nanog mailing list archives
Re: "Is BGP safe yet?" test
From: Baldur Norddahl <baldur.norddahl () gmail com>
Date: Tue, 21 Apr 2020 00:27:43 +0200
On Mon, Apr 20, 2020 at 8:47 PM Denys Fedoryshchenko < nuclearcat () nuclearcat com> wrote:
If I am not wrong, for most routers implementing RPKI means spinning up a VM with an RPKI cache that needs significant tinkering? I guess it is a blocker for many, unless some "ready made" solutions are offered by vendors. Also, if an ISP configures his router and it crashed because he installed some "no warranty whatsoever" software from the Cloudflare GitHub, what is next? I guess this might not be welcome in support contracts.
The RPKI software is something you need to run on a server somewhere. Not on the router itself. For our Juniper MX204 routers this was all that I needed to do:

First install https://github.com/NLnetLabs/routinator on a server or VM somewhere. The server IP address would be 10.x.y.z in this example.

set routing-options validation group rpki-validator session 10.x.y.z port 3323 local-address 10.a.b.c
set policy-options community origin-validation-state-invalid members 0x4300:0.0.0.0:2
set policy-options community origin-validation-state-unknown members 0x4300:0.0.0.0:1
set policy-options community origin-validation-state-valid members 0x4300:0.0.0.0:0
set policy-options policy-statement RPKI-CHECK term valid from protocol bgp
set policy-options policy-statement RPKI-CHECK term valid from validation-database valid
set policy-options policy-statement RPKI-CHECK term valid then validation-state valid
set policy-options policy-statement RPKI-CHECK term valid then community add origin-validation-state-valid
set policy-options policy-statement RPKI-CHECK term invalid from protocol bgp
set policy-options policy-statement RPKI-CHECK term invalid from validation-database invalid
set policy-options policy-statement RPKI-CHECK term invalid then validation-state invalid
set policy-options policy-statement RPKI-CHECK term invalid then community add origin-validation-state-invalid
set policy-options policy-statement RPKI-CHECK term unknown from protocol bgp
set policy-options policy-statement RPKI-CHECK term unknown from validation-database unknown
set policy-options policy-statement RPKI-CHECK term unknown then validation-state unknown
set policy-options policy-statement RPKI-CHECK term unknown then community add origin-validation-state-unknown
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-CHECK from policy RPKI-CHECK
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-INVALID from community origin-validation-state-invalid
set policy-options policy-statement REJECT-RPKI-INVALID term RPKI-INVALID then reject
set routing-instances internet protocols bgp group nlix import REJECT-RPKI-INVALID
set routing-instances internet protocols bgp group cogent import REJECT-RPKI-INVALID

And just like that we had RPKI invalid filtering on the NLIX route server and Cogent IP transit sessions. Since all of that is redundant, I took that opportunity to sanity check that we still had the expected amount of routes installed from these sources sans the invalids.

Attribution: I did not invent most of the above. It is from the free book "Day One: Deploying BGP Routing Security" from Juniper.

Regards,
Baldur
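The Junos policy above leaves the actual comparison of each route against the validator's data to the router. The following is an added example (not from the post or from the Day One book) that shows, in Python, what that comparison is: RFC 6811 route origin validation of a (prefix, origin AS) pair against a set of Validated ROA Payloads as a validator such as Routinator would export them over RTR, followed by the REJECT-RPKI-INVALID behaviour (tag every route with the state community from the config, drop the invalids) and the route-count sanity check Baldur describes. It generalises the post's single policy to both address families and to the maxLength rule. The VRP set and the sample routes are constructed from documentation prefixes and ASNs; the `Route` tuple and the function names are this example's own, not a router or Routinator API.

```python
"""Route Origin Validation (RFC 6811) as a router applies it, plus the
"reject invalid" import policy from the Junos snippet.

Added example. VRPs and routes are constructed from RFC 5737 / RFC 3849
documentation prefixes and RFC 5398 documentation ASNs.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: (prefix, maxLength, origin AS) as sent over RTR."""
    prefix: IPNetwork
    max_length: int
    asn: int


def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix), max_length, asn)


# Constructed VRP set standing in for the validator's export.
VRPS: List[VRP] = [
    vrp("192.0.2.0/24", 24, 64496),
    vrp("198.51.100.0/22", 24, 64497),
    vrp("2001:db8::/32", 48, 64496),
]

# Extended-community values the Junos policy attaches per state (from the config).
STATE_COMMUNITY: Dict[str, str] = {
    "valid": "0x4300:0.0.0.0:0",
    "unknown": "0x4300:0.0.0.0:1",
    "invalid": "0x4300:0.0.0.0:2",
}


def validate(prefix: str, origin_asn: int, vrps: List[VRP]) -> str:
    """RFC 6811 origin validation of one route against the VRP set.

    unknown: no VRP covers the announced prefix.
    valid:   a covering VRP names the same origin AS and the announced
             prefix is no more specific than that VRP's maxLength.
    invalid: covering VRPs exist but none satisfies both conditions.
    """
    route = ipaddress.ip_network(prefix)
    # Filter by address family first: subnet_of() raises on mixed versions.
    covering = [
        v for v in vrps
        if v.prefix.version == route.version and route.subnet_of(v.prefix)
    ]
    if not covering:
        return "unknown"
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


Route = Tuple[str, int]  # (prefix, origin AS); hypothetical simplified route


def apply_reject_invalid(routes: List[Route], vrps: List[VRP]) -> List[Tuple[str, int, str, str]]:
    """REJECT-RPKI-INVALID: tag each route with its state community, drop invalids."""
    accepted = []
    for prefix, origin in routes:
        state = validate(prefix, origin, vrps)
        if state == "invalid":
            continue
        accepted.append((prefix, origin, state, STATE_COMMUNITY[state]))
    return accepted


def summarize(routes: List[Route], vrps: List[VRP]) -> Dict[str, int]:
    """Per-state route counts: compare against the table size before the policy."""
    counts = {"valid": 0, "unknown": 0, "invalid": 0}
    for prefix, origin in routes:
        counts[validate(prefix, origin, vrps)] += 1
    return counts


# Constructed sample of routes as learned from a peer session.
SAMPLE_ROUTES: List[Route] = [
    ("192.0.2.0/24", 64496),      # valid
    ("192.0.2.0/24", 64500),      # invalid: origin AS not in the covering ROA
    ("198.51.100.0/23", 64497),   # valid: within maxLength 24
    ("198.51.100.0/25", 64497),   # invalid: more specific than maxLength 24
    ("203.0.113.0/24", 64498),    # unknown: no ROA covers it
    ("2001:db8:1::/48", 64496),   # valid
    ("2001:db8:1::/64", 64496),   # invalid: more specific than maxLength 48
    ("192.0.0.0/8", 64496),       # unknown: a /24 VRP does not cover a /8
]

if __name__ == "__main__":
    print(summarize(SAMPLE_ROUTES, VRPS))
    for entry in apply_reject_invalid(SAMPLE_ROUTES, VRPS):
        print(entry)
```

Running the script prints the state counts and the accepted routes with their community tags. The "unknown" count is the number to watch when repeating the sanity check over time: a route that was unknown yesterday and invalid today usually means a new ROA was published for a prefix your peer announces with a different origin or a more specific length, which is exactly the case where you want the drop rather than a silent change in the table size.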