nanog mailing list archives

Re: "Is BGP safe yet?" test


From: Baldur Norddahl <baldur.norddahl () gmail com>
Date: Tue, 21 Apr 2020 00:27:43 +0200

On Mon, Apr 20, 2020 at 8:47 PM Denys Fedoryshchenko <nuclearcat () nuclearcat com> wrote:

If I am not wrong, for most routers implementing RPKI means spinning up a VM with an RPKI cache that needs significant tinkering?
I guess it is a blocker for many, unless some "ready made" solutions are offered by vendors.
Also, if an ISP configures his router and it crashed because he installed some "no warranty whatsoever" software from the Cloudflare GitHub, what is next?
I guess this might not be welcome in support contracts.


The RPKI software is something you need to run on a server somewhere. Not
on the router itself.

For our Juniper MX204 routers this was all that I needed to do:

First install https://github.com/NLnetLabs/routinator on a server or VM
somewhere. The server IP address would be 10.x.y.z in this example.

set routing-options validation group rpki-validator session 10.x.y.z port 3323 local-address 10.a.b.c
set policy-options community origin-validation-state-invalid members 0x4300:0.0.0.0:2
set policy-options community origin-validation-state-unknown members 0x4300:0.0.0.0:1
set policy-options community origin-validation-state-valid members 0x4300:0.0.0.0:0
set policy-options policy-statement RPKI-CHECK term valid from protocol bgp
set policy-options policy-statement RPKI-CHECK term valid from validation-database valid
set policy-options policy-statement RPKI-CHECK term valid then validation-state valid
set policy-options policy-statement RPKI-CHECK term valid then community add origin-validation-state-valid
set policy-options policy-statement RPKI-CHECK term invalid from protocol bgp
set policy-options policy-statement RPKI-CHECK term invalid from validation-database invalid
set policy-options policy-statement RPKI-CHECK term invalid then validation-state invalid
set policy-options policy-statement RPKI-CHECK term invalid then community add origin-validation-state-invalid
set policy-options policy-statement RPKI-CHECK term unknown from protocol bgp
set policy-options policy-statement RPKI-CHECK term unknown from validation-database unknown
set policy-options policy-statement RPKI-CHECK term unknown then validation-state unknown
set policy-options policy-statement RPKI-CHECK term unknown then community add origin-validation-state-unknown
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-CHECK from policy RPKI-CHECK
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-INVALID from community origin-validation-state-invalid
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-INVALID then reject
set routing-instances internet protocols bgp group nlix import REJECT-RPKI-INVALID
set routing-instances internet protocols bgp group cogent import REJECT-RPKI-INVALID

And just like that we had RPKI invalid filtering on the NLIX routing server
and Cogent IP transit sessions. Since all of that is redundant, I took that
opportunity to sanity check that we still had the expected amount of routes
installed from these sources sans the invalids.

Attribution: I did not invent most of the above. It is from the free book "Day One: Deploying BGP Routing Security" from Juniper.

Regards,

Baldur
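The Junos policy above leaves the actual valid/invalid/unknown decision to the router's validation database, which is fed by Routinator over the RPKI-to-Router session on port 3323. The following is an added example, not code from Baldur's email or from Juniper's Day One book: it implements the RFC 6811 origin-validation decision in Python, tags each route with the same 0x4300:0.0.0.0:{0,1,2} origin-validation-state extended community the config uses, and mirrors REJECT-RPKI-INVALID by dropping invalids and reporting the per-state counts, which is the "expected amount of routes sans the invalids" sanity check the email mentions. The ROAs and routes are constructed sample data using documentation prefixes and private AS numbers; the function names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """A validated ROA payload as an RTR cache would hand it to a router."""
    prefix: str       # covering prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the ROA authorises
    asn: int          # authorised origin AS; 0 means "no AS may originate this"


# Extended community values from the Junos config (RFC 8097 origin validation state).
OV_STATE_COMMUNITY = {
    "valid": "0x4300:0.0.0.0:0",
    "unknown": "0x4300:0.0.0.0:1",
    "invalid": "0x4300:0.0.0.0:2",
}


def validate_origin(prefix, origin_asn, roas):
    """RFC 6811 route origin validation.

    unknown: no ROA covers the prefix at all.
    valid:   at least one covering ROA lists the origin AS and the route is not
             more specific than that ROA's maxLength.
    invalid: covering ROAs exist but none matches (wrong AS, too specific, or AS0).
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != net.version:
            continue  # subnet_of() refuses to compare v4 with v6
        if net.subnet_of(roa_net):
            covering.append((roa, roa_net))
    if not covering:
        return "unknown"
    for roa, roa_net in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def apply_reject_invalid(routes, roas):
    """Mirror the REJECT-RPKI-INVALID import policy.

    Every route is tagged with its validation-state community; invalids are
    rejected. Returns the accepted routes plus a per-state tally for the
    post-change sanity check.
    """
    counts = {"valid": 0, "invalid": 0, "unknown": 0}
    accepted = []
    for prefix, origin in routes:
        state = validate_origin(prefix, origin, roas)
        counts[state] += 1
        if state != "invalid":
            accepted.append((prefix, origin, OV_STATE_COMMUNITY[state]))
    return accepted, counts


# Constructed sample data (documentation prefixes, private ASNs); not real ROAs.
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/24", 26, 64497),
    Roa("203.0.113.0/24", 24, 0),          # AS0 ROA: nobody may originate this
    Roa("2001:db8::/32", 48, 64496),
]

SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64496),       # valid
    ("192.0.2.0/25", 64496),       # invalid: more specific than maxLength 24
    ("192.0.2.0/24", 64511),       # invalid: wrong origin AS
    ("198.51.100.64/26", 64497),   # valid: /26 allowed by maxLength
    ("203.0.113.0/24", 64498),     # invalid: covered only by an AS0 ROA
    ("100.64.0.0/10", 64499),      # unknown: no covering ROA
    ("2001:db8:1::/48", 64496),    # valid
    ("2001:db8::/32", 64500),      # invalid: wrong origin AS
]


if __name__ == "__main__":
    accepted, counts = apply_reject_invalid(SAMPLE_ROUTES, SAMPLE_ROAS)
    print("per-state counts:", counts)
    for prefix, origin, community in accepted:
        print(f"accepted {prefix} origin AS{origin} community {community}")
```

Run it and compare the counts with the session's route totals before and after enabling the policy: the accepted count should equal the previous total minus the invalid tally, and no accepted route should carry the :2 community. Note that a ROA's maxLength only widens what a single ROA authorises; a more-specific announcement covered by a ROA but beyond its maxLength is invalid, not unknown, which is why deaggregation under a ROA is the most common cause of self-inflicted invalids.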
