[RPKI] RPKI on IOS-XR and VRF's

Job Snijders job at ntt.net
Thu Apr 25 06:46:47 UTC 2019


Hi Jan,

Did you ever figure out whether Origin Validation is supported in
context of a VRF?

Kind regards,

Job

On Wed, Apr 10, 2019 at 5:55 PM Jan Chrillesen <jan at chrillesen.dk> wrote:
>
> I am trying to enable validation on IOS XR (NCS-5500 running 6.5.3) and
> I'm facing two issues. The first one is that traffic is being sourced
> from the outgoing interface, and it isn't possible to specify a source
> interface (like a loopback interface). It's the same issue as described
> here
> https://puck.nether.net/pipermail/cisco-nsp/2016-December/104236.html
>
> The second one is the lack of documentation for using RPKI validation in
> VRF's - is it even supported? I made the following config
>
> router bgp xxxxx
>  rpki server 212.x.y.z
>   transport tcp port 3323
>   refresh-time 600
>
>  vrf internet
>   [...]
>   bgp bestpath origin-as use validity
>   bgp bestpath origin-as allow invalid
>   address-family ipv4 unicast
>    [...]
>    bgp origin-as validation signal ibgp
>
>
> Connection to the validator (Routinator 3000) seems fine:
>
> #sh bgp rpki summary
> Wed Apr 10 19:39:46.294 CEST
>
> RPKI cache-servers configured: 1
> RPKI database
>   Total IPv4 net/path: 64091/68179
>   Total IPv6 net/path: 11324/12344
>
> If I check the validity of a route received from a peer on the router I
> get:
>
> #sh bgp vrf internet x.y.0.0/19
> [...]
>       Origin-AS validity: (disabled)
>
> I would expect the validity to be valid, invalid or not found
>
> Also updated the ingress route-map of the peer to check for
> validation-state but I would expect that the route should have a
> validity even if I don't do anything with it in the route map
>
> Found this old post
> https://community.cisco.com/t5/routing/rpki-validation-for-neighbors-in-vrfs/td-p/2724218
> but it didn't provide any hints to whether validation is even supported
> in VRF's on XR
>
> (To those who might suggest I run my peers in GRT - it's not currently
> an option)
>
> - Jan