.conf a line like

	include "rpki.conf";

Now, if the kiera.meerval.net service were to disappear for one reason or
another, the BGP daemon won't receive new RPKI ROA information.

In that scenario, having BIRD check every few minutes whether any ROAs
it previously loaded have by now expired can be very helpful!

Kind regards,

Job

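The failure mode described above (the fetch in crontab silently stops working and the router keeps validating against stale VRPs) can also be guarded against on the fetching side until BIRD grows native expiry support. The following is an added example, not rpki-client's or BIRD's own code: a small filter that drops every ROA whose 'expires' timestamp has passed before the snippet is handed to BIRD, and reports the earliest remaining expiry so the cron job can alarm when the feed is going stale. It assumes, for illustration only, that each `route ... max N as ASN;` line carries a trailing `# expires <unix-seconds>` comment; the sample snippet below is constructed, and the real rpki-client layout of the expiry field may differ.

```python
"""Drop expired ROAs from a BIRD2 ROA config snippet before loading it.

Added example (not rpki-client or BIRD code). Assumed layout: every
route line ends in a "# expires <unix-seconds>" comment.
"""
import re
import sys
import time

# Constructed sample snippet; the expiry comment format is an assumption.
SAMPLE_CONF = """\
roa4 table roa4;
protocol static {
    roa4 { table roa4; };
    route 192.0.2.0/24 max 24 as 64496;  # expires 1632060000
    route 198.51.100.0/24 max 25 as 64497;  # expires 1700000000
    route 203.0.113.0/24 max 24 as 64498;  # expires 4102444800
}
"""

# Matches one annotated ROA line and captures its fields.
ROUTE_RE = re.compile(
    r"^\s*route\s+(?P<prefix>\S+)\s+max\s+(?P<maxlen>\d+)\s+as\s+(?P<asn>\d+);"
    r"\s*#\s*expires\s+(?P<expires>\d+)\s*$"
)


def filter_expired(conf_text, now):
    """Return (filtered_conf, dropped).

    Lines that are not annotated route lines (table and protocol
    boilerplate) pass through unchanged. A ROA whose expiry is at or
    before `now` is removed and recorded in `dropped` as
    (prefix, asn, expires).
    """
    kept, dropped = [], []
    for line in conf_text.splitlines():
        m = ROUTE_RE.match(line)
        if m is None:
            kept.append(line)
            continue
        expires = int(m.group("expires"))
        if expires <= now:
            dropped.append((m.group("prefix"), m.group("asn"), expires))
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", dropped


def next_expiry(conf_text):
    """Earliest 'expires' value in the snippet, or None if it has none.

    Useful as a freshness gauge: if the feed keeps being refreshed this
    value keeps moving into the future; if it stops moving, the fetch
    is broken and the remaining ROAs are slowly going stale.
    """
    stamps = [int(m.group("expires"))
              for m in (ROUTE_RE.match(l) for l in conf_text.splitlines())
              if m is not None]
    return min(stamps) if stamps else None


def main():
    # Read the downloaded snippet from stdin (or use the sample), write
    # the filtered version to stdout, report drops on stderr.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONF
    now = int(time.time())
    out, dropped = filter_expired(text, now)
    for prefix, asn, expires in dropped:
        print(f"dropped expired ROA {prefix} AS{asn} (expired {expires})",
              file=sys.stderr)
    earliest = next_expiry(out)
    if earliest is not None:
        print(f"earliest remaining expiry in {earliest - now} s",
              file=sys.stderr)
    sys.stdout.write(out)


if __name__ == "__main__":
    main()
```

In the crontab workflow from the mail this would sit between the `wget` and `birdc configure`, e.g. `wget -O - URL | python3 roa_filter.py > /etc/bird/rpki.conf`; if the download fails, the previously filtered file is left in place and the filter's "earliest remaining expiry" message shrinking towards zero is the signal that the feed has stopped.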
