RPKI Filtering Performance Issues

kyle · November 6, 2022, 7:38pm

When applying RPKI filtering to an IPv6 BGP session it takes a few hours to finish importing all valid routes. Has anyone else run into this issue?

vyos@vyos# run show version
Version: VyOS 1.4-rolling-202211041300

Hardware:
KVM VM
Cores: 16
Ram: 8G

 interfaces {
     ethernet eth0 {
         address 172.16.4.155/24
     }
     loopback lo {
     }
     wireguard wg1 {
         address 2a06:a004:c023::2/48
         mtu 1280
         peer R48 {
             address 170.39.224.166
             allowed-ips ::/0
             allowed-ips 0.0.0.0/0
             persistent-keepalive 30
             port 51831
             public-key W0pI832mL5u7JzJjiE68dyS95mIGBDqGgSxSZromEGY=
         }
         private-key qHWfhK0eVJpllDrBYpGVY8gdADIHUsr7+EMqQQp6MlQ=
         vrf AS50842
     }
 }
 policy {
     prefix-list6 block-all {
         rule 1 {
             action deny
             ge 0
             prefix ::/0
         }
     }
     route-map R48-IN {
         rule 1 {
             action permit
             match {
                 rpki valid
             }
         }
         rule 2 {
             action deny
             match {
                 rpki notfound
             }
         }
         rule 3 {
             action deny
             match {
                 rpki invalid
             }
         }
     }
 }
 protocols {
     rpki {
         cache 2602:fb68:4:1::8 {
             port 3323
             preference 2
         }
         cache 2602:fb68:80::106 {
             port 3323
             preference 3
         }
         cache 2602:fb68:c1:1::e {
             port 3323
             preference 1
         }
     }
     static {
         route 0.0.0.0/0 {
             next-hop 172.16.4.1 {
             }
         }
         route6 ::/0 {
             next-hop 2602:fb68:c1:1:: {
             }
         }
     }
 }
 service {
     ssh {
     }
 }
 system {
     config-management {
         commit-revisions 100
     }
     conntrack {
         modules {
             ftp
             h323
             nfs
             pptp
             sip
             sqlnet
             tftp
         }
     }
     console {
         device ttyS0 {
             speed 115200
         }
     }
     host-name vyos
     name-server 8.8.8.8
     ntp {
         server 0.pool.ntp.org {
         }
         server 1.pool.ntp.org {
         }
         server 2.pool.ntp.org {
         }
     }
     syslog {
         global {
             facility all {
                 level info
             }
             facility protocols {
                 level debug
             }
         }
     }
 }
 vrf {
     name AS50842 {
         protocols {
             bgp {
                 neighbor 2a06:a004:c023::1 {
                     address-family {
                         ipv6-unicast {
                             prefix-list {
                                 export block-all
                             }
                             route-map {
                                 import R48-IN
                             }
                             soft-reconfiguration {
                                 inbound
                             }
                         }
                     }
                     remote-as 44570
                 }
                 parameters {
                     router-id 6.9.1.4
                 }
                 system-as 50842
             }
         }
         table 50842
     }
 }

Viacheslav · November 11, 2022, 12:05am

what about IPv4
is behavior the same?

kyle · November 11, 2022, 1:39am

No, IPv4 works fine. Filters pretty much instantly.