[Nanog] BGPMon RPKI Validation Failed (Code: 9)

Michel_Py · August 2, 2018, 8:27pm

Hi Nanog,

I received recently some of these messages, and I don't understand the logic of them.
If there is no ROA found, the code should be 1, and the status unknown / not found.
What is the logic behind getting a Validation failure if there is no ROA ?

Please help RPKI n00b,
Thanks.

Job_Snijders3 · August 2, 2018, 8:31pm

Dear Michel,

This question is probably best answered by Andree Toonk from the
BGPMon project. I've CCed him.

Kind regards,

Job

Andree_Toonk · August 3, 2018, 1:28am

Hi Michel,

it looks likes you have RPKI validation enabled for this prefix in
BGPmon.net.
This will tell BGPmon to run the RPKI validation checks for the prefix
and alert you if there's no valid ROA found.

This bgpmon alert below is from July 20 which was right around the time
the ROA was created, so I'm guessing the ROA hadn't fully propagated or
rsync'd with our systems yet.

Either way the BGPmon systems considers this prefix as RPKI valid now
and it looks like these alerts have stopped for you:

$ whois -h whois.bgpmon.net 216.230.25.0/24

Prefix: 216.230.25.0/24
Prefix description: Created by CCI on behalf of TSI Semiconductors
Country code: US
Origin AS: 14051
Origin AS Name: Consolidated Communications, Inc.
*RPKI status: ROA validation successful*
First seen: 2018-04-24
Last seen: 2018-08-01

Little known but handy feature to get all ROA details from the CLI:

$ whois -h whois.bgpmon.net " --roa 14051 216.230.25.0/24"

*0 - Valid*

Michel_Py · August 3, 2018, 5:09pm

Hi Andree,

Andree Toonk wrote :
it looks likes you have RPKI validation enabled for this prefix in BGPmon.net.
This will tell BGPmon to run the RPKI validation checks for the prefix and alert you if there's no valid ROA found.

Makes perfect sense now. Code 9 is a BGPMon extension to code 1. Thanks much for the clarification.

Michel.

TSI Disclaimer: This message and any files or text attached to it are intended only for the recipients named above and contain information that may be confidential or privileged. If you are not the intended recipient, you must not forward, copy, use or otherwise disclose this communication or the information contained herein. In the event you have received this message in error, please notify the sender immediately by replying to this message, and then delete all copies of it from your system. Thank you!...