
BGP Origin Validation Using RPKI

This example shows how to configure RPKI on a Junos OS router, configure an RPKI validator, verify the validator's operation, and check BGP Origin Validation.

Configure RPKI

This configuration example provides instructions to configure RPKI.

Requirements

This example uses the following hardware and software components:

  • Tested with Junos OS 19.2R1.8 (Origin Validation supported since Junos OS Release 12.2).

  • Two MX204 routers.

  • A virtual machine (VM).

Overview

Figure 1 shows a high-level network diagram used for reference throughout this document.

The two MX204 routers, Router1 and Router2, are border routers that control the routes received from upstream ISPs. RPKI is configured on these two routers. The virtual machine (VM) (IP address 172.18.158.39) runs the RIPE NCC RPKI Validator. This VM downloads the RPKI ROAs from the five RIRs.

Figure 1: High-Level Network Diagram for RPKI Origin Validation Testing

Configure RPKI

The BGP import policy accepts both VALID and UNKNOWN validation states and rejects routes that have an RPKI INVALID validation state.

The relevant configuration for the Router1 MX204 is highlighted in the following router options:

Configure the RPKI Validator

This example uses the RPKI validator from RIPE NCC; other validators are available from NLnet Labs and Cloudflare.

In the case of the RIPE NCC validator, a Linux operating system with OpenJDK 8 or higher and rsync support is required. The validation software is available on RIPE NCC's website and is downloaded to the server. Figure 2 shows the RIPE NCC download screen for the RPKI validator software.

Figure 2: The RIPE NCC Validator Download Page

This configuration uses a VM running Ubuntu 18.04.4 LTS. The RPKI validator package does not require installation; it is ready to run once extracted. The package provides a Web-based interface on port 8080 for monitoring and configuring the validator, and without changes to its configuration it listens on port 8323 for RPKI-RTR connections. The commands used are shown below.

root@dev01:/var/tmp# wget https://ftp.ripe.net/tools/rpki/validator3/prod/generic/rpki-validator-3-latest-dist.tar.gz
root@dev01:/var/tmp# tar zxvf rpki-validator-3-latest-dist.tar.gz
root@vm1:/var/tmp# cd rpki-validator-3.1-2020.01.13.09.31.26/

By default, the validator listens on localhost only. If you need to change this behavior, comment out the server.address=localhost option or specify a different IP address in the application.properties file in the conf/ directory.

The next step is to start the validator:

root@dev01:~/rpki-validator-3.1-2020.01.13.09.31.26# ./rpki-validator-3.sh

The console shows log output, and after some time you see a recurring pattern of ROAs being retrieved and validated.

You must download and install the ARIN TAL for a fully functional validator. See https://github.com/RIPE-NCC/rpki-validator-3/wiki for the installation procedure.

In summary, the steps include:

  • Start the RPKI-RTR daemon that handles the connection between the validator and the router.

  • For an RTR server reachable beyond localhost, change the application.properties file in the conf/ directory of the validator.

RPKI Validator Verification and Operation

You can use the Web interface to view the state of the RPKI validator process. Figure 3 shows how to check the state of downloading and validating ROAs from the preconfigured RIR RPKI repository (Trust Anchors).

Figure 3: Checking the Configured Trust Anchors

You can check the connection state from the routers to the RPKI roots as well. Figure 4 shows the view of the validated ROAs from various NICs and the RIPE NCC.

Figure 4: Checking the RPKI ROAs

The RPKI validator has a very useful feature, the Whitelist, which lets you create your own ROAs locally as seen in Figure 5.

Figure 5: Locally Created ROAs

Origin Validation Using RPKI Configured on a Junos OS Router

The Junos OS has the following two commands focused on Origin Validation:

  1. The show validation command displays the state of the router with regard to the RPKI validators.
    user@Router1> show validation ?
    user@Router1> show validation session
    user@Router1> show validation database
    user@Router1> show validation statistics
  2. The show route validation-state command displays routes having a certain validation state.
    user@Router1> show route validation-state ?

    The following three examples show received routes and the resulting validation states on Router1.

    • 10.0.0/24 thru 10.0.9/24

      The RPKI validator has a ROA for 10.0.0/22 with a maximum prefix length of /24, which on its own would mean all of these routes should have a state of VALID; however, there is also a ROA for 10.0.0.0/12-16 (maximum /16) for origin AS 64508. That ROA is the only one covering 10.0.4/24 through 10.0.9/24, and because a /24 exceeds its /16 maximum, it marks those routes as INVALID.

    • 172.16.0/24 thru 172.16.9/24

      The RPKI validator has a ROA for 172.16.0.0/16 with a maximum prefix length of /16, which means all of these routes should have a state of INVALID: even though the origin AS number is correct, the /24 routes exceed the maximum prefix length of /16.

    • 172.30.0.0/24 thru 172.30.9.0/24

      The RPKI validator does not have ROAs for any of these routes, which means all of these should have a state of UNKNOWN.

    user@Router1> show route validation-state valid
    user@Router1> show route validation-state unknown
    user@Router1> show route validation-state invalid
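To make the three cases above concrete, here is an added example (not part of the Juniper documentation or the Junos OS implementation) that implements the RFC 6811 origin validation decision in Python and reproduces the VALID, INVALID and UNKNOWN results against a constructed ROA table, together with the accept-VALID/UNKNOWN, reject-INVALID import policy described earlier. The origin AS 64500 used for the received routes and for the 10.0.0.0/22 and 172.16.0.0/16 ROAs is an assumption, since the page only names AS 64508 for the 10.0.0.0/12 ROA.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # authorised prefix, e.g. "10.0.0.0/22"
    max_length: int   # longest prefix length the ROA authorises
    origin_as: int    # AS allowed to originate the prefix


# Constructed ROA table mirroring the three cases in the text.
# AS 64500 for the first and third ROA is an assumption; the page only
# states AS 64508 for the 10.0.0.0/12 ROA.
ROA_TABLE = (
    ROA("10.0.0.0/22", 24, 64500),
    ROA("10.0.0.0/12", 16, 64508),
    ROA("172.16.0.0/16", 16, 64500),
)


def validate(prefix, origin_as, roas=ROA_TABLE):
    """RFC 6811 route origin validation.

    A ROA 'covers' a route when the route lies inside the ROA prefix.
    valid   : some covering ROA matches the origin AS and length <= max_length
    invalid : covering ROAs exist but none of them matches
    unknown : no ROA covers the route at all
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_as == origin_as and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "unknown"


def import_policy(state):
    """Import policy from the text: accept VALID and UNKNOWN, reject INVALID."""
    return "reject" if state == "invalid" else "accept"


def summarize(origin_as=64500):
    """Validation state of every route in the three groups listed above."""
    groups = ("10.0.%d.0/24", "172.16.%d.0/24", "172.30.%d.0/24")
    return {fmt % i: validate(fmt % i, origin_as) for fmt in groups for i in range(10)}
```

Running `summarize()` gives valid for 10.0.0/24 through 10.0.3/24, invalid for 10.0.4/24 through 10.0.9/24 and for all of 172.16.x/24, and unknown for 172.30.x/24, matching the three cases in the text.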