
Add initial RPKI support
Closed, Resolved (Public, Feature Request)

Description

We need to add RPKI support (https://tools.ietf.org/html/rfc6480).
Since more and more providers will start enforcing it soon, it becomes vital to have this functionality supported.

Details

Version
-

Event Timeline

syncer triaged this task as High priority.

That would be very nice to be able to use.
I just tested the rolling image and when I try to start bgpd with this module loaded it cannot find it.

It would be nice to have it in 1.2.x because at the moment most providers start enforcing it.

<dmbaturin> Hi! If you are ready to help with testing it, I'll be happy to make a CLI.
<dmbaturin> I think it should be orthogonal with all other features indeed, so a perfect candidate for RC3.
<dmbaturin> It would be perfect if you make a small write-up on setting it up by hand in FRR because I haven't used RPKI yet.

Here is a short introduction to RPKI: https://de.slideshare.net/mynog/rpki-introduction-by-randy-bush

For FRR you need to compile it with RPKI support and load the module:

When first installing FRR with RPKI support from the pre-packaged binaries, remember to add -M rpki to the variable bgpd_options in /etc/frr/daemons.conf, like so:

bgpd_options="   --daemon -A 127.0.0.1 -M rpki"

instead of the default setting:

bgpd_options="   --daemon -A 127.0.0.1"

Otherwise you will encounter an error when trying to enter RPKI configuration mode due to the rpki module not being loaded when the BGP daemon is initialized.

The configuration is described in: http://docs.frrouting.org/en/latest/bgp.html#prefix-origin-validation-using-rpki

The rpki validator service should not run on the router and is downloadable on :

https://www.ripe.net/manage-ips-and-asns/resource-management/certification/tools-and-resources

In T865#20843, @rherold wrote:

It would be nice to have it in 1.2.x because at the moment most providers start enforcing it.

Minor: You don't need this FEAT for others enforcing your ROAs. You need this FEAT to enforce received-routes on VyOS.

You don't need this FEAT for others enforcing your ROAs. You need this FEAT to enforce received-routes on VyOS.

I am aware of that. Since I am an NSP myself, I would very much like to enforce it myself. I work with several providers who are going to enforce it or are already enforcing it.

I have taken a look and the todo would be:

Add librtr to VyOS: https://github.com/rtrlib/rtrlib (it builds on the VyOS build chroot)
Build FRR with librtr
Make configuration templates

Hey,

As this rather important topic has been in the backlog for quite some time, I would like to ask if one of us "non-devs" could help somehow to get the feature implemented?

I tested it on one of my border routers today and it seems to be working with IPv6 (dropping 692 routes because of invalid ROA state). Sadly I am unable to test IPv4 at the moment.

UPDATE: IPv4 is working as intended.

Looks like the cache server is pushed into the FRR configuration multiple times if the configuration gets updated.

admin@rt-1# show protocols rpki
 cache routinator {
     address routinator.mylab.net
     port 3323
 }
rt-1.mylab.net# show rpki cache-server
host: routinator.mylab.net port: 3323
host: routinator.mylab.net port: 3323
host: routinator.mylab.net port: 3323
host: routinator.mylab.net port: 3323
host: routinator.mylab.net port: 3323
host: routinator.mylab.net port: 3323
host: routinator.mylab.net port: 3323
host: routinator.mylab.net port: 3323
rt-1.mylab.net# show rpki cache-connection
Connected to group 1
rpki tcp cache routinator.mylab.net 3323 pref 1
rpki tcp cache routinator.mylab.net 3323 pref 1
rpki tcp cache routinator.mylab.net 3323 pref 1
rpki tcp cache routinator.mylab.net 3323 pref 1
rpki tcp cache routinator.mylab.net 3323 pref 1
rpki tcp cache routinator.mylab.net 3323 pref 1
rpki tcp cache routinator.mylab.net 3323 pref 1
rpki tcp cache routinator.mylab.net 3323 pref 1

In addition to that, it would be great if we could get the RPKI FRR commands within VyOS:

rt-1.mylab.net# show rpki
  cache-connection  Show to which RPKI Cache Servers we have a connection
  cache-server      SHOW configured cache server
  prefix-table      Show validated prefixes which were received from RPKI Cache
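Two things in this thread lend themselves to a small worked example: the by-hand FRR setup (a cache server plus origin validation applied to received routes) and the bug above where the same cache server is re-appended to the FRR configuration on every commit. The following Python is an added example, not VyOS or FRR code: it renders an idempotent FRR rpki stanza from a VyOS-style config dict (the dict layout is an assumption mirroring the `show protocols rpki` output above), renders a route-map that rejects RPKI-invalid routes (a policy choice, not something the thread prescribes), and parses `show rpki cache-server` output to flag duplicated entries. The FRR commands used (`rpki cache <host> <port> preference <n>`, `rpki polling_period`, `match rpki invalid`) follow the FRR BGP documentation linked earlier; the sample `show` output is constructed.

```python
"""Render an idempotent FRR RPKI stanza and check FRR 'show rpki cache-server'
output for duplicated cache entries.  Added example; not VyOS/FRR code."""
import re
from collections import Counter

# Constructed sample of what a VyOS 'protocols rpki' subtree might contain
# (layout is an assumption modelled on the 'show protocols rpki' output above).
VYOS_RPKI = {
    "cache": {
        "routinator": {"address": "routinator.mylab.net", "port": 3323, "preference": 1},
    },
    "polling-period": 300,
}


def render_frr_rpki(cfg):
    """Build the FRR 'rpki' configuration node.

    Each (address, port) pair is emitted exactly once, so rendering the same
    dict repeatedly (as on every config commit) cannot accumulate duplicates,
    which is the behaviour reported in the thread.
    """
    lines = ["rpki"]
    if "polling-period" in cfg:
        lines.append(f" rpki polling_period {cfg['polling-period']}")
    seen = set()
    caches = cfg.get("cache", {}).values()
    for c in sorted(caches, key=lambda c: c.get("preference", 1)):
        key = (c["address"], int(c["port"]))
        if key in seen:
            continue  # same cache configured twice under different names
        seen.add(key)
        lines.append(f" rpki cache {key[0]} {key[1]} preference {c.get('preference', 1)}")
    lines.append(" exit")  # FRR closes the rpki node with 'exit'
    return "\n".join(lines) + "\n"


def render_origin_validation_route_map(name="rpki-in"):
    """Route-map that denies RPKI-invalid routes and permits everything else.

    Apply it to a peer with 'neighbor <peer> route-map rpki-in in'.  Dropping
    'invalid' only (and not 'notfound') is the common conservative policy.
    """
    return "\n".join([
        f"route-map {name} deny 10",
        " match rpki invalid",
        f"route-map {name} permit 20",
    ]) + "\n"


# One line of 'show rpki cache-server' output, e.g. "host: routinator.mylab.net port: 3323"
SHOW_CACHE_RE = re.compile(r"^host:\s+(\S+)\s+port:\s+(\d+)$")


def find_duplicate_cache_servers(show_output):
    """Parse 'show rpki cache-server' output.

    Returns {(host, port): count} for every cache server listed more than
    once; an empty dict means the running config is clean.
    """
    counts = Counter()
    for line in show_output.splitlines():
        m = SHOW_CACHE_RE.match(line.strip())
        if m:
            counts[(m.group(1), int(m.group(2)))] += 1
    return {entry: n for entry, n in counts.items() if n > 1}


# Constructed sample mirroring the duplicated output reported in the thread.
SAMPLE_SHOW = """host: routinator.mylab.net port: 3323
host: routinator.mylab.net port: 3323
host: routinator.mylab.net port: 3323
"""

if __name__ == "__main__":
    print(render_frr_rpki(VYOS_RPKI))
    print(render_origin_validation_route_map())
    print("duplicates:", find_duplicate_cache_servers(SAMPLE_SHOW))
```

Rendering the whole rpki node from the desired state on every commit, rather than appending to what is already there, is what makes the template safe to re-apply; the duplicate check is a quick post-commit sanity test against the daemon's own view of its configuration.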

I can confirm the error mentioned by MrXermon.

syncer renamed this task from Add RPKI support to Add initial RPKI support. Jan 20 2019, 12:08 PM

Looks like the issue with the same host displayed multiple times is fixed in the latest FRR.