| Next revision | Previous revision |
| rpki [2021/11/25 10:16] – created philip | rpki [2021/11/25 11:03] (current) – [RPKI Notes] philip |
|---|
| {{:bgp4all-logo.png?400|}} | ====== RPKI Notes ====== |
| |
| | Basically BGP implementations should/must not send a route refresh when receiving updated RPKI data, and are recommended instead to retain the received prefix that was marked as invalid should the future RPKI state change. |
| |
| ====== RPKI Notes ====== | It has been noted by several operators that their Cisco routers implementing ROV were bombarding peers with Route Refresh requests. This is difficult for those routers which are "control plane challenged" and can be construed as a denial of service on those peering routers. There are instances where networks have been depeered because of this. |
| | |
| | Refer to [[https://datatracker.ietf.org/doc/html/draft-ymbk-sidrops-rov-no-rr | RPKI-Based Policy Without Route Refresh]] for context. |
| | |
| | Also presented at [[https://ripe83.ripe.net/archives/video/636 | RIPE 83]] for additional background and context. |
| |
| ===== ROV ===== | ===== ROV ===== |
| |
| * Cisco IOS-XE: VRP update triggers a route-refresh. Workaround is to turn on "soft-reconfiguration in" | The following table documents ROV behaviours on receipt of updated RPKI information from validators. |
| * Cisco IOS-XR: VRP update triggers a route-refresh. Workaround is to turn on "soft-reconfiguration in" | |
| * Juniper JunOS: maintains Adj-RIB-In, VRP update handled locally. Adj-RIB-In can be turned off by "set protocol bgp group keep none" [[https://www.juniper.net/documentation/us/en/software/junos/bgp/topics/ref/statement/keep-edit-protocols-bgp.html | as described here]] | "Adj-RIB-In" is the BGP table as received from BGP peers, prior to processing by inbound policy. Retaining this BGP table requires extra memory (not a hardship in this day and age), and makes processing incoming BGP policy changes simple. Without Adj-RIB-In, the router has to send a [[https://datatracker.ietf.org/doc/html/rfc2918 | Route Refresh]] to the peer to request all BGP updates again. Which can be exciting when today's IPv4 table is heading to 900k prefixes, and IPv6 table is heading to 150k prefixes. |
| * Bird 2.0.8: handles VRP updates locally | |
| * Arista EOS: maintains Adj-RIB-In, VRP updated handled locally. Adj-RIB-In can be turned off | ^ Implementation ^ Adj-RIB-In ^ ROV behaviour ^ Notes ^ |
| | | Cisco IOS-XE | No | VRP update triggers a route-refresh | Workaround is to turn on "soft-reconfiguration in" | |
| | | Cisco IOS-XR | No | VRP update triggers a route-refresh | Workaround is to turn on "soft-reconfiguration in" | |
| | | Juniper JunOS | Default | VRP update handled locally | Adj-RIB-In can be turned off by "set protocol bgp group keep none" [[https://www.juniper.net/documentation/us/en/software/junos/bgp/topics/ref/statement/keep-edit-protocols-bgp.html | as described here]] | |
| | | Bird 2.0.8 | ? | handles VRP updates locally | "rpki reload on" is default in 2.0.8 [[https://bird.network.cz/?get_doc&v=20&f=bird-3.html#proto-rpki-reload | as described here]] | |
| | | Arista EOS | Default | VRP updated handled locally | Adj-RIB-In can be turned off | |
| | | FRR 8.1 | ? | ? | ? | |
| | |
| |
| [[start| Back to Home page]] | [[start| Back to Home page]] |
