RPKI: An Operator’s Implementation
2 likes953 views
SEACOM's document outlines the steps they took to deploy RPKI (Resource Public Key Infrastructure) across their network, including creating BPKI and ROA profiles, certifying IP resources, and configuring routers running IOS, IOS XE, and Junos to validate routes using RPKI. It provides examples of commands to verify RPKI validation on routes advertised in BGP, and notes they encountered bugs in IOS XE that violated RFC 6811. The document concludes by stating SEACOM will report on CA services for downstream customers at an upcoming conference.
![COMMERCIAL–IN-CO NFI DENCE
Router Setup – Junos
tinka@lab# show routing-options validation
group rpki-validation-caches {
session 192.0.2.1 {
refresh-time 300;
port 43779;
local-address 192.0.2.254;
}
session 192.0.2.2 {
refresh-time 300;
port 43779;
local-address 192.0.2.254;
}
}
group rpki-validation-caches6 {
session 2001:db8::1 {
refresh-time 300;
port 43779;
local-address 2001:db8::254;
}
session 2001:db8::2 {
refresh-time 300;
port 43779;
local-address 2001:db8::254;
}
}
{master}[edit]
tinka@lab#](https://image.slidesharecdn.com/marktinka-mynog-rpki-experiences1439824033-150824040400-lva1-app6892/85/RPKI-An-Operator-s-Implementation-11-320.jpg)
RPKI: An Operator’s Implementation
- 1. COMMERCIAL–IN-CO NFI DENCECOMMERCIAL–IN-CO NFI DENCE SEACOM’s Experience Deploying RPKI
- 2. COMMERCIAL–IN-CO NFI DENCE RPKI • Resource Public Key Infrastructure. • Certify IP resources. • Validate route origination. • Phase 2 is to validate path. • Let’s talk about the steps (AFRINIC region).
- 4. COMMERCIAL–IN-CO NFI DENCE AuthorizedBPKI Profiles
- 5. COMMERCIAL–IN-CO NFI DENCE Resource Certification
- 6. COMMERCIAL–IN-CO NFI DENCE Create ROA’s
- 7. COMMERCIAL–IN-CO NFI DENCE View CreatedROA’s
- 8. COMMERCIAL–IN-CO NFI DENCE Download& Install RPKI Project (… was our choice) http://rpki.net/wiki/doc/RPKI/Installation
- 9. COMMERCIAL–IN-CO NFI DENCE Router Setup – IOS & IOS XE router bgp ASN bgp rpki server tcp 2001:DB8::1 port 43779 refresh 300 bgp rpki server tcp 2001:DB8::2 port 43779 refresh 300 bgp rpki server tcp 192.0.2.1 port 43779 refresh 300 bgp rpki server tcp 192.0.2.2 port 43779 refresh 300
- 10. COMMERCIAL–IN-CO NFI DENCE Router Setup – IOS XR router bgp ASN rpki server 192.0.2.1 transport tcp port 43779 refresh-time 300 ! rpki server 192.0.2.2 transport tcp port 43779 refresh-time 300 ! rpki server 2001:db8::1 transport tcp port 43779 refresh-time 300 ! rpki server 2001:db8::2 transport tcp port 43779 refresh-time 300 !
- 11. COMMERCIAL–IN-CO NFI DENCE Router Setup – Junos tinka@lab# show routing-options validation group rpki-validation-caches { session 192.0.2.1 { refresh-time 300; port 43779; local-address 192.0.2.254; } session 192.0.2.2 { refresh-time 300; port 43779; local-address 192.0.2.254; } } group rpki-validation-caches6 { session 2001:db8::1 { refresh-time 300; port 43779; local-address 2001:db8::254; } session 2001:db8::2 { refresh-time 300; port 43779; local-address 2001:db8::254; } } {master}[edit] tinka@lab#
- 12. COMMERCIAL–IN-CO NFI DENCE Verifying(… IOS & IOS XE example) lg-01-jnb.za>sh ip bgp 105.16.0.0 BGP routing table entry for 105.16.0.0/12, version 70256714 Paths: (2 available, best #2, table default) Not advertised to any peer Refresh Epoch 1 37100 105.22.32.1 from 105.22.32.1 (105.16.0.163) Origin IGP, metric 0, localpref 100, valid, external Community: 37100:1000 path 0F87C714 RPKI State valid rx pathid: 0, tx pathid: 0 Refresh Epoch 1 37100 105.22.40.1 from 105.22.40.1 (105.16.0.162) Origin IGP, metric 0, localpref 100, valid, external, best Community: 37100:1000 path 1B430634 RPKI State valid rx pathid: 0, tx pathid: 0x0 lg-01-jnb.za>
- 13. COMMERCIAL–IN-CO NFI DENCE Verifying(… IOS & IOS XE example) lg-01-jnb.za>sh bgp ipv6 unicast 2c0f:feb0::/32 BGP routing table entry for 2C0F:FEB0::/32, version 19272326 Paths: (2 available, best #2, table default) Not advertised to any peer Refresh Epoch 1 37100 2C0F:FEB0:B:2::1 (FE80::86B5:9C00:15FC:2400) from 2C0F:FEB0:B:2::1 (105.16.0.163) Origin IGP, metric 0, localpref 100, valid, external Community: 37100:1000 path 2BEDB1FC RPKI State valid rx pathid: 0, tx pathid: 0 Refresh Epoch 1 37100 2C0F:FEB0:B:3::1 (FE80::86B5:9C00:15F5:7C00) from 2C0F:FEB0:B:3::1 (105.16.0.162) Origin IGP, metric 0, localpref 100, valid, external, best Community: 37100:1000 path 2A2AC60C RPKI State valid rx pathid: 0, tx pathid: 0x0 lg-01-jnb.za>
- 14. COMMERCIAL–IN-CO NFI DENCE Verifying(… IOS & IOS XE example) lg-01-jnb.za#sh ip bgp rpki table 14946 BGP sovc network entries using 1315248 bytes of memory 15543 BGP sovc record entries using 310860 bytes of memory Network Maxlen Origin-AS Source Neighbor 2.0.0.0/16 16 3215 0 105.16.160.2/43779 2.0.0.0/16 16 3215 0 2C0F:FEB0:B:1::2/43779 2.0.0.0/16 16 3215 0 2C0F:FEB0:2:1::2/43779 2.0.0.0/16 16 3215 0 105.16.112.2/43779 2.0.0.0/12 16 3215 0 105.16.160.2/43779 2.0.0.0/12 16 3215 0 2C0F:FEB0:B:1::2/43779 2.1.0.0/16 16 3215 0 105.16.160.2/43779 2.1.0.0/16 16 3215 0 2C0F:FEB0:B:1::2/43779 2.1.0.0/16 16 3215 0 2C0F:FEB0:2:1::2/43779 2.1.0.0/16 16 3215 0 105.16.112.2/43779 <snip> … lg-01-jnb.za#
- 15. COMMERCIAL–IN-CO NFI DENCE Verifying(… IOS & IOS XE example) lg-01-jnb.za#sh bgp ipv6 unicast rpki table 2217 BGP sovc network entries using 248304 bytes of memory 2309 BGP sovc record entries using 46180 bytes of memory Network Maxlen Origin-AS Source Neighbor 2001:500:4::/48 48 10745 0 105.16.160.2/43779 2001:500:4::/48 48 10745 0 2C0F:FEB0:B:1::2/43779 2001:500:4::/48 48 10745 0 2C0F:FEB0:2:1::2/43779 2001:500:4::/48 48 10745 0 105.16.112.2/43779 2001:500:13::/48 48 393225 0 105.16.160.2/43779 2001:500:13::/48 48 393225 0 2C0F:FEB0:B:1::2/43779 2001:500:13::/48 48 393225 0 2C0F:FEB0:2:1::2/43779 2001:500:13::/48 48 393225 0 105.16.112.2/43779 2001:500:30::/48 48 10745 0 105.16.160.2/43779 2001:500:30::/48 48 10745 0 2C0F:FEB0:B:1::2/43779 <snip> … lg-01-jnb.za#
- 16. COMMERCIAL–IN-CO NFI DENCE Verifying(… IOS & IOS XE example) lg-01-jnb.za#sh ip bgp BGP table version is 100925789, local router ID is 105.22.40.2 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path N* 1.0.0.0/24 105.22.32.1 0 0 37100 15169 i N*> 105.22.40.1 0 0 37100 15169 i N* 1.0.4.0/24 105.22.32.1 0 0 37100 6939 4826 38803 56203 i N*> 105.22.40.1 0 0 37100 6939 4826 38803 56203 i N* 1.0.5.0/24 105.22.32.1 0 0 37100 6939 4826 38803 56203 i N*> 105.22.40.1 0 0 37100 6939 4826 38803 56203 i N* 1.0.6.0/24 105.22.32.1 0 0 37100 6939 4826 38803 56203 56203 56203 i N*> 105.22.40.1 0 0 37100 6939 4826 38803 56203 56203 56203 i N* 1.0.64.0/18 105.22.32.1 0 0 37100 2497 7670 7670 18144 i N*> 105.22.40.1 0 0 37100 2497 7670 7670 18144 i N*> 1.0.128.0/18 105.22.32.1 0 0 37100 2914 38040 9737 i N* 105.22.40.1 0 0 37100 2914 38040 9737 i N*> 1.0.128.0/17 105.22.32.1 0 0 37100 2914 38040 9737 i N* 105.22.40.1 0 0 37100 2914 38040 9737 i N* 1.0.129.0/24 105.22.32.1 0 0 37100 4651 9737 23969 i N*> 105.22.40.1 0 0 37100 4651 9737 23969 i N* 1.0.130.0/24 105.22.32.1 0 0 37100 4651 9737 23969 I <snip> … lg-01-jnb.za#
- 17. COMMERCIAL–IN-CO NFI DENCE Verifying(… IOS & IOS XE example) lg-01-jnb.za#sh bgp ipv6 unicast BGP table version is 22720683, local router ID is 105.22.40.2 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, x best-external, a additional-path, c RIB-compressed, Origin codes: i - IGP, e - EGP, ? - incomplete RPKI validation codes: V valid, I invalid, N Not found Network Next Hop Metric LocPrf Weight Path N* 2001::/32 2C0F:FEB0:B:2::1 0 0 37100 6939 i N*> 2C0F:FEB0:B:3::1 0 0 37100 6939 i N*> 2001:4:112::/48 2C0F:FEB0:B:3::1 0 0 37100 112 i N* 2C0F:FEB0:B:2::1 0 0 37100 112 i N*> 2001:200::/32 2C0F:FEB0:B:3::1 0 0 37100 2914 2500 i N* 2C0F:FEB0:B:2::1 0 0 37100 2914 2500 i N* 2001:200:900::/40 2C0F:FEB0:B:2::1 0 0 37100 6939 2516 7660 i N*> 2C0F:FEB0:B:3::1 0 0 37100 6939 2516 7660 i <snip> … lg-01-jnb.za#
- 18. COMMERCIAL–IN-CO NFI DENCE Verifying(… pretty GUI’s,HE example)
- 19. COMMERCIAL–IN-CO NFI DENCE Verifying(… pretty GUI’s,HE example)
- 20. COMMERCIAL–IN-CO NFI DENCE Issues – Bad IOS XE Bug!
- 21. COMMERCIAL–IN-CO NFI DENCE Issues – Bad IOS XE Bug!
- 22. COMMERCIAL–IN-CO NFI DENCE Issues – IOS & IOS XE RFC 6811 Violation!
- 23. COMMERCIAL–IN-CO NFI DENCE Issues – IOS & IOS XE RFC 6811 Violation!
- 24. COMMERCIAL–IN-CO NFI DENCE MyNOG-6 • For MyNOG-6, will report on CA services for downstream customers.
- 25. COMMERCIAL–IN-CO NFI DENCE Thank You Q&A mark.tinka@seacom.mu 25