
Add support for RPKI source ip
On hold, Low, Public

Description

The rpki part of frr allows to specify a source IP used to connect to the rpki validator cache server.

Would be nice if VyOS supports this like it does with NTP. For example, if you only want to whitelist one IP (for example loopback) on the firewall of the cache server, or if this server is only accessible via a VRF.

I can try to create a pull request.

Details

Version
-
Is it a breaking change?
Perfectly compatible

Event Timeline

Loremo created this object in space S1 VyOS Public.
Loremo updated the task description. (Show Details)
Loremo changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible. Dec 8 2023, 2:31 PM

Or you can use PBR for destination/source address /port/protocol

Hello @Viacheslav

Just so I understand you correctly, you mean:

A: It would be better to control the connection using policy-based routing.

or

B: It would be good with the source parameter, because then you can create a policy-based routing rule based on this specified IP.

@Loremo I think this contribution would be valuable. Have you made any progress with your PR?

Thanks!

Yes and no. Even before I created this ticket, I tried a small test locally. Unfortunately, I was not able to get the tests to run (even without my changes).

Since I only know VyOS as a user in my private lab and nothing of the internals, I was then unsure after @Viacheslav's comment whether this makes sense at all and didn't try any further.

But if the change is desired, I can invest more time.

For me personally this change makes sense: a router has multiple interfaces, the Source IP is selected in different ways, and especially for RPKI servers outside the network (public ones), this could even break connectivity. Vendors like Juniper had this issue and eventually added the option, which means probably VyOS will benefit too, especially since "it's just setting a value in FRR's config"™ (famous last words ;).

I am happy to work on this together, if you feel there's a benefit, and since I can't see your contact details on Phabricator, you can find mine on daknob.net -- Just e-mail me :)

It is easy to add
In FRR it looks like:

r4(config-rpki)# rpki cache 192.0.2.1 8888 
  SSH_UNAME   SSH user name
  preference  Preference of the cache server
  source      Configure source IP address of RPKI connection

Needs to add source check to the template https://github.com/vyos/vyos-1x/blob/ca15e16f3f1b5174dc7ee2efa531aa974d3e97db/data/templates/frr/rpki.frr.j2#L8-L10
And add XML source option for configuration https://github.com/vyos/vyos-1x/blob/current/interface-definitions/protocols_rpki.xml.in
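As an added illustration of the template-side change described above (example code, not VyOS's own template or FRR's), a small renderer for the FRR `rpki cache` line with an optional source address, which also refuses a source whose address family does not match the cache address so the mismatch fails at commit time rather than as a silently non-connecting RTR session. The dictionary keys and the placement of `source` before `preference` are assumptions.

```python
import ipaddress

# Constructed sample of a hypothetical "protocols rpki cache" node with a
# "source" leaf; this is not VyOS's actual data model.
SAMPLE_CACHES = {
    "192.0.2.1": {"port": 8888, "preference": 1, "source": "192.0.2.254"},
    "2001:db8::10": {"port": 3323, "preference": 2},
}


def check_source(cache_addr: str, source: str) -> None:
    """Reject a source IP whose address family differs from the cache address."""
    src_ip = ipaddress.ip_address(source)  # ValueError if not an IP literal
    try:
        cache_ip = ipaddress.ip_address(cache_addr)
    except ValueError:
        return  # cache given as a hostname: family not known at config time
    if src_ip.version != cache_ip.version:
        raise ValueError(
            f"source {source} and cache {cache_addr} differ in address family"
        )


def render_rpki_cache(addr: str, cfg: dict) -> str:
    """Render one 'rpki cache' line in FRR syntax.

    Assumed command shape: rpki cache ADDR PORT [USER KEY [KNOWN_HOSTS]]
    [source X] preference N.
    """
    line = f" rpki cache {addr} {cfg['port']}"
    if "username" in cfg:
        line += f" {cfg['username']} {cfg['ssh_key_file']}"
        if "known_hosts_file" in cfg:
            line += f" {cfg['known_hosts_file']}"
    if "source" in cfg:
        check_source(addr, cfg["source"])
        line += f" source {cfg['source']}"
    return line + f" preference {cfg['preference']}"


def render_rpki(caches: dict) -> str:
    """Render the whole FRR 'rpki' block for a mapping of cache address -> options."""
    body = [render_rpki_cache(addr, cfg) for addr, cfg in caches.items()]
    return "\n".join(["rpki", *body, "exit"])


if __name__ == "__main__":
    print(render_rpki(SAMPLE_CACHES))
```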

natali-rs1985 changed the task status from Open to In progress. May 10 2024, 3:28 PM
natali-rs1985 claimed this task.
natali-rs1985 changed the task status from In progress to On hold. Jun 13 2024, 3:10 PM

Have to postpone it until the upgrade of FRRouting to version 10.1.