I have two full BGP feeds and have been deploying RPKI. I have things working. In an attempt to really see the effects of my RPKI work in the routing table, I have set comments on the routes received in the filters as below:
16 chain=RPKI rule="rpki-verify RPKI"
17 chain=RPKI rule="if (rpki invalid) {set comment RPKI_Invalid; reject}"
18 chain=RPKI rule="if (rpki unknown) {set comment RPKI_Unknown; accept}"
19 chain=RPKI rule="if (rpki valid) {set comment RPKI_Valid; accept}"
20 chain=RPKI rule="if (rpki unverified) {set comment RPKI_Unverified; accept}"
21 chain=RPKI rule="return"
Flags: D - dynamic; X - disabled, I - inactive, A - active;
c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - vpn, m - modem, y - bgp-mpls-vpn;
H - hw-offloaded; + - ecmp
# DST-ADDRESS GATEWAY DISTANCE
D b ;;; RPKI_Valid
1.0.0.0/24 41.79.9.121 20
DAb 1.0.0.0/24 41.209.9.17 20
D b ;;; RPKI_Valid
1.0.4.0/22 41.79.9.121 20
DAb 1.0.4.0/22 41.209.9.17 20
D b ;;; RPKI_Valid
1.0.5.0/24 41.79.9.121 20
DAb 1.0.5.0/24 41.209.9.17 20
D b ;;; RPKI_Unknown
1.0.16.0/24 41.79.9.121 20
DAb 1.0.16.0/24 41.209.9.17 20
D b ;;; RPKI_Unknown
1.0.32.0/24 41.79.9.121 20
DAb 1.0.32.0/24 41.209.9.17 20
D b ;;; RPKI_Valid
1.0.64.0/18 41.79.9.121 20
DAb 1.0.64.0/18 41.209.9.17 20
Hunting for invalids, I can then do this:
ip route print detail where comment=RPKI_Invalid
DIb ;;; RPKI_Invalid
dst-address=5.105.108.0/24 routing-table=main gateway=41.79.9.121 immediate-gw=41.79.9.121%ether3
distance=20 scope=40 target-scope=10 suppress-hw-offload=no
DIb ;;; RPKI_Invalid
dst-address=5.105.130.0/24 routing-table=main gateway=41.79.9.121 immediate-gw=41.79.9.121%ether3
distance=20 scope=40 target-scope=10 suppress-hw-offload=no
DIb ;;; RPKI_Invalid
dst-address=5.105.153.0/24 routing-table=main gateway=41.79.9.121 immediate-gw=41.79.9.121%ether3
distance=20 scope=40 target-scope=10 suppress-hw-offload=no
I have found this handy and intriguing, but is it a good idea? Can I leave these comments there, or is it computationally expensive for the router and/or the BGP process?
Many thanks,
Alex
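One way to get a routing-table-wide view of the RPKI state these comments record, without leaving the router to do the counting: copy the `ip route print` output (either the brief listing or the `print detail` form shown above) into a small parser and tally routes per comment and per gateway. The script below is an added example, not part of the post or of RouterOS; it assumes the output is pasted the way it appears above (comment line `;;; RPKI_...` printed just before its route, whitespace collapsed, optional index column), and the two sample outputs embedded in it are constructed from the entries in the post. It also flags any route that is both `RPKI_Invalid` and active, which is the condition the `reject` in the filter should make impossible.

```python
import re
from collections import Counter

# Constructed sample, modelled on the brief "ip route print" listing in the post
# (comment line precedes its route; second path for the same prefix has no comment).
BRIEF_OUTPUT = """\
Flags: D - dynamic; X - disabled, I - inactive, A - active;
c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - vpn, m - modem, y - bgp-mpls-vpn;
H - hw-offloaded; + - ecmp
 #     DST-ADDRESS      GATEWAY        DISTANCE
   D b ;;; RPKI_Valid
       1.0.0.0/24       41.79.9.121    20
   DAb 1.0.0.0/24       41.209.9.17    20
   D b ;;; RPKI_Unknown
       1.0.16.0/24      41.79.9.121    20
   DAb 1.0.16.0/24      41.209.9.17    20
   DIb ;;; RPKI_Invalid
       5.105.108.0/24   41.79.9.121    20
   DAb ;;; RPKI_Valid
       1.0.64.0/18      41.209.9.17    20
"""

# Constructed sample of the "print detail where comment=RPKI_Invalid" form.
DETAIL_OUTPUT = """\
DIb ;;; RPKI_Invalid
dst-address=5.105.130.0/24 routing-table=main gateway=41.79.9.121 immediate-gw=41.79.9.121%ether3
distance=20 scope=40 target-scope=10 suppress-hw-offload=no
"""

# Flag column is [D/X][A/I/space][protocol letter], optionally preceded by an index number.
FLAG_RE = re.compile(r'^(?:\d+\s+)?(?P<dyn>[DX])(?P<act>[AI ])(?P<proto>[a-z])\s+(?P<rest>.*)$')
# Brief form: "prefix gateway distance" on the line after the comment (or after the flags).
PREFIX_RE = re.compile(r'^(?P<dst>\d+(?:\.\d+){3}/\d+)\s+(?P<gw>\S+)\s+(?P<dist>\d+)')
# Detail form: space-separated key=value pairs.
KV_RE = re.compile(r'(\S+?)=(\S+)')
# Legend lines such as "c - connect, s - static, ..." and "H - hw-offloaded; + - ecmp".
LEGEND_RE = re.compile(r'^[A-Za-z+] - ')


def _absorb(route, line):
    """Fill in dst/gateway/distance from a continuation line of either output form."""
    kv = dict(KV_RE.findall(line))
    if kv:
        route['dst'] = kv.get('dst-address', route['dst'])
        route['gateway'] = kv.get('gateway', route['gateway'])
        if 'distance' in kv:
            route['distance'] = int(kv['distance'])
        return
    m = PREFIX_RE.match(line)
    if m:
        route['dst'], route['gateway'] = m.group('dst'), m.group('gw')
        route['distance'] = int(m.group('dist'))


def parse_route_print(text):
    """Parse RouterOS route output (brief or detail) into a list of route dicts."""
    routes, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('Flags:', '#')) or LEGEND_RE.match(line):
            continue
        m = FLAG_RE.match(line)
        if m:  # a new route entry starts here
            current = {'active': m.group('act') == 'A', 'inactive': m.group('act') == 'I',
                       'proto': m.group('proto'), 'comment': None,
                       'dst': None, 'gateway': None, 'distance': None}
            routes.append(current)
            line = m.group('rest')
            if line.startswith(';;;'):  # comment line; the route fields follow on the next line
                current['comment'] = line[3:].strip()
                continue
        if current is not None:
            _absorb(current, line)
    return routes


def summarize(routes):
    """Count routes per RPKI comment; routes without a comment are counted as '(none)'."""
    return Counter(r['comment'] or '(none)' for r in routes)


def active_invalids(routes):
    """Prefixes commented RPKI_Invalid that are nonetheless active: should be empty when the
    filter rejects invalids, so a non-empty list is worth investigating."""
    return [r['dst'] for r in routes if r['comment'] == 'RPKI_Invalid' and r['active']]


if __name__ == '__main__':
    routes = parse_route_print(BRIEF_OUTPUT)
    for state, n in sorted(summarize(routes).items()):
        print(f'{state:14} {n}')
    print('active invalids:', active_invalids(routes))
```

The per-gateway split is one dict comprehension away (`Counter((r['comment'], r['gateway']) for r in routes)`), which is useful when the two upstreams validate differently for the same prefix, as the paired entries in the post show.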