diff options
| author | Marek Isalski <github.com@maz.nu> | 2020-02-24 07:15:42 +0000 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-02-24 08:15:42 +0100 | 
| commit | 7d47e8c0c1fb5c13797f33c4d3ffb46765bf545b (patch) | |
| tree | ccd1707f4541ebd737d2a2152bd4bae75246a32a /docs/routing | |
| parent | cf8ac48b88f43061c59cf35ad58b7aafbac1e7eb (diff) | |
| download | vyos-documentation-7d47e8c0c1fb5c13797f33c4d3ffb46765bf545b.tar.gz vyos-documentation-7d47e8c0c1fb5c13797f33c4d3ffb46765bf545b.zip | |
rpki: add links to further guidance
Diffstat (limited to 'docs/routing')
| -rw-r--r-- | docs/routing/rpki.rst | 22 | 
1 files changed, 20 insertions, 2 deletions
| diff --git a/docs/routing/rpki.rst b/docs/routing/rpki.rst index 47ca63f1..9813b1b6 100644 --- a/docs/routing/rpki.rst +++ b/docs/routing/rpki.rst @@ -4,6 +4,13 @@  RPKI  #### +.. pull-quote:: + +   There are two types of Network Admins who deal with BGP, those who have +   created an international incident and/or outage, and those who are lying + +   -- `tweet by EvilMog`_, 2020-02-21 +  :abbr:`RPKI (Resource Public Key Infrastructure)` is a framework :abbr:`PKI  (Public Key Infrastructure)` designed to secure the Internet routing  infrastructure. It associates BGP route announcements with the correct @@ -19,6 +26,14 @@ open source implementations to choose from, such as NLNetLabs' Routinator_  RIPE NCC's RPKI Validator_ (written in Java). The RTR protocol is described  in :rfc:`8210`. +.. tip:: +  If you are new to these routing security technologies then there is an +  `excellent guide to RPKI`_ by NLnet Labs which will get you up to speed +  very quickly. Their documentation explains everything from what RPKI is to +  deploying it in production (albeit with a focus on using NLnet Labs' +  tools). It also has some `help and operational guidance`_ including +  "What can I do about my route having an Invalid state?" +  First you will need to deploy an RPKI validator for your routers to use. The  RIPE NCC helpfully provide `some instructions`_ to get you started with  several different options.  Once your server is running you can start @@ -81,10 +96,11 @@ filter we reject prefixes with the state `invalid`, and set a higher    set policy route-map ROUTES-IN rule 30 action 'deny'    set policy route-map ROUTES-IN rule 30 match rpki 'invalid' -Once your routers are configured to reject RPKI-invalid prefixes, test -whether the configuration is working correctly using the `RIPE Labs RPKI +Once your routers are configured to reject RPKI-invalid prefixes, you can +test whether the configuration is working correctly using the `RIPE Labs RPKI  Test`_ experimental tool. +.. _tweet by EvilMog: https://twitter.com/Evil_Mog/status/1230924170508169216  .. _Routinator: https://www.nlnetlabs.nl/projects/rpki/routinator/  .. _GoRTR: https://github.com/cloudflare/gortr  .. _OctoRPKI: https://github.com/cloudflare/cfrpki#octorpki @@ -93,3 +109,5 @@ Test`_ experimental tool.  .. _Krill: https://www.nlnetlabs.nl/projects/rpki/krill/  .. _RPKI analytics: https://www.nlnetlabs.nl/projects/rpki/rpki-analytics/  .. _RIPE Labs RPKI Test: https://sg-pub.ripe.net/jasper/rpki-web-test/ +.. _excellent guide to RPKI: https://rpki.readthedocs.io/ +.. _help and operational guidance: https://rpki.readthedocs.io/en/latest/about/help.html | 
