BGP RPKI Cache Servers¶

Resource Public Key Infrastructure (RPKI) is a means by which TNSR can enact Prefix Origin Validation (POV) to ensure that it is talking to the correct origin for a given AS.

This validation is not performed by TNSR or other routers directly, but by trusted servers which cache the information.

Note

For more details, see RFC 6810 for the protocol and RFC 6811 for validation.

RPKI happens over a plain TCP connection but TNSR can protect this by performing the validation over SSH.

Configuring RPKI¶

To configure RPKI, use the rpki command from config-frr-bgp mode to enter config-rpki mode.

tnsr(config-frr-bgp)# rpki
tnsr(config-rpki)#

In config-rpki mode the following commands are available:

cache (ssh|tcp) <host> port <port-val>

Create a new cache server entry using either SSH or TCP to a given host and port. This command enters config-rpki-ssh or config-rpki-tcp mode.

(ssh|tcp): The protocol to use when communicating with the cache server, either tcp or ssh. TCP is simple but insecure. SSH is encrypted and secure but requires more complex configuration.
<host>: The IPv4 address or hostname of the remote cache server.
<port-val>: The TCP port used by the cache server for accepting client connections.

expire-interval <interval>

The amount of time, in seconds, after which TNSR will consider cached information invalid and expires it from the cache. May be overridden by values sent from the server.

The default interval is 7200 seconds.

polling-period <period>

The amount of time, in seconds, TNSR waits until it attempts to request updated data from the cache server. May be overridden by values sent from the server.

The default period is 300 seconds.

retry-interval <interval>

The amount of time, in seconds, TNSR waits between connection attempts to the cache server if a request fails. May be overridden by values sent from the server.

The default period is 600 seconds.

RPKI Timer Behavior¶

The timer behavior depends upon the RPKI protocol version used by the server.

Protocol Version 0

The RPKI client on TNSR will use the timer values as configured.

Protocol Version 1

The server sends its own timer values that the client must use at the end of its data messages.

The timer values configured on the client are only used until the client makes a connection to the RPKI server and receives the values sent from the server.

Configuring RPKI Cache Servers¶

When configuring a cache server, both config-rpki-ssh or config-rpki-tcp mode have the following command:

preference <pref>: A preference value TNSR can use to choose between RPKI cache information from multiple servers.

Additionally, config-rpki-ssh mode has more configuration commands:

private-key <key-ref>: A PKI SSH key entry containing the private SSH key TNSR will use to connect to the cache server.
server-public-key <key-ref>: A PKI SSH key entry containing the public SSH key TNSR will use to validate the remote cache server, similar to an SSH “known hosts” entry.
source <ip4addr>: A local IPv4 address on this router which TNSR will use when connecting to the remote cache server.
user-name <name>: The user name TNSR will use when connecting to the remote cache server.

Acting on RPKI Information¶

The configuration thus far enables TNSR to query an RPKI validation cache server but acting on the RPKI status information requires additional work.

The match rpki statement in Route Map Matching Criteria enables the formation of conditional behavior based on the status of RPKI validation for a peer.

For example, a route map similar to the following, when used in a statement supporting route maps, would deny routes from peers which failed RPKI validation:

tnsr(config)# route dynamic route-map DENY-NO-RPKI
tnsr(config-route-map)# sequence 10
tnsr(config-route-map-rule)# policy deny
tnsr(config-route-map-rule)# match rpki invalid
tnsr(config-route-map-rule)# exit
tnsr(config-route-map)# exit