On Thu, 7 May 2020 at 22:56, Spyros Kakaroukas <[email protected]> wrote:
>
> Hi Pierre,
>
> This reminds me of a case of my own while labbing RPKI on XE. Only eBGP
> routes are subject to RPKI validation. iBGP routes are automatically
> considered to be valid. Cisco's implementation in XE will automatically
> modify the best path selection to prefer valid over unknown over invalid very
> high in the selection ruleset. This is what I assume happens:
>
> If asbr02 goes up first, it gets the prefix, considers it a best path, sends
> it to asbr01 via iBGP. Then asbr01 goes up, compares an unknown external path
> to a valid internal one and chooses the second. Thus, traffic flows through
> there.
>
> If asbr01 goes up first, it gets the prefix from its external neighbor,
> considers it best, sends it to asbr02. Asbr02 comes up but I'm guessing BIRD
> is actually preferring the route from asbr01. Thus, it never sends its own
> external route to asbr01. So, asbr01 keeps preferring its own external
> unknown one.

This is exactly what's happening. But why did Cisco's RPKI algorithm choose to trust the iBGP relationship over the validators, even though no extcommunity was sent? This is weird...

> If I understand your design correctly, you might want to research whether
> BIRD can signal RPKI state via iBGP, as this would cause eventual consistency.

Yes, my fellow netadmin Alarig at as204092 just asked on BIRD's mailing list why BIRD didn't send the extcommunity. https://bird.network.cz/pipermail/bird-users/2020-May/014559.html for the interested.

> Regarding the extcommunity, I'm not sure if it's the best of ideas to
> announce state on iBGP routes, let alone reflected ones. I'd have to check
> whether the RFC actually specifies this before I form an opinion on what's
> happening. Assuming you do have asbr01 configured to announce rpki state
> though, it could be the expected behavior.

While I can grasp why one could announce (and trust) RPKI state over iBGP, in this situation the asr1k had both a validator and no extcommunity whatsoever received; this I don't understand, why it would validate such a prefix...

Anyhow, thanks a lot for the debugging Spyros. I'll follow up with the BIRD folks on this matter.

regards
pierre

_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
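The start-up race discussed in this thread can be reproduced as a small model of the best-path decision. The following is an added example, not code from the thread, from Cisco or from the BIRD project. It models only what the thread states: eBGP routes are checked against the validator, iBGP routes without a validation-state extended community fall back to a configurable default ("valid" models the XE behaviour Spyros describes), and the RPKI rank (valid before unknown before invalid) is compared before the eBGP-over-iBGP step. The router names, the prefix 192.0.2.0/24 and the neighbour names are constructed placeholders. The `signal_state` switch goes beyond the thread: it shows what asbr01 would pick if the iBGP peer carried an explicit validation state, which is the "eventual consistency" outcome Spyros suggests.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rank used before the ordinary decision steps: lower is preferred.
RANK = {"valid": 0, "unknown": 1, "invalid": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str                      # "ebgp" or "ibgp"
    via: str                         # neighbour the route was learned from
    ext_state: Optional[str] = None  # validation state carried as an extcommunity, if any


def effective_state(route: Route, validator: Dict[str, str], ibgp_default: str) -> str:
    """Validation state the receiving router uses for the comparison.

    eBGP routes are looked up in the validator's view (absent prefix = unknown).
    iBGP routes use the carried extcommunity when present; otherwise they get
    ibgp_default, which is 'valid' in the behaviour described in the thread.
    """
    if route.source == "ebgp":
        return validator.get(route.prefix, "unknown")
    if route.ext_state is not None:
        return route.ext_state
    return ibgp_default


def best_path(routes: List[Route], validator: Dict[str, str], ibgp_default: str) -> Route:
    """RPKI rank first, then prefer eBGP over iBGP (other BGP steps omitted)."""
    def key(r: Route):
        return (RANK[effective_state(r, validator, ibgp_default)],
                0 if r.source == "ebgp" else 1)
    return min(routes, key=key)


def asbr01_selection(first_up: str, validator: Dict[str, str],
                     ibgp_default: str = "valid", signal_state: bool = False) -> str:
    """Which neighbour asbr01 (the XE box) ends up forwarding through.

    first_up: "asbr01" or "asbr02", the router that learned the prefix first.
    signal_state: assumption beyond the thread; if True the iBGP route from
    asbr02 carries asbr02's own validator result as an extcommunity.
    """
    prefix = "192.0.2.0/24"  # constructed placeholder
    own_ebgp = Route(prefix, "ebgp", "upstream-A")
    if first_up == "asbr01":
        # Per the thread, asbr02 then prefers asbr01's iBGP route and never
        # advertises its own external path, so asbr01 only has its own route.
        return best_path([own_ebgp], validator, ibgp_default).via
    # asbr02 came up first and advertised its eBGP-learned path over iBGP.
    carried = validator.get(prefix, "unknown") if signal_state else None
    from_asbr02 = Route(prefix, "ibgp", "asbr02", ext_state=carried)
    return best_path([own_ebgp, from_asbr02], validator, ibgp_default).via


if __name__ == "__main__":
    validator: Dict[str, str] = {}  # no ROA covers the prefix: state is unknown
    for order in ("asbr02", "asbr01"):
        print(order, "up first ->", asbr01_selection(order, validator))
    print("asbr02 first, missing state treated as unknown ->",
          asbr01_selection("asbr02", validator, ibgp_default="unknown"))
    print("asbr02 first, state signalled over iBGP ->",
          asbr01_selection("asbr02", validator, signal_state=True))
```

With the thread's defaults the two boot orders give different forwarding paths for the same prefix and the same validator view, which is the inconsistency Pierre observed; treating a missing iBGP validation state as unknown, or carrying the state over iBGP, removes the order dependence in this model.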
