Hi All
Been scratching my head today. As per Juniper's documentation, you can indeed
setup RPKI/ROA validation session inside a routing-instance. You can also have
it query against that instance on an import policy for that VRF specifically,
and if there's no session, it will revert to the default RPKI RV database (if
configured) under the main routing-options {} stanza to check for
valid/invalid, etc...
https://www.juniper.net/documentation/us/en/software/junos/bgp/topics/topic-map/bgp_origin_validation.html
Thats all fine and dandy, but it seems that JNPR's implementation of RPKI/ROA
*assumes* that your RV database is always configured in the main routing
instance (i.e. the main routing-options validation {} stanza, thus your RPKI
server MUST be available via inet.0 ).
Unfortunately, the situation I am faced with is the opposite.
My RPKI/ROA server is only available via our "admin" VRF (which is how we
manage the device) - Our inet.0 contains the global internet/IGP and links and
loopbacks/Labels/etc. all "admin" related functions RADIUS/TACACS, SNMP, RPKI,
Syslog, ssh, you-name-it, etc. are all "nailed" to our admin VRF. Hence when I
try to do ROA validation of an eBGP peer in inet.0 via a standard import
policy, the RV "validation-database" is unfortunately locked inside the
admin-vrf, and thus isn't queried for valid/invalid/unknown etc.
Hence, nothing on the eBGP session in inet.0 is being validated.
Is there some KNOB I'm missing, to allow a policy, executed upon routes in
inet.0, to use the RV database in a non-default VRF? Or copy the VRF's RV to
the default's RV? or is this some oversight of JNPR's RPKI implementation, that
it must be inside the default:default LI:RI?
- CK.
NOTE: my Google-fu and/or "set ?" skills aren't yielding any useful results.
Apologies if there's "a simple fix" for this, or an example of this situation I
haven't found.
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
