[RPKI] Routes containing aggregated AS-set becomes invalid
Chriztoffer Hansen
ch at ntrv.dk
Wed Jul 15 18:18:17 UTC 2020
Hi Jan,
On Wed, 15 Jul 2020 at 08:13, Jan Chrillesen via RPKI
<rpki at lists.nlnetlabs.nl> wrote:
> I am in the process of turning on validation in our network and I have
> an issue with 2001:948::/32
>
> When receiving the route over various IX's I get the following AS-path:
>
> 2603 {224,39590,64520,64530,65001,65002,65003,65004,65005,65006,65007,65008,65009,65010,65423,65426}
>
> However when received via transit the AS-path doesn't contain the
> aggregated list of AS numbers (see
> https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/5441-aggregation.html#aggregatingwiththeassetargument
> for an explanation of aggregation with as-set)
>
> Our Cisco ASR9000 running 6.6.3 considers the route with the aggregated
> as-set as RPKI invalid. Is this expected behaviour or a bug?
Yes!
The exact same question popped up on the BIRD mailing list the other
day, https://marc.info/?l=bird-users&m=159463583531316&w=2
"This is expected behaviour, see RFC 6907 7.1.9:
Comment: In the spirit of [RFC6472], any route with an AS_SET in it
should not be considered valid (by ROA-based validation). If
the route contains an AS_SET and a covering ROA prefix exists for the
route prefix, then the route should get an Invalid status.
(Note: AS match or mismatch consideration does not apply.)"
--
Cheers,
CHRIZTOFFER
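
The rule quoted from RFC 6907 above, as an added example that is not part of the original message or of any router's code: a small ROA-based origin validation routine run over the IX path from the question. The ROA table and the transit path are constructed samples, and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample ROA table (assumption, not real RPKI data):
# (prefix, maxLength, authorised origin ASN)
SAMPLE_ROAS = [("2001:948::/32", 32, 2603)]

# AS path as received over the IXes, copied from the question.
IX_PATH = ("2603 {224,39590,64520,64530,65001,65002,65003,65004,65005,"
           "65006,65007,65008,65009,65010,65423,65426}")
# Constructed transit path without the AS_SET (64496 is a documentation ASN).
TRANSIT_PATH = "64496 2603"


def origin_asn(as_path):
    """Return the origin ASN, or None when no single origin can be derived.

    Following the wording quoted from RFC 6907 7.1.9, any AS_SET ({...})
    in the path means the route has no usable origin. An empty path is
    also mapped to None here, which is a simplification.
    """
    if "{" in as_path:
        return None
    sequence = [int(tok) for tok in re.sub(r"\{[^}]*\}", " ", as_path).split()]
    return sequence[-1] if sequence else None


def validate(prefix, as_path, roas=SAMPLE_ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one route."""
    route = ipaddress.ip_network(prefix)
    origin = origin_asn(as_path)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue                      # this ROA does not cover the route
        covered = True
        if origin == roa_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered but unmatched (or no origin because of an AS_SET): invalid.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    for path in (IX_PATH, TRANSIT_PATH):
        print(validate("2001:948::/32", path), "<-", path)
```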