The bestroute origin-as-validation command applies the BGP origin AS validation result to route selection.
The undo bestroute origin-as-validation command restores the default configurations.
By default, the BGP origin AS validation result is not applied to route selection.
Usage Scenario
Attackers can steal user data by advertising routes that are more specific than those advertised by carriers. Resource Public Key Infrastructure (RPKI) can address this issue by validating the origin ASs of BGP routes and apply the BGP origin AS validation result to route selection. To apply the BGP origin AS validation result to route selection, run the bestroute origin-as-validation command.
The validation result can be Valid, Not Found, or Invalid. BGP selects routes in the order of Valid, Not Found, and Invalid. If allow-invalid is not specified in the command, BGP ignores the routes with validation result Invalid during route selection.Prerequisites
BGP origin AS validation has been enabled using the prefix origin-validation enable command.
Precautions
The origin AS validation function of RPKI verifies only the routes received from EBGP peers, but not the routes received from IBGP peers. After the bestroute origin-as-validation command is run:
<HUAWEI> system-view [~HUAWEI] ip vpn-instance vpn6 [*HUAWEI-vpn-instance-vpn6] ipv4-family [*HUAWEI-vpn-instance-vpn6-af-ipv4] route-distinguisher 100:3 [*HUAWEI-vpn-instance-vpn6-af-ipv4] quit [*HUAWEI-vpn-instance-vpn6] quit [*HUAWEI] bgp 100 [*HUAWEI-bgp] ipv4-family vpn-instance vpn6 [*HUAWEI-bgp-vpn6] prefix origin-validation enable [*HUAWEI-bgp-vpn6] bestroute origin-as-validation