[FROG] rpki start

Donald Sharp donaldsharp72 at gmail.com
Wed Mar 22 11:50:29 UTC 2023


sharpd at janelle:~$ sudo systemctl start frr
sharpd at janelle:~$ vtysh -c "show rpki cache-connection"
No connection to RPKI cache server.
sharpd at janelle:~$ vtysh -c "show rpki cache-connection"
Connected to group 1
rpki tcp cache rpki-validator.realmv6.org 8282 pref 1 (connected)
sharpd at janelle:~$ vtysh -c "show run" | grep -A 3 "rpki"
 match rpki valid
exit
!
route-map VERIFY deny 20
 match rpki invalid
exit
!
ip protocol bgp route-map DENY
--
rpki
 rpki cache rpki-validator.realmv6.org 8282 preference 1
exit
!
end

I'm not sure what to say, but it works for me.  I am running a version of
latest from the last week or so on this box.

donald


On Wed, Mar 22, 2023 at 7:36 AM Chris Knipe <cknipe at opticnetworks.net>
wrote:

> Hi,
>
> So modified the config:
>
> service advanced-vty
> service password-encryption
> rpki
> rpki polling_period 1000
> rpki cache rtr.rpki.cloudflare.com 8282 preference 2
> rpki cache rtr.rpki.cloudflare.com 8283 preference 3
> exit
>
> Restarted FRR
>
> za-ctn-rs01a# sh rpki cache-connection
> No connection to RPKI cache server.
>
> za-ctn-rs01a# wr mem
> Note: this version of vtysh never writes vtysh.conf
> Building Configuration...
> Integrated configuration saved to /etc/frr/frr.conf
>
> write mem removes the exit too.
>
> service password-encryption
> rpki
> rpki polling_period 1000
> rpki cache rtr.rpki.cloudflare.com 8282 preference 2
> rpki cache rtr.rpki.cloudflare.com 8283 preference 3
> service advanced-vty
>
> Complete config just for clarity (didn't want to spam the list, but seems
> that it is needed):
>
> frr version 8.1
> frr defaults traditional
> hostname za-ctn-rs01a
> log syslog informational
> no log unique-id
> service advanced-vty
> service password-encryption
> no ip forwarding
> no ipv6 forwarding
> service advanced-vty
> service password-encryption
> service advanced-vty
> service password-encryption
> service advanced-vty
> service password-encryption
> rpki
> rpki polling_period 300
> rpki retry_interval 10
> rpki cache rtr.rpki.cloudflare.com 8282 preference 2
> rpki cache rtr.rpki.cloudflare.com 8283 preference 3
> exit
> service advanced-vty
> service password-encryption
> service integrated-vtysh-config
> !
> ip router-id a.b.c.131
> ip route 0.0.0.0/0 a.b.c.129
> ip route 0.0.0.0/0 a.b.c.130 10
> ip route a.b.c.0/23 Null0 tag 20
> ip route a.b.c.0/24 Null0 tag 30
> ip route a.b.d.0/24 Null0 tag 30
> ip route e.f.g.0/24 Null0 tag 25
> ipv6 route ::/0 a:b:c:6000::81
> ipv6 route ::/0 a:b:c:6000::82 10
> ipv6 route a:b:c::/48 Null0 tag 25
> !
> interface ens32
> bandwidth 10000
> ipv6 ospf6 area 0
> exit
> !
> router bgp 65530
> bgp router-id a.b.c.131
> bgp log-neighbor-changes
> bgp always-compare-med
> no bgp suppress-duplicates
> no bgp default ipv4-unicast
> bgp cluster-id a.b.c.128
> bgp disable-ebgp-connected-route-check
> bgp graceful-shutdown
> bgp graceful-restart
> bgp route-reflector allow-outbound-policy
> neighbor a.b.c.132 remote-as 65530
> neighbor a.b.c.132 description ZA-JNB-RS01B
> neighbor a.b.c.139 remote-as 65530
> neighbor a.b.c.139 description ZA-CTN-RS01B
> neighbor a.b.c.140 remote-as 65530
> neighbor a.b.c.140 description ZA-JNB-RS01A
> neighbor a.b.c.254 remote-as 65530
> neighbor a.b.c.254 description ZA-CTN-CR01B
> neighbor a.b.c.255 remote-as 65530
> neighbor a.b.c.255 description ZA-CTN-CR01A
> neighbor a:b:c:6000::84 remote-as 65530
> neighbor a:b:c:6000::84 description ZA-JNB-RS01B
> neighbor a:b:c:6000::8b remote-as 65530
> neighbor a:b:c:6000::8b description ZA-CTN-RS01B
> neighbor a:b:c:6000::8c remote-as 65530
> neighbor a:b:c:6000::8c description ZA-JNB-RS01A
> neighbor a:b:c:6000::fe remote-as 65530
> neighbor a:b:c:6000::fe description ZA-CTN-CR01B
> neighbor a:b:c:6000::ff remote-as 65530
> neighbor a:b:c:6000::ff description ZA-CTN-CR01A
> bgp fast-convergence
> !
> address-family ipv4 unicast
>   redistribute static
>   bgp dampening
>   neighbor a.b.c.132 activate
>   neighbor a.b.c.132 addpath-tx-all-paths
>   neighbor a.b.c.132 soft-reconfiguration inbound
>   neighbor a.b.c.132 allowas-in origin
>   neighbor a.b.c.132 route-map BGP-RS-OUTv4 out
>   neighbor a.b.c.132 attribute-unchanged next-hop
>   neighbor a.b.c.139 activate
>   neighbor a.b.c.139 addpath-tx-all-paths
>   neighbor a.b.c.139 soft-reconfiguration inbound
>   neighbor a.b.c.139 allowas-in origin
>   neighbor a.b.c.139 attribute-unchanged next-hop
>   neighbor a.b.c.254 activate
>   neighbor a.b.c.254 route-reflector-client
>   neighbor a.b.c.254 soft-reconfiguration inbound
>   neighbor a.b.c.254 allowas-in origin
>   neighbor a.b.c.254 route-map BGP-TRANS-OUTv4 out
>   neighbor a.b.c.255 activate
>   neighbor a.b.c.255 route-reflector-client
>   neighbor a.b.c.255 soft-reconfiguration inbound
>   neighbor a.b.c.255 allowas-in origin
>   neighbor a.b.c.255 route-map BGP-TRANS-OUTv4 out
> exit-address-family
> !
> address-family ipv6 unicast
>   redistribute static
>   bgp dampening
>   neighbor a:b:c:6000::8b activate
>   neighbor a:b:c:6000::8b addpath-tx-all-paths
>   neighbor a:b:c:6000::8b soft-reconfiguration inbound
>   neighbor a:b:c:6000::8b allowas-in origin
>   neighbor a:b:c:6000::8b attribute-unchanged as-path next-hop med
>   neighbor a:b:c:6000::8c activate
>   neighbor a:b:c:6000::8c addpath-tx-all-paths
>   neighbor a:b:c:6000::8c soft-reconfiguration inbound
>   neighbor a:b:c:6000::8c allowas-in origin
>   neighbor a:b:c:6000::8c attribute-unchanged as-path next-hop
>   neighbor a:b:c:6000::fe activate
>   neighbor a:b:c:6000::fe route-reflector-client
>   neighbor a:b:c:6000::fe soft-reconfiguration inbound
>   neighbor a:b:c:6000::fe allowas-in origin
>   neighbor a:b:c:6000::fe route-map BGP-TRANS-OUTv6 out
>   neighbor a:b:c:6000::fe attribute-unchanged as-path next-hop med
>   neighbor a:b:c:6000::ff activate
>   neighbor a:b:c:6000::ff route-reflector-client
>   neighbor a:b:c:6000::ff soft-reconfiguration inbound
>   neighbor a:b:c:6000::ff allowas-in origin
>   neighbor a:b:c:6000::ff route-map BGP-TRANS-OUTv6 out
>   neighbor a:b:c:6000::ff attribute-unchanged as-path next-hop med
> exit-address-family
> exit
> !
> router ospf
> ospf router-id a.b.c.131
> log-adjacency-changes detail
> compatible rfc1583
> auto-cost reference-bandwidth 10000
> graceful-restart
> network a.b.c.128/29 area 0
> capability opaque
> exit
> !
> router ospf6
> ospf6 router-id a.b.c.131
> log-adjacency-changes detail
> auto-cost reference-bandwidth 10000
> graceful-restart
> exit
> !
>
> *From:* Donald Sharp <donaldsharp72 at gmail.com>
> *Sent:* Wednesday, 22 March 2023 13:24
> *To:* Chris Knipe <cknipe at opticnetworks.net>
> *Cc:* ch <ch at ntrv.dk>; frog at lists.frrouting.org
> *Subject:* Re: [FROG] rpki start
>
> Add an `exit` to the end of the rpki configuration section
>
> rpki
>    rpki polling_period 1000
>    rpki cache rtr.rpki.cloudflare.com 8282 preference 2
>    rpki cache rtr.rpki.cloudflare.com 8283 preference 3
> exit
>
> On Wed, Mar 22, 2023 at 5:16 AM Chris Knipe <cknipe at opticnetworks.net>
> wrote:
>
> Hi,
>
> daemons.conf:
> vtysh_enable=yes
> zebra_options="  -A 127.0.0.1 -s 90000000"
> bgpd_options="   -A 127.0.0.1 -M rpki"
> ospfd_options="  -A 127.0.0.1"
> ospf6d_options=" -A ::1"
>
> za-ctn-rs01a# sh rpki cache-server
> host: rtr.rpki.cloudflare.com port: 8282
> host: rtr.rpki.cloudflare.com port: 8283
> za-ctn-rs01a# sh rpki cache-connection
> No connection to RPKI cache server.
> za-ctn-rs01a# sh ver
> FRRouting 8.1 (za-ctn-rs01a).
> Copyright 1996-2005 Kunihiro Ishiguro, et al.
> configured with:
>     '--build=x86_64-linux-gnu' '--prefix=/usr'
> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
> '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
> '--disable-option-checking' '--disable-silent-rules'
> '--libdir=${prefix}/lib/x86_64-linux-gnu'
> '--libexecdir=${prefix}/lib/x86_64-linux-gnu' '--disable-maintainer-mode'
> '--localstatedir=/var/run/frr' '--sbindir=/usr/lib/frr'
> '--sysconfdir=/etc/frr' '--with-vtysh-pager=/usr/bin/pager'
> '--libdir=/usr/lib/x86_64-linux-gnu/frr'
> '--with-moduledir=/usr/lib/x86_64-linux-gnu/frr/modules'
> '--disable-dependency-tracking' '--enable-rpki' '--disable-scripting'
> '--with-libpam' '--enable-doc' '--enable-doc-html' '--enable-snmp'
> '--enable-fpm' '--disable-protobuf' '--disable-zeromq' '--enable-ospfapi'
> '--enable-bgp-vnc' '--enable-multipath=256' '--enable-user=frr'
> '--enable-group=frr' '--enable-vty-group=frrvty'
> '--enable-configfile-mask=0640' '--enable-logfile-mask=0640'
> 'build_alias=x86_64-linux-gnu' 'PYTHON=python3'
>
> config
> Current configuration:
> !
> frr version 8.1
> frr defaults traditional
> hostname za-ctn-rs01a
> log syslog informational
> no log unique-id
> service advanced-vty
> service password-encryption
> no ip forwarding
> no ipv6 forwarding
> service advanced-vty
> service password-encryption
> service advanced-vty
> service password-encryption
> service advanced-vty
> service password-encryption
> rpki
> rpki polling_period 1000
> rpki cache rtr.rpki.cloudflare.com 8282 preference 2
> rpki cache rtr.rpki.cloudflare.com 8283 preference 3
> service advanced-vty
> service password-encryption
> service integrated-vtysh-config
>
> RPKI doesn't do anything until I execute rpki start
>
> za-ctn-rs01a# rpki start
> za-ctn-rs01a# sh rpki cache-connection
> Connected to group 2
> rpki tcp cache rtr.rpki.cloudflare.com 8282 pref 2
>
> --
> C
>
> *From:* Donald Sharp <donaldsharp72 at gmail.com>
> *Sent:* Wednesday, 22 March 2023 01:00
> *To:* Chris Knipe <cknipe at opticnetworks.net>
> *Cc:* ch <ch at ntrv.dk>; frog at lists.frrouting.org
> *Subject:* Re: [FROG] rpki start
>
> What does your config look like?  Mine starts automatically, rpki is
> programmed to start it when you leave the rpki subnode
>
> donald
>
> On Tue, Mar 21, 2023 at 5:15 PM Chris Knipe via frog
> <frog at lists.frrouting.org> wrote:
>
> ---------- Forwarded message ----------
> From: Chris Knipe <cknipe at opticnetworks.net>
> To: ch <ch at ntrv.dk>, "frog at lists.frrouting.org" <frog at lists.frrouting.org>
> Cc:
> Bcc:
> Date: Tue, 21 Mar 2023 19:00:29 +0000
> Subject: RE: [FROG] rpki start
> Hi,
>
> >
> >Or are you referring to an RPKI (caching) server FRR connects to?
> >
>
> Correct.  RPKI doesn't automatically connect to the RPKI servers unless I
> issue a "rpki start" command.
>
> Configuration etc. is 100%, works absolutely fine.  Just doesn't
> automatically connect to the RPKI servers.
>
> --
> Chris.
>
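Donald's point in the thread is that FRR opens the cache connection when the `rpki` subnode is left, and Chris's saved frr.conf shows the `rpki` block running straight into `service advanced-vty` with no `exit`. The lint below is an added example, not FRR code and not from anyone on the list: it scans config text for an unclosed `rpki` subnode, extracts the configured caches, and flags repeated top-level lines like the duplicated `service` entries in the posted config. The sample configs are constructed from the thread, and the duplicate check assumes FRR's own layout in which subnode lines are indented.

```python
import re
from collections import Counter

CACHE_RE = re.compile(r"^rpki cache (\S+) (\d+) preference (\d+)$")


def check_rpki_section(config_text):
    """Describe the `rpki` subnode: is it closed by `exit`, and which caches does it list?"""
    res = {"present": False, "closed_by_exit": False, "caches": [], "unterminated_by": None}
    in_rpki = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_rpki:
            if line == "rpki":
                in_rpki = res["present"] = True
            continue
        m = CACHE_RE.match(line)
        if line == "exit":      # leaving the subnode is what makes FRR open the cache session
            res["closed_by_exit"], in_rpki = True, False
        elif m:
            res["caches"].append((m.group(1), int(m.group(2)), int(m.group(3))))
        elif line.startswith("rpki ") or line in ("", "!"):
            continue            # other rpki settings, e.g. polling_period / retry_interval
        else:                   # a different statement follows: the subnode was never closed
            res["unterminated_by"], in_rpki = line, False
    return res


def lint(config_text):
    """Findings for the two oddities visible in the posted config."""
    findings, sec = [], check_rpki_section(config_text)
    if sec["present"] and not sec["closed_by_exit"]:
        findings.append("rpki subnode not closed by `exit` (next statement: %r)"
                        % sec["unterminated_by"])
    # Assumes FRR's own layout: subnode lines are indented, so unindented lines are top level.
    top = Counter(l for l in config_text.splitlines()
                  if l and not l[0].isspace() and l not in ("!", "exit"))
    findings += ["top-level line %r appears %d times" % (l, n) for l, n in top.items() if n > 1]
    return findings


# Constructed samples modelled on the thread's config (not copied from a live router).
BROKEN = """service advanced-vty
rpki
 rpki polling_period 1000
 rpki cache rtr.rpki.cloudflare.com 8282 preference 2
 rpki cache rtr.rpki.cloudflare.com 8283 preference 3
service advanced-vty
"""
FIXED = BROKEN.replace("preference 3\n", "preference 3\nexit\n!\n")
```

Running `lint(open("/etc/frr/frr.conf").read())` after a `write mem` shows whether the saved file still carries the closing `exit`, which is the case Chris reports going missing.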