BGP RPKI Cache Servers¶
Resource Public Key Infrastructure (RPKI) is the means by which FRR can perform Prefix Origin Validation (POV): checking that the origin AS in a received BGP route is actually authorized, by a Route Origin Authorization (ROA), to announce that prefix.
The cryptographic validation of the ROAs themselves is not done by FRR or by other routers. It is done by relying-party validator software, which publishes the resulting set of validated prefix/origin pairs through a cache server. FRR fetches that data from the cache server using the RPKI-to-Router (RTR) protocol and compares each received route against it, marking the route as valid, invalid, or notfound (no covering ROA).
By default RTR runs over a plain TCP connection, which provides no authentication of the cache server. FRR can instead carry the RTR session over SSH, so that the router verifies the cache server's host key and the server verifies the router's key.
Route maps can then match on the validation state (valid, invalid, notfound) to filter routes or adjust their attributes; the usual policy is to reject routes with an invalid origin and accept the rest.
RPKI Cache Servers are managed at Services > FRR BGP on the RPKI Cache Servers tab.
RPKI Cache Server Configuration¶
The RPKI Cache Servers tab contains a list of current RPKI Cache Servers, if any, and controls to manage the entries (e.g. edit, delete). The Add button creates a new RPKI Cache Server.
When creating or editing an RPKI Cache Server, the following options are available:
- Address:
Required. The IP Address or hostname of the RPKI Cache Server, and the Port number upon which the service is listening. For plain RTR the registered port is 323, though many validators listen on 3323 by default; when connecting over SSH, use the server's SSH port (normally 22).
- Preference:
Required. A preference value (1-255) FRR uses to decide between multiple RPKI Cache Servers. FRR connects to the server with the lowest preference value first and only falls back to the others if that connection fails.
- SSH Options:
The best practice is to encrypt and authenticate communication with the RPKI Cache Server using SSH. The remaining options set up the SSH session. Leave them all blank to connect over plain TCP; to use SSH, fill in the username and key paths together, since FRR needs all of them to open the session.
- Username:
The username to use when connecting to the server via SSH.
- Private Key Path:
Full filesystem path to the private key for this router.
Warning
This key must not have a passphrase, as there is no way to securely store and use a passphrase. Restrict the file's permissions so that only the account FRR runs as can read it, but it must remain accessible to FRR. The matching public key must also be installed in the authorized keys of the SSH user on the RPKI Cache Server.
- Public Key Path:
Full filesystem path to the public key for this router.
- Known hosts Path:
Full filesystem path to a file containing valid public keys for RPKI Cache Servers in SSH known_hosts format.
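The FRR bgpd configuration that corresponds to the fields above, together with a route map of the kind described in the introduction, as an added example. This is not output of the pfSense package nor part of the FRR project documentation; the addresses, hostnames, AS numbers, SSH username, key paths and route-map name are assumptions chosen for illustration, and the `rpki cache` form with a separate public key path is the one matching the Public Key Path option on this page.

```text
! Added example (not generated by the pfSense package). Two cache servers:
! a plain RTR cache that is preferred, and an SSH-protected fallback.
! All addresses, names and paths below are assumptions.
rpki
 rpki polling_period 300
 ! Plain RTR over TCP; the lowest preference value is tried first
 rpki cache 192.0.2.10 3323 preference 1
 ! RTR over SSH: address, port, username, private key, public key,
 ! known_hosts file, then preference
 rpki cache rpki.example.net 22 rtr /var/etc/frr/rpki_key /var/etc/frr/rpki_key.pub /var/etc/frr/rpki_known_hosts preference 2
exit
!
! Reject routes whose origin AS is not authorized by any covering ROA.
! Routes with no covering ROA (notfound) are accepted but de-preferred;
! routes with a valid origin are accepted unchanged.
route-map RPKI-IN deny 10
 match rpki invalid
!
route-map RPKI-IN permit 20
 match rpki notfound
 set local-preference 90
!
route-map RPKI-IN permit 30
 match rpki valid
!
router bgp 65001
 neighbor 203.0.113.1 remote-as 65002
 address-family ipv4 unicast
  neighbor 203.0.113.1 route-map RPKI-IN in
 exit-address-family
!
```

After applying the configuration, `show rpki cache-connection` in vtysh confirms which cache server FRR is connected to, and `show rpki prefix-table` lists the validated prefix/origin pairs it received. Until the cache connection is up the prefix table is empty, so every route is treated as notfound rather than invalid; a route map that denies invalid routes therefore fails open, not closed, which is the intended behaviour but worth confirming before relying on the policy.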