[mirror_frr.git] / doc / user / rpki.rst

.. _prefix-origin-validation-using-rpki:

Prefix Origin Validation Using RPKI
===================================

Prefix Origin Validation allows BGP routers to verify if the origin AS of an IP
prefix is legitimate to announce this IP prefix. The required attestation
objects are stored in the Resource Public Key Infrastructure (:abbr:`RPKI`).
However, RPKI-enabled routers do not store cryptographic data itself but only
validation information. The validation of the cryptographic data (so called
Route Origin Authorization, or short :abbr:`ROA`, objects) will be performed by
trusted cache servers. The RPKI/RTR protocol defines a standard mechanism to
maintain the exchange of the prefix/origin AS mapping between the cache server
and routers. In combination with a  BGP Prefix Origin Validation scheme a
router is able to verify received BGP updates without suffering from
cryptographic complexity.

The RPKI/RTR protocol is defined in :rfc:`6810` and the validation scheme in
:rfc:`6811`. The current version of Prefix Origin Validation in FRR implements
both RFCs.

For a more detailed but still easy-to-read background, we suggest:

- [Securing-BGP]_
- [Resource-Certification]_

.. _features-of-the-current-implementation:

Features of the Current Implementation
--------------------------------------

In a nutshell, the current implementation provides the following features

- The BGP router can connect to one or more RPKI cache servers to receive
  validated prefix to origin AS mappings. Advanced failover can be implemented
  by server sockets with different preference values.
- If no connection to an RPKI cache server can be established after a
  pre-defined timeout, the router will process routes without prefix origin
  validation. It still will try to establish a connection to an RPKI cache
  server in the background.
- By default, enabling RPKI does not change best path selection. In particular,
  invalid prefixes will still be considered during best path selection.
  However, the router can be configured to ignore all invalid prefixes.
- Route maps can be configured to match a specific RPKI validation state. This
  allows the creation of local policies, which handle BGP routes based on the
  outcome of the Prefix Origin Validation.
- Updates from the RPKI cache servers are directly applied and path selection
  is updated accordingly. (Soft reconfiguration **must** be enabled for this
  to work).


.. _enabling-rpki:

Enabling RPKI
-------------

.. index:: rpki
.. clicmd:: rpki

   This command enables the RPKI configuration mode. Most commands that start
   with *rpki* can only be used in this mode.

   When it is used in a telnet session, leaving of this mode cause rpki to be
   initialized.

   Executing this command alone does not activate prefix validation. You need
   to configure at least one reachable cache server. See section
   :ref:`configuring-rpki-rtr-cache-servers` for configuring a cache server.

.. index:: RPKI and daemons

When first installing FRR with RPKI support from the pre-packaged binaries.
Remember to add ``-M rpki`` to the variable ``bgpd_options`` in
:file:`/etc/frr/daemons` , like so::

   bgpd_options="   -A 127.0.0.1 -M rpki"

instead of the default setting::

   bgpd_options="   -A 127.0.0.1"

Otherwise you will encounter an error when trying to enter RPKI
configuration mode due to the ``rpki`` module not being loaded when the BGP
daemon is initialized.

Examples of the error::

   router(config)# debug rpki
   % [BGP] Unknown command: debug rpki

   router(config)# rpki
   % [BGP] Unknown command: rpki

Note that the RPKI commands will be available in vtysh when running
``find rpki`` regardless of whether the module is loaded.

.. _configuring-rpki-rtr-cache-servers:

Configuring RPKI/RTR Cache Servers
----------------------------------

The following commands are independent of a specific cache server.

.. index:: rpki polling_period (1-3600)
.. clicmd:: rpki polling_period (1-3600)

.. index:: no rpki polling_period
.. clicmd:: no rpki polling_period

   Set the number of seconds the router waits until the router asks the cache
   again for updated data.

   The default value is 300 seconds.

.. index:: rpki timeout <1-4,294,967,296>
.. clicmd:: rpki timeout <1-4,294,967,296>

.. index:: no rpki timeout
.. clicmd:: no rpki timeout

   Set the number of seconds the router waits for the cache reply. If the cache
   server is not replying within this time period, the router deletes all
   received prefix records from the prefix table.

   The default value is 600 seconds.

.. index:: rpki initial-synchronisation-timeout <1-4,294,967,296>
.. clicmd:: rpki initial-synchronisation-timeout <1-4,294,967,296>

.. index:: no rpki initial-synchronisation-timeout
.. clicmd:: no rpki initial-synchronisation-timeout

   Set the number of seconds until the first synchronization with the cache
   server needs to be completed. If the timeout expires, BGP routing is started
   without RPKI. The router will try to establish the cache server connection in
   the background.

   The default value is 30 seconds.

   The following commands configure one or multiple cache servers.

.. index:: rpki cache (A.B.C.D|WORD) PORT [SSH_USERNAME] [SSH_PRIVKEY_PATH] [SSH_PUBKEY_PATH] [KNOWN_HOSTS_PATH] PREFERENCE
.. clicmd:: rpki cache (A.B.C.D|WORD) PORT [SSH_USERNAME] [SSH_PRIVKEY_PATH] [SSH_PUBKEY_PATH] [KNOWN_HOSTS_PATH] PREFERENCE

.. index:: no rpki cache (A.B.C.D|WORD) [PORT] PREFERENCE
.. clicmd:: no rpki cache (A.B.C.D|WORD) [PORT] PREFERENCE

   Add a cache server to the socket. By default, the connection between router
   and cache server is based on plain TCP. Protecting the connection between
   router and cache server by SSH is optional. Deleting a socket removes the
   associated cache server and terminates the existing connection.

   A.B.C.D|WORD
      Address of the cache server.

   PORT
      Port number to connect to the cache server

   SSH_USERNAME
      SSH username to establish an SSH connection to the cache server.


   SSH_PRIVKEY_PATH
      Local path that includes the private key file of the router.


   SSH_PUBKEY_PATH
      Local path that includes the public key file of the router.


   KNOWN_HOSTS_PATH
      Local path that includes the known hosts file. The default value depends
      on the configuration of the operating system environment, usually
      :file:`~/.ssh/known_hosts`.


.. _validating-bgp-updates:

Validating BGP Updates
----------------------

.. index:: match rpki notfound|invalid|valid
.. clicmd:: match rpki notfound|invalid|valid

.. index:: no match rpki notfound|invalid|valid
.. clicmd:: no match rpki notfound|invalid|valid

    Create a clause for a route map to match prefixes with the specified RPKI
    state.

    **Note** that the matching of invalid prefixes requires that invalid
    prefixes are considered for best path selection, i.e.,
    ``bgp bestpath prefix-validate disallow-invalid`` is not enabled.

    In the following example, the router prefers valid routes over invalid
    prefixes because invalid routes have a lower local preference.

    .. code-block:: frr

       ! Allow for invalid routes in route selection process
       route bgp 60001
       !
       ! Set local preference of invalid prefixes to 10
       route-map rpki permit 10
        match rpki invalid
        set local-preference 10
       !
       ! Set local preference of valid prefixes to 500
       route-map rpki permit 500
        match rpki valid
        set local-preference 500


.. _debugging:

Debugging
---------

.. index:: debug rpki
.. clicmd:: debug rpki

.. index:: no debug rpki
.. clicmd:: no debug rpki

   Enable or disable debugging output for RPKI.

.. _displaying-rpki:

Displaying RPKI
---------------

.. index:: show rpki prefix-table
.. clicmd:: show rpki prefix-table

   Display all validated prefix to origin AS mappings/records which have been
   received from the cache servers and stored in the router. Based on this data,
   the router validates BGP Updates.

.. index:: show rpki cache-connection
.. clicmd:: show rpki cache-connection

   Display all configured cache servers, whether active or not.

RPKI Configuration Example
--------------------------

.. code-block:: frr

   hostname bgpd1
   password zebra
   ! log stdout
   debug bgp updates
   debug bgp keepalives
   debug rpki
   !
   rpki
    rpki polling_period 1000
    rpki timeout 10
     ! SSH Example:
     rpki cache example.com 22 rtr-ssh ./ssh_key/id_rsa ./ssh_key/id_rsa.pub preference 1
     ! TCP Example:
     rpki cache rpki-validator.realmv6.org 8282 preference 2
     exit
   !
   router bgp 60001
    bgp router-id 141.22.28.223
    network 192.168.0.0/16
    neighbor 123.123.123.0 remote-as 60002
    neighbor 123.123.123.0 route-map rpki in
   !
    address-family ipv6
     neighbor 123.123.123.0 activate
      neighbor 123.123.123.0 route-map rpki in
    exit-address-family
   !
   route-map rpki permit 10
    match rpki invalid
    set local-preference 10
   !
   route-map rpki permit 20
    match rpki notfound
    set local-preference 20
   !
   route-map rpki permit 30
    match rpki valid
    set local-preference 30
   !
   route-map rpki permit 40
   !

.. [Securing-BGP] Geoff Huston, Randy Bush: Securing BGP, In: The Internet Protocol Journal, Volume 14, No. 2, 2011. <http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_14-2/142_bgp.html>
.. [Resource-Certification] Geoff Huston: Resource Certification, In: The Internet Protocol Journal, Volume 12, No.1, 2009. <http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_12-1/121_resource.html>
Commit	Line	Data
0efdf0fe	1	.. _prefix-origin-validation-using-rpki:
42fc5d26 QY	2
	3	Prefix Origin Validation Using RPKI
	4	===================================
	5
c1a54c05 QY	6	Prefix Origin Validation allows BGP routers to verify if the origin AS of an IP
	7	prefix is legitimate to announce this IP prefix. The required attestation
	8	objects are stored in the Resource Public Key Infrastructure (:abbr:`RPKI`).
	9	However, RPKI-enabled routers do not store cryptographic data itself but only
	10	validation information. The validation of the cryptographic data (so called
	11	Route Origin Authorization, or short :abbr:`ROA`, objects) will be performed by
	12	trusted cache servers. The RPKI/RTR protocol defines a standard mechanism to
	13	maintain the exchange of the prefix/origin AS mapping between the cache server
	14	and routers. In combination with a BGP Prefix Origin Validation scheme a
	15	router is able to verify received BGP updates without suffering from
	16	cryptographic complexity.
42fc5d26	17
ec8404d8 QY	18	The RPKI/RTR protocol is defined in :rfc:`6810` and the validation scheme in
	19	:rfc:`6811`. The current version of Prefix Origin Validation in FRR implements
	20	both RFCs.
42fc5d26	21
c1a54c05	22	For a more detailed but still easy-to-read background, we suggest:
42fc5d26	23
c1a54c05 QY	24	- [Securing-BGP]_
c1a54c05 QY	25	- [Resource-Certification]_
42fc5d26	26
0efdf0fe	27	.. _features-of-the-current-implementation:
42fc5d26 QY	28
	29	Features of the Current Implementation
	30	--------------------------------------
	31
	32	In a nutshell, the current implementation provides the following features
	33
c1a54c05 QY	34	- The BGP router can connect to one or more RPKI cache servers to receive
	35	validated prefix to origin AS mappings. Advanced failover can be implemented
	36	by server sockets with different preference values.
	37	- If no connection to an RPKI cache server can be established after a
42fc5d26 QY	38	pre-defined timeout, the router will process routes without prefix origin
	39	validation. It still will try to establish a connection to an RPKI cache
	40	server in the background.
c1a54c05 QY	41	- By default, enabling RPKI does not change best path selection. In particular,
	42	invalid prefixes will still be considered during best path selection.
	43	However, the router can be configured to ignore all invalid prefixes.
	44	- Route maps can be configured to match a specific RPKI validation state. This
	45	allows the creation of local policies, which handle BGP routes based on the
	46	outcome of the Prefix Origin Validation.
1dacdd8b MR	47	- Updates from the RPKI cache servers are directly applied and path selection
	48	is updated accordingly. (Soft reconfiguration must be enabled for this
	49	to work).
42fc5d26 QY	50
42fc5d26 QY	51
0efdf0fe	52	.. _enabling-rpki:
42fc5d26 QY	53
	54	Enabling RPKI
	55	-------------
	56
c1a54c05 QY	57	.. index:: rpki
c1a54c05 QY	58	.. clicmd:: rpki
42fc5d26	59
c1a54c05 QY	60	This command enables the RPKI configuration mode. Most commands that start
c1a54c05 QY	61	with rpki can only be used in this mode.
42fc5d26	62
1e18601b QY	63	When it is used in a telnet session, leaving of this mode cause rpki to be
1e18601b QY	64	initialized.
42fc5d26	65
c1a54c05 QY	66	Executing this command alone does not activate prefix validation. You need
	67	to configure at least one reachable cache server. See section
	68	:ref:`configuring-rpki-rtr-cache-servers` for configuring a cache server.
42fc5d26	69
9c830772	70	.. index:: RPKI and daemons
04a18e32	71
379064db	72	When first installing FRR with RPKI support from the pre-packaged binaries.
a4a2a475	73	Remember to add ``-M rpki`` to the variable ``bgpd_options`` in
9c830772	74	:file:`/etc/frr/daemons` , like so::
1e18601b	75
9c830772	76	bgpd_options=" -A 127.0.0.1 -M rpki"
1e18601b	77
379064db	78	instead of the default setting::
1e18601b	79
9c830772	80	bgpd_options=" -A 127.0.0.1"
1e18601b	81
379064db QY	82	Otherwise you will encounter an error when trying to enter RPKI
	83	configuration mode due to the ``rpki`` module not being loaded when the BGP
	84	daemon is initialized.
1e18601b	85
379064db	86	Examples of the error::
1e18601b	87
379064db QY	88	router(config)# debug rpki
379064db QY	89	% [BGP] Unknown command: debug rpki
1e18601b	90
379064db QY	91	router(config)# rpki
379064db QY	92	% [BGP] Unknown command: rpki
1e18601b	93
a4a2a475 QY	94	Note that the RPKI commands will be available in vtysh when running
a4a2a475 QY	95	``find rpki`` regardless of whether the module is loaded.
04a18e32	96
fdd8e252 QY	97	.. _configuring-rpki-rtr-cache-servers:
fdd8e252 QY	98
42fc5d26 QY	99	Configuring RPKI/RTR Cache Servers
	100	----------------------------------
	101
	102	The following commands are independent of a specific cache server.
	103
c1a54c05 QY	104	.. index:: rpki polling_period (1-3600)
c1a54c05 QY	105	.. clicmd:: rpki polling_period (1-3600)
42fc5d26	106
c1a54c05 QY	107	.. index:: no rpki polling_period
c1a54c05 QY	108	.. clicmd:: no rpki polling_period
42fc5d26	109
c1a54c05 QY	110	Set the number of seconds the router waits until the router asks the cache
c1a54c05 QY	111	again for updated data.
42fc5d26	112
c1a54c05	113	The default value is 300 seconds.
42fc5d26	114
c1a54c05 QY	115	.. index:: rpki timeout <1-4,294,967,296>
c1a54c05 QY	116	.. clicmd:: rpki timeout <1-4,294,967,296>
42fc5d26	117
c1a54c05 QY	118	.. index:: no rpki timeout
c1a54c05 QY	119	.. clicmd:: no rpki timeout
42fc5d26	120
c1a54c05 QY	121	Set the number of seconds the router waits for the cache reply. If the cache
	122	server is not replying within this time period, the router deletes all
	123	received prefix records from the prefix table.
42fc5d26	124
c1a54c05	125	The default value is 600 seconds.
42fc5d26	126
c1a54c05 QY	127	.. index:: rpki initial-synchronisation-timeout <1-4,294,967,296>
c1a54c05 QY	128	.. clicmd:: rpki initial-synchronisation-timeout <1-4,294,967,296>
42fc5d26	129
c1a54c05 QY	130	.. index:: no rpki initial-synchronisation-timeout
c1a54c05 QY	131	.. clicmd:: no rpki initial-synchronisation-timeout
42fc5d26	132
c1a54c05 QY	133	Set the number of seconds until the first synchronization with the cache
	134	server needs to be completed. If the timeout expires, BGP routing is started
	135	without RPKI. The router will try to establish the cache server connection in
	136	the background.
42fc5d26	137
c1a54c05	138	The default value is 30 seconds.
42fc5d26	139
c1a54c05	140	The following commands configure one or multiple cache servers.
42fc5d26	141
c1a54c05 QY	142	.. index:: rpki cache (A.B.C.D\|WORD) PORT [SSH_USERNAME] [SSH_PRIVKEY_PATH] [SSH_PUBKEY_PATH] [KNOWN_HOSTS_PATH] PREFERENCE
c1a54c05 QY	143	.. clicmd:: rpki cache (A.B.C.D\|WORD) PORT [SSH_USERNAME] [SSH_PRIVKEY_PATH] [SSH_PUBKEY_PATH] [KNOWN_HOSTS_PATH] PREFERENCE
42fc5d26	144
c1a54c05 QY	145	.. index:: no rpki cache (A.B.C.D\|WORD) [PORT] PREFERENCE
c1a54c05 QY	146	.. clicmd:: no rpki cache (A.B.C.D\|WORD) [PORT] PREFERENCE
42fc5d26	147
c1a54c05 QY	148	Add a cache server to the socket. By default, the connection between router
	149	and cache server is based on plain TCP. Protecting the connection between
	150	router and cache server by SSH is optional. Deleting a socket removes the
	151	associated cache server and terminates the existing connection.
42fc5d26	152
c1a54c05 QY	153	A.B.C.D\|WORD
c1a54c05 QY	154	Address of the cache server.
42fc5d26	155
c1a54c05 QY	156	PORT
c1a54c05 QY	157	Port number to connect to the cache server
42fc5d26	158
c1a54c05 QY	159	SSH_USERNAME
c1a54c05 QY	160	SSH username to establish an SSH connection to the cache server.
42fc5d26 QY	161
42fc5d26 QY	162
c1a54c05 QY	163	SSH_PRIVKEY_PATH
c1a54c05 QY	164	Local path that includes the private key file of the router.
42fc5d26 QY	165
42fc5d26 QY	166
c1a54c05 QY	167	SSH_PUBKEY_PATH
c1a54c05 QY	168	Local path that includes the public key file of the router.
42fc5d26 QY	169
42fc5d26 QY	170
c1a54c05 QY	171	KNOWN_HOSTS_PATH
	172	Local path that includes the known hosts file. The default value depends
	173	on the configuration of the operating system environment, usually
	174	:file:`~/.ssh/known_hosts`.
42fc5d26 QY	175
42fc5d26 QY	176
0efdf0fe	177	.. _validating-bgp-updates:
42fc5d26 QY	178
	179	Validating BGP Updates
	180	----------------------
	181
c1a54c05 QY	182	.. index:: match rpki notfound\|invalid\|valid
c1a54c05 QY	183	.. clicmd:: match rpki notfound\|invalid\|valid
42fc5d26	184
c1a54c05 QY	185	.. index:: no match rpki notfound\|invalid\|valid
c1a54c05 QY	186	.. clicmd:: no match rpki notfound\|invalid\|valid
42fc5d26	187
c1a54c05 QY	188	Create a clause for a route map to match prefixes with the specified RPKI
c1a54c05 QY	189	state.
42fc5d26	190
ec8404d8	191	Note that the matching of invalid prefixes requires that invalid
c1a54c05 QY	192	prefixes are considered for best path selection, i.e.,
c1a54c05 QY	193	``bgp bestpath prefix-validate disallow-invalid`` is not enabled.
42fc5d26 QY	194
	195	In the following example, the router prefers valid routes over invalid
	196	prefixes because invalid routes have a lower local preference.
a8c90e15	197
9eb95b3b	198	.. code-block:: frr
76bd1499	199
c1a54c05 QY	200	! Allow for invalid routes in route selection process
	201	route bgp 60001
	202	!
	203	! Set local preference of invalid prefixes to 10
	204	route-map rpki permit 10
	205	match rpki invalid
	206	set local-preference 10
	207	!
	208	! Set local preference of valid prefixes to 500
	209	route-map rpki permit 500
	210	match rpki valid
	211	set local-preference 500
42fc5d26 QY	212
42fc5d26 QY	213
0efdf0fe	214	.. _debugging:
42fc5d26 QY	215
	216	Debugging
	217	---------
	218
c1a54c05 QY	219	.. index:: debug rpki
c1a54c05 QY	220	.. clicmd:: debug rpki
42fc5d26	221
c1a54c05 QY	222	.. index:: no debug rpki
c1a54c05 QY	223	.. clicmd:: no debug rpki
42fc5d26	224
c1a54c05	225	Enable or disable debugging output for RPKI.
42fc5d26	226
0efdf0fe	227	.. _displaying-rpki:
42fc5d26 QY	228
	229	Displaying RPKI
	230	---------------
	231
c1a54c05 QY	232	.. index:: show rpki prefix-table
c1a54c05 QY	233	.. clicmd:: show rpki prefix-table
42fc5d26	234
c1a54c05 QY	235	Display all validated prefix to origin AS mappings/records which have been
	236	received from the cache servers and stored in the router. Based on this data,
	237	the router validates BGP Updates.
42fc5d26	238
c1a54c05 QY	239	.. index:: show rpki cache-connection
c1a54c05 QY	240	.. clicmd:: show rpki cache-connection
42fc5d26	241
c1a54c05	242	Display all configured cache servers, whether active or not.
42fc5d26 QY	243
	244	RPKI Configuration Example
	245	--------------------------
	246
9eb95b3b	247	.. code-block:: frr
42fc5d26	248
c1a54c05 QY	249	hostname bgpd1
	250	password zebra
	251	! log stdout
	252	debug bgp updates
	253	debug bgp keepalives
	254	debug rpki
	255	!
	256	rpki
	257	rpki polling_period 1000
	258	rpki timeout 10
	259	! SSH Example:
	260	rpki cache example.com 22 rtr-ssh ./ssh_key/id_rsa ./ssh_key/id_rsa.pub preference 1
	261	! TCP Example:
	262	rpki cache rpki-validator.realmv6.org 8282 preference 2
	263	exit
	264	!
	265	router bgp 60001
	266	bgp router-id 141.22.28.223
	267	network 192.168.0.0/16
	268	neighbor 123.123.123.0 remote-as 60002
	269	neighbor 123.123.123.0 route-map rpki in
	270	!
	271	address-family ipv6
	272	neighbor 123.123.123.0 activate
	273	neighbor 123.123.123.0 route-map rpki in
	274	exit-address-family
	275	!
	276	route-map rpki permit 10
	277	match rpki invalid
	278	set local-preference 10
	279	!
	280	route-map rpki permit 20
	281	match rpki notfound
	282	set local-preference 20
	283	!
	284	route-map rpki permit 30
	285	match rpki valid
	286	set local-preference 30
	287	!
	288	route-map rpki permit 40
	289	!
	290
a5a48dbf QY	291	.. [Securing-BGP] Geoff Huston, Randy Bush: Securing BGP, In: The Internet Protocol Journal, Volume 14, No. 2, 2011. <http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_14-2/142_bgp.html>
a5a48dbf QY	292	.. [Resource-Certification] Geoff Huston: Resource Certification, In: The Internet Protocol Journal, Volume 12, No.1, 2009. <http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_12-1/121_resource.html>