
List:       bird-users
Subject:    Re: No ASN in output when checking invalids ROAs with as-set
From:       "Darren O'Connor" <mellow.drifter () gmail ! com>
Date:       2021-02-16 0:56:45
Message-ID: CAGTohBGfX-kxdh0nPH2gjF3d61XWHzPDjH=wnxwKLixUAr-epQ () mail ! gmail ! com

Thanks Ondrej.

I'm not fully understanding your first point. When doing a show route, I do
indeed see only [?] for 185.186.206.0/24 - but is this view 'correct'?
Basically I'm trying to collect a list of ASNs originating invalids but if
any of them have as-sets in them there is no easy way to check. I'd have to
first find all invalids, then any invalid without an ASN do a second 'all'
lookup to see which ASN was actually advertising that prefix.

As for the check, I wasn't aware that "roa_check(roa_v4)" alone would work
but it looks good so I'll switch to that. Thanks!

D

On Mon, 15 Feb 2021 at 19:36, Ondrej Zajicek <santiago@crfreenet.org> wrote:

> On Mon, Feb 15, 2021 at 06:51:18PM -0500, Darren O'Connor wrote:
> > When checking ROAs, and the source ASN happens to have an AS-SET, bird does
> > not output the ASN itself.
>
> The output does not depend on filter expression (that is just used to
> specify which routes to print, unless the filter explicitly modifies
> routes). The output is (and is supposed to be) the same as the output
> of 'show route' (for given table and network).
>
> Also note that using roa_check(.., bgp_path.last_nonaggregated) is
> discouraged, proper RPKI check as defined by appropriate RFCs is
> done with roa_check(roa_v4, net, bgp_path.last), or just
> roa_check(roa_v4).
>
> --
> Elen sila lumenn' omentielvo
>
> Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
> OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
> "To err is human -- to blame it on a computer is even more so."
>
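
Added example, not part of the original messages and not BIRD's code: a small Python model of RFC 6811 origin validation, showing why a path that ends in an AS-SET has no origin ASN to validate (so a covered prefix comes out invalid) while the last plain ASN can still be kept separately for attribution. The ROAs, routes and function names are constructed for illustration; an empty AS path is not modelled.

```python
import ipaddress

# Constructed sample data (documentation prefixes and private-use ASNs).
ROAS = [("192.0.2.0/24", 24, 64500), ("198.51.100.0/22", 24, 64501)]
ROUTES = [
    ("192.0.2.0/24", "64510 64500"),
    ("192.0.2.0/24", "64510 64666"),
    ("198.51.100.0/24", "64510 64501 {64502 64503}"),
    ("203.0.113.0/24", "64510 {64502}"),
]

def parse_path(text):
    """Parse path text such as '64510 64501 {64502 64503}' into elements."""
    elems, in_set = [], None
    for tok in text.replace("{", " { ").replace("}", " } ").split():
        if tok == "{":
            in_set = []
        elif tok == "}":
            elems.append(("set", in_set))
            in_set = None
        elif in_set is not None:
            in_set.append(int(tok))
        else:
            elems.append(("seq", int(tok)))
    return elems

def origin_asn(path):
    """RFC 6811 origin: rightmost ASN, or None when the path ends in an AS_SET."""
    return path[-1][1] if path and path[-1][0] == "seq" else None

def attribution_asn(path):
    """Rightmost plain ASN; for reporting only, never for validation."""
    return next((v for k, v in reversed(path) if k == "seq"), None)

def rov(prefix, origin, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for a prefix and origin ASN."""
    net, covered = ipaddress.ip_network(prefix), False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if origin is not None and origin == asn and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"

def invalid_origins(routes=ROUTES):
    """List (prefix, validated origin, ASN to attribute) for each invalid route."""
    out = []
    for prefix, text in routes:
        path = parse_path(text)
        if rov(prefix, origin_asn(path)) == "invalid":
            out.append((prefix, origin_asn(path), attribution_asn(path)))
    return out
```

In the third sample route, validating against the attribution ASN instead of the RFC 6811 origin would return valid, which is the mismatch that makes the nonaggregated form unsuitable for the check itself.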



