BGP RPKI Cache Servers
Resource Public Key Infrastructure (RPKI) is the mechanism by which FRR can perform Prefix Origin Validation (POV), checking that a prefix is being announced by its correct origin AS.
FRR and other routers do not perform this validation themselves; trusted validator servers perform it and cache the results, which routers then fetch.
The session between the router and the cache server runs over a plain TCP connection, but FRR can protect it by carrying the session inside SSH.
Route maps can then filter routes based on the validation state of their origin.
RPKI Cache Servers are managed at Services > FRR BGP on the RPKI Cache Servers tab.
RPKI Cache Server Configuration
The RPKI Cache Servers tab contains a list of current RPKI Cache Servers, if any, and controls to manage the entries (e.g. edit, delete). The Add button creates a new RPKI Cache Server.
When creating or editing an RPKI Cache Server, the following options are available:
- Address
Required. The IP address or hostname of the RPKI Cache Server, and the port number on which the service is listening.
- Preference
Required. A preference value FRR uses to choose between multiple RPKI Cache Servers.
- SSH Options
The best practice is to encrypt communication with the RPKI Cache Server using SSH. The remaining options set up an SSH session; all are optional.
- Username
The username to use when connecting to the server via SSH.
- Private Key Path
Full filesystem path to the private key for this router.
Warning
The private key must not have a passphrase, as there is no way to securely store and use one. Protect the private key file appropriately, but it must remain readable by FRR.
- Public Key Path
Full filesystem path to the public key for this router.
- Known Hosts Path
Full filesystem path to a file containing the valid public keys of RPKI Cache Servers, in SSH known_hosts format.
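As an added illustration, not text from the pfSense or FRR documentation and not output generated by the GUI, the following shows the kind of FRR `rpki` section and route map the options above correspond to, with an SSH-protected cache beside a plain TCP one. The hostname, ports, AS numbers, neighbor address, key paths and the SSH user `rtr-ssh` are constructed placeholders, and the GUI is assumed to render its settings using FRR's `rpki cache` syntax.

```frr
! Constructed example of an FRR RPKI configuration (not generated by pfSense).
rpki
 ! Plain TCP session to the cache on its listening port.
 ! Only the preference value follows the port.
 rpki cache rpki-cache.example.net 8282 preference 2
 !
 ! The same service carried inside SSH: SSH port, username, private key
 ! (no passphrase), public key, known_hosts file, then the preference.
 ! If the server's host key is missing from known_hosts, FRR cannot
 ! verify the server and the SSH session will not come up.
 rpki cache rpki-cache.example.net 22 rtr-ssh /etc/frr/rpki/id_ed25519 /etc/frr/rpki/id_ed25519.pub /etc/frr/rpki/known_hosts preference 1
exit
!
! Inbound policy built on the validation state delivered by the cache:
! reject announcements whose origin is invalid, accept valid ones with
! a higher local preference, and still accept prefixes with no ROA.
route-map RPKI-IN deny 10
 match rpki invalid
!
route-map RPKI-IN permit 20
 match rpki valid
 set local-preference 200
!
route-map RPKI-IN permit 30
 match rpki notfound
!
router bgp 65000
 neighbor 192.0.2.1 remote-as 65001
 address-family ipv4 unicast
  neighbor 192.0.2.1 route-map RPKI-IN in
 exit-address-family
exit
```

Which of the two caches FRR contacts first is decided by the preference values, which are placeholders here; the route map is shown only to illustrate the `match rpki` states the validated origin exposes.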