Based on the difficulties I have already experienced, I would bet on some default route (or for example 2001::/16) statically placed on your FIB pointing to an Upstream. Or even the simple absence of the default route (::/0) pointing to null.
Em ter., 2 de mar. de 2021 às 11:21, Pirawat WATANAPONGSE via NANOG < nanog@nanog.org> escreveu: > Dear all, > > > We just turned on our RPKI Route Origin Validation yesterday, then > something weird happened: > [Reference: We are running NLnet Labs’ Routinator 3000, feeding a Cisco > ASR 1000 Series router. I know, I know, we haven’t started a second > validator yet.] > > When we tested against the two testers: > https://sg-pub.ripe.net/jasper/rpki-web-test/ > and > https://isbgpsafeyet.com/ > the IPv4-only net-segment passed with flying color. > [by the way, very sneaky you Cloudflare, registering the invalid block to > the AS0 is a nice touch; I had to configure the router to really drop the > invalid routes instead of just lowering their preference. Good show, mate!] > > However, when we tested on dual-stack net-segment, the first test passed, > but Cloudflare invalids sneak through on the IPv6 side, causing the second > test to fail. > > So, here comes the question: > What rookie mistake(s) did I make? > IPv4 and IPv6 configuration are supposed to be symmetry, right? > Or did I miss something? > > And since I already start asking: > For a “second validator”, which choice is better: second copy of the same > software, or different software altogether? > > Thanks in advance for all comments and advices, > > -- > Pirawat. > > -- Douglas Fernando Fischer Engº de Controle e Automação
