github.com/osrg/gobgp/v3@v3.30.0/docs/sources/rpki.md

# RPKI

This page explains how to use a Resource Public Key Infrastructure
(RPKI) server to do Origin AS Validation.

## Prerequisites

Assume you finished [Getting Started](getting-started.md).

## Contents

- [RPKI](#rpki)
  - [Prerequisites](#prerequisites)
  - [Contents](#contents)
  - [Configuration](#configuration)
  - [Validation](#validation)
  - [Policy with validation results](#policy-with-validation-results)
  - [Detailed Information about validation](#detailed-information-about-validation)

## Configuration

You need to add a **[[rpki-servers]]** section to your configuration
file. We use the following file. Note that this is a route server
setup, but RPKI can also be used without route server mode.

```toml
[global.config]
  as = 64512
  router-id = "10.0.255.254"

[[neighbors]]
  [neighbors.config]
    peer-as = 65001
    neighbor-address = "10.0.255.1"
  [neighbors.route-server.config]
    route-server-client = true

[[neighbors]]
  [neighbors.config]
    peer-as = 65002
    neighbor-address = "10.0.255.2"
  [neighbors.route-server.config]
    route-server-client = true

[[rpki-servers]]
  [rpki-servers.config]
    address = "210.173.170.254"
    port = 323
```

## Validation

You can verify whether gobgpd successfully connects to the RPKI server
and gets the ROA (Route Origin Authorization) information in the
following way:

```bash
$ gobgp rpki server
Session              State  Uptime   #IPv4/IPv6 records
210.173.170.254:323  Up     00:03:06 14823/2168
```

```bash
$ gobgp rpki table 210.173.170.254|head -n4
Network     Maxlen AS
2.0.0.0/12  16     3215
2.0.0.0/16  16     3215
2.1.0.0/16  16     3215
```

By default, IPv4 ROA information is shown.
To see the IPv6 entries instead:

```bash
$ gobgp rpki -a ipv6 table 210.173.170.254|head -n4
Network            Maxlen AS
2001:608::/32      32     5539
2001:610::/32      48     1103
2001:610:240::/42  42     3333
```

We configure the peer 10.0.255.1 to send three routes:

1. 2.0.0.0/12 (Origin AS: 3215)
2. 2.1.0.0/16 (Origin AS: 65001)
3. 192.168.1.0/24 (Origin AS: 65001)

From the above ROA information, the first is valid, the second is
invalid (the origin should be 3215 too), and the third is a private IPv4
prefix, so it should not appear in the ROA table at all.

Let's check out the adjacent rib-in of the peer:

```bash
$ gobgp neighbor 10.0.255.1 adj-in
    Network         Next Hop    AS_PATH  Age      Attrs
V   2.0.0.0/12      10.0.255.1  3215     00:08:39 [{Origin: i}]
I   2.1.0.0/16      10.0.255.1  65001    00:08:39 [{Origin: i}]
N   192.168.1.0/24  10.0.255.1  65001    00:08:39 [{Origin: i}]
```

As you can see, the first is marked as "V" (Valid), the second as "I"
(Invalid), and the third as "N" (Not Found).

## Policy with validation results

The validation result can be used as a [Policy condition](policy.md). You
can apply any action (e.g., dropping the route or adding an extended
community attribute) based on the validation result. As an
example, this section shows how to drop an invalid route.

Currently, all the routes from peer 10.0.255.1 are included in peer 10.0.255.2's local RIB.

```bash
$ gobgp neighbor 10.0.255.2 local
    Network         Next Hop    AS_PATH  Age      Attrs
V*> 2.0.0.0/12      10.0.255.1  3215     00:23:47 [{Origin: i}]
I*> 2.1.0.0/16      10.0.255.1  65001    00:23:47 [{Origin: i}]
N*> 192.168.1.0/24  10.0.255.1  65001    00:23:47 [{Origin: i}]
```

We add a policy to the above configuration.

```toml
[global.config]
  as = 64512
  router-id = "10.0.255.254"

[[neighbors]]
  [neighbors.config]
    peer-as = 65001
    neighbor-address = "10.0.255.1"
  [neighbors.route-server.config]
    route-server-client = true

[[neighbors]]
  [neighbors.config]
    peer-as = 65002
    neighbor-address = "10.0.255.2"
  [neighbors.route-server.config]
    route-server-client = true
  [neighbors.apply-policy.config]
    import-policy-list = ["AS65002-IMPORT-RPKI"]

[[rpki-servers]]
  [rpki-servers.config]
    address = "210.173.170.254"
    port = 323

[[policy-definitions]]
  name = "AS65002-IMPORT-RPKI"
  [[policy-definitions.statements]]
    name = "statement1"
    [policy-definitions.statements.conditions.bgp-conditions]
      rpki-validation-result = "invalid"
    [policy-definitions.statements.actions]
      route-disposition = "reject-route"
```

The accepted values for **rpki-validation-result** are defined below.

| Validation Result | Value       |
| ----------------- | ----------- |
| Not Found         | "not-found" |
| Valid             | "valid"     |
| Invalid           | "invalid"   |

With the new configuration, the IMPORT policy rejects the invalid route 2.1.0.0/16.

```bash
$ gobgp neighbor 10.0.255.2 local
    Network         Next Hop    AS_PATH  Age      Attrs
V*> 2.0.0.0/12      10.0.255.1  3215     00:00:21 [{Origin: i}]
N*> 192.168.1.0/24  10.0.255.1  65001    00:00:21 [{Origin: i}]
```

### Detailed Information about validation

You can get detailed validation information for an announced route.

```bash
$ gobgp neighbor 10.0.255.1 adj-in 2.1.0.0/16 validation
Target Prefix: 2.1.0.0/16, AS: 65001
  This route is invalid  reason: as
  No VRP ASN matches the route origin ASN.

  Matched VRPs:
    No Entry
  Unmatched AS VRPs:
    Network     AS    MaxLen
    2.0.0.0/12  3215  16
    2.1.0.0/16  3215  16
  Unmatched Length VRPs:
    No Entry
```

From this, we can see that 2.1.0.0/16 (Origin AS: 65001) is invalid because of its origin AS:
the origin AS should be 3215.
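The Valid / Invalid / Not Found decision and the matched / unmatched-AS / unmatched-length breakdown shown above follow the RFC 6811 origin validation procedure. The following Go program is an added example, not code from the GoBGP project: it parses the three VRP rows printed by `gobgp rpki table` on this page (embedded as a constructed string), validates the three announced routes plus one extra constructed route (2.0.1.0/24, more specific than the MaxLen of 16) to show the "length" reason, and prints the V/I/N marker. The type names, the `Reason` field and the rule that "as" takes precedence over "length" when both kinds of covering VRP exist are choices made for this example, not GoBGP's internal API.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// VRP is one Validated ROA Payload row as `gobgp rpki table` prints it.
type VRP struct {
	Prefix netip.Prefix
	MaxLen int
	AS     uint32
}

// ParseVRPTable reads the text form of `gobgp rpki table`: a header line
// "Network Maxlen AS" followed by one VRP per line.
func ParseVRPTable(s string) ([]VRP, error) {
	var vrps []VRP
	sc := bufio.NewScanner(strings.NewReader(s))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || f[0] == "Network" {
			continue // header or blank line
		}
		p, err := netip.ParsePrefix(f[0])
		if err != nil {
			return nil, err
		}
		maxlen, err := strconv.Atoi(f[1])
		if err != nil {
			return nil, err
		}
		as, err := strconv.ParseUint(f[2], 10, 32)
		if err != nil {
			return nil, err
		}
		vrps = append(vrps, VRP{Prefix: p.Masked(), MaxLen: maxlen, AS: uint32(as)})
	}
	return vrps, sc.Err()
}

// Result uses the same strings as the rpki-validation-result policy condition.
type Result string

const (
	Valid    Result = "valid"
	Invalid  Result = "invalid"
	NotFound Result = "not-found"
)

// Validation is the per-route breakdown, mirroring the sections gobbgp prints
// under `gobgp neighbor <peer> adj-in <prefix> validation` (field names are
// this example's own).
type Validation struct {
	Result          Result
	Reason          string // "as" or "length" when Invalid, otherwise ""
	Matched         []VRP
	UnmatchedAS     []VRP
	UnmatchedLength []VRP
}

// covers reports whether the VRP prefix contains the whole route prefix
// (same address family, shorter-or-equal length, same network bits).
func covers(vrp VRP, route netip.Prefix) bool {
	return vrp.Prefix.Bits() <= route.Bits() && vrp.Prefix.Contains(route.Addr())
}

// ValidateOrigin applies RFC 6811: a covering VRP whose AS equals the origin
// and whose MaxLen allows the route length makes the route Valid; covering
// VRPs that fail one of those tests make it Invalid; no covering VRP means
// NotFound. Reason precedence ("as" before "length") is an assumption here.
func ValidateOrigin(route netip.Prefix, originAS uint32, vrps []VRP) Validation {
	route = route.Masked()
	var v Validation
	for _, vrp := range vrps {
		if !covers(vrp, route) {
			continue
		}
		asOK := vrp.AS == originAS
		lenOK := route.Bits() <= vrp.MaxLen
		switch {
		case asOK && lenOK:
			v.Matched = append(v.Matched, vrp)
		case !asOK:
			v.UnmatchedAS = append(v.UnmatchedAS, vrp)
		default:
			v.UnmatchedLength = append(v.UnmatchedLength, vrp)
		}
	}
	switch {
	case len(v.Matched) > 0:
		v.Result = Valid
	case len(v.UnmatchedAS) > 0:
		v.Result, v.Reason = Invalid, "as"
	case len(v.UnmatchedLength) > 0:
		v.Result, v.Reason = Invalid, "length"
	default:
		v.Result = NotFound
	}
	return v
}

// Marker returns the one-letter flag gobgp prefixes to adj-in rows.
func Marker(r Result) string {
	switch r {
	case Valid:
		return "V"
	case Invalid:
		return "I"
	}
	return "N"
}

// vrpTable is constructed from the three rows shown on this page.
const vrpTable = `Network     Maxlen AS
2.0.0.0/12  16     3215
2.0.0.0/16  16     3215
2.1.0.0/16  16     3215
`

func main() {
	vrps, err := ParseVRPTable(vrpTable)
	if err != nil {
		panic(err)
	}
	routes := []struct {
		prefix string
		as     uint32
	}{
		{"2.0.0.0/12", 3215},
		{"2.1.0.0/16", 65001},
		{"192.168.1.0/24", 65001},
		{"2.0.1.0/24", 3215}, // constructed: covered, right AS, but longer than MaxLen
	}
	for _, r := range routes {
		v := ValidateOrigin(netip.MustParsePrefix(r.prefix), r.as, vrps)
		fmt.Printf("%s %-16s AS%-6d %-9s %s\n", Marker(v.Result), r.prefix, r.as, v.Result, v.Reason)
	}
}
```

The `Unmatched AS VRPs` list for 2.1.0.0/16 comes out as 2.0.0.0/12 and 2.1.0.0/16, exactly the two entries gobgp printed above; 2.0.0.0/16 does not cover 2.1.0.0/16 and is correctly ignored. The same structure is what a `rpki-validation-result = "invalid"` policy condition keys on.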