Router Configurations for RPKI

RPKI Configuration With Junos OS

Juniper has provided official support for RPKI since Junos OS release 12.2, and has detailed documentation available on configuring Origin Validation for BGP.

Step 1: Set Up Your Junos OS Configuration

a) Set up communication with the RPKI Validator service

The first step for using origin validation data within your Juniper router is to set up communication with the RPKI Validator toolset. In this example, the validator is running at IP address 10.1.1.6 and the router identifies itself as 10.1.1.5.

routing-options {
    autonomous-system 64511;
    validation {
        group rpki-validator {
            session 10.1.1.6 {
                refresh-time 120;
                hold-time 180;
                port 8282;
                local-address 10.1.1.5;
            }
        }
    }
}

b) Assign a local-preference to the RPKI validity attribute of the prefix

The next step is to define your routing policy based upon the validation state. We will follow the best current operational practice to drop RPKI invalid BGP routes. It's up to you as an operator to decide if and how you want to use this information.

policy-statement rpki {
    term reject_invalid {
        from {
            protocol bgp;
            validation-database invalid;
        }
        then {
            validation-state invalid;
            reject;
        }
    }
    term mark_valid {
        from {
            protocol bgp;
            validation-database valid;
        }
        then {
            validation-state valid;
            next policy;
        }
    }
    then {
        validation-state unknown;
        next policy;
    }
}

Step 2: Verify the connection to the RPKI Validator service

Now that everything is configured, test if the connection to the RPKI Validator service is working properly.

junos.rpki.example.net> show validation session detail
Session 10.1.1.6, State: up, Session index: 2
Group: rpki-validator, Preference: 100
Local IPv4 address: 10.1.1.5, Port: 8282
Refresh time: 120s
Hold time: 180s
Record Life time: 3600s
Serial (Full Update): 441
Serial (Incremental Update): 441
Session flaps: 989
Session uptime: 00:10:08
Last PDU received: 00:00:08
IPv4 prefix count: 1183
IPv6 prefix count: 305
junos.rpki.example.net> show validation statistics
Total RV records: 1487
Total Replication RV records: 2946
Prefix entries: 1382
Origin-AS entries: 1487
Memory utilization: 440802 bytes
Policy origin-validation requests: 13065187
Valid: 35605
Invalid: 37896
Unknown: 12991686
BGP import policy reevaluation notifications: 27306
inet.0, 27306
inet6.0, 0
junos.rpki.example.net> show validation database
RV database for instance master

Prefix Origin-AS Session State Mismatch
24.232.0.0/16-32 10318 10.1.1.6 valid
31.3.8.0/21-21 5524 10.1.1.6 valid
31.7.8.0/21-21 8676 10.1.1.6 valid

2a03:b600::/32-32 41659 10.1.1.6 valid
2a03:cd80::/32-32 16354 10.1.1.6 valid
2a03:fa00::/32-32 28760 10.1.1.6 valid

IPv4 records: 1164
IPv6 records: 302
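
The validation states that the policies in every section of this page match on (valid, invalid, and unknown, which OpenBGPD, Arista and Nokia call not-found) are derived from the VRP database shown above using the RFC 6811 decision procedure. The following Python is an added example, not code from this page or from any vendor, that implements that procedure over VRPs constructed from the entries displayed in the Junos and Nokia database output; the route prefixes it evaluates are constructed as well.

```python
# Added example (not code from this page or from any vendor): the RFC 6811
# origin-validation decision that every policy on this page matches on.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """One Validated ROA Payload: prefix, maximum length and origin AS."""
    prefix: IPNetwork
    max_length: int
    origin_as: int


def parse_vrp(prefix_range: str, origin_as: int) -> VRP:
    """Parse the 'prefix/len-maxlen' notation used by the show outputs above."""
    network, max_len = prefix_range.rsplit("-", 1)
    return VRP(ipaddress.ip_network(network), int(max_len), origin_as)


def validation_state(route: str, origin_as: int, vrps: Iterable[VRP]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for a route/origin-AS pair."""
    net = ipaddress.ip_network(route)
    # A VRP covers the route when the route lies inside the VRP prefix,
    # whatever the max length. No covering VRP at all means not-found.
    covering = [v for v in vrps
                if v.prefix.version == net.version and net.subnet_of(v.prefix)]
    if not covering:
        return "not-found"
    # Valid if some covering VRP has the same origin AS and the route is no
    # more specific than its max length; otherwise invalid. An AS0 VRP thus
    # makes every covered route invalid, since nothing originates from AS 0.
    for v in covering:
        if v.origin_as == origin_as and net.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


# VRPs constructed from the database entries displayed on this page.
VRPS: List[VRP] = [
    parse_vrp("24.232.0.0/16-32", 10318),
    parse_vrp("31.3.8.0/21-21", 5524),
    parse_vrp("124.252.0.0/16-16", 38016),
    parse_vrp("124.252.255.0/24-24", 38016),
    parse_vrp("2406:c800::/32-32", 38016),
    parse_vrp("2406:c800:a1ca::/48-48", 38016),
]

if __name__ == "__main__":
    # Constructed route: a /24 more specific than its /16-16 ROA -> invalid
    print(validation_state("124.252.1.0/24", 38016, VRPS))
```

The 124.252.1.0/24 case is the one that most often surprises operators: the covering ROA exists and names the right AS, but its max length of 16 makes the more specific announcement invalid.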

Step 3: Verify if your policy is applied correctly

Lastly, verify if your routing policy is correctly applied to your routes.

Show caches
# run show validation session

Show ROA
# run show validation database
# run show validation database record 45.141.16.0/22

Show BGP prefix
# run show route 45.141.16.0/22

Show invalid prefixes
# run show route validation-state invalid

Show unknown prefixes
# run show route validation-state unknown

Show valid prefixes
# run show route validation-state valid

Note: Junos OS has an additional state called “unverified”, which marks prefixes whose validation state has not been set by any policy. This usually means a BGP neighbour session does not have an import policy with route validation applied. You can verify this with the following command:

junos.rpki.example.net> show route protocol bgp validation-state unverified

RPKI Configuration with OpenBGPD

OpenBSD ships with an integrated RPKI validator (rpki-client) and BGP daemon (OpenBGPD).

OpenBGPD can perform Origin Validation based on RPKI information received via the RTR protocol, or via direct inclusion from the filesystem. The following example illustrates direct inclusion of validated RPKI data.

First confirm that the rpki-client root crontab entry is enabled.

# crontab -l | grep rpki
~ * * * * -ns rpki-client && bgpctl reload

Then use the include statement to import the rpki-client generated config and instruct bgpd to reject RPKI invalid routes. Edit /etc/bgpd.conf as follows.

# Import VRPs from rpki-client
include "/var/db/rpki-client/openbgpd"

# Apply RPKI information to reject invalids on import and export
deny quick from ebgp ovs invalid
deny quick to ebgp ovs invalid

Verify ROAs are loaded with the following command:

# bgpctl show sets
Type     Name            #IPv4   #IPv6   #ASnum   Last Change
ROA      RPKI ROA       194847   37498        -      00:51:53

A route's validation state can be inspected with show rib; the 'V' in the ovs column signifies that the route is RPKI valid.

# bgpctl show rib 2001:67c:2e8::/48
flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
       S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete

flags ovs destination       gateway     lpref med aspath origin
I*>     V 2001:67c:2e8::/48 2001:db8::1   100  10 2914 12859 3333 i

RPKI Configuration with Arista EOS

route-map RPKI permit 10
   match origin-as validity valid
   set local-preference 200
   set community 65535:10
!
route-map RPKI permit 20
   match origin-as validity not-found
   set local-preference 100
   set community 65535:20
!
route-map RPKI deny 30
   match origin-as validity invalid
!
router bgp 65530
   neighbor 172.16.3.1 remote-as 65501
   neighbor 172.16.3.1 route-map RPKI in
   neighbor 172.16.3.1 maximum-routes 0
   neighbor fd00:1::3:1 remote-as 65501
   neighbor fd00:1::3:1 route-map RPKI in
   neighbor fd00:1::3:1 maximum-routes 0
   !
   address-family ipv4
      neighbor 172.16.3.1 activate
   !
   address-family ipv6
      neighbor fd00:1::3:1 activate
   !
   rpki cache ripencc
      host 91.217.235.45 port 8323
   !
   rpki cache routinator
      host 91.217.235.47 port 8323
   !
   rpki cache octorpki
      host 91.217.235.50 port 8323
   !
   rpki origin-validation
      ebgp local
      ibgp send

Show caches
#show bgp rpki cache

Show ROA
#show bgp rpki roa summary
#show bgp rpki roa ipv4 1.1.1.0/24

Show BGP prefix
#show bgp ipv4 unicast 1.1.1.0/24

Show invalid prefixes
#show ip bgp neighbors received-routes filtered

Show unknown prefixes
#show bgp ipv4 unicast community 65535:20

Show valid prefixes
#show bgp ipv4 unicast community 65535:10

RPKI Configuration with Nokia SR OS

Nokia has provided official support for RPKI since SR OS release 12.0.R4.

Nokia has detailed documentation available on configuring BGP Prefix Origin Validation.

Step 1: Set Up Your SR OS Configuration

a) Set up communication with the RPKI Validator service

The first step for using origin validation data within your Nokia router is to set up communication with the RPKI Validator toolset. In this example, it is running at IP address 192.168.1.1.

Classic CLI configuration:
A:br1-nyc>config>router>origin-validation# info detail
            rpki-session 192.168.1.1
                description "Routinator RPKI Server"
                no shutdown
            exit
MD-CLI configuration:
[ex:configure router "Base" origin-validation]
A:[email protected]# info
    rpki-session 192.168.1.1 {
        admin-state enable
        description "Routinator RPKI Server"
    }

b) Assign a local-preference to the RPKI validity attribute of the prefix

The next step is to define your routing policy based upon the validation state. We will follow the advice in the IETF standards by preferring valid over unknown, and both valid and unknown over invalid. In this example, we'll use local preference as the determining attribute for the routing policy. It's up to you as an operator to decide if and how you want to use this information.

Classic CLI configuration:
A:br1-nyc>config>router>policy-options# info
            community "VRP_VALID_COMM" members "ext:4300:0"
            community "VRP_INVALID_COMM" members "ext:4300:2"
            community "VRP_NOT_FOUND_COMM" members "ext:4300:1"
            policy-statement "ORIGIN_POLICY"
                entry 10
                    from
                        origin-validation-state invalid
                    exit
                    action drop
                        community add "VRP_INVALID_COMM"
                        local-preference 90
                    exit
                exit
                entry 20
                    from
                        origin-validation-state notFound
                    exit
                    action accept
                        community add "VRP_NOT_FOUND_COMM"
                        local-preference 100
                    exit
                exit
                entry 30
                    from
                        origin-validation-state valid
                    exit
                    action accept
                        community add "VRP_VALID_COMM"
                        local-preference 110
                    exit
                exit
            exit
MD-CLI configuration:
[ex:configure policy-options]
A:[email protected]# info
    community "VRP_INVALID_COMM" {
        member "ext:4300:2" { }
    }
    community "VRP_NOT_FOUND_COMM" {
        member "ext:4300:1" { }
    }
    community "VRP_VALID_COMM" {
        member "ext:4300:0" { }
    }
    policy-statement "ORIGIN_POLICY" {
        entry 10 {
            from {
                origin-validation-state invalid
            }
            action {
                action-type reject
                local-preference 90
                community {
                    add ["VRP_INVALID_COMM"]
                }
            }
        }
        entry 20 {
            from {
                origin-validation-state not-found
            }
            action {
                action-type accept
                local-preference 100
                community {
                    add ["VRP_NOT_FOUND_COMM"]
                }
            }
        }
        entry 30 {
            from {
                origin-validation-state valid
            }
            action {
                action-type accept
                local-preference 110
                community {
                    add ["VRP_VALID_COMM"]
                }
            }
        }
    }

c) Configure origin validation and the BGP neighbours

The last steps are to enable origin validation and to apply the import policy to the BGP neighbours: in this case, the group named "EBGP_PEERING". Origin validation can also be configured directly under a neighbor.

Classic CLI configuration:
A:br1-nyc>config>router>bgp# info
            best-path-selection
                compare-origin-validation-state
                origin-invalid-unusable
            exit
            group "EBGP_PEERING"
                import "ORIGIN_POLICY"
                enable-origin-validation ipv4 ipv6
            exit
            no shutdown

MD-CLI configuration:
[ex:configure router "Base" bgp]
A:[email protected]# info
    peer-ip-tracking true
    best-path-selection {
        compare-origin-validation-state true
        origin-invalid-unusable true
    }
    group "EBGP_PEERING" {
        origin-validation {
            ipv4 true
            ipv6 true
        }
        import {
            policy ["ORIGIN_POLICY"]
        }
    }

Step 2: Verify the connection to the RPKI Validator service

Now that everything is configured, test if the connection to the RPKI Validator service is working properly. The show commands are the same in the classic CLI and the MD-CLI.

[]
A:[email protected]# show router origin-validation rpki-session detail
Rpki Session Information
IP Address         : 192.168.1.1
Port               :  323               Oper State         : established
UpTime             : 0d 00:35:05        Flaps              : 0
Active IPv4 records: 68723              Active IPv6 records: 12417
Admin State        : Up                 Local Address      : n/a
Hold Time          : 600                Refresh Time       : 300
Stale Route Time   : 3600               Connect Retry      : 120
Serial ID          : 2767               Session ID         : 6
No. of Rpki-Sessions : 1

[]

A:[email protected]# show router origin-validation database origin-as 38016
Static and Dynamic VRP Database Entries
Prefix Range [Flags]                                            Origin AS
   Session IP [Flags]
124.252.0.0/16-16 [Dynamic]                                     38016
    192.168.1.1 [B]
124.252.255.0/24-24 [Dynamic]                                   38016
    192.168.1.1 [B]
2406:c800::/32-32 [Dynamic]                                     38016
    192.168.1.1 [B]
2406:c800:a1ca::/48-48 [Dynamic]                                38016
    192.168.1.1 [B]
2406:c800:e000::/48-48 [Dynamic]                                38016
    192.168.1.1 [B]
2406:c800:f000::/48-48 [Dynamic]                                38016
    192.168.1.1 [B]

No. of Vrp Database Entries: 6
Flags: B = Base instance session
       M = Management instance session
       Static-V = Static-Valid; Static-I = Static-Invalid

Thanks to Ximon Eighteen at NLnet Labs for the working example with the Routinator RPKI validator.