author | Marek Isalski <github.com@maz.nu> | 2020-02-24 07:15:42 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-02-24 08:15:42 +0100 |
commit | 7d47e8c0c1fb5c13797f33c4d3ffb46765bf545b (patch) | |
tree | ccd1707f4541ebd737d2a2152bd4bae75246a32a /docs/routing/rpki.rst | |
parent | cf8ac48b88f43061c59cf35ad58b7aafbac1e7eb (diff) | |
download | vyos-documentation-7d47e8c0c1fb5c13797f33c4d3ffb46765bf545b.tar.gz vyos-documentation-7d47e8c0c1fb5c13797f33c4d3ffb46765bf545b.zip |
rpki: add links to further guidance
Diffstat (limited to 'docs/routing/rpki.rst')
-rw-r--r-- | docs/routing/rpki.rst | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/docs/routing/rpki.rst b/docs/routing/rpki.rst index 47ca63f1..9813b1b6 100644 --- a/docs/routing/rpki.rst +++ b/docs/routing/rpki.rst @@ -4,6 +4,13 @@ RPKI #### +.. pull-quote:: + + There are two types of Network Admins who deal with BGP, those who have + created an international incident and/or outage, and those who are lying + + -- `tweet by EvilMog`_, 2020-02-21 + :abbr:`RPKI (Resource Public Key Infrastructure)` is a framework :abbr:`PKI (Public Key Infrastructure)` designed to secure the Internet routing infrastructure. It associates BGP route announcements with the correct @@ -19,6 +26,14 @@ open source implementations to choose from, such as NLNetLabs' Routinator_ RIPE NCC's RPKI Validator_ (written in Java). The RTR protocol is described in :rfc:`8210`. +.. tip:: + If you are new to these routing security technologies then there is an + `excellent guide to RPKI`_ by NLnet Labs which will get you up to speed + very quickly. Their documentation explains everything from what RPKI is to + deploying it in production (albeit with a focus on using NLnet Labs' + tools). It also has some `help and operational guidance`_ including + "What can I do about my route having an Invalid state?" + First you will need to deploy an RPKI validator for your routers to use. The RIPE NCC helpfully provide `some instructions`_ to get you started with several different options. Once your server is running you can start 
@@ -81,10 +96,11 @@ filter we reject prefixes with the state `invalid`, and set a higher set policy route-map ROUTES-IN rule 30 action 'deny' set policy route-map ROUTES-IN rule 30 match rpki 'invalid' -Once your routers are configured to reject RPKI-invalid prefixes, test -whether the configuration is working correctly using the `RIPE Labs RPKI +Once your routers are configured to reject RPKI-invalid prefixes, you can +test whether the configuration is working correctly using the `RIPE Labs RPKI Test`_ experimental tool. +.. _tweet by EvilMog: https://twitter.com/Evil_Mog/status/1230924170508169216 .. _Routinator: https://www.nlnetlabs.nl/projects/rpki/routinator/ .. _GoRTR: https://github.com/cloudflare/gortr .. _OctoRPKI: https://github.com/cloudflare/cfrpki#octorpki @@ -93,3 +109,5 @@ Test`_ experimental tool. .. _Krill: https://www.nlnetlabs.nl/projects/rpki/krill/ .. _RPKI analytics: https://www.nlnetlabs.nl/projects/rpki/rpki-analytics/ .. _RIPE Labs RPKI Test: https://sg-pub.ripe.net/jasper/rpki-web-test/ +.. _excellent guide to RPKI: https://rpki.readthedocs.io/ +.. _help and operational guidance: https://rpki.readthedocs.io/en/latest/about/help.html |
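Review bot: The pull-quote added at the top of the page in hunk `@@ -4,6 +4,13 @@` is not covered by the commit subject "rpki: add links to further guidance". It is a humorous quotation rather than guidance, and it now sits ahead of the paragraph that defines RPKI. Suggest splitting it into its own commit, or mentioning it in the commit message and placing it after the introductory paragraph so the page still opens with the definition.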
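Review bot: The tip added in hunk `@@ -19,6 +26,14 @@` writes the organisation as "NLnet Labs", while the existing sentence shown in that hunk's header context writes "NLNetLabs' Routinator_". Suggest normalising the older spelling to "NLnet Labs" in this same change so the page names the project consistently.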
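Review bot: In hunk `@@ -81,10 +96,11 @@` the rewording from "test whether the configuration is working correctly" to "you can test whether ..." turns the verification step into an optional remark. It follows directly after the rule that denies `match rpki 'invalid'`, and confirming that invalid prefixes are really rejected is what tells the operator the filter works. Suggest keeping the imperative form.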
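Review bot: In hunk `@@ -93,3 +109,5 @@` the target for `help and operational guidance` is a deep link under `/en/latest/` (`.../en/latest/about/help.html`), whereas `excellent guide to RPKI` points at the site root. A deep link into the moving `latest` tree breaks when the upstream docs are reorganised. Suggest linking to the root for both, or making sure a link check covers this page.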