RPKI OV implementation in route-map

Mark Tinka mark.tinka at seacom.mu
Thu Apr 2 08:07:29 UTC 2020


On 1/Apr/20 22:52, Job Snijders wrote:

> Since it was a quiet day in early April, Ben and I whipped up something
> to generate config in industry standard format to mimic the RFC 6811
> RPKI based BGP Origin Validation procedure. It uses the 'route-map'
> configuration construct found in some older BGP implementations.
>
>     https://github.com/job/rpki-ov-route-map
>
> We didn't test this in production, but I reckon you can upload the
> generated output into the router's 'running-config' using a hourly
> crontab, TFTP, RANCID, and expect(1). Here is an example config to
> copy+paste. If we don't hear back from you we'll assume success. 
>
>     (warning: large text file)
>     https://raw.githubusercontent.com/job/rpki-ov-route-map/master/example-route-map-configuration.txt
>
> After applying the above you can reference 'rpki-ov' at each of your
> EBGP peers as ingress policy: "neighbor x.x.x.x route-map rpki-ov in".
>
> Be careful though, performance may not be as good as a native RPKI OV
> implementation!

The two of you warm my heart :-).

I'd be quite keen to hear back from folk running IOS XE on the
performance of this.

Mark.



More information about the NANOG mailing list