On Mon, Apr 20, 2020 at 8:47 PM Denys Fedoryshchenko < nuclear...@nuclearcat.com> wrote:
> If I am not wrong, for most routers implementing RPKI means spinning up a VM
> with an RPKI cache that needs significant tinkering?
> I guess it is a blocker for many, unless some "ready made" solutions are offered
> by vendors.
> Also, if an ISP configures his router and it crashed because he installed
> some "no warranty whatsoever" software from the Cloudflare GitHub, what is next?
> I guess this might not be welcome in support contracts.

The RPKI software is something you need to run on a server somewhere. Not on the router itself.

For our Juniper MX204 routers this was all that I needed to do:

First install https://github.com/NLnetLabs/routinator on a server or VM somewhere. The server IP address would be 10.x.y.z in this example.

set routing-options validation group rpki-validator session 10.x.y.z port 3323 local-address 10.a.b.c
set policy-options community origin-validation-state-invalid members 0x4300:0.0.0.0:2
set policy-options community origin-validation-state-unknown members 0x4300:0.0.0.0:1
set policy-options community origin-validation-state-valid members 0x4300:0.0.0.0:0
set policy-options policy-statement RPKI-CHECK term valid from protocol bgp
set policy-options policy-statement RPKI-CHECK term valid from validation-database valid
set policy-options policy-statement RPKI-CHECK term valid then validation-state valid
set policy-options policy-statement RPKI-CHECK term valid then community add origin-validation-state-valid
set policy-options policy-statement RPKI-CHECK term invalid from protocol bgp
set policy-options policy-statement RPKI-CHECK term invalid from validation-database invalid
set policy-options policy-statement RPKI-CHECK term invalid then validation-state invalid
set policy-options policy-statement RPKI-CHECK term invalid then community add origin-validation-state-invalid
set policy-options policy-statement RPKI-CHECK term unknown from protocol bgp
set policy-options policy-statement RPKI-CHECK term unknown from validation-database unknown
set policy-options policy-statement RPKI-CHECK term unknown then validation-state unknown
set policy-options policy-statement RPKI-CHECK term unknown then community add origin-validation-state-unknown
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-CHECK from policy RPKI-CHECK
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-INVALID from community origin-validation-state-invalid
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-INVALID then reject
set routing-instances internet protocols bgp group nlix import REJECT-RPKI-INVALID
set routing-instances internet protocols bgp group cogent import REJECT-RPKI-INVALID

And just like that we had RPKI invalid filtering on the NLIX route server and Cogent IP transit sessions. Since all of that is redundant, I took that opportunity to sanity check that we still had the expected amount of routes installed from these sources sans the invalids.

Attribution

I did not invent most of the above. It is from the free book Day One: Deploying BGP Routing Security from Juniper.

Regards,
Baldur
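What actually crosses that port 3323 session, and what the router then does with it, as an added example that is not part of Baldur's post, the Day One book or Routinator's own code: a small Python decoder for the RTR cache response (RFC 8210) followed by the RFC 6811 origin validation that Junos exposes as "validation-database valid/invalid/unknown". The PDU stream, session id, prefixes and AS numbers are constructed for illustration (documentation prefixes, private ASNs); only the PDU layouts come from the RFC. Python is used because it models the protocol offline without a router or a cache.

```python
"""Added example, not from the thread: minimal RTR (RFC 8210) cache-response
decoder plus RFC 6811 route origin validation. All sample data is constructed."""
import ipaddress
import struct

RTR_VERSION = 1                       # RTR protocol version 1 (RFC 8210)
RESET_QUERY, CACHE_RESPONSE = 2, 3
IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA = 4, 6, 7
HDR = struct.Struct("!BBHI")          # version, PDU type, session id, total length


def reset_query():
    """Reset Query the router sends on its first connection (it has no serial yet)."""
    return HDR.pack(RTR_VERSION, RESET_QUERY, 0, HDR.size)


def cache_response(session):
    return HDR.pack(RTR_VERSION, CACHE_RESPONSE, session, HDR.size)


def prefix_pdu(prefix, max_len, asn, announce=True):
    """IPv4/IPv6 Prefix PDU as the cache sends it: flags, prefix len, max len, zero, prefix, ASN."""
    net = ipaddress.ip_network(prefix)
    ptype = IPV4_PREFIX if net.version == 4 else IPV6_PREFIX
    body = (struct.pack("!BBBB", 1 if announce else 0, net.prefixlen, max_len, 0)
            + net.network_address.packed + struct.pack("!I", asn))
    return HDR.pack(RTR_VERSION, ptype, 0, HDR.size + len(body)) + body


def end_of_data(session, serial, refresh=3600, retry=600, expire=7200):
    """End of Data; the v1 form carries the serial and the three timers."""
    return HDR.pack(RTR_VERSION, END_OF_DATA, session, HDR.size + 16) + struct.pack(
        "!IIII", serial, refresh, retry, expire)


def parse_cache_response(data):
    """Decode Cache Response .. End of Data into a set of (network, max_len, asn).
    Framing is checked on every PDU; malformed input raises instead of
    silently yielding a partial VRP table the router would then trust."""
    vrps, session, off = set(), None, 0
    while off < len(data):
        if len(data) - off < HDR.size:
            raise ValueError("truncated PDU header")
        ver, ptype, sess, length = HDR.unpack_from(data, off)
        if ver != RTR_VERSION or length < HDR.size or off + length > len(data):
            raise ValueError("bad PDU framing")
        body = data[off + HDR.size:off + length]
        off += length
        if ptype == CACHE_RESPONSE:
            session = sess
        elif ptype in (IPV4_PREFIX, IPV6_PREFIX):
            cls = ipaddress.IPv4Network if ptype == IPV4_PREFIX else ipaddress.IPv6Network
            alen = 4 if ptype == IPV4_PREFIX else 16
            if len(body) != 4 + alen + 4:
                raise ValueError("bad prefix PDU length")
            flags, plen, max_len, _zero = struct.unpack_from("!BBBB", body)
            asn = struct.unpack_from("!I", body, 4 + alen)[0]
            if not plen <= max_len <= alen * 8:
                raise ValueError("inconsistent prefix/max length")
            net = cls((body[4:4 + alen], plen))   # strict: rejects host bits set
            vrp = (net, max_len, asn)
            if flags & 1:
                vrps.add(vrp)                     # announce
            else:
                vrps.discard(vrp)                 # withdraw
        elif ptype == END_OF_DATA:
            if session is None or sess != session:
                raise ValueError("End of Data outside the cache response session")
            serial = struct.unpack_from("!I", body)[0]
            return {"session": session, "serial": serial, "vrps": vrps}
        else:
            raise ValueError(f"unexpected PDU type {ptype}")
    raise ValueError("stream ended without End of Data")


def validate_origin(prefix, origin_asn, vrps):
    """RFC 6811: 'valid' if a covering VRP matches origin AS and max length,
    'invalid' if covered but nothing matches, 'unknown' if no VRP covers it."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_net, max_len, asn in vrps:
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        if asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"


def sample_stream(session=0x2A2A, serial=7):
    """Constructed cache reply: documentation prefixes, private ASNs, made-up session."""
    return (cache_response(session)
            + prefix_pdu("192.0.2.0/24", 24, 64496)
            + prefix_pdu("198.51.100.0/22", 24, 64497)
            + prefix_pdu("2001:db8::/32", 48, 64496)
            + end_of_data(session, serial))


if __name__ == "__main__":
    db = parse_cache_response(sample_stream())
    print(f"session {db['session']:#x} serial {db['serial']} {len(db['vrps'])} VRPs")
    for route, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                       ("192.0.2.0/24", 64500), ("2001:db8:1::/48", 64496),
                       ("203.0.113.0/24", 64496)]:
        print(route, asn, validate_origin(route, asn, db["vrps"]))
```

The three outcomes map one to one onto the RPKI-CHECK terms above: "valid" and "unknown" routes get their community and are accepted, and only "invalid" is rejected. Note that a more specific announcement than the ROA's max length (192.0.2.0/25 under a /24 ROA) is invalid even with the right origin AS, which is the case operators most often trip over when they first turn on filtering.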