Routing

  • 1.  RPKI validation problem

    Posted 13 days ago
    Edited by JOSE RESTAINO 13 days ago
    Hello,
     
    I have deployed RPKI on a Juniper MX304 router. I noticed that for the prefix 1.7.229.0/24, I have two ROA entries in my RPKI cache, which I assume is due to a misconfiguration by the prefix owner.
     
    I have one ROA for 1.7.229.0/24-24 indicating Origin AS 4755, and another one for 1.7.228.0/22-24 indicating Origin AS 9583.
    > show validation database record 1.7.229.0/24
    RV database: default
    Prefix                 Origin-AS Session                                 State   Mismatch
    1.7.229.0/24-24             4755 10.0.0.1                                valid
    1.7.229.0/24-24             4755 10.0.0.2                                valid

      IPv4 records: 2
      IPv6 records: 0

    {master}
    > show validation database record 1.7.229.0/22
    RV database: default
    Prefix                 Origin-AS Session                                 State   Mismatch
    1.7.228.0/22-24             9583 10.0.0.1                                valid
    1.7.228.0/22-24             9583 10.0.0.2                                valid
    1.7.229.0/24-24             4755 10.0.0.1                                valid
    1.7.229.0/24-24             4755 10.0.0.2                                valid

      IPv4 records: 4
      IPv6 records: 0

    {master}
     
    I am receiving the route with Origin AS 9583, and it is being marked as invalid. I would like to know if this is the correct behavior or if it should be accepted instead. 
     
    Reading RFC 6811, section "2.1. Pseudo-Code", I think that the route should be valid.
     
    I would appreciate any clarification on this.
     
    Best regards



    ------------------------------
    JOSE RESTAINO
    ------------------------------
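The question above turns on what RFC 6811 actually does with overlapping ROAs. The following is an added example, not code from the thread or from Junos: it implements the section 2.1 pseudo-code verbatim (result starts at NotFound; every covering VRP sets it to Invalid; the first covering VRP whose maxLength admits the route and whose origin AS equals the route's non-zero origin AS returns Valid) and runs it over the two ROAs the original poster listed. The `ROA.parse` helper, the `State` enum and the function names are my own; the prefix, maxLength and AS numbers are taken from the post. It shows that RFC 6811 has no longest-match precedence among ROAs: the more specific 1.7.229.0/24-24 AS4755 entry does not override the covering 1.7.228.0/22-24 AS9583 entry, so 1.7.229.0/24 originated by AS9583 is Valid.

```python
"""RFC 6811 route origin validation, worked over the ROAs from the thread.

Added example (not from the original post). ROA.parse, State and the
function names are the author's own; the prefixes and ASNs are the ones
the poster saw in his validation database.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    # RFC 6811 section 2 names; Junos prints these as valid/invalid/unknown.
    NOT_FOUND = "NotFound"
    VALID = "Valid"
    INVALID = "Invalid"


@dataclass(frozen=True)
class ROA:
    """One Validated ROA Payload: prefix, maxLength, origin AS."""

    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    origin_as: int

    @classmethod
    def parse(cls, text: str, origin_as: int) -> ROA:
        # Accepts the Junos display form "1.7.228.0/22-24" (prefix/len-maxlen);
        # a bare "prefix/len" means maxLength equals the prefix length.
        net_txt, sep, maxlen_txt = text.partition("-")
        net = ipaddress.ip_network(net_txt, strict=True)
        max_length = int(maxlen_txt) if sep else net.prefixlen
        if not net.prefixlen <= max_length <= net.max_prefixlen:
            raise ValueError(f"maxLength {max_length} out of range for {net}")
        return cls(net, max_length, origin_as)


def covering_roas(roas: list[ROA], route) -> list[ROA]:
    # RFC 6811 "lookup result": every VRP whose prefix equals or is less
    # specific than the route prefix. maxLength is deliberately NOT consulted
    # here; a covering VRP that the route is too long for still makes the
    # route Invalid rather than NotFound.
    return [
        r for r in roas
        if r.prefix.version == route.version and route.subnet_of(r.prefix)
    ]


def validate(roas: list[ROA], route_text: str, origin_as: int) -> State:
    """Section 2.1 pseudo-code, one step per line."""
    route = ipaddress.ip_network(route_text, strict=True)
    result = State.NOT_FOUND
    for roa in covering_roas(roas, route):
        result = State.INVALID
        if route.prefixlen <= roa.max_length:
            # origin AS 0 never matches: an AS0 ROA can only make routes Invalid
            if origin_as != 0 and roa.origin_as == origin_as:
                return State.VALID
    return result


# The two VRPs from the poster's "show validation database" output.
ROAS = [
    ROA.parse("1.7.228.0/22-24", 9583),
    ROA.parse("1.7.229.0/24-24", 4755),
]


def thread_case() -> dict[tuple[str, int], State]:
    """The announcements worth checking against those two ROAs."""
    cases = [
        ("1.7.229.0/24", 9583),   # the route the poster received
        ("1.7.229.0/24", 4755),   # the /24-24 ROA's own origin
        ("1.7.229.0/24", 64496),  # some other AS: covered, no match
        ("1.7.229.0/25", 9583),   # longer than both maxLengths
        ("1.7.228.0/22", 4755),   # only the /22 ROA covers this
        ("1.7.232.0/24", 9583),   # nothing covers this
    ]
    return {(p, a): validate(ROAS, p, a) for p, a in cases}


if __name__ == "__main__":
    for (prefix, asn), state in thread_case().items():
        print(f"{prefix:<14} AS{asn:<6} {state.value}")
```

Run it as-is and 1.7.229.0/24 AS9583 comes out Valid, which is the state Guilherme's MX304 reports below. Note also that the Junos session column is irrelevant to the result: two cache sessions feeding the same VRP produce two database rows, but the pseudo-code matches on prefix, maxLength and origin AS only.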



  • 2.  RE: RPKI validation problem

    Posted 13 days ago
    Edited by Guilherme Contino Santana 13 days ago

    What looks unusual here is not necessarily the Junos behavior itself, but the ROA design.

    It is quite uncommon to see two different origin ASNs simultaneously authorized for overlapping space like this:

    • 1.7.228.0/22-24 → AS9583

    • 1.7.229.0/24-24 → AS4755

    Usually this happens during ASN migration, partial delegation, DDoS mitigation scenarios, or temporary ROA misconfiguration.

    On my MX304, the route is currently still being validated as valid via AS9583:

    ---------------------------------------

    > show route 1.7.229.0/24

    1.7.229.0/24       *[BGP/170] 19:01:17
                          AS path: 64049 55836 9583 I, validation-state: valid
    -
    > show validation database record 1.7.229.0/24
    Prefix                 Origin-AS Session                                 State   Mismatch
    1.7.229.0/24-24             4755 --                                      valid
    -
    > show validation database record 1.7.229.0/22
    Prefix                 Origin-AS Session                                 State   Mismatch
    1.7.228.0/22-24             9583 --                                      valid
    1.7.229.0/24-24             4755 --                                      valid
    ---------------------------------------

    So, if your router is still marking the route as invalid while the covering AS9583 ROA is present in the validation database, it may be related to route validation refresh/reprocessing timing inside the router, a stale validation state, or some local policy/version-specific behavior.

    A route refresh, RPKI session reset, or forcing BGP re-evaluation could help confirm whether the route becomes valid after reprocessing.



    ------------------------------
    Guilherme Contino Santana
    IP Network Engineer
    Link Brasil Telecomunicações
    ------------------------------



  • 3.  RE: RPKI validation problem

    Posted 12 days ago

    Thanks for your kind response. Yesterday I also opened a ticket with my local Juniper partner; Juniper TAC says that it is probable that my router is affected by Problem Report PR1865114. We will try to upgrade the Junos version.

    Thanks



    ------------------------------
    JOSE RESTAINO
    ------------------------------