Following previous article on RPKI – Use Routinator with Cisco IOS-XR, you will find here some tips to run routinator in a production environnement.
routinator configuration
Routinator can be started with a configuration file as below :
routinator@srv-rpki01:~$ cat .routinator.conf # Routinator Configuration # # The configuration file is a TOML file. It consists of a sequence of # key-value pairs, each on its own line. Strings are to be enclosed in # double quotes. Lists of values can be given by enclosing a # comma-separated sequence of these values in square brackets. # # See https://github.com/toml-lang/toml for detailed information on the # format. # # This file contains all configuration settings with explanations and their # default values. # Repository directory # # This is where Routinator stores the local copy of the RPKI repository. # Any relative path is interpreted with respect to the directory this config # lives in. # # This setting is mandatory. # repository-dir = "/home/routinator/.rpki-cache/repository/" # Trust Anchor Locator (TAL) directory # # All the files with the extension ".tal" in this directory are treated as # trust anchor locators for RPKI validation. # # A relative path is interpreted with respect to the directory this config # lives in. # # This setting is mandatory. # tal-dir = "/home/routinator/.rpki-cache/tals/" # Local exceptions files # # This settings contains a array of paths to files that contain local # exceptions. The files are JSON files according to RFC 8416 (aka SLURM). exceptions = [ "/home/routinator/.exceptions.slurm" ] # Strict mode # # If strict mode, Routinator will stick to the requirements in the respective # RFCs very strictly. See # https://github.com/NLnetLabs/rpki-rs/blob/master/doc/relaxed-validation.md # for information on what is allowed when strict mode is off. #strict = false # Rsync command # # This is the command to run as rsync. This is only command, no options. rsync-command = "rsync" # Rsync arguments # # This is a list of arguments to give to rsync. #rsync-args = [] # Number of parallel rsync commands # # This is the maximum number of rsync commands that are run in parallel. # We are not sure, if the current default is any good. Some feedback whether # it is causing trouble or whether a higher value would even be fine is very # much appreciated. # #rsync-count = 4 # Number of validation threads # # The number of threads that are used for validating the repository. The # default value is the number of CPUs. validation-threads = 2 # Refresh interval # # How often the repository should be updated and validated in RTR mode. # Specifically, this is the number of seconds the process will wait after # having finished validation before starting the next update. # # The default is the value indirectly recommended by RFC 8210. refresh = 3600 # RTR retry interval # # This is the time an RTR client is told to wait before retrying a failed # query in seconds. retry = 600 # RTR expire interval # # This is the time an RTR client is told to keep using data if it can't # refresh it. # default = 7200 (2h) set to 6h expire = 21600 # History size # # The number of deltas to keep. If a client requests an older delta, it is # served the entire set again. # # There was no particular reason for choosing the default ... history-size = 10 # Listen addresses for RTR TCP transport. # # This is an array of strings, each string a socket address of the form # "address:port" with IPv6 address in square brackets. rtr-listen = ["0.0.0.0:3323"] # Listen addresses for Prometheus HTTP monitoring endpoint. # # This is an array of strings, each string a socket address of the form # "address:port" with IPv6 address in square brackets. # # Port 9556 is allocated for the routinator exporter. # https://github.com/prometheus/prometheus/wiki/Default-port-allocations # http-listen = ["0.0.0.0:8080"] # Log level # # The maximum log level ("off", "error", "warn", "info", or "debug") for # which to log messages. log-level = "info" # Log target # # Where to log to. One of "stderr" for stderr, "syslog" for syslog, or "file" # for a file. If "file" is given, the "log-file" field needs to be given, too. # # Can also be "default", in which case "syslog" is used in daemon mode and # "stderr" otherwise log = "file" # Syslog facility # # The syslog facility to log to if syslog logging is used. #syslog-facility = "daemon" # Log file # # The path to the file to log to if file logging is used. If the path is # relative, it is relative to the directory this config file lives in. log-file = "/home/routinator/logs/routinator.log" # Daemon PID file # # When in daemon mode, Routinator can store its process ID in a file given # through this entry. It will keep that file locked while running. By default, # no pid file is used. pid-file = "/home/routinator/routinator.pid" # Daemon working directory # # If this entry is given, the daemon process will change its working directory # to this directory. Otherwise it remains in the current directory. #working-dir = "/home/routinator/" # Daemon Chroot # # If this entry is given, the daemon process will change its root directory to # this directory. Startup will fail if any of the other directories given is # not within this directory. #chroot = ...
Please note the file /home/routinator/.exceptions.slurm will be used to create ROA/ROV exceptions.
Example below shows how to drop ROA received from TAL for ASN 65551, then create after local ROA exceptions for the prefix TEST-NET2 198.51.100.0/24, with a maxPrefixLength /24 and from ASN 65551.
routinator@srv-rpki01:~$ cat .exceptions.slurm { "slurmVersion": 1, "validationOutputFilters": { "prefixFilters": [ { "asn": 65551, "comment": "All VRPs matching our ASN 65551 as we do assertions below" } ], "bgpsecFilters": [ ] }, "locallyAddedAssertions": { "prefixAssertions": [ { "asn": 65551, "prefix": "198.51.100.0/24", "maxPrefixLength": 24, "comment": "IPv4 TEST-NET2" } ], "bgpsecAssertions": [ ] } }
Doing so will permit to create an ROA exception, distributed to your routers running RPKI. It will allow to permit this prefix to be considered as valid on your BGP infrastructure / routers running ROV, despite TAL valid, invalid and/or unknown RPKI state.
Note : this is not propagated to TAL. And it should used only in emergency for certain circumstances. I create a temporary hack deployed by Ansible for invalid ROAs which are not well declared by the originator (yes it happen). It could occur for some prefixes when moving property of some blocks or moving from RIR to another. In this case, unwanted behaviour for your customer can occur and you need to create temporary exceptions to keep the route in your BGP RIB.
If you need more details on how SLURM are defined and used, please take a look on :
- RFC 8416 : Simplified Local Internet Number Resource Management with the RPKI (SLURM)
- Github Routinator Examples : routinator/test/slurm/
systemd and routinator
To start automatically routinator with systemd, you just have to create the following unit file :
root@srv-rpki01:~# cat /etc/systemd/system/routinator.service [Unit] Description=Routinator RPKI daemon After=network.target [Service] User=routinator Group=routinator RuntimeDirectory=routinator RuntimeDirectoryPreserve=yes RuntimeDirectoryMode=755 Environment="" PIDFile=/home/routinator/routinator.pid ExecStart=/home/routinator/.cargo/bin/routinator server --pid-file /home/routinator/routinator.pid --user routinator Restart=on-failure [Install] WantedBy=multi-user.target
Then enable and start it :
root@srv-rpki01:~# systemctl start routinator.service && tail -f /home/routinator/logs/* root@srv-rpki01:~# systemctl status routinator.service ● routinator.service - Routinator RPKI daemon Loaded: loaded (/etc/systemd/system/routinator.service; enabled; vendor preset: enabled) Active: active (running) since Mon 2020-01-13 12:31:40 UTC; 2 weeks 3 days ago Main PID: 13469 (routinator) Tasks: 9 (limit: 2361) CGroup: /system.slice/routinator.service └─13469 /home/routinator/.cargo/bin/routinator server --pid-file /home/routinator/routinator.pid --user routinator Jan 13 12:31:40 srv-rpki01 systemd[1]: Started Routinator RPKI daemon. root@srv-rpki01:~# systemctl daemon-reload root@srv-rpki01:~# systemctl enable routinator.service
Next : How to monitor Routinator !
[…] RPKI – More Routinator … […]
[…] RPKI – More Routinator … 30/01/2020 […]