
RPKI – More Routinator …

Following the previous article, RPKI – Use Routinator with Cisco IOS-XR, here are some tips for running Routinator in a production environment.

routinator configuration

Routinator can be started with a configuration file such as the one below:

routinator@srv-rpki01:~$ cat .routinator.conf
# Routinator Configuration
#
# The configuration file is a TOML file. It consists of a sequence of
# key-value pairs, each on its own line. Strings are to be enclosed in
# double quotes. Lists of values can be given by enclosing a
# comma-separated sequence of these values in square brackets.
#
# See https://github.com/toml-lang/toml for detailed information on the
# format.
#
# This file contains all configuration settings with explanations and their
# default values.
# Repository directory
#
# This is where Routinator stores the local copy of the RPKI repository.
# Any relative path is interpreted with respect to the directory this config
# lives in.
#
# This setting is mandatory.

Please note that the file /home/routinator/.exceptions.slurm is used to create ROA/ROV exceptions.

The example below first drops every ROA received from the TALs for ASN 65551, then adds a local ROA assertion for the TEST-NET2 prefix 198.51.100.0/24, with a maxPrefixLength of /24, originated from ASN 65551.

routinator@srv-rpki01:~$ cat .exceptions.slurm
{
  "slurmVersion": 1,
  "validationOutputFilters": {
    "prefixFilters": [
      {
        "asn": 65551,
        "comment": "All VRPs matching our ASN 65551 as we do assertions below"
      }
    ],
    "bgpsecFilters": [
    ]
  },
  "locallyAddedAssertions": {
    "prefixAssertions": [
      {
        "asn": 65551,
        "prefix": "198.51.100.0/24",
        "maxPrefixLength": 24,
        "comment": "IPv4 TEST-NET2"
      }
    ],
    "bgpsecAssertions": [
    ]
  }
}

Doing so creates a ROA exception that is distributed to your routers running RPKI. The prefix is then considered valid by your BGP infrastructure / routers running ROV, whatever valid, invalid or unknown RPKI state the TAL-derived data would have given it.

Note: this is not propagated to the TAL, and it should be used only in an emergency, under specific circumstances. I created a temporary hack, deployed by Ansible, for invalid ROAs that are not correctly declared by the originator (yes, it happens). This can occur for some prefixes when the ownership of a block changes or when it moves from one RIR to another. In that case, your customers can see unwanted behaviour, and you need to create temporary exceptions to keep the route in your BGP RIB.
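To see exactly what such a SLURM file does to the validated data, here is an added example (not Routinator's code, not from the original post) that applies the prefix filters and prefix assertions from the file above to a constructed VRP set, following the SLURM semantics: a filter drops every VRP whose ASN and/or covering prefix match all of the keys it carries, and an assertion adds a VRP, after checking that maxPrefixLength is consistent with the prefix. The SLURM text and the sample VRPs are constructed for the example.

```python
import ipaddress
import json
from typing import Dict, List, Tuple

# Constructed SLURM document, equivalent to the .exceptions.slurm shown above.
SLURM_JSON = """{
  "slurmVersion": 1,
  "validationOutputFilters": {
    "prefixFilters": [{"asn": 65551, "comment": "drop all VRPs for our ASN 65551"}],
    "bgpsecFilters": []
  },
  "locallyAddedAssertions": {
    "prefixAssertions": [{"asn": 65551, "prefix": "198.51.100.0/24",
                          "maxPrefixLength": 24, "comment": "IPv4 TEST-NET2"}],
    "bgpsecAssertions": []
  }
}"""

# A VRP is (asn, prefix, maxLength). Constructed sample, as a validator
# would produce from the TALs.
VRP = Tuple[int, str, int]
SAMPLE_VRPS: List[VRP] = [
    (65551, "198.51.100.0/24", 24),  # badly declared ROA for our ASN: filtered
    (65551, "203.0.113.0/24", 24),   # also our ASN: filtered as well
    (64496, "192.0.2.0/24", 24),     # someone else's ROA: left untouched
]

def filter_matches(flt: Dict, vrp: VRP) -> bool:
    """A prefixFilter matches when every key it carries matches the VRP:
    equal ASN, and VRP prefix equal to or more specific than the filter prefix."""
    asn, prefix, _ = vrp
    if "asn" in flt and flt["asn"] != asn:
        return False
    if "prefix" in flt:
        net, cand = ipaddress.ip_network(flt["prefix"]), ipaddress.ip_network(prefix)
        if cand.version != net.version or not cand.subnet_of(net):
            return False
    return True

def apply_slurm(slurm_text: str, vrps: List[VRP]) -> List[VRP]:
    """Return the VRP set after dropping filtered entries and adding local assertions."""
    slurm = json.loads(slurm_text)
    if slurm.get("slurmVersion") != 1:
        raise ValueError("unsupported slurmVersion")
    filters = slurm["validationOutputFilters"]["prefixFilters"]
    kept = [v for v in vrps if not any(filter_matches(f, v) for f in filters)]
    for a in slurm["locallyAddedAssertions"]["prefixAssertions"]:
        net = ipaddress.ip_network(a["prefix"])  # rejects prefixes with host bits set
        max_len = a.get("maxPrefixLength", net.prefixlen)
        if not net.prefixlen <= max_len <= net.max_prefixlen:
            raise ValueError(f"bad maxPrefixLength {max_len} for {a['prefix']}")
        kept.append((a["asn"], str(net), max_len))
    return kept
```

Running apply_slurm(SLURM_JSON, SAMPLE_VRPS) leaves only the foreign VRP plus the locally asserted 198.51.100.0/24 for ASN 65551, which is what the routers will receive from the validator.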

If you need more details on how SLURM files are defined and used, please take a look at:

systemd and routinator

To start Routinator automatically with systemd, just create the following unit file:

root@srv-rpki01:~# cat /etc/systemd/system/routinator.service
[Unit]
Description=Routinator RPKI daemon
After=network.target

[Service]
User=routinator
Group=routinator
RuntimeDirectory=routinator
RuntimeDirectoryPreserve=yes
RuntimeDirectoryMode=755
Environment=""
PIDFile=/home/routinator/routinator.pid
ExecStart=/home/routinator/.cargo/bin/routinator server --pid-file /home/routinator/routinator.pid --user routinator
Restart=on-failure

[Install]
WantedBy=multi-user.target

Then enable and start it:

root@srv-rpki01:~# systemctl start routinator.service && tail -f /home/routinator/logs/*
root@srv-rpki01:~# systemctl status routinator.service
● routinator.service - Routinator RPKI daemon
Loaded: loaded (/etc/systemd/system/routinator.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-01-13 12:31:40 UTC; 2 weeks 3 days ago
Main PID: 13469 (routinator)
Tasks: 9 (limit: 2361)
CGroup: /system.slice/routinator.service
└─13469 /home/routinator/.cargo/bin/routinator server --pid-file /home/routinator/routinator.pid --user routinator
Jan 13 12:31:40 srv-rpki01 systemd[1]: Started Routinator RPKI daemon.
root@srv-rpki01:~# systemctl daemon-reload
root@srv-rpki01:~# systemctl enable routinator.service

Next: How to monitor Routinator!

Published in Réseau
