validation (Origin Validation for BGP)
Syntax
validation {
    traceoptions {
        file filename <files number> <size size> <(world-readable | no-world-readable)>;
        flag flag flag-modifier;
    }
    notification-rib test;
    group group-name {
        max-sessions number;
        session server-ip-address {
            traceoptions {
                file filename <files number> <size size> <(world-readable | no-world-readable)>;
                flag flag flag-modifier;
            }
            refresh-time number;
            hold-time number;
            record-lifetime number;
            preference number;
            port number;
            local-address local-ip-address;
        }
    }
    static {
        record record-destination {
            maximum-length prefix-length {
                origin-autonomous-system asn-number {
                    validation-state (invalid | valid);
                }
            }
        }
    }
    database database-name {
        static {
            record destination {
                maximum-length prefix-length {
                    origin-autonomous-system as-number {
                        validation-state valid;
                    }
                }
            }
        }
    }
}
Hierarchy Level
[edit logical-systems logical-system-name routing-instances instance-name routing-options]
[edit logical-systems logical-system-name routing-options]
[edit routing-instances instance-name routing-options]
[edit routing-options]
Description
Configure resource public key infrastructure (RPKI) BGP route validation.
Options
notification-rib [ notification-rib ... ];
Specify the routing tables that are notified when the validation state changes.
When validation policies are used for BGP peers in routing instances, the policy engine tries to look up the route in the local Validated Route Payload (VRP) database of that particular routing instance. If the RPKI session is not in that routing instance, the lookup falls back to the VRP database of the default routing instance. Modifications to VRP records in the fallback VRP database are not picked up by the non-default routing instance. As a result, routing table entries of the default and non-default routing instances will differ.
To offset this, configure the notification-rib option in the default routing instance to ensure that modifications to the default routing instance trigger a re-evaluation of the routing tables for the specified routing instance.
Junos OS Release 22.3R1 introduced support for named validation databases in addition to the default VRP database.
To specify a named validation database, use the validation-state (invalid | valid) option at the [edit routing-options validation database database-name static record destination maximum-length prefix-length origin-autonomous-system as-number] hierarchy level.
To specify a target route-validation database for a validation session, use the database database-name option at the [edit routing-options validation group group-name session] hierarchy level.
As a result, notification-ribs no longer need to be configured explicitly. They are created internally to track which VRP databases are consulted by which routing instances.
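The following configuration is an added example, not part of the Juniper documentation, showing the pre-22.3R1 arrangement described above: the RPKI session lives in the default routing instance, a BGP peer in a non-default instance relies on the fallback VRP database, and notification-rib points at that instance's table so VRP changes trigger re-evaluation there. All addresses, AS numbers and names (rpki-validators, CUST-VR, rpki-validation) are constructed placeholders; the policy uses the Junos validation-database match and validation-state action to reject routes whose origin is RPKI-invalid.

```junos
routing-options {
    validation {
        group rpki-validators {
            session 192.0.2.10 {
                refresh-time 300;
                port 3323;
            }
        }
        /* Re-evaluate CUST-VR.inet.0 whenever the default-instance VRP database changes */
        notification-rib CUST-VR.inet.0;
    }
}
routing-instances {
    CUST-VR {
        instance-type virtual-router;
        protocols {
            bgp {
                group ebgp-peers {
                    peer-as 64496;
                    neighbor 198.51.100.2;
                    import rpki-validation;
                }
            }
        }
    }
}
policy-options {
    policy-statement rpki-validation {
        term invalid {
            from {
                protocol bgp;
                validation-database invalid;
            }
            then {
                validation-state invalid;
                reject;
            }
        }
        term valid {
            from {
                protocol bgp;
                validation-database valid;
            }
            then {
                validation-state valid;
                accept;
            }
        }
    }
}
```

Without the notification-rib line, a VRP record added or withdrawn in the default instance would leave already-installed routes in CUST-VR.inet.0 with their old validation state until the next BGP update for that prefix.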
The remaining statements are explained separately. See CLI Explorer or click a linked statement in the Syntax section for details.
Required Privilege Level
routing—To view this statement in the configuration.
routing-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 12.2.