ROVv6 does not behave the same way as ROVv4: What rookie mistake(s) did I make?

Dear all,

We just turned on our RPKI Route Origin Validation yesterday, then something weird happened:
[Reference: We are running NLnet Labs’ Routinator 3000, feeding a Cisco ASR 1000 Series router. I know, I know, we haven’t started a second validator yet.]

When we tested against the two testers:
https://sg-pub.ripe.net/jasper/rpki-web-test/
and
https://isbgpsafeyet.com/
the IPv4-only net-segment passed with flying colors.
[by the way, very sneaky you Cloudflare, registering the invalid block to AS0 is a nice touch; I had to configure the router to really drop the invalid routes instead of just lowering their preference. Good show, mate!]

However, when we tested on dual-stack net-segment, the first test passed, but Cloudflare invalids sneak through on the IPv6 side, causing the second test to fail.

So, here comes the question:
What rookie mistake(s) did I make?
IPv4 and IPv6 configuration are supposed to be symmetric, right?
Or did I miss something?

And since I've already started asking:
For a “second validator”, which choice is better: a second copy of the same software, or different software altogether?

Thanks in advance for all comments and advice,

Based on the difficulties I have already experienced, I would bet on some default route (or for example 2001::/16) statically placed in your FIB pointing to an upstream.
Or even the simple absence of the default route (::/0) pointing to null.

Hello,

> We just turned on our RPKI Route Origin Validation yesterday, then something weird happened:
> [Reference: We are running NLnet Labs’ Routinator 3000, feeding a
> Cisco ASR 1000 Series router. I know, I know, we haven’t started a
> second validator yet.]

If you are doing ROV on IOS(-XE), you need to be aware of the
surprising default behaviours. See:

https://www.mail-archive.com/nanog@nanog.org/msg104776.html

https://www.mail-archive.com/cisco-nsp@puck.nether.net/msg68472.html

Also see:

> [by the way, very sneaky you Cloudflare, registering the invalid block to
> AS0 is a nice touch; I had to configure the router to really drop the invalid
> routes instead of just lowering their preference. Good show, mate!]

Not sure what you are saying, but you need to completely drop invalid
routes. Lowering local-preference is not enough. This has nothing to
do with AS0 ROAs.

> However, when we tested on dual-stack net-segment, the first test passed, but
> Cloudflare invalids sneak through on the IPv6 side, causing the second test to fail.

Research the IPv6 address used for the invalid test, and check why
it is reachable from your routers. Are invalid v6 routes in your BGP
table? Do you have a default route? What does the FIB do and why? This
has less to do with ROV and is more about basic network
troubleshooting (BGP -> RIB -> FIB).

host -tAAAA invalid.rpki.cloudflare.com
invalid.rpki.cloudflare.com has IPv6 address 2606:4700:7000::6715:f40f
invalid.rpki.cloudflare.com has IPv6 address 2606:4700:7000::6715:f40e

So it looks like 2606:4700:7000::/48.

> So, here comes the question:
> What rookie mistake(s) did I make?
> IPv4 and IPv6 configuration are supposed to be symmetric, right?
> Or did I miss something?

Just start with normal, basic troubleshooting, looking at FIB, RIB and
BGP table outputs of the offending IP.

> And since I've already started asking:
> For a “second validator”, which choice is better: a second copy of the same software, or different software altogether?

A different software stack can be beneficial, yes. I suggest you take
a look at the Fort validator, it's a great piece of software.

Lukas
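To make the BGP -> RIB -> FIB reasoning above concrete, here is an added Python model (not code from the thread or from any vendor) of origin validation plus a longest-prefix-match FIB. It assumes a constructed ROA set in which the /48 resolved above carries an AS0 ROA, a constructed IPv4 test prefix 192.0.2.0/24, and documentation AS numbers; it shows how dropping invalids still leaves the v6 test address reachable when a static ::/0 to the upstream is present, while the v4 side with no default is not.

```python
import ipaddress

# Constructed ROA table (prefix, maxLength, origin AS): the /48 from the thread is modelled
# with an AS0 ROA; the IPv4 prefix and the AS numbers are documentation values, not real data.
ROAS = [("2606:4700:7000::/48", 48, 0), ("192.0.2.0/24", 24, 0),
        ("203.0.113.0/24", 24, 64496)]

def rov_state(prefix, origin_as, roas=ROAS):
    """RFC 6811 origin validation outcome: 'notfound', 'valid' or 'invalid'."""
    net = ipaddress.ip_network(prefix)
    covering = [(ipaddress.ip_network(p), maxlen, asn) for p, maxlen, asn in roas
                if ipaddress.ip_network(p).version == net.version
                and net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "notfound"
    if any(net.prefixlen <= maxlen and asn == origin_as for _, maxlen, asn in covering):
        return "valid"
    return "invalid"  # covered by a ROA but no ROA matches; an AS0 ROA never matches

def build_fib(bgp_routes, static_routes, drop_invalid=True):
    """Install BGP routes that survive ROV, then statics; a None next hop models Null0."""
    fib = {}
    for prefix, origin_as, nexthop in bgp_routes:
        if drop_invalid and rov_state(prefix, origin_as) == "invalid":
            continue  # really drop the invalid; merely lowering preference would keep it
        fib[ipaddress.ip_network(prefix)] = nexthop
    for prefix, nexthop in static_routes:
        fib[ipaddress.ip_network(prefix)] = nexthop
    return fib

def lookup(fib, address):
    """Longest-prefix match as the FIB does it; None means the packet is dropped."""
    addr = ipaddress.ip_address(address)
    matches = [net for net in fib if addr in net]
    return fib[max(matches, key=lambda n: n.prefixlen)] if matches else None

# Constructed BGP table: the same kind of invalid announcement exists in both families.
BGP = [("2606:4700:7000::/48", 64496, "upstream-v6"), ("192.0.2.0/24", 64496, "upstream-v4"),
       ("203.0.113.0/24", 64496, "upstream-v4")]

def invalid_test_nexthops(static_routes):
    """Where packets to the v4 (constructed) and v6 (from the thread) test addresses go."""
    fib = build_fib(BGP, static_routes)
    return {"v4": lookup(fib, "192.0.2.1"), "v6": lookup(fib, "2606:4700:7000::6715:f40f")}

if __name__ == "__main__":
    print("no statics:          ", invalid_test_nexthops([]))
    print("static ::/0 upstream:", invalid_test_nexthops([("::/0", "upstream-v6")]))
    print("static ::/0 Null0:   ", invalid_test_nexthops([("::/0", None)]))
```

Swap `static_routes` for whatever your router actually carries (a 2001::/16 static, a default learned from the upstream) to see which entry is giving the invalid address a path.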

Tue, Mar 02, 2021 at 09:18:06PM +0700, Pirawat WATANAPONGSE via NANOG:

> For a “second validator”, which choice is better: second copy of the same
> software, or different software altogether?

Arrcus ArcIQ has a validator, RTR server, and has monitoring capabilities
and support.