"Is BGP safe yet?" test

Baldur Norddahl baldur.norddahl at gmail.com
Mon Apr 20 22:27:43 UTC 2020


On Mon, Apr 20, 2020 at 8:47 PM Denys Fedoryshchenko <nuclearcat at nuclearcat.com> wrote:

> If I am not wrong, for most routers implementing RPKI means spinning up a VM
> with an RPKI cache that needs significant tinkering?
> I guess it is a blocker for many, unless some "ready made" solutions are
> offered by vendors.
> Also, if an ISP configures his router and it crashed because he installed
> some "no warranty whatsoever" software from cloudflare github, what is next?
> I guess this might be not welcome in support contracts.
>
The RPKI software is something you need to run on a server somewhere. Not
on the router itself.

For our Juniper MX204 routers this was all that I needed to do:

First install https://github.com/NLnetLabs/routinator on a server or VM
somewhere. The server IP address would be 10.x.y.z in this example.

set routing-options validation group rpki-validator session 10.x.y.z port 3323 local-address 10.a.b.c
set policy-options community origin-validation-state-invalid members 0x4300:0.0.0.0:2
set policy-options community origin-validation-state-unknown members 0x4300:0.0.0.0:1
set policy-options community origin-validation-state-valid members 0x4300:0.0.0.0:0
set policy-options policy-statement RPKI-CHECK term valid from protocol bgp
set policy-options policy-statement RPKI-CHECK term valid from validation-database valid
set policy-options policy-statement RPKI-CHECK term valid then validation-state valid
set policy-options policy-statement RPKI-CHECK term valid then community add origin-validation-state-valid
set policy-options policy-statement RPKI-CHECK term invalid from protocol bgp
set policy-options policy-statement RPKI-CHECK term invalid from validation-database invalid
set policy-options policy-statement RPKI-CHECK term invalid then validation-state invalid
set policy-options policy-statement RPKI-CHECK term invalid then community add origin-validation-state-invalid
set policy-options policy-statement RPKI-CHECK term unknown from protocol bgp
set policy-options policy-statement RPKI-CHECK term unknown from validation-database unknown
set policy-options policy-statement RPKI-CHECK term unknown then validation-state unknown
set policy-options policy-statement RPKI-CHECK term unknown then community add origin-validation-state-unknown
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-CHECK from policy RPKI-CHECK
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-INVALID from community origin-validation-state-invalid
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-INVALID then reject
set routing-instances internet protocols bgp group nlix import REJECT-RPKI-INVALID
set routing-instances internet protocols bgp group cogent import REJECT-RPKI-INVALID

And just like that we had RPKI invalid filtering on the NLIX routing server
and Cogent IP transit sessions. Since all of that is redundant, I took that
opportunity to sanity check that we still had the expected amount of routes
installed from these sources sans the invalids.

Attribution: I did not invent most of the above. It is from the free book
"Day One: Deploying BGP Routing Security" from Juniper.

Regards,

Baldur
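The Junos policy in the message above tags every received route with one of three origin-validation states (valid, invalid, unknown) and rejects the invalid ones. The example below is an added illustration, not part of the original post and not Routinator or Junos code: it implements the RFC 6811 origin-validation decision over a small set of validated ROA payloads (VRPs, the data a validator such as Routinator serves to the router over RTR) and then applies the same "drop invalids, keep the rest" import policy while counting routes per state, which is the sanity check the post describes. All prefixes, ASNs and routes are constructed sample data; the function names are this example's own.

```python
"""Route Origin Validation (RFC 6811) over a constructed VRP set.

Added example; not Routinator, Junos or the original poster's code.
It mirrors what the RPKI-CHECK / REJECT-RPKI-INVALID policy does per
route: classify by origin-validation state, then reject the invalids.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA payload: covered prefix, max length, authorised origin."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix), max_length, asn)


# Constructed VRPs (documentation prefixes and private ASNs only).
VRPS = [
    vrp("192.0.2.0/24", 24, 64500),
    vrp("198.51.100.0/22", 24, 64501),   # maxLength 24 allows /22, /23, /24
    vrp("2001:db8::/32", 48, 64500),
    vrp("203.0.113.0/24", 24, 0),        # AS0 ROA: nobody may originate this
]


def validate(route_prefix: str, origin_asn: int, vrps: list[VRP]) -> str:
    """RFC 6811 section 2 origin validation for a single route.

    - no VRP covers the prefix                                -> "unknown"
    - a covering VRP has the same ASN and maxLength >= length -> "valid"
    - covering VRPs exist but none match                      -> "invalid"
    An AS0 VRP can never match a real origin, so it makes routes invalid.
    """
    route = ipaddress.ip_network(route_prefix)
    covering = [
        v for v in vrps
        if v.prefix.version == route.version and route.subnet_of(v.prefix)
    ]
    if not covering:
        return "unknown"
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


def apply_import_policy(routes, vrps):
    """Mimic REJECT-RPKI-INVALID: tag each route, drop invalids, count states.

    Returns (accepted routes with their state, Counter of states seen), so
    the counts can be compared against the pre-RPKI route count.
    """
    accepted = []
    counts: Counter[str] = Counter()
    for prefix, origin in routes:
        state = validate(prefix, origin, vrps)
        counts[state] += 1
        if state != "invalid":
            accepted.append((prefix, origin, state))
    return accepted, counts


# Constructed sample routes as (prefix, origin ASN); comments give the
# expected state under the VRPs above.
ROUTES = [
    ("192.0.2.0/24", 64500),      # valid
    ("192.0.2.0/25", 64500),      # invalid: longer than maxLength 24
    ("192.0.2.0/24", 64502),      # invalid: wrong origin ASN
    ("198.51.100.0/22", 64501),   # valid
    ("198.51.100.0/23", 64501),   # valid: within maxLength
    ("203.0.113.0/24", 64503),    # invalid: AS0 ROA covers it
    ("10.99.0.0/16", 64502),      # unknown: no ROA at all
    ("2001:db8:1::/48", 64500),   # valid
    ("2001:db8:1::/64", 64500),   # invalid: longer than maxLength 48
    ("2001:db9::/32", 64500),     # unknown: outside 2001:db8::/32
]


if __name__ == "__main__":
    kept, per_state = apply_import_policy(ROUTES, VRPS)
    print("received:", len(ROUTES), "per state:", dict(per_state))
    print("installed after REJECT-RPKI-INVALID:", len(kept))
    for prefix, origin, state in kept:
        print(f"  {prefix:<20} AS{origin}  {state}")
```

The counts are the useful part operationally: before enabling the reject term, compare the number of routes received on a session with the number tagged valid plus unknown, and the difference is exactly what the policy will drop.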