lostdave
just joined
Topic Author
Posts: 5
Joined: Mon Jun 15, 2020 5:29 am

ROSv7b8 and RPKI

Tue Jun 16, 2020 2:24 am

Hi All,
Has anyone successfully set up and had RPKI running in ROS7B8?
If so, which validator are you using?
Is there any undocumented debug for RPKI (from the MT side)?

The reason I ask is I have set up a test lab:
2 routers connected p2p
R1 sends 3 routes
1 Valid
1 Invalid
1 Unknown

No Filtering on, all routes are received @ R2.
If I use the example filter listed in the doco (to drop invalids), the only routes that make it into the FIB are the Unknown.
It is marking all Valid or Invalid as Invalid.


This is using Routinator as a validator.

If anyone has any test results of their own, and would like to share, that would be great!


Dave
 
schadom
Member Candidate
Posts: 156
Joined: Sun Jun 25, 2017 2:47 am

Re: ROSv7b8 and RPKI

Thu Jun 18, 2020 12:26 am

Seems to be unfunctional / broken ...
 
lostdave
just joined
Topic Author
Posts: 5
Joined: Mon Jun 15, 2020 5:29 am

Re: ROSv7b8 and RPKI

Thu Jun 18, 2020 1:54 am

@schadom
What was your setup?

Which validator were you using?

With all of the cries out on the forums for RPKI, I find it hard to believe that we are the only two people to have tested this?
 
paulct
Member
Posts: 336
Joined: Fri Jul 12, 2013 5:38 pm

Re: ROSv7b8 and RPKI

Thu Jun 18, 2020 9:21 am

 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: ROSv7b8 and RPKI

Thu Jun 18, 2020 10:08 am

lostdave wrote:
> @schadom
> What was your setup?
>
> Which validator were you using?
>
> With all of the cries out on the forums for RPKI, I find it hard to believe that we are the only two people to have tested this?

Post the rules that are not working.
Did you run through the verify rule (rpki-verify=xxx) before trying to match state with rpki-match?
 
lostdave
just joined
Topic Author
Posts: 5
Joined: Mon Jun 15, 2020 5:29 am

Re: ROSv7b8 and RPKI

Fri Jun 19, 2020 12:31 am

Hi MRz

Config below:

/routing/bgp/rpki/print
Flags: X - disabled 
 0   group=rpki-test address=192.168.57.130 port=3323 refresh-interval=300 

AND

/routing/filter/rule/print 
Flags: X - disabled, I - invalid 
 0   chain=bgp_out match-prfx-value=dst<equal>x.x.x.x/24 action=accept 

 1   chain=bgp_in rpki-verify=rpki-test 

 2   chain=bgp_in match-rpki=valid action=accept 

 3   chain=bgp_in match-rpki=invalid action=reject 

 4   chain=bgp_in action=accept 

Chain applied to template:

/routing/bgp/template/print        
Flags: * - default, X - disabled, I - inactive 
 0 * name="default" routing-table=main instance=default as=XXXXXX 
     output.filter=bgp_out 
     input.filter=bgp_in 

Route table:

/routing/route/print  
Flags: A - ACTIVE; c - CONNECT, s - STATIC, b - BGP, l - LDP-MAPPING
Columns: DST-ADDRESS, GATEWAY, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
      DST-ADDRESS       GATEWAY     DI  SCO  TA  IMMEDIATE-GW     
  Ab  61.4X.XXX.0/24    172.16.0.1  20   40  10  172.16.0.1%ether2
  As  61.4X.XXX.0/24    blackhole    1  250  10                   
  Ab  61.4X.XXX.0/24    172.16.0.1  20   40  10  172.16.0.1%ether2  ####This is the invalid route that gets installed

If I remove the rpki-verify=valid accept rule...everything gets flagged as invalid...
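
To cross-check what a router reports in a lab like the one described in this thread, the expected state of each test route can be computed independently from the validator's VRP list. The following is an added example, not part of any post here and not MikroTik code: RFC 6811 origin validation in Python, combined with the intent of the posted bgp_in chain. The prefixes, AS numbers and `observed` states are constructed sample values.

```python
import ipaddress

VALID, INVALID, UNKNOWN = "valid", "invalid", "unknown"  # RFC 6811 calls the last one NotFound

# Constructed sample VRPs (prefix, max length, origin AS) from documentation ranges.
VRPS = [("192.0.2.0/24", 24, 64496), ("198.51.100.0/24", 24, 64497)]

# Constructed lab routes (prefix, origin AS): one valid, one invalid, one unknown.
ROUTES = [("192.0.2.0/24", 64496), ("198.51.100.0/24", 64511), ("203.0.113.0/24", 64500)]

def rov_state(prefix, origin_as, vrps):
    """Validation state of one route against a VRP list, per RFC 6811."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        if vrp.version != route.version or not route.subnet_of(vrp):
            continue  # this VRP does not cover the route
        covered = True
        if route.prefixlen <= max_len and vrp_as == origin_as and vrp_as != 0:
            return VALID  # one matching VRP is enough
    # Covered but never matched means invalid; not covered at all means unknown.
    return INVALID if covered else UNKNOWN

def bgp_in_action(state):
    """Intended result of the posted bgp_in chain: reject invalid, accept the rest."""
    return "reject" if state == INVALID else "accept"

def expected_table(routes, vrps):
    """Map each prefix to (expected state, expected filter action)."""
    table = {}
    for prefix, origin_as in routes:
        state = rov_state(prefix, origin_as, vrps)
        table[prefix] = (state, bgp_in_action(state))
    return table

def mismatches(expected, observed):
    """Prefixes whose router-reported state differs from the expected one."""
    return sorted(p for p, (state, _) in expected.items() if observed.get(p) != state)

if __name__ == "__main__":
    expected = expected_table(ROUTES, VRPS)
    # Constructed observation mirroring the symptom reported in this thread.
    observed = {"192.0.2.0/24": INVALID, "198.51.100.0/24": INVALID, "203.0.113.0/24": UNKNOWN}
    for prefix, (state, action) in expected.items():
        print(prefix, "expected", state, action, "| router says", observed[prefix])
    print("mismatches:", mismatches(expected, observed))
```

Replacing `VRPS` with the validator's exported VRPs and `observed` with the states the router shows gives a per-prefix list of where the two disagree.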
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: ROSv7b8 and RPKI

Fri Jun 19, 2020 1:53 pm

I can confirm the problem, we are looking into it.
 
lostdave
just joined
Topic Author
Posts: 5
Joined: Mon Jun 15, 2020 5:29 am

Re: ROSv7b8 and RPKI

Fri Jun 19, 2020 1:58 pm

Thanks for the confirmation @ MRZ
 
lostdave
just joined
Topic Author
Posts: 5
Joined: Mon Jun 15, 2020 5:29 am

Re: ROSv7b8 and RPKI

Thu Jul 23, 2020 3:46 am

I have already updated MRZ, but just to keep it in the open:
7.1b1 still has some issues.
Valid and invalid are being flagged as invalid.
Not found are being correctly classified as Unknown.

There are some issues as well with non-compliance with the RFC around reachability.
I.e. if the validators become unavailable, then all received routes should be received and at least marked as unknown.
As it currently sits, NO ROUTES are admitted.

As stated, this has already been reported and MT are committing to sort this out ASAP :-)
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: ROSv7b8 and RPKI

Mon Jul 27, 2020 10:34 am

Hello,
Which RFC are you referring to?

If you mean something like this:
https://rpki.readthedocs.io/en/latest/a ... ble-for-me

Then it is for the validator, not the RTR client. If the RTR client cannot connect to the validator, then there will be no RPKI states.
Or maybe we are missing something?
 
sdroy
just joined
Posts: 7
Joined: Tue Dec 13, 2016 5:40 am
Location: Dhaka, Bangladesh

Re: ROSv7b8 and RPKI

Tue Jul 28, 2020 9:19 pm

Also facing the same issue.
RPKI check is working fine, but while filtering it blocks valid routes also. Check post #33:
viewtopic.php?f=1&t=163957&p=807373#p807373
