Thanks for your response,
I added record-lifetime with 60 seconds, but the behavior is the same.
set routing-options validation group rpkiServers session 10.0.0.96 refresh-time 120
set routing-options validation group rpkiServers session 10.0.0.96 hold-time 600
set routing-options validation group rpkiServers session 10.0.0.96 record-lifetime 60
set routing-options validation group rpkiServers session 10.0.0.96 port 3323
set routing-options validation group rpkiServers session 10.0.0.97 refresh-time 120
set routing-options validation group rpkiServers session 10.0.0.97 hold-time 600
set routing-options validation group rpkiServers session 10.0.0.97 record-lifetime 60
set routing-options validation group rpkiServers session 10.0.0.97 port 323
Tests
Cache session went down at 11:39:11
> show system uptime
Current time: 2025-02-24 11:39:11 -03
{master}
> show validation session
Session State Flaps Uptime #IPv4/IPv6 records
10.0.0.96 Connect 2 530053/129350
10.0.0.97 Connect 100 0/0
{master}
> show system uptime
Current time: 2025-02-24 11:39:16 -03
Validation Database was empty at 11:39:16
> show validation database
error: Empty database
{master}
At 11:42:45 the validation state looks like it's still present
> show system uptime
Current time: 2025-02-24 11:42:45 -03
> show route table Internet.inet.0 hidden
Internet.inet.0: 7 destinations, 7 routes (6 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
1.0.0.0/24 [BGP ] 2d 18:37:37, localpref 100
AS path: 18144 I, validation-state: invalid
> to 10.0.0.9 via ae1000.0
{master}
> show route table Internet.inet.0
Internet.inet.0: 7 destinations, 7 routes (6 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
1.0.2.0/24 *[BGP/170] 4d 18:49:14, localpref 100
AS path: 18144 I, validation-state: unknown
> to 10.0.0.9 via ae1000.0
1.0.64.0/18 *[BGP/170] 00:24:06, localpref 100
AS path: 18144 I, validation-state: valid
> to 10.0.0.9 via ae1000.0
Regards
------------------------------
JOSE RESTAINO
------------------------------
Original Message:
Sent: 02-21-2025 16:11
From: Flashover_
Subject: RPKI Origin validation behavior when validation database is lost
Hi,
Could changing the following setting help with your question?
https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/session-edit-routing-options-validation.html
- record-lifetime <$seconds>
- Configure the amount of time that route validation (RV) records learned from an RPKI cache server remain valid after the session to the cache server goes down. RV records expire if the session to the cache server goes down and remains down for the time configured.
You can set it to a value as low as 60s it seems.
I guess the routes should then match your policy: "term rpki_unknown then accept" one minute after the session is down.
Original Message:
Sent: 02-20-2025 09:43
From: JOSE RESTAINO
Subject: RPKI Origin validation behavior when validation database is lost
Good morning,
I am trying to implement Origin Validation using RPKI in my network. One issue I am encountering in our lab tests is that when we shut down the RPKI Cache Servers to observe the behavior, we notice that invalid routes continue to be filtered.
I would like to know if this is the expected behavior and, if so, whether it can be modified so that verification is not performed when the validation database is lost.
Policy configured
set policy-options policy-statement rpki_in term rpki_invalid from protocol bgp
set policy-options policy-statement rpki_in term rpki_invalid from validation-database invalid
set policy-options policy-statement rpki_in term rpki_invalid then validation-state invalid
set policy-options policy-statement rpki_in term rpki_invalid then reject
set policy-options policy-statement rpki_in term rpki_valid from protocol bgp
set policy-options policy-statement rpki_in term rpki_valid from validation-database valid
set policy-options policy-statement rpki_in term rpki_valid then validation-state valid
set policy-options policy-statement rpki_in term rpki_valid then accept
set policy-options policy-statement rpki_in term rpki_unknown from protocol bgp
set policy-options policy-statement rpki_in term rpki_unknown from validation-database unknown
set policy-options policy-statement rpki_in term rpki_unknown then validation-state unknown
set policy-options policy-statement rpki_in term rpki_unknown then accept
set policy-options policy-statement rpki_in term passAll then accept
Validation Database
> show validation database
error: Empty database
{master}
Rejected route
> show route table Internet.inet.0 1.0.0.0/24 detail hidden
Internet.inet.0: 6 destinations, 6 routes (5 active, 0 holddown, 1 hidden)
1.0.0.0/24 (1 entry, 0 announced)
BGP /-101
Next hop type: Router, Next hop index: 628
Address: 0xc62025c
Next-hop reference count: 5, key opaque handle: 0x0, non-key opaque handle: 0x0
Source: 192.168.0.2
Next hop: 192.168.0.2 via ae1000.0, selected
Session Id: 321
State: <Hidden Ext Changed>
Peer AS: 18144
Age: 18:42:11
Validation State: invalid
Task: BGP_18144_6057.192.168.0.2
AS path: 18144 I
Localpref: 100
Router ID: 10.0.0.18
Hidden reason: Rejected by import policy
Thread: junos-main
Route Record: Not-Recorded nexthop 0xc62025c
as-index: 2 (Recorded) com-index 0 (Not-Recorded)
Unknown and Valid routes
1.0.2.0/24 *[BGP/170] 18:41:28, localpref 100
AS path: 18144 I, validation-state: unknown
> to 192.168.0.2 via ae1000.0
1.0.64.0/18 *[BGP/170] 18:43:58, localpref 100
AS path: 18144 I, validation-state: valid
> to 192.168.0.2 via ae1000.0
I would appreciate it if someone could help me.
Regards
José
------------------------------
JOSE RESTAINO
------------------------------
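To make the two technical pieces of this thread concrete (the rpki_in policy terms in the original question and the record-lifetime expiry described in the reply), here is an added Python model; it is not Junos code or anything posted by the participants. It classifies routes per RFC 6811 against a set of VRPs, applies the policy, and flushes the records once the cache session has been down for record-lifetime seconds; the VRPs and the AS 64496 origin are constructed, while AS 18144 and the prefixes are the ones shown in the thread.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class VRP:
    """Validated ROA payload as learned from the cache (RFC 6811 terms)."""
    prefix: str
    max_length: int
    origin_as: int

def rov_state(prefix: str, origin_as: int, vrps) -> str:
    """RFC 6811 classification: 'unknown' if no VRP covers the prefix,
    'valid' if a covering VRP matches the origin AS and the route is no
    longer than maxLength, otherwise 'invalid'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for v in vrps:
        vnet = ipaddress.ip_network(v.prefix)
        if vnet.version != net.version or not net.subnet_of(vnet):
            continue
        covered = True
        if v.origin_as == origin_as and net.prefixlen <= v.max_length:
            return "valid"
    return "invalid" if covered else "unknown"

def rpki_in(state: str) -> str:
    """The thread's policy: term rpki_invalid rejects, every other term accepts."""
    return "reject" if state == "invalid" else "accept"

class ValidationDatabase:
    """Records from one cache session. Once the session has been down for
    record_lifetime seconds the records expire and the database is empty."""
    def __init__(self, record_lifetime: int):
        self.record_lifetime, self.vrps, self.down_at = record_lifetime, set(), None
    def load(self, vrps):
        self.vrps, self.down_at = set(vrps), None
    def session_down(self, now: int):
        self.down_at = now
    def records(self, now: int):
        if self.down_at is not None and now - self.down_at >= self.record_lifetime:
            self.vrps = set()            # expired -> "error: Empty database"
        return self.vrps

def evaluate(db: ValidationDatabase, routes, now: int) -> dict:
    """Re-run rpki_in for each (prefix, origin AS) against the database at time now."""
    return {p: rpki_in(rov_state(p, asn, db.records(now))) for p, asn in routes}
# Constructed sample data (not the poster's real ROAs); AS 18144 is from the thread.
SAMPLE_VRPS = {VRP("1.0.0.0/24", 24, 64496), VRP("1.0.64.0/18", 18, 18144)}
SAMPLE_ROUTES = [("1.0.0.0/24", 18144), ("1.0.2.0/24", 18144), ("1.0.64.0/18", 18144)]
```

Under this model every route becomes unknown, and is therefore accepted, once the lifetime has elapsed, which is the outcome the reply expects; the thread's own output shows 1.0.0.0/24 still hidden after the database emptied, so the model is the reference point for comparison, not an explanation of that result.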