RPKI Validation - Internet2 · 2017. 10. 27.
RPKI Validation
Karl Newell, Internet2
RIPE RPKI Validation
• https://www.ripe.net/manage-ips-and-asns/resource-management/certification/tools-and-resources
• https://hub.docker.com/r/karlnewell/rpki-validator-docker/
Topology
(diagram) GoBGP route injector; Juniper MX960 running Junos 15.1F6-S6.4; Cisco CSR1000V running IOS XE 03.16.06.S; RIPE Validator 2.23
Juniper Configs
routing-options {
    validation {
        group rpki-validator {
            session 163.253.39.165 {
                refresh-time 120;
                hold-time 240;
                port 8282;
                local-address 156.56.5.60;
            }
        }
    }
}
Juniper Configs
policy-options {
    policy-statement rpki-validation {
        term valid {
            from {
                protocol bgp;
                validation-database valid;
            }
            then {
                local-preference 110;
                validation-state valid;
                next policy;
            }
        }
        term invalid {
            from {
                protocol bgp;
                validation-database invalid;
            }
            then {
                local-preference 90;
                validation-state invalid;
                next policy;
            }
        }
        term unknown {
            from {
                protocol bgp;
                validation-database unknown;
            }
            then {
                local-preference 100;
                validation-state unknown;
                next policy;
            }
        }
    }
}
Cisco Configs
router bgp 11537
 bgp rpki server tcp 163.253.39.165 port 8282 refresh 600
 bgp bestpath prefix-validate allow-invalid
 neighbor 163.253.39.165 remote-as 65000
 neighbor 163.253.39.165 route-map rpki-loc-pref in
!
route-map rpki-loc-pref permit 10
 match rpki invalid
 set local-preference 90
!
route-map rpki-loc-pref permit 20
 match rpki not-found
 set local-preference 100
!
route-map rpki-loc-pref permit 30
 match rpki valid
 set local-preference 110
Various "show" commands
• Juniper
  – show validation session
  – show validation statistics
  – show validation database
  – show route protocol bgp validation-state valid
• Cisco
  – show ip bgp rpki server
  – show ip bgp rpki table
Validation state
State       Description                         Means
invalid     Invalid route validation state      Mismatch in ASN/prefix mapping; more specific not covered by valid ROA
unknown     Unknown route validation state      No ROA found
valid       Valid route validation state        Matching ROA found
unverified  Unverified route validation state   *Junos specific; no policy triggers database lookup
Validating routes
• gobgp global rib add -a ipv4 194.0.36.0/24 aspath "123 456 42"
• gobgp global rib add -a ipv4 194.0.36.0/24 aspath "123 456 43"
• gobgp global rib add -a ipv4 128.196.0.0/16 aspath "1706"
Topology
(diagram, same as before) GoBGP route injector; Juniper MX960 running Junos 15.1F6-S6.4; Cisco CSR1000V running IOS XE 03.16.06.S; RIPE Validator 2.23
ROA held by the validator: ASN 42, Prefix 194.0.36.0/24, MaxLength 24
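The three GoBGP test routes checked against the deck's single ROA (ASN 42, 194.0.36.0/24, maxLength 24), as an added Python example that is not part of the original slides: it performs RFC 6811 route origin validation and returns the valid/invalid/unknown states from the table, then maps each state to the local-preference the Juniper and Cisco policies assign. The ROA list and route inputs are constructed from the slides; the function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    asn: int
    prefix: str
    max_length: int


# Constructed ROA set: the one ROA shown on the topology slide.
ROAS = [Roa(asn=42, prefix="194.0.36.0/24", max_length=24)]

# Local-preference values assigned by the deck's rpki-validation policy / route-map.
LOCAL_PREF = {"valid": 110, "unknown": 100, "invalid": 90}


def covers(roa: Roa, route) -> bool:
    """A ROA covers a route when the route prefix equals or is more specific than the ROA prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == route.version and route.subnet_of(roa_net)


def validate_origin(prefix: str, as_path: str, roas=ROAS) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'unknown' for a prefix and AS_PATH string."""
    route = ipaddress.ip_network(prefix)
    origin_as = int(as_path.split()[-1])  # origin AS is the rightmost AS in the AS_PATH
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "unknown"  # no ROA found for this prefix
    for r in covering:
        # Valid only if some covering ROA matches the origin AS and the route is not
        # more specific than the ROA's maxLength.
        if r.asn == origin_as and route.prefixlen <= r.max_length:
            return "valid"
    return "invalid"  # covered by a ROA, but ASN mismatch or too specific


def local_pref_for(prefix: str, as_path: str, roas=ROAS) -> int:
    """Local-preference the deck's policy would set for this route."""
    return LOCAL_PREF[validate_origin(prefix, as_path, roas)]


if __name__ == "__main__":
    for p, path in [("194.0.36.0/24", "123 456 42"), ("194.0.36.0/24", "123 456 43"),
                    ("128.196.0.0/16", "1706"), ("194.0.36.0/25", "123 456 42")]:
        print(p, path, "->", validate_origin(p, path), local_pref_for(p, path))
```

The fourth route (a /25 inside the ROA prefix with the right origin) is not on the slides; it is included to show the "more specific not covered by valid ROA" case from the table.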