.. _Prefix_Origin_Validation_Using_RPKI:

Prefix Origin Validation Using RPKI
===================================

Prefix Origin Validation allows BGP routers to verify whether the origin AS of
an IP prefix is authorized to announce that prefix. The required attestation
objects are stored in the Resource Public Key Infrastructure (:abbr:`RPKI`).
RPKI-enabled routers do not store the cryptographic data themselves, only the
result of validating it. The validation of the cryptographic objects (so-called
Route Origin Authorization, or short :abbr:`ROA`, objects) is performed by
trusted cache servers, which hand the router the resulting validated ROA
payloads, i.e. prefix, maximum length and origin AS records. The RPKI/RTR
protocol defines a standard mechanism to keep this prefix/origin AS mapping
synchronized between the cache server and the routers. In combination with a
BGP Prefix Origin Validation scheme, a router is able to classify received BGP
updates without performing any cryptographic operations itself. The cache
server is therefore fully trusted: whatever records it delivers or withdraws
determine which origins the router considers authorized.

The RPKI/RTR protocol is defined in :rfc:`6810` and the validation scheme in
:rfc:`6811`. The current version of Prefix Origin Validation in FRR implements
both RFCs.
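
The exchange that :rfc:`6810` standardizes is compact enough to show in full.
The following Python is an added example (it is not FRR or rtrlib code): it
builds the two queries a router sends (a Reset Query for a full data set and a
Serial Query for changes since a serial number) and decodes a cache's reply,
Cache Response, Prefix PDUs and End of Data, into the set of prefix/maximum
length/origin AS records the router keeps instead of the ROAs. The reply, its
session id, serial number and prefix records are constructed here; a real
cache sends them over the TCP or SSH connection configured below.

```python
"""Encode RTR queries and decode an RTR (RFC 6810, protocol version 0) cache
reply into the table of validated prefix/origin records a router keeps.

Added example, not FRR or rtrlib code. The sample reply is constructed in-line;
its session id, serial number and prefix records are made up."""
import ipaddress
import struct

RTR_VERSION_0 = 0
# PDU types from RFC 6810 section 5
SERIAL_NOTIFY, SERIAL_QUERY, RESET_QUERY, CACHE_RESPONSE = 0, 1, 2, 3
IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA, CACHE_RESET, ERROR_REPORT = 4, 6, 7, 8, 10
FLAG_ANNOUNCE = 0x01   # flags bit 0: 1 = announce, 0 = withdraw
HEADER = "!BBHI"       # version, pdu type, session id (or zero), total length

def reset_query():
    """Router -> cache: request the complete current data set."""
    return struct.pack(HEADER, RTR_VERSION_0, RESET_QUERY, 0, 8)

def serial_query(session_id, serial):
    """Router -> cache: request changes since `serial` (sent every polling period)."""
    return struct.pack(HEADER, RTR_VERSION_0, SERIAL_QUERY, session_id, 12) + struct.pack("!I", serial)

def prefix_pdu(network, max_len, asn, announce=True):
    """Cache -> router: one IPv4 or IPv6 Prefix PDU (used here to build the sample reply)."""
    net = ipaddress.ip_network(network)
    addr = net.network_address.packed
    pdu_type = IPV4_PREFIX if net.version == 4 else IPV6_PREFIX
    length = 8 + 4 + len(addr) + 4          # header, flags/lengths, prefix, ASN
    flags = FLAG_ANNOUNCE if announce else 0
    return (struct.pack(HEADER, RTR_VERSION_0, pdu_type, 0, length)
            + struct.pack("!BBBB", flags, net.prefixlen, max_len, 0)
            + addr + struct.pack("!I", asn))

def decode_cache_reply(data):
    """Parse Cache Response, Prefix PDUs and End of Data into a set of
    (network, max_len, origin_asn) records; withdrawals remove records.
    Returns (records, serial). Any malformed or out-of-sequence PDU raises
    ValueError so a damaged reply never yields a partial table."""
    records = set()
    session_id = None
    offset = 0
    while offset < len(data):
        if len(data) - offset < 8:
            raise ValueError("truncated PDU header")
        version, pdu_type, field, length = struct.unpack_from(HEADER, data, offset)
        if version != RTR_VERSION_0:
            raise ValueError("unsupported protocol version %d" % version)
        if length < 8 or offset + length > len(data):
            raise ValueError("PDU length %d does not fit the data" % length)
        body = data[offset + 8:offset + length]
        offset += length
        if pdu_type == CACHE_RESPONSE:
            if body:
                raise ValueError("Cache Response carries no body")
            session_id = field
        elif pdu_type in (IPV4_PREFIX, IPV6_PREFIX):
            if session_id is None:
                raise ValueError("prefix PDU before Cache Response")
            addr_len = 4 if pdu_type == IPV4_PREFIX else 16
            if len(body) != 4 + addr_len + 4:
                raise ValueError("bad prefix PDU size %d" % len(body))
            flags, prefix_len, max_len, _zero = struct.unpack_from("!BBBB", body)
            # ip_network is strict: a record with host bits set is rejected, not masked
            net = ipaddress.ip_network((body[4:4 + addr_len], prefix_len))
            (asn,) = struct.unpack_from("!I", body, 4 + addr_len)
            if not prefix_len <= max_len <= net.max_prefixlen:
                raise ValueError("max length %d outside %d..%d" % (max_len, prefix_len, net.max_prefixlen))
            record = (net, max_len, asn)
            if flags & FLAG_ANNOUNCE:
                records.add(record)
            else:
                records.discard(record)
        elif pdu_type == END_OF_DATA:
            if field != session_id:
                raise ValueError("End of Data for a different session")
            if len(body) != 4:
                raise ValueError("bad End of Data size")
            (serial,) = struct.unpack("!I", body)
            return records, serial
        elif pdu_type == CACHE_RESET:
            raise ValueError("cache cannot serve an incremental update; send a Reset Query")
        elif pdu_type == ERROR_REPORT:
            raise ValueError("cache reported error code %d" % field)
        else:
            raise ValueError("unexpected PDU type %d" % pdu_type)
    raise ValueError("stream ended before End of Data")

def sample_cache_reply(session_id=0x1234, serial=42):
    """Constructed reply to a Reset Query: three announcements, then one withdrawal."""
    return b"".join([
        struct.pack(HEADER, RTR_VERSION_0, CACHE_RESPONSE, session_id, 8),
        prefix_pdu("192.0.2.0/24", 24, 64496),
        prefix_pdu("2001:db8::/32", 48, 64496),
        prefix_pdu("198.51.100.0/24", 24, 64497),
        prefix_pdu("198.51.100.0/24", 24, 64497, announce=False),
        struct.pack(HEADER, RTR_VERSION_0, END_OF_DATA, session_id, 12) + struct.pack("!I", serial),
    ])

if __name__ == "__main__":
    records, serial = decode_cache_reply(sample_cache_reply())
    print("serial", serial)
    for net, max_len, asn in sorted(records, key=str):
        print("%s-%d AS%d" % (net, max_len, asn))
```

Note that nothing in the PDUs authenticates the cache: the parser checks framing and sequencing only. That is why the transport choice in the cache server configuration matters.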

For a more detailed but still easy-to-read background, we suggest:

- [Securing-BGP]_
- [Resource-Certification]_

.. _Features_of_the_Current_Implementation:

Features of the Current Implementation
--------------------------------------

In a nutshell, the current implementation provides the following features:

- The BGP router can connect to one or more RPKI cache servers to receive
  validated prefix to origin AS mappings. Failover between caches is
  controlled by giving each configured cache server a different preference
  value.
- If no connection to an RPKI cache server can be established within a
  pre-defined timeout, the router processes routes without prefix origin
  validation, i.e. it fails open. It keeps trying to establish a connection
  to an RPKI cache server in the background.
- By default, enabling RPKI does not change best path selection. In particular,
  invalid prefixes are still considered during best path selection. However,
  the router can be configured to ignore all invalid prefixes.
- Route maps can be configured to match a specific RPKI validation state. This
  allows the creation of local policies which handle BGP routes based on the
  outcome of the Prefix Origin Validation.


.. _Enabling_RPKI:

Enabling RPKI
-------------

.. index:: rpki
.. clicmd:: rpki

   This command enables the RPKI configuration mode. Most commands that start
   with *rpki* can only be used in this mode.

   When it is used in a telnet session, leaving this mode causes RPKI to be
   initialized.

   Executing this command alone does not activate prefix validation. You need
   to configure at least one reachable cache server. See section
   :ref:`configuring-rpki-rtr-cache-servers` for configuring a cache server.

.. _configuring-rpki-rtr-cache-servers:

Configuring RPKI/RTR Cache Servers
----------------------------------

The following commands are independent of a specific cache server.

.. index:: rpki polling_period (1-3600)
.. clicmd:: rpki polling_period (1-3600)

.. index:: no rpki polling_period
.. clicmd:: no rpki polling_period

   Set the number of seconds the router waits before asking the cache server
   again for updated data.

   The default value is 300 seconds.

.. index:: rpki timeout <1-4,294,967,296>
.. clicmd:: rpki timeout <1-4,294,967,296>

.. index:: no rpki timeout
.. clicmd:: no rpki timeout

   Set the number of seconds the router waits for a reply from the cache. If
   the cache server does not reply within this period, the router deletes all
   received prefix records from its prefix table. With an empty prefix table
   every route is classified as ``notfound``, so a policy that only penalizes
   ``invalid`` routes silently stops having any effect until the cache is
   reachable again.

   The default value is 600 seconds.

.. index:: rpki initial-synchronisation-timeout <1-4,294,967,296>
.. clicmd:: rpki initial-synchronisation-timeout <1-4,294,967,296>

.. index:: no rpki initial-synchronisation-timeout
.. clicmd:: no rpki initial-synchronisation-timeout

   Set the number of seconds within which the first synchronization with the
   cache server has to be completed. If the timeout expires, BGP routing is
   started without RPKI. The router will keep trying to establish the cache
   server connection in the background.

   The default value is 30 seconds.

The following commands configure one or multiple cache servers.

.. index:: rpki cache (A.B.C.D|WORD) PORT [SSH_USERNAME] [SSH_PRIVKEY_PATH] [SSH_PUBKEY_PATH] [KNOWN_HOSTS_PATH] PREFERENCE
.. clicmd:: rpki cache (A.B.C.D|WORD) PORT [SSH_USERNAME] [SSH_PRIVKEY_PATH] [SSH_PUBKEY_PATH] [KNOWN_HOSTS_PATH] PREFERENCE

.. index:: no rpki cache (A.B.C.D|WORD) [PORT] PREFERENCE
.. clicmd:: no rpki cache (A.B.C.D|WORD) [PORT] PREFERENCE

   Add a cache server. By default, the connection between router and cache
   server is plain TCP, which neither authenticates the cache nor protects the
   transferred records: anyone able to inject or modify traffic on that path
   can add, alter or withdraw prefix records. Protecting the connection with
   SSH is optional and should be used unless the path to the cache is trusted
   (see the transport considerations in :rfc:`6810`). Deleting a cache server
   removes it from the configuration and terminates the existing connection.

   A.B.C.D|WORD
      Address or host name of the cache server.

   PORT
      Port number to connect to on the cache server.

   SSH_USERNAME
      SSH username used to establish an SSH connection to the cache server.

   SSH_PRIVKEY_PATH
      Local path of the router's private key file.

   SSH_PUBKEY_PATH
      Local path of the router's public key file.

   KNOWN_HOSTS_PATH
      Local path of the known hosts file, which pins the cache server's host
      key. The default value depends on the configuration of the operating
      system environment, usually :file:`~/.ssh/known_hosts`.

   PREFERENCE
      Preference of this cache server, used for failover between multiple
      configured cache servers. The server with the lowest preference value is
      used first; the others serve as fallback.


.. _Validating_BGP_Updates:

Validating BGP Updates
----------------------

.. index:: match rpki notfound|invalid|valid
.. clicmd:: match rpki notfound|invalid|valid

.. index:: no match rpki notfound|invalid|valid
.. clicmd:: no match rpki notfound|invalid|valid

   Create a clause for a route map to match prefixes with the specified RPKI
   state.

   **Note** that matching invalid prefixes requires that invalid prefixes are
   considered for best path selection, i.e., ``bgp bestpath prefix-validate
   disallow-invalid`` is not enabled.

   In the following example, the router prefers valid routes over invalid
   prefixes because invalid routes receive a lower local preference. As with
   every route map, a route that matches no clause is dropped by the implicit
   deny at the end, so a route map matching only ``invalid`` and ``valid``
   would reject all ``notfound`` routes; the final clause below lets them
   through with the default local preference.

   ::

      ! Allow for invalid routes in route selection process
      router bgp 60001
      !
      ! Set local preference of invalid prefixes to 10
      route-map rpki permit 10
       match rpki invalid
       set local-preference 10
      !
      ! Set local preference of valid prefixes to 500
      route-map rpki permit 500
       match rpki valid
       set local-preference 500
      !
      ! Accept everything else (notfound) with the default local preference
      route-map rpki permit 600
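
To see what the validation states and this policy actually do to a received
update, the following Python is an added example (not FRR code) that
implements the :rfc:`6811` classification over a prefix table, emulates the
first-match, implicit-deny evaluation of ``match rpki`` route-map clauses, and
then picks the path with the highest local preference among several peers
announcing the same prefix. The prefix table, the peers and the AS numbers are
constructed; FRR's real best path selection has many more tie-breakers than
the local-preference comparison shown here.

```python
"""RFC 6811 origin validation over a VRP table, followed by the route-map
policy from the example above and a best path pick by local preference.

Added example, not FRR code. The VRP table, peers and AS numbers are constructed."""
import ipaddress

# Constructed VRP table as a router holds it after syncing with a cache:
# (covering prefix, maximum length, authorised origin AS)
VRPS = [
    (ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    (ipaddress.ip_network("203.0.113.0/24"), 26, 64496),
    (ipaddress.ip_network("198.51.100.0/24"), 24, 0),   # AS 0 ROA: no origin is authorised
    (ipaddress.ip_network("2001:db8::/32"), 48, 64496),
]

def origin_validate(prefix, origin_as, vrps):
    """RFC 6811 section 2: 'notfound' if no VRP covers the prefix, 'valid' if a
    covering VRP names the same origin AS and its maximum length is at least
    the announced prefix length, otherwise 'invalid'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for net, max_len, asn in vrps:
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        if asn == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"

# Route maps as ordered clauses: (state to match, or None for "match anything",
# local preference to set, or None for "no set").
# The route map from the example above: invalid -> 10, valid -> 500, implicit deny otherwise.
EXAMPLE_ROUTE_MAP = [("invalid", 10), ("valid", 500)]
# The route map from the full configuration example at the end of this page.
FULL_ROUTE_MAP = [("invalid", 10), ("notfound", 20), ("valid", 30), (None, None)]
DEFAULT_LOCAL_PREF = 100

def apply_route_map(state, clauses):
    """First clause whose match succeeds wins; a route matching no clause is
    dropped by the implicit deny. Returns the local preference, or None if denied."""
    for match_state, local_pref in clauses:
        if match_state is None or match_state == state:
            return DEFAULT_LOCAL_PREF if local_pref is None else local_pref
    return None

def best_path(prefix, paths, vrps, clauses):
    """paths: list of (peer, origin AS) announcing the same prefix. Each path is
    validated and run through the inbound route map; the highest local
    preference wins (first peer on a tie). Returns (peer, local_pref, state),
    or None if every path was denied."""
    best = None
    for peer, origin_as in paths:
        state = origin_validate(prefix, origin_as, vrps)
        local_pref = apply_route_map(state, clauses)
        if local_pref is None:
            continue
        if best is None or local_pref > best[1]:
            best = (peer, local_pref, state)
    return best

if __name__ == "__main__":
    paths = [("hijacker", 64666), ("upstream", 64496)]
    print(best_path("192.0.2.0/24", paths, VRPS, EXAMPLE_ROUTE_MAP))
    print(best_path("10.0.0.0/8", [("upstream", 64500)], VRPS, EXAMPLE_ROUTE_MAP))
    print(best_path("10.0.0.0/8", [("upstream", 64500)], VRPS, FULL_ROUTE_MAP))
```

Running it shows the two properties worth checking in a real deployment: a hijacked path with the wrong origin loses to the valid one even when it arrives first, and a route map without a ``notfound`` clause returns ``None`` for uncovered prefixes, i.e. drops them.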


.. _Debugging:

Debugging
---------

.. index:: debug rpki
.. clicmd:: debug rpki

.. index:: no debug rpki
.. clicmd:: no debug rpki

   Enable or disable debugging output for RPKI.

.. _Displaying_RPKI:

Displaying RPKI
---------------

.. index:: show rpki prefix-table
.. clicmd:: show rpki prefix-table

   Display all validated prefix to origin AS mappings/records which have been
   received from the cache servers and stored in the router. Based on this data,
   the router validates BGP Updates.

.. index:: show rpki cache-connection
.. clicmd:: show rpki cache-connection

   Display all configured cache servers, whether active or not.

RPKI Configuration Example
--------------------------

::

   hostname bgpd1
   password zebra
   ! log stdout
   debug bgp updates
   debug bgp keepalives
   debug rpki
   !
   rpki
    rpki polling_period 1000
    rpki timeout 10
    ! SSH Example:
    rpki cache example.com 22 rtr-ssh ./ssh_key/id_rsa ./ssh_key/id_rsa.pub preference 1
    ! TCP Example:
    rpki cache rpki-validator.realmv6.org 8282 preference 2
    exit
   !
   router bgp 60001
    bgp router-id 141.22.28.223
    network 192.168.0.0/16
    neighbor 123.123.123.0 remote-as 60002
    neighbor 123.123.123.0 route-map rpki in
    !
    address-family ipv6
     neighbor 123.123.123.0 activate
     neighbor 123.123.123.0 route-map rpki in
    exit-address-family
   !
   route-map rpki permit 10
    match rpki invalid
    set local-preference 10
   !
   route-map rpki permit 20
    match rpki notfound
    set local-preference 20
   !
   route-map rpki permit 30
    match rpki valid
    set local-preference 30
   !
   route-map rpki permit 40
   !

.. [Securing-BGP] Geoff Huston, Randy Bush: Securing BGP. In: The Internet Protocol Journal, Volume 14, No. 2, 2011. <http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_14-2/142_bgp.html>
.. [Resource-Certification] Geoff Huston: Resource Certification. In: The Internet Protocol Journal, Volume 12, No. 1, 2009. <http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_12-1/121_resource.html>