nanog mailing list archives
RPKI race
From: Baldur Norddahl <baldur.norddahl () gmail com>
Date: Wed, 17 Jun 2020 01:34:32 +0200
Hello I noticed that we regressed and started failing the test at https://isbgpsafeyet.com/. Investigating I found that we apparently had some routes in the validation state "unknown" that should have been either invalid or valid. Including the test prefix which was received via NL-IX (and Cogent on IPv6). We do however have plenty of prefixes that are validated and received from the same sources. This is a Juniper MX204 router running 20.1R1.11. I tried a few things including "clear bgp neighbor xxx soft-inbound" (supposed to rerun the import policy where RPKI marking and check happens) which did not fix it. Doing a "clear bgp neighbor xxx", which disconnects the peer and reconnects after a slight delay, did however fix the issue. But I have to do that for every peer we received the prefix from and potentially we could have trouble with every peer we have :-( This router was software upgraded and rebooted two days ago. I suspect a race condition. What if the router started BGP sessions before it was able to communicate with the RPKI validation server or before the RPKI database was synchronized? I find it a bit disappointing that we this easily ended up with a bad validation state and apparently there is little I can do about it, except for walking through all our peers and BGP reset them. Which frankly is an unacceptable disruption of traffic flow. Regards, Baldur
Current thread:
- RPKI race Baldur Norddahl (Jun 16)
- Re: RPKI race Rubens Kuhl (Jun 16)
- Re: RPKI race Baldur Norddahl (Jun 17)
- Re: RPKI race Mark Tinka (Jun 17)
- Message not available
- Re: RPKI race Baldur Norddahl (Jun 17)
- Re: RPKI race Mark Tinka (Jun 17)
- Re: RPKI race Melchior Aelmans (Jun 17)
- Re: RPKI race Baldur Norddahl (Jun 17)
- Re: RPKI race Rubens Kuhl (Jun 16)