diff options
Diffstat (limited to 'docs/routing/rpki.rst')
| -rw-r--r-- | docs/routing/rpki.rst | 113 |
1 files changed, 0 insertions, 113 deletions
diff --git a/docs/routing/rpki.rst b/docs/routing/rpki.rst deleted file mode 100644 index 9813b1b6..00000000 --- a/docs/routing/rpki.rst +++ /dev/null @@ -1,113 +0,0 @@ -.. _rpki: - -#### -RPKI -#### - -.. pull-quote:: - - There are two types of Network Admins who deal with BGP, those who have - created an international incident and/or outage, and those who are lying - - -- `tweet by EvilMog`_, 2020-02-21 - -:abbr:`RPKI (Resource Public Key Infrastructure)` is a framework :abbr:`PKI -(Public Key Infrastructure)` designed to secure the Internet routing -infrastructure. It associates BGP route announcements with the correct -originating :abbr:`ASN (Autonomus System Number)` which BGP routers can then -use to check each route against the corresponding :abbr:`ROA (Route Origin -Authorisation)` for validity. RPKI is described in :rfc:`6480`. - -A BGP-speaking router like VyOS can retrieve ROA information from RPKI -"Relying Party software" (often just called an "RPKI server" or "RPKI -validator") by using :abbr:`RTR (RPKI to Router)` protocol. There are several -open source implementations to choose from, such as NLNetLabs' Routinator_ -(written in Rust), Cloudflare's GoRTR_ and OctoRPKI_ (written in Go), and -RIPE NCC's RPKI Validator_ (written in Java). The RTR protocol is described -in :rfc:`8210`. - -.. tip:: - If you are new to these routing security technologies then there is an - `excellent guide to RPKI`_ by NLnet Labs which will get you up to speed - very quickly. Their documentation explains everything from what RPKI is to - deploying it in production (albeit with a focus on using NLnet Labs' - tools). It also has some `help and operational guidance`_ including - "What can I do about my route having an Invalid state?" - -First you will need to deploy an RPKI validator for your routers to use. The -RIPE NCC helpfully provide `some instructions`_ to get you started with -several different options. Once your server is running you can start -validating announcements. - -Imported prefixes during the validation may have values: - - valid - The prefix and ASN that originated it match a signed ROA. These are - probably trustworthy route announcements. - - invalid - The prefix or prefix length and ASN that originated it doesn't - match any existing ROA. This could be the result of a prefix hijack, or - merely a misconfiguration, but should probably be treated as - untrustworthy route announcements. - - notfound - No ROA exists which covers that prefix. Unfortunately this is the case - for about 80% of the IPv4 prefixes which were announced to the :abbr:`DFZ - (default-free zone)` at the start of 2020 (see more detail in - NLnet Labs' `RPKI analytics`_). - -.. note:: - If you are responsible for the global addresses assigned to your - network, please make sure that your prefixes have ROAs associated with them - to avoid being `notfound` by RPKI. For most ASNs this will involve - publishing ROAs via your :abbr:`RIR (Regional Internet Registry)` (RIPE - NCC, APNIC, ARIN, LACNIC or AFRINIC), and is something you are encouraged - to do whenever you plan to announce addresses into the DFZ. - - Particularly large networks may wish to run their own RPKI certificate - authority and publication server instead of publishing ROAs via their RIR. - This is a subject far beyond the scope of VyOS' documentation. Consider - reading about Krill_ if this is a rabbit hole you need or especially want - to dive down. - -We can build route-maps for import based on these states. Here is a simple -RPKI configuration, where `routinator` is the RPKI-validating "cache" -server with ip `192.0.2.1`: - -.. code-block:: none - - set protocols rpki cache routinator address '192.0.2.1' - set protocols rpki cache routinator port '3323' - -Here is an example route-map to apply to routes learned at import. In this -filter we reject prefixes with the state `invalid`, and set a higher -`local-preference` if the prefix is RPKI `valid` rather than merely -`notfound`. - -.. code-block:: none - - set policy route-map ROUTES-IN rule 10 action 'permit' - set policy route-map ROUTES-IN rule 10 match rpki 'valid' - set policy route-map ROUTES-IN rule 10 set local-preference '300' - set policy route-map ROUTES-IN rule 20 action 'permit' - set policy route-map ROUTES-IN rule 20 match rpki 'notfound' - set policy route-map ROUTES-IN rule 20 set local-preference '125' - set policy route-map ROUTES-IN rule 30 action 'deny' - set policy route-map ROUTES-IN rule 30 match rpki 'invalid' - -Once your routers are configured to reject RPKI-invalid prefixes, you can -test whether the configuration is working correctly using the `RIPE Labs RPKI -Test`_ experimental tool. - -.. _tweet by EvilMog: https://twitter.com/Evil_Mog/status/1230924170508169216 -.. _Routinator: https://www.nlnetlabs.nl/projects/rpki/routinator/ -.. _GoRTR: https://github.com/cloudflare/gortr -.. _OctoRPKI: https://github.com/cloudflare/cfrpki#octorpki -.. _Validator: https://www.ripe.net/manage-ips-and-asns/resource-management/certification/tools-and-resources -.. _some instructions: https://labs.ripe.net/Members/tashi_phuntsho_3/how-to-install-an-rpki-validator -.. _Krill: https://www.nlnetlabs.nl/projects/rpki/krill/ -.. _RPKI analytics: https://www.nlnetlabs.nl/projects/rpki/rpki-analytics/ -.. _RIPE Labs RPKI Test: https://sg-pub.ripe.net/jasper/rpki-web-test/ -.. _excellent guide to RPKI: https://rpki.readthedocs.io/ -.. _help and operational guidance: https://rpki.readthedocs.io/en/latest/about/help.html |