Hello, in Cisco land I worked around VRF or source interface selection limitations for RTR by using SSH as a transport method, which then used SSH client source-vrf/source-interface configurations.
I don't know if JunOS supports SSH transported RTR though. Lukas On Mon, 5 Jun 2023 at 04:52, Chris Kawchuk via juniper-nsp <juniper-nsp@puck.nether.net> wrote: > > Hi All > > Been scratching my head today. As per Juniper's documentation, you can indeed > setup RPKI/ROA validation session inside a routing-instance. You can also > have it query against that instance on an import policy for that VRF > specifically, and if there's no session, it will revert to the default RPKI > RV database (if configured) under the main routing-options {} stanza to check > for valid/invalid, etc... > > https://www.juniper.net/documentation/us/en/software/junos/bgp/topics/topic-map/bgp_origin_validation.html > > Thats all fine and dandy, but it seems that JNPR's implementation of RPKI/ROA > *assumes* that your RV database is always configured in the main routing > instance (i.e. the main routing-options validation {} stanza, thus your RPKI > server MUST be available via inet.0 ). > > Unfortunately, the situation I am faced with is the opposite. > > My RPKI/ROA server is only available via our "admin" VRF (which is how we > manage the device) - Our inet.0 contains the global internet/IGP and links > and loopbacks/Labels/etc. all "admin" related functions RADIUS/TACACS, SNMP, > RPKI, Syslog, ssh, you-name-it, etc. are all "nailed" to our admin VRF. Hence > when I try to do ROA validation of an eBGP peer in inet.0 via a standard > import policy, the RV "validation-database" is unfortunately locked inside > the admin-vrf, and thus isn't queried for valid/invalid/unknown etc. > > Hence, nothing on the eBGP session in inet.0 is being validated. > > Is there some KNOB I'm missing, to allow a policy, executed upon routes in > inet.0, to use the RV database in a non-default VRF? Or copy the VRF's RV to > the default's RV? or is this some oversight of JNPR's RPKI implementation, > that it must be inside the default:default LI:RI? > > - CK. > > > NOTE: my Google-fu and/or "set ?" skills aren't yielding any useful results. > Apologies if there's "a simple fix" for this, or an example of this situation > I haven't found. > _______________________________________________ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp