BGP RPKI Cache Servers
Resource Public Key Infrastructure (RPKI) is a means by which TNSR can enact Prefix Origin Validation (POV), checking that a received prefix is being announced by the AS authorized to originate it.
This validation is not performed by TNSR or other routers directly, but by trusted servers which cache the information.
Communication with the cache server normally happens over a plain TCP connection, but TNSR can protect it by carrying the validation session over SSH.
To configure RPKI, use the rpki command from config-frr-bgp mode to enter config-rpki mode:
tnsr(config-frr-bgp)# rpki
tnsr(config-rpki)#
In config-rpki mode the following commands are available:
- cache (ssh|tcp) <host> port <port-val>
Create a new cache server entry using either SSH or TCP to a given host and port. This command enters a protocol-specific configuration mode for the new entry (config-rpki-ssh when ssh is chosen).
(ssh|tcp): The protocol to use when communicating with the cache server, either tcp or ssh. TCP is simple but insecure. SSH is encrypted and secure but requires more complex configuration.
<host>: The IPv4 address or hostname of the remote cache server.
<port-val>: The TCP port on which the cache server accepts client connections.
- expire-interval <interval>
The amount of time, in seconds, after which TNSR will consider cached information invalid and expire it from the cache. May be overridden by values sent from the server.
The default interval is
- polling-period <period>
The amount of time, in seconds, TNSR waits until it attempts to request updated data from the cache server. May be overridden by values sent from the server.
The default period is
- retry-interval <interval>
The amount of time, in seconds, TNSR waits between connection attempts to the cache server if a request fails. May be overridden by values sent from the server.
The default interval is
RPKI Timer Behavior
The timer behavior depends upon the RPKI protocol version used by the server.
- Protocol Version 0
The RPKI client on TNSR will use the timer values as configured.
- Protocol Version 1
At the end of its data messages, the server sends its own timer values, which the client must use.
The timer values configured on the client are only used until the client makes a connection to the RPKI server and receives the values sent from the server.
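The version-dependent timer selection described above, as an added illustration that is not part of the TNSR documentation or its code. It assumes the RPKI-to-Router End of Data PDU layouts of RFC 6810 (version 0) and RFC 8210 (version 1), maps polling-period, retry-interval and expire-interval onto the protocol's refresh, retry and expire fields, and builds its own sample PDUs rather than reading them from a real cache.

```python
import struct
from dataclasses import dataclass
from typing import Optional

END_OF_DATA = 7  # RTR PDU type "End of Data" (RFC 6810 / RFC 8210)

@dataclass(frozen=True)
class RpkiTimers:
    """Timer set in seconds, named after the TNSR config-rpki commands."""
    polling_period: int   # RTR "Refresh Interval"
    retry_interval: int   # RTR "Retry Interval"
    expire_interval: int  # RTR "Expire Interval"

# Sanity bounds for server-supplied timers, taken from RFC 8210 section 6.
TIMER_BOUNDS = {
    "polling_period": (1, 86400),
    "retry_interval": (1, 7200),
    "expire_interval": (600, 172800),
}

def effective_timers(configured: RpkiTimers, pdu: bytes) -> RpkiTimers:
    """Return the timers the client runs after receiving an End of Data PDU.

    Version 0 servers carry no timers, so the configured values stay in force.
    Version 1 servers send their own values, which override the configuration.
    """
    if len(pdu) < 12:
        raise ValueError("PDU shorter than the common RTR header plus serial")
    version, pdu_type, _session, length = struct.unpack("!BBHI", pdu[:8])
    if pdu_type != END_OF_DATA or length != len(pdu):
        raise ValueError("not a well-formed End of Data PDU")
    if version == 0:
        if length != 12:
            raise ValueError("version 0 End of Data must be 12 bytes")
        return configured
    if version == 1:
        if length != 24:
            raise ValueError("version 1 End of Data must be 24 bytes")
        _serial, refresh, retry, expire = struct.unpack("!IIII", pdu[8:24])
        server = RpkiTimers(refresh, retry, expire)
        # A buggy or hostile cache must not be able to push absurd timers.
        for name, (lo, hi) in TIMER_BOUNDS.items():
            value = getattr(server, name)
            if not lo <= value <= hi:
                raise ValueError(f"server {name}={value}s outside RFC 8210 range")
        return server
    raise ValueError(f"unsupported RTR protocol version {version}")

def build_end_of_data(version: int, serial: int, timers: Optional[RpkiTimers] = None) -> bytes:
    """Construct a sample End of Data PDU (constructed test data, session id 0x1234)."""
    if version == 0:
        return struct.pack("!BBHII", 0, END_OF_DATA, 0x1234, 12, serial)
    assert timers is not None, "version 1 End of Data carries timers"
    return struct.pack("!BBHIIIII", 1, END_OF_DATA, 0x1234, 24, serial,
                       timers.polling_period, timers.retry_interval, timers.expire_interval)
```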
Configuring RPKI Cache Servers
When configuring a cache server, both the SSH and the TCP cache server configuration modes have the following command:
- preference <pref>
A preference value TNSR can use to choose between RPKI cache information from multiple servers.
The config-rpki-ssh mode has additional configuration commands:
- private-key <key-ref>
A PKI SSH key entry containing the private SSH key TNSR will use to connect to the cache server.
- server-public-key <key-ref>
A PKI SSH key entry containing the public SSH key TNSR will use to validate the remote cache server, similar to an SSH “known hosts” entry.
- source <ip4addr>
A local IPv4 address on this router which TNSR will use when connecting to the remote cache server.
- user-name <name>
The user name TNSR will use when connecting to the remote cache server.
Acting on RPKI Information
The configuration thus far enables TNSR to query an RPKI validation cache server, but acting on the RPKI status information requires additional work.
The match rpki statement in Route Map Matching Criteria enables conditional behavior based on the RPKI validation status of routes received from a peer.
For example, a route map similar to the following, when used in a statement supporting route maps, would deny routes from peers which failed RPKI validation:
tnsr(config)# route dynamic route-map DENY-NO-RPKI
tnsr(config-route-map)# sequence 10
tnsr(config-route-map-rule)# policy deny
tnsr(config-route-map-rule)# match rpki invalid
tnsr(config-route-map-rule)# exit
tnsr(config-route-map)# exit