Hello,
in Cisco land I worked around VRF or source interface selection
limitations for RTR by using SSH as a transport method, which then
used SSH client source-vrf/source-interface configurations.
I don't know if JunOS supports SSH transported RTR though.
Lukas
On Mon, 5 Jun 2023 at 04:52, Chris Kawchuk via juniper-nsp
<juniper-nsp@puck.nether.net> wrote:
>
> Hi All
>
> Been scratching my head today. As per Juniper's documentation, you can indeed
> setup RPKI/ROA validation session inside a routing-instance. You can also
> have it query against that instance on an import policy for that VRF
> specifically, and if there's no session, it will revert to the default RPKI
> RV database (if configured) under the main routing-options {} stanza to check
> for valid/invalid, etc...
>
> https://www.juniper.net/documentation/us/en/software/junos/bgp/topics/topic-map/bgp_origin_validation.html
>
> Thats all fine and dandy, but it seems that JNPR's implementation of RPKI/ROA
> *assumes* that your RV database is always configured in the main routing
> instance (i.e. the main routing-options validation {} stanza, thus your RPKI
> server MUST be available via inet.0 ).
>
> Unfortunately, the situation I am faced with is the opposite.
>
> My RPKI/ROA server is only available via our "admin" VRF (which is how we
> manage the device) - Our inet.0 contains the global internet/IGP and links
> and loopbacks/Labels/etc. all "admin" related functions RADIUS/TACACS, SNMP,
> RPKI, Syslog, ssh, you-name-it, etc. are all "nailed" to our admin VRF. Hence
> when I try to do ROA validation of an eBGP peer in inet.0 via a standard
> import policy, the RV "validation-database" is unfortunately locked inside
> the admin-vrf, and thus isn't queried for valid/invalid/unknown etc.
>
> Hence, nothing on the eBGP session in inet.0 is being validated.
>
> Is there some KNOB I'm missing, to allow a policy, executed upon routes in
> inet.0, to use the RV database in a non-default VRF? Or copy the VRF's RV to
> the default's RV? or is this some oversight of JNPR's RPKI implementation,
> that it must be inside the default:default LI:RI?
>
> - CK.
>
>
> NOTE: my Google-fu and/or "set ?" skills aren't yielding any useful results.
> Apologies if there's "a simple fix" for this, or an example of this situation
> I haven't found.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
