ROVv6 does not behave the same way as ROVv4: What rookie mistake(s) did I make?

Douglas Fischer fischerdouglas at gmail.com
Tue Mar 2 15:09:27 UTC 2021


Based on the difficulties I have already experienced, I would bet on some
default route (or for example 2001::/16) statically placed on your FIB
pointing to an Upstream.
Or even the simple absence of the default route (::/0) pointing to null.

On Tue, Mar 2, 2021 at 11:21, Pirawat WATANAPONGSE via NANOG <
nanog at nanog.org> wrote:

> Dear all,
>
>
> We just turned on our RPKI Route Origin Validation yesterday, then
> something weird happened:
> [Reference: We are running NLnet Labs’ Routinator 3000, feeding a Cisco
> ASR 1000 Series router. I know, I know, we haven’t started a second
> validator yet.]
>
> When we tested against the two testers:
> https://sg-pub.ripe.net/jasper/rpki-web-test/
> and
> https://isbgpsafeyet.com/
> the IPv4-only net-segment passed with flying colors.
> [by the way, very sneaky you Cloudflare, registering the invalid block to
> the AS0 is a nice touch; I had to configure the router to really drop the
> invalid routes instead of just lowering their preference. Good show, mate!]
>
> However, when we tested on dual-stack net-segment, the first test passed,
> but Cloudflare invalids sneak through on the IPv6 side, causing the second
> test to fail.
>
> So, here comes the question:
> What rookie mistake(s) did I make?
> IPv4 and IPv6 configuration are supposed to be symmetric, right?
> Or did I miss something?
>
> And since I already started asking:
> For a “second validator”, which choice is better: second copy of the same
> software, or different software altogether?
>
> Thanks in advance for all comments and advice,
>
> --
> Pirawat.
>
>

-- 
Douglas Fernando Fischer
Control and Automation Engineer
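
The effect suggested in the reply above can be checked offline. This is an added example, not part of the original thread: it runs a longest-prefix match over a constructed forwarding table to show which ROV-dropped prefixes are still forwarded through a less-specific route. The next-hop names, the `Null0` label, and every prefix except 2001::/16 and ::/0 are assumptions made up for the illustration.

```python
import ipaddress

def lookup(fib, dst):
    """Longest-prefix match. fib is a list of (prefix, next_hop) pairs."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in fib:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, next_hop)
    return best

def leaked_invalids(fib, dropped, null="Null0"):
    """Map each ROV-dropped prefix to the route that still forwards it.

    Simplification: only the first address of each dropped prefix is
    looked up, so a more-specific route covering part of it is not seen.
    """
    leaks = {}
    for prefix in dropped:
        net = ipaddress.ip_network(prefix)
        hit = lookup(fib, net.network_address)
        if hit is not None and hit[1] != null:
            leaks[prefix] = (str(hit[0]), hit[1])
    return leaks

# Constructed sample data: prefixes the router dropped as RPKI-invalid.
DROPPED = ["192.0.2.0/24", "2001:db8:dead::/48"]

# Constructed FIB: no IPv4 default, but a static IPv6 covering route.
FIB_STATIC_COVER = [
    ("198.51.100.0/24", "upstream-a"),
    ("2001:db8:1::/48", "peer-b"),
    ("2001::/16", "upstream-a"),
]

# Same table with the covering static removed and ::/0 sent to null.
FIB_NULL_DEFAULT = [
    ("198.51.100.0/24", "upstream-a"),
    ("2001:db8:1::/48", "peer-b"),
    ("::/0", "Null0"),
]

if __name__ == "__main__":
    print("static cover:", leaked_invalids(FIB_STATIC_COVER, DROPPED))
    print("null default:", leaked_invalids(FIB_NULL_DEFAULT, DROPPED))
```

In the first table the IPv4 invalid has no matching route and is unreachable, while the IPv6 invalid still follows 2001::/16 to the upstream, which is the asymmetry described in the question.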