Re: SOVC - BGp RPKI

[Tom Beecher <beecher () beecher cc>]

> I see it mentioned in this doc:
>
> https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-s/irg-15-s-book/irg-origin-as.pdf


You see SOVC mentioned, yes. But you don't see the word 'stale'.


Please don't just paste what ChatGPT says. It's not an authoritative
source.  I can find no Cisco document stating what the acronym MEANS. But
the context they use it seems to imply the word 'stale' isn't appropriate.


A prefix or prefix range and the origin-AS corresponding to it are
> considered an SOVC record. Overlapping prefix ranges are allowed. An SOVC
> table containing three records might look like this:



>  Valid—Indicates the prefix and AS pair are found in the SOVC table.


If more than one RPKI server is configured, the router will connect to all
> configured servers and download prefix information from all of them. The
> SOVC table will be made of the union of all the records received from the
> different servers.




>  In the following example, the router is configured to connect to two
> RPKI servers, from which it will receive SOVC records of BGP prefixes and
> AS numbers.


On Wed, Jan 31, 2024 at 3:34 PM Compton, Rich via NANOG <nanog () nanog org>
wrote:

> ChatGPT says:
>
> SOVC in the context of RPKI (Resource Public Key Infrastructure) on a
> Cisco router stands for "Stale Origin Validation Cache". RPKI is a security
> framework designed to secure the Internet's routing infrastructure,
> primarily through route origin validation. It ensures that the Internet
> number resources (like IP addresses and AS numbers) are used by the
> legitimate owners or authorized AS (Autonomous System).
>
> In RPKI, Route Origin Authorizations (ROAs) are used to define which AS is
> authorized to announce a specific IP address block. Network devices, like
> Cisco routers, use these ROAs to validate the authenticity of BGP (Border
> Gateway Protocol) route announcements.
>
> The term "stale" in SOVC refers to a situation where the router's
> RPKI-to-Router protocol client has lost its connection to the RPKI server,
> or when the RPKI cache data is outdated and not refreshed for some reason.
> This can happen due to network issues, configuration errors, or problems
> with the RPKI server itself. When the RPKI cache is stale, the router
> cannot reliably validate BGP route announcements against the latest ROA
> data, potentially affecting routing decisions.
>
> In a network security context, maintaining an up-to-date RPKI cache is
> crucial for ensuring that the network only accepts legitimate routing
> announcements, thereby reducing the risk of routing hijacks or
> misconfigurations. As a network security engineer, managing and monitoring
> the RPKI status on routers is an important aspect of ensuring network
> security and integrity.
>
>
>
>
>
>
>
> I see it mentioned in this doc:
>
>
> https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-s/irg-15-s-book/irg-origin-as.pdf
>
>
>
>
>
> *From: *NANOG <nanog-bounces+rich_compton=comcast.com () nanog org> on
> behalf of Mohammad Khalil <eng.mssk () gmail com>
> *Date: *Wednesday, January 31, 2024 at 10:35 AM
> *To: *NANOG list <nanog () nanog org>
> *Subject: *SOVC - BGp RPKI
>
> Greetings Am have tried to find out what is the abbreviation for SOVC with
> no luck. #sh bgp ipv4 unicast rpki servers  BGP SOVC neighbor is X. X. X.
> 47/323 connected to port 323 Anyone have encountered this? Thanks! ‍ ‍ ‍ ‍
> ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍
>
> Greetings
>
> Am have tried to find out what is the abbreviation for SOVC with no luck.
>
>
>
> #sh bgp ipv4 unicast rpki servers
>
> BGP SOVC neighbor is X.X.X.47/323 connected to port 323
>
>
>
> Anyone have encountered this?
>
>
>
> Thanks!