I stand corrected (by Job).

Output from our router shows that both AS-es are valid:

show validation database | match 35.208.0.0/15
35.208.0.0/15-15           15169 192.168.28.28                           valid  
 *
35.208.0.0/15-15           15169 192.168.28.29                           valid  
 *
35.208.0.0/15-15           19527 192.168.28.28                           valid  
 *
35.208.0.0/15-15           19527 192.168.28.29                           valid  
 *

So my interpretation of info shown by routinator is not correct.
Sorry for any confusion I may have caused!

R.

-----Original Message-----
From: Outages <[email protected]> On Behalf Of Robert Heuvel via Outages
Sent: Tuesday, January 10, 2023 06:34 PM
To: Job Snijders <[email protected]>
Cc: [email protected]
Subject: Re: [outages] Peering issue between Cogent and Tata?

Job,

I have used the routinator client and that only shows AS15169 as being valid.

R.

-----Original Message-----
From: Job Snijders <[email protected]>
Sent: Tuesday, January 10, 2023 06:30 PM
To: Robert Heuvel <[email protected]>
Cc: Miller, Jon <[email protected]>; mike tancsa <[email protected]>; [email protected]
Subject: Re: [outages] Peering issue between Cogent and Tata?

Hi Robert, others,

On Tue, Jan 10, 2023 at 05:23:58PM +0000, Robert Heuvel via Outages wrote:
> That is a Route Validation issue.

I'm not sure it is!

> The IP 35.209.30.41 is part of 35.208.0.0/15 for which a ROA has been 
> created by AS15169 to be originated by AS15169.
>
> If check the IP on the Cogent looking glass, Cogent shows that the IP 
> is coming from AS19527 (which is not correct according to the ROA for 
> this prefix…

There are two ROAs for this prefix, one authorising 15169 and the other 
authorising 19527:

19527: 
https://console.rpki-client.org/rpki.arin.net/repository/arin-rpki-ta/5e4a23ea-e80a-403e-b08c-2171da2157d3/746e0111-fafb-430f-b778-d204cfcd99a8/8314711c-e263-425a-adda-3995b7095d9d/07879125-74b8-3a42-b7b0-80fdd7b7a73f.roa.html

15169: 
https://console.rpki-client.org/rpki.arin.net/repository/arin-rpki-ta/5e4a23ea-e80a-403e-b08c-2171da2157d3/746e0111-fafb-430f-b778-d204cfcd99a8/8314711c-e263-425a-adda-3995b7095d9d/ca819b63-a4f5-312d-a544-77c183e52a22.roa.html

The RFC 6811 BGP route validation algorithm only requires a single (one) ROA to 
set the state of the route as "valid". Multiple ROAs for the same prefix do not 
conflict with each other.

Kind regards,

Job
_______________________________________________
Outages mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/outages
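
Added example, not part of the original emails or of any router or validator code: a minimal Python sketch of the RFC 6811 origin validation procedure discussed in this thread, run over the two VRPs shown in the router output (35.208.0.0/15-15 for AS15169 and AS19527). The AS64500 origin, the /16 more-specific and the 192.0.2.0/24 route are constructed test inputs, and the names VRP, VRPS and validate are assumptions of this example.

```python
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload: prefix, maximum length, authorised origin AS."""
    prefix: str
    max_length: int
    asn: int


# Constructed VRP set mirroring the thread: two ROAs for the same prefix.
VRPS = [
    VRP("35.208.0.0/15", 15, 15169),
    VRP("35.208.0.0/15", 15, 19527),
]


def validate(route_prefix: str, origin_asn: int, vrps=VRPS) -> str:
    """Return 'valid', 'invalid' or 'not-found' following RFC 6811."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        vrp_net = ipaddress.ip_network(vrp.prefix)
        # "Covered": the VRP prefix contains the route prefix.
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # "Matched": covered, within maxLength, and same origin AS.
        # AS 0 never matches a route.
        if (route.prefixlen <= vrp.max_length
                and vrp.asn == origin_asn and vrp.asn != 0):
            return "valid"  # one matching VRP is sufficient
    # Covered by at least one VRP but matched by none is invalid.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    for prefix, asn in [("35.208.0.0/15", 15169), ("35.208.0.0/15", 19527),
                        ("35.208.0.0/15", 64500), ("35.209.0.0/16", 19527),
                        ("192.0.2.0/24", 15169)]:
        print(f"{prefix:<18} AS{asn:<6} {validate(prefix, asn)}")
```

Both origins validate because each is matched by its own VRP; the second VRP only affects the outcome for routes that no VRP matches.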