On Mon, Apr 20, 2020 at 8:47 PM Denys Fedoryshchenko <nuclearcat@nuclearcat.com> wrote:
> If I am not wrong, for most routers implementing RPKI means spinning up a VM with an RPKI cache that needs significant tinkering? I guess it is a blocker for many, unless some "ready made" solutions are offered by vendors. Also, if an ISP configures his router and it crashed because he installed some "no warranty whatsoever" software from Cloudflare's GitHub, what is next? I guess this might not be welcome in support contracts.
The RPKI software is something you need to run on a server somewhere, not on the router itself. For our Juniper MX204 routers this was all that I needed to do:

First install https://github.com/NLnetLabs/routinator on a server or VM somewhere. The server IP address would be 10.x.y.z in this example.

set routing-options validation group rpki-validator session 10.x.y.z port 3323 local-address 10.a.b.c
set policy-options community origin-validation-state-invalid members 0x4300:0.0.0.0:2
set policy-options community origin-validation-state-unknown members 0x4300:0.0.0.0:1
set policy-options community origin-validation-state-valid members 0x4300:0.0.0.0:0
set policy-options policy-statement RPKI-CHECK term valid from protocol bgp
set policy-options policy-statement RPKI-CHECK term valid from validation-database valid
set policy-options policy-statement RPKI-CHECK term valid then validation-state valid
set policy-options policy-statement RPKI-CHECK term valid then community add origin-validation-state-valid
set policy-options policy-statement RPKI-CHECK term invalid from protocol bgp
set policy-options policy-statement RPKI-CHECK term invalid from validation-database invalid
set policy-options policy-statement RPKI-CHECK term invalid then validation-state invalid
set policy-options policy-statement RPKI-CHECK term invalid then community add origin-validation-state-invalid
set policy-options policy-statement RPKI-CHECK term unknown from protocol bgp
set policy-options policy-statement RPKI-CHECK term unknown from validation-database unknown
set policy-options policy-statement RPKI-CHECK term unknown then validation-state unknown
set policy-options policy-statement RPKI-CHECK term unknown then community add origin-validation-state-unknown
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-CHECK from policy RPKI-CHECK
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-INVALID from community origin-validation-state-invalid
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-INVALID then reject
set routing-instances internet protocols bgp group nlix import REJECT-RPKI-INVALID
set routing-instances internet protocols bgp group cogent import REJECT-RPKI-INVALID

And just like that we had RPKI invalid filtering on the NLIX routing server and Cogent IP transit sessions. Since all of that is redundant, I took that opportunity to sanity check that we still had the expected amount of routes installed from these sources sans the invalids.

Attribution: I did not invent most of the above. It is from the free book "Day One: Deploying BGP Routing Security" from Juniper.

Regards,
Baldur
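The Junos policy above only asks the router's validation database whether a route is valid, invalid or unknown; the decision itself is the RFC 6811 origin validation that the router performs against the validated ROA payloads (VRPs) it pulls from Routinator over RTR. The script below is an added example, not code from the thread, from Routinator or from Juniper's Day One book: it implements that classification in Python over a constructed VRP export in the column layout of `routinator vrps --format csv` (ASN, IP Prefix, Max Length, Trust Anchor) and a constructed route table, covering the edge cases the three states hinge on (a maxLength exceeded by a more-specific announcement, a covering ROA for another origin AS, an AS0 ROA, and no covering ROA at all). All prefixes, ASNs and routes are made up for illustration; the final count mirrors the "expected routes sans the invalids" sanity check Baldur describes.

```python
"""RFC 6811 route origin validation over a Routinator-style VRP CSV export.

Added worked example; not from the original thread, from Routinator or from the
Day One book. SAMPLE_VRPS_CSV and SAMPLE_ROUTES are constructed test data using
documentation prefixes and example ASNs.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed VRP export in the column layout `routinator vrps --format csv` uses.
SAMPLE_VRPS_CSV = """ASN,IP Prefix,Max Length,Trust Anchor
AS64496,192.0.2.0/24,24,ripe
AS64497,198.51.100.0/24,26,arin
AS0,203.0.113.0/24,24,apnic
AS64496,2001:db8::/32,48,ripe
"""

# Constructed routes as a router might receive them: (prefix, origin AS).
SAMPLE_ROUTES: List[Tuple[str, int]] = [
    ("192.0.2.0/24", 64496),     # exact match to a ROA            -> valid
    ("192.0.2.0/25", 64496),     # more specific than maxLength 24 -> invalid
    ("198.51.100.0/26", 64497),  # within maxLength 26             -> valid
    ("198.51.100.0/24", 64511),  # covered, but wrong origin AS    -> invalid
    ("203.0.113.0/24", 64500),   # AS0 ROA: nobody may originate   -> invalid
    ("2001:db8:1::/48", 64496),  # IPv6, within maxLength 48       -> valid
    ("10.0.0.0/8", 64496),       # no covering ROA at all          -> unknown
]


@dataclass(frozen=True)
class VRP:
    asn: int
    prefix: Network
    max_length: int

    def covers(self, route_prefix: Network) -> bool:
        """A VRP covers a route when the route prefix is equal to or more
        specific than the VRP prefix in the same address family. maxLength is
        deliberately not consulted here: a covering-but-too-long route must end
        up 'invalid', not 'unknown'."""
        return (route_prefix.version == self.prefix.version
                and route_prefix.subnet_of(self.prefix))


def parse_vrps(text: str) -> List[VRP]:
    """Parse the Routinator CSV layout; the ASN column reads 'AS64496'."""
    vrps = []
    for row in csv.DictReader(io.StringIO(text)):
        asn_field = row["ASN"].strip()
        if asn_field.upper().startswith("AS"):
            asn_field = asn_field[2:]
        vrps.append(VRP(int(asn_field),
                        ipaddress.ip_network(row["IP Prefix"].strip()),
                        int(row["Max Length"])))
    return vrps


def validate(route_prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """Classify one (prefix, origin AS) pair per RFC 6811 section 2.

    unknown : no VRP covers the prefix
    valid   : some covering VRP has the same ASN and maxLength >= prefix length
    invalid : covering VRPs exist but none matches (wrong origin, announcement
              more specific than maxLength, or an AS0 ROA, which can never match
              a real origin AS)
    """
    net = ipaddress.ip_network(route_prefix)
    covering = [v for v in vrps if v.covers(net)]
    if not covering:
        return "unknown"
    for v in covering:
        if v.asn == origin_asn and net.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


def classify_table(routes: Iterable[Tuple[str, int]],
                   vrps: Iterable[VRP]) -> Tuple[Dict[str, str], Dict[str, int]]:
    """Return per-prefix states plus a count per state. The count is the
    sanity check from the thread: routes accepted under a reject-invalid
    policy should equal the total minus the invalids."""
    vrps = list(vrps)
    states = {prefix: validate(prefix, asn, vrps) for prefix, asn in routes}
    counts = {s: sum(1 for st in states.values() if st == s)
              for s in ("valid", "invalid", "unknown")}
    return states, counts


if __name__ == "__main__":
    vrp_list = parse_vrps(SAMPLE_VRPS_CSV)
    table, totals = classify_table(SAMPLE_ROUTES, vrp_list)
    for prefix, state in table.items():
        print(f"{prefix:20} {state}")
    print(totals, "accepted with REJECT-RPKI-INVALID:",
          len(SAMPLE_ROUTES) - totals["invalid"])
```

Note that "unknown" routes are accepted unchanged by the policy in the thread, which is what you want: only prefixes with a covering ROA that contradicts the announcement are dropped, so a network with no ROAs at all loses nothing while one that publishes ROAs gains protection against mis-originations and more-specific hijacks beyond its maxLength.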