author: Christian Poessinger <christian@poessinger.com> 2021-01-29 11:18:40 +0100
committer: Christian Poessinger <christian@poessinger.com> 2021-01-29 11:18:40 +0100
commit: 83c82dee8b5b156a99236ce0eb10f8403784c13a (patch)
tree: 14118297bf27230bf59cc781fed191bdf6a604a1
parent: d0ad9cf4a02cee44671fe6eaea2c5c5e025177b5 (diff)
rpki: update to reflect changes in the current branch
-rw-r--r-- docs/configuration/protocols/rpki.rst | 89
1 files changed, 87 insertions, 2 deletions
diff --git a/docs/configuration/protocols/rpki.rst b/docs/configuration/protocols/rpki.rst
index c3ff442b..d9884296 100644
--- a/docs/configuration/protocols/rpki.rst
+++ b/docs/configuration/protocols/rpki.rst
@@ -34,6 +34,10 @@ in :rfc:`8210`.
tools). It also has some `help and operational guidance`_ including
"What can I do about my route having an Invalid state?"
+***************
+Getting started
+***************
+
First you will need to deploy an RPKI validator for your routers to use. The
RIPE NCC helpfully provide `some instructions`_ to get you started with
several different options. Once your server is running you can start
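Review bot: the new top-level `Getting started` heading lands directly in front of the deployment paragraph (`First you will need to deploy an RPKI validator ...`), while the overview of what the implementation actually does is added further down under `Features of the Current Implementation` with an `===` underline, making it a subsection of this heading; readers therefore get the "deploy a validator" step before they are told what RPKI does in VyOS. Consider moving the feature overview ahead of this heading, or giving it its own `***` section, so the document reads overview first, then getting started.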
@@ -71,14 +75,95 @@ Imported prefixes during the validation may have values:
reading about Krill_ if this is a rabbit hole you need or especially want
to dive down.
+Features of the Current Implementation
+======================================
+
+In a nutshell, the current implementation provides the following features:
+
+* The BGP router can connect to one or more RPKI cache servers to receive
+ validated prefix to origin AS mappings. Advanced failover can be implemented
+ by server sockets with different preference values.
+
+* If no connection to an RPKI cache server can be established after a
+ pre-defined timeout, the router will process routes without prefix origin
+ validation. It still will try to establish a connection to an RPKI cache
+ server in the background.
+
+* By default, enabling RPKI does not change best path selection. In particular,
+ invalid prefixes will still be considered during best path selection. However,
+ the router can be configured to ignore all invalid prefixes.
+
+* Route maps can be configured to match a specific RPKI validation state. This
+ allows the creation of local policies, which handle BGP routes based on the
+ outcome of the Prefix Origin Validation.
+
+* Updates from the RPKI cache servers are directly applied and path selection is
+ updated accordingly. (Soft reconfiguration must be enabled for this to work).
+
+*************
+Configuration
+*************
+
+.. cfgcmd:: protocols rpki polling-period <1-86400>
+
+ Define the time interval to update the local cache
+
+ The default value is 300 seconds.
+
+.. cfgcmd:: protocols rpki cache <address> port <port>
+
+ Defined the IPv4, IPv6 or FQDN and port number of the caching RPKI caching
+ instance which is used.
+
+ This is a mandatory setting.
+
+.. cfgcmd:: protocols rpki cache <address> preference <preference>
+
+ Multiple RPKI caching instances can be supplied and they need a preference in
+ which their result sets are used.
+
+ This is a mandatory setting.
+
+SSH
+===
+
+Connections to the RPKI caching server can not only be established by HTTP/TLS
+but you can also rely on a secure SSH session to the server. To enable SSH you
+first need to create yoursels an SSH client keypair using ``generate ssh
+client-key /config/auth/id_rsa_rpki``. Once your key is created you can setup
+the connection.
+
+.. cfgcmd:: protocols rpki cache <address> ssh username <user>
+
+ SSH username to establish an SSH connection to the cache server.
+
+.. cfgcmd:: protocols rpki cache <address> ssh known-hosts-file <filepath>
+
+ Local path that includes the known hosts file.
+
+.. cfgcmd:: protocols rpki cache <address> ssh private-key-file <filepath>
+
+ Local path that includes the private key file of the router.
+
+.. cfgcmd:: protocols rpki cache <address> ssh public-key-file <filepath
+
+ Local path that includes the public key file of the router.
+
+.. note:: When using SSH, known-hosts-file, private-key-file and public-key-file
+ are mandatory options.
+
+*******
+Example
+*******
+
We can build route-maps for import based on these states. Here is a simple
RPKI configuration, where `routinator` is the RPKI-validating "cache"
server with ip `192.0.2.1`:
.. code-block:: none
- set protocols rpki cache routinator address '192.0.2.1'
- set protocols rpki cache routinator port '3323'
+ set protocols rpki cache 192.0.2.1 port '3323'
+ set protocols rpki cache 192.0.2.1 preference '1'
Here is an example route-map to apply to routes learned at import. In this
filter we reject prefixes with the state `invalid`, and set a higher
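Review bot: three text defects in the new `Configuration` and `SSH` blocks need fixing before merge: `protocols rpki cache <address> ssh public-key-file <filepath` is missing the closing `>`, the `port` command description reads `Defined the IPv4, IPv6 or FQDN and port number of the caching RPKI caching instance` (should be `Define`, and `caching` is duplicated), and `create yoursels an SSH client keypair` has a typo. The transport claim in the SSH paragraph (`can not only be established by HTTP/TLS`) does not match the example, which opens a plain TCP RTR session on port 3323; RFC 8210, which the page already cites, defines RTR over TCP with SSH or TLS as the protected transports, so `plain TCP` is the accurate wording. The note on mandatory SSH options would also be more useful if it said why `known-hosts-file` matters: it is what pins the cache server's host key, so the router actually authenticates the validator it takes ROA data from, whereas the plain TCP example gives no such authentication of the cache.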