vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-11-04 00:02:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1376 from vyos/mergify/bp/equuleus/pr-1353

Browse Source 
Refresh RPKI Document (backport #1353)
This commit is contained in:
Robert Göhler 2024-04-09 21:28:04 +02:00 committed by GitHub
commit 944bd1d4ad
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 23 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
docs/configuration/protocols/rpki.rst
View File

@ -11,20 +11,19 @@ RPKI
-- `tweet by EvilMog`_, 2020-02-21
:abbr:`RPKI (Resource Public Key Infrastructure)` is a framework :abbr:`PKI
(Public Key Infrastructure)` designed to secure the Internet routing
infrastructure. It associates BGP route announcements with the correct
originating :abbr:`ASN (Autonomus System Number)` which BGP routers can then
use to check each route against the corresponding :abbr:`ROA (Route Origin
Authorisation)` for validity. RPKI is described in :rfc:`6480`.
:abbr:`RPKI (Resource Public Key Infrastructure)` is a framework designed to
secure the Internet routing infrastructure. It associates BGP route
announcements with the correct originating :abbr:`ASN (Autonomus System
Number)` which BGP routers can then use to check each route against the
corresponding :abbr:`ROA (Route Origin Authorisation)` for validity. RPKI is
described in :rfc:`6480`.
A BGP-speaking router like VyOS can retrieve ROA information from RPKI
"Relying Party software" (often just called an "RPKI server" or "RPKI
validator") by using :abbr:`RTR (RPKI to Router)` protocol. There are several
open source implementations to choose from, such as NLNetLabs' Routinator_
(written in Rust), Cloudflare's GoRTR_ and OctoRPKI_ (written in Go), and
RIPE NCC's RPKI Validator_ (written in Java). The RTR protocol is described
in :rfc:`8210`.
(written in Rust), OpenBSD's rpki-client_ (written in C), and StayRTR_ (written
in Go). The RTR protocol is described in :rfc:`8210`.
.. tip::
If you are new to these routing security technologies then there is an
@ -38,10 +37,9 @@ in :rfc:`8210`.
Getting started
***************
First you will need to deploy an RPKI validator for your routers to use. The
RIPE NCC helpfully provide `some instructions`_ to get you started with
several different options. Once your server is running you can start
validating announcements.
First you will need to deploy an RPKI validator for your routers to use. NLnet
Labs provides a collection of software_ you can compare and settle on one.
Once your server is running you can start validating announcements.
Imported prefixes during the validation may have values:
@ -56,16 +54,16 @@ Imported prefixes during the validation may have values:
untrustworthy route announcements.
notfound
No ROA exists which covers that prefix. Unfortunately this is the case
for about 80% of the IPv4 prefixes which were announced to the :abbr:`DFZ
(default-free zone)` at the start of 2020
No ROA exists which covers that prefix. Unfortunately this is the case for
about 40%-50% of the prefixes which were announced to the :abbr:`DFZ
(default-free zone)` at the start of 2024.
.. note::
If you are responsible for the global addresses assigned to your
network, please make sure that your prefixes have ROAs associated with them
to avoid being `notfound` by RPKI. For most ASNs this will involve
publishing ROAs via your :abbr:`RIR (Regional Internet Registry)` (RIPE
NCC, APNIC, ARIN, LACNIC or AFRINIC), and is something you are encouraged
NCC, APNIC, ARIN, LACNIC, or AFRINIC), and is something you are encouraged
to do whenever you plan to announce addresses into the DFZ.
Particularly large networks may wish to run their own RPKI certificate
@ -181,20 +179,21 @@ filter we reject prefixes with the state `invalid`, and set a higher
set policy route-map ROUTES-IN rule 30 match rpki 'invalid'
Once your routers are configured to reject RPKI-invalid prefixes, you can
test whether the configuration is working correctly using the `RIPE Labs RPKI
Test`_ experimental tool.
test whether the configuration is working correctly using Cloudflare's test_
website. Keep in mind that in order for this to work, you need to have no
default routes or anything else that would still send traffic to RPKI-invalid
destinations.
.. stop_vyoslinter
.. _tweet by EvilMog: https://twitter.com/Evil_Mog/status/1230924170508169216
.. _Routinator: https://www.nlnetlabs.nl/projects/rpki/routinator/
.. _GoRTR: https://github.com/cloudflare/gortr
.. _OctoRPKI: https://github.com/cloudflare/cfrpki#octorpki
.. _Validator: https://www.ripe.net/manage-ips-and-asns/resource-management/rpki/tools-and-resources
.. _some instructions: https://labs.ripe.net/Members/tashi_phuntsho_3/how-to-install-an-rpki-validator
.. _Krill: https://www.nlnetlabs.nl/projects/rpki/krill/
.. _RIPE Labs RPKI Test: https://sg-pub.ripe.net/jasper/rpki-web-test/
.. _excellent guide to RPKI: https://rpki.readthedocs.io/
.. _help and operational guidance: https://rpki.readthedocs.io/en/latest/about/help.html
.. _rpki-client: https://www.rpki-client.org/
.. _StayRTR: https://github.com/bgp/stayrtr/
.. _software: https://rpki.readthedocs.io/en/latest/ops/tools.html#relying-party-software
.. _test: https://isbgpsafeyet.com/
.. start_vyoslinter