[RPKI] Routes containing aggregated AS-set becomes invalid

cf at telia.net
Wed Jul 22 11:50:28 UTC 2020


Hi Jan,

We do have RPKI validation setup on all edge routers in 1299, but due to
PR/1463306 (Junos RPKI validation not conforming with RFC6907) we do have
some difficulties validating some routes containing an AS_SET on some
routers. The last routers in 1299 affected by this PR are set to be
dismantled or upgraded after summer. The irritating part is that we have no
ability to filter below routes manually either, as there is no policy
function to match on AS_SET in Juniper routers...

Please also bear in mind that there are different views on how to interpret
these parts of RFC6907.  The big router vendors have interpreted RPKI to be
truly Origin Validation and therefore they only validate/check against the
rightmost element in the AS path, the originating ASN. The part mentioned
earlier stating that any route containing an AS_SET as part of its AS path
should be Invalid is only in the comment section. BIRD checks the complete
path. Checking the complete AS path would be more complex, use more valuable
router CPU resources and is closer to what we aim for ASPA to do in the
future. The routes with an AS_SET in the middle of a path will still be
validated against the Origin ASN.

BR,
// CF

-----Original Message-----
From: RPKI <rpki-bounces at lists.nlnetlabs.nl> On Behalf Of Jan Chrillesen via RPKI
Sent: 22 July 2020 08:25
To: Chriztoffer Hansen <ch at ntrv.dk>
Cc: rpki at lists.nlnetlabs.nl
Subject: Re: [RPKI] Routes containing aggregated AS-set becomes invalid

On Wed., 15 Jul. 2020, Chriztoffer Hansen <ch at ntrv.dk> wrote:

> The exact same question popped up on the BIRD mailing list the other 
> day, https://marc.info/?l=bird-users&m=159463583531316&w=2
> 
> "This is expected behaviour, see RFC 6907 7.1.9:
> 
>    Comment:  In the spirit of [RFC6472], any route with an AS_SET in it
>       should not be considered valid (by ROA-based validation).  If
>       the route contains an AS_SET and a covering ROA prefix exists for the
>       route prefix, then the route should get an Invalid status.
> 
>       (Note: AS match or mismatch consideration does not apply.)"

Hi Chriztoffer

I have been looking further into this and it seems that Telia/1299 does not
consider these types of routes as RPKI invalids! 

(I base this on the fact that Telia publicly stated that they do drop
invalids, however I receive the following prefixes on one of our Telia
transit ports)

*  77.75.37.0/24      213.248.93.92          100     50      0 1299 2914 9121 9121 42926 {206991} i
*  77.83.56.0/22      213.248.93.92          100     50      0 1299 1273 24785 16003 {8455,27970} i
*  83.230.0.0/19      213.248.93.92          100     50      0 1299 6830 35434 {202220} i
*  83.230.32.0/20     213.248.93.92          100     50      0 1299 6830 35434 {199551} i
*  103.15.41.0/24     213.248.93.92          100     50      0 1299 4637 9498 58682 {54994} i
*  119.30.80.0/20     213.248.93.92          100     50      0 1299 6762 38193 58470 23966 {131471,132788} i

Before I turn on validation on our transit sessions I would like to hear
some feedback from networks that already drop invalids. Will dropping these
routes with AS_SET in the path cause any issues? Or are you dropping these
without any known problems?

- Jan
--
RPKI mailing list
RPKI at lists.nlnetlabs.nl
https://lists.nlnetlabs.nl/mailman/listinfo/rpki
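The two readings of RFC 6907 discussed in this thread (origin-only comparison of the rightmost AS_PATH element, versus the 7.1.9 comment that any AS_SET makes a covered route Invalid), as an added Python example that is not part of the list posts or of any vendor's implementation. The ROAs, the last route and the treatment of a trailing AS_SET as Invalid are assumptions of this example; the other routes are taken from Jan's table.

```python
import ipaddress
# Constructed ROAs (prefix, maxLength, origin ASN), not real RPKI data.
ROAS = [("77.75.37.0/24", 24, 206991),
        ("83.230.0.0/16", 20, 35434),
        ("203.0.113.0/24", 24, 64500)]

def parse_as_path(text):
    """'1299 6830 35434 {199551}' -> [1299, 6830, 35434, {199551}]"""
    return [{int(a) for a in t.strip("{}").split(",")} if t.startswith("{")
            else int(t) for t in text.split()]

def covering(prefix, roas):
    """ROAs whose prefix covers `prefix` (same address family only)."""
    net = ipaddress.ip_network(prefix)
    out = []
    for p, ml, asn in roas:
        roa_net = ipaddress.ip_network(p)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append((ml, asn))
    return out

def validate(prefix, as_path, roas, whole_path=False):
    """'NotFound', 'Valid' or 'Invalid'.
    whole_path=False: compare only the rightmost path element (the
    vendor behaviour CF describes). whole_path=True: RFC 6907 7.1.9
    comment, an AS_SET anywhere makes a covered route Invalid."""
    net = ipaddress.ip_network(prefix)
    path = parse_as_path(as_path)
    cov = covering(prefix, roas)
    if not cov:
        return "NotFound"
    if whole_path and any(isinstance(s, set) for s in path):
        return "Invalid"
    origin = path[-1]
    if isinstance(origin, set):  # assumption: no single origin ASN to match
        return "Invalid"
    ok = any(asn == origin and net.prefixlen <= ml for ml, asn in cov)
    return "Valid" if ok else "Invalid"

ROUTES = [  # prefix and AS path as printed in Jan's table; last one constructed
    ("77.75.37.0/24", "1299 2914 9121 9121 42926 {206991}"),
    ("83.230.32.0/20", "1299 6830 35434 {199551}"),
    ("103.15.41.0/24", "1299 4637 9498 58682 {54994}"),
    ("203.0.113.0/24", "1299 64496 {64497,64498} 64500"),
]

def report(routes=ROUTES, roas=ROAS):
    """prefix -> (origin-only result, whole-path result)"""
    return {p: (validate(p, ap, roas), validate(p, ap, roas, True))
            for p, ap in routes}
```

Only the constructed route with the AS_SET in the middle of the path differs between the two modes, which is the case CF's last sentence describes.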