Hello,
On Tue, 2 Mar 2021 at 15:18, Pirawat WATANAPONGSE via NANOG <nanog@nanog.org> wrote:
> We just turned on our RPKI Route Origin Validation yesterday, then something
> weird happened:
> [Reference: We are running NLnet Labs’ Routinator 3000, feeding a
> Cisco ASR 1000 Series router. I know, I know, we haven’t started a
> second validator yet.]

If you are doing ROV on IOS(-XE), you need to be aware of the surprising default behaviours. See:

https://www.mail-archive.com/nanog@nanog.org/msg104776.html
https://www.mail-archive.com/cisco-nsp@puck.nether.net/msg68472.html

Also see:

http://bgpfilterguide.nlnog.net/guides/reject_invalids/#cisco-classic-ios-and-ios-xe

> [by the way, very sneaky you Cloudflare, registering the invalid block to the
> AS0 is a nice touch; I had to configure the router to really drop the invalid
> routes instead of just lowering their preference. Good show, mate!]

Not sure what you are saying, but you need to completely drop invalid routes. Lowering local-preference is not enough. This has nothing to do with AS0 ROAs.

> However, when we tested on dual-stack net-segment, the first test passed, but
> Cloudflare invalids sneak through on the IPv6 side, causing the second test
> to fail.

You research the IPv6 address used for the invalid test, and check why it is reachable from your routers. Are invalid v6 routes in your BGP table? Do you have a default-route? What does the FIB do and why? This has less to do with ROV and is more about basic network troubleshooting (BGP -> RIB -> FIB).

$ host -tAAAA invalid.rpki.cloudflare.com
invalid.rpki.cloudflare.com has IPv6 address 2606:4700:7000::6715:f40f
invalid.rpki.cloudflare.com has IPv6 address 2606:4700:7000::6715:f40e
$

So it looks like 2606:4700:7000::/48.

> So, here comes the question:
> What rookie mistake(s) did I make?
> IPv4 and IPv6 configuration are supposed to be symmetric, right?
> Or did I miss something?

Just start with normal, basic troubleshooting, looking at FIB, RIB and BGP table outputs of the offending IP.

> And since I already start asking:
> For a “second validator”, which choice is better: second copy of the same
> software, or different software altogether?

A different software stack can be beneficial, yes. I suggest you take a look at the Fort validator, it's a great piece of software.

Lukas
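The BGP -> RIB -> FIB reasoning in the reply above, as an added illustration that is not part of the thread: a simplified longest-prefix-match lookup over a constructed IPv6 table with RPKI states, showing why the invalid test address can stay reachable when invalids are only de-preferenced, or when a default route covers them after they are dropped. The table entries and next-hops are constructed sample data, not real router output.

```python
import ipaddress

# Constructed sample: a reduced IPv6 BGP table with the RPKI validation state
# the router attached to each route. The /48 is the prefix the reply infers
# from the AAAA lookup of invalid.rpki.cloudflare.com; everything else is made up.
SAMPLE_TABLE = [
    # (prefix, next-hop, local-pref, rpki state)
    ("::/0",                "2001:db8::1", 100, "not-found"),  # default route
    ("2606:4700:7000::/48", "2001:db8::2", 100, "invalid"),    # ROV-invalid test prefix
    ("2001:db8:1::/48",     "2001:db8::3", 100, "valid"),      # unrelated valid route
]


def apply_rov(table, policy):
    """Model two ROV policies: 'drop' removes invalid routes from the table,
    'lower-pref' keeps them with a reduced local-preference (not sufficient)."""
    out = []
    for prefix, nh, lp, state in table:
        if state == "invalid":
            if policy == "drop":
                continue
            if policy == "lower-pref":
                lp = 50
        out.append((prefix, nh, lp, state))
    return out


def best_route(table, address):
    """Simplified RIB lookup: longest prefix wins; among equal lengths the
    higher local-preference wins. Returns the winning table entry or None."""
    addr = ipaddress.ip_address(address)
    candidates = [e for e in table if addr in ipaddress.ip_network(e[0])]
    if not candidates:
        return None
    return max(candidates,
               key=lambda e: (ipaddress.ip_network(e[0]).prefixlen, e[2]))


def reachable_via(table, policy, address):
    """Return the prefix that carries traffic to `address` under `policy`,
    or None when the address has no covering route at all."""
    route = best_route(apply_rov(table, policy), address)
    return route[0] if route else None


if __name__ == "__main__":
    target = "2606:4700:7000::6715:f40f"
    for policy in ("lower-pref", "drop"):
        print(policy, "->", reachable_via(SAMPLE_TABLE, policy, target))
```

With only local-preference lowered, the invalid /48 still wins on prefix length; with invalids dropped, the default route ::/0 is what makes the test address reachable, which is the "do you have a default-route?" check from the reply.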