| Name | IP address | Protocol (Port) - Software |
|---|---|---|
| rpki.bknix.co.th | 203.159.70.26, 2001:deb:0:4070::26 | rpki-rtr (tcp:323) - Routinator |
| | | rpki-rtr (tcp:4323) - GoRTR |
| | | rpki-rtr (tcp:8323) - RIPE Validator |
| rpki.bknix.net | 203.159.70.36, 2001:deb:0:4070::36 | rpki-rtr (tcp:323) - Routinator |
| | | rpki-rtr (tcp:4323) - GoRTR |
| | | rpki-rtr (tcp:8323) - RIPE Validator |

```
configure
    router
        origin-validation
            rpki-session 203.159.70.26
                port 323
                description "BKNIX (rpki.bknix.co.th)"
                no shutdown
            exit
            rpki-session 2001:deb:0:4070::26
                port 323
                description "BKNIX (rpki.bknix.co.th)"
                no shutdown
            exit
        exit
```

The setup above tells the router to set up rpki-rtr sessions with the validated cache only.

```
configure
    router
        bgp
            best-path-selection
                # Controls whether BGP routes whose origin validation state is
                # invalid are treated as unusable in best path selection.
                origin-validation-unusable
            exit
            group "Peer AS"
                # Enable/disable origin validation for the BGP address families.
                enable-origin-validation ipv4 ipv6
            exit
        exit
    exit
```

```
router bgp (your AS)
 bgp rpki server tcp 203.159.70.26 port 323 refresh 60
 bgp rpki server tcp 203.159.70.26 port 4323 refresh 60
 !
 address-family ipv4
  ! Enable the origin validation process
  no bgp bestpath prefix-validate disable
  ! Do not allow invalid routes to be considered for bestpath
  no bgp bestpath prefix-validate allow-invalid
 exit-address-family
 !
 address-family ipv6
  ! Enable the origin validation process
  no bgp bestpath prefix-validate disable
  ! Do not allow invalid routes to be considered for bestpath
  no bgp bestpath prefix-validate allow-invalid
 exit-address-family
!
```

```
routing-options {
    validation {
        group RPKI {
            session 203.159.70.26 {
                refresh-time 60;
                port 323;
            }
        }
    }
}
```

Create your own policy to control how received routes are handled in each validation state.

```
policy-options {
    policy-statement BKNIX-RS-v4-IN {
        term valid {
            from {
                protocol bgp;
                validation-database valid;
            }
            then {
                validation-state valid;
                accept;
            }
        }
        term not-found {
            from {
                protocol bgp;
                validation-database unknown;
            }
            then {
                validation-state unknown;
                accept;
            }
        }
        term invalid {
            from {
                protocol bgp;
                validation-database invalid;
            }
            then {
                validation-state invalid;
                reject; # To allow invalid routes, use accept; instead
            }
        }
        then reject;
    }
}
```

Then apply the policy to the peers. The IPv6 neighbors reference BKNIX-RS-v6-IN, which is not shown here and has to be defined as well.

```
protocols {
    bgp {
        group BKNIX-RS {
            neighbor 203.159.68.68 {
                import BKNIX-RS-v4-IN;
            }
            neighbor 203.159.68.69 {
                import BKNIX-RS-v4-IN;
            }
            neighbor 2001:deb:0:68::68 {
                import BKNIX-RS-v6-IN;
            }
            neighbor 2001:deb:0:68::69 {
                import BKNIX-RS-v6-IN;
            }
        }
    }
}
```
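
The import policy above acts on a validation state that the router computes by comparing each received route with the validated ROA payloads (VRPs) it learns from the cache. As an added example (not part of the original page or BKNIX's own tooling), this Python code implements the RFC 6811 origin validation procedure and the accept/reject decision of the policy; the VRPs, ASNs and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample VRPs (prefix, maxLength, origin AS) built from
# documentation prefixes and ASNs. A router learns the real set from the
# validated cache over rpki-rtr.
SAMPLE_VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 25, 64497),
    ("2001:db8::/32", 48, 64498),
]


def validation_state(prefix, origin_as, vrps=SAMPLE_VRPS):
    """Return 'valid', 'invalid' or 'unknown' (RFC 6811 NotFound) for a route."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_length, vrp_as in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route when both are the same address family and
        # the route is equal to or more specific than the VRP prefix.
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # A covering VRP matches when the route is no longer than maxLength
        # and the origin AS is the same. AS 0 in a VRP never matches.
        if route.prefixlen <= max_length and vrp_as == origin_as and vrp_as != 0:
            return "valid"
    # Covered but never matched is invalid; no covering VRP at all is unknown.
    return "invalid" if covered else "unknown"


def import_action(prefix, origin_as, vrps=SAMPLE_VRPS):
    """Mirror the import policy: accept valid and unknown, reject invalid."""
    state = validation_state(prefix, origin_as, vrps)
    return "reject" if state == "invalid" else "accept"


if __name__ == "__main__":
    # Constructed routes: (prefix, origin AS)
    for route in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                  ("198.51.100.128/25", 64511), ("203.0.113.0/24", 64500),
                  ("2001:db8:1::/48", 64498)]:
        print(route, validation_state(*route), import_action(*route))
```

A more-specific announcement of a covered prefix comes out invalid even with the right origin AS when it is longer than maxLength, which is why the `invalid` term rejects it while uncovered routes still pass as `unknown`.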