nanog mailing list archives

Re: Analysing traffic in context of rejecting RPKI invalids using pmacct


From: Steve Meuse <smeuse () mara org>
Date: Mon, 11 Mar 2019 17:37:09 -0400

On Tue, Feb 12, 2019 at 1:15 PM Job Snijders <job () ntt net> wrote:



> ps. Dear Kentik & Deepfield, please copy+paste this feature! We'll
> happily share development notes with you, you can even look at pmacct's
> source code for inspiration. :-)



Thanks Job, I just wanted to reach back out to you and the NANOG community
that we've implemented this feature. Currently Kentik can match flow data
with the following validation state:

- VALID = Prefix fits in ROA, and ROA ASN and Prefix Origin Match
- UNKNOWN = we haven't found any matching ROA
- INVALID - ASN mismatch = BGP prefix fits in the ROA prefix's length BUT
the ROA ASN differs from the Prefix Origin ASN
- INVALID - Prefix length out of bounds = the BGP prefix doesn't have an
ROA with large enough Max-Length to refer to
- INVALID - ASN 0 specified = there is a matching ROA w/ the right
max-length but the ASN associated w/ it is 0 (explicit invalid)

If anyone would like more information please hit me up offline.

-Steve
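
The five validation states listed in the message above, sketched as an added example; it is not part of the original post and is not Kentik's or pmacct's code. The ROA records, the flow tuples and the function names are constructed for illustration, and the order in which an INVALID reason is chosen when several ROAs cover a route is an assumption.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # prefix the ROA was issued for
    max_length: int  # longest announced prefix length the ROA permits
    asn: int         # authorised origin AS (0 means "must not be routed")

# Constructed sample data: documentation prefixes and private-use ASNs.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("198.51.100.0/24", 24, 0),
    ROA("2001:db8::/32", 48, 64500),
]
# (BGP prefix, origin ASN, bytes seen in flow records), also constructed.
SAMPLE_FLOWS = [
    ("192.0.2.0/24", 64500, 1000),
    ("192.0.2.0/25", 64500, 200),
    ("192.0.2.0/25", 64501, 300),
    ("203.0.113.0/24", 64511, 50),
]

def covers(roa, net):
    """True when the announced prefix lies inside the ROA prefix."""
    p = ipaddress.ip_network(roa.prefix)
    return p.version == net.version and net.subnet_of(p)

def classify(prefix, origin_asn, roas=SAMPLE_ROAS):
    """Validation state of one BGP route against a set of ROAs."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if covers(r, net)]
    if not covering:
        return "UNKNOWN"
    # Covering ROAs whose max-length admits the announced prefix length.
    fits = [r for r in covering if net.prefixlen <= r.max_length]
    if any(r.asn == origin_asn and r.asn != 0 for r in fits):
        return "VALID"
    if not fits:
        return "INVALID - Prefix length out of bounds"
    # Assumed precedence: report AS0 only when no other ROA fits.
    if all(r.asn == 0 for r in fits):
        return "INVALID - ASN 0 specified"
    return "INVALID - ASN mismatch"

def bytes_by_state(flows=SAMPLE_FLOWS, roas=SAMPLE_ROAS):
    """Sum flow bytes per validation state of the matched BGP route."""
    totals = {}
    for prefix, origin, nbytes in flows:
        state = classify(prefix, origin, roas)
        totals[state] = totals.get(state, 0) + nbytes
    return totals
```

Summing the three INVALID buckets from `bytes_by_state()` gives the traffic volume that would be affected by rejecting RPKI invalids, provided no VALID or UNKNOWN covering route would still carry it.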
