# RPKI

This page explains how to use a Resource Public Key Infrastructure (RPKI) server to do Origin AS Validation.

## Prerequisites

This page assumes you have finished Getting Started.

## Contents

You need to add a `[RpkiServers]` section to your configuration file. We use the following file. Note that this is a route server setup, but RPKI can also be used in a non-route-server setup.

```toml
[Global]
  [Global.GlobalConfig]
    As = 64512
    RouterId = "10.0.255.254"

[Neighbors]
  [[Neighbors.NeighborList]]
    [Neighbors.NeighborList.NeighborConfig]
      PeerAs = 65001
      NeighborAddress = "10.0.255.1"
    [Neighbors.NeighborList.RouteServer]
      [Neighbors.NeighborList.RouteServer.RouteServerConfig]
        RouteServerClient = true

  [[Neighbors.NeighborList]]
    [Neighbors.NeighborList.NeighborConfig]
      PeerAs = 65002
      NeighborAddress = "10.0.255.2"
    [Neighbors.NeighborList.RouteServer]
      [Neighbors.NeighborList.RouteServer.RouteServerConfig]
        RouteServerClient = true

[RpkiServers]
  [[RpkiServers.RpkiServerList]]
    [RpkiServers.RpkiServerList.RpkiServerConfig]
      Address = "210.173.170.254"
      Port = 323
```

You can verify that gobgpd successfully connects to the RPKI server and receives the ROA (Route Origin Authorization) information as follows:

```bash
$ gobgp rpki server
Session            State  Uptime     #IPv4/IPv6 records
210.173.170.254    Up     00:03:06   14823/2168
$ gobgp rpki table 210.173.170.254|head -n4
Network            Maxlen AS
2.0.0.0/12         16     3215
2.0.0.0/16         16     3215
2.1.0.0/16         16     3215
```

By default, the IPv4 ROA table is shown. To see the IPv6 entries, use `-a ipv6`:

```bash
$ gobgp rpki -a ipv6 table 210.173.170.254|head -n4
Network                                    Maxlen AS
2001:608::/32                              32     5539
2001:610::/32                              48     1103
2001:610:240::/42                          42     3333
```

We configure the peer 10.0.255.1 to send three routes:

  1. 2.0.0.0/12 (Origin AS: 3215)
  2. 2.1.0.0/16 (Origin AS: 65001)
  3. 192.168.1.0/24 (Origin AS: 65001)

From the above ROA information, the first route is valid, the second is invalid (its origin should be 3215 too), and the third is a private IPv4 prefix, so no ROA should cover it.

Let's check the peer's Adj-RIB-In:

```bash
$ gobgp neighbor 10.0.255.1 adj-in
    Network              Next Hop             AS_PATH              Age        Attrs
    V   2.0.0.0/12       10.0.255.1           3215                 00:08:39   [{Origin: i}]
    I   2.1.0.0/16       10.0.255.1           65001                00:08:39   [{Origin: i}]
    N   192.168.1.0/24   10.0.255.1           65001                00:08:39   [{Origin: i}]
```

As you can see, the first is marked as "V" (Valid), the second as "I" (Invalid), and the third as "N" (Not Found).
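The following is an added example, not GoBGP's own code: it implements the RFC 6811 origin validation that produces the V/I/N marks above, using the three ROA rows from the `gobgp rpki table` output and the three routes announced by 10.0.255.1. It also adds a constructed route, 2.0.0.0/20, to show the case the page does not: a prefix that a ROA covers but that is more specific than the ROA's Maxlen is Invalid, not Not Found.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ROA is one Route Origin Authorization row from "gobgp rpki table".
type ROA struct {
	Prefix netip.Prefix
	MaxLen int
	ASN    uint32
}

const ( // the values gobgp's RpkiValidationResult policy condition uses
	NotFound = 1
	Valid    = 2
	Invalid  = 3
)

// Validate applies RFC 6811 origin validation: a ROA covers a route when its
// prefix contains it, and matches only if the route is also no longer than
// MaxLen with the same origin AS. Match: Valid; covered only: Invalid; else NotFound.
func Validate(roas []ROA, route netip.Prefix, originAS uint32) int {
	result := NotFound
	for _, roa := range roas {
		if roa.Prefix.Bits() > route.Bits() || !roa.Prefix.Contains(route.Addr()) {
			continue // this ROA does not cover the route
		}
		if route.Bits() <= roa.MaxLen && roa.ASN == originAS {
			return Valid
		}
		result = Invalid // covered, but nothing authorises this announcement
	}
	return result
}

var PageROAs = []ROA{ // the IPv4 entries shown by "gobgp rpki table" on this page
	{netip.MustParsePrefix("2.0.0.0/12"), 16, 3215},
	{netip.MustParsePrefix("2.0.0.0/16"), 16, 3215},
	{netip.MustParsePrefix("2.1.0.0/16"), 16, 3215},
}

func main() {
	// The page's routes from 10.0.255.1 plus a constructed 2.0.0.0/20, too specific for MaxLen (Invalid).
	routes := map[string]uint32{"2.0.0.0/12": 3215, "2.1.0.0/16": 65001, "192.168.1.0/24": 65001, "2.0.0.0/20": 3215}
	for p, origin := range routes {
		fmt.Printf("%c %-15s AS%d\n", "?NVI"[Validate(PageROAs, netip.MustParsePrefix(p), origin)], p, origin)
	}
}
```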

The validation result can be used as a condition in a policy. You can take any action according to the validation result (e.g., drop the route, add an extended community attribute). As an example, this section shows how to drop invalid routes.

Currently, all the routes from peer 10.0.255.1 are included in peer 10.0.255.2's local RIB.

```bash
$ gobgp neighbor 10.0.255.2 local
    Network              Next Hop             AS_PATH              Age        Attrs
    V*> 2.0.0.0/12       10.0.255.1           3215                 00:23:47   [{Origin: i}]
    I*> 2.1.0.0/16       10.0.255.1           65001                00:23:47   [{Origin: i}]
    N*> 192.168.1.0/24   10.0.255.1           65001                00:23:47   [{Origin: i}]
```

We add a policy to the above configuration.

```toml
[Global]
  [Global.GlobalConfig]
    As = 64512
    RouterId = "10.0.255.254"

[Neighbors]
  [[Neighbors.NeighborList]]
    [Neighbors.NeighborList.NeighborConfig]
      PeerAs = 65001
      NeighborAddress = "10.0.255.1"
    [Neighbors.NeighborList.RouteServer]
      [Neighbors.NeighborList.RouteServer.RouteServerConfig]
        RouteServerClient = true

  [[Neighbors.NeighborList]]
    [Neighbors.NeighborList.NeighborConfig]
      PeerAs = 65002
      NeighborAddress = "10.0.255.2"
    [Neighbors.NeighborList.RouteServer]
      [Neighbors.NeighborList.RouteServer.RouteServerConfig]
        RouteServerClient = true
    [Neighbors.NeighborList.ApplyPolicy]
      [Neighbors.NeighborList.ApplyPolicy.ApplyPolicyConfig]
        ImportPolicy = ["AS65002-IMPORT-RPKI"]

[RpkiServers]
  [[RpkiServers.RpkiServerList]]
    [RpkiServers.RpkiServerList.RpkiServerConfig]
      Address = "210.173.170.254"
      Port = 323

[PolicyDefinitions]
  [[PolicyDefinitions.PolicyDefinitionList]]
    Name = "AS65002-IMPORT-RPKI"
    [PolicyDefinitions.PolicyDefinitionList.Statements]
      [[PolicyDefinitions.PolicyDefinitionList.Statements.StatementList]]
        Name = "statement1"
        [PolicyDefinitions.PolicyDefinitionList.Statements.StatementList.Conditions]
          [PolicyDefinitions.PolicyDefinitionList.Statements.StatementList.Conditions.BgpConditions]
            RpkiValidationResult = 3

        [PolicyDefinitions.PolicyDefinitionList.Statements.StatementList.Actions]
          [PolicyDefinitions.PolicyDefinitionList.Statements.StatementList.Actions.RouteDisposition]
            RejectRoute = true
```

The values for `RpkiValidationResult` are defined as follows:

| Validation Result | Value |
|-------------------|-------|
| Not Found         | 1     |
| Valid             | 2     |
| Invalid           | 3     |

With the new configuration, the IMPORT policy rejects the invalid 2.1.0.0/16.

```bash
$ gobgp neighbor 10.0.255.2 local
    Network              Next Hop             AS_PATH              Age        Attrs
    V*> 2.0.0.0/12       10.0.255.1           3215                 00:00:21   [{Origin: i}]
    N*> 192.168.1.0/24   10.0.255.1           65001                00:00:21   [{Origin: i}]
```