RPKI iBGP Mesh (No Signaling)

Load rpki.ibgp.mesh.no.signaling.init.cfg

#IOS-XE (R1-R6)
config replace flash:rpki.ibgp.mesh.no.signaling.init.cfg

#IOS-XR (XR1-XR3)
configure
load bootflash:rpki.ibgp.mesh.no.signaling.init.cfg
commit replace
y

BGP is already fully setup. There is a partial iBGP mesh for AS 1245. (All routers peer only with R2 and XR1).

Configure BGP path validation but allow invalid prefixes on both R2 and XR1. Valid prefixes should be preferred over invalid prefixes. The RPKI server is reachable at 10.100.100.1 on port 3323.

Currently R4 is preferring the invalid path to 1.1.4.0/22, 1.6.0.0/22, 2001:260::/32 and 2001:288::/32 via R2 instead of the valid path via XR1. Similarly, XR3 prefers invalid paths to XR1 over valid paths to R2. Configuring only the edge routers, make a change so that internal routers will prefer the valid paths over invalid paths. Do this without signaling path validity to the iBGP internal peers.

Answer

#R2
route-map EBGP_IN
 match rpki invalid
 set local-pref 90
route-map EBGP_IN permit 20
!
router bgp 1245
 bgp rpki server tcp 10.100.100.1 port 3323 refresh 600
 !
 add ipv4
  bgp bestpath prefix-validate allow-invalid
  neighbor 10.1.2.1 route-map EBGP_IN in
  neighbor 20.2.3.3 route-map EBGP_IN in
 add ipv6
  bgp bestpath prefix-validate allow-invalid
  neighbor 2001:10:1:2::1 route-map EBGP_IN in
  neighbor 2001:20:2:3::3 route-map EBGP_IN in

#XR1
route-policy EBGP_IN
  if validation-state is invalid then
    set local-preference 90
  endif
  pass
end-policy
!
router bgp 1245
 rpki server 10.100.100.1
  transport tcp port 3323
 !
 address-family ipv4 unicast
  bgp origin-as validation enable
  bgp bestpath origin-as use validity
  bgp bestpath origin-as allow invalid
 ! 
 address-family ipv6 unicast
  bgp origin-as validation enable
  bgp bestpath origin-as use validity
  bgp bestpath origin-as allow invalid
 !
 neighbor 20.6.19.6
  address-family ipv4 unicast
   route-policy EBGP_IN in
 !
 neighbor 10.19.20.20
  address-family ipv4 unicast
   route-policy EBGP_IN in
 !
 neighbor 2001:20:6:19::6
  address-family ipv6 unicast
   route-policy EBGP_IN in
 !
 neighbor 2001:10:19:20::20
  address-family ipv6 unicast
   route-policy EBGP_IN in

Explanation/Verification

Currently R2 and XR1 are allowing invalid prefixes. R2 and XR1 are not peering with one another. All iBGP internal peers only peer with R2 and XR1.

Before we add the route-map, notice that R4 has all bestpaths via R2 due to the lower IGP metric to R2 vs. XR1.

Likewise R5 and XR3 will have all routes via XR1. (Only XR3 is shown below).

The solution to this involves setting LP lower for invalid routes on R2 and XR1. This allows the routers to indirectly signal the prefix validity.

#R2
route-map EBGP_IN
 match rpki invalid
 set local-pref 90
route-map EBGP_IN permit 20
!
router bgp 1245
 address-family ipv4
  neighbor 10.1.2.1 route-map EBGP_IN in
  neighbor 20.2.3.3 route-map EBGP_IN in
 exit-address-family
 !
 address-family ipv6
  neighbor 2001:10:1:2::1 route-map EBGP_IN in
  neighbor 2001:20:2:3::3 route-map EBGP_IN in

Likewise XR1 uses an RPL to do the same.

#XR1
route-policy EBGP_IN
  if validation-state is invalid then
    set local-preference 90
  endif
  pass
end-policy
!
router bgp 1245
 neighbor 20.6.19.6
  address-family ipv4 unicast
   route-policy EBGP_IN in
 !
 neighbor 10.19.20.20
  address-family ipv4 unicast
   route-policy EBGP_IN in
 !
 neighbor 2001:20:6:19::6
  address-family ipv6 unicast
   route-policy EBGP_IN in
 !
 neighbor 2001:10:19:20::20
  address-family ipv6 unicast
   route-policy EBGP_IN in

Verify on R2 and XR1 that prefixes with an invalid status have LP=90

A nice trick on IOS-XR is to filter the output based on validity as follows:

All internal routers will now prefer the valid prefix over the invalid prefix. R4 is shown below. For example, 1.6.0.0/22 is now via XR5. Same for 2001:288::/32.