BGP RPKI Cache Servers

Resource Public Key Infrastructure (RPKI) is a means by which FRR can enact Prefix Origin Validation (POV) to ensure that the routes it accepts come from the correct origin AS for a given prefix.

This validation is not performed by FRR or other routers directly, but by trusted servers which cache the information.


For more details, see RFC 6810 for the protocol and RFC 6811 for validation.

RPKI communication happens over a plain TCP connection, but FRR can protect this by performing the validation over SSH.

Route maps can be used to filter routes based on a validated origin.
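How the three RFC 6811 validation outcomes (valid, invalid, not found) that a route filter acts on are derived from cache data, as an added example that is not part of the original page or FRR's own code. The VRP entries, prefixes and AS numbers are constructed from documentation ranges, and the names VRP, SAMPLE_VRPS and validate_origin are hypothetical.

```python
import ipaddress
from typing import NamedTuple, Optional


class VRP(NamedTuple):
    """Validated ROA Payload: one (prefix, max length, origin AS) entry from a cache."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample data (documentation prefixes, documentation/reserved ASNs).
SAMPLE_VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("198.51.100.0/24", 25, 64497),
    VRP("2001:db8::/32", 48, 64498),
    VRP("203.0.113.0/24", 24, 0),  # AS 0: holder states the prefix should not be routed
]


def validate_origin(route: str, origin_asn: Optional[int], vrps) -> str:
    """Return 'valid', 'invalid' or 'notfound' per RFC 6811.

    origin_asn is None when the AS_PATH ends in an AS_SET (no single origin AS).
    """
    net = ipaddress.ip_network(route)
    covered = False
    for vrp in vrps:
        vrp_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route only if the route is equal to or more specific than it.
        if vrp_net.version != net.version or not net.subnet_of(vrp_net):
            continue
        covered = True
        # A match needs the same origin AS and a route length within max_length.
        # AS 0 and a missing origin can never match.
        if (origin_asn is not None and vrp.asn != 0
                and vrp.asn == origin_asn
                and net.prefixlen <= vrp.max_length):
            return "valid"
    # Covered but unmatched is invalid; no covering VRP at all is notfound.
    return "invalid" if covered else "notfound"


if __name__ == "__main__":
    for route, asn in [("192.0.2.0/24", 64496), ("192.0.2.128/25", 64496),
                       ("192.0.2.0/24", 64511), ("10.0.0.0/8", 64496)]:
        print(f"{route} from AS{asn}: {validate_origin(route, asn, SAMPLE_VRPS)}")
```

A more specific announcement than the max length allows is invalid even from the correct AS, which is why a sub-prefix hijack of a covered prefix does not validate.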

RPKI Cache Servers are managed at Services > FRR BGP on the RPKI Cache Servers tab.

RPKI Cache Server Configuration

The RPKI Cache Servers tab contains a list of current RPKI Cache Servers, if any, and controls to manage the entries (e.g. edit, delete). The Add button creates a new RPKI Cache Server.

When creating or editing an RPKI Cache Server, the following options are available:


Required. The IP Address or hostname of the RPKI Cache Server, and the Port number upon which the service is listening.


Required. A preference value FRR can use to decide between multiple RPKI Cache Servers.

SSH Options:

The best practice is to encrypt communication with the RPKI Cache Server using SSH. The remaining options set up an SSH session, and all are optional.


The username to use when connecting to the server via SSH.

Private Key Path:

Full filesystem path to the private key for this router.


The private key must not have a passphrase, as there is no way to securely store and use a passphrase. Protect the private key file appropriately, but it must also be accessible to FRR.

Public Key Path:

Full filesystem path to the public key for this router.

Known hosts Path:

Full filesystem path to a file containing valid public keys for RPKI Cache Servers in SSH known_hosts format.