From alex at nlnetlabs.nl Mon Apr 1 13:47:19 2019
From: alex at nlnetlabs.nl (Alex Band)
Date: Mon, 1 Apr 2019 15:47:19 +0200
Subject: [RPKI] Routinator crashing since April 1st (not a joke); investigation ongoing
Message-ID: <171C3D8A-5D54-4ECE-8D4E-447D0D2E4CC8@nlnetlabs.nl>

Dear mailing list,

We have gotten several reports that Routinator has stopped working since April 1st; 2019-04-01T01:19:55Z to be precise. Some instances seem to have died outright, some only lost their RTR and/or HTTP service. Restarting Routinator resolves the issue for now.

We are currently investigating the issue. If you are able to run Routinator with the `RUST_BACKTRACE=1` environment variable, please try this, as this would offer us additional information in case a new crash occurs:

If your instance is still running, can you stop it and run

    RUST_BACKTRACE=1 routinator vrps -nf none

and report the output if that produces an error.

Please follow GitHub issue #106 and #107 for updates:

https://github.com/NLnetLabs/routinator/issues/106
https://github.com/NLnetLabs/routinator/issues/107

Kind regards,

The NLnet Labs RPKI Team

From martin at nlnetlabs.nl Mon Apr 1 15:45:38 2019
From: martin at nlnetlabs.nl (Martin Hoffmann)
Date: Mon, 1 Apr 2019 17:45:38 +0200
Subject: [RPKI] Routinator 0.3.3 ‘Big Bada Boom’ released
Message-ID: <20190401174538.488ae352@glaurung.nlnetlabs.nl>

Dear mailing list,

following up on Alex's earlier mail: We have identified the issue, confirmed it to be an embarrassing mistake on my part, and declared it serious enough to release Routinator 0.3.3. The release also includes a few other bug fixes, such as ignored config file options and complaints about broken pipes.
As always, you can see the complete changes in the Changelog at

https://github.com/NLnetLabs/routinator/releases/tag/v0.3.3/

and find more information at

https://github.com/NLnetLabs/routinator

Happy Routinating,
Martin

From jan at chrillesen.dk Wed Apr 10 17:48:40 2019
From: jan at chrillesen.dk (Jan Chrillesen)
Date: Wed, 10 Apr 2019 19:48:40 +0200
Subject: [RPKI] RPKI on IOS-XR and VRF's
Message-ID: <20190410174840.GI87786@stout2.chrillesen.dk>

I am trying to enable validation on IOS XR (NCS-5500 running 6.5.3) and I'm facing two issues.

The first one is that traffic is being sourced from the outgoing interface, and it isn't possible to specify a source interface (like a loopback interface). It's the same issue as described here

https://puck.nether.net/pipermail/cisco-nsp/2016-December/104236.html

The second one is the lack of documentation for using RPKI validation in VRF's - is it even supported? I made the following config

router bgp xxxxx
 rpki server 212.x.y.z
  transport tcp port 3323
  refresh-time 600

 vrf internet
  [...]
  bgp bestpath origin-as use validity
  bgp bestpath origin-as allow invalid
  address-family ipv4 unicast
   [...]
   bgp origin-as validation signal ibgp

Connection to the validator (Routinator 3000 seems fine):

#sh bgp rpki summary
Wed Apr 10 19:39:46.294 CEST

RPKI cache-servers configured: 1
RPKI database
  Total IPv4 net/path: 64091/68179
  Total IPv6 net/path: 11324/12344

If I check the validity of a route received from a peer on the router I get:

#sh bgp vrf internet x.y.0.0/19
[...]
Origin-AS validity: (disabled)

I would expect the validity to be valid, invalid or not found

Also updated the ingress route-map of the peer to check for validation-state but I would expect that the route should have a validity even if I don't do anything with it in the route map

Found this old post

https://community.cisco.com/t5/routing/rpki-validation-for-neighbors-in-vrfs/td-p/2724218

but it didn't provide any hints to whether validation is even supported in VRF's on XR

(To those who might suggest I run my peers in GRT - it's not currently an option)

- Jan

From rpki at braeburn.org Wed Apr 10 19:54:25 2019
From: rpki at braeburn.org (Jay Borkenhagen)
Date: Wed, 10 Apr 2019 15:54:25 -0400
Subject: [RPKI] RPKI on IOS-XR and VRF's
In-Reply-To: <20190410174840.GI87786@stout2.chrillesen.dk>
References: <20190410174840.GI87786@stout2.chrillesen.dk>
Message-ID: <23726.18929.745007.484677@oz.mt.att.com>

Hi Jan,

Some time ago I filed this Cisco DDTS:

  CSCvg37740 - Specify source address or interface for RPKI server

I do not know whether a fix was made available in any versions of IOS-XR. (However, I do know that no SMU fixing that DDTS has yet been accepted into our (as7018) certification process.)

That said, the workaround we are using in production is to use the SSH Transport option, section 9.1 of https://tools.ietf.org/html/rfc8210

Our versions of IOS-XR do allow specifying the source address for ssh client connections via:

  ssh client source-interface Loopback0

Note that if you do go this way, the "show running" configuration will show the rpki server username and "transport ssh port 22", but the ssh password will not be visible. It will be stored in a database internal to IOS-XR -- it just won't be apparent.

Sorry -- I never tried setting up validation in a VRF. Good luck.

Hope that helps somewhat.

Jay B.

Jan Chrillesen writes:
> I am trying to enable validation on IOS XR (NCS-5500 running 6.5.3) and
> I'm facing two issues.
> The first one is that traffic is being sourced
> from the outgoing interface, and it isn't possible to specify a source
> interface (like a loopback interface). It's the same issue as described
> here
> https://puck.nether.net/pipermail/cisco-nsp/2016-December/104236.html
>
> The second one is the lack of documentation for using RPKI validation in
> VRF's - is it even supported? I made the following config
>
> router bgp xxxxx
>  rpki server 212.x.y.z
>   transport tcp port 3323
>   refresh-time 600
>
>  vrf internet
>   [...]
>   bgp bestpath origin-as use validity
>   bgp bestpath origin-as allow invalid
>   address-family ipv4 unicast
>    [...]
>    bgp origin-as validation signal ibgp
>
>
> Connection to the validator (Routinator 3000 seems fine):
>
> #sh bgp rpki summary
> Wed Apr 10 19:39:46.294 CEST
>
> RPKI cache-servers configured: 1
> RPKI database
>   Total IPv4 net/path: 64091/68179
>   Total IPv6 net/path: 11324/12344
>
> If I check the validity of a route received from a peer on the router I
> get:
>
> #sh bgp vrf internet x.y.0.0/19
> [...]
> Origin-AS validity: (disabled)
>
> I would expect the validity to be valid, invalid or not found
>
> Also updated the ingress route-map of the peer to check for
> validation-state but I would expect that the route should have a
> validity even if I don't do anything with it in the route map
>
> Found this old post
> https://community.cisco.com/t5/routing/rpki-validation-for-neighbors-in-vrfs/td-p/2724218
> but it didn't provide any hints to whether validation is even supported
> in VRF's on XR
>
> (To those who might suggest I run my peers in GRT - it's not currently
> an option)
>
> - Jan
> --
> RPKI mailing list
> RPKI at nlnetlabs.nl
> https://www.nlnetlabs.nl/mailman/listinfo/rpki

From alex at nlnetlabs.nl Wed Apr 10 20:07:03 2019
From: alex at nlnetlabs.nl (Alex Band)
Date: Wed, 10 Apr 2019 22:07:03 +0200
Subject: [RPKI] RPKI on IOS-XR and VRF's
In-Reply-To: <23726.18929.745007.484677@oz.mt.att.com>
References: <20190410174840.GI87786@stout2.chrillesen.dk> <23726.18929.745007.484677@oz.mt.att.com>
Message-ID:

Hi Jan, Jay,

> On 10 Apr 2019, at 21:54, Jay Borkenhagen wrote:
>
> Hi Jan,
>
> Some time ago I filed this Cisco DDTS:
>
>   CSCvg37740 - Specify source address or interface for RPKI server
>
> I do not know whether a fix was made available in any versions of
> IOS-XR. (However, I do know that no SMU fixing that DDTS has yet been
> accepted into our (as7018) certification process.)
>
> That said, the workaround we are using in production is to use the SSH
> Transport option, section 9.1 of https://tools.ietf.org/html/rfc8210
> Our versions of IOS-XR do allow specifying the source address for ssh
> client connections via:
>
>   ssh client source-interface Loopback0
>
> Note that if you do go this way, the "show running" configuration will
> show the rpki server username and "transport ssh port 22", but the ssh
> password will not be visible. It will be stored in a database
> internal to IOS-XR -- it just won't be apparent.
By way of @wk [0], this process is documented here:

https://rpki.readthedocs.io/en/latest/routinator/rtr-secure-transport.html

Cheers,

Alex

[0] https://github.com/wk

>
> Sorry -- I never tried setting up validation in a VRF. Good luck.
>
> Hope that helps somewhat.
>
> Jay B.
>
>
> Jan Chrillesen writes:
>> I am trying to enable validation on IOS XR (NCS-5500 running 6.5.3) and
>> I'm facing two issues. The first one is that traffic is being sourced
>> from the outgoing interface, and it isn't possible to specify a source
>> interface (like a loopback interface). It's the same issue as described
>> here
>> https://puck.nether.net/pipermail/cisco-nsp/2016-December/104236.html
>>
>> The second one is the lack of documentation for using RPKI validation in
>> VRF's - is it even supported? I made the following config
>>
>> router bgp xxxxx
>>  rpki server 212.x.y.z
>>   transport tcp port 3323
>>   refresh-time 600
>>
>>  vrf internet
>>   [...]
>>   bgp bestpath origin-as use validity
>>   bgp bestpath origin-as allow invalid
>>   address-family ipv4 unicast
>>    [...]
>>    bgp origin-as validation signal ibgp
>>
>>
>> Connection to the validator (Routinator 3000 seems fine):
>>
>> #sh bgp rpki summary
>> Wed Apr 10 19:39:46.294 CEST
>>
>> RPKI cache-servers configured: 1
>> RPKI database
>>   Total IPv4 net/path: 64091/68179
>>   Total IPv6 net/path: 11324/12344
>>
>> If I check the validity of a route received from a peer on the router I
>> get:
>>
>> #sh bgp vrf internet x.y.0.0/19
>> [...]
>> Origin-AS validity: (disabled)
>>
>> I would expect the validity to be valid, invalid or not found
>>
>> Also updated the ingress route-map of the peer to check for
>> validation-state but I would expect that the route should have a
>> validity even if I don't do anything with it in the route map
>>
>> Found this old post
>> https://community.cisco.com/t5/routing/rpki-validation-for-neighbors-in-vrfs/td-p/2724218
>> but it didn't provide any hints to whether validation is even supported
>> in VRF's on XR
>>
>> (To those who might suggest I run my peers in GRT - it's not currently
>> an option)
>>
>> - Jan

From mats at exmandato.se Tue Apr 16 15:23:34 2019
From: mats at exmandato.se (Mats Mellstrand)
Date: Tue, 16 Apr 2019 17:23:34 +0200
Subject: [RPKI] Log information
Message-ID:

Hi

Is it possible to get information on how many ROAs have been added, deleted or updated in the last run? I'm running routinator as a daemon. I have dug around in the logfile but I can't find anything that indicates this. I have defined log-level = "debug"

/mm

From job at ntt.net Thu Apr 25 06:46:47 2019
From: job at ntt.net (Job Snijders)
Date: Thu, 25 Apr 2019 06:46:47 +0000
Subject: [RPKI] RPKI on IOS-XR and VRF's
In-Reply-To: <20190410174840.GI87786@stout2.chrillesen.dk>
References: <20190410174840.GI87786@stout2.chrillesen.dk>
Message-ID:

Hi Jan,

Did you ever figure out whether Origin Validation is supported in context of a VRF?

Kind regards,

Job

On Wed, Apr 10, 2019 at 5:55 PM Jan Chrillesen wrote:
>
> I am trying to enable validation on IOS XR (NCS-5500 running 6.5.3) and
> I'm facing two issues.
> The first one is that traffic is being sourced
> from the outgoing interface, and it isn't possible to specify a source
> interface (like a loopback interface). It's the same issue as described
> here
> https://puck.nether.net/pipermail/cisco-nsp/2016-December/104236.html
>
> The second one is the lack of documentation for using RPKI validation in
> VRF's - is it even supported? I made the following config
>
> router bgp xxxxx
>  rpki server 212.x.y.z
>   transport tcp port 3323
>   refresh-time 600
>
>  vrf internet
>   [...]
>   bgp bestpath origin-as use validity
>   bgp bestpath origin-as allow invalid
>   address-family ipv4 unicast
>    [...]
>    bgp origin-as validation signal ibgp
>
>
> Connection to the validator (Routinator 3000 seems fine):
>
> #sh bgp rpki summary
> Wed Apr 10 19:39:46.294 CEST
>
> RPKI cache-servers configured: 1
> RPKI database
>   Total IPv4 net/path: 64091/68179
>   Total IPv6 net/path: 11324/12344
>
> If I check the validity of a route received from a peer on the router I
> get:
>
> #sh bgp vrf internet x.y.0.0/19
> [...]
> Origin-AS validity: (disabled)
>
> I would expect the validity to be valid, invalid or not found
>
> Also updated the ingress route-map of the peer to check for
> validation-state but I would expect that the route should have a
> validity even if I don't do anything with it in the route map
>
> Found this old post
> https://community.cisco.com/t5/routing/rpki-validation-for-neighbors-in-vrfs/td-p/2724218
> but it didn't provide any hints to whether validation is even supported
> in VRF's on XR
>
> (To those who might suggest I run my peers in GRT - it's not currently
> an option)
>
> - Jan
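One way to get the per-run change counts Mats asks about in the "Log information" thread above is to keep the previous `routinator vrps -f csv` output and diff it against the current one. This is an added example, not part of the thread or of Routinator itself; it counts VRPs (the validated payloads Routinator emits) rather than ROA objects, the CSV header `ASN,IP Prefix,Max Length,Trust Anchor` is assumed to match Routinator's CSV format, and both snapshots are constructed sample data.

```python
# Added example (not Routinator's own code): count VRPs added and removed
# between two `routinator vrps -f csv` snapshots. The header line below is
# assumed to match Routinator's CSV output; both snapshots are constructed.
import csv
import io
from typing import Dict, NamedTuple, Set


class Vrp(NamedTuple):
    asn: str
    prefix: str
    max_length: int
    trust_anchor: str


# Constructed sample data (documentation prefixes / private ASNs), not real VRPs.
PREVIOUS_RUN = """ASN,IP Prefix,Max Length,Trust Anchor
AS64496,192.0.2.0/24,24,ripe
AS64496,2001:db8::/32,48,ripe
AS64497,198.51.100.0/24,24,arin
"""

CURRENT_RUN = """ASN,IP Prefix,Max Length,Trust Anchor
AS64496,192.0.2.0/24,24,ripe
AS64496,2001:db8::/32,32,ripe
AS64498,203.0.113.0/24,24,apnic
"""


def parse_vrps(text: str) -> Set[Vrp]:
    """Parse Routinator-style CSV into a set; a VRP is identified by all four fields."""
    reader = csv.DictReader(io.StringIO(text))
    return {Vrp(r["ASN"], r["IP Prefix"], int(r["Max Length"]), r["Trust Anchor"])
            for r in reader}


def diff_vrps(previous: str, current: str) -> Dict[str, object]:
    """Report VRPs that appeared or disappeared between two runs.

    A max-length change shows up as one removal plus one addition; the
    (ASN, prefix) pair is also listed under 'changed_prefixes' so that a wave
    of such edits is visible to whoever monitors the validator.
    """
    old, new = parse_vrps(previous), parse_vrps(current)
    added, removed = new - old, old - new
    changed = {(v.asn, v.prefix) for v in added} & {(v.asn, v.prefix) for v in removed}
    return {"added": sorted(added), "removed": sorted(removed),
            "changed_prefixes": sorted(changed), "unchanged": len(old & new)}


if __name__ == "__main__":
    r = diff_vrps(PREVIOUS_RUN, CURRENT_RUN)
    print(f"added={len(r['added'])} removed={len(r['removed'])} "
          f"changed={len(r['changed_prefixes'])} unchanged={r['unchanged']}")
```

Run it against two saved snapshots from consecutive validation runs to get the numbers the log does not print; the absolute totals can be cross-checked against the router's `show bgp rpki summary` counts quoted earlier in the thread.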