-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Request: Need better explanation of invalid ROA detection #165
Comments
Can you share a screenshot of what you’re looking at and what is confusing you? |
So in this case, other validators accept my ROAs without complaint, and I have no idea what IRRExplorer thinks is wrong, precisely. Might be my mistake still, but no way of knowing without exposing the failing validation rules. |
It's saying "there exist IRR In the snip you posted that appears to be the case - a ROA only exists for AS16796, but |
In addition to @forkwhilefork's explanation: this is indicated by the icons with crosses next to those ASN's. If you hover over them, you'll see a "route object is RPKI invalid" text. |
Also, there's a "Explanation of different messages" link at the top you can click which should explain the error found in more detail. If you have any suggestions on how to improve reporting, please let us know! |
It may be an issue of language semantics, then. To me the phrase "RPKI invalid route objects found" says that:
I had previously reviewed the detail text but somehow interpreted it as meaning something other than what it says. (Confirmation bias, presumably.) Firstly, I suggest rewording the error message so that it doesn't lead with "RPKI", which sent me down a path of assuming my ROAs were the problem. Perhaps "IRR/RPKI mismatch detected" would be more meaningful? Secondly, I think it should be a warning, not an error. I still haven't been able to get all the ancient proxy routeobjs cleaned up, after 2+yrs of intermittent effort, and I expect some of those B.S. proxy routeobjs will actually never go away until IRR itself goes away. Not to mention that it's now outright impossible to make changes ARIN-NONAUTH, as far as I can tell, unlike Bell and Level3 who merely ignore my requests. This suggests a separate feature request (#166), which I've just opened separately, as a way to mitigate the IRR-staleness issue as well as being just a generally-useful feature. |
P.S. thanks to all of you for the super-fast replies on this! |
I just figured out the language issue, it's a 1-byte error: There should be a hyphen between "RPKI" and "invalid". |
Thanks for the feedback. The 1-byte fix has been applied for now. We'll consider the other suggestions. |
The ARIN-NONAUTH datasource has been removed since it has been decommissioned (https://www.arin.net/announcements/20220128-irr/). |
I have numerous ROAs that are failing with "RPKI invalid route objects found". However, they look right, and I have no way of knowing what validation step failed, merely that <something> determined they were invalid.
I suggest either more detailed RPKI validation messages, or hover text, or the ability to drill down. As is, I don't know if the problem is the validation logic, or my ROAs. (Other validators claim there's nothing wrong.)
The text was updated successfully, but these errors were encountered: