Large communities indicating RPKI VALID status

Nigel Kukard nkukard at LBSD.net
Mon Apr 29 21:57:52 CEST 2024


On 4/29/24 19:33, Job Snijders wrote:
> On Mon, 29 Apr 2024 at 21:27, Nigel Kukard via Bird-users
> <bird-users at network.cz> wrote:
>
> > Hi there Richard,
> >
> > On 4/29/24 19:14, Richard Laager wrote:
> > > Perhaps I am naive, but I assumed one would validate RPKI on the eBGP edge and simply reject INVALID routes.
> > >
> > > Why would one want to accept INVALID at all?
> > >
> > > If we agree one would reject INVALID, then what is left to tag?
> >
> > For my specific use case I wanted to add a community for VALID and
> > UNKNOWN. I'm going to look into the non-transitive extended
> > communities to see how this works out.
>
> Sure, but why add such communities? It reduces performance and doesn’t
> add security benefits.
>
> OTOH - it can satisfy curiosity about where traffic is flowing - then
> again, using a traffic analyser like pmacct or Kentik helps offer
> insight how much traffic is going to Valid vs Not-Found destinations,
> without the need to add any communities.
>
> I’m not saying you shouldn’t pursue adding a few non-transitive
> extended communities here and there for your use case; just that
> generally speaking, operators probably should not apply different
> policies for Valid and Not-Found states.
>
Well, basically to summarize, I have quite a number of edges. My 
filtering occurs on the edges, including filtering of INVALID. I'm using 
bird to gather all prefixes from all routers using add-paths so I can 
easily do searches on my dashboard and graphically map paths to 
destinations and visually see other possible paths that are not best 
path. As my filtering occurs on the edge I don't have a way on my 
dashboard to see if the prefix was VALID or UNKNOWN.

I thought it would be something useful to see so I can color the routes 
that are VALID in a dark green or have a small green box with [RPKI 
VALID] in it next to the prefix. But I certainly see the points raised.

It's not used for anything more than analysis and visual display.

I'm looking into pmacct and Opensearch to see if I can get Netflow/IPFIX
data to help with insight into traffic flows (slightly different to
visually seeing possible traffic paths). I'm very new to Elasticsearch
and Opensearch though, and if anyone has any recommendations of
open-source platforms I can use to give me some info from Netflow/IPFIX
data I'd really appreciate it.

I did check out Kentik and Elastiflow, but my network is small and 
doesn't really have the income to support a paid product right now if I 
can achieve reasonable results with other options.

-N
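The setup discussed in this thread, rejecting INVALID at the eBGP edge and marking VALID and NOT-FOUND routes with a large community so an iBGP/add-paths collector can display the state, written out as an added BIRD 2.x configuration example. It is not configuration from the thread, from Nigel's network or from the BIRD project. The RTR cache address rtr.example.net, the local ASN 65000, the peer and collector addresses, and the community scheme (65000, 1000, 1) = VALID / (65000, 1000, 2) = NOT-FOUND are all placeholders chosen for the example.

```bird
# Added example only; not from the thread or the BIRD project.
# Assumes BIRD 2.x, an RTR cache at rtr.example.net (placeholder) and a
# local private ASN 65000 (placeholder).

roa4 table r4;
roa6 table r6;

# Fetch ROAs from a validator cache over RTR.
protocol rpki rtr_cache {
    roa4 { table r4; };
    roa6 { table r6; };
    remote "rtr.example.net" port 323;   # placeholder cache address
    retry keep 90;
    refresh keep 900;
    expire keep 172800;
}

# Origin validation state for the route being filtered.
function rpki_state() {
    if (net.type = NET_IP4) then return roa_check(r4, net, bgp_path.last);
    if (net.type = NET_IP6) then return roa_check(r6, net, bgp_path.last);
    return ROA_UNKNOWN;
}

# Constructed marker scheme: (65000, 1000, 1) = RPKI VALID,
# (65000, 1000, 2) = RPKI NOT-FOUND. INVALID never gets a marker because
# it is rejected before tagging.
filter edge_import {
    # A peer must not be able to pre-set our marker: drop any inbound
    # copy before the state is recomputed locally.
    bgp_large_community.delete([(65000, 1000, *)]);

    if (rpki_state() = ROA_INVALID) then {
        print "reject RPKI INVALID ", net, " origin AS", bgp_path.last;
        reject;
    }
    if (rpki_state() = ROA_VALID) then bgp_large_community.add((65000, 1000, 1));
    if (rpki_state() = ROA_UNKNOWN) then bgp_large_community.add((65000, 1000, 2));
    accept;
}

filter edge_export {
    # Large communities are transitive; keep the marker inside the AS.
    bgp_large_community.delete([(65000, 1000, *)]);
    accept;
}

# External peer (placeholder neighbor and ASN).
protocol bgp peer_example {
    local as 65000;
    neighbor 192.0.2.1 as 64496;
    ipv4 {
        import filter edge_import;
        export filter edge_export;
    };
}

# iBGP session to the collector keeps the marker so the dashboard can read
# it; add-paths lets the collector also see the non-best paths.
protocol bgp collector {
    local as 65000;
    neighbor 198.51.100.10 as 65000;     # placeholder collector address
    ipv4 {
        add paths tx;
        import none;
        export all;
    };
}
```

The two `delete` calls are the part that matters from a security standpoint: because large communities are transitive, a marker that is neither stripped on ingress nor on egress can be set by a neighbour or leaked to one, so the dashboard would be showing what a peer claimed rather than what the local RTR check computed. A non-transitive extended community, as suggested in the thread, avoids the egress leak by design but still needs the ingress strip.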
