[mirror_frr.git] / doc / user / rpki.rst

.. _Prefix_Origin_Validation_Using_RPKI:

Prefix Origin Validation Using RPKI
===================================

Prefix Origin Validation allows BGP routers to verify if the origin AS of an IP
prefix is legitimate to announce this IP prefix. The required attestation
objects are stored in the Resource Public Key Infrastructure (:abbr:`RPKI`).
However, RPKI-enabled routers do not store cryptographic data itself but only
validation information. The validation of the cryptographic data (so called
Route Origin Authorization, or short :abbr:`ROA`, objects) will be performed by
trusted cache servers. The RPKI/RTR protocol defines a standard mechanism to
maintain the exchange of the prefix/origin AS mapping between the cache server
and routers. In combination with a  BGP Prefix Origin Validation scheme a
router is able to verify received BGP updates without suffering from
cryptographic complexity.

The RPKI/RTR protocol is defined in :rfc:`6810` and the validation scheme in
:rfc:`6811`. The current version of Prefix Origin Validation in FRR implements
both RFCs.

For a more detailed but still easy-to-read background, we suggest:

- [Securing-BGP]_
- [Resource-Certification]_

.. _Features_of_the_Current_Implementation:

Features of the Current Implementation
--------------------------------------

In a nutshell, the current implementation provides the following features

- The BGP router can connect to one or more RPKI cache servers to receive
  validated prefix to origin AS mappings. Advanced failover can be implemented
  by server sockets with different preference values.
- If no connection to an RPKI cache server can be established after a
  pre-defined timeout, the router will process routes without prefix origin
  validation. It still will try to establish a connection to an RPKI cache
  server in the background.
- By default, enabling RPKI does not change best path selection. In particular,
  invalid prefixes will still be considered during best path selection.
  However, the router can be configured to ignore all invalid prefixes.
- Route maps can be configured to match a specific RPKI validation state. This
  allows the creation of local policies, which handle BGP routes based on the
  outcome of the Prefix Origin Validation.


.. _Enabling_RPKI:

Enabling RPKI
-------------

.. index:: rpki
.. clicmd:: rpki

   This command enables the RPKI configuration mode. Most commands that start
   with *rpki* can only be used in this mode.

   When it is used in a telnet session, leaving of this mode cause rpki to be initialized.

   Executing this command alone does not activate prefix validation. You need
   to configure at least one reachable cache server. See section
   :ref:`configuring-rpki-rtr-cache-servers` for configuring a cache server.

.. _configuring-rpki-rtr-cache-servers:

Configuring RPKI/RTR Cache Servers
----------------------------------

The following commands are independent of a specific cache server.

.. index:: rpki polling_period (1-3600)
.. clicmd:: rpki polling_period (1-3600)

.. index:: no rpki polling_period
.. clicmd:: no rpki polling_period

   Set the number of seconds the router waits until the router asks the cache
   again for updated data.

   The default value is 300 seconds.

.. index:: rpki timeout <1-4,294,967,296>
.. clicmd:: rpki timeout <1-4,294,967,296>

.. index:: no rpki timeout
.. clicmd:: no rpki timeout

   Set the number of seconds the router waits for the cache reply. If the cache
   server is not replying within this time period, the router deletes all
   received prefix records from the prefix table.

   The default value is 600 seconds.

.. index:: rpki initial-synchronisation-timeout <1-4,294,967,296>
.. clicmd:: rpki initial-synchronisation-timeout <1-4,294,967,296>

.. index:: no rpki initial-synchronisation-timeout
.. clicmd:: no rpki initial-synchronisation-timeout

   Set the number of seconds until the first synchronization with the cache
   server needs to be completed. If the timeout expires, BGP routing is started
   without RPKI. The router will try to establish the cache server connection in
   the background.

   The default value is 30 seconds.

   The following commands configure one or multiple cache servers.

.. index:: rpki cache (A.B.C.D|WORD) PORT [SSH_USERNAME] [SSH_PRIVKEY_PATH] [SSH_PUBKEY_PATH] [KNOWN_HOSTS_PATH] PREFERENCE
.. clicmd:: rpki cache (A.B.C.D|WORD) PORT [SSH_USERNAME] [SSH_PRIVKEY_PATH] [SSH_PUBKEY_PATH] [KNOWN_HOSTS_PATH] PREFERENCE

.. index:: no rpki cache (A.B.C.D|WORD) [PORT] PREFERENCE
.. clicmd:: no rpki cache (A.B.C.D|WORD) [PORT] PREFERENCE

   Add a cache server to the socket. By default, the connection between router
   and cache server is based on plain TCP. Protecting the connection between
   router and cache server by SSH is optional. Deleting a socket removes the
   associated cache server and terminates the existing connection.

   A.B.C.D|WORD
      Address of the cache server.

   PORT
      Port number to connect to the cache server

   SSH_USERNAME
      SSH username to establish an SSH connection to the cache server.


   SSH_PRIVKEY_PATH
      Local path that includes the private key file of the router.


   SSH_PUBKEY_PATH
      Local path that includes the public key file of the router.


   KNOWN_HOSTS_PATH
      Local path that includes the known hosts file. The default value depends
      on the configuration of the operating system environment, usually
      :file:`~/.ssh/known_hosts`.


.. _Validating_BGP_Updates:

Validating BGP Updates
----------------------

.. index:: match rpki notfound|invalid|valid
.. clicmd:: match rpki notfound|invalid|valid

.. index:: no match rpki notfound|invalid|valid
.. clicmd:: no match rpki notfound|invalid|valid

    Create a clause for a route map to match prefixes with the specified RPKI
    state.

    **Note** that the matching of invalid prefixes requires that invalid
    prefixes are considered for best path selection, i.e.,
    ``bgp bestpath prefix-validate disallow-invalid`` is not enabled.

    In the following example, the router prefers valid routes over invalid
    prefixes because invalid routes have a lower local preference.

    ::
    
       ! Allow for invalid routes in route selection process
       route bgp 60001
       !
       ! Set local preference of invalid prefixes to 10
       route-map rpki permit 10
        match rpki invalid
        set local-preference 10
       !
       ! Set local preference of valid prefixes to 500
       route-map rpki permit 500
        match rpki valid
        set local-preference 500


.. _Debugging:

Debugging
---------

.. index:: debug rpki
.. clicmd:: debug rpki

.. index:: no debug rpki
.. clicmd:: no debug rpki

   Enable or disable debugging output for RPKI.

.. _Displaying_RPKI:

Displaying RPKI
---------------

.. index:: show rpki prefix-table
.. clicmd:: show rpki prefix-table

   Display all validated prefix to origin AS mappings/records which have been
   received from the cache servers and stored in the router. Based on this data,
   the router validates BGP Updates.

.. index:: show rpki cache-connection
.. clicmd:: show rpki cache-connection

   Display all configured cache servers, whether active or not.

RPKI Configuration Example
--------------------------

::

   hostname bgpd1
   password zebra
   ! log stdout
   debug bgp updates
   debug bgp keepalives
   debug rpki
   !
   rpki
    rpki polling_period 1000
    rpki timeout 10
     ! SSH Example:
     rpki cache example.com 22 rtr-ssh ./ssh_key/id_rsa ./ssh_key/id_rsa.pub preference 1
     ! TCP Example:
     rpki cache rpki-validator.realmv6.org 8282 preference 2
     exit
   !
   router bgp 60001
    bgp router-id 141.22.28.223
    network 192.168.0.0/16
    neighbor 123.123.123.0 remote-as 60002
    neighbor 123.123.123.0 route-map rpki in
   !
    address-family ipv6
     neighbor 123.123.123.0 activate
      neighbor 123.123.123.0 route-map rpki in
    exit-address-family
   !
   route-map rpki permit 10
    match rpki invalid
    set local-preference 10
   !
   route-map rpki permit 20
    match rpki notfound
    set local-preference 20
   !
   route-map rpki permit 30
    match rpki valid
    set local-preference 30
   !
   route-map rpki permit 40
   !

.. [Securing-BGP] Geoff Huston, Randy Bush: Securing BGP, In: The Internet Protocol Journal, Volume 14, No. 2, 2011. <http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_14-2/142_bgp.html>
.. [Resource-Certification] Geoff Huston: Resource Certification, In: The Internet Protocol Journal, Volume 12, No.1, 2009. <http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_12-1/121_resource.html>
Commit	Line	Data
42fc5d26 QY	1	.. _Prefix_Origin_Validation_Using_RPKI:
	2
	3	Prefix Origin Validation Using RPKI
	4	===================================
	5
c1a54c05 QY	6	Prefix Origin Validation allows BGP routers to verify if the origin AS of an IP
	7	prefix is legitimate to announce this IP prefix. The required attestation
	8	objects are stored in the Resource Public Key Infrastructure (:abbr:`RPKI`).
	9	However, RPKI-enabled routers do not store cryptographic data itself but only
	10	validation information. The validation of the cryptographic data (so called
	11	Route Origin Authorization, or short :abbr:`ROA`, objects) will be performed by
	12	trusted cache servers. The RPKI/RTR protocol defines a standard mechanism to
	13	maintain the exchange of the prefix/origin AS mapping between the cache server
	14	and routers. In combination with a BGP Prefix Origin Validation scheme a
	15	router is able to verify received BGP updates without suffering from
	16	cryptographic complexity.
42fc5d26	17
ec8404d8 QY	18	The RPKI/RTR protocol is defined in :rfc:`6810` and the validation scheme in
	19	:rfc:`6811`. The current version of Prefix Origin Validation in FRR implements
	20	both RFCs.
42fc5d26	21
c1a54c05	22	For a more detailed but still easy-to-read background, we suggest:
42fc5d26	23
c1a54c05 QY	24	- [Securing-BGP]_
c1a54c05 QY	25	- [Resource-Certification]_
42fc5d26 QY	26
	27	.. _Features_of_the_Current_Implementation:
	28
	29	Features of the Current Implementation
	30	--------------------------------------
	31
	32	In a nutshell, the current implementation provides the following features
	33
c1a54c05 QY	34	- The BGP router can connect to one or more RPKI cache servers to receive
	35	validated prefix to origin AS mappings. Advanced failover can be implemented
	36	by server sockets with different preference values.
	37	- If no connection to an RPKI cache server can be established after a
42fc5d26 QY	38	pre-defined timeout, the router will process routes without prefix origin
	39	validation. It still will try to establish a connection to an RPKI cache
	40	server in the background.
c1a54c05 QY	41	- By default, enabling RPKI does not change best path selection. In particular,
	42	invalid prefixes will still be considered during best path selection.
	43	However, the router can be configured to ignore all invalid prefixes.
	44	- Route maps can be configured to match a specific RPKI validation state. This
	45	allows the creation of local policies, which handle BGP routes based on the
	46	outcome of the Prefix Origin Validation.
42fc5d26 QY	47
	48
	49	.. _Enabling_RPKI:
	50
	51	Enabling RPKI
	52	-------------
	53
c1a54c05 QY	54	.. index:: rpki
c1a54c05 QY	55	.. clicmd:: rpki
42fc5d26	56
c1a54c05 QY	57	This command enables the RPKI configuration mode. Most commands that start
c1a54c05 QY	58	with rpki can only be used in this mode.
42fc5d26	59
c1a54c05	60	When it is used in a telnet session, leaving of this mode cause rpki to be initialized.
42fc5d26	61
c1a54c05 QY	62	Executing this command alone does not activate prefix validation. You need
	63	to configure at least one reachable cache server. See section
	64	:ref:`configuring-rpki-rtr-cache-servers` for configuring a cache server.
42fc5d26	65
c1a54c05	66	.. _configuring-rpki-rtr-cache-servers:
42fc5d26 QY	67
	68	Configuring RPKI/RTR Cache Servers
	69	----------------------------------
	70
	71	The following commands are independent of a specific cache server.
	72
c1a54c05 QY	73	.. index:: rpki polling_period (1-3600)
c1a54c05 QY	74	.. clicmd:: rpki polling_period (1-3600)
42fc5d26	75
c1a54c05 QY	76	.. index:: no rpki polling_period
c1a54c05 QY	77	.. clicmd:: no rpki polling_period
42fc5d26	78
c1a54c05 QY	79	Set the number of seconds the router waits until the router asks the cache
c1a54c05 QY	80	again for updated data.
42fc5d26	81
c1a54c05	82	The default value is 300 seconds.
42fc5d26	83
c1a54c05 QY	84	.. index:: rpki timeout <1-4,294,967,296>
c1a54c05 QY	85	.. clicmd:: rpki timeout <1-4,294,967,296>
42fc5d26	86
c1a54c05 QY	87	.. index:: no rpki timeout
c1a54c05 QY	88	.. clicmd:: no rpki timeout
42fc5d26	89
c1a54c05 QY	90	Set the number of seconds the router waits for the cache reply. If the cache
	91	server is not replying within this time period, the router deletes all
	92	received prefix records from the prefix table.
42fc5d26	93
c1a54c05	94	The default value is 600 seconds.
42fc5d26	95
c1a54c05 QY	96	.. index:: rpki initial-synchronisation-timeout <1-4,294,967,296>
c1a54c05 QY	97	.. clicmd:: rpki initial-synchronisation-timeout <1-4,294,967,296>
42fc5d26	98
c1a54c05 QY	99	.. index:: no rpki initial-synchronisation-timeout
c1a54c05 QY	100	.. clicmd:: no rpki initial-synchronisation-timeout
42fc5d26	101
c1a54c05 QY	102	Set the number of seconds until the first synchronization with the cache
	103	server needs to be completed. If the timeout expires, BGP routing is started
	104	without RPKI. The router will try to establish the cache server connection in
	105	the background.
42fc5d26	106
c1a54c05	107	The default value is 30 seconds.
42fc5d26	108
c1a54c05	109	The following commands configure one or multiple cache servers.
42fc5d26	110
c1a54c05 QY	111	.. index:: rpki cache (A.B.C.D\|WORD) PORT [SSH_USERNAME] [SSH_PRIVKEY_PATH] [SSH_PUBKEY_PATH] [KNOWN_HOSTS_PATH] PREFERENCE
c1a54c05 QY	112	.. clicmd:: rpki cache (A.B.C.D\|WORD) PORT [SSH_USERNAME] [SSH_PRIVKEY_PATH] [SSH_PUBKEY_PATH] [KNOWN_HOSTS_PATH] PREFERENCE
42fc5d26	113
c1a54c05 QY	114	.. index:: no rpki cache (A.B.C.D\|WORD) [PORT] PREFERENCE
c1a54c05 QY	115	.. clicmd:: no rpki cache (A.B.C.D\|WORD) [PORT] PREFERENCE
42fc5d26	116
c1a54c05 QY	117	Add a cache server to the socket. By default, the connection between router
	118	and cache server is based on plain TCP. Protecting the connection between
	119	router and cache server by SSH is optional. Deleting a socket removes the
	120	associated cache server and terminates the existing connection.
42fc5d26	121
c1a54c05 QY	122	A.B.C.D\|WORD
c1a54c05 QY	123	Address of the cache server.
42fc5d26	124
c1a54c05 QY	125	PORT
c1a54c05 QY	126	Port number to connect to the cache server
42fc5d26	127
c1a54c05 QY	128	SSH_USERNAME
c1a54c05 QY	129	SSH username to establish an SSH connection to the cache server.
42fc5d26 QY	130
42fc5d26 QY	131
c1a54c05 QY	132	SSH_PRIVKEY_PATH
c1a54c05 QY	133	Local path that includes the private key file of the router.
42fc5d26 QY	134
42fc5d26 QY	135
c1a54c05 QY	136	SSH_PUBKEY_PATH
c1a54c05 QY	137	Local path that includes the public key file of the router.
42fc5d26 QY	138
42fc5d26 QY	139
c1a54c05 QY	140	KNOWN_HOSTS_PATH
	141	Local path that includes the known hosts file. The default value depends
	142	on the configuration of the operating system environment, usually
	143	:file:`~/.ssh/known_hosts`.
42fc5d26 QY	144
	145
	146	.. _Validating_BGP_Updates:
	147
	148	Validating BGP Updates
	149	----------------------
	150
c1a54c05 QY	151	.. index:: match rpki notfound\|invalid\|valid
c1a54c05 QY	152	.. clicmd:: match rpki notfound\|invalid\|valid
42fc5d26	153
c1a54c05 QY	154	.. index:: no match rpki notfound\|invalid\|valid
c1a54c05 QY	155	.. clicmd:: no match rpki notfound\|invalid\|valid
42fc5d26	156
c1a54c05 QY	157	Create a clause for a route map to match prefixes with the specified RPKI
c1a54c05 QY	158	state.
42fc5d26	159
ec8404d8	160	Note that the matching of invalid prefixes requires that invalid
c1a54c05 QY	161	prefixes are considered for best path selection, i.e.,
c1a54c05 QY	162	``bgp bestpath prefix-validate disallow-invalid`` is not enabled.
42fc5d26 QY	163
	164	In the following example, the router prefers valid routes over invalid
	165	prefixes because invalid routes have a lower local preference.
a8c90e15	166
c1a54c05 QY	167	::
	168
	169	! Allow for invalid routes in route selection process
	170	route bgp 60001
	171	!
	172	! Set local preference of invalid prefixes to 10
	173	route-map rpki permit 10
	174	match rpki invalid
	175	set local-preference 10
	176	!
	177	! Set local preference of valid prefixes to 500
	178	route-map rpki permit 500
	179	match rpki valid
	180	set local-preference 500
42fc5d26 QY	181
	182
	183	.. _Debugging:
	184
	185	Debugging
	186	---------
	187
c1a54c05 QY	188	.. index:: debug rpki
c1a54c05 QY	189	.. clicmd:: debug rpki
42fc5d26	190
c1a54c05 QY	191	.. index:: no debug rpki
c1a54c05 QY	192	.. clicmd:: no debug rpki
42fc5d26	193
c1a54c05	194	Enable or disable debugging output for RPKI.
42fc5d26 QY	195
	196	.. _Displaying_RPKI:
	197
	198	Displaying RPKI
	199	---------------
	200
c1a54c05 QY	201	.. index:: show rpki prefix-table
c1a54c05 QY	202	.. clicmd:: show rpki prefix-table
42fc5d26	203
c1a54c05 QY	204	Display all validated prefix to origin AS mappings/records which have been
	205	received from the cache servers and stored in the router. Based on this data,
	206	the router validates BGP Updates.
42fc5d26	207
c1a54c05 QY	208	.. index:: show rpki cache-connection
c1a54c05 QY	209	.. clicmd:: show rpki cache-connection
42fc5d26	210
c1a54c05	211	Display all configured cache servers, whether active or not.
42fc5d26 QY	212
	213	RPKI Configuration Example
	214	--------------------------
	215
	216	::
	217
c1a54c05 QY	218	hostname bgpd1
	219	password zebra
	220	! log stdout
	221	debug bgp updates
	222	debug bgp keepalives
	223	debug rpki
	224	!
	225	rpki
	226	rpki polling_period 1000
	227	rpki timeout 10
	228	! SSH Example:
	229	rpki cache example.com 22 rtr-ssh ./ssh_key/id_rsa ./ssh_key/id_rsa.pub preference 1
	230	! TCP Example:
	231	rpki cache rpki-validator.realmv6.org 8282 preference 2
	232	exit
	233	!
	234	router bgp 60001
	235	bgp router-id 141.22.28.223
	236	network 192.168.0.0/16
	237	neighbor 123.123.123.0 remote-as 60002
	238	neighbor 123.123.123.0 route-map rpki in
	239	!
	240	address-family ipv6
	241	neighbor 123.123.123.0 activate
	242	neighbor 123.123.123.0 route-map rpki in
	243	exit-address-family
	244	!
	245	route-map rpki permit 10
	246	match rpki invalid
	247	set local-preference 10
	248	!
	249	route-map rpki permit 20
	250	match rpki notfound
	251	set local-preference 20
	252	!
	253	route-map rpki permit 30
	254	match rpki valid
	255	set local-preference 30
	256	!
	257	route-map rpki permit 40
	258	!
	259
a5a48dbf QY	260	.. [Securing-BGP] Geoff Huston, Randy Bush: Securing BGP, In: The Internet Protocol Journal, Volume 14, No. 2, 2011. <http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_14-2/142_bgp.html>
a5a48dbf QY	261	.. [Resource-Certification] Geoff Huston: Resource Certification, In: The Internet Protocol Journal, Volume 12, No.1, 2009. <http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_12-1/121_resource.html>