[RPKI] RPKI on IOS-XR and VRF's
Jay Borkenhagen
rpki at braeburn.org
Wed Apr 10 19:54:25 UTC 2019
Hi Jan,
Some time ago I filed this Cisco DDTS:
CSCvg37740 - Specify source address or interface for RPKI server
I do not know whether a fix was made available in any versions of
IOS-XR. (However, I do know that no SMU fixing that DDTS has yet been
accepted into our (as7018) certification process.)
That said, the workaround we are using in production is to use the SSH
Transport option, section 9.1 of https://tools.ietf.org/html/rfc8210
Our versions of IOS-XR do allow specifying the source address for ssh
client connections via:
ssh client source-interface Loopback0
Note that if you do go this way, the "show running" configuration will
show the rpki server username and "transport ssh port 22", but the ssh
password will not be visible. It will be stored in a database
internal to IOS-XR -- it just won't be apparent.
Sorry -- I never tried setting up validation in a VRF. Good luck.
Hope that helps somewhat.
Jay B.
Jan Chrillesen writes:
> I am trying to enable validation on IOS XR (NCS-5500 running 6.5.3) and
> I'm facing two issues. The first one is that traffic is being sourced
> from the outgoing interface, and it isn't possible to specify a source
> interface (like a loopback interface). It's the same issue as described
> here
> https://puck.nether.net/pipermail/cisco-nsp/2016-December/104236.html
>
> The second one is the lack of documentation for using RPKI validation in
> VRF's - is it even supported? I made the following config
>
> router bgp xxxxx
> rpki server 212.x.y.z
> transport tcp port 3323
> refresh-time 600
>
> vrf internet
> [...]
> bgp bestpath origin-as use validity
> bgp bestpath origin-as allow invalid
> address-family ipv4 unicast
> [...]
> bgp origin-as validation signal ibgp
>
>
> Connection to the validator (Routinator 3000 seems fine):
>
> #sh bgp rpki summary
> Wed Apr 10 19:39:46.294 CEST
>
> RPKI cache-servers configured: 1
> RPKI database
> Total IPv4 net/path: 64091/68179
> Total IPv6 net/path: 11324/12344
>
> If I check the validity of a route received from a peer on the router I
> get:
>
> #sh bgp vrf internet x.y.0.0/19
> [...]
> Origin-AS validity: (disabled)
>
> I would expect the validity to be valid, invalid or not found
>
> Also updated the ingress route-map of the peer to check for
> validation-state but I would expect that the route should have a
> validity even if I don't do anything with it in the route map
>
> Found this old post
> https://community.cisco.com/t5/routing/rpki-validation-for-neighbors-in-vrfs/td-p/2724218
> but it didn't provide any hints to wheter validation is even supported
> in VRF's on XR
>
> (To those who might suggest I run my peers in GRT - it's not currently
> an option)
>
> - Jan
> --
> RPKI mailing list
> RPKI at nlnetlabs.nl
> https://www.nlnetlabs.nl/mailman/listinfo/rpki
More information about the RPKI
mailing list