ROSv7b8 and RPKI

Hi All,
Has anyone successfully set up and had RPKI running in ROS7B8?
If so, which validator are you using?
Is there any undocumented debug for RPKI? (from the MT side)

The reason I ask is I have set up a test lab
2 routers connected p2p
R1 sends 3 routes
1 Valid
1 Invalid
1 Unknown

No Filtering on, all routes are received @ R2.
If I use the example filter listed in the doco (to drop invalids) the only routes that make it into the FIB are the Unknown.
It is marking all Valid or Invalid as Invalid.


This is using Routinator as a validator.

If anyone has any test results of their own, and would like to share, that would be great!


Dave

Seems to be unfunctional / broken …

@schadom
What was your setup?

Which validator were you using?

With all of the cries out on the forums for RPKI, I find it hard to believe that we are the only two people to have tested this?

http://as58280.net/en/articles/RPKI-on-Mikrotik

Post the rules that are not working.
Did you run through verify rule with (rpki-verify=xxx) before trying to match state with rpki-match?

Hi MRz

Config Below..

/routing/bgp/rpki/print
Flags: X - disabled 
 0   group=rpki-test address=192.168.57.130 port=3323 refresh-interval=300

AND

/routing/filter/rule/print 
Flags: X - disabled, I - invalid 
 0   chain=bgp_out match-prfx-value=dst<equal>x.x.x.x/24 action=accept 

 1   chain=bgp_in rpki-verify=rpki-test 

 2   chain=bgp_in match-rpki=valid action=accept 

 3   chain=bgp_in match-rpki=invalid action=reject 

 4   chain=bgp_in action=accept

Chain Applied to Template

/routing/bgp/template/print        
Flags: * - default, X - disabled, I - inactive 
 0 * name="default" routing-table=main instance=default as=XXXXXX 
     output.filter=bgp_out 
     input.filter=bgp_in

Route Table

/routing/route/print  
Flags: A - ACTIVE; c - CONNECT, s - STATIC, b - BGP, l - LDP-MAPPING
Columns: DST-ADDRESS, GATEWAY, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
      DST-ADDRESS       GATEWAY     DI  SCO  TA  IMMEDIATE-GW     
  Ab  61.4X.XXX.0/24    172.16.0.1  20   40  10  172.16.0.1%ether2
  As  61.4X.XXX.0/24    blackhole    1  250  10                   
  Ab  61.4X.XXX.0/24    172.16.0.1  20   40  10  172.16.0.1%ether2  ####This is the invalid route that gets installed

If I remove the rpki-verify=valid accept rule…everything gets flagged as invalid…

I can confirm the problem, we are looking into it.

Thanks for the confirmation @ MRZ

I have already updated MRZ, but just to keep it in the open:
7.1b1 still has some issues.
Valid and invalid is being flagged as invalid.
Not found are being correctly classified as Unknown.

There are some issues as well with non-compliance to the RFC around reachability
IE:- If the validators become unavailable, then all received routes should be received and at least marked as unknown.
As it currently sits, NO ROUTES are admitted.

As stated, this has already been reported and MT are committing to sort this out ASAP :)

Hello,
Which RFC are you referring to?

If you mean something like this:
https://rpki.readthedocs.io/en/latest/about/faq.html#what-if-the-rpki-system-becomes-unavailable-or-some-other-catastrophe-occurs-will-my-signed-prefixes-become-unreachable-to-others-will-other-prefixes-my-routers-learned-over-bgp-become-unreachable-for-me

Then it is for the validator, not the RTR client. If the RTR client cannot connect to the validator, then there will be no RPKI states.
Or maybe we are missing something?

Also facing the same issue.
RPKI check is working fine, but while filtering it blocks valid routes also. Check post #33
http://forum.mikrotik.com/t/v7-1beta1-development-is-released/141516/32
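
Added example, not from any poster in this thread or from MikroTik: a Python reference for the RFC 6811 origin-validation states, giving the expected outcome for a three-route lab like the one described in the thread so it can be compared with what the router installs. The VRPs, prefixes and AS numbers are constructed documentation values, and `expected_accepts` is a hypothetical helper that models the accept-valid, reject-invalid, accept-rest order of the posted `bgp_in` chain.

```python
import ipaddress

# Constructed VRPs as an RTR cache would serve them: (prefix, max length, origin AS).
SAMPLE_VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("203.0.113.0/24", 24, 64501),
]

# Constructed lab announcements: (prefix, origin AS taken from the AS path).
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64500),     # matches a VRP
    ("203.0.113.0/24", 64511),   # covered, wrong origin AS
    ("198.51.100.0/24", 64502),  # no covering VRP
]


def validate_origin(prefix, origin_as, vrps):
    """Return 'valid', 'invalid' or 'unknown' (RFC 6811 calls the last NotFound)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route only if it is the same or a less specific prefix.
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # Match needs route length <= max length and equal origin; AS 0 never matches.
        if route.prefixlen <= max_len and vrp_as != 0 and vrp_as == origin_as:
            return "valid"
    return "invalid" if covered else "unknown"


def expected_accepts(routes, vrps):
    """Hypothetical model of the posted chain: accept valid, reject invalid, accept rest."""
    return [p for p, asn in routes if validate_origin(p, asn, vrps) != "invalid"]


if __name__ == "__main__":
    for prefix, asn in SAMPLE_ROUTES:
        print(prefix, f"AS{asn}", validate_origin(prefix, asn, SAMPLE_VRPS))
    print("expected in table:", expected_accepts(SAMPLE_ROUTES, SAMPLE_VRPS))
```

With an empty VRP list this algorithm returns unknown for every route, because no VRP covers any prefix.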