malhuda/alice-lg
1
0
Fork 0
Code Issues 39 Pull Requests 11 Actions Packages Projects Releases 2 Wiki Activity

RPKI flags & exported routes #57

New Issue
Closed
opened 2021-04-12 16:35:21 +08:00 by Kergorn · 35 comments
Kergorn commented 2021-04-12 16:35:21 +08:00 (Migrated from github.com)
Copy Link

Hello team!

We have been using Alice for several months now, but we have not been able to use some of the functionality.

  1. We tried to use flags along with RPKI functionality (to get RPKI icons, like here: https://lg.de-cix.net/routeservers/rs1_fra_ipv4/protocols/R194_42/routes ), however, as soon as routes match with community from RPKI section , the routes in the neighbor's section on the alice stop loading.

The config looks like this:

[rpki]
enabled = true
valid = 50952:1000:0
unknown = 50952:1000:1
not_checked = 50952:1000:2
invalid = 50952:1000:3

Could this be due to the fact that we are using both large community and extended community at the same time on the same prefix?

  1. Also, we are looking for a way to show the exported prefixes for a specific neighbor.
    Now, we can show only their total numbers, but we cannot upload to the neighbor's page, as it happens with accepted, filtered and not exported routes.
    Is there any way to do this?

Thanks!

Hello team! We have been using Alice for several months now, but we have not been able to use some of the functionality. 1. We tried to use flags along with RPKI functionality (to get RPKI icons, like here: https://lg.de-cix.net/routeservers/rs1_fra_ipv4/protocols/R194_42/routes ), however, as soon as routes match with community from RPKI section , the routes in the neighbor's section on the alice stop loading. The config looks like this: ``` [rpki] enabled = true valid = 50952:1000:0 unknown = 50952:1000:1 not_checked = 50952:1000:2 invalid = 50952:1000:3 ``` Could this be due to the fact that we are using both large community and extended community at the same time on the same prefix? 2. Also, we are looking for a way to show the exported prefixes for a specific neighbor. Now, we can show only their total numbers, but we cannot upload to the neighbor's page, as it happens with accepted, filtered and not exported routes. Is there any way to do this? Thanks!
bluikko commented 2021-07-02 12:10:14 +08:00 (Migrated from github.com)
Copy Link

I have the same issue but I am using only extended communities for RPKI, as in:

[rpki]
enabled = true
valid = generic:0x43000000:0x0
unknown = generic:0x43000000:0x1
invalid = generic:0x43000000:0x2
not_checked = generic:0x43000000:0x3
I have the same issue but I am using only extended communities for RPKI, as in: ``` [rpki] enabled = true valid = generic:0x43000000:0x0 unknown = generic:0x43000000:0x1 invalid = generic:0x43000000:0x2 not_checked = generic:0x43000000:0x3 ```
Kergorn commented 2021-07-05 17:27:08 +08:00 (Migrated from github.com)
Copy Link

I tried both options (extended or large), unfortunately the result is the same :(

I tried both options (extended or large), unfortunately the result is the same :(
Kergorn commented 2021-07-08 22:15:53 +08:00 (Migrated from github.com)
Copy Link

Ok, think I found the problem. When I use the flag option in [routes_columns] like here:

[routes_columns]
flags = ""
network = Network
bgp.next_hop = Next-Hop
bgp.local_pref = Local Pref
bgp.as_path = AS Path
bgp.med = MED

[routes_columns_order]
0 = flags
1 = network
2 = bgp.next_hop
3 = bgp.local_pref
4 = bgp.as_path
5 = bgp.med

On the routes page of a specific neighbor, routes that contain a large community are not displayed. As soon as I comment out the flag option, I see routes with a large community

However, it is not yet clear how this is interconnected ...

Ok, think I found the problem. When I use the flag option in [routes_columns] like here: ``` [routes_columns] flags = "" network = Network bgp.next_hop = Next-Hop bgp.local_pref = Local Pref bgp.as_path = AS Path bgp.med = MED [routes_columns_order] 0 = flags 1 = network 2 = bgp.next_hop 3 = bgp.local_pref 4 = bgp.as_path 5 = bgp.med ``` On the routes page of a specific neighbor, routes that contain a large community are not displayed. As soon as I comment out the flag option, I see routes with a large community However, it is not yet clear how this is interconnected ...
bluikko commented 2021-07-09 09:32:52 +08:00 (Migrated from github.com)
Copy Link

Where have you found flags column? If I try to add this column in [routes_columns] then listing routes stops working.

Where have you found `flags` column? If I try to add this column in `[routes_columns]` then listing routes stops working.
Kergorn commented 2021-07-09 15:32:38 +08:00 (Migrated from github.com)
Copy Link

Where have you found flags column? If I try to add this column in [routes_columns] then listing routes stops working.

I saw the flag option in the DE-CIX configuration, tried it myself (Alice 4.2.0) and it worked, but only for the "best routes" (like here - http://lg.dataix.ru/routeservers/rs1-spb-v4/protocols/as3267_654/routes). Unfortunately, for large communities it doesn't work for me.

> Where have you found `flags` column? If I try to add this column in `[routes_columns]` then listing routes stops working. I saw the flag option in the DE-CIX configuration, tried it myself (Alice 4.2.0) and it worked, but only for the "best routes" (like here - http://lg.dataix.ru/routeservers/rs1-spb-v4/protocols/as3267_654/routes). Unfortunately, for large communities it doesn't work for me.
bluikko commented 2021-07-09 15:59:42 +08:00 (Migrated from github.com)
Copy Link

I saw the flag option in the DE-CIX configuration

I've been wanting to take a look at that, where is it available? I don't recall seeing a link in here/documentation.

> I saw the flag option in the DE-CIX configuration I've been wanting to take a look at that, where is it available? I don't recall seeing a link in here/documentation.
Kergorn commented 2021-07-09 18:38:30 +08:00 (Migrated from github.com)
Copy Link

I saw the flag option in the DE-CIX configuration

I've been wanting to take a look at that, where is it available? I don't recall seeing a link in here/documentation.

Some links are on the alice-lg wiki
For example: https://lg.de-cix.net/api/v1/config

> > I saw the flag option in the DE-CIX configuration > > I've been wanting to take a look at that, where is it available? I don't recall seeing a link in here/documentation. Some links are on the alice-lg wiki For example: https://lg.de-cix.net/api/v1/config
bluikko commented 2021-07-09 18:41:58 +08:00 (Migrated from github.com)
Copy Link

Thanks. I didn't know the config can be queried like that! I also don't know where is the wiki - clicking "Wiki" in this GitHub repo does nothing here.

Thanks. I didn't know the config can be queried like that! I also don't know where is the wiki - clicking "Wiki" in this GitHub repo does nothing here.
annikahannig commented 2021-07-09 19:39:38 +08:00 (Migrated from github.com)
Copy Link

I didn't know the config can be queried like that

Only the parts required for rendering the frontend of course. :-)

Also, looks like I forgot to document the flags column.

> I didn't know the config can be queried like that Only the parts required for rendering the frontend of course. :-) Also, looks like I forgot to document the `flags` column.
annikahannig commented 2021-07-09 19:41:19 +08:00 (Migrated from github.com)
Copy Link

I just activated the wiki!

I just activated the wiki!
Kergorn commented 2021-07-09 19:50:08 +08:00 (Migrated from github.com)
Copy Link

I didn't know the config can be queried like that

Only the parts required for rendering the frontend of course. :-)

Also, looks like I forgot to document the flags column.

Hi Annika -)

What are your thinking about large communities and flag options that don't work together?

> > I didn't know the config can be queried like that > > Only the parts required for rendering the frontend of course. :-) > > Also, looks like I forgot to document the `flags` column. Hi Annika -) What are your thinking about large communities and flag options that don't work together?
annikahannig commented 2021-07-09 19:58:15 +08:00 (Migrated from github.com)
Copy Link
valid = 50952:1000:0
unknown = 50952:1000:1
not_checked = 50952:1000:2
invalid = 50952:1000:3

the config format looks correct.

Not rendering anything suggests that there is a bug in the JS frontend while rendering the flags column.

Is there maybe a hint / error in the js dev console?

``` valid = 50952:1000:0 unknown = 50952:1000:1 not_checked = 50952:1000:2 invalid = 50952:1000:3 ``` the config format looks correct. Not rendering anything suggests that there is a bug in the JS frontend while rendering the `flags` column. Is there maybe a hint / error in the js dev console?
Kergorn commented 2021-07-09 21:01:05 +08:00 (Migrated from github.com)
Copy Link
valid = 50952:1000:0
unknown = 50952:1000:1
not_checked = 50952:1000:2
invalid = 50952:1000:3

the config format looks correct.

Not rendering anything suggests that there is a bug in the JS frontend while rendering the flags column.

Is there maybe a hint / error in the js dev console?

Yes, i really see error in JS console at the moment of the availability of routes with a large community :
Uncaught (in promise) TypeError: lookup is null

But if i disable flag option - all works good.

> ``` > valid = 50952:1000:0 > unknown = 50952:1000:1 > not_checked = 50952:1000:2 > invalid = 50952:1000:3 > ``` > > the config format looks correct. > > Not rendering anything suggests that there is a bug in the JS frontend while rendering the `flags` column. > > Is there maybe a hint / error in the js dev console? Yes, i really see error in JS console at the moment of the availability of routes with a large community : `Uncaught (in promise) TypeError: lookup is null` But if i disable flag option - all works good.
annikahannig commented 2021-07-09 21:12:22 +08:00 (Migrated from github.com)
Copy Link

Uncaught (in promise) TypeError: lookup is null

can you maybe provide the rest of the error?
Some stacktrace - etc...

I'm pretty sure I can narrow it down where to look but I did not yet encountered this error and need a bit more details to fix this.

But if i disable flag option - all works good.

Well, if it's not rendered the code path in question will not be executed. So no surprise here...

> `Uncaught (in promise) TypeError: lookup is null` can you maybe provide the rest of the error? Some stacktrace - etc... I'm pretty sure I can narrow it down where to look but I did not yet encountered this error and need a bit more details to fix this. > But if i disable flag option - all works good. Well, if it's not rendered the code path in question will not be executed. So no surprise here...
bluikko commented 2021-07-09 21:18:48 +08:00 (Migrated from github.com)
Copy Link

can you maybe provide the rest of the error?
Some stacktrace - etc...

app.js?4.3.2:4416 Uncaught (in promise) TypeError: Cannot read property '65533' of null
    at resolveCommunity (app.js?4.3.2:4416)
    at resolveCommunities (app.js?4.3.2:4458)
    at isRejectCandidate (app.js?4.3.2:4493)
    at _RejectCandidateIndicator.render (app.js?4.3.2:8058)
    at ReactCompositeComponentWrapper._renderValidatedComponentWithoutOwnerOrContext (app.js?4.3.2:28178)
    at ReactCompositeComponentWrapper._renderValidatedComponent (app.js?4.3.2:28201)
    at ReactCompositeComponentWrapper.performInitialMount (app.js?4.3.2:27741)
    at ReactCompositeComponentWrapper.mountComponent (app.js?4.3.2:27637)
    at Object.mountComponent (app.js?4.3.2:33854)
    at ReactCompositeComponentWrapper.performInitialMount (app.js?4.3.2:27750)
> can you maybe provide the rest of the error? > Some stacktrace - etc... ``` app.js?4.3.2:4416 Uncaught (in promise) TypeError: Cannot read property '65533' of null at resolveCommunity (app.js?4.3.2:4416) at resolveCommunities (app.js?4.3.2:4458) at isRejectCandidate (app.js?4.3.2:4493) at _RejectCandidateIndicator.render (app.js?4.3.2:8058) at ReactCompositeComponentWrapper._renderValidatedComponentWithoutOwnerOrContext (app.js?4.3.2:28178) at ReactCompositeComponentWrapper._renderValidatedComponent (app.js?4.3.2:28201) at ReactCompositeComponentWrapper.performInitialMount (app.js?4.3.2:27741) at ReactCompositeComponentWrapper.mountComponent (app.js?4.3.2:27637) at Object.mountComponent (app.js?4.3.2:33854) at ReactCompositeComponentWrapper.performInitialMount (app.js?4.3.2:27750) ```
annikahannig commented 2021-07-09 21:20:25 +08:00 (Migrated from github.com)
Copy Link

ah we are getting somewhere!

ah we are getting somewhere!
bluikko commented 2021-07-09 21:22:15 +08:00 (Migrated from github.com)
Copy Link

I note that the error seems different from https://github.com/alice-lg/alice-lg/issues/57#issuecomment-877169392 ... mine has the asn value in it.

I note that the error seems different from https://github.com/alice-lg/alice-lg/issues/57#issuecomment-877169392 ... mine has the `asn` value in it.
annikahannig commented 2021-07-09 21:24:08 +08:00 (Migrated from github.com)
Copy Link

hmmm can I see your reject candidates config?

hmmm can I see your reject candidates config?
bluikko commented 2021-07-09 21:26:59 +08:00 (Migrated from github.com)
Copy Link

hmmm can I see your reject candidates config?

There are none. I did not understand what this is exactly, some kind of "communities under construction" thing? The whole rejection_candidates stanza is commented out.

> hmmm can I see your reject candidates config? There are none. I did not understand what this is exactly, some kind of "communities under construction" thing? The whole `rejection_candidates` stanza is commented out.
annikahannig commented 2021-07-09 21:28:16 +08:00 (Migrated from github.com)
Copy Link

Ah that might explain things.

The reject candidates is intended to signal to the user that these prefixes will be rejected in the future when $condition is enforced.

Ah that might explain things. The reject candidates is intended to signal to the user that these prefixes will be rejected in the future when $condition is enforced.
annikahannig commented 2021-07-09 21:29:51 +08:00 (Migrated from github.com)
Copy Link

Are you building from source?

Are you building from source?
bluikko commented 2021-07-09 21:31:21 +08:00 (Migrated from github.com)
Copy Link

This is a self-built docker image, built using https://github.com/bluikko/alice-lg/tree/github-action-docker

The communities we have are final, nothing more in the pipeline now. Should I add some placeholder candidate community then?

Edit: That's it, added 1 community to rejection_candidates and it works now. I can see RPKI status icons in flags field.

This is a self-built docker image, built using https://github.com/bluikko/alice-lg/tree/github-action-docker The communities we have are final, nothing more in the pipeline now. Should I add some placeholder candidate community then? Edit: That's it, added 1 community to `rejection_candidates` and it works now. I can see RPKI status icons in `flags` field.
annikahannig commented 2021-07-09 21:33:13 +08:00 (Migrated from github.com)
Copy Link

I guess the fastest fix is to just add some bogus communities.

I'll add a small path to the develop branch.

I guess the fastest fix is to just add some bogus communities. I'll add a small path to the develop branch.
annikahannig commented 2021-07-09 21:45:59 +08:00 (Migrated from github.com)
Copy Link

I'll prepare a new release over the weekend :-)

I'll prepare a new release over the weekend :-)
annikahannig commented 2021-07-09 21:46:30 +08:00 (Migrated from github.com)
Copy Link

Well, as soon as the OpenBGPD support is confirmed OK.

Well, as soon as the OpenBGPD support is confirmed OK.
Kergorn commented 2021-07-09 21:47:44 +08:00 (Migrated from github.com)
Copy Link

Thx, my problem is solved too due to use fake community in rejection field -)

Thx, my problem is solved too due to use fake community in `rejection` field -)
annikahannig commented 2021-07-09 21:48:27 +08:00 (Migrated from github.com)
Copy Link

Awesome xD

Awesome xD
bluikko commented 2021-07-10 18:10:24 +08:00 (Migrated from github.com)
Copy Link

I can see RPKI status icons in flags field.

Correction: "best route" flag shows now. With the [rpki] settings listed in https://github.com/alice-lg/alice-lg/issues/57#issuecomment-872698053 the RPKI flags are not shown. The communities are detected right since they show in the "communities drop-down box" but flags do not work.

> I can see RPKI status icons in `flags` field. Correction: "best route" flag shows now. With the `[rpki]` settings listed in https://github.com/alice-lg/alice-lg/issues/57#issuecomment-872698053 the RPKI flags are not shown. The communities are detected right since they show in the "communities drop-down box" but flags do not work.
Kergorn commented 2021-07-10 18:44:33 +08:00 (Migrated from github.com)
Copy Link

I can see RPKI status icons in flags field.

Correction: "best route" flag shows now. With the [rpki] settings listed in #57 (comment) the RPKI flags are not shown. The communities are detected right since they show in the "communities drop-down box" but flags do not work.

The RPKI flag will appear only when using the large community, with the extended ones it also didn't work for me.

> > I can see RPKI status icons in `flags` field. > > Correction: "best route" flag shows now. With the `[rpki]` settings listed in [#57 (comment)](https://github.com/alice-lg/alice-lg/issues/57#issuecomment-872698053) the RPKI flags are not shown. The communities are detected right since they show in the "communities drop-down box" but flags do not work. The RPKI flag will appear only when using the large community, with the extended ones it also didn't work for me.
bluikko commented 2021-07-12 09:41:00 +08:00 (Migrated from github.com)
Copy Link

The RPKI flag will appear only when using the large community, with the extended ones it also didn't work for me.

That is very disappointing because arouteserver doesn't provide a configurable RPKI verdict community. It provides configurable RPKI status community in a different way that is not compatible with the flags.

I see no reason why RPKI verdict could not be an extended community - or even a standard community. I hope it could be supported, I wonder why such a limitation in the first place.

> The RPKI flag will appear only when using the large community, with the extended ones it also didn't work for me. That is very disappointing because arouteserver doesn't provide a configurable RPKI verdict community. It provides configurable RPKI status community in a different way that is not compatible with the flags. I see no reason why RPKI verdict could not be an extended community - or even a standard community. I hope it could be supported, I wonder why such a limitation in the first place.
annikahannig commented 2021-07-12 23:03:07 +08:00 (Migrated from github.com)
Copy Link

I wonder why such a limitation in the first place.

Using anything other than large communities for this just never came up. 🤷‍♀️
I'm not sure if you meant it like this - but this is a very demanding attitude of you.

Feel free to implement it and send a PR <3

> I wonder why such a limitation in the first place. Using anything other than large communities for this just never came up. :woman_shrugging: I'm not sure if you meant it like this - but this is a very demanding attitude of you. Feel free to implement it and send a PR <3
bluikko commented 2021-07-13 11:41:06 +08:00 (Migrated from github.com)
Copy Link

I'm not sure if you meant it like this - but this is a very demanding attitude of you.

Please excuse me, it was not meant in that way at all.

It was meant to say exactly that - I really do wonder why such a limitation. I know nothing about the internals but configuring alice-lg I see there is already processing of the 3 different kind of communities and there is no error adding an extended community.

To an ignorant user it seems like a very arbitrary limitation due to the above and one that could possibly be very easily rectified. Of course it could also be a very difficult change.

I will then rather see if in arouteserver side the RPKI verdict could be made configurable.

Edit: To be honest I was not prepared for such a defensive reply at all. Perhaps the limitation should be documented to avoid future feather ruffling.

> I'm not sure if you meant it like this - but this is a very demanding attitude of you. Please excuse me, it was not meant in that way at all. It was meant to say exactly that - I really do wonder why such a limitation. I know nothing about the internals but configuring alice-lg I see there is already processing of the 3 different kind of communities and there is no error adding an extended community. To an ignorant user it seems like a very arbitrary limitation due to the above and one that could _possibly_ be very easily rectified. Of course it could also be a very difficult change. I will then rather see if in arouteserver side the RPKI verdict could be made configurable. Edit: To be honest I was not prepared for such a defensive reply at all. Perhaps the limitation should be documented to avoid future feather ruffling.
annikahannig commented 2021-07-13 16:47:03 +08:00 (Migrated from github.com)
Copy Link

Good morning @bluikko - I had a very bad day yesterday and read it in really non charitable way - my apologies. :-(

Good morning @bluikko - I had a very bad day yesterday and read it in really non charitable way - my apologies. :-(
bluikko commented 2021-07-13 17:01:17 +08:00 (Migrated from github.com)
Copy Link

No worries. I appreciate what you are doing for the project.

No worries. I appreciate what you are doing for the project.
bluikko commented 2021-07-19 09:30:48 +08:00 (Migrated from github.com)
Copy Link

By the way - the extended communities that we are using come from RFC8097. So there is an actual RFC for RPKI communities - but based on a quick survey of Alice-LG users it seems the Euro-IX recommendations far exceed the RFC usage.

Edit: we might be abandoning the RFC as well and move to the Euro-IX scheme.

By the way - the extended communities that we are using come from RFC8097. So there is an actual RFC for RPKI communities - but based on a quick survey of Alice-LG users it seems the Euro-IX recommendations far exceed the RFC usage. Edit: we might be abandoning the RFC as well and move to the Euro-IX scheme.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
Something isn't working
dependencies
Pull requests that update a dependency file
duplicate
This issue or pull request already exists
enhancement
New feature or request
go
Pull requests that update Go code
good first issue
Good for newcomers
help wanted
Extra attention is needed
invalid
This doesn't seem right
javascript
Pull requests that update Javascript code
priority
question
Further information is requested
wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: malhuda/alice-lg#57
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?