ROVv6 does not behave the same way as ROVv4: What rookie mistake(s) did I make?
Dear all,

We just turned on our RPKI Route Origin Validation yesterday, then something weird happened: [Reference: We are running NLnet Labs' Routinator 3000, feeding a Cisco ASR 1000 Series router. I know, I know, we haven't started a second validator yet.]

When we tested against the two testers: https://sg-pub.ripe.net/jasper/rpki-web-test/ and https://isbgpsafeyet.com/ the IPv4-only net-segment passed with flying colors. [By the way, very sneaky of you, Cloudflare; registering the invalid block to AS0 is a nice touch. I had to configure the router to really drop the invalid routes instead of just lowering their preference. Good show, mate!]

However, when we tested on the dual-stack net-segment, the first test passed, but the Cloudflare invalids sneak through on the IPv6 side, causing the second test to fail.

So, here comes the question: What rookie mistake(s) did I make? IPv4 and IPv6 configuration are supposed to be symmetric, right? Or did I miss something?

And since I have already started asking: For a "second validator", which choice is better: a second copy of the same software, or different software altogether?

Thanks in advance for all comments and advice,

-- Pirawat.
Based on the difficulties I have already experienced, I would bet on some default route (or, for example, 2001::/16) statically placed in your FIB pointing to an upstream. Or even the simple absence of a default route (::/0) pointing to null.

On Tue, 2 Mar 2021 at 11:21, Pirawat WATANAPONGSE via NANOG <nanog@nanog.org> wrote:
Dear all,
We just turned on our RPKI Route Origin Validation yesterday, then something weird happened: [Reference: We are running NLnet Labs’ Routinator 3000, feeding a Cisco ASR 1000 Series router. I know, I know, we haven’t started a second validator yet.]
When we tested against the two testers: https://sg-pub.ripe.net/jasper/rpki-web-test/ and https://isbgpsafeyet.com/ the IPv4-only net-segment passed with flying colors. [By the way, very sneaky of you, Cloudflare; registering the invalid block to AS0 is a nice touch. I had to configure the router to really drop the invalid routes instead of just lowering their preference. Good show, mate!]
However, when we tested on the dual-stack net-segment, the first test passed, but the Cloudflare invalids sneak through on the IPv6 side, causing the second test to fail.
So, here comes the question: What rookie mistake(s) did I make? IPv4 and IPv6 configuration are supposed to be symmetric, right? Or did I miss something?
And since I have already started asking: For a "second validator", which choice is better: a second copy of the same software, or different software altogether?
Thanks in advance for all comments and advice,
-- Pirawat.
-- Douglas Fernando Fischer, Control and Automation Engineer
Hello, On Tue, 2 Mar 2021 at 15:18, Pirawat WATANAPONGSE via NANOG <nanog@nanog.org> wrote:
We just turned on our RPKI Route Origin Validation yesterday, then something weird happened: [Reference: We are running NLnet Labs’ Routinator 3000, feeding a Cisco ASR 1000 Series router. I know, I know, we haven’t started a second validator yet.]
If you are doing ROV on IOS(-XE), you need to be aware of the surprising default behaviours. See:

https://www.mail-archive.com/nanog@nanog.org/msg104776.html
https://www.mail-archive.com/cisco-nsp@puck.nether.net/msg68472.html

Also see:

http://bgpfilterguide.nlnog.net/guides/reject_invalids/#cisco-classic-ios-an...
[By the way, very sneaky of you, Cloudflare; registering the invalid block to AS0 is a nice touch. I had to configure the router to really drop the invalid routes instead of just lowering their preference. Good show, mate!]
Not sure what you are saying, but you need to completely drop invalid routes. Lowering local-preference is not enough. This has nothing to do with AS0 ROAs.
However, when we tested on the dual-stack net-segment, the first test passed, but the Cloudflare invalids sneak through on the IPv6 side, causing the second test to fail.
Research the IPv6 address used for the invalid test, and check why it is reachable from your routers. Are invalid v6 routes in your BGP table? Do you have a default route? What does the FIB do and why? This has less to do with ROV and is more about basic network troubleshooting (BGP -> RIB -> FIB).

$ host -t AAAA invalid.rpki.cloudflare.com
invalid.rpki.cloudflare.com has IPv6 address 2606:4700:7000::6715:f40f
invalid.rpki.cloudflare.com has IPv6 address 2606:4700:7000::6715:f40e
$

So it looks like 2606:4700:7000::/48.
So, here comes the question: What rookie mistake(s) did I make? IPv4 and IPv6 configuration are supposed to be symmetric, right? Or did I miss something?
Just start with normal, basic troubleshooting, looking at the FIB, RIB and BGP table outputs for the offending IP.
And since I have already started asking: For a "second validator", which choice is better: a second copy of the same software, or different software altogether?
A different software stack can be beneficial, yes. I suggest you take a look at the Fort validator, it's a great piece of software. Lukas
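The two replies above make the same point from different angles: ROV only decides whether a BGP route is accepted, and if anything else in the RIB still covers the destination (a static default, a less-specific route to an upstream), the "invalid" address stays reachable even though the invalid route itself was dropped. The following is an added, runnable model of that chain (RFC 6811 origin validation -> route selection -> longest-prefix-match FIB), written for this page and not posted by anyone in the thread. All ROAs, prefixes (documentation space), ASNs and next-hop names are constructed sample data, and the conventions that a static route has no origin ASN and that a "null0" next hop means discard are this model's own simplifications.

```python
"""Added example: RFC 6811 ROV plus a longest-prefix-match FIB, to show why
dropping an RPKI-invalid BGP route is not enough when a covering route
(e.g. a static default to an upstream) still forwards the traffic.
All data below is constructed for illustration (documentation prefixes,
private-use ASNs, made-up next-hop names); nothing here is a real ROA."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA payload as a validator (Routinator, Fort, ...) would emit it."""
    prefix: object        # IPv4Network / IPv6Network
    max_length: int
    asn: int              # 0 means "no AS may originate this prefix"


@dataclass(frozen=True)
class Route:
    """A RIB candidate. origin_asn is None for a static route (no BGP origin)."""
    prefix: object
    origin_asn: object
    next_hop: str         # "null0" models a discard route
    local_pref: int = 100


def rov_state(prefix, origin_asn, vrps):
    """RFC 6811: not-found if no VRP covers the prefix, valid if some covering
    VRP matches the origin AS and the prefix is not longer than its maxLength,
    otherwise invalid. An AS0 VRP can never match a real origin, so it makes
    every covered announcement invalid unless another VRP permits it."""
    covering = [v for v in vrps
                if v.prefix.version == prefix.version and prefix.subnet_of(v.prefix)]
    if not covering:
        return "not-found"
    if any(v.asn == origin_asn and prefix.prefixlen <= v.max_length for v in covering):
        return "valid"
    return "invalid"


def install(routes, vrps, invalid_policy):
    """Apply ROV policy and pick the best candidate per prefix (highest local_pref).
    invalid_policy 'drop' rejects invalids; 'deprefer' keeps them at local_pref 10,
    which still installs them when no competing route for that prefix exists."""
    candidates = {}
    for r in routes:
        state = "static" if r.origin_asn is None else rov_state(r.prefix, r.origin_asn, vrps)
        if state == "invalid":
            if invalid_policy == "drop":
                continue
            r = Route(r.prefix, r.origin_asn, r.next_hop, local_pref=10)
        candidates.setdefault(r.prefix, []).append(r)
    return {p: max(rs, key=lambda c: c.local_pref) for p, rs in candidates.items()}


def lookup(fib, address):
    """Longest-prefix match; returns the next hop, or None if unreachable/discarded."""
    addr = ipaddress.ip_address(address)
    matches = [p for p in fib if p.version == addr.version and addr in p]
    if not matches:
        return None
    nh = fib[max(matches, key=lambda p: p.prefixlen)].next_hop
    return None if nh == "null0" else nh


# Constructed VRPs: an AS0 ROA for an IPv4 and an IPv6 test block, plus one normal ROA.
VRPS = [
    VRP(ipaddress.ip_network("203.0.113.0/24"), 24, 0),
    VRP(ipaddress.ip_network("2001:db8:bad::/48"), 48, 0),
    VRP(ipaddress.ip_network("2001:db8::/32"), 32, 64500),
]

# IPv4 RIB: only the (invalid) test prefix is learned, nothing else covers it.
ROUTES_V4 = [Route(ipaddress.ip_network("203.0.113.0/24"), 64496, "upstream-a")]

# IPv6 RIB as suspected in the thread: invalid /48 plus a static default to an upstream.
ROUTES_V6_LEAKY = [
    Route(ipaddress.ip_network("2001:db8:bad::/48"), 64496, "upstream-a"),
    Route(ipaddress.ip_network("::/0"), None, "upstream-a"),
]

# Same RIB with the default pointed at null instead of an upstream.
ROUTES_V6_FIXED = [
    Route(ipaddress.ip_network("2001:db8:bad::/48"), 64496, "upstream-a"),
    Route(ipaddress.ip_network("::/0"), None, "null0"),
]


def next_hop_for(routes, policy, address):
    return lookup(install(routes, VRPS, policy), address)


if __name__ == "__main__":
    print("v4 drop     :", next_hop_for(ROUTES_V4, "drop", "203.0.113.10"))
    print("v4 deprefer :", next_hop_for(ROUTES_V4, "deprefer", "203.0.113.10"))
    print("v6 leaky    :", next_hop_for(ROUTES_V6_LEAKY, "drop", "2001:db8:bad::1"))
    print("v6 fixed    :", next_hop_for(ROUTES_V6_FIXED, "drop", "2001:db8:bad::1"))
```

Run it and the four cases map onto the thread: dropping the IPv4 invalid leaves no route, so the v4 test passes; merely de-preferring it still installs it because nothing competes for that prefix (Lukas's point); on IPv6 the invalid /48 is dropped just the same, but the static ::/0 to the upstream picks the traffic up and the test fails (Douglas's point); pointing the default at null makes the destination unreachable again. The same trace also applies to a less-specific covering route such as 2001::/16: substitute it for ::/0 and the result is identical.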