<div><div dir="auto">Oops, I see a fat typo slipped in - the correct URL is <div><a href="https://github.com/job/rpki-ov-checker">https://github.com/job/rpki-ov-checker</a> :-)</div><div dir="auto"><br></div><div dir="auto">Kind regards,</div><div dir="auto"><br></div><div dir="auto">Job</div></div></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Feb 6, 2020 at 20:35 Job Snijders &lt;<a href="mailto:job@ntt.net">job@ntt.net</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Dear ops,<br>
<br>
I wrote a simple tool to figure out what kind of invalid an RPKI invalid<br>
is; this can aid people in understanding the impact of "invalid ==<br>
reject" routing policies. Only "invalid_unreachable" routes present<br>
an operational issue in my opinion, IP addresses covered by "notfound"<br>
or "valid" less specific routes will still be reachable.<br>
<br>
You pass it a file name (or via stdin) with one prefix and origin ASN<br>
per line (white space separated) representing your full BGP RIB, and<br>
then you can grep specific for the task at hand to extract the info you<br>
need:<br>
<br>
$ rpki-ov-checker full_rib | fgrep -f customer_prefixes | grep invalid | sort -R | head<br>
invalid_covered_by_notfound 123.101.0.0/21 4809 covering route: 123.101.0.0/16 4134<br>
invalid_covered_by_valid 46.3.74.0/24 134121 covering route: 46.3.0.0/16 207636<br>
invalid_unreachable 83.231.209.0/24 3949<br>
invalid_unreachable 124.30.247.0/24 9583<br>
invalid_covered_by_valid 125.21.232.0/24 9730 covering route: 125.21.0.0/16 9498<br>
invalid_unreachable 120.29.92.0/24 17639<br>
invalid_unreachable 31.40.164.0/24 200872<br>
invalid_covered_by_notfound 45.12.139.0/24 40676 covering route: 45.12.136.0/22 35913<br>
invalid_covered_by_valid 122.160.178.0/24 24560 covering route: 122.160.0.0/16 24560<br>
invalid_covered_by_valid 61.90.251.0/24 21734 covering route: 61.90.192.0/18 7470<br>
<br>
NTT is using this to figure out who we need to help fix their ROA or<br>
correct their BGP announcements.<br>
<br>
Get the goods at <a href="https://githqub.com/job/rpki-ov-checker" rel="noreferrer" target="_blank">https://githqub.com/job/rpki-ov-checker</a><br>
<br>
Enjoy!<br>
<br>
Kind regards,<br>
<br>
Job<br>
</blockquote></div></div>
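<div>The classification described in the message above, as an added sketch that is not taken from rpki-ov-checker: each route gets an RFC 6811 origin-validation state, and invalid routes are then split by whether a valid or notfound route in the same RIB still covers them. The function names, the sample VRPs and RIB (documentation prefixes, documentation and private-use ASNs), the output format for non-invalid routes, and the choice to prefer a valid cover over a notfound one are assumptions.</div>

```python
import ipaddress

# Constructed sample VRPs (validated ROA payloads): (prefix, maxLength, origin ASN).
VRPS = [(ipaddress.ip_network(p), m, a) for p, m, a in [
    ("2001:db8:100::/40", 40, 64500),
    ("2001:db8:200::/48", 48, 64502),
    ("2001:db8:300::/48", 48, 64503),
    ("192.0.2.0/24", 24, 64500),
]]
# Constructed sample RIB: one "prefix origin_asn" pair per line.
RIB_TEXT = """\
2001:db8:100::/40 64500
2001:db8:110::/48 64501
2001:db8:200::/40 64511
2001:db8:200::/48 64510
2001:db8:300::/48 64520
192.0.2.0/25 64500
"""

def parse_rib(text):
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [(ipaddress.ip_network(p), int(a)) for p, a in rows]

def covers(outer, inner):
    # subnet_of() raises TypeError across IP versions, so compare versions first.
    return outer.version == inner.version and inner.subnet_of(outer)

def ov_state(prefix, origin, vrps):
    """RFC 6811: valid / invalid / notfound for one route."""
    covering = [v for v in vrps if covers(v[0], prefix)]
    if any(asn == origin and asn != 0 and prefix.prefixlen <= max_len
           for _, max_len, asn in covering):
        return "valid"
    return "invalid" if covering else "notfound"

def classify(rib, vrps):
    """Label each route; invalids are split by what still covers them."""
    states = {route: ov_state(*route, vrps) for route in rib}
    lines = []
    for (prefix, origin), state in states.items():
        label, tail = state, ""
        if state == "invalid":
            label = "invalid_unreachable"
            for want in ("valid", "notfound"):  # assumption: prefer a valid cover
                cands = [r for r, s in states.items() if s == want and covers(r[0], prefix)]
                if cands:  # report the most specific covering route
                    cov = max(cands, key=lambda r: r[0].prefixlen)
                    label, tail = f"invalid_covered_by_{want}", f" covering route: {cov[0]} {cov[1]}"
                    break
        lines.append(f"{label} {prefix} {origin}{tail}")
    return lines
```

<div>Calling classify(parse_rib(RIB_TEXT), VRPS) returns one line per route in the same shape as the output quoted in the message; the 192.0.2.0/25 route shows a maxLength failure that ends up invalid_unreachable because nothing less specific is announced.</div>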