Hi Jan, Jay,

> On 10 Apr 2019, at 21:54, Jay Borkenhagen <[email protected]> wrote:
>
> Hi Jan,
>
> Some time ago I filed this Cisco DDTS:
>
> CSCvg37740 - Specify source address or interface for RPKI server
>
> I do not know whether a fix was made available in any versions of
> IOS-XR. (However, I do know that no SMU fixing that DDTS has yet been
> accepted into our (as7018) certification process.)
>
> That said, the workaround we are using in production is to use the SSH
> Transport option, section 9.1 of https://tools.ietf.org/html/rfc8210
> Our versions of IOS-XR do allow specifying the source address for ssh
> client connections via:
>
> ssh client source-interface Loopback0
>
> Note that if you do go this way, the "show running" configuration will
> show the rpki server username and "transport ssh port 22", but the ssh
> password will not be visible. It will be stored in a database
> internal to IOS-XR -- it just won't be apparent.

By way of @wk [0], this process is documented here:

https://rpki.readthedocs.io/en/latest/routinator/rtr-secure-transport.html

Cheers,

Alex

[0] https://github.com/wk

> Sorry -- I never tried setting up validation in a VRF. Good luck.
>
> Hope that helps somewhat.
>
> Jay B.
>
>
> Jan Chrillesen writes:
>> I am trying to enable validation on IOS XR (NCS-5500 running 6.5.3) and
>> I'm facing two issues. The first one is that traffic is being sourced
>> from the outgoing interface, and it isn't possible to specify a source
>> interface (like a loopback interface). It's the same issue as described
>> here
>> https://puck.nether.net/pipermail/cisco-nsp/2016-December/104236.html
>>
>> The second one is the lack of documentation for using RPKI validation in
>> VRFs - is it even supported? I made the following config
>>
>> router bgp xxxxx
>>  rpki server 212.x.y.z
>>   transport tcp port 3323
>>   refresh-time 600
>>
>>  vrf internet
>>  [...]
>>   bgp bestpath origin-as use validity
>>   bgp bestpath origin-as allow invalid
>>   address-family ipv4 unicast
>>   [...]
>>    bgp origin-as validation signal ibgp
>>
>>
>> Connection to the validator (Routinator 3000) seems fine:
>>
>> #sh bgp rpki summary
>> Wed Apr 10 19:39:46.294 CEST
>>
>> RPKI cache-servers configured: 1
>> RPKI database
>>   Total IPv4 net/path: 64091/68179
>>   Total IPv6 net/path: 11324/12344
>>
>> If I check the validity of a route received from a peer on the router I
>> get:
>>
>> #sh bgp vrf internet x.y.0.0/19
>> [...]
>>   Origin-AS validity: (disabled)
>>
>> I would expect the validity to be valid, invalid or not found
>>
>> Also updated the ingress route-map of the peer to check for
>> validation-state but I would expect that the route should have a
>> validity even if I don't do anything with it in the route map
>>
>> Found this old post
>> https://community.cisco.com/t5/routing/rpki-validation-for-neighbors-in-vrfs/td-p/2724218
>> but it didn't provide any hints to whether validation is even supported
>> in VRFs on XR
>>
>> (To those who might suggest I run my peers in GRT - it's not currently
>> an option)
>>
>> - Jan
>> --
>> RPKI mailing list
>> [email protected]
>> https://www.nlnetlabs.nl/mailman/listinfo/rpki
