Router Configuration
RPKI Configuration with JunOS
RPKI Configuration with Cisco IOS
RPKI Configuration with JunOS
Juniper provides official support for RPKI since release 12.2.
Juniper has detailed documentation available on configuring Origin Validation for BGP.
Step 1: Set up your JunOS configuration
a) Set up communication with the RPKI Validator service
The first step for using origin validation data within your Juniper router is to set up communication with the RPKI Validator toolset. In this example, it is running at IP 10.1.1.6 and the router identifies itself as 10.1.1.5.
routing-options {
    autonomous-system 64511;
    validation {
        group rpki-validator {
            session 10.1.1.6 {
                refresh-time 120;
                hold-time 180;
                port 8282;
                local-address 10.1.1.5;
            }
        }
    }
}
b) Assign a local-preference to the RPKI validity attribute of the prefix
The next step is to define your routing policy based upon the validation state. We will follow the advice in the IETF standards by preferring valid over unknown, and valid and unknown over invalid. In this example, we’ll use the local preference as the determining factor for the routing policy. It's up to you as an operator to decide if and how you want to use this information.
policy-options {
    policy-statement route-validation {
        term valid {
            from {
                protocol bgp;
                validation-database valid;
            }
            then {
                local-preference 110;
                validation-state valid;
                accept;
            }
        }
        term invalid {
            from {
                protocol bgp;
                validation-database invalid;
            }
            then {
                local-preference 90;
                validation-state invalid;
                accept;
            }
        }
        term unknown {
            from {
                protocol bgp;
            }
            then {
                local-preference 100;
                validation-state unknown;
                accept;
            }
        }
    }
}
c) Configure the BGP neighbours and policies
The last step is to apply the import policy to the BGP neighbours: in this case, a single router at 10.1.1.2.
protocols {
    bgp {
        group mypeers {
            import route-validation;
            peer-as 200;
            neighbor 10.1.1.2;
        }
    }
}
Step 2: Verify the connection to the RPKI Validator service
Now that everything is configured, test if the connection to the RPKI Validator service is working properly.
junos.rpki.example.net> show validation session detail
Session 10.1.1.6, State: up, Session index: 2
  Group: rpki-validator, Preference: 100
  Local IPv4 address: 10.1.1.5, Port: 8282
  Refresh time: 120s
  Hold time: 180s
  Record Life time: 3600s
  Serial (Full Update): 441
  Serial (Incremental Update): 441
  Session flaps: 989
  Session uptime: 00:10:08
  Last PDU received: 00:00:08
  IPv4 prefix count: 1183
  IPv6 prefix count: 305

junos.rpki.example.net> show validation statistics
  Total RV records: 1487
  Total Replication RV records: 2946
  Prefix entries: 1382
  Origin-AS entries: 1487
  Memory utilization: 440802 bytes
  Policy origin-validation requests: 13065187
    Valid: 35605
    Invalid: 37896
    Unknown: 12991686
  BGP import policy reevaluation notifications: 27306
    inet.0, 27306
    inet6.0, 0

junos.rpki.example.net> show validation database
RV database for instance master

  Prefix                 Origin-AS   Session      State     Mismatch
  24.232.0.0/16-32       10318       10.1.1.6     valid
  31.3.8.0/21-21         5524        10.1.1.6     valid
  31.7.8.0/21-21         8676        10.1.1.6     valid
  …
  2a03:b600::/32-32      41659       10.1.1.6     valid
  2a03:cd80::/32-32      16354       10.1.1.6     valid
  2a03:fa00::/32-32      28760       10.1.1.6     valid

  IPv4 records: 1164
  IPv6 records: 302
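Step 2 is the check that tends to be done once and then forgotten, while a dead RTR session silently turns every route into "unknown". The following script is an added example, not part of this guide or of JunOS: it parses the "show validation session detail" output shown above (copied here as a constructed sample with the same values) and reports the conditions an operator would want alerted on: session not up, last PDU older than the hold time, no VRPs delivered, or an unusually high flap count. The threshold of 100 flaps is an assumption chosen for the example.

```python
"""Health check over JunOS 'show validation session detail' output.

Added example, not part of the original guide. It assumes the field names and
layout of the output shown above and returns a list of problems; an empty list
means the RTR session to the validator looks healthy.
"""
import re

# Constructed copy of the output shown above (same values as on the page).
SAMPLE_OUTPUT = """\
Session 10.1.1.6, State: up, Session index: 2
  Group: rpki-validator, Preference: 100
  Local IPv4 address: 10.1.1.5, Port: 8282
  Refresh time: 120s
  Hold time: 180s
  Record Life time: 3600s
  Serial (Full Update): 441
  Serial (Incremental Update): 441
  Session flaps: 989
  Session uptime: 00:10:08
  Last PDU received: 00:00:08
  IPv4 prefix count: 1183
  IPv6 prefix count: 305
"""


def hms_to_seconds(text: str) -> int:
    """Convert a JunOS 'hh:mm:ss' timer to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_session(output: str) -> dict:
    """Extract the fields the health check needs from one session block."""
    fields = {}
    m = re.search(r"Session (\S+), State: (\w+)", output)
    fields["peer"], fields["state"] = m.group(1), m.group(2)
    for key, pattern, conv in (
        ("hold_time", r"Hold time: (\d+)s", int),
        ("refresh_time", r"Refresh time: (\d+)s", int),
        ("flaps", r"Session flaps: (\d+)", int),
        ("uptime", r"Session uptime: ([\d:]+)", hms_to_seconds),
        ("last_pdu", r"Last PDU received: ([\d:]+)", hms_to_seconds),
        ("ipv4_count", r"IPv4 prefix count: (\d+)", int),
        ("ipv6_count", r"IPv6 prefix count: (\d+)", int),
    ):
        m = re.search(pattern, output)
        fields[key] = conv(m.group(1)) if m else None
    return fields


def check_session(output: str, max_flaps: int = 100) -> list:
    """Return human-readable problems with the RTR session; [] if healthy."""
    s = parse_session(output)
    problems = []
    if s["state"] != "up":
        problems.append(f"session to {s['peer']} is {s['state']}")
    # A PDU older than the hold time means the router is about to drop the
    # session and the VRPs it holds are no longer refreshed.
    if s["last_pdu"] is not None and s["hold_time"] and s["last_pdu"] > s["hold_time"]:
        problems.append("last PDU older than hold time; VRPs may be stale")
    if not (s["ipv4_count"] or s["ipv6_count"]):
        problems.append("validator delivered zero VRPs; all routes will be 'unknown'")
    # Threshold is an assumption for this example; tune it per deployment.
    if s["flaps"] is not None and s["flaps"] > max_flaps:
        problems.append(f"{s['flaps']} session flaps recorded (threshold {max_flaps})")
    return problems


if __name__ == "__main__":
    for problem in check_session(SAMPLE_OUTPUT) or ["session healthy"]:
        print(problem)
```

Run against the page's own output the check flags only the flap counter (989 flaps with ten minutes of uptime); everything else, including the eight-second-old PDU against a 180 s hold time, passes.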
Step 3: Verify if your policy is applied correctly
Lastly, verify if your routing policy is correctly applied to your routes.
junos.rpki.example.net> show route protocol bgp validation-state valid

inet.0: 376619 destinations, 376620 routes (376617 active, 0 holddown, 2 hidden)
+ = Active Route, - = Last Active, * = Both

24.232.0.0/16      *[BGP/170] 6d 08:43:35, localpref 110, from 10.1.1.2
                      AS path: 33926 3356 12956 12956 22927 10481 10318 I, validation-state: valid
                    > to 193.34.50.1 via em0.0
24.232.0.0/19      *[BGP/170] 6d 08:43:35, localpref 110, from 10.1.1.2
                      AS path: 33926 3356 12956 12956 22927 10481 10318 I, validation-state: valid
                    > to 193.34.50.1 via em0.0
…

junos.rpki.example.net> show route protocol bgp validation-state invalid

inet.0: 376613 destinations, 376614 routes (376611 active, 0 holddown, 2 hidden)
+ = Active Route, - = Last Active, * = Both

31.24.224.0/21     *[BGP/170] 04:44:02, localpref 90, from 10.1.1.2
                      AS path: 33926 9009 13213 197820 I, validation-state: invalid
                    > to 193.34.50.1 via em0.0
31.25.151.0/24     *[BGP/170] 1w3d 19:30:36, localpref 90, from 10.1.1.2
                      AS path: 33926 3356 43646 48299 I, validation-state: invalid
                    > to 193.34.50.1 via em0.0
…

junos.rpki.example.net> show route protocol bgp validation-state unknown

inet.0: 376618 destinations, 376619 routes (376616 active, 0 holddown, 2 hidden)
+ = Active Route, - = Last Active, * = Both

1.0.25.0/24        *[BGP/170] 1w3d 19:31:04, localpref 100, from 10.1.1.2
                      AS path: 33926 3356 2516 2519 I, validation-state: unknown
                    > to 193.34.50.1 via em0.0
1.0.26.0/23        *[BGP/170] 1w3d 19:31:04, localpref 100, from 10.1.1.2
                      AS path: 33926 3356 2516 2519 I, validation-state: unknown
                    > to 193.34.50.1 via em0.0
…
Note: There is an additional state in JunOS called “unverified”, which marks prefixes that have not been evaluated by any validation policy. If routes show up in this state, there is most likely a BGP neighbour session that does not have the route-validation import policy applied. You can verify this with the following command:
junos.rpki.example.net> show route protocol bgp validation-state unverified
Try it yourself in the public test bed
There are public test beds available with RPKI-capable Juniper routers, which are connected to the RIPE NCC RPKI Validator. When you create a ROA in the RIPE NCC Resource Certification service, you can check the effects on your BGP announcements yourself.
Kaia Global Networks
Public RIPE NCC RPKI Validator
Juniper Routers: 193.34.50.25, 193.34.50.26
telnet username: rpki
password: testbed
RPKI Configuration with Cisco IOS
RPKI is officially supported on the following Cisco platforms:
ASR1000, 7200, 7600, ASR903 and ASR901 in releases 15.2(1)S or XE 3.5.
An Early Field Trial (EFT) is currently available for the following platforms:
ASR9000, CRS1, CRS3 and c12K (IOS-XR).
Please contact your local Cisco representative for an EFT image, or contact certification [at] ripe [dot] net for more information.
Cisco has detailed information available on the "match rpki" command in the BGP Command Reference.
Step 1: Set up your IOS configuration
a) Set up communication with the RPKI Validator service
The first step for using origin validation data within your Cisco router is to set up communication with the RPKI Validator toolset. In this example, it is running at IP 10.1.1.6.
cisco-rpki-rtr#show running-config | begin bgp
router bgp 64500
 bgp log-neighbor-changes
 bgp rpki server tcp 10.1.1.6 port 8282 refresh 600
b) Assign a local-preference to the RPKI validity attribute of the prefix
The next step is to define your routing policy based upon the validation state. We will follow the advice in the IETF standards by preferring valid over unknown, and valid and unknown over invalid. In this example, we’ll use the local preference as the determining factor for the routing policy. It's up to you as an operator to decide if and how you want to use this information.
!
route-map rpki-loc-pref permit 10
 match rpki invalid
 set local-preference 90
!
route-map rpki-loc-pref permit 20
 match rpki not-found
 set local-preference 100
!
route-map rpki-loc-pref permit 30
 match rpki valid
 set local-preference 110
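Both the JunOS route-validation policy (Step 1b above) and this Cisco route-map only map a validation state to a local preference; the state itself comes from comparing each route's prefix and origin AS against the VRPs the validator delivers over RTR. The following script is an added example, not part of this guide, of JunOS or of IOS: it re-implements that comparison as specified in RFC 6811 (covered by a VRP, matched on maximum length and origin AS) and applies the same 110/100/90 mapping. The first three VRPs are taken from the "show validation database" output in the JunOS section; the fourth, for 31.24.224.0/21 with origin AS64496, is constructed so that an invalid route exists (the real ROA that makes that prefix invalid on the page is not shown). The routes tested are the ones from the "show route" output, plus a constructed /23 more-specific to show the maximum-length rule.

```python
"""Origin validation (RFC 6811) plus the local-preference policy from this page.

Added example, not part of the original guide. It reproduces what the router
does when 'validation-database' (JunOS) or 'match rpki' (IOS) is evaluated and
then applies the policy above: valid 110, unknown/not-found 100, invalid 90.
"""
import ipaddress
from dataclasses import dataclass
from typing import Union

# Local-preference values from the route-validation policy / rpki-loc-pref route-map.
LOCAL_PREF = {"valid": 110, "unknown": 100, "invalid": 90}

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: prefix, maximum length and authorised origin AS."""
    prefix: Network
    max_length: int
    origin_as: int


def parse_vrp(line: str) -> VRP:
    """Parse one 'show validation database' line, e.g.
    '24.232.0.0/16-32 10318 10.1.1.6 valid' (prefix/len-maxlen, origin AS, ...)."""
    fields = line.split()
    prefix_part, maxlen = fields[0].rsplit("-", 1)
    return VRP(ipaddress.ip_network(prefix_part), int(maxlen), int(fields[1]))


def validate(route_prefix: str, origin_as: int, vrps) -> str:
    """Return 'valid', 'invalid' or 'unknown' (RFC 6811 'NotFound').

    covered: some VRP prefix contains the route prefix (max-length is ignored here)
    matched: covered AND route length <= max-length AND origin AS equal
    valid if any VRP matches; invalid if covered but none matches; unknown otherwise.
    """
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        # subnet_of() raises on mixed address families, so compare versions first.
        if route.version != vrp.prefix.version or not route.subnet_of(vrp.prefix):
            continue
        covered = True
        if route.prefixlen <= vrp.max_length and vrp.origin_as == origin_as:
            return "valid"
    return "invalid" if covered else "unknown"


def policy(route_prefix: str, origin_as: int, vrps):
    """Apply the page's policy: returns (validation state, local-preference)."""
    state = validate(route_prefix, origin_as, vrps)
    return state, LOCAL_PREF[state]


# VRPs: first three copied from the 'show validation database' output above;
# the last one is constructed for this example (AS64496 is a documentation ASN).
VRPS = [parse_vrp(line) for line in (
    "24.232.0.0/16-32 10318 10.1.1.6 valid",
    "31.3.8.0/21-21 5524 10.1.1.6 valid",
    "2a03:b600::/32-32 41659 10.1.1.6 valid",
    "31.24.224.0/21-21 64496 10.1.1.6 valid",  # constructed
)]

if __name__ == "__main__":
    # Origin AS is the last ASN in the AS path of the 'show route' output above.
    for prefix, asn in [("24.232.0.0/19", 10318), ("31.24.224.0/21", 197820),
                        ("1.0.25.0/24", 2519), ("31.3.8.0/23", 5524),
                        ("2a03:b600::/32", 41659)]:
        print(prefix, asn, policy(prefix, asn, VRPS))
```

The /16-32 VRP for AS10318 is why both 24.232.0.0/16 and 24.232.0.0/19 come back valid, while 31.3.8.0/23 from AS5524 is invalid despite the correct origin: the VRP for 31.3.8.0/21 has max-length 21, so a covered but longer announcement fails the match.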
c) Configure the BGP neighbours and policies
The last step is to apply the import policy to the BGP neighbours: in this case, a single router at 10.1.1.2.
cisco-rpki-rtr#show running-config | begin bgp
router bgp 64500
 bgp log-neighbor-changes
 bgp rpki server tcp 10.1.1.6 port 8282 refresh 5
 network 192.0.2.0
 neighbor 10.1.1.2 remote-as 64510
 neighbor 10.1.1.2 route-map rpki-loc-pref in
!
Step 2: Verify the connection to the RPKI Validator service
Now that everything is configured, test if the connection to the RPKI Validator service is working properly.
cisco-rpki-rtr>show ip bgp rpki server
BGP SOVC neighbor is 10.1.1.6/8282 connected to port 8282
  Flags 64, Refresh time is 30