github.com/osrg/gobgp@v2.0.0+incompatible/docs/sources/rpki.md

# RPKI

This page explains how to use a Resource Public Key Infrastructure
(RPKI) server to do Origin AS Validation.

## Prerequisites

Assume you finished [Getting Started](getting-started.md).

## Contents

- [Configuration](#configuration)
- [Validation](#validation)
- [Policy with validation results](#policy-with-validation-results)
- [Force Re-validation](#force-re-validation)

## Configuration

You need to add the **[RpkiServers]** section (`[[rpki-servers]]` in the
TOML below) to your configuration file. We use the following file. Note
that this is a route server setup, but RPKI can be used with a non
route server setup as well.

```toml
[global.config]
  as = 64512
  router-id = "10.0.255.254"

[[neighbors]]
  [neighbors.config]
    peer-as = 65001
    neighbor-address = "10.0.255.1"
  [neighbors.route-server.config]
    route-server-client = true

[[neighbors]]
  [neighbors.config]
    peer-as = 65002
    neighbor-address = "10.0.255.2"
  [neighbors.route-server.config]
    route-server-client = true

[[rpki-servers]]
  [rpki-servers.config]
    address = "210.173.170.254"
    port = 323
```

## Validation

You can verify whether gobgpd successfully connects to the RPKI server
and gets the ROA (Route Origin Authorization) information in the
following way:

```bash
$ gobgp rpki server
Session                   State  Uptime     #IPv4/IPv6 records
210.173.170.254:323       Up     00:03:06   14823/2168
```

```bash
$ gobgp rpki table 210.173.170.254|head -n4
Network            Maxlen AS
2.0.0.0/12         16     3215
2.0.0.0/16         16     3215
2.1.0.0/16         16     3215
```

By default, IPv4's ROA information is shown. You can see IPv6's like:

```bash
$ gobgp rpki -a ipv6 table 210.173.170.254|head -n4
Network            Maxlen AS
2001:608::/32      32     5539
2001:610::/32      48     1103
2001:610:240::/42  42     3333
```

We configure the peer 10.0.255.1 to send three routes:

1. 2.0.0.0/12 (Origin AS: 3215)
2. 2.1.0.0/16 (Origin AS: 65001)
3. 192.168.1.0/24 (Origin AS: 65001)

From the above ROA information, the first is valid. The second is
invalid (the origin should be 3215 too). The third is a private IPv4
range, so no ROA covers it.

Let's check out the adjacent rib-in of the peer:

```bash
$ gobgp neighbor 10.0.255.1 adj-in
    Network            Next Hop             AS_PATH              Age        Attrs
V   2.0.0.0/12         10.0.255.1           3215                 00:08:39   [{Origin: i}]
I   2.1.0.0/16         10.0.255.1           65001                00:08:39   [{Origin: i}]
N   192.168.1.0/24     10.0.255.1           65001                00:08:39   [{Origin: i}]
```

As you can see, the first is marked as "V" (Valid), the second as "I"
(Invalid), and the third as "N" (Not Found).

## Policy with validation results

The validation result can be used as a [Policy's condition](policy.md). You
can take any action (e.g., drop the route, add an extended
community attribute, etc.) according to the validation result. As an
example, this section shows how to drop an invalid route.

Currently, all the routes from peer 10.0.255.1 are included in peer 10.0.255.2's local RIB.

```bash
$ gobgp neighbor 10.0.255.2 local
    Network            Next Hop             AS_PATH              Age        Attrs
V*> 2.0.0.0/12         10.0.255.1           3215                 00:23:47   [{Origin: i}]
I*> 2.1.0.0/16         10.0.255.1           65001                00:23:47   [{Origin: i}]
N*> 192.168.1.0/24     10.0.255.1           65001                00:23:47   [{Origin: i}]
```

We add a policy to the above configuration.

```toml
[global.config]
  as = 64512
  router-id = "10.0.255.254"

[[neighbors]]
  [neighbors.config]
    peer-as = 65001
    neighbor-address = "10.0.255.1"
  [neighbors.route-server.config]
    route-server-client = true

[[neighbors]]
  [neighbors.config]
    peer-as = 65002
    neighbor-address = "10.0.255.2"
  [neighbors.route-server.config]
    route-server-client = true
  [neighbors.apply-policy.config]
    import-policy-list = ["AS65002-IMPORT-RPKI"]

[[rpki-servers]]
  [rpki-servers.config]
    address = "210.173.170.254"
    port = 323

[[policy-definitions]]
  name = "AS65002-IMPORT-RPKI"
  [[policy-definitions.statements]]
    name = "statement1"
    [policy-definitions.statements.conditions.bgp-conditions]
      rpki-validation-result = "invalid"
    [policy-definitions.statements.actions]
      route-disposition = "reject-route"
```

The values for **RpkiValidationResult** (the `rpki-validation-result` key above) are defined as below.

| Validation Result | Value           |
|-------------------|-----------------|
| Not Found         | "not-found"     |
| Valid             | "valid"         |
| Invalid           | "invalid"       |

With the new configuration, the IMPORT policy rejects the invalid 2.1.0.0/16.

```bash
$ gobgp neighbor 10.0.255.2 local
    Network            Next Hop             AS_PATH              Age        Attrs
V*> 2.0.0.0/12         10.0.255.1           3215                 00:00:21   [{Origin: i}]
N*> 192.168.1.0/24     10.0.255.1           65001                00:00:21   [{Origin: i}]
```

### Detailed Information about validation

You can get detailed information about an announced route.

```bash
$ gobgp neighbor 10.0.255.1 adj-in 2.1.0.0/16 validation
Target Prefix: 2.1.0.0/16, AS: 65001
  This route is invalid  reason: as
  No VRP ASN matches the route origin ASN.

  Matched VRPs:
    No Entry
  Unmatched AS VRPs:
    Network            AS         MaxLen
    2.0.0.0/12         3215       16
    2.1.0.0/16         3215       16
  Unmatched Length VRPs:
    No Entry
```

From this, we can see that 2.1.0.0/16 (Origin AS: 65001) is invalid because of its origin AS:
the origin AS should be 3215.

## Force Re-validation

Validation runs every time a BGP UPDATE message arrives. A change in
the ROA set does not by itself trigger re-validation. The following
command lets you re-validate all the routes.

```bash
$ gobgp rpki validate
```
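The V/I/N marking, the "Matched / Unmatched AS / Unmatched Length VRPs" breakdown and the re-validation behaviour described above all follow from the RFC 6811 origin validation rule: only VRPs whose prefix covers the route count, and a covering VRP matches when its AS equals the route's origin AS and the route is no longer than the VRP's MaxLen. The Go program below is an added example, not code from GoBGP; it implements that rule over a VRP table constructed from the `gobgp rpki table` excerpt on this page, reproduces the three results shown, models the `AS65002-IMPORT-RPKI` policy as a filter, and goes one step further than the page by also showing the "length" reason (a too-specific announcement from the right AS). The names `VRP`, `Validate`, `RejectInvalid` and the rule for choosing between the "as" and "length" reasons are this example's own assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
)

// VRP is one Validated ROA Payload as listed by `gobgp rpki table`:
// a prefix, the maximum announced length, and the authorised origin AS.
type VRP struct {
	Prefix netip.Prefix
	MaxLen int
	AS     uint32
}

// Result is the RFC 6811 validation state; String() is the flag gobgp
// prints in front of a route (N = Not Found, V = Valid, I = Invalid).
type Result int

const (
	NotFound Result = iota
	Valid
	Invalid
)

func (r Result) String() string { return [...]string{"N", "V", "I"}[r] }

// Validation is the outcome plus the detail that
// `gobgp neighbor <peer> adj-in <prefix> validation` reports.
type Validation struct {
	Result          Result
	Reason          string // "" when not invalid, otherwise "as" or "length"
	Matched         []VRP
	UnmatchedAS     []VRP
	UnmatchedLength []VRP
}

// Validate classifies a route announced with the given origin AS against a VRP table.
// A VRP covers the route when its prefix contains the route's prefix. A covering VRP
// matches when the AS is equal and the route is no longer than MaxLen. The reason is
// "length" when a covering VRP with the right AS exists but the route is too specific,
// and "as" when no covering VRP carries the origin AS at all (an assumption made here
// so that the output agrees with the page; RFC 6811 itself defines no reason string).
func Validate(route netip.Prefix, origin uint32, vrps []VRP) Validation {
	route = route.Masked()
	var v Validation
	for _, vrp := range vrps {
		p := vrp.Prefix.Masked()
		// Different address families never cover each other.
		if p.Addr().Is4() != route.Addr().Is4() {
			continue
		}
		// Covering check: the VRP prefix is no more specific than the route and contains it.
		if p.Bits() > route.Bits() || !p.Contains(route.Addr()) {
			continue
		}
		asMatch := vrp.AS == origin
		lenMatch := route.Bits() <= vrp.MaxLen
		switch {
		case asMatch && lenMatch:
			v.Matched = append(v.Matched, vrp)
		case !asMatch:
			v.UnmatchedAS = append(v.UnmatchedAS, vrp)
		default:
			v.UnmatchedLength = append(v.UnmatchedLength, vrp)
		}
	}
	switch {
	case len(v.Matched) > 0:
		v.Result = Valid
	case len(v.UnmatchedAS) == 0 && len(v.UnmatchedLength) == 0:
		v.Result = NotFound // no covering VRP at all
	case len(v.UnmatchedLength) > 0:
		v.Result, v.Reason = Invalid, "length"
	default:
		v.Result, v.Reason = Invalid, "as"
	}
	return v
}

// Route is an announcement as seen in adj-in: the prefix and its origin AS.
type Route struct {
	Prefix netip.Prefix
	Origin uint32
}

// RejectInvalid models the page's AS65002-IMPORT-RPKI policy: routes whose
// validation result is "invalid" are dropped, everything else is imported.
func RejectInvalid(routes []Route, vrps []VRP) []Route {
	var accepted []Route
	for _, r := range routes {
		if Validate(r.Prefix, r.Origin, vrps).Result != Invalid {
			accepted = append(accepted, r)
		}
	}
	return accepted
}

// PageVRPs is a table constructed from the IPv4 `gobgp rpki table` excerpt on this page.
func PageVRPs() []VRP {
	return []VRP{
		{netip.MustParsePrefix("2.0.0.0/12"), 16, 3215},
		{netip.MustParsePrefix("2.0.0.0/16"), 16, 3215},
		{netip.MustParsePrefix("2.1.0.0/16"), 16, 3215},
	}
}

func main() {
	routes := []Route{
		{netip.MustParsePrefix("2.0.0.0/12"), 3215},      // V
		{netip.MustParsePrefix("2.1.0.0/16"), 65001},     // I, reason "as"
		{netip.MustParsePrefix("192.168.1.0/24"), 65001}, // N
		{netip.MustParsePrefix("2.0.0.0/20"), 3215},      // I, reason "length" (not on the page)
	}
	for _, r := range routes {
		v := Validate(r.Prefix, r.Origin, PageVRPs())
		fmt.Printf("%s %-16s AS%-6d reason=%-7q matched=%d unmatchedAS=%d unmatchedLen=%d\n",
			v.Result, r.Prefix, r.Origin, v.Reason, len(v.Matched), len(v.UnmatchedAS), len(v.UnmatchedLength))
	}
	fmt.Println("imported by AS65002-IMPORT-RPKI:", RejectInvalid(routes, PageVRPs()))
}
```

Because `Validate` is a pure function of the route and the VRP table, the re-validation point is visible directly: a daemon that caches results per UPDATE keeps returning the old verdict after the table changes until it runs the check again over every route, which is what `gobgp rpki validate` forces.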