Dropping RPKI/ROA invalid routes on Arista EOS
Written by Arnaud no commentsIf needed, please read my previous blog post to configure your RPKI/ROA validators and sFlow visualisation with pmacct/influxDB/Grafana. It's always better to see what you are doing :)
I found several interesting documentation on the Arista website :
- Standalone BGP Origin Validation with RPKI : https://eos.arista.com/bgp-origin-validation-rpki/
- Securing Inter Domain Routing with RPKI : https://eos.arista.com/sidr-with-rpki/
- BGP Prefix Origin Validation with Resource Public Key Infrastructure (RPKI) : https://eos.arista.com/eos-4-24-0f/bgp-prefix-origin-validation-with-resource-public-key-infrastructure-rpki/
This page is a memo of the useful commands I used (and some tips) :
Pre-Configuration
Enable the multi-agent ArBGP (You will have to reboot the whole box)
service routing protocols model multi-agent
RPKI cache Configuration
router bgp <asn>
rpki cache <name>
host <ipv4|ipv6|hostname> [vrf <vrfname>] [port <1-65535>] # default port is 323
local-interface <interface>
preference <1-10> # the lower the value, the more preferred
# default is 5
refresh-interval <1-86400 seconds> # default is 3600
expire-interval <600-172800 seconds> # default is 7200
retry-interval <1-7200 seconds> # default is 600
If multiple caches are configured, the preference controls the priority. Caches which are more preferred will be connected to first, if they are not reachable then connections will be attempted to less preferred caches. If caches have the same preference value, they will all be connected to and the ROAs that are synced from them will be merged together.
Show commands
Viewing RPKI client configuration
show bgp rpki cache [<name>]
show bgp rpki cache counters [errors]
show bgp rpki roa summary
show bgp rpki roa (ipv4|ipv6) [prefix]
Clearing RPKI client configuration
clear bgp rpki cache <name> counters
clear bgp rpki cache all
The resyncing is done in such a way that Bgp only reacts to the changes since the last sync.
Enabling Route Origin Validation (ROV)
router bgp <asn>
rpki origin-validation
ebgp local # use the ROA table retrieved from the RPKI cache server
ibgp prefer-community # use the Prefix Origin Validation State extended community (RFC 8097)
# if available, otherwise perform local validation
ibgp send # send the validation state with the "POVS" extended community
validation route-map <route-map name>
The validation route-map is optional. If provided, it selects routes for which validation should be skipped for all ibgp or ebgp peers. This route map can also be used to set a validity for the routes that are skipped. If the validity is not set, the skipped routes will remain in an unknown validity state.
Configuring the RPKI ROV does not have any effect on BGP behavior until policy are configured, you will only see a new column for ROV state :
#show ip bgp
RPKI Origin Validation codes: V - valid, I - invalid, U - unknown
Network Next Hop Metric AIGP LocPref Weight Path
* > I 10.1.1.0/24 172.16.0.3 0 - 100 0 209523 i
* > V 185.97.140.0/22 172.16.0.3 0 - 100 0 209523 i
Filtering routes based on the ROV status
There is a new match clause available in the route-map, here is a basic example to drop invalid routes, apply this kind of route-map on your eBGP sessions (inboud, of cours) :
route-map RTM-DROP-INVALID-IN deny 10
match origin-as validity invalid
route-map RTM-DROP-INVALID-IN permit 20
Remember that this will have a very limited impact (actually none) if you have a static default-route configured and that your transit provider does not drop invalid routes.
Also note that if your customers want to advertise RTBH routes, they may announce /32 routes for IPv4 (and /128 for IPv6), that might be considered as invalid, so adjust your route-map (or validation route-map)
accordingly!