RPKI implementation issue, all route shows Valid

Fakrul Alam
Level 1

I am trying to configure RPKI on a Cisco ASR1001 with IOS XE, Version 03.16.03.S. I created a route map that matches prefixes based on their RPKI validation state:

route-map ROUTE-VALIDATION permit 10
 match rpki invalid
 set local-preference 90
!
route-map ROUTE-VALIDATION permit 20
 match rpki not-found
 set local-preference 100
!
route-map ROUTE-VALIDATION permit 30
 match rpki valid
 set local-preference 110

and add it to the neighbor:

neighbor 202.125.97.254 route-map ROUTE-VALIDATION in

But the router tags all prefixes as Valid.

# show ip bgp
V*>i 1.0.64.0/18      202.125.97.254           0    110      0 4608 1221 4637 2516 7670 18144 i
V*>i 1.0.128.0/24     202.125.97.254           0    110      0 4608 1221 4637 3491 38040 23969 ?
V*>i 1.0.128.0/19     202.125.97.254           0    110      0 4608 1221 4637 3491 38040 9737 i
V*>i 1.0.128.0/18     202.125.97.254           0    110      0 4608 1221 4637 3491 38040 9737 i

# show ip bgp 1.0.64.0/18
BGP routing table entry for 1.0.64.0/18, version 1520530
Paths: (1 available, best #1, table default)
  Not advertised to any peer
  Refresh Epoch 1
  4608 1221 4637 2516 7670 18144, (aggregated by 18144 219.118.225.17)
    202.125.97.254 (metric 1) from 202.125.97.254 (202.125.97.254)
      Origin IGP, metric 0, localpref 110, valid, internal, best
      Community: 302000988
      path 7FBDADCB8C78 RPKI State valid
      rx pathid: 0, tx pathid: 0x0

The session with the RPKI cache server is completely OK:

# show bgp ipv4 unicast rpki servers
BGP SOVC neighbor is 202.125.96.50/323 connected to port 323

Any idea?

11 Replies

Hello,

do you have an address family configured? Post the config of your router, you might have missed something...

Hello,

current config:

router bgp 45192
bgp rpki server tcp 202.125.96.47 port 323 refresh 120
neighbor IPv4-iBGP-AS45192 peer-group
neighbor IPv4-iBGP-AS45192 remote-as 45192
neighbor IPv4-iBGP-AS45192 update-source Loopback0
neighbor 202.125.97.254 peer-group IPv4-iBGP-AS45192
!
address-family ipv4
 neighbor IPv4-iBGP-AS45192 next-hop-self
 neighbor 202.125.97.254 activate
 neighbor IPv4-iBGP-AS45192 route-map ROUTE-VALIDATION in
exit-address-family
!
route-map ROUTE-VALIDATION permit 10
 match rpki invalid
 set local-preference 90
!
route-map ROUTE-VALIDATION permit 20
 match rpki not-found
 set local-preference 100
!
route-map ROUTE-VALIDATION permit 30
 match rpki valid
 set local-preference 110

Hello,

the config looks good. Since it is not working however, try to add the lines in bold:

router bgp 45192
bgp rpki server tcp 202.125.96.47 port 323 refresh 120
neighbor IPv4-iBGP-AS45192 peer-group
neighbor IPv4-iBGP-AS45192 remote-as 45192
neighbor IPv4-iBGP-AS45192 update-source Loopback0
neighbor 202.125.97.254 peer-group IPv4-iBGP-AS45192
neighbor 202.125.97.254 send-community extended
neighbor 202.125.97.254 announce rpki state

Hello,

No luck, still same. All prefixes are Valid.

By the way "announce rpki state" is for sending RPKI state to iBGP neighbor via extended community. Not for validating the prefixes. 

Hello Fakrul,

my bad, I thought your problem was that another iBGP neighbor doesn't get the state.

Either way, you are trying to validate the routes with an iBGP neighbor, which is not going to work, as RPKI is supposed to validate routes from eBGP neighbors (in order to prevent prefix hijacking).

So, in short, RPKI works for eBGP, not iBGP.

I am not sure whether Cisco has a different implementation. I have a separate iBGP session for the same AS with GoBGP, and RPKI validation works perfectly there:

fakrul@gobgp:~$ gobgp neigh
Peer AS Up/Down State |#Received Accepted
202.125.97.254 45192 1d 00:00:33 Establ | 640654 640654
2001:df2:ee01::1 45192 1d 00:00:29 Establ | 115848 115848

fakrul@gobgp:~$ gobgp global rib

N*> 37.123.24.0/24 202.12.29.113 4608 1221 4637 6762 34984 23:57:49 [{Origin: ?} {Med: 0} {LocalPref: 105} {Communities: 4608:11100}]
N*> 37.123.25.0/24 202.12.29.113 4608 1221 4637 6762 34984 23:57:49 [{Origin: ?} {Med: 0} {LocalPref: 105} {Communities: 4608:11100}]
N*> 37.123.26.0/24 202.12.29.113 4608 1221 4637 6762 34984 23:57:49 [{Origin: ?} {Med: 0} {LocalPref: 105} {Communities: 4608:11100}]
N*> 37.123.27.0/24 202.12.29.113 4608 1221 4637 6762 34984 23:57:49 [{Origin: ?} {Med: 0} {LocalPref: 105} {Communities: 4608:11100}]

The ASBR router doesn't support RPKI; that's why I am trying with one iBGP router: change the localpref and influence the traffic of the ASBR.

I will try with eBGP session.

Thanks

Fakrul

It seems you are validating iBGP-learnt routes rather than eBGP-learnt routes. Once the ROA entries are populated in the RPKI table, eBGP paths are then validated for Origin AS against those ROA entries.

It doesn't look like you are performing the validation on the edge router which is receiving the Internet routes?

Please refer to RPKI validation and iBGP announcement in the Cisco Press book on Troubleshooting BGP.

Hope this helps.

Regards

Vinit


Tested with eBGP sessions. Looks OK. Prefixes are tagged properly.

Thanks

Fakrul

I checked RFC 6811, section 2, and it says:

When a BGP speaker receives an UPDATE from a neighbor, it SHOULD perform a lookup as described above for each of the Routes in the UPDATE message. The lookup SHOULD also be applied to routes that are redistributed into BGP from another source, such as another protocol or a locally defined static route.

So it should behave the same for iBGP / eBGP. I tested with Juniper & GoBGP and it's completely fine.

Thanks

Fakrul
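The RFC 6811 section 2 lookup quoted above, as an added example that is not from this thread, Cisco or GoBGP: each route's origin AS and prefix length are checked against a ROA table (constructed here; the ROA entries are made up for illustration) and the resulting state is mapped to the local-preference values from the ROUTE-VALIDATION route-map in this thread. The lookup itself knows nothing about the neighbor type; whether a platform runs it on iBGP-learnt paths is the implementation choice the thread is about.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

# Local-preference values from the ROUTE-VALIDATION route-map in this thread.
LOCAL_PREF = {"invalid": 90, "not-found": 100, "valid": 110}


class Roa(NamedTuple):
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int


def roa(prefix: str, max_length: int, asn: int) -> Roa:
    return Roa(ipaddress.ip_network(prefix, strict=False), max_length, asn)


def origin_as(as_path: str) -> int:
    # Origin AS is the rightmost AS in AS_PATH (AS_SET origins are not handled here).
    return int(as_path.split()[-1])


def validate(route: str, origin: int, roas: List[Roa]) -> str:
    """RFC 6811 section 2: NotFound if no ROA covers the route; Valid if a covering
    ROA also matches (prefix length <= maxLength and same origin AS); else Invalid."""
    net = ipaddress.ip_network(route, strict=False)
    covered = [r for r in roas
               if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covered:
        return "not-found"
    for r in covered:
        # An AS 0 ROA covers but never matches, so routes under it are invalid.
        if r.asn != 0 and r.asn == origin and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def apply_route_map(route: str, as_path: str, roas: List[Roa]) -> Tuple[str, int]:
    """Return (rpki state, local-preference) as the thread's route-map would set it."""
    state = validate(route, origin_as(as_path), roas)
    return state, LOCAL_PREF[state]


# Constructed ROA table for illustration; these are not real ROAs.
ROAS = [roa("1.0.64.0/18", 18, 18144), roa("1.0.128.0/18", 18, 9737)]

if __name__ == "__main__":
    # Prefixes and AS paths copied from the "show ip bgp" output in the thread.
    for route, path in [("1.0.64.0/18", "4608 1221 4637 2516 7670 18144"),
                        ("1.0.128.0/24", "4608 1221 4637 3491 38040 23969"),
                        ("1.0.128.0/19", "4608 1221 4637 3491 38040 9737"),
                        ("37.123.24.0/24", "4608 1221 4637 6762 34984")]:
        print(route, *apply_route_map(route, path, ROAS))
```

With this table 1.0.128.0/19 comes out invalid even though its origin AS matches, because the ROA's maxLength of 18 does not allow the more specific announcement.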

Hi Fakrul

Have you had a chance to solve it with your Cisco equipment?

I'm facing a similar problem and I'll be glad if you could share some of your experience.

Thanks

David

Hi Fakrul

Please could you send your Skype to my email maile.halatuituia@tcc.to? I want to ask a question.
