new tool: rpki-ov-checker

Owen DeLong owen at delong.com
Thu Feb 6 18:43:27 UTC 2020



> On Feb 6, 2020, at 03:35 , Job Snijders <job at ntt.net> wrote:
> 
> Dear ops,
> 
> I wrote a simple tool to figure out what kind of invalid an RPKI invalid
> is, this can aid people in understanding the impact of "invalid ==
> reject" routing policies. Only "invalid_unreachable" routes present
> an operational issue in my opinion, IP addresses covered by "notfound"
> or "valid" less specific routes will still be reachable.

No guarantees about that last one…

A legitimate more specific announcement via a different origin AS may or may not
be reachable via the AS advertising the valid less specific.

Admittedly, this is a self-inflicted injury on the part of the AS providing the invalid ROA,
but no guarantees that it is harmless.

Owen


> You pass it a file name (or via stdin) with one prefix and origin ASN
> per line (white space separated) representing your full BGP RIB, and
> then you can grep specific for the task at hand to extract the info you
> need:
> 
> $ rpki-ov-checker full_rib | fgrep -f customer_prefixes | grep invalid | sort -R | head
> invalid_covered_by_not-found 123.101.0.0/21 4809 covering route: 123.101.0.0/16 4134
> invalid_covered_by_valid 46.3.74.0/24 134121 covering route: 46.3.0.0/16 207636
> invalid_unreachable 83.231.209.0/24 3949
> invalid_unreachable 124.30.247.0/24 9583
> invalid_covered_by_valid 125.21.232.0/24 9730 covering route: 125.21.0.0/16 9498
> invalid_unreachable 120.29.92.0/24 17639
> invalid_unreachable 31.40.164.0/24 200872
> invalid_covered_by_notfound 45.12.139.0/24 40676 covering route: 45.12.136.0/22 35913
> invalid_covered_by_valid 122.160.178.0/24 24560 covering route: 122.160.0.0/16 24560
> invalid_covered_by_valid 61.90.251.0/24 21734 covering route: 61.90.192.0/18 7470
> 
> NTT is using this to figure out who we need to help fix their ROA or
> correct their BGP announcements.
> 
> Get the goods at https://github.com/job/rpki-ov-checker
> 
> Enjoy!
> 
> Kind regards,
> 
> Job
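
The classification discussed in this thread, as an added example that is not part of either message and is not the code of rpki-ov-checker: RFC 6811 origin validation over a small RIB, followed by a search for a less specific route that survives an "invalid == reject" policy. The VRPs, prefixes and ASNs are constructed sample data, and reporting the longest surviving covering route is an assumption about how to pick one.

```python
import ipaddress

# Constructed sample data: RFC 1918 prefixes and documentation ASNs (RFC 5398).
VRPS = [(ipaddress.ip_network(p), maxlen, asn) for p, maxlen, asn in [
    ("10.1.0.0/16", 16, 64496),
    ("10.2.0.0/16", 24, 64497),
    ("10.3.0.0/24", 24, 64498),
]]
RIB = [("10.1.0.0/16", 64496), ("10.1.5.0/24", 64499), ("10.3.0.0/16", 64500),
       ("10.3.0.0/24", 64501), ("10.2.9.0/25", 64497)]

def ov_state(prefix, origin, vrps):
    """RFC 6811 origin validation of one route against (prefix, maxlen, asn) VRPs."""
    covering = [v for v in vrps
                if v[0].version == prefix.version and prefix.subnet_of(v[0])]
    if not covering:
        return "notfound"
    if any(asn == origin and prefix.prefixlen <= maxlen for _, maxlen, asn in covering):
        return "valid"
    return "invalid"  # covered by a VRP, but wrong origin or longer than maxLength

def classify(rib, vrps):
    """Return [(label, prefix, origin, covering_route_or_None)] for each RIB entry."""
    routes = [(ipaddress.ip_network(p), asn) for p, asn in rib]
    states = {r: ov_state(r[0], r[1], vrps) for r in routes}
    out = []
    for prefix, origin in routes:
        state = states[(prefix, origin)]
        if state == "invalid":
            # Less specific routes that remain once invalids are rejected.
            fallback = [r for r in routes
                        if r[0].version == prefix.version
                        and r[0].prefixlen < prefix.prefixlen
                        and prefix.subnet_of(r[0]) and states[r] != "invalid"]
            if fallback:
                # Assumption: report the longest match, as forwarding would use it.
                best = max(fallback, key=lambda r: r[0].prefixlen)
                out.append((f"invalid_covered_by_{states[best]}", str(prefix),
                            origin, (str(best[0]), best[1])))
                continue
            state = "invalid_unreachable"
        out.append((state, str(prefix), origin, None))
    return out

if __name__ == "__main__":
    for label, prefix, origin, cover in classify(RIB, VRPS):
        print(label, prefix, origin, f"covering route: {cover[0]} {cover[1]}" if cover else "")
```

A covering route in this output only shows that a less specific entry exists in the RIB; it says nothing about whether the covering origin can deliver traffic to the more specific destination.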



