Afenioux's Blog page

3am; darkness; Maintenance window closing. Safety net: rollback.

Dropping RPKI/ROA invalid routes on Arista EOS

Written by Arnaud no comments

If needed, please read my previous blog post to configure your RPKI/ROA validators and sFlow visualisation with pmacct/influxDB/Grafana. It's always better to see what you are doing :)

I found several interesting documentation on the Arista website :
- Standalone BGP Origin Validation with RPKI :
- Securing Inter Domain Routing with RPKI :
- BGP Prefix Origin Validation with Resource Public Key Infrastructure (RPKI) :

This page is a memo of the useful commands I used (and some tips) :


Enable the multi-agent ArBGP (You will have to reboot the whole box)

service routing protocols model multi-agent

RPKI cache Configuration

router bgp <asn>
   rpki cache <name>
      host <ipv4|ipv6|hostname> [vrf <vrfname>] [port <1-65535>] # default port is 323
      local-interface <interface>
      preference <1-10>                    # the lower the value, the more preferred
                                           # default is 5
      refresh-interval <1-86400 seconds>   # default is 3600
      expire-interval <600-172800 seconds> # default is 7200
      retry-interval <1-7200 seconds>      # default is 600

If multiple caches are configured, the preference controls the priority. Caches which are more preferred will be connected to first, if they are not reachable then connections will be attempted to less preferred caches. If caches have the same preference value, they will all be connected to and the ROAs that are synced from them will be merged together.

Show commands
Viewing RPKI client configuration

show bgp rpki cache [<name>]
show bgp rpki cache counters [errors]
show bgp rpki roa summary

show bgp rpki roa (ipv4|ipv6) [prefix]

Clearing RPKI client configuration

clear bgp rpki cache <name> counters
clear bgp rpki cache all

The resyncing is done in such a way that Bgp only reacts to the changes since the last sync.

Enabling Route Origin Validation (ROV)

router bgp <asn>
   rpki origin-validation
      ebgp local            # use the ROA table retrieved from the RPKI cache server
      ibgp prefer-community # use the Prefix Origin Validation State extended community (RFC 8097)
                            # if available, otherwise perform local validation
      ibgp send             # send the validation state with the "POVS" extended community
      validation route-map <route-map name>

The validation route-map is optional. If provided, it selects routes for which validation should be skipped for all ibgp or ebgp peers. This route map can also be used to set a validity for the routes that are skipped. If the validity is not set, the skipped routes will remain in an unknown validity state.

Configuring the RPKI ROV does not have any effect on BGP behavior until policy are configured, you will only see a new column for ROV state :

#show ip bgp
RPKI Origin Validation codes: V - valid, I - invalid, U - unknown

          Network                Next Hop              Metric  AIGP       LocPref Weight  Path
 * >    I              0       -          100     0       209523 i
 * >    V            0       -          100     0       209523 i


Filtering routes based on the ROV status

There is a new match clause available in the route-map, here is a basic example to drop invalid routes, apply this kind of route-map on your eBGP sessions (inboud, of cours) :

route-map RTM-DROP-INVALID-IN deny 10
   match origin-as validity invalid
route-map RTM-DROP-INVALID-IN permit 20

 Remember that this will have a very limited impact (actually none) if you have a static default-route configured and that your transit provider does not drop invalid routes.

Also note that if your customers want to advertise RTBH routes, they may announce /32 routes for IPv4 (and /128 for IPv6), that might be considered as invalid, so adjust your route-map (or validation route-map) accordingly!

Comments are closed.

Rss feed of the article's comments