bestroute origin-as-validation (BGP-IPv4 unicast address family view)

Usage Scenario

Attackers can steal user data by advertising routes that are more specific than those advertised by carriers. Resource Public Key Infrastructure (RPKI) can address this issue by validating the origin ASs of BGP routes and apply the BGP origin AS validation result to route selection. To apply the BGP origin AS validation result to route selection, run the bestroute origin-as-validation command.

The validation result can be Valid, Not Found, or Invalid. BGP selects routes in the order of Valid, Not Found, and Invalid. If allow-invalid is not specified in the command, BGP ignores the routes with validation result Invalid during route selection.

Prerequisites

BGP origin AS validation has been enabled using the prefix origin-validation enable command.

Precautions

The origin AS validation function of RPKI verifies only the routes received from EBGP peers, but not the routes received from IBGP peers. After the bestroute origin-as-validation command is run:

• The origin AS verification results of the routes received from EBGP peers are applied to BGP route selection. The route selection priority is Valid > NotFound > Invalid.
• If the routes received from IBGP peers carry verification results, BGP uses the verification results during route selection.
• If the routes received from IBGP peers carry no verification results, BGP uses NotFound as the verification results during route selection.