[FROG] rpki start

Chris Knipe cknipe at opticnetworks.net
Wed Mar 22 11:56:39 UTC 2023


Hi,

Upgraded from 8.1 to the latest 8.5 and it is now automatically connecting.  No change in any configs.

Looks like something was broken, which is now fixed.  Ubuntu still installs 8.1 on 22.04 LTS, so I’ve updated manually via the frr repositories.

Ty everyone for the assistance! 😊

--
Chris.


From: Donald Sharp <donaldsharp72 at gmail.com>
Sent: Wednesday, 22 March 2023 13:50
To: Chris Knipe <cknipe at opticnetworks.net>
Cc: ch <ch at ntrv.dk>; frog at lists.frrouting.org
Subject: Re: [FROG] rpki start

sharpd at janelle:~$ sudo systemctl start frr
sharpd at janelle:~$ vtysh -c "show rpki cache-connection"
No connection to RPKI cache server.
sharpd at janelle:~$ vtysh -c "show rpki cache-connection"
Connected to group 1
rpki tcp cache rpki-validator.realmv6.org 8282 pref 1 (connected)
sharpd at janelle:~$ vtysh -c "show run" | grep -A 3 "rpki"
 match rpki valid
exit
!
route-map VERIFY deny 20
 match rpki invalid
exit
!
ip protocol bgp route-map DENY
--
rpki
 rpki cache rpki-validator.realmv6.org 8282 preference 1
exit
!
end

I'm not sure what to say, but it works for me.  I am running a version of latest from the last week or so on this box.

donald
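The two outputs Donald pastes above ("No connection to RPKI cache server." versus "Connected to group 1" plus one cache line) are what a monitoring check needs to tell apart, because with no cache session bgpd has no ROA data and a route-map `match rpki invalid` cannot deny anything. The following parser is an added example, not code from FRR or from anyone in this thread; it assumes `vtysh` is on the path for the live query, and the sample strings are constructed from the outputs quoted in the thread (the 8.1 line without a trailing `(connected)` state is included as a second form).

```python
"""Parse `vtysh -c "show rpki cache-connection"` output and decide whether
bgpd currently has a live RPKI validator session.

Added example, not FRR's own code or the poster's. Sample outputs are
constructed from the lines quoted in the thread.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Matches e.g.  rpki tcp cache rpki-validator.realmv6.org 8282 pref 1 (connected)
# The "(state)" suffix is optional because the 8.1 output in the thread omits it.
CACHE_RE = re.compile(
    r"^rpki\s+(?P<proto>tcp|ssh)\s+cache\s+(?P<host>\S+)\s+(?P<port>\d+)"
    r"\s+pref\s+(?P<pref>\d+)(?:\s+\((?P<state>\w+)\))?\s*$"
)
GROUP_RE = re.compile(r"^Connected to group (?P<group>\d+)\s*$")


@dataclass
class RpkiStatus:
    connected: bool
    group: Optional[int]
    caches: List[Dict[str, object]] = field(default_factory=list)


def parse_cache_connection(text: str) -> RpkiStatus:
    """Turn the CLI text into a structured status; tolerant of blank lines."""
    group: Optional[int] = None
    caches: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("No connection to RPKI cache server"):
            return RpkiStatus(connected=False, group=None, caches=[])
        m = GROUP_RE.match(line)
        if m:
            group = int(m.group("group"))
            continue
        m = CACHE_RE.match(line)
        if m:
            caches.append({
                "proto": m.group("proto"),
                "host": m.group("host"),
                "port": int(m.group("port")),
                "pref": int(m.group("pref")),
                "state": m.group("state"),  # None when FRR prints no state
            })
    return RpkiStatus(connected=group is not None, group=group, caches=caches)


def rpki_is_validating(text: str) -> bool:
    """True only when a preference group reports a connected cache."""
    return parse_cache_connection(text).connected


def live_status() -> RpkiStatus:
    """Query the running bgpd through vtysh (assumes vtysh and the rpki module)."""
    out = subprocess.run(["vtysh", "-c", "show rpki cache-connection"],
                         capture_output=True, text=True, check=True).stdout
    return parse_cache_connection(out)


# Constructed samples, taken from the outputs quoted in the thread.
SAMPLE_DOWN = "No connection to RPKI cache server.\n"
SAMPLE_UP = (
    "Connected to group 1\n"
    "rpki tcp cache rpki-validator.realmv6.org 8282 pref 1 (connected)\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_DOWN, SAMPLE_UP):
        print(parse_cache_connection(sample))
```

Run it from cron or a node exporter wrapper and alert when `rpki_is_validating()` is false after a restart; that is exactly the state Chris was in on 8.1, where the config was loaded but the session never came up.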


On Wed, Mar 22, 2023 at 7:36 AM Chris Knipe <cknipe at opticnetworks.net> wrote:
Hi,

So modified the config:
service advanced-vty
service password-encryption
rpki
rpki polling_period 1000
rpki cache rtr.rpki.cloudflare.com 8282 preference 2
rpki cache rtr.rpki.cloudflare.com 8283 preference 3
exit

Restarted FRR
za-ctn-rs01a# sh rpki cache-connection
No connection to RPKI cache server.

za-ctn-rs01a# wr mem
Note: this version of vtysh never writes vtysh.conf
Building Configuration...
Integrated configuration saved to /etc/frr/frr.conf

write mem removes the exit too.
service password-encryption
rpki
rpki polling_period 1000
rpki cache rtr.rpki.cloudflare.com 8282 preference 2
rpki cache rtr.rpki.cloudflare.com 8283 preference 3
service advanced-vty

Complete config just for clarity (didn’t want to spam the list, but seems that it is needed):
frr version 8.1
frr defaults traditional
hostname za-ctn-rs01a
log syslog informational
no log unique-id
service advanced-vty
service password-encryption
no ip forwarding
no ipv6 forwarding
service advanced-vty
service password-encryption
service advanced-vty
service password-encryption
service advanced-vty
service password-encryption
rpki
rpki polling_period 300
rpki retry_interval 10
rpki cache rtr.rpki.cloudflare.com 8282 preference 2
rpki cache rtr.rpki.cloudflare.com 8283 preference 3
exit
service advanced-vty
service password-encryption
service integrated-vtysh-config
!
ip router-id a.b.c.131
ip route 0.0.0.0/0 a.b.c.129
ip route 0.0.0.0/0 a.b.c.130 10
ip route a.b.c.0/23 Null0 tag 20
ip route a.b.c.0/24 Null0 tag 30
ip route a.b.d.0/24 Null0 tag 30
ip route e.f.g.0/24 Null0 tag 25
ipv6 route ::/0 a:b:c:6000::81
ipv6 route ::/0 a:b:c:6000::82 10
ipv6 route a:b:c::/48 Null0 tag 25
!
interface ens32
bandwidth 10000
ipv6 ospf6 area 0
exit
!
router bgp 65530
bgp router-id a.b.c.131
bgp log-neighbor-changes
bgp always-compare-med
no bgp suppress-duplicates
no bgp default ipv4-unicast
bgp cluster-id a.b.c.128
bgp disable-ebgp-connected-route-check
bgp graceful-shutdown
bgp graceful-restart
bgp route-reflector allow-outbound-policy
neighbor a.b.c.132 remote-as 65530
neighbor a.b.c.132 description ZA-JNB-RS01B
neighbor a.b.c.139 remote-as 65530
neighbor a.b.c.139 description ZA-CTN-RS01B
neighbor a.b.c.140 remote-as 65530
neighbor a.b.c.140 description ZA-JNB-RS01A
neighbor a.b.c.254 remote-as 65530
neighbor a.b.c.254 description ZA-CTN-CR01B
neighbor a.b.c.255 remote-as 65530
neighbor a.b.c.255 description ZA-CTN-CR01A
neighbor a:b:c:6000::84 remote-as 65530
neighbor a:b:c:6000::84 description ZA-JNB-RS01B
neighbor a:b:c:6000::8b remote-as 65530
neighbor a:b:c:6000::8b description ZA-CTN-RS01B
neighbor a:b:c:6000::8c remote-as 65530
neighbor a:b:c:6000::8c description ZA-JNB-RS01A
neighbor a:b:c:6000::fe remote-as 65530
neighbor a:b:c:6000::fe description ZA-CTN-CR01B
neighbor a:b:c:6000::ff remote-as 65530
neighbor a:b:c:6000::ff description ZA-CTN-CR01A
bgp fast-convergence
!
address-family ipv4 unicast
  redistribute static
  bgp dampening
  neighbor a.b.c.132 activate
  neighbor a.b.c.132 addpath-tx-all-paths
  neighbor a.b.c.132 soft-reconfiguration inbound
  neighbor a.b.c.132 allowas-in origin
  neighbor a.b.c.132 route-map BGP-RS-OUTv4 out
  neighbor a.b.c.132 attribute-unchanged next-hop
  neighbor a.b.c.139 activate
  neighbor a.b.c.139 addpath-tx-all-paths
  neighbor a.b.c.139 soft-reconfiguration inbound
  neighbor a.b.c.139 allowas-in origin
  neighbor a.b.c.139 attribute-unchanged next-hop
  neighbor a.b.c.254 activate
  neighbor a.b.c.254 route-reflector-client
  neighbor a.b.c.254 soft-reconfiguration inbound
  neighbor a.b.c.254 allowas-in origin
  neighbor a.b.c.254 route-map BGP-TRANS-OUTv4 out
  neighbor a.b.c.255 activate
  neighbor a.b.c.255 route-reflector-client
  neighbor a.b.c.255 soft-reconfiguration inbound
  neighbor a.b.c.255 allowas-in origin
  neighbor a.b.c.255 route-map BGP-TRANS-OUTv4 out
exit-address-family
!
address-family ipv6 unicast
  redistribute static
  bgp dampening
  neighbor a:b:c:6000::8b activate
  neighbor a:b:c:6000::8b addpath-tx-all-paths
  neighbor a:b:c:6000::8b soft-reconfiguration inbound
  neighbor a:b:c:6000::8b allowas-in origin
  neighbor a:b:c:6000::8b attribute-unchanged as-path next-hop med
  neighbor a:b:c:6000::8c activate
  neighbor a:b:c:6000::8c addpath-tx-all-paths
  neighbor a:b:c:6000::8c soft-reconfiguration inbound
  neighbor a:b:c:6000::8c allowas-in origin
  neighbor a:b:c:6000::8c attribute-unchanged as-path next-hop
  neighbor a:b:c:6000::fe activate
  neighbor a:b:c:6000::fe route-reflector-client
  neighbor a:b:c:6000::fe soft-reconfiguration inbound
  neighbor a:b:c:6000::fe allowas-in origin
  neighbor a:b:c:6000::fe route-map BGP-TRANS-OUTv6 out
  neighbor a:b:c:6000::fe attribute-unchanged as-path next-hop med
  neighbor a:b:c:6000::ff activate
  neighbor a:b:c:6000::ff route-reflector-client
  neighbor a:b:c:6000::ff soft-reconfiguration inbound
  neighbor a:b:c:6000::ff allowas-in origin
  neighbor a:b:c:6000::ff route-map BGP-TRANS-OUTv6 out
  neighbor a:b:c:6000::ff attribute-unchanged as-path next-hop med
exit-address-family
exit
!
router ospf
ospf router-id a.b.c.131
log-adjacency-changes detail
compatible rfc1583
auto-cost reference-bandwidth 10000
graceful-restart
network a.b.c.128/29 area 0
capability opaque
exit
!
router ospf6
ospf6 router-id a.b.c.131
log-adjacency-changes detail
auto-cost reference-bandwidth 10000
graceful-restart
exit
!
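The config Chris pastes above shows the failure mode concretely: after `write mem` on 8.1 the `rpki` node is followed directly by `service advanced-vty` rather than by `exit`, and since (per Donald) the cache connection is started when the rpki subnode is left, the session never starts on reload. The following linter is an added example, not FRR's own code or the poster's; it encodes only that rule, and the sample config is constructed from the post-`write mem` fragment quoted in the thread. It also offers a fixer that re-inserts the missing `exit`, which is the manual workaround on 8.1 before the upgrade.

```python
"""Lint an FRR integrated config for an `rpki` node that is not closed
with an explicit `exit`, and optionally repair it.

Added example, not FRR's own code or the poster's. Rule encoded: the
rpki block must be terminated by `exit`, because that is what triggers
the cache connection at load time. Sample config is constructed from the
fragment quoted in the thread.
"""
from typing import List


def _is_rpki_header(line: str) -> bool:
    # Node entry line: exactly "rpki" (leading whitespace tolerated,
    # since mail clients strip the single-space indent vtysh writes).
    return line.strip() == "rpki"


def _is_rpki_body(line: str) -> bool:
    # Commands inside the node all start with the "rpki " keyword.
    return line.strip().startswith("rpki ")


def rpki_block_issues(config: str) -> List[str]:
    """Return human-readable findings; an empty list means every rpki
    node present is closed with `exit`."""
    lines = config.splitlines()
    issues: List[str] = []
    seen_rpki = False
    i = 0
    while i < len(lines):
        if _is_rpki_header(lines[i]):
            seen_rpki = True
            start = i
            i += 1
            while i < len(lines) and _is_rpki_body(lines[i]):
                i += 1
            if i >= len(lines):
                issues.append(f"line {start + 1}: rpki block runs to end of file without `exit`")
            elif lines[i].strip() != "exit":
                issues.append(
                    f"line {start + 1}: rpki block is followed by "
                    f"'{lines[i].strip()}' instead of `exit`; the cache "
                    "connection will not be started at load time"
                )
            continue
        i += 1
    if not seen_rpki:
        issues.append("no rpki node found")
    return issues


def ensure_rpki_exit(config: str) -> str:
    """Rewrite the config so every rpki block ends with `exit` (idempotent)."""
    lines = config.splitlines()
    out: List[str] = []
    i = 0
    while i < len(lines):
        out.append(lines[i])
        if _is_rpki_header(lines[i]):
            i += 1
            while i < len(lines) and _is_rpki_body(lines[i]):
                out.append(lines[i])
                i += 1
            if i >= len(lines) or lines[i].strip() != "exit":
                out.append("exit")
            continue
        i += 1
    return "\n".join(out) + "\n"


# Constructed from the post-`write mem` fragment quoted in the thread.
SAMPLE_BROKEN = """\
service password-encryption
rpki
rpki polling_period 1000
rpki cache rtr.rpki.cloudflare.com 8282 preference 2
rpki cache rtr.rpki.cloudflare.com 8283 preference 3
service advanced-vty
"""

if __name__ == "__main__":
    for issue in rpki_block_issues(SAMPLE_BROKEN):
        print("WARN:", issue)
    print(ensure_rpki_exit(SAMPLE_BROKEN))
```

Running `rpki_block_issues()` over `/etc/frr/frr.conf` as a pre-restart check (or in a config-management hook) catches the silently-unvalidated state before bgpd is restarted; the lint only looks at block termination and does not touch the duplicated `service` lines, which are harmless to reload.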



From: Donald Sharp <donaldsharp72 at gmail.com>
Sent: Wednesday, 22 March 2023 13:24
To: Chris Knipe <cknipe at opticnetworks.net>
Cc: ch <ch at ntrv.dk>; frog at lists.frrouting.org
Subject: Re: [FROG] rpki start

Add an `exit` to the end of the rpki configuration section

rpki
   rpki polling_period 1000
   rpki cache rtr.rpki.cloudflare.com 8282 preference 2
   rpki cache rtr.rpki.cloudflare.com 8283 preference 3
exit

On Wed, Mar 22, 2023 at 5:16 AM Chris Knipe <cknipe at opticnetworks.net> wrote:
Hi,

daemons.conf:
vtysh_enable=yes
zebra_options="  -A 127.0.0.1 -s 90000000"
bgpd_options="   -A 127.0.0.1 -M rpki"
ospfd_options="  -A 127.0.0.1"
ospf6d_options=" -A ::1"

za-ctn-rs01a# sh rpki cache-server
host: rtr.rpki.cloudflare.com port: 8282
host: rtr.rpki.cloudflare.com port: 8283
za-ctn-rs01a# sh rpki cache-connection
No connection to RPKI cache server.
za-ctn-rs01a# sh ver
FRRouting 8.1 (za-ctn-rs01a).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
configured with:
    '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--libexecdir=${prefix}/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--localstatedir=/var/run/frr' '--sbindir=/usr/lib/frr' '--sysconfdir=/etc/frr' '--with-vtysh-pager=/usr/bin/pager' '--libdir=/usr/lib/x86_64-linux-gnu/frr' '--with-moduledir=/usr/lib/x86_64-linux-gnu/frr/modules' '--disable-dependency-tracking' '--enable-rpki' '--disable-scripting' '--with-libpam' '--enable-doc' '--enable-doc-html' '--enable-snmp' '--enable-fpm' '--disable-protobuf' '--disable-zeromq' '--enable-ospfapi' '--enable-bgp-vnc' '--enable-multipath=256' '--enable-user=frr' '--enable-group=frr' '--enable-vty-group=frrvty' '--enable-configfile-mask=0640' '--enable-logfile-mask=0640' 'build_alias=x86_64-linux-gnu' 'PYTHON=python3'

config
Current configuration:
!
frr version 8.1
frr defaults traditional
hostname za-ctn-rs01a
log syslog informational
no log unique-id
service advanced-vty
service password-encryption
no ip forwarding
no ipv6 forwarding
service advanced-vty
service password-encryption
service advanced-vty
service password-encryption
service advanced-vty
service password-encryption
rpki
rpki polling_period 1000
rpki cache rtr.rpki.cloudflare.com 8282 preference 2
rpki cache rtr.rpki.cloudflare.com 8283 preference 3
service advanced-vty
service password-encryption
service integrated-vtysh-config

RPKI doesn’t do anything until I execute rpki start
za-ctn-rs01a# rpki start
za-ctn-rs01a# sh rpki cache-connection
Connected to group 2
rpki tcp cache rtr.rpki.cloudflare.com 8282 pref 2

--
C

From: Donald Sharp <donaldsharp72 at gmail.com>
Sent: Wednesday, 22 March 2023 01:00
To: Chris Knipe <cknipe at opticnetworks.net>
Cc: ch <ch at ntrv.dk>; frog at lists.frrouting.org
Subject: Re: [FROG] rpki start

What does your config look like?  Mine starts automatically; rpki is programmed to start it when you leave the rpki subnode.

donald

On Tue, Mar 21, 2023 at 5:15 PM Chris Knipe via frog <frog at lists.frrouting.org> wrote:



---------- Forwarded message ----------
From: Chris Knipe <cknipe at opticnetworks.net>
To: ch <ch at ntrv.dk>, "frog at lists.frrouting.org" <frog at lists.frrouting.org>
Cc:
Bcc:
Date: Tue, 21 Mar 2023 19:00:29 +0000
Subject: RE: [FROG] rpki start
Hi,

> Or are you referring to an RPKI (caching) server FRR connects to?

Correct.  RPKI doesn't automatically connect to the RPKI servers unless I issue a "rpki start" command.

Configuration etc. is 100%, works absolutely fine.  Just doesn't automatically connect to the RPKI servers.

--
Chris.




_______________________________________________
frog mailing list
frog at lists.frrouting.org
https://lists.frrouting.org/listinfo/frog