KatharaFramework / Docker-Images

Dockerfiles and scripts to build Kathará Docker images.
https://www.kathara.org/
GNU General Public License v3.0

frr image seems to have problems on rpki #6

Closed ychlgdr closed 2 years ago

ychlgdr commented 2 years ago

Hello, I'm having some problems with kathara/frr. As seen, rpki cache-connection is set, but when I exec "sh ip bgp", I haven't seen any information about rpki like "RPKI validation codes: V valid, I invalid, N Not found".



tcaiazzi commented 2 years ago

Hi @ychlgdr,

Our image, which is based on FRR 7.5, does not show any information about RPKI in the output of show ip bgp.

If you want to see if your router has correctly fetched the ROAs from the validator, you can use the command rpki show prefix-table:

as1r1# show rpki prefix-table 
host: 193.201.0.254 port: 3323
RPKI/RTR prefix table
Prefix                                   Prefix Length  Origin-AS
193.0.0.0                                   16 -  16         3333
193.201.0.0                                 16 -  16            1
193.206.0.0                                 16 -  16            6
193.205.0.0                                 16 -  16            5
193.204.0.0                                 16 -  16            4
193.203.0.0                                 16 -  16            3
193.202.0.0                                 16 -  16            2
Number of IPv4 Prefixes: 7
Number of IPv6 Prefixes: 0

If you want to manage announcements using the rpki values, you have to declare some route-maps that match on such values. Here is an example of a BGP configuration with rpki:

route-map rpki permit 4
  match rpki valid
  set local-preference 150

route-map rpki permit 6
  match rpki notfound
  set local-preference 10

route-map rpki deny 8
  match rpki invalid

route-map rpki permit 40

router bgp 1
 bgp router-id 10.1.2.1
 no bgp ebgp-requires-policy

 neighbor PEERING peer-group
 neighbor PEERING remote-as external
 neighbor eth0 interface peer-group PEERING
 neighbor eth1 interface peer-group PEERING

 address-family ipv4 unicast
  neighbor PEERING activate
  neighbor PEERING route-map rpki in
  network 193.201.0.0/16
 exit-address-family

rpki
  rpki polling_period 60
  rpki cache 193.201.0.254 3323 pref 1

So the output of show ip bgp should be like this:

as1r1# show ip bgp
BGP table version is 6, local router ID is 10.1.2.1, vrf id 0
Default local pref 100, local AS 1
Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 193.201.0.0/16   0.0.0.0                  0         32768 i
*> 193.202.0.0/16   10.1.2.2                 0    150      0 2 i
*> 193.203.0.0/16   10.1.2.2                      150      0 2 3 i
*> 193.204.0.0/16   10.1.2.2                      150      0 2 3 4 i
*                   10.1.5.2                      150      0 5 6 7 4 i
*> 193.205.0.0/16   10.1.5.2                 0    150      0 5 i
*> 193.206.0.0/16   10.1.5.2                      150      0 5 6 i

Displayed  6 routes and 7 total paths
as1r1# 

Here all the local preferences are set to 150 since all the announcements are valid.

You can find a complete example in our RPKI Lab in the RPKI branch.

Don't hesitate to ask if something is not clear! :smile:

Tommaso
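
The route-map in the reply above acts on the RFC 6811 origin-validation state of each route. As an added example (not part of the original reply or of the Kathará project), this Python code reproduces that classification over the prefix table quoted above and maps each state to the route-map's action; the function names and the `POLICY` table are hypothetical.

```python
import ipaddress
import re

# Constructed input: rows copied from the `show rpki prefix-table` output above.
PREFIX_TABLE = """\
Prefix                                   Prefix Length  Origin-AS
193.0.0.0                                   16 -  16         3333
193.201.0.0                                 16 -  16            1
193.206.0.0                                 16 -  16            6
193.205.0.0                                 16 -  16            5
193.204.0.0                                 16 -  16            4
193.203.0.0                                 16 -  16            3
193.202.0.0                                 16 -  16            2
"""

ROW = re.compile(r"^(\S+)\s+(\d+)\s*-\s*(\d+)\s+(\d+)\s*$")
# Mirrors route-map rpki: permit 4 (valid), permit 6 (notfound), deny 8 (invalid).
POLICY = {"valid": 150, "notfound": 10, "invalid": None}

def parse_prefix_table(text):
    """Return [(network, max_length, origin_as)] parsed from the table rows."""
    vrps = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and summary lines do not match and are skipped
            addr, min_len, max_len, asn = m.groups()
            vrps.append((ipaddress.ip_network(f"{addr}/{min_len}"), int(max_len), int(asn)))
    return vrps

def validate(prefix, origin_as, vrps):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for net, max_len, asn in vrps:
        if route.version == net.version and route.subnet_of(net):
            covered = True  # at least one ROA covers this route
            if route.prefixlen <= max_len and asn == origin_as:
                return "valid"
    return "invalid" if covered else "notfound"

def apply_route_map(prefix, origin_as, vrps):
    """Return (state, local_pref); local_pref None means the route is denied."""
    state = validate(prefix, origin_as, vrps)
    return state, POLICY[state]

if __name__ == "__main__":
    table = parse_prefix_table(PREFIX_TABLE)
    # Origin AS is the last AS in the path column of `show ip bgp`.
    for prefix, asn in [("193.204.0.0/16", 4), ("193.204.0.0/16", 7), ("193.204.1.0/24", 4)]:
        print(prefix, asn, apply_route_map(prefix, asn, table))
```

A route is invalid both when a covering ROA names a different origin AS and when the announced prefix is longer than the ROA's maximum length, which is why a /24 inside 193.204.0.0/16 is denied even with the right origin.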

ychlgdr commented 1 year ago

Sorry, I just saw it, very helpful, thank you for your reply, have a nice day!