On Mon, Apr 20, 2020 at 8:47 PM Denys Fedoryshchenko <nuclearcat@nuclearcat.com> wrote:
If I am not wrong, for most routers implementing RPKI means spinning up a VM with an RPKI cache that needs significant tinkering? I guess it is a blocker for many, unless some "ready made" solutions are offered by vendors.
Also, if an ISP configures his router and it crashed because he installed some "no warranty whatsoever" software from Cloudflare's GitHub, what is next? I guess this might not be welcome in support contracts.


The RPKI software is something you need to run on a server somewhere, not on the router itself.

For our Juniper MX204 routers this was all that I needed to do:

First install https://github.com/NLnetLabs/routinator on a server or VM somewhere. The server IP address would be 10.x.y.z in this example.

set routing-options validation group rpki-validator session 10.x.y.z port 3323 local-address 10.a.b.c
set policy-options community origin-validation-state-invalid members 0x4300:0.0.0.0:2
set policy-options community origin-validation-state-unknown members 0x4300:0.0.0.0:1
set policy-options community origin-validation-state-valid members 0x4300:0.0.0.0:0
set policy-options policy-statement RPKI-CHECK term valid from protocol bgp
set policy-options policy-statement RPKI-CHECK term valid from validation-database valid
set policy-options policy-statement RPKI-CHECK term valid then validation-state valid
set policy-options policy-statement RPKI-CHECK term valid then community add origin-validation-state-valid
set policy-options policy-statement RPKI-CHECK term invalid from protocol bgp
set policy-options policy-statement RPKI-CHECK term invalid from validation-database invalid
set policy-options policy-statement RPKI-CHECK term invalid then validation-state invalid
set policy-options policy-statement RPKI-CHECK term invalid then community add origin-validation-state-invalid
set policy-options policy-statement RPKI-CHECK term unknown from protocol bgp
set policy-options policy-statement RPKI-CHECK term unknown from validation-database unknown
set policy-options policy-statement RPKI-CHECK term unknown then validation-state unknown
set policy-options policy-statement RPKI-CHECK term unknown then community add origin-validation-state-unknown
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-CHECK from policy RPKI-CHECK
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-INVALID from community origin-validation-state-invalid
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-INVALID then reject
set routing-instances internet protocols bgp group nlix import REJECT-RPKI-INVALID
set routing-instances internet protocols bgp group cogent import REJECT-RPKI-INVALID

And just like that we had RPKI invalid filtering on the NLIX routing server and Cogent IP transit sessions. Since all of that is redundant, I took the opportunity to sanity check that we still had the expected number of routes installed from these sources, sans the invalids.

Attribution: I did not invent most of the above. It is from the free book "Day One: Deploying BGP Routing Security" from Juniper.

Regards,

Baldur
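What the Junos "validation-database valid / invalid / unknown" match actually computes, as an added example that is not part of the original mail and not code from Routinator or Juniper: a minimal client-side parser for the RTR protocol (RFC 8210) that the MX204 speaks to the validator on TCP/3323, plus the RFC 6811 route origin validation decision the router makes against the resulting VRP table. The cache response bytes, the prefixes (RFC 5737/3849 documentation space) and the AS numbers (RFC 5398 private range) are constructed for the example; the function and variable names are this example's own.

```python
"""RTR (RFC 8210) PDU parsing and RFC 6811 route origin validation.

Added example, not from the original mail, Routinator or Juniper.
All sample data below is constructed; nothing here talks to a real
cache unless fetch_vrps() is called explicitly.
"""
import ipaddress
import socket
import struct

RTR_V1 = 1
# PDU type codes, RFC 8210 section 5
RESET_QUERY, CACHE_RESPONSE, IPV4_PREFIX, IPV6_PREFIX = 2, 3, 4, 6
END_OF_DATA, CACHE_RESET, ERROR_REPORT = 7, 8, 10
HDR = struct.Struct("!BBHI")  # version, type, session-id/zero/error-code, length


def reset_query():
    """Reset Query PDU: asks the cache for its complete VRP set."""
    return HDR.pack(RTR_V1, RESET_QUERY, 0, HDR.size)


def encode_prefix(net, maxlen, asn, announce=True):
    """Encode an IPv4/IPv6 Prefix PDU (used here only to build sample data)."""
    ptype = IPV4_PREFIX if net.version == 4 else IPV6_PREFIX
    body = struct.pack("!BBBB", int(announce), net.prefixlen, maxlen, 0)
    body += net.network_address.packed + struct.pack("!I", asn)
    return HDR.pack(RTR_V1, ptype, 0, HDR.size + len(body)) + body


def parse_pdus(buf):
    """Parse a byte string of PDUs into a set of VRPs (net, maxlen, asn).

    Returns (vrps, end_of_data_seen). Withdrawals (flag bit 0 clear)
    remove an entry; an incomplete trailing PDU is left unparsed so a
    caller can keep reading; an Error Report or Cache Reset aborts.
    """
    vrps, off, done = set(), 0, False
    while off + HDR.size <= len(buf):
        _ver, ptype, field, length = HDR.unpack_from(buf, off)
        if length < HDR.size:
            raise ValueError("malformed PDU length %d" % length)
        if off + length > len(buf):
            break  # rest of this PDU has not arrived yet
        body = buf[off + HDR.size:off + length]
        if ptype in (IPV4_PREFIX, IPV6_PREFIX):
            alen = 4 if ptype == IPV4_PREFIX else 16
            flags, plen, maxlen, _z, addr, asn = struct.unpack(
                "!BBBB%dsI" % alen, body)
            # strict=True (default): a prefix with host bits set is rejected
            net = ipaddress.ip_network((addr, plen))
            (vrps.add if flags & 1 else vrps.discard)((net, maxlen, asn))
        elif ptype == END_OF_DATA:
            done = True
        elif ptype == ERROR_REPORT:
            raise ValueError("cache sent Error Report, code %d" % field)
        elif ptype == CACHE_RESET:
            raise ValueError("cache cannot serve this session; resend reset_query()")
        off += length
    return vrps, done


def validate(vrps, prefix, origin_asn):
    """RFC 6811 origin validation for one announced (prefix, origin AS).

    valid   - a covering VRP names this AS and prefixlen <= maxLength
    invalid - covering VRPs exist but none match (AS0 ROAs land here too)
    unknown - no VRP covers the prefix (NotFound in the RFC's terms)
    """
    net = ipaddress.ip_network(prefix)
    covering = [v for v in vrps
                if v[0].version == net.version and net.subnet_of(v[0])]
    if not covering:
        return "unknown"
    for _vnet, maxlen, asn in covering:
        if asn == origin_asn and net.prefixlen <= maxlen:
            return "valid"
    return "invalid"


def fetch_vrps(host, port=3323, timeout=30):
    """Pull the full VRP set from a live RTR cache such as Routinator.

    Plain TCP, exactly as unauthenticated as the mail's router config:
    keep the validator on a management network the router trusts.
    """
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(reset_query())
        while True:
            chunk = s.recv(65536)
            if not chunk:
                raise ConnectionError("cache closed before End Of Data")
            buf += chunk
            vrps, done = parse_pdus(buf)
            if done:
                return vrps


# Constructed cache answer: Cache Response, two ROAs, End Of Data. In
# protocol v1 the End Of Data body carries serial, refresh, retry, expire.
SAMPLE_RESPONSE = (
    HDR.pack(RTR_V1, CACHE_RESPONSE, 0x1234, HDR.size)
    + encode_prefix(ipaddress.ip_network("192.0.2.0/24"), 24, 64496)
    + encode_prefix(ipaddress.ip_network("2001:db8::/32"), 48, 64496)
    + HDR.pack(RTR_V1, END_OF_DATA, 0x1234, HDR.size + 16)
    + struct.pack("!IIII", 1, 3600, 600, 7200)
)

# Constructed BGP announcements to classify against the sample VRPs.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64496),      # exact ROA match
    ("192.0.2.0/25", 64496),      # right AS, longer than maxLength
    ("192.0.2.0/24", 64497),      # covered, wrong origin AS (hijack shape)
    ("198.51.100.0/24", 64496),   # no ROA at all
    ("2001:db8:1::/48", 64496),   # within maxLength of the /32 ROA
]


def demo():
    """Validate the constructed routes; returns {(prefix, asn): state}."""
    vrps, done = parse_pdus(SAMPLE_RESPONSE)
    if not done:
        raise ValueError("sample response lacks End Of Data")
    return {route: validate(vrps, *route) for route in SAMPLE_ROUTES}


if __name__ == "__main__":
    for (prefix, asn), state in demo().items():
        print("%-18s AS%-6d %s" % (prefix, asn, state))
```

The three states map one-to-one onto the Junos validation-database match and the RFC 8097 origin-validation-state communities in the mail's policy; the only router-side action the example does not model is what REJECT-RPKI-INVALID does with the "invalid" result.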