Router Configuration
- RPKI Configuration with Junos OS
- RPKI Configuration with OpenBGPD
- RPKI Configuration with Arista EOS
- RPKI Configuration with Nokia SR OS
RPKI Configuration With Junos OS
Juniper has provided official support for RPKI since release 12.2.
Juniper has detailed documentation available on configuring Origin Validation for BGP.
Step 1: Set Up Your Junos OS Configuration
a) Set up communication with the RPKI Validator service
The first step for using origin validation data within your Juniper router is to set up communication with the RPKI Validator toolset. In this example, it is running at IP 10.1.1.6 and the router identifies itself as 10.1.1.5.
routing-options {
    autonomous-system 64511;
    validation {
        group rpki-validator {
            session 10.1.1.6 {
                refresh-time 120;
                hold-time 180;
                port 8282;
                local-address 10.1.1.5;
            }
        }
    }
}
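What flows over the session configured above is the RPKI-to-Router protocol (RFC 8210): the validator pushes IPv4/IPv6 Prefix PDUs, each carrying one VRP (prefix, max-length, origin AS) with an announce/withdraw flag. The following Python is an added example, not part of this page or of Junos, that decodes a constructed PDU stream into VRP records and rejects truncated or mis-sized PDUs; the PDU type numbers and layout are from the RFC, and the sample records match entries shown in the database output later on this page.

```python
import ipaddress
import struct
from typing import NamedTuple

# RFC 8210 PDU types seen on an RPKI-RTR session such as the one configured above.
PDU_IPV4_PREFIX, PDU_IPV6_PREFIX, PDU_END_OF_DATA = 4, 6, 7


class VRP(NamedTuple):
    prefix: str      # e.g. "24.232.0.0/16"
    max_length: int  # shown by Junos as the "-32" in "24.232.0.0/16-32"
    asn: int
    announce: bool   # flags bit 0: 1 = announce, 0 = withdraw


def encode_prefix_pdu(prefix: str, max_length: int, asn: int, announce: bool = True) -> bytes:
    """Build an IPv4 (type 4) or IPv6 (type 6) Prefix PDU; used here only to construct sample input."""
    net = ipaddress.ip_network(prefix)
    ptype = PDU_IPV4_PREFIX if net.version == 4 else PDU_IPV6_PREFIX
    body = struct.pack("!BBBB", int(announce), net.prefixlen, max_length, 0)
    body += net.network_address.packed + struct.pack("!I", asn)
    return struct.pack("!BBHI", 1, ptype, 0, 8 + len(body)) + body


def decode_rtr_stream(stream: bytes) -> list[VRP]:
    """Walk a byte stream of RTR PDUs and return the VRPs it announces or withdraws."""
    vrps, off = [], 0
    while off + 8 <= len(stream):
        version, ptype, _, length = struct.unpack_from("!BBHI", stream, off)
        if version not in (0, 1) or length < 8 or off + length > len(stream):
            raise ValueError(f"bad PDU at offset {off}: version={version} length={length}")
        if ptype in (PDU_IPV4_PREFIX, PDU_IPV6_PREFIX):
            addr_len = 4 if ptype == PDU_IPV4_PREFIX else 16
            if length != 16 + addr_len:  # 8-byte header + 4 flag/length bytes + address + ASN
                raise ValueError(f"prefix PDU with wrong length {length} at offset {off}")
            flags, plen, maxlen, _ = struct.unpack_from("!BBBB", stream, off + 8)
            addr = stream[off + 12:off + 12 + addr_len]
            (asn,) = struct.unpack_from("!I", stream, off + 12 + addr_len)
            net = ipaddress.ip_network((addr, plen), strict=False)
            vrps.append(VRP(str(net), maxlen, asn, bool(flags & 1)))
        off += length  # every other PDU type (Serial Notify, End of Data, ...) is skipped by length
    if off != len(stream):
        raise ValueError(f"{len(stream) - off} trailing byte(s) after the last complete PDU")
    return vrps


# Constructed sample stream: two records that also appear in the Junos database output on this page,
# an End of Data PDU (type 7, 16-byte body in protocol version 1) and one withdrawal.
SAMPLE_STREAM = (
    encode_prefix_pdu("24.232.0.0/16", 32, 10318)
    + encode_prefix_pdu("2a03:b600::/32", 32, 41659)
    + struct.pack("!BBHI", 1, PDU_END_OF_DATA, 6, 24) + bytes(16)
    + encode_prefix_pdu("31.3.8.0/21", 21, 5524, announce=False)
)
```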
b) Assign a local-preference to the RPKI validity attribute of the prefix
The next step is to define your routing policy based upon the validation state. We will follow the best current operational practice to drop RPKI invalid BGP routes. It's up to you as an operator to decide if and how you want to use this information.
policy-statement rpki {
    term reject_invalid {
        from {
            protocol bgp;
            validation-database invalid;
        }
        then {
            validation-state invalid;
            reject;
        }
    }
    term mark_valid {
        from {
            protocol bgp;
            validation-database valid;
        }
        then {
            validation-state valid;
            next policy;
        }
    }
    then {
        validation-state unknown;
        next policy;
    }
}
Step 2: Verify the connection to the RPKI Validator service
Now that everything is configured, test if the connection to the RPKI Validator service is working properly.
junos.rpki.example.net> show validation session detail
Session 10.1.1.6, State: up, Session index: 2
Group: rpki-validator, Preference: 100
Local IPv4 address: 10.1.1.5, Port: 8282
Refresh time: 120s
Hold time: 180s
Record Life time: 3600s
Serial (Full Update): 441
Serial (Incremental Update): 441
Session flaps: 989
Session uptime: 00:10:08
Last PDU received: 00:00:08
IPv4 prefix count: 1183
IPv6 prefix count: 305
junos.rpki.example.net> show validation statistics
Total RV records: 1487
Total Replication RV records: 2946
Prefix entries: 1382
Origin-AS entries: 1487
Memory utilization: 440802 bytes
Policy origin-validation requests: 13065187
Valid: 35605
Invalid: 37896
Unknown: 12991686
BGP import policy reevaluation notifications: 27306
inet.0, 27306
inet6.0, 0
junos.rpki.example.net> show validation database
RV database for instance master
Prefix                  Origin-AS   Session     State   Mismatch
24.232.0.0/16-32        10318       10.1.1.6    valid
31.3.8.0/21-21          5524        10.1.1.6    valid
31.7.8.0/21-21          8676        10.1.1.6    valid
…
2a03:b600::/32-32       41659       10.1.1.6    valid
2a03:cd80::/32-32       16354       10.1.1.6    valid
2a03:fa00::/32-32       28760       10.1.1.6    valid
IPv4 records: 1164
IPv6 records: 302
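Each line of that database is one VRP (prefix, max-length, origin AS), and the validation-state that the policy in Step 1 keys on (and that the OpenBGPD, Arista and Nokia policies further down key on) is derived from these records as described in RFC 6811. The following Python is an added example, not Junos code, that parses records in this output format and classifies a route as valid, invalid or unknown; the sample records are taken from the output above, and the route/origin-AS pairs it is exercised with are constructed.

```python
from __future__ import annotations

import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def parse_junos_vrp_lines(text: str) -> list[VRP]:
    """Parse 'prefix/len-maxlen origin-as session state' records as printed by
    'show validation database'; header, separator and count lines are ignored."""
    vrps = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or "/" not in fields[0] or "-" not in fields[0]:
            continue
        prefix_str, max_length = fields[0].rsplit("-", 1)
        vrps.append(VRP(ipaddress.ip_network(prefix_str), int(max_length), int(fields[1])))
    return vrps


def origin_validation_state(route: str, origin_as: int, vrps: list[VRP]) -> str:
    """RFC 6811 decision: 'unknown' when no VRP covers the route, 'valid' when a
    covering VRP has the same origin AS and the route is no longer than its
    max-length, otherwise 'invalid' (an AS 0 VRP covers but never matches)."""
    net = ipaddress.ip_network(route)
    covered = False
    for vrp in vrps:
        if vrp.prefix.version != net.version or not net.subnet_of(vrp.prefix):
            continue
        covered = True
        if vrp.asn != 0 and vrp.asn == origin_as and net.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "unknown"


# Constructed sample in the format of the 'show validation database' output above.
SAMPLE_DB = """\
RV database for instance master
Prefix              Origin-AS  Session   State  Mismatch
24.232.0.0/16-32    10318      10.1.1.6  valid
31.3.8.0/21-21      5524       10.1.1.6  valid
2a03:b600::/32-32   41659      10.1.1.6  valid
IPv4 records: 2
IPv6 records: 1
"""
VRPS = parse_junos_vrp_lines(SAMPLE_DB)
```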
Step 3: Verify if your policy is applied correctly
Lastly, verify if your routing policy is correctly applied to your routes.
Show caches
# run show validation session
Show ROA
# run show validation database
# run show validation database record 45.141.16.0/22
Show BGP prefix
# run show route 45.141.16.0/22
Show invalid prefixes
# run show route validation-state invalid
Show unknown prefixes
# run show route validation-state unknown
Show valid prefixes
# run show route validation-state valid
Note: There is an additional state in Junos OS called “unverified”, which indicates prefixes that have not been evaluated by a validation policy. This means there may be a BGP neighbour session that does not have an import policy with route validation applied. You can verify this with the following command:
junos.rpki.example.net> show route protocol bgp validation-state unverified
RPKI Configuration with OpenBGPD
This is an example of how to do Origin Validation without the RPKI-to-Router protocol. Ensure the rpki-client root crontab entry is enabled and runs every hour. The ~ in the minute field lets OpenBSD cron pick a random minute, and the -ns flags suppress mail on success and prevent overlapping runs.
# crontab -l | grep rpki
~	*	*	*	*	-ns rpki-client && bgpctl reload
Import the rpki-client generated config and instruct bgpd to reject RPKI invalid routes:
include "/var/db/rpki-client/openbgpd"   # consume VRPs from rpki-client
deny quick from ebgp ovs invalid         # don't import invalids
deny quick to ebgp ovs invalid           # don't export invalids
It is REALLY NOT recommended to set or modify any BGP Path Attributes based on the Origin Validation state (keyword: ovs).
RPKI Configuration with Arista EOS
route-map RPKI permit 10
   match origin-as validity valid
   set local-preference 200
   set community 65535:10
!
route-map RPKI permit 20
   match origin-as validity not-found
   set local-preference 100
   set community 65535:20
!
route-map RPKI deny 30
   match origin-as validity invalid
!
router bgp 65530
   neighbor 172.16.3.1 remote-as 65501
   neighbor 172.16.3.1 route-map RPKI in
   neighbor 172.16.3.1 maximum-routes 0
   neighbor fd00:1::3:1 remote-as 65501
   neighbor fd00:1::3:1 route-map RPKI in
   neighbor fd00:1::3:1 maximum-routes 0
   !
   address-family ipv4
      neighbor 172.16.3.1 activate
   !
   address-family ipv6
      neighbor fd00:1::3:1 activate
   !
   rpki cache ripencc
      host 91.217.235.45 port 8323
   !
   rpki cache routinator
      host 91.217.235.47 port 8323
   !
   rpki cache octorpki
      host 91.217.235.50 port 8323
   !
   rpki origin-validation
      ebgp local
      ibgp send
Show caches
#show bgp rpki cache
Show ROA
#show bgp rpki roa summary
#show bgp rpki roa ipv4 1.1.1.0/24
Show BGP prefix
#show bgp ipv4 unicast 1.1.1.0/24
Show invalid prefixes
#show ip bgp neighbors received-routes filtered
Show unknown prefixes
#show bgp ipv4 unicast community 65535:20
Show valid prefixes
#show bgp ipv4 unicast community 65535:10
RPKI Configuration with Nokia SR OS
Nokia has provided official support for RPKI since release 12.0.R4.
Nokia has detailed documentation available on configuring BGP Prefix Origin Validation.
Step 1: Set Up Your SR OS Configuration
a) Set up communication with the RPKI Validator service
The first step for using origin validation data within your Nokia router is to set up communication with the RPKI Validator toolset. In this example, it is running at IP address 192.168.1.1.
Classic CLI configuration:
A:br1-nyc>config>router>origin-validation# info detail
    rpki-session 192.168.1.1
        description "Routinator RPKI Server"
        no shutdown
    exit
MD-CLI configuration:
[ex:configure router "Base" origin-validation]
A:[email protected]# info
    rpki-session 192.168.1.1 {
        admin-state enable
        description "Routinator RPKI Server"
    }
b) Assign a local-preference to the RPKI validity attribute of the prefix
The next step is to define your routing policy based upon the validation state. We will follow the advice in the IETF standards by preferring valid over unknown, and valid and unknown over invalid. In this example, we use the local preference as the deciding factor for the routing policy. It's up to you as an operator to decide if and how you want to use this information.
Classic CLI configuration:
A:br1-nyc>config>router>policy-options# info
    community "VRP_VALID_COMM" members "ext:4300:0"
    community "VRP_INVALID_COMM" members "ext:4300:2"
    community "VRP_NOT_FOUND_COMM" members "ext:4300:1"
    policy-statement "ORIGIN_POLICY"
        entry 10
            from
                origin-validation-state invalid
            exit
            action drop
                community add "VRP_INVALID_COMM"
                local-preference 90
            exit
        exit
        entry 20
            from
                origin-validation-state notFound
            exit
            action accept
                community add "VRP_NOT_FOUND_COMM"
                local-preference 100
            exit
        exit
        entry 30
            from
                origin-validation-state valid
            exit
            action accept
                community add "VRP_VALID_COMM"
                local-preference 110
            exit
        exit
    exit
MD-CLI configuration:
[ex:configure policy-options]
A:[email protected]# info
    community "VRP_INVALID_COMM" {
        member "ext:4300:2" { }
    }
    community "VRP_NOT_FOUND_COMM" {
        member "ext:4300:1" { }
    }
    community "VRP_VALID_COMM" {
        member "ext:4300:0" { }
    }
    policy-statement "ORIGIN_POLICY" {
        entry 10 {
            from {
                origin-validation-state invalid
            }
            action {
                action-type reject
                local-preference 90
                community {
                    add ["VRP_INVALID_COMM"]
                }
            }
        }
        entry 20 {
            from {
                origin-validation-state not-found
            }
            action {
                action-type accept
                local-preference 100
                community {
                    add ["VRP_NOT_FOUND_COMM"]
                }
            }
        }
        entry 30 {
            from {
                origin-validation-state valid
            }
            action {
                action-type accept
                local-preference 110
                community {
                    add ["VRP_VALID_COMM"]
                }
            }
        }
    }
c) Configure origin validation and the BGP neighbours
The last steps are to enable origin validation and to apply the import policy to the BGP neighbours: in this case, the group named “EBGP_PEERING”. Origin validation can also be configured directly under a neighbor.
Classic CLI configuration:
A:br1-nyc>config>router>bgp# info
    best-path-selection
        compare-origin-validation-state
        origin-invalid-unusable
    exit
    group "EBGP_PEERING"
        import "ORIGIN_POLICY"
        enable-origin-validation ipv4 ipv6
    exit
    no shutdown
MD-CLI configuration:
[ex:configure router "Base" bgp]
A:[email protected]# info
    peer-ip-tracking true
    best-path-selection {
        compare-origin-validation-state true
        origin-invalid-unusable true
    }
    group "EBGP_PEERING" {
        origin-validation {
            ipv4 true
            ipv6 true
        }
        import {
            policy ["ORIGIN_POLICY"]
        }
    }
Step 2: Verify the connection to the RPKI Validator service
Now that everything is configured, test if the connection to the RPKI Validator service is working properly. The show commands are the same in the classic and the MD-CLI.
A:[email protected]# show router origin-validation rpki-session detail
Rpki Session Information
IP Address : 192.168.1.1
Port : 323 Oper State : established
UpTime : 0d 00:35:05 Flaps : 0
Active IPv4 records: 68723 Active IPv6 records: 12417
Admin State : Up Local Address : n/a
Hold Time : 600 Refresh Time : 300
Stale Route Time : 3600 Connect Retry : 120
Serial ID : 2767 Session ID : 6
No. of Rpki-Sessions : 1
A:[email protected]# show router origin-validation database origin-as 38016
Static and Dynamic VRP Database Entries
Prefix Range [Flags]                    Origin AS
    Session IP [Flags]
124.252.0.0/16-16 [Dynamic]             38016
    192.168.1.1 [B]
124.252.255.0/24-24 [Dynamic]           38016
    192.168.1.1 [B]
2406:c800::/32-32 [Dynamic]             38016
    192.168.1.1 [B]
2406:c800:a1ca::/48-48 [Dynamic]        38016
    192.168.1.1 [B]
2406:c800:e000::/48-48 [Dynamic]        38016
    192.168.1.1 [B]
2406:c800:f000::/48-48 [Dynamic]        38016
    192.168.1.1 [B]
No. of Vrp Database Entries: 6
Flags: B = Base instance session
       M = Management instance session
       Static-V = Static-Valid; Static-I = Static-Invalid
Thanks to Ximon Eighteen at NLnet Labs for the working example with the Routinator RPKI validator.