RPKI flags & exported routes

[Kergorn]

Hello team!

We have been using Alice for several months now, but we have not been able to use some of the functionality.

1. We tried to use flags along with RPKI functionality (to get RPKI icons, like here: https://lg.de-cix.net/routeservers/rs1_fra_ipv4/protocols/R194_42/routes ), however, as soon as routes match with community from RPKI section , the routes in the neighbor's section on the alice stop loading.

The config looks like this:

[rpki]
enabled = true
valid = 50952:1000:0
unknown = 50952:1000:1
not_checked = 50952:1000:2
invalid = 50952:1000:3

Could this be due to the fact that we are using both large community and extended community at the same time on the same prefix?

2. Also, we are looking for a way to show the exported prefixes for a specific neighbor.
   Now, we can show only their total numbers, but we cannot upload to the neighbor's page, as it happens with accepted, filtered and not exported routes.
   Is there any way to do this?

Thanks!

[bluikko]

I have the same issue but I am using only extended communities for RPKI, as in:

[rpki]
enabled = true
valid = generic:0x43000000:0x0
unknown = generic:0x43000000:0x1
invalid = generic:0x43000000:0x2
not_checked = generic:0x43000000:0x3

[Kergorn]

I tried both options (extended or large), unfortunately the result is the same :(

[Kergorn]

Ok, think I found the problem. When I use the flag option in [routes_columns] like here:

[routes_columns]
flags = ""
network = Network
bgp.next_hop = Next-Hop
bgp.local_pref = Local Pref
bgp.as_path = AS Path
bgp.med = MED

[routes_columns_order]
0 = flags
1 = network
2 = bgp.next_hop
3 = bgp.local_pref
4 = bgp.as_path
5 = bgp.med

On the routes page of a specific neighbor, routes that contain a large community are not displayed. As soon as I comment out the flag option, I see routes with a large community

However, it is not yet clear how this is interconnected ...

[bluikko]

Where have you found flags column? If I try to add this column in [routes_columns] then listing routes stops working.

[Kergorn]

Where have you found flags column? If I try to add this column in [routes_columns] then listing routes stops working.

I saw the flag option in the DE-CIX configuration, tried it myself (Alice 4.2.0) and it worked, but only for the "best routes" (like here - http://lg.dataix.ru/routeservers/rs1-spb-v4/protocols/as3267_654/routes). Unfortunately, for large communities it doesn't work for me.

[bluikko]

I saw the flag option in the DE-CIX configuration

I've been wanting to take a look at that, where is it available? I don't recall seeing a link in here/documentation.

[Kergorn]

I saw the flag option in the DE-CIX configuration

I've been wanting to take a look at that, where is it available? I don't recall seeing a link in here/documentation.

Some links are on the alice-lg wiki
For example: https://lg.de-cix.net/api/v1/config

[bluikko]

Thanks. I didn't know the config can be queried like that! I also don't know where is the wiki - clicking "Wiki" in this GitHub repo does nothing here.

[annikahannig]

I didn't know the config can be queried like that

Only the parts required for rendering the frontend of course. :-)

Also, looks like I forgot to document the flags column.

[annikahannig]

I just activated the wiki!

[Kergorn]

I didn't know the config can be queried like that

Only the parts required for rendering the frontend of course. :-)

Also, looks like I forgot to document the flags column.

Hi Annika -)

What are your thinking about large communities and flag options that don't work together?

[annikahannig]

valid = 50952:1000:0
unknown = 50952:1000:1
not_checked = 50952:1000:2
invalid = 50952:1000:3

the config format looks correct.

Not rendering anything suggests that there is a bug in the JS frontend while rendering the flags column.

Is there maybe a hint / error in the js dev console?

[Kergorn]

valid = 50952:1000:0
unknown = 50952:1000:1
not_checked = 50952:1000:2
invalid = 50952:1000:3

the config format looks correct.

Not rendering anything suggests that there is a bug in the JS frontend while rendering the flags column.

Is there maybe a hint / error in the js dev console?

Yes, i really see error in JS console at the moment of the availability of routes with a large community :
Uncaught (in promise) TypeError: lookup is null

But if i disable flag option - all works good.

[annikahannig]

Uncaught (in promise) TypeError: lookup is null

can you maybe provide the rest of the error?
Some stacktrace - etc...

I'm pretty sure I can narrow it down where to look but I did not yet encountered this error and need a bit more details to fix this.

But if i disable flag option - all works good.

Well, if it's not rendered the code path in question will not be executed. So no surprise here...

[bluikko]

can you maybe provide the rest of the error?
Some stacktrace - etc...

app.js?4.3.2:4416 Uncaught (in promise) TypeError: Cannot read property '65533' of null
    at resolveCommunity (app.js?4.3.2:4416)
    at resolveCommunities (app.js?4.3.2:4458)
    at isRejectCandidate (app.js?4.3.2:4493)
    at _RejectCandidateIndicator.render (app.js?4.3.2:8058)
    at ReactCompositeComponentWrapper._renderValidatedComponentWithoutOwnerOrContext (app.js?4.3.2:28178)
    at ReactCompositeComponentWrapper._renderValidatedComponent (app.js?4.3.2:28201)
    at ReactCompositeComponentWrapper.performInitialMount (app.js?4.3.2:27741)
    at ReactCompositeComponentWrapper.mountComponent (app.js?4.3.2:27637)
    at Object.mountComponent (app.js?4.3.2:33854)
    at ReactCompositeComponentWrapper.performInitialMount (app.js?4.3.2:27750)

[annikahannig]

ah we are getting somewhere!

[bluikko]

I note that the error seems different from #57 (comment) ... mine has the asn value in it.

[annikahannig]

hmmm can I see your reject candidates config?

[bluikko]

hmmm can I see your reject candidates config?

There are none. I did not understand what this is exactly, some kind of "communities under construction" thing? The whole rejection_candidates stanza is commented out.

[annikahannig]

Ah that might explain things.

The reject candidates is intended to signal to the user that these prefixes will be rejected in the future when $condition is enforced.

[annikahannig]

Are you building from source?

[bluikko]

This is a self-built docker image, built using https://github.com/bluikko/alice-lg/tree/github-action-docker

The communities we have are final, nothing more in the pipeline now. Should I add some placeholder candidate community then?

Edit: That's it, added 1 community to rejection_candidates and it works now. I can see RPKI status icons in flags field.

[annikahannig]

I guess the fastest fix is to just add some bogus communities.

I'll add a small path to the develop branch.

[annikahannig]

I'll prepare a new release over the weekend :-)

[annikahannig]

Well, as soon as the OpenBGPD support is confirmed OK.

[Kergorn]

Thx, my problem is solved too due to use fake community in rejection field -)

[annikahannig]

Awesome xD

[bluikko]

I can see RPKI status icons in flags field.

Correction: "best route" flag shows now. With the [rpki] settings listed in #57 (comment) the RPKI flags are not shown. The communities are detected right since they show in the "communities drop-down box" but flags do not work.

[Kergorn]

I can see RPKI status icons in flags field.

Correction: "best route" flag shows now. With the [rpki] settings listed in #57 (comment) the RPKI flags are not shown. The communities are detected right since they show in the "communities drop-down box" but flags do not work.

The RPKI flag will appear only when using the large community, with the extended ones it also didn't work for me.

[bluikko]

The RPKI flag will appear only when using the large community, with the extended ones it also didn't work for me.

That is very disappointing because arouteserver doesn't provide a configurable RPKI verdict community. It provides configurable RPKI status community in a different way that is not compatible with the flags.

I see no reason why RPKI verdict could not be an extended community - or even a standard community. I hope it could be supported, I wonder why such a limitation in the first place.

[annikahannig]

I wonder why such a limitation in the first place.

Using anything other than large communities for this just never came up. 🤷‍♀️
I'm not sure if you meant it like this - but this is a very demanding attitude of you.

Feel free to implement it and send a PR <3

[bluikko]

I'm not sure if you meant it like this - but this is a very demanding attitude of you.

Please excuse me, it was not meant in that way at all.

It was meant to say exactly that - I really do wonder why such a limitation. I know nothing about the internals but configuring alice-lg I see there is already processing of the 3 different kind of communities and there is no error adding an extended community.

To an ignorant user it seems like a very arbitrary limitation due to the above and one that could possibly be very easily rectified. Of course it could also be a very difficult change.

I will then rather see if in arouteserver side the RPKI verdict could be made configurable.

Edit: To be honest I was not prepared for such a defensive reply at all. Perhaps the limitation should be documented to avoid future feather ruffling.

[annikahannig]

Good morning @bluikko - I had a very bad day yesterday and read it in really non charitable way - my apologies. :-(

[bluikko]

No worries. I appreciate what you are doing for the project.

[bluikko]

By the way - the extended communities that we are using come from RFC8097. So there is an actual RFC for RPKI communities - but based on a quick survey of Alice-LG users it seems the Euro-IX recommendations far exceed the RFC usage.

Edit: we might be abandoning the RFC as well and move to the Euro-IX scheme.