v10.5.2 RPKI Strict not working

[SwimGeek]

Description

Hi. It seems that even with RPKI strict configured, FRR lets in invalid BGP prefixes after a restart.

I enabled rpki strict on our v6 IP transit sessions, and I enabled it on our peering sessions with Cloudflare.

After FRR restarts, it still lets the RPKI invalid prefixes in. For testing I use these prefixes:
https://isbgpsafeyet.com

103.21.244.8
2606:4700:7000::6715:f408

When I originally requested the 'rpki strict' feature, we suspected that the connection to the RPKI servers was not yet up, and that waiting for this to be up will solve the problem... but maybe there is another reason it's letting invalid prefixes in after a restart.

As soon as I clear the sessions, it does the correct filtering and the isbpgsafeyet test (above) passes:

clear bgp CLOUDFLARE-PEER-IP soft out

Version

v10.5.2

How to reproduce

Configure peering with Cloudflare, set up filtering for invalid RPKI prefixes, restart FRR.

Expected behavior

The isbpgsafeyet RPKI invalid prefixes should be filtered out when FRR restarts.

Actual behavior

The isbpgsafeyet RPKI invalid prefixes make it into the routing table when FRR restarts.

Additional context

No response

Checklist

• I have searched the open issues for this bug.
• I have not included sensitive information in this report.

[ton31337]

Could you show the configuration you use?

[SwimGeek]

Hi

Part of our frr.conf which adds 'rpki strict' to our Cloudflare peering sessions at a few internet exchanges.

 neighbor CLOUDFLARE-NAPCPT-v4 peer-group
 neighbor CLOUDFLARE-NAPCPT-v4 remote-as 13335
 neighbor CLOUDFLARE-NAPCPT-v4 description Cloudflare NAPCPT v4
 neighbor CLOUDFLARE-NAPCPT-v4 rpki strict
 neighbor CLOUDFLARE-NAPCPT-v6 peer-group
 neighbor CLOUDFLARE-NAPCPT-v6 remote-as 13335
 neighbor CLOUDFLARE-NAPCPT-v6 description Cloudflare NAPCPT v6
 neighbor CLOUDFLARE-NAPCPT-v6 rpki strict
 neighbor CLOUDFLARE-NAPJHB-v4 peer-group
 neighbor CLOUDFLARE-NAPJHB-v4 remote-as 13335
 neighbor CLOUDFLARE-NAPJHB-v4 description Cloudflare NAPJHB v4
 neighbor CLOUDFLARE-NAPJHB-v4 rpki strict
 neighbor CLOUDFLARE-NAPJHB-v6 peer-group
 neighbor CLOUDFLARE-NAPJHB-v6 remote-as 13335
 neighbor CLOUDFLARE-NAPJHB-v6 description Cloudflare NAPJHB v6
 neighbor CLOUDFLARE-NAPJHB-v6 rpki strict

the above refers to IPs of the various routers, for example...

 neighbor 2001:43f8:6d0::nnn peer-group CLOUDFLARE-NAPJHB-v6
 neighbor 2001:43f8:6d0::nnn description CLOUDFLARE-NAPJHB-v6

[ton31337]

Do you see something in the logs, No RPKI cache server connected or RPKI strict mode enabled, but RPKI cache is not connected? rpki strict technically prevents starting/accepting BGP connections until the RPKI cache server is connected. I tested quickly - it works for me.

UPDATE => we had one commit recently ac1d13e, that might also be a fix. Could you try testing with the latest master?