RPKI & BGP: Is it computationally expensive to set comments on BGP routes?

Hi all,
I have two full BGP feeds and have been deploying RPKI. I have things working. In an attempt to really see the effects of my RPKI work in the routing table I have set comments on the routes received in the filters as below:

 
16   chain=RPKI rule="rpki-verify RPKI" 
17   chain=RPKI rule="if (rpki invalid) {set comment  RPKI_Invalid; reject}" 
18   chain=RPKI rule="if (rpki unknown) {set comment  RPKI_Unknown; accept}" 
19   chain=RPKI rule="if (rpki valid) {set comment  RPKI_Valid; accept}" 
20   chain=RPKI rule="if (rpki unverified) {set comment RPKI_Unverified; accept}"
21   chain=RPKI rule="return"

This gives output like this (PS those routes without a comment I have not enabled it on for testing):

Flags: D - dynamic; X - disabled, I - inactive, A - active; 
c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - vpn, m - modem, y - bgp-mpls-vpn; 
H - hw-offloaded; + - ecmp 
 #       DST-ADDRESS        GATEWAY            DISTANCE
   D b   ;;; RPKI_Valid
         1.0.0.0/24         41.79.9.121              20
   DAb   1.0.0.0/24         41.209.9.17              20
   D b   ;;; RPKI_Valid
         1.0.4.0/22         41.79.9.121              20
   DAb   1.0.4.0/22         41.209.9.17              20
   D b   ;;; RPKI_Valid
         1.0.5.0/24         41.79.9.121              20
   DAb   1.0.5.0/24         41.209.9.17              20
   D b   ;;; RPKI_Unknown
         1.0.16.0/24        41.79.9.121              20
   DAb   1.0.16.0/24        41.209.9.17              20
   D b   ;;; RPKI_Unknown
         1.0.32.0/24        41.79.9.121              20
   DAb   1.0.32.0/24        41.209.9.17              20
   D b   ;;; RPKI_Valid
         1.0.64.0/18        41.79.9.121              20
   DAb   1.0.64.0/18        41.209.9.17              20

Hunting for invalids I can then do this:

ip route print detail where comment=RPKI_Invalid

   DIb   ;;; RPKI_Invalid
         dst-address=5.105.108.0/24 routing-table=main gateway=41.79.9.121 immediate-gw=41.79.9.121%ether3 
         distance=20 scope=40 target-scope=10 suppress-hw-offload=no 

   DIb   ;;; RPKI_Invalid
         dst-address=5.105.130.0/24 routing-table=main gateway=41.79.9.121 immediate-gw=41.79.9.121%ether3 
         distance=20 scope=40 target-scope=10 suppress-hw-offload=no 

   DIb   ;;; RPKI_Invalid
         dst-address=5.105.153.0/24 routing-table=main gateway=41.79.9.121 immediate-gw=41.79.9.121%ether3 
         distance=20 scope=40 target-scope=10 suppress-hw-offload=no

I have found this handy / intriguing but is it a good idea? Can I leave these comments there or is it computationally expensive to the router and/or BGP process?

Many thanks,

Alex
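
An offline check over saved output in the terse layout shown in the post above, added here as an example (not part of the original post or of RouterOS): it tallies routes per comment and flags any route commented RPKI_Invalid that still carries the A (active) flag, which would mean the reject rule did not take effect. The sample text, function names and documentation addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample in the terse "ip route print" layout from the post
# (documentation prefixes and gateways, not real routes).
SAMPLE = """\
 #       DST-ADDRESS        GATEWAY            DISTANCE
   D b   ;;; RPKI_Valid
         192.0.2.0/25       198.51.100.1             20
   DAb   192.0.2.0/25       203.0.113.1              20
   D b   ;;; RPKI_Unknown
         192.0.2.128/26     198.51.100.1             20
   DIb   ;;; RPKI_Invalid
         192.0.2.192/26     198.51.100.1             20
   DAb   ;;; RPKI_Invalid
         192.0.2.224/27     198.51.100.1             20
"""

def _is_prefix(token):
    """True for an address/length token such as 192.0.2.0/25."""
    if "/" not in token:
        return False
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False

def parse_routes(text):
    """Return one dict per route: flags, dst, gateway, comment (or None)."""
    routes, pending = [], None
    for line in text.splitlines():
        if ";;;" in line:
            # A comment line carries the flags; its route is on the next line.
            flags, comment = line.split(";;;", 1)
            pending = ("".join(flags.split()), comment.strip())
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if _is_prefix(t)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # header or legend line, not a route
        flags, comment = pending or ("".join(tokens[:idx]), None)
        routes.append({"flags": flags, "dst": tokens[idx],
                       "gateway": tokens[idx + 1], "comment": comment})
        pending = None
    return routes

def summarize(routes):
    """Count routes per comment; uncommented routes are grouped together."""
    return Counter(r["comment"] or "(no comment)" for r in routes)

def active_invalids(routes):
    """Routes marked RPKI_Invalid that are still active (A flag set)."""
    return [r for r in routes
            if r["comment"] == "RPKI_Invalid" and "A" in r["flags"]]

if __name__ == "__main__":
    parsed = parse_routes(SAMPLE)
    print(dict(summarize(parsed)))
    for r in active_invalids(parsed):
        print("ACTIVE INVALID:", r["dst"], "via", r["gateway"])
```
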

Yes, it’s obviously computationally expensive. Who the hell else even does this?

Hi,

Why don’t you just use the existing flags in RouterOS to filter those prefixes?

/routing/route/print where rpki=valid
/routing/route/print where rpki=invalid
/routing/route/print where rpki=unknown

That does it for me to check whether RPKI is working as expected or not.

BR,
Irrwitzer

Hi Irrwitzer,

I didn’t know that was possible, which is why I wasn’t doing that. Thank you so much for pointing me in the right direction.

All the best,

Alex

Abrasive much?

Not everybody has the complete and advanced knowledge and skills that you so obviously have.

I was taught that the only stupid question was the one I didn’t ask, but I am obviously wrong there.