We just turned on our RPKI Route Origin Validation yesterday, then something weird happened:
[Reference: We are running NLnet Labs’ Routinator 3000, feeding a Cisco ASR 1000 Series router. I know, I know, we haven’t started a second validator yet.]
When we tested against the two testers:
the IPv4-only net-segment passed with flying color.
[by the way, very sneaky you Cloudflare, registering the invalid block to the AS0 is a nice touch; I had to configure the router to really drop the invalid routes instead of just lowering their preference. Good show, mate!]
However, when we tested on dual-stack net-segment, the first test passed, but Cloudflare invalids sneak through on the IPv6 side, causing the second test to fail.
So, here comes the question:
What rookie mistake(s) did I make?
IPv4 and IPv6 configuration are supposed to be symmetry, right?
Or did I miss something?
And since I already start asking:
For a “second validator”, which choice is better: second copy of the same software, or different software altogether?
Thanks in advance for all comments and advices,