ROVv6 does not behave the same way as ROVv4: What rookie mistake(s) did I make?

Lukas Tribus lukas at ltri.eu
Wed Mar 3 18:43:02 UTC 2021


Hello,


On Tue, 2 Mar 2021 at 15:18, Pirawat WATANAPONGSE via NANOG
<nanog at nanog.org> wrote:
> We just turned on our RPKI Route Origin Validation yesterday, then something weird happened:
> [Reference: We are running NLnet Labs’ Routinator 3000, feeding a
> Cisco ASR 1000 Series router. I know, I know, we haven’t started a
> second validator yet.]

If you are doing ROV on IOS(-XE), you need to be aware of the
surprising default behaviours. See:

https://www.mail-archive.com/[email protected]/msg104776.html

https://www.mail-archive.com/[email protected]/msg68472.html


Also see:

http://bgpfilterguide.nlnog.net/guides/reject_invalids/#cisco-classic-ios-and-ios-xe


> [by the way, very sneaky you Cloudflare, registering the invalid block to the
> AS0 is a nice touch; I had to configure the router to really drop the invalid
> routes instead of just lowering their preference. Good show, mate!]

Not sure what you are saying, but you need to completely drop invalid
routes. Lowering local-preference is not enough. This has nothing to
do with AS0 ROAs.


> However, when we tested on dual-stack net-segment, the first test passed, but
> Cloudflare invalids sneak through on the IPv6 side, causing the second test to fail.

You research the IPv6 address used for the invalid test, and check why
it is reachable from your routers. Are invalid v6 routes in your BGP
table? Do you have a default-route? What does the FIB do and why? This
has less to do with ROV and is more about basic network
troubleshooting (BGP -> RIB -> FIB).

$ host -tAAAA invalid.rpki.cloudflare.com
invalid.rpki.cloudflare.com has IPv6 address 2606:4700:7000::6715:f40f
invalid.rpki.cloudflare.com has IPv6 address 2606:4700:7000::6715:f40e
$

So it looks like 2606:4700:7000::/48.


> So, here comes the question:
> What rookie mistake(s) did I make?
> IPv4 and IPv6 configuration are supposed to be symmetric, right?
> Or did I miss something?

Just start with normal, basic troubleshooting, looking at FIB, RIB and
BGP table outputs of the offending IP.


> And since I already start asking:
> For a “second validator”, which choice is better: second copy of the same software, or different software altogether?

A different software stack can be beneficial, yes. I suggest you take
a look at the Fort validator, it's a great piece of software.


Lukas
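One way to walk through the BGP -> RIB -> FIB reasoning above offline, as an added example that is not from the thread, from Routinator or from any router: an RFC 6811 origin check over a constructed VRP set, followed by a longest-prefix FIB lookup showing that once the invalid /48 is dropped, a default route still carries traffic to the test address (and that a local-pref penalty alone leaves the invalid route in the FIB). The VRPs, origin ASNs and BGP table are constructed assumptions, not Cloudflare's real ROAs or announcements.

```python
import ipaddress

# Constructed sample data, not from any real RPKI cache or router:
# VRPs as (prefix, max_length, origin_asn). The Cloudflare test
# addresses from the thread fall in 2606:4700:7000::/48; the VRP and
# ASNs below are hypothetical, not Cloudflare's actual ROA.
VRPS = [
    ("2606:4700:7000::/48", 48, 64496),
    ("2001:db8::/32", 48, 64497),
]
# Constructed IPv6 BGP table: test /48 from a non-matching origin, plus a default.
BGP_V6 = [("2606:4700:7000::/48", 64500), ("::/0", 64501)]


def rov_state(prefix, origin_asn, vrps):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix)
    covering = [(ipaddress.ip_network(p), ml, asn) for p, ml, asn in vrps]
    covering = [v for v in covering
                if v[0].version == net.version and net.subnet_of(v[0])]
    if not covering:
        return "notfound"
    if any(asn == origin_asn and net.prefixlen <= ml for _, ml, asn in covering):
        return "valid"
    return "invalid"


def build_fib(bgp_routes, vrps, drop_invalid):
    """Routes left for forwarding after the ROV policy is applied."""
    fib = []
    for prefix, asn in bgp_routes:
        state = rov_state(prefix, asn, vrps)
        if state == "invalid" and drop_invalid:
            continue  # rejected outright; a local-pref penalty would keep it
        fib.append((ipaddress.ip_network(prefix), asn, state))
    return fib


def lookup(fib, address):
    """Longest-prefix match; returns (prefix, origin_asn, rov_state) or None."""
    addr = ipaddress.ip_address(address)
    hits = [e for e in fib if e[0].version == addr.version and addr in e[0]]
    if not hits:
        return None
    best = max(hits, key=lambda e: e[0].prefixlen)
    return (str(best[0]), best[1], best[2])


if __name__ == "__main__":
    target = "2606:4700:7000::6715:f40f"  # AAAA record quoted in the thread
    for drop in (False, True):
        print("drop_invalid =", drop, lookup(build_fib(BGP_V6, VRPS, drop), target))
    print("no default:", lookup(build_fib(BGP_V6[:1], VRPS, True), target))
```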

