nanog mailing list archives

RPKI OV implementation in route-map


From: Job Snijders <job () instituut net>
Date: Wed, 1 Apr 2020 20:52:46 +0000

Dear Mark, group,

On Tue, Mar 31, 2020 at 03:50:23PM +0200, Mark Tinka wrote:
> On 31/Mar/20 15:21, Dorian Kim wrote:
>> Unfortunately we don’t have any testing done or experience with RPKI
>> on XE or Classic boxes as we don’t have any deployed outside of OOB
>> infrastructure.
>
> Cherish your blessings, and for the time being, keep them that way :-).

Since it was a quiet day in early April, Ben and I whipped up something
to generate config in industry standard format to mimic the RFC 6811
RPKI based BGP Origin Validation procedure. It uses the 'route-map'
configuration construct found in some older BGP implementations.

    https://github.com/job/rpki-ov-route-map

We didn't test this in production, but I reckon you can upload the
generated output into the router's 'running-config' using an hourly
crontab, TFTP, RANCID, and expect(1). Here is an example config to
copy+paste. If we don't hear back from you we'll assume success.

    (warning: large text file)
    https://raw.githubusercontent.com/job/rpki-ov-route-map/master/example-route-map-configuration.txt

After applying the above you can reference 'rpki-ov' at each of your
EBGP peers as ingress policy: "neighbor x.x.x.x route-map rpki-ov in".

Be careful though, performance may not be as good as a native RPKI OV
implementation!

Cheers,

Job & Ben
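
For reference, the RFC 6811 origin validation procedure that the message says the generated route-map mimics, as an added example that is not part of the original message and not code from the rpki-ov-route-map repository. The VRP table is constructed sample data (documentation prefixes, private-use ASNs), and the names `VRP`, `vrp` and `validate` are hypothetical.

```python
import ipaddress
from typing import NamedTuple, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

class VRP(NamedTuple):
    """Validated ROA Payload: prefix, maximum length, authorized origin AS."""
    prefix: Network
    max_length: int
    asn: int

def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix), max_length, asn)

# Constructed sample VRPs, not real RPKI data.
VRPS = [
    vrp("192.0.2.0/24", 24, 64500),
    vrp("198.51.100.0/24", 25, 64501),
    vrp("2001:db8::/32", 48, 64502),
    vrp("203.0.113.0/24", 24, 0),  # AS 0 VRP: covers the prefix, matches nothing
]

def validate(route_prefix: str, origin_asn: Optional[int], vrps=VRPS) -> str:
    """Classify a route as 'valid', 'invalid' or 'notfound' (RFC 6811).

    origin_asn is None when no origin AS can be determined (for example
    the AS_PATH ends in an AS_SET); such a route never matches a VRP.
    """
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for v in vrps:
        # Covered: same address family and the route prefix is equal to
        # or more specific than the VRP prefix.
        if v.prefix.version != route.version or not route.subnet_of(v.prefix):
            continue
        covered = True
        # Matched: covered, not longer than max_length, same origin AS.
        if route.prefixlen <= v.max_length and v.asn != 0 and origin_asn == v.asn:
            return "valid"
    # Covered by at least one VRP but matched by none is invalid;
    # covered by no VRP at all is notfound.
    return "invalid" if covered else "notfound"
```

The result is a three-state outcome per route, and a route that is more specific than a VRP's maximum length is invalid even when the origin AS is the authorized one.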

