BGP RPKI Cache Servers¶
Resource Public Key Infrastructure (RPKI) is a means by which TNSR can perform Prefix Origin Validation (POV), checking that the origin AS of a prefix received over BGP is authorized to announce that prefix.
This validation is not performed by TNSR or other routers directly, but by trusted cache servers which hold the validated information and serve it to routers.
The exchange with a cache server happens over a plain TCP connection by default, but TNSR can protect it by running the session over SSH.
Configuring RPKI¶
To configure RPKI, use the rpki command from config-frr-bgp mode to enter config-rpki mode.
tnsr(config-frr-bgp)# rpki
tnsr(config-rpki)#
In config-rpki mode the following commands are available:
- cache (ssh|tcp) <host> port <port-val>:
  Create a new cache server entry using either SSH or TCP to a given host and port. This command enters config-rpki-ssh or config-rpki-tcp mode.
  - (ssh|tcp):
    The protocol to use when communicating with the cache server, either tcp or ssh. TCP is simple but unauthenticated and unencrypted. SSH is encrypted and authenticates the server, but requires more complex configuration.
  - <host>:
    The IPv4 address or hostname of the remote cache server.
  - <port-val>:
    The TCP port on which the cache server accepts client connections.
- expire-interval <interval>:
  The amount of time, in seconds, after which TNSR considers cached information no longer valid and expires it from the cache. May be overridden by values sent from the server.
  The default interval is 7200 seconds.
- polling-period <period>:
  The amount of time, in seconds, TNSR waits before requesting updated data from the cache server. May be overridden by values sent from the server.
  The default period is 3600 seconds.
- retry-interval <interval>:
  The amount of time, in seconds, TNSR waits between connection attempts to the cache server if a request fails. May be overridden by values sent from the server.
  The default interval is 600 seconds.
RPKI Timer Behavior¶
The timer behavior depends upon the RPKI protocol version used by the server.
- Protocol Version 0:
The RPKI client on TNSR will use the timer values as configured.
- Protocol Version 1:
The server sends its own timer values at the end of its data messages, and the client must use those values.
The timer values configured on the client are only used until the client connects to the RPKI server and receives the values sent by the server.
Configuring RPKI Cache Servers¶
When configuring a cache server, both config-rpki-ssh and config-rpki-tcp modes have the following command:
- preference <pref>:
A preference value TNSR can use to choose between RPKI cache information from multiple servers.
In addition, config-rpki-ssh mode has the following commands:
- private-key <key-ref>:
A PKI SSH key entry containing the private SSH key TNSR will use to connect to the cache server.
- server-public-key <key-ref>:
A PKI SSH key entry containing the public SSH key TNSR will use to validate the remote cache server, similar to an SSH “known hosts” entry.
- source <ip4addr>:
A local IPv4 address on this router which TNSR will use when connecting to the remote cache server.
- user-name <name>:
The user name TNSR will use when connecting to the remote cache server.
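The following session ties together the config-rpki commands and the per-cache commands above into one complete cache server configuration. It is an added example, not a transcript from the TNSR documentation. Assumed values: the route dynamic bgp command to reach config-frr-bgp mode (taken from TNSR's BGP configuration), the hostnames and addresses rpki-cache.example.net, 192.0.2.10 and 198.51.100.2, TCP port 323 (the IANA-assigned rpki-rtr port; an operator's cache may listen elsewhere), the SSH user name rtr, PKI SSH key entries named rtr-client-key and rtr-cache-hostkey which must already exist, and arbitrary preference values. The timers are deliberately set to non-default values to show where they are entered.

```text
tnsr(config)# route dynamic bgp
tnsr(config-frr-bgp)# rpki
tnsr(config-rpki)# polling-period 1800
tnsr(config-rpki)# retry-interval 300
tnsr(config-rpki)# expire-interval 7200
tnsr(config-rpki)# cache ssh rpki-cache.example.net port 323
tnsr(config-rpki-ssh)# preference 1
tnsr(config-rpki-ssh)# user-name rtr
tnsr(config-rpki-ssh)# private-key rtr-client-key
tnsr(config-rpki-ssh)# server-public-key rtr-cache-hostkey
tnsr(config-rpki-ssh)# source 198.51.100.2
tnsr(config-rpki-ssh)# exit
tnsr(config-rpki)# cache tcp 192.0.2.10 port 323
tnsr(config-rpki-tcp)# preference 2
tnsr(config-rpki-tcp)# exit
tnsr(config-rpki)# exit
tnsr(config-frr-bgp)#
```

The SSH entry is the one to use across any network segment that is not fully trusted: server-public-key pins the cache's host key, so a host that impersonates the cache cannot feed TNSR a false set of validated prefixes, and private-key authenticates TNSR to the cache. The TCP entry carries no such protection and is only appropriate where the cache is on a trusted local segment. Note that the three timer values are only guaranteed to take effect against a protocol version 0 cache; a version 1 cache replaces them with its own values once the first data exchange completes.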
Acting on RPKI Information¶
The configuration thus far enables TNSR to query an RPKI validation cache server, but acting on the RPKI status information requires additional work.
The match rpki statement in Route Map Matching Criteria enables conditional behavior based on the RPKI validation status of routes received from a peer.
For example, a route map similar to the following, when used in a statement supporting route maps, would deny routes from peers which failed RPKI validation:
tnsr(config)# route dynamic route-map DENY-NO-RPKI
tnsr(config-route-map)# sequence 10
tnsr(config-route-map-rule)# policy deny
tnsr(config-route-map-rule)# match rpki invalid
tnsr(config-route-map-rule)# exit
tnsr(config-route-map)# exit
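Because a route map ends in an implicit deny, a map containing only the deny rule above would also drop routes that validated or that have no matching ROA when applied on its own. The following added example (not from the TNSR documentation) extends the route map to deny invalid routes while explicitly permitting valid and notfound ones, and then applies it inbound on a neighbor. The match rpki values valid and notfound are the same keywords FRR accepts; the neighbor address 203.0.113.1, the AS number 64496, and the neighbor-mode route-map <name> in syntax are assumptions to be checked against TNSR's BGP neighbor documentation.

```text
tnsr(config)# route dynamic route-map RPKI-POLICY
tnsr(config-route-map)# sequence 10
tnsr(config-route-map-rule)# policy deny
tnsr(config-route-map-rule)# match rpki invalid
tnsr(config-route-map-rule)# exit
tnsr(config-route-map)# sequence 20
tnsr(config-route-map-rule)# policy permit
tnsr(config-route-map-rule)# match rpki valid
tnsr(config-route-map-rule)# exit
tnsr(config-route-map)# sequence 30
tnsr(config-route-map-rule)# policy permit
tnsr(config-route-map-rule)# match rpki notfound
tnsr(config-route-map-rule)# exit
tnsr(config-route-map)# exit
tnsr(config)# route dynamic bgp
tnsr(config-frr-bgp)# neighbor 203.0.113.1
tnsr(config-frr-bgp-neighbor)# remote-as 64496
tnsr(config-frr-bgp-neighbor)# route-map RPKI-POLICY in
tnsr(config-frr-bgp-neighbor)# exit
tnsr(config-frr-bgp)# exit
```

Permitting notfound is the usual choice: a large share of prefixes on the Internet have no ROA at all, so a policy that only permits valid routes would discard reachability rather than only the misoriginated prefixes that POV is meant to catch. Sequence ordering matters; the invalid check sits first so that nothing later in the map can accidentally admit a failed route.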
See also
See Dynamic Routing Route Maps for information on working with route maps in general.
See the entry for match rpki in Route Map Matching Criteria for information on matching RPKI status information.