Page MenuHomeVyOS Platform
Create Task
Maniphest T7432

RPKI VRF Support
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

Summary

Add support for RPKI in a VRF

Op-mode commands

show rpki as-number <asn>  vrf <vrf>
show rpki cache-connection vrf <vrf>
show rpki cache-server vrf <vrf>
show rpki prefix <prefix> vrf <vrf>
show rpki prefix <prefix> as-number <asn> vrf <vrf>
show rpki prefix-table vrf <vrf>
reset rpki vrf <vrf>

Configuration Commands

set vrf name <name> protocols rpki cache <cache> port <port>
set vrf name <name> protocols rpki cache <cache> preference <pref>
set vrf name <name> protocols rpki cache <cache> source-address <src>
set vrf name <name> protocols rpki cache <cache> ssh username <username>
set vrf name <name> protocols rpki cache <cache> ssh key <key>
set vrf name <name> protocols rpki polling-period <rolling-period>
set vrf name <name> protocols rpki retry-interval <retry-interval>

Use case

Users may be running a VRF for Internet routes and want to run RPKI for these

Additional information

FRRouting added BGP RPKI VRF support in FRRouting 10.0

"BGP RPKI VRF support
Now RPKI for BGP can be configured per-VRF."

Details

Version
-
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedFEATURE REQUESTc-poT6747 frr: upgrade routing suite to 10.2
 ResolvedFEATURE REQUESTyzguyT7432 RPKI VRF Support

Event Timeline

yzguy created this task.May 5 2025, 8:14 PM
pasik subscribed.May 5 2025, 8:17 PM
yzguy updated the task description. (Show Details)May 5 2025, 8:18 PM
yzguy updated the task description. (Show Details)May 5 2025, 8:24 PM
yzguy updated the task description. (Show Details)May 5 2025, 8:37 PM
Viacheslav changed the task status from Open to In progress.May 6 2025, 9:10 AM
Viacheslav assigned this task to yzguy.
Viacheslav triaged this task as Normal priority.
Viacheslav subscribed.

Good practice to link PR to the forge task
PR https://github.com/vyos/vyos-1x/pull/4497

c-po added a parent task: T6747: frr: upgrade routing suite to 10.2.May 7 2025, 6:57 PM
c-po added a project: VyOS 1.5 Circinus.
yzguy mentioned this in rVYOSONEX05d71332442b: T7432: smoketests for RPKI VRF support.Jun 12 2025, 2:20 PM
yzguy mentioned this in rVYOSONEX1fa28abc7035: T7432: RPKI VRF Support.
Restricted Repository Identity mentioned this in rVYOSONEXdcba87b2394b: Merge pull request #4497 from yzguy/T7432.Jun 12 2025, 2:20 PM
aalmenar subscribed.EditedJun 25 2025, 5:05 PM

I have installed version:

Version:          VyOS 2025.06.24-0020-rolling
Release train:    current
Release flavor:   generic

Built by:         autobuild@vyos.net
Built on:         Tue 24 Jun 2025 00:20 UTC
Build UUID:       e9dff867-16c0-4cd1-ae14-e552e3c6abd7
Build commit ID:  3222553a260ae5

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest
Secure Boot:      n/a (BIOS)

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID:    bc0c0310-4c7e-42f3-84fb-7e53cddab0bd

Copyright:        VyOS maintainers and contributors

this version has this changes, but after configuring it and seeing it's connected to the rpki server over the vrf routers, routers are not being validated, while using the non-vrf configuration return me the routes validated like this:

$ show ip bgp ipv4 unicast x.x.x.x/z
BGP routing table entry for x.x.x./x version 534811
Paths: (2 available, best #1, table default)
  Not advertised to any peer
  x y z
    x.x.x.x from x.x.x.x (x.x.x.x)
      Origin IGP, metric 0, localpref 145, valid, external, multipath, best (Older Path), rpki validation-state: valid
      Community: 1000:2001
      Large Community: 1000:2001:62000
      Last update: Wed Jun 25 18:32:39 2025

while the same version with rpki configure to be used over a vrf:

$ show ip bgp ipv4 unicast x.x.x.x/x
BGP routing table entry for x.x.x./x, version 534811
Paths: (2 available, best #1, table default)
  Not advertised to any peer
  x y z
    x.x.x.x from x.x.x.x (x.x.x.x)
      Origin IGP, metric 0, localpref 145, valid, external, multipath, best (Older Path)
      Community: 1000:2001
      Large Community: 1000:2001:62000
      Last update: Wed Jun 25 18:32:39 2025

i can confirm over vrf its connected to the rpki server:

$ show rpki cache-connection vrf Management
Connected to group 1
rpki tcp cache x.x.x.2 3323 pref 1 (connected)
rpki tcp cache x.x.x.3 3323 pref 2

Let me know if anything else is needed to debug

yzguy added a comment.EditedJun 25 2025, 5:10 PM

@aalmenar I believe you would need to configure RPKI in the default VRF + your management VRF. They validate prefixes for their respective VRFs
I believe this is a limitation/intention of FRRouting not VyOS itself

https://docs.frrouting.org/en/latest/bgp.html#configuring-rpki-rtr-cache-servers

RPKI/RTR can be configured independently, either in configure node, or in vrf sub context. If configured in configure node, the core bgp instance of default vrf is impacted by the configuration.

Each RPKI/RTR context is mapped to a vrf and can be made up of a specific list of cache-servers, and specific settings.
aalmenar added a comment.Jun 25 2025, 5:16 PM
In T7432#227763, @yzguy wrote:

@aalmenar I believe you would need to configure RPKI in the default VRF + your management VRF. They validate prefixes for their respective VRFs
I believe this is a limitation/intention of FRRouting not VyOS itself

https://docs.frrouting.org/en/latest/bgp.html#configuring-rpki-rtr-cache-servers

RPKI/RTR can be configured independently, either in configure node, or in vrf sub context. If configured in configure node, the core bgp instance of default vrf is impacted by the configuration.

Each RPKI/RTR context is mapped to a vrf and can be made up of a specific list of cache-servers, and specific settings.

Understood. I know it must be FRRouting and not VyOS. If its a limitation in FRRouting on purpose, i don´t see why they made it this way...

c-po edited projects, added VyOS 1.5 Circinus (1.5-stream-2025-Q3); removed VyOS 1.5 Circinus.Jul 11 2025, 6:48 PM
c-po moved this task from Need Triage to Completed on the VyOS Rolling board.
c-po closed this task as Resolved.Jul 19 2025, 10:40 AM
c-po moved this task from Open to Finished on the VyOS 1.5 Circinus (1.5-stream-2025-Q3) board.