While looking into how to drop RPKI-invalid routes, I tested a Routinator setup. Installing the Routinator RPKI-RTR cache validator is pretty easy following their documentation.
curl https://sh.rustup.rs -sSf | sh
source ~/.cargo/env
cargo install routinator
routinator init   # Follow instructions provided
routinator server --rtr 127.0.0.1:3323
When this is done, you can start the configuration on the router. I work almost daily on the Cisco IOS-XR platform (on ASR9K hardware), and there are in fact a few tricks needed to make this work, as IOS-XR only supports the RTR protocol over a secure transport (SSH, for example).
Configure RPKI server and secure transport
On the RPKI server, create a dedicated user that the router will use for the SSH secure transport of the RTR protocol.
Then set up a subsystem in sshd_config:
# cat /etc/ssh/sshd_config
[...]
PermitRootLogin no
# needed for user RPKI
PasswordAuthentication yes
[...]
# Define an `rpki-rtr` subsystem which is actually `netcat` used to proxy STDIN/STDOUT
# to a running `routinator rtrd -a -l 127.0.0.1:3323`
Subsystem rpki-rtr /bin/nc 127.0.0.1 3323
[...]
# Certain routers may use old KEX algos and Ciphers which are no longer enabled by default.
# These examples are required in IOS-XR 5.3 but no longer enabled by default in OpenSSH 7.3
Ciphers +3des-cbc
KexAlgorithms +diffie-hellman-group1-sha1
When this is done, we can move on to the IOS-XR side to set up the RPKI server.
Configure IOS-XR RPKI server
To configure IOS-XR, first set up the RPKI server with the SSH username and password (the password is no longer shown in the configuration after commit).
router bgp 64567
 !
 rpki server 188.8.131.52
  username rpki
  password rpkipassword
  transport ssh port 22
  refresh-time 3600
  response-time 600
When this is done, you need to set up the SSH client, because yes, the IOS-XR SSH client still uses Cisco SSH protocol version 1.99 by default! You can also set a source VRF and a source interface if needed. Take care: some releases, like eXR (the x64 version of IOS-XR) in 6.1.x, do not support the ssh client v2 option …
ssh client v2
ssh client vrf myVRF
ssh client source-interface Loopback10
After that, the connection should be established:
bgp: %ROUTING-BGP-5-RPKI_ADJCHANGE : 184.108.40.206 UP

RP/0/RP0/CPU0:router#sh bgp rpki summary
RPKI cache-servers configured: 1
RPKI database
  Total IPv4 net/path: 97550/105601
  Total IPv6 net/path: 15818/17522

RP/0/RP0/CPU0:router#sh bgp rpki server 220.127.116.11
RPKI Cache-Server 18.104.22.168
  Transport: SSH port 22
  Connect state: ESTAB
  Conn attempts: 1
  Total byte RX: 4080600
  Total byte TX: 7652
  SSH information
    Username: rpki
    Password: *****
    SSH PID: 674259340
  RPKI-RTR protocol information
    Serial number: 727
    Cache nonce: 0x79CA
    Protocol state: DATA_END
    Refresh time: 3600 seconds
    Response time: 600 seconds
    Purge time: 60 seconds
  Protocol exchange
    ROAs announced: 131296 IPv4 23152 IPv6
    ROAs withdrawn: 25695 IPv4 5630 IPv6
    Error Reports : 0 sent 0 rcvd
Now you can enable ROV on IOS-XR, based on the RPKI table:
RP/0/RP0/CPU0:router#sh bgp rpki table
Network                 Maxlen  Origin-AS  Server
22.214.171.124/24       24      13335      126.96.36.199
188.8.131.52/24         24      13335      184.108.40.206
220.127.116.11/29       29      9583       18.104.22.168
22.214.171.124/16       24      4788       126.96.36.199
188.8.131.52/24         24      65037      184.108.40.206
220.127.116.11/24       24      24514      18.104.22.168
[...]
Enable Route Origin Validation on IOS-XR
As stated in the Cisco documentation (BGP Prefix Origin Validation Based on RPKI), and thanks to a Cisco SE, I discovered that “Starting from Release 6.5.1, origin-as validation is disabled by default, you must enable it per address family”.
router bgp 64567
 !
 address-family ipv4 unicast
  bgp origin-as validation enable
  bgp bestpath origin-as use validity
  bgp bestpath origin-as allow invalid
 !
 address-family ipv6 unicast
  bgp origin-as validation enable
  bgp bestpath origin-as use validity
  bgp bestpath origin-as allow invalid
 !
In fact, if you enable “bgp bestpath origin-as use validity”, take care with how the BGP best path selection is modified. See the Patel NANOG presentation about Cisco’s Origin Validation implementation. Reading it, BGP will prefer Valid paths over Not Found paths (and over Invalid ones, if you allow them). It means that eBGP paths received over iBGP sessions will probably be removed earlier from the best path selection algorithm, even if local-pref or MED favours the iBGP-received paths, because the RPKI ROV tie-break has a higher priority.

bgp bestpath origin-as use validity behavior: During BGP best path selection, the default behavior, if neither of the above options is configured, is that the system will prefer prefixes in the following order:
Those with a validation state of valid.
Those with a validation state of not found.
Those with a validation state of invalid (which, by default, will not be installed in the routing table).
These preferences override metric, local preference, and other choices made during the bestpath computation.
Use the following command to understand and check the impact:
RP/0/RP0/CPU0:router# sh bgp 22.214.171.124/24 bestpath-compare
On my side, I prefer to drop invalids using route policies on the eBGP sessions, so I keep control. So I do not use bestpath validation:
router bgp 64567 bgp origin-as validation time 30
router bgp 64567 address-family ipv4 unicast bgp origin-as validation enable
router bgp 64567 address-family ipv4 unicast bgp bestpath origin-as allow invalid
router bgp 64567 address-family ipv6 unicast bgp origin-as validation enable
router bgp 64567 address-family ipv6 unicast bgp bestpath origin-as allow invalid
To drop invalids on each eBGP session, I simply use the following standard route-policy:
route-policy RP_DROP_RPKI_INVALID
  if validation-state is invalid then
    drop
  endif
end-policy
This RPL is called early in the inbound policy, together with the policies that drop bogon prefixes (aka martians) or bogon ASNs.
route-policy RP_EBGP_PEER_IN
  apply RP_DROP_BOGONS
  apply RP_DROP_DEFAULT_ROUTE
  apply RP_DROP_RPKI_INVALID
  [...]
end-policy
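To see what the router is doing behind “validation-state is invalid” and behind “use validity”, here is an added Python example (not part of the original post, nor Cisco or Routinator code) that applies the RFC 6811 origin validation rules to the ROA entries shown in the “sh bgp rpki table” excerpt above, then compares a simplified best path selection with and without the validity tie-break. The ROA list and the path attributes are constructed samples; the bestpath model only considers local-pref.

```python
import ipaddress

# Constructed sample ROA table from the "sh bgp rpki table" excerpt above:
# (prefix, maxlen, origin-AS). strict=False normalises host bits so that
# each entry becomes the covering network, as the RTR cache delivers it.
ROAS = [
    ("22.214.171.124/24", 24, 13335),
    ("188.8.131.52/24", 24, 13335),
    ("220.127.116.11/29", 29, 9583),
    ("22.214.171.124/16", 24, 4788),
    ("188.8.131.52/24", 24, 65037),
    ("220.127.116.11/24", 24, 24514),
]
ROA_TABLE = [(ipaddress.ip_network(p, strict=False), ml, asn) for p, ml, asn in ROAS]


def validation_state(prefix, origin_as, roas=ROA_TABLE):
    """RFC 6811 route origin validation: 'valid', 'not found' or 'invalid'."""
    route = ipaddress.ip_network(prefix, strict=False)
    # A ROA "covers" the route when its prefix contains the route prefix.
    covering = [r for r in roas
                if r[0].version == route.version and route.subnet_of(r[0])]
    if not covering:
        return "not found"
    # Valid if at least one covering ROA matches the origin AS and the
    # route is not more specific than the ROA's maxlen; otherwise invalid.
    for _roa_net, maxlen, roa_as in covering:
        if roa_as == origin_as and route.prefixlen <= maxlen:
            return "valid"
    return "invalid"


STATE_RANK = {"valid": 0, "not found": 1, "invalid": 2}


def best_path(paths, use_validity=False, allow_invalid=True):
    """Pick a winner among (neighbor, validation_state, local_pref) tuples.
    Simplified model: higher local-pref wins. With use_validity the RPKI
    state is compared first, so it overrides local-pref as described above."""
    candidates = [p for p in paths if allow_invalid or p[1] != "invalid"]
    if use_validity:
        return min(candidates, key=lambda p: (STATE_RANK[p[1]], -p[2]))[0]
    return max(candidates, key=lambda p: p[2])[0]


def apply_drop_invalid(routes):
    """Equivalent of RP_DROP_RPKI_INVALID on (prefix, origin_as) pairs."""
    return [(p, asn) for p, asn in routes if validation_state(p, asn) != "invalid"]
```

Note the 22.214.171.0/24 case: it is valid both for AS 13335 (the /24 ROA) and for AS 4788 (the /16 ROA with maxlen 24), but a /25 is invalid for either, since it exceeds both maxlens.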
Then you’re done 😉 Next article: how to set up Routinator with a configuration file and a SLURM exceptions file.