summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorMarek Isalski <github.com@maz.nu>2020-02-24 07:15:42 +0000
committerGitHub <noreply@github.com>2020-02-24 08:15:42 +0100
commit7d47e8c0c1fb5c13797f33c4d3ffb46765bf545b (patch)
treeccd1707f4541ebd737d2a2152bd4bae75246a32a /docs
parentcf8ac48b88f43061c59cf35ad58b7aafbac1e7eb (diff)
downloadvyos-documentation-7d47e8c0c1fb5c13797f33c4d3ffb46765bf545b.tar.gz
vyos-documentation-7d47e8c0c1fb5c13797f33c4d3ffb46765bf545b.zip
rpki: add links to further guidance
Diffstat (limited to 'docs')
-rw-r--r--docs/routing/rpki.rst22
1 files changed, 20 insertions, 2 deletions
diff --git a/docs/routing/rpki.rst b/docs/routing/rpki.rst
index 47ca63f1..9813b1b6 100644
--- a/docs/routing/rpki.rst
+++ b/docs/routing/rpki.rst
@@ -4,6 +4,13 @@
RPKI
####
+.. pull-quote::
+
+ There are two types of Network Admins who deal with BGP, those who have
+ created an international incident and/or outage, and those who are lying
+
+ -- `tweet by EvilMog`_, 2020-02-21
+
:abbr:`RPKI (Resource Public Key Infrastructure)` is a framework :abbr:`PKI
(Public Key Infrastructure)` designed to secure the Internet routing
infrastructure. It associates BGP route announcements with the correct
@@ -19,6 +26,14 @@ open source implementations to choose from, such as NLNetLabs' Routinator_
RIPE NCC's RPKI Validator_ (written in Java). The RTR protocol is described
in :rfc:`8210`.
+.. tip::
+ If you are new to these routing security technologies then there is an
+ `excellent guide to RPKI`_ by NLnet Labs which will get you up to speed
+ very quickly. Their documentation explains everything from what RPKI is to
+ deploying it in production (albeit with a focus on using NLnet Labs'
+ tools). It also has some `help and operational guidance`_ including
+ "What can I do about my route having an Invalid state?"
+
First you will need to deploy an RPKI validator for your routers to use. The
RIPE NCC helpfully provide `some instructions`_ to get you started with
several different options. Once your server is running you can start
@@ -81,10 +96,11 @@ filter we reject prefixes with the state `invalid`, and set a higher
set policy route-map ROUTES-IN rule 30 action 'deny'
set policy route-map ROUTES-IN rule 30 match rpki 'invalid'
-Once your routers are configured to reject RPKI-invalid prefixes, test
-whether the configuration is working correctly using the `RIPE Labs RPKI
+Once your routers are configured to reject RPKI-invalid prefixes, you can
+test whether the configuration is working correctly using the `RIPE Labs RPKI
Test`_ experimental tool.
+.. _tweet by EvilMog: https://twitter.com/Evil_Mog/status/1230924170508169216
.. _Routinator: https://www.nlnetlabs.nl/projects/rpki/routinator/
.. _GoRTR: https://github.com/cloudflare/gortr
.. _OctoRPKI: https://github.com/cloudflare/cfrpki#octorpki
@@ -93,3 +109,5 @@ Test`_ experimental tool.
.. _Krill: https://www.nlnetlabs.nl/projects/rpki/krill/
.. _RPKI analytics: https://www.nlnetlabs.nl/projects/rpki/rpki-analytics/
.. _RIPE Labs RPKI Test: https://sg-pub.ripe.net/jasper/rpki-web-test/
+.. _excellent guide to RPKI: https://rpki.readthedocs.io/
+.. _help and operational guidance: https://rpki.readthedocs.io/en/latest/about/help.html