ROVv6 does not behave the same way as ROVv4: What rookie mistake(s) did I make?

Pirawat WATANAPONGSE pirawat.w at ku.th
Tue Mar 2 14:18:06 UTC 2021


Dear all,


We just turned on our RPKI Route Origin Validation yesterday, then
something weird happened:
[Reference: We are running NLnet Labs’ Routinator 3000, feeding a Cisco ASR
1000 Series router. I know, I know, we haven’t started a second validator
yet.]

When we tested against the two testers:
https://sg-pub.ripe.net/jasper/rpki-web-test/
and
https://isbgpsafeyet.com/
the IPv4-only net-segment passed with flying colors.
[by the way, very sneaky you Cloudflare, registering the invalid block to
the AS0 is a nice touch; I had to configure the router to really drop the
invalid routes instead of just lowering their preference. Good show, mate!]

However, when we tested on the dual-stack net-segment, the first test passed,
but the Cloudflare invalids sneaked through on the IPv6 side, causing the second
test to fail.

So, here comes the question:
What rookie mistake(s) did I make?
IPv4 and IPv6 configurations are supposed to be symmetric, right?
Or did I miss something?

And since I have already started asking:
For a “second validator”, which choice is better: a second copy of the same
software, or different software altogether?

Thanks in advance for all comments and advice,

-- 
Pirawat.
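
The AS0 remark in the message above, as an added example that is not part of the original post: RFC 6811 origin validation applied the same way to IPv4 and IPv6 routes, showing why a lone invalid route stays installed when it is only given a lower preference and disappears only when invalids are dropped. The VRP list, the prefixes (documentation ranges), AS 64496 and the function names are constructed for illustration.

```python
import ipaddress

# Constructed VRPs (prefix, max length, origin ASN) using documentation ranges.
# ASN 0 marks a prefix that no AS is authorised to originate.
VRPS = [
    ("192.0.2.0/24", 24, 0),
    ("2001:db8::/32", 48, 0),
    ("198.51.100.0/24", 24, 64496),
]

def validate(prefix, origin_asn, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        # A VRP only covers routes of its own address family.
        if vrp.version != route.version or not route.subnet_of(vrp):
            continue
        covered = True
        # An AS0 VRP covers the prefix but can never match an origin.
        if vrp_asn != 0 and vrp_asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def best_route(candidates, policy):
    """Pick the route installed for one prefix from (prefix, origin_asn) pairs.

    policy 'depref': invalid routes rank lowest but remain eligible.
    policy 'drop':   invalid routes are rejected before selection.
    """
    rank = {"valid": 2, "not-found": 1, "invalid": 0}
    scored = [(rank[validate(p, a)], p, a) for p, a in candidates]
    if policy == "drop":
        scored = [s for s in scored if s[0] > 0]
    if not scored:
        return None  # nothing installed: traffic to the test prefix fails
    return max(scored)[1:]

if __name__ == "__main__":
    for pfx in ("192.0.2.0/24", "2001:db8:1::/48"):
        only = [(pfx, 64496)]  # the invalid route is the only candidate
        print(pfx, validate(pfx, 64496),
              "depref ->", best_route(only, "depref"),
              "| drop ->", best_route(only, "drop"))
```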