Re: SOVC - BGp RPKI

[Owen DeLong via NANOG <nanog () nanog org>]

SOVC appears to be a Cisco-specific acronym and it’s pretty certain that the OVC stands for Origin Validation Cache. My 
best intuition based on the research I’ve been able to do is that the S stands for Secure (on the pretense that RPKI 
and Origin Validation have something to do with security and because X.509 certificate and encryption and marketing 
buzzwords YAY!)

Juniper refers to their equivalent database simply as “Route Validation (RV) Records in the RV Database.

Hope that helps.

Owen


> On Jan 31, 2024, at 14:32, Tom Beecher <beecher () beecher cc> wrote:
>
> > I see it mentioned in this doc:
> > https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-s/irg-15-s-book/irg-origin-as.pdf
>
> You see SOVC mentioned, yes. But you don't see the word 'stale'. 
>
>
>
> Please don't just paste what ChatGPT says. It's not an authoritative source.  I can find no Cisco document stating 
> what the acronym MEANS. But the context they use it seems to imply the word 'stale' isn't appropriate.
>
>
>
> > A prefix or prefix range and the origin-AS corresponding to it are considered an SOVC record. Overlapping prefix 
> > ranges are allowed. An SOVC table containing three records might look like this:
>  
> >  Valid—Indicates the prefix and AS pair are found in the SOVC table.
>
> > If more than one RPKI server is configured, the router will connect to all configured servers and download prefix 
> > information from all of them. The SOVC table will be made of the union of all the records received from the 
> > different servers.
>
>  
> >  In the following example, the router is configured to connect to two RPKI servers, from which it will receive SOVC 
> > records of BGP prefixes and AS numbers.
>
> On Wed, Jan 31, 2024 at 3:34 PM Compton, Rich via NANOG <nanog () nanog org <mailto:nanog () nanog org>> wrote:
> > ChatGPT says:
> >
> > SOVC in the context of RPKI (Resource Public Key Infrastructure) on a Cisco router stands for "Stale Origin 
> > Validation Cache". RPKI is a security framework designed to secure the Internet's routing infrastructure, primarily 
> > through route origin validation. It ensures that the Internet number resources (like IP addresses and AS numbers) 
> > are used by the legitimate owners or authorized AS (Autonomous System).
> >
> > In RPKI, Route Origin Authorizations (ROAs) are used to define which AS is authorized to announce a specific IP 
> > address block. Network devices, like Cisco routers, use these ROAs to validate the authenticity of BGP (Border 
> > Gateway Protocol) route announcements.
> >
> > The term "stale" in SOVC refers to a situation where the router's RPKI-to-Router protocol client has lost its 
> > connection to the RPKI server, or when the RPKI cache data is outdated and not refreshed for some reason. This can 
> > happen due to network issues, configuration errors, or problems with the RPKI server itself. When the RPKI cache is 
> > stale, the router cannot reliably validate BGP route announcements against the latest ROA data, potentially 
> > affecting routing decisions.
> >
> > In a network security context, maintaining an up-to-date RPKI cache is crucial for ensuring that the network only 
> > accepts legitimate routing announcements, thereby reducing the risk of routing hijacks or misconfigurations. As a 
> > network security engineer, managing and monitoring the RPKI status on routers is an important aspect of ensuring 
> > network security and integrity.
> >
> >  
> >
> >  
> >
> >  
> >
> > I see it mentioned in this doc:
> >
> > https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-s/irg-15-s-book/irg-origin-as.pdf
> >
> >  
> >
> >  
> >
> > From: NANOG <nanog-bounces+rich_compton=comcast.com () nanog org <mailto:comcast.com () nanog org>> on behalf of 
> > Mohammad Khalil <eng.mssk () gmail com <mailto:eng.mssk () gmail com>>
> > Date: Wednesday, January 31, 2024 at 10:35 AM
> > To: NANOG list <nanog () nanog org <mailto:nanog () nanog org>>
> > Subject: SOVC - BGp RPKI
> >
> > Greetings Am have tried to find out what is the abbreviation for SOVC with no luck. #sh bgp ipv4 unicast rpki 
> > servers  BGP SOVC neighbor is X. X. X. 47/323 connected to port 323 Anyone have encountered this? Thanks! ‍ ‍ ‍ ‍ ‍ 
> > ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍ ‍
> >
> > Greetings
> >
> > Am have tried to find out what is the abbreviation for SOVC with no luck.
> >
> >  
> >
> > #sh bgp ipv4 unicast rpki servers 
> >
> > BGP SOVC neighbor is X.X.X.47/323 connected to port 323
> >
> >  
> >
> > Anyone have encountered this?
> >
> >  
> >
> > Thanks!