Route Origin Validation With Routinator - A MANRS Approach for Operators
2 likes793 views
This document provides an overview of Route Origin Validation (ROV) using Resource Public Key Infrastructure (RPKI) and the Routinator software. It discusses how RPKI and Route Origin Authorizations (ROAs) allow network operators to validate the origin AS of IP prefixes through a digital certificate and signature-based system. The document outlines the steps to set up Routinator as an RPKI validator, generate ROAs, and configure routers to perform ROV. It also provides examples of analyzing invalid route origins and working with network owners to resolve routing issues.
![Installation
• curl https://sh.rustup.rs -sSf | sh
• sudo apt install cargo
• source ~/.cargo/env
• cargo install routinator
• routinator init --accept-arin-rpa
• routinator server --rtr [SERVER IP]:3323 --http [SERVER IP]:9556 –d
• routinator -v vrps
https://rpki.readthedocs.io/en/latest/routinator/installation.html](https://image.slidesharecdn.com/rpki-v31577682664-200113005217/85/Route-Origin-Validation-With-Routinator-A-MANRS-Approach-for-Operators-19-320.jpg)
![Adding Into Crontab
• nano /etc/rovscript.sh
#!/bin/bash
/home/[USER]/.cargo/bin/routinator init -f --accept-arin-rpa &
/home/[USER]/.cargo/bin/routinator server --rtr [SERVER IP]:3323 --http [SERVER IP]:9556 -d &
• sudo chmod +x rovscript.sh
• crontab -e
@reboot /etc/rovscript.sh
5 13 * * * /home/nano/.cargo/bin/routinator -v vrps &
5 0 * * * /home/nano/.cargo/bin/routinator -v vrps &](https://image.slidesharecdn.com/rpki-v31577682664-200113005217/85/Route-Origin-Validation-With-Routinator-A-MANRS-Approach-for-Operators-20-320.jpg)
![Router Configuration
router bgp [ASN]
rpki server [SERVER IP]
transport tcp port 3323
refresh-time 120
address-family ipv4 unicast
bgp origin-as validation signal ibgp
address-family ipv6 unicast
bgp origin-as validation signal ibgp
Configuration of IOS-XR](https://image.slidesharecdn.com/rpki-v31577682664-200113005217/85/Route-Origin-Validation-With-Routinator-A-MANRS-Approach-for-Operators-22-320.jpg)
![Router Configuration
• routing-options {
autonomous-system [ASN];
validation {
group rpki-validator {
Session [Server IP] {
refresh-time 120;
Port 3323;
local-address X.X.X.253;
}
}
}
}
Configuration of Junos](https://image.slidesharecdn.com/rpki-v31577682664-200113005217/85/Route-Origin-Validation-With-Routinator-A-MANRS-Approach-for-Operators-23-320.jpg)
![Checking
• ps ax| grep routinator
1369 ? Sl 124:05 /home/[USER]/.cargo/bin/routinator server --rtr [SERVER IP]:3323 --http [SERVER IP]:9556 -d
7487 pts/0 S+ 0:00 grep --color=auto routinator
• sh bgp rpki server summary
Sun Nov 3 12:27:37.333 UTC
Hostname/Address Transport State Time ROAs (IPv4/IPv6)
[SERVER IP] TCP:3323 ESTAB 6d19h 97473/16440](https://image.slidesharecdn.com/rpki-v31577682664-200113005217/85/Route-Origin-Validation-With-Routinator-A-MANRS-Approach-for-Operators-24-320.jpg)
![Monitoring
• apt install prometheus
• nano /etc/prometheus/prometheus.yml
- job_name: 'Routinator'
# Override the global default and scrape targets from this job every 5 seconds.
scrape_interval: 5s
scrape_timeout: 10s
# metrics_path defaults to '/metrics'
# scheme defaults to 'http'.
target_groups:
- targets: ['[SERVER IP]:9556']
service prometheus stop
service prometheus start
https://prometheus.io/docs/introduction/overview/](https://image.slidesharecdn.com/rpki-v31577682664-200113005217/85/Route-Origin-Validation-With-Routinator-A-MANRS-Approach-for-Operators-25-320.jpg)
![Monitoring
# HELP routinator_valid_roas number of valid ROAs seen
# HELP routinator_vrps_total total number of VRPs seen
# HELP routinator_last_update_start seconds since last update started
# HELP routinator_last_update_duration duration in seconds of last update
# HELP routinator_last_update_done seconds since last update finished
# HELP routinator_serial current RTR serial number
# HELP routinator_rsync_status exit status of rsync command
# HELP routinator_rsync_duration duration of rsync in seconds
# HELP routinator_rrdp_status status code for getting notification file
# HELP routinator_rrdp_duration duration of rsync in seconds
http://[server ip]:9556/metrics](https://image.slidesharecdn.com/rpki-v31577682664-200113005217/85/Route-Origin-Validation-With-Routinator-A-MANRS-Approach-for-Operators-26-320.jpg)
Route Origin Validation With Routinator - A MANRS Approach for Operators
- 1. Route Origin Validation With Routinator - A MANRS Approach for Operators Md. Zobair Khan Fiber@Home Limited
- 2. Acknowledgement • This paper is made taking notes, diagram, configurations from MANRS, APNIC training materials, NLnet Labs & Dr. Philip Smith along with the operational experience of the author.
- 3. MANRS • Mutually Agreed Norms for Routing Security (MANRS) is a global initiative, supported by the Internet Society, that provides crucial fixes to reduce the most common routing threats.
- 4. MANRS • MANRS outlines four simple but concrete actions that network operators should take: • Filtering • Anti-spoofing • Coordination • Global Validation
- 5. Global Validation • Publish your data, so others can validate routing information on a global scale • Automated information validation needs arrangements • Securing global routing information is done by RPKI
- 6. Resource Public Key Infrastructure (RPKI) • RPKI allows holders of Internet number resources to make verifiable statements about how they intend to use their resources. • RPKI is a way to define data in an out-of-band system such that the information that are exchanged by BGP can be validated to be correct. • RPKI is used to make Internet routing more secure.
- 7. Importance of RPKI • Secured Routing Table • Dynamic LOA checking • Maintaining a Dynamic Chain of Trust • Digitally Signed Resources Certificate (X.509 Certificates-RFC5280) • Helps to Stop Route Hijack
- 8. Route Origin Authorizations (ROA) • Using the RPKI system, the legitimate holder of a block of IP addresses can use their resource certificate to make an authoritative, signed statement about which autonomous system is authorized to originate their prefix in BGP. • These statements are called Route Origin Authorizations (ROAs).
- 9. Route Origin Validation (ROV) • RPKI system tries to closely mimic what route objects in the IRR intend to do, but then in a more trustworthy manner. • This process is called route origin validation (ROV)
- 10. Validity • Valid - Resources found in database which is called Validated ROA Payload (VRP). • Invalid – Resources found but partial/whole information doesn’t match with database. • Not Found - The prefix in this announcement is not covered by a VRP.
- 11. RPKI - Chain Of Trust
- 12. Ecosystem
- 13. Working Steps • Creating ROA for owned resources for RPKI • Implementing Validator relying software for ROV • Enforcing policies for based on Validation
- 14. Creating ROA • Go to Resources > Route Management and select Create route https://www.apnic.net/wp-content/uploads/2017/12/ROUTE_MANAGEMENT_GUIDE.pdf
- 15. Creating ROA • Mention your prefix with ASN & desired subnet & Submit https://www.apnic.net/wp-content/uploads/2017/12/ROUTE_MANAGEMENT_GUIDE.pdf
- 16. Relying Party Software NLnet Labs Routinator https://www.nlnetlabs.nl/projects/rpki/routinator/ https://github.com/NLnetLabs/routinator Dragon Research validator https://rpki.net https://github.com/dragonresearch/rpki.net/ RIPE NCC validator https://github.com/RIPE-NCC/rpki-validator-3/wiki LACNIC/NIC Mexico validator (FORT) https://github.com/NICMx/FORT-validator Cloudflare validator (OctoRPKI) https://github.com/cloudflare/cfrpki
- 17. Routinator • Routinator is free, open source RPKI Relying Party software written by NLnet Labs in the Rust programming language. • Routinator connects to the Trust Anchors of the five Regional Internet Registries (RIRs) — APNIC, AFRINIC, ARIN, LACNIC and RIPE NCC — downloads all of the certificates and ROAs in the various repositories, verifies the signatures and makes the result available for use in the BGP workflow. • The validated cache can be fed directly into RPKI-capable routers via the RPKI to Router Protocol (RPKI-RTR), described in RFC 8210. https://rpki.readthedocs.io/en/latest/routinator/index.html
- 18. Why Routinator? • Designed to have a small footprint and great portability • Can run on any Unix-like operating system, but also works on Microsoft Windows via API • Have a mailing list for general discussion and exchanging operational experiences (https://nlnetlabs.nl/mailman/listinfo/rpki) • Problem report & feature request is possible (https://github.com/NLnetLabs/routinator/issues) • Used in production by AT&T, NTT, AMS-IX, DECIX and many more https://rpki.readthedocs.io/en/latest/routinator/index.html
- 19. Installation • curl https://sh.rustup.rs -sSf | sh • sudo apt install cargo • source ~/.cargo/env • cargo install routinator • routinator init --accept-arin-rpa • routinator server --rtr [SERVER IP]:3323 --http [SERVER IP]:9556 –d • routinator -v vrps https://rpki.readthedocs.io/en/latest/routinator/installation.html
- 20. Adding Into Crontab • nano /etc/rovscript.sh #!/bin/bash /home/[USER]/.cargo/bin/routinator init -f --accept-arin-rpa & /home/[USER]/.cargo/bin/routinator server --rtr [SERVER IP]:3323 --http [SERVER IP]:9556 -d & • sudo chmod +x rovscript.sh • crontab -e @reboot /etc/rovscript.sh 5 13 * * * /home/nano/.cargo/bin/routinator -v vrps & 5 0 * * * /home/nano/.cargo/bin/routinator -v vrps &
- 21. Allow In Iptables • -A INPUT -i ens18 -p tcp -m tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT • -A INPUT -i ens18 -p tcp -m tcp --sport 873 -m state --state NEW,ESTABLISHED -j ACCEPT • -A INPUT -i ens18 -p tcp -m tcp --dport 9556 -m state --state NEW,ESTABLISHED -j ACCEPT • -A INPUT -i ens18 -p tcp -m tcp --sport 9556 -m state --state NEW,ESTABLISHED -j ACCEPT • -A INPUT -i ens18 -p tcp -m tcp --dport 3323 -m state --state NEW,ESTABLISHED -j ACCEPT • -A INPUT -i ens18 -p tcp -m tcp --sport 3323 -m state --state NEW,ESTABLISHED -j ACCEPT • -A INPUT -i ens18 -p tcp -m tcp --dport 9100 -m state --state NEW,ESTABLISHED -j ACCEPT • -A INPUT -i ens18 -p tcp -m tcp --sport 9100 -m state --state NEW,ESTABLISHED -j ACCEPT • -A INPUT -i ens18 -p tcp -m tcp --dport 9090 -m state --state NEW,ESTABLISHED -j ACCEPT • -A INPUT -i ens18 -p tcp -m tcp --sport 9090 -m state --state NEW,ESTABLISHED -j ACCEPT
- 22. Router Configuration router bgp [ASN] rpki server [SERVER IP] transport tcp port 3323 refresh-time 120 address-family ipv4 unicast bgp origin-as validation signal ibgp address-family ipv6 unicast bgp origin-as validation signal ibgp Configuration of IOS-XR
- 23. Router Configuration • routing-options { autonomous-system [ASN]; validation { group rpki-validator { Session [Server IP] { refresh-time 120; Port 3323; local-address X.X.X.253; } } } } Configuration of Junos
- 24. Checking • ps ax| grep routinator 1369 ? Sl 124:05 /home/[USER]/.cargo/bin/routinator server --rtr [SERVER IP]:3323 --http [SERVER IP]:9556 -d 7487 pts/0 S+ 0:00 grep --color=auto routinator • sh bgp rpki server summary Sun Nov 3 12:27:37.333 UTC Hostname/Address Transport State Time ROAs (IPv4/IPv6) [SERVER IP] TCP:3323 ESTAB 6d19h 97473/16440
- 25. Monitoring • apt install prometheus • nano /etc/prometheus/prometheus.yml - job_name: 'Routinator' # Override the global default and scrape targets from this job every 5 seconds. scrape_interval: 5s scrape_timeout: 10s # metrics_path defaults to '/metrics' # scheme defaults to 'http'. target_groups: - targets: ['[SERVER IP]:9556'] service prometheus stop service prometheus start https://prometheus.io/docs/introduction/overview/
- 26. Monitoring # HELP routinator_valid_roas number of valid ROAs seen # HELP routinator_vrps_total total number of VRPs seen # HELP routinator_last_update_start seconds since last update started # HELP routinator_last_update_duration duration in seconds of last update # HELP routinator_last_update_done seconds since last update finished # HELP routinator_serial current RTR serial number # HELP routinator_rsync_status exit status of rsync command # HELP routinator_rsync_duration duration of rsync in seconds # HELP routinator_rrdp_status status code for getting notification file # HELP routinator_rrdp_duration duration of rsync in seconds http://[server ip]:9556/metrics
- 27. Monitoring
- 28. Monitoring
- 29. Decision • Since now the validation states are visible to you, you can decide what to do with invalids • You can – – Use them with low preference – Or drop them
- 30. Policy route-policy RPKI if validation-state is invalid then set local-preference 50 else if validation-state is valid then set local-preference 200 else pass endif endif end-policy route-policy RPKI if validation-state is invalid then drop else if validation-state is valid then set local-preference 200 else pass endif endif end-policy Configuration of IOS-XR
- 31. Observation • sh bgp origin-as validity invalid | exclude 9498 | exclude 6453 | exclude 2914 | exclude 132602 Network Next Hop Metric LocPrf Weight Path *>i103.206.228.0/24 103.7.251.241 450 0 137491 137491 137491 137491 134146 134146 132735 135037 i *>i104.134.130.0/24 103.7.251.241 0 850 0 15169 395973 i *> 119.30.36.0/24 163.47.157.86 450 0 24389 24389 64512 i *> 120.50.24.0/21 163.47.157.82 0 450 0 38712 i * 163.47.157.94 0 450 0 38712 38712 38712 38712 38712 i *> 103.134.59.0/24 103.7.248.110 450 0 58689 58689 58689 58689 135615 139834 i *> 103.139.9.0/24 103.7.248.110 450 0 58689 65507 i
- 32. Observation - 1 • 103.206.228.0/24 - 135037 I • Techno Asia BD • Originated from 135037 • ROA created for parent block - /22 • Route Object ok • Current Status : Issue Resolved by Owner after notification
- 33. Observation - 2 • 104.134.130.0/24 - 395973 I • Google • Originated from 395973 • ROA created accordingly • Route Object not updated • Current Status : No response yet after sending notification
- 34. Observation - 3 • 119.30.36.0/24 - 64512 I • Grameenphone • Originated from 64512 (Private ASN) • ROA created for parent block not for /24 ( ROA shows public & private ASN) • Route Object not updated • Current Status : Issue Resolved by Owner after notification
- 35. Observation - 4 • 120.50.24.0/21 - 38712 I • Telnet Communication Limited • Originated from 38712 • ROA created for parent block - /19 • Route Object ok • Current Status : Issue Resolved by Owner after notification
- 36. Observation - 5 • 103.134.59.0/24 - 139834 i • Achiever Broadband Internet • Originated from 139834 • ROA created for parent block - /22 • Route Object ok • Current Status : Issue Resolved by Owner after notification
- 37. Observation - 6 • 103.139.9.0/24 - 65507 i • ICC COMMUNICATION LTD. • Originated from 65507 • ROA created for parent block - /23 • Route Object ok • Current Status : Issue Resolved by Owner after notification
- 39. Reference • https://www.manrs.org/about/ • https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/ • http://www.bgp4all.com.au/pfs/training/apnic48/agenda • https://www.nlnetlabs.nl/projects/rpki/routinator/ • https://www.ripe.net/manage-ips-and-asns/resource-management/certification/tools-and-resources • https://github.com/cloudflare/cfrpki#octorpki