[RPKI] RPKI on IOS-XR and VRF's

Alex Band alex at nlnetlabs.nl
Wed Apr 10 20:07:03 UTC 2019


Hi Jan, Jay,

> On 10 Apr 2019, at 21:54, Jay Borkenhagen <rpki at braeburn.org> wrote:
> 
> Hi Jan,
> 
> Some time ago I filed this Cisco DDTS:
> 
>   CSCvg37740 - Specify source address or interface for RPKI server
> 
> I do not know whether a fix was made available in any versions of
> IOS-XR.  (However, I do know that no SMU fixing that DDTS has yet been
> accepted into our (as7018) certification process.)
> 
> That said, the workaround we are using in production is to use the SSH
> Transport option, section 9.1 of https://tools.ietf.org/html/rfc8210
> Our versions of IOS-XR do allow specifying the source address for ssh
> client connections via:
> 
> ssh client source-interface Loopback0
> 
> Note that if you do go this way, the "show running" configuration will
> show the rpki server username and "transport ssh port 22", but the ssh
> password will not be visible.  It will be stored in a database
> internal to IOS-XR -- it just won't be apparent.

By way of @wk [0], this process is documented here:

https://rpki.readthedocs.io/en/latest/routinator/rtr-secure-transport.html

Cheers,

Alex

[0] https://github.com/wk

> 
> 
> Sorry -- I never tried setting up validation in a VRF.  Good luck.
> 
> Hope that helps somewhat.
> 
> 						Jay B.
> 
> 
> Jan Chrillesen writes:
>> I am trying to enable validation on IOS XR (NCS-5500 running 6.5.3) and
>> I'm facing two issues. The first one is that traffic is being sourced
>> from the outgoing interface, and it isn't possible to specify a source
>> interface (like a loopback interface). It's the same issue as described
>> here
>> https://puck.nether.net/pipermail/cisco-nsp/2016-December/104236.html
>> 
>> The second one is the lack of documentation for using RPKI validation in
>> VRF's - is it even supported? I made the following config
>> 
>> router bgp xxxxx
>> rpki server 212.x.y.z
>>  transport tcp port 3323
>>  refresh-time 600
>> 
>> vrf internet
>>  [...]
>>  bgp bestpath origin-as use validity
>>  bgp bestpath origin-as allow invalid
>>  address-family ipv4 unicast
>>   [...]
>>   bgp origin-as validation signal ibgp
>> 
>> 
>> Connection to the validator (Routinator 3000 seems fine):
>> 
>> #sh bgp rpki summary
>> Wed Apr 10 19:39:46.294 CEST
>> 
>> RPKI cache-servers configured: 1
>> RPKI database
>>  Total IPv4 net/path: 64091/68179
>>  Total IPv6 net/path: 11324/12344
>> 
>> If I check the validity of a route received from a peer on the router I
>> get:
>> 
>> #sh bgp vrf internet x.y.0.0/19
>> [...]
>>      Origin-AS validity: (disabled)
>> 
>> I would expect the validity to be valid, invalid or not found 
>> 
>> Also updated the ingress route-map of the peer to check for
>> validation-state but I would expect that the route should have a
>> validity even if I don't do anything with it in the route map
>> 
>> Found this old post
>> https://community.cisco.com/t5/routing/rpki-validation-for-neighbors-in-vrfs/td-p/2724218
>> but it didn't provide any hints to whether validation is even supported
>> in VRF's on XR
>> 
>> (To those who might suggest I run my peers in GRT - it's not currently
>> an option)
>> 
>> - Jan
>> -- 
>> RPKI mailing list
>> RPKI at nlnetlabs.nl
>> https://www.nlnetlabs.nl/mailman/listinfo/rpki
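As an added illustration of what the router computes once the RTR session to the cache is up (this is my own example code, not part of this thread and not Routinator or IOS-XR code): a small parser for RFC 8210 Prefix PDUs plus RFC 6811 origin validation, run over a constructed PDU stream, yielding the valid / invalid / not found outcomes Jan expected to see instead of "(disabled)". The function names, sample prefixes and ASNs are assumptions of mine.

```python
from __future__ import annotations
import ipaddress
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class VRP:  # one Validated ROA Payload (prefix, max length, origin AS) as sent by the RTR cache
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_len: int
    asn: int

def parse_pdus(data: bytes) -> set[VRP]:
    """Apply the RFC 8210 Prefix PDUs (type 4 IPv4, type 6 IPv6) in a byte stream to a VRP set."""
    vrps, off = set(), 0
    while off < len(data):
        if off + 8 > len(data):
            raise ValueError(f"truncated PDU header at offset {off}")
        _ver, pdu_type, _sess, length = struct.unpack_from("!BBHI", data, off)
        if length < 8 or off + length > len(data):
            raise ValueError(f"bad PDU length {length} at offset {off}")
        if pdu_type in (4, 6):
            flags, plen, max_len, _ = struct.unpack_from("!BBBB", data, off + 8)
            addr_len = 4 if pdu_type == 4 else 16
            addr = data[off + 12:off + 12 + addr_len]
            (asn,) = struct.unpack_from("!I", data, off + 12 + addr_len)
            vrp = VRP(ipaddress.ip_network((addr, plen), strict=False), max_len, asn)
            (vrps.add if flags & 1 else vrps.discard)(vrp)  # flags bit 0: 1 = announce, 0 = withdraw
        off += length  # the length field lets us step over PDU types we do not handle
    return vrps

def origin_validity(vrps: set[VRP], prefix: str, origin_as: int) -> str:
    """RFC 6811 origin validation for one route: what the router reports as Origin-AS validity."""
    route = ipaddress.ip_network(prefix)
    covering = [v for v in vrps if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if any(v.asn == origin_as != 0 and route.prefixlen <= v.max_len for v in covering):
        return "valid"
    return "invalid" if covering else "not found"

def ipv4_prefix_pdu(flags: int, plen: int, max_len: int, prefix: str, asn: int) -> bytes:
    """Build a 20-byte RFC 8210 IPv4 Prefix PDU; used here only to construct sample input."""
    return struct.pack("!BBHIBBBB4sI", 1, 4, 0, 20, flags, plen, max_len, 0,
                       ipaddress.IPv4Address(prefix).packed, asn)

SAMPLE_STREAM = (  # constructed sample session: documentation prefixes and private ASNs, not real data
    struct.pack("!BBHI", 1, 3, 0, 8)                            # Cache Response
    + ipv4_prefix_pdu(1, 24, 24, "203.0.113.0", 64496)          # ROA 203.0.113.0/24-24 AS64496
    + ipv4_prefix_pdu(1, 22, 24, "198.51.100.0", 64500)         # ROA 198.51.100.0/22-24 AS64500
    + ipv4_prefix_pdu(0, 22, 24, "198.51.100.0", 64500)         # ... then withdrawn again
    + struct.pack("!BBHIIIII", 1, 7, 0, 24, 1, 3600, 600, 7200)  # End of Data (protocol version 1)
)
```

Feeding the stream through `parse_pdus` and then `origin_validity` for a route and its origin AS reproduces the three states the router should show; a VRP announced and later withdrawn in the same session leaves no trace, so routes under it come back as not found.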
