RPKI OV implementation in route-map
Dear Mark, group,

On Tue, Mar 31, 2020 at 03:50:23PM +0200, Mark Tinka wrote:
On 31/Mar/20 15:21, Dorian Kim wrote:
Unfortunately we don’t have any testing done or experience with RPKI on XE or Classic boxes as we don’t have any deployed outside of OOB infrastructure.
Cherish your blessings, and for the time being, keep them that way :-).
Since it was a quiet day in early April, Ben and I whipped up something to generate config in industry standard format to mimic the RFC 6811 RPKI based BGP Origin Validation procedure. It uses the 'route-map' configuration construct found in some older BGP implementations.

https://github.com/job/rpki-ov-route-map

We didn't test this in production, but I reckon you can upload the generated output into the router's 'running-config' using an hourly crontab, TFTP, RANCID, and expect(1). Here is an example config to copy+paste. If we don't hear back from you we'll assume success.

(warning: large text file) https://raw.githubusercontent.com/job/rpki-ov-route-map/master/example-route...

After applying the above you can reference 'rpki-ov' at each of your EBGP peers as ingress policy: "neighbor x.x.x.x route-map rpki-ov in".

Be careful though, performance may not be as good as a native RPKI OV implementation!

Cheers,

Job & Ben
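As an added illustration (not part of the thread and not the rpki-ov-route-map project's code), this Python sketch shows how the three RFC 6811 validation states can be reproduced by an ordered, first-match rule list of the kind a route-map provides. The VRPs, AS numbers, function names and the policy of dropping invalid routes while accepting valid and not-found ones are assumptions made for the example.

```python
import ipaddress

# Constructed sample VRPs: (prefix, max length, origin AS). Documentation ranges only.
VRPS = [("192.0.2.0/24", 25, 64500),
        ("203.0.113.0/24", 24, 64501),
        ("2001:db8::/32", 48, 64502)]

def covers(net, route):
    """True when the VRP prefix covers the route (same family, equal or less specific)."""
    return net.version == route.version and route.subnet_of(net)

def rfc6811_state(vrps, prefix, origin_as):
    """Reference classification of a route: valid, invalid or not-found."""
    route = ipaddress.ip_network(prefix)
    covering = [(m, a) for p, m, a in vrps if covers(ipaddress.ip_network(p), route)]
    if not covering:
        return "not-found"
    if any(route.prefixlen <= m and a == origin_as for m, a in covering):
        return "valid"
    return "invalid"

def build_rules(vrps):
    """Ordered (action, prefix, max length, origin AS) rules, evaluated first-match."""
    nets = [(ipaddress.ip_network(p), m, a) for p, m, a in vrps]
    rules = [("permit", n, m, a) for n, m, a in nets]                  # valid
    rules += [("deny", n, n.max_prefixlen, None) for n, _, _ in nets]  # covered, unmatched: invalid
    rules.append(("permit", None, None, None))                         # not-found (assumed policy)
    return rules

def evaluate(rules, prefix, origin_as):
    """Walk the rules top to bottom and return the first matching action."""
    route = ipaddress.ip_network(prefix)
    for action, net, maxlen, asn in rules:
        if net is None:
            return action
        if covers(net, route) and route.prefixlen <= maxlen and asn in (None, origin_as):
            return action
    return "deny"  # implicit deny when the list has no catch-all

# Constructed test routes: (prefix, origin AS).
ROUTES = [("192.0.2.0/24", 64500), ("192.0.2.128/25", 64500), ("192.0.2.0/26", 64500),
          ("192.0.2.0/24", 64501), ("198.51.100.0/24", 64500),
          ("2001:db8:1::/48", 64502), ("2001:db8:1::/64", 64502)]

if __name__ == "__main__":
    rules = build_rules(VRPS)
    for prefix, asn in ROUTES:
        print(prefix, asn, rfc6811_state(VRPS, prefix, asn), evaluate(rules, prefix, asn))
```

The ordering carries the logic: every exact permit entry must precede the covering deny entries, which is why the rule count grows with the VRP set.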
On 1/Apr/20 22:52, Job Snijders wrote:
Since it was a quiet day in early April, Ben and I whipped up something to generate config in industry standard format to mimic the RFC 6811 RPKI based BGP Origin Validation procedure. It uses the 'route-map' configuration construct found in some older BGP implementations.
https://github.com/job/rpki-ov-route-map
We didn't test this in production, but I reckon you can upload the generated output into the router's 'running-config' using an hourly crontab, TFTP, RANCID, and expect(1). Here is an example config to copy+paste. If we don't hear back from you we'll assume success.
(warning: large text file) https://raw.githubusercontent.com/job/rpki-ov-route-map/master/example-route...
After applying the above you can reference 'rpki-ov' at each of your EBGP peers as ingress policy: "neighbor x.x.x.x route-map rpki-ov in".
Be careful though, performance may not be as good as a native RPKI OV implementation!
The two of you warm my heart :-).

I'd be quite keen to hear back from folk running IOS XE on the performance of this.

Mark.