RPKI INVALID routes tagging

This scenario is mostly used to test hooks and include files: a custom configuration allows RPKI INVALID routes to be propagated to selected clients and tagged with locally significant BGP communities.

Hooks used:

  • announce_rpki_invalid_to_client, implemented in the header[4|6] include files and used to discriminate which clients should receive INVALIDs;

  • post_announce_to_client, implemented in the header include file and used to convert RFC8097 extended communities into locally significant ones.

  • RPKI ROAs:

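    ==  ============  ===  ===
    ID  Prefix        Max  ASN
    ==  ============  ===  ===
    1   2.0.8.0/24         101
    2   2.0.9.0/24         102
    3   2.0.128.0/20  23   101
    4   3.0.8.0/24         103
    5   3.0.9.0/24         102
    6   3.0.128.0/20  23   103
    ==  ============  ===  ===

    ==  ================  ===  ===
    ID  Prefix            Max  ASN
    ==  ================  ===  ===
    1   3002:0:8::/48          101
    2   3002:0:9::/48          102
    3   3002:0:8000::/33  34   101
    4   3003:0:8::/48          103
    5   3003:0:9::/48          102
    6   3003:0:8000::/33  34   103
    ==  ================  ===  ===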

  • Locally significant communities:

    ==============  =============
    Validity state  BGP community
    ==============  =============
    VALID           64512:1
    INVALID         64512:2
    UNKNOWN         64512:3
    ==============  =============

  • AS1, receives only

    Configured to receive INVALID routes using the hook announce_rpki_invalid_to_client, implemented in the local header[4|6] file.

  • AS2:

    Configured with reject_invalid False.

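    Announced prefixes:

    ============  ==============================  =======  ==============================================================
    Prefix ID     Prefix                          AS_PATH  Expected result and BGP community received by AS1
    ============  ==============================  =======  ==============================================================
    AS2_valid1    2.0.8.0/24, 3002:0:8::/48       2 101    roa check ok, 64512:1 on AS1 and AS4
    AS2_valid2    2.0.128.0/21, 3002:0:8000::/34  2 101    roa check ok, 64512:1 on AS1 and AS4
    AS2_invalid1  2.0.9.0/24, 3002:0:9::/48       2        roa check fail (roa n. 2, bad origin ASN), 64512:2 on AS1 only
    AS2_badlen    2.0.128.0/24, 3002:0:8000::/35  2 101    roa check fail (roa n. 3, bad length), 64512:2 on AS1 only
    AS2_unknown1  2.2.0.0/16, 3002:3002::/32      2        roa check unknown, 64512:3 on AS1 and AS4
    ============  ==============================  =======  ==============================================================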

  • AS3:

    Configured with reject_invalid True.

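    Announced prefixes:

    ============  ==============================  =======  ==============================================================
    Prefix ID     Prefix                          AS_PATH  Expected result and BGP community received by AS1
    ============  ==============================  =======  ==============================================================
    AS3_valid1    3.0.8.0/24, 3003:0:8::/48       3 103    roa check ok, 64512:1 on AS1 and AS4
    AS3_valid2    3.0.128.0/21, 3003:0:8000::/34  3 103    roa check ok, 64512:1 on AS1 and AS4
    AS3_invalid1  3.0.9.0/24, 3003:0:9::/48       3        roa check fail (roa n. 2, bad origin ASN), rejected
    AS3_badlen    3.0.128.0/24, 3003:0:8000::/35  3 103    roa check fail (roa n. 3, bad length), rejected
    AS3_unknown1  3.2.0.0/16, 3003:3003::/32      2        roa check unknown, 64512:3 on AS1 and AS4
    ============  ==============================  =======  ==============================================================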

  • AS4, receives only with no particular configuration.
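
The expected results above can be reproduced with a small model of the scenario. This is an added example, not ARouteServer code or the scenario's hook files: it applies RFC 6811 origin validation to the ROAs listed above and then the per-client policy described for AS1 to AS4. The names `validate` and `deliver` and the two policy dictionaries are assumptions made for this illustration.

```python
import ipaddress

# ROAs copied from the tables above: (prefix, max length or None, origin ASN).
ROAS = [
    ("2.0.8.0/24", None, 101), ("2.0.9.0/24", None, 102), ("2.0.128.0/20", 23, 101),
    ("3.0.8.0/24", None, 103), ("3.0.9.0/24", None, 102), ("3.0.128.0/20", 23, 103),
    ("3002:0:8::/48", None, 101), ("3002:0:9::/48", None, 102), ("3002:0:8000::/33", 34, 101),
    ("3003:0:8::/48", None, 103), ("3003:0:9::/48", None, 102), ("3003:0:8000::/33", 34, 103),
]
COMMUNITY = {"VALID": "64512:1", "INVALID": "64512:2", "UNKNOWN": "64512:3"}
# Per-client policy as described in the scenario (dictionary names are hypothetical).
REJECT_INVALID = {2: False, 3: True}     # announcing clients: reject_invalid setting
RECEIVES_INVALID = {1: True, 4: False}   # receive-only clients: may get INVALIDs?


def validate(prefix, origin_asn):
    """RFC 6811 origin validation of one route against ROAS."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, asn in ROAS:
        roa = ipaddress.ip_network(roa_prefix)
        if roa.version != net.version or not net.subnet_of(roa):
            continue  # this ROA does not cover the route
        covered = True
        # Without an explicit max length, only the exact ROA length matches.
        if net.prefixlen <= (max_len or roa.prefixlen) and asn == origin_asn:
            return "VALID"
    # Covered by at least one ROA but matched by none: INVALID.
    return "INVALID" if covered else "UNKNOWN"


def deliver(from_asn, prefix, as_path):
    """Return {receiving client ASN: community} for one announcement.

    An empty dict means the route was rejected when received from from_asn.
    """
    state = validate(prefix, as_path[-1])  # origin is the last ASN in AS_PATH
    if state == "INVALID" and REJECT_INVALID[from_asn]:
        return {}
    return {client: COMMUNITY[state]
            for client, wants_invalid in RECEIVES_INVALID.items()
            if state != "INVALID" or wants_invalid}
```

For instance, `deliver(2, "2.0.128.0/24", [2, 101])` returns `{1: "64512:2"}`, matching the AS2_badlen row, while the same kind of route from AS3 returns an empty dict because AS3 has reject_invalid True.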