rpki-validator-3

ROA for 103.138.48.0/23-24 (ASN 0 vs Origin-AS 136119)

Open ruizzito opened this issue 3 years ago • 5 comments

Hi guys, I am observing a strange behavior in your network.

Let me try to explain:

  • We used version: 3.2-2020.10.28.23.06 on our local_cache (GVPALHTA1 - 172.16.177.241)
  • On our local_validator, we have this:

```
[@GVPALHTA1 ~]$ curl http://localhost:8080/api/objects/validated | grep -A 3 -B 3 103.138.48.0
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    "maxLength" : 24
  }, {
    "asn" : "0",   <<<<<<<<
    "prefix" : "103.138.48.0/23",
    "maxLength" : 24
  }, {
[...]
```

  • I mean, the ROA prefix "103.138.48.0/23-24" appears to be "registered by ASN-0".

  • If we check on our Juniper box, we find this:

```
@GRAALHTA3> show validation database record 103.138.48.0
RV database for instance master

Prefix                 Origin-AS  Session          State   Mismatch
103.138.48.0/23-24     136119     172.16.177.241   valid
```

  • If we look deeper into the trace-options, we see the following:

```
@GRAALHTA3> show log rpki.6.gz | match 103.138.48.0
Dec 9 04:36:44.513051 rv_change_db_entry_state: 103.138.48.0/23-24, Origin-AS 0, session 172.16.177.241, unknown -> valid

@GRAALHTA3> show log rpki.0.gz | match 103.138.48.0
Dec 10 08:31:45.390396 rv_change_db_entry_state: 103.138.48.0/23-24, Origin-AS 136119, session 172.16.177.241, unknown -> valid
Dec 10 08:31:45.393136 rv_change_db_entry_state: 103.138.48.0/23-24, Origin-AS 0, session 172.16.177.241, valid -> invalid
```

It appears that on "Dec 9 04:36", the ROA state changes from "unknown" to "valid" (by ASN-0). Today (Dec 10 08:31), that ROA changes from ASN-0 to ASN-136119.

  • Can you please help me to understand this behavior?
  • Why does local_cache see ASN-0 and Juniper see ASN-136119?
  • Do you observe the same behaviour on your rtr-rpki clients?

PD-1: We also have checked your public rpki_validator_service (https://rpki-validator.ripe.net/api/export-extended.json) and see the same behavior:

```
[wuirfb01@gplcomadpe11 ~]$ curl https://rpki-validator.ripe.net/api/export-extended.json | grep -A 6 -B 3 103.138.48.0
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    "serialNumber" : "704250436105586234317453941062193901537241673306"
  }, {
    "asn" : "0",
    "prefix" : "103.138.48.0/23",
    "maxLength" : 24,
    "ta" : "APNIC RPKI Root",
    "notBefore" : "2020-12-10T10:36:02Z",
    "notAfter" : "2021-12-10T10:41:02Z",
    "serialNumber" : "257254455200754995803974490035894331837184297494"
  }, {
100 46.9M    0 46.9M    0     0  31.7M      0 --:--:--  0:00:01 --:--:-- 31.7M
[wuirfb01@gplcomadpe11 ~]$
```

PD-2: This is our local_cache (just in case)

```
[@gplcomadpe11 ~]$ curl http://gvpalhta1:8080/api/export-extended.json | grep -A 6 -B 3 103.138.48.0
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    "serialNumber" : "704250436105586234317453941062193901537241673306"
  }, {
    "asn" : "0",
    "prefix" : "103.138.48.0/23",
    "maxLength" : 24,
    "ta" : "APNIC RPKI Root",
    "notBefore" : "2020-12-10T10:36:02Z",
    "notAfter" : "2021-12-10T10:41:02Z",
    "serialNumber" : "257254455200754995803974490035894331837184297494"
  }, {
100 46.9M    0 46.9M    0     0  34.8M      0 --:--:--  0:00:01 --:--:-- 34.8M
```

Thanks Rui (ASN12956)

ruizzito, Dec 10 '20 12:12
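An added example, not part of the original post and not rpki-validator-3 code: a check that lists every validated ROA payload (VRP) covering a prefix, rather than relying on grep context lines, and applies RFC 6811 origin validation, under which an AS 0 entry never matches a route. The sample records are constructed (they mirror the two Origin-AS values in the Juniper trace log above), the field names `asn`, `prefix` and `maxLength` are taken from the validator output in the post, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample, not real validator output: one AS 0 entry and one
# AS 136119 entry for the same prefix, plus an unrelated record.
SAMPLE_VRPS = [
    {"asn": "0", "prefix": "103.138.48.0/23", "maxLength": 24},
    {"asn": "136119", "prefix": "103.138.48.0/23", "maxLength": 24},
    {"asn": "64500", "prefix": "192.0.2.0/24", "maxLength": 24},
]

def parse_asn(value):
    """Accept "0", "AS136119" or an int and return the AS number."""
    text = str(value).upper()
    return int(text[2:] if text.startswith("AS") else text)

def covering_vrps(vrps, route_prefix):
    """Return every VRP whose prefix covers route_prefix (RFC 6811)."""
    route = ipaddress.ip_network(route_prefix)
    covered = []
    for vrp in vrps:
        net = ipaddress.ip_network(vrp["prefix"])
        if net.version == route.version and route.subnet_of(net):
            covered.append(vrp)
    return covered

def validate(vrps, route_prefix, origin_as):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = covering_vrps(vrps, route_prefix)
    if not covered:
        return "not-found"
    for vrp in covered:
        asn = parse_asn(vrp["asn"])
        # An AS 0 VRP can never match a route; it only makes the
        # prefix "covered", so some other VRP has to match the origin.
        if asn != 0 and asn == origin_as and route.prefixlen <= int(vrp["maxLength"]):
            return "valid"
    return "invalid"

if __name__ == "__main__":
    for vrp in covering_vrps(SAMPLE_VRPS, "103.138.48.0/23"):
        print("covering VRP:", vrp)
    print(validate(SAMPLE_VRPS, "103.138.48.0/23", 136119))
```

Feed it the full list of records from the validator export instead of `SAMPLE_VRPS` to see whether more than one origin AS is present for the prefix.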