What is RPKI?
RPKI (Resource Public Key Infrastructure) was well explained by APNIC hereIn the past, BKNIX provided the validated cache (ROA objects) implemented by RPKI Relying Party (RP) software called rcynic which is the part of RPKI toolkit 'rpki.net'
Currently, BKNIX aims to run more than one software on multiple hosts for diversity and redundancy.
Rcynic was replaced by Routinator.
Additionally, StayRTR and FORT Validator are concurrently running together on different ports.
BGP Speakers can retrieve this information via 'rpki-rtr' which is described in [RFC6810].
Note that this communication is unencrypted.
Statistics
This statistics page can be found here
Config guide
Nokia (Alcatel-Lucent)
SROS:C-12.0.R6
configure
router
origin-validation
rpki-session 203.159.70.26
port 323
description "BKNIX (rpki.bknix.co.th)"
no shutdown
exit
rpki-session 2001:deb:0:4070::26
port 323
description "BKNIX (rpki.bknix.co.th)"
no shutdown
exit
rpki-session 203.159.70.36
port 323
description "BKNIX (rpki.bknix.net)"
no shutdown
exit
rpki-session 2001:deb:0:4070::36
port 323
description "BKNIX (rpki.bknix.net)"
no shutdown
exit
exit
Above setup tells the router to setup rpki-rtr with the validated cache only.It can enable the validation process at the specific peer(s) or peer-group.
configure router
bgp
best-path-selection
origin-validation-unusable #Enable/Disable BGP routes which its origin validation state is invalid to be use or unuse in best path selection.
exit
group "Peer AS"
enable-origin-validation ipv4 ipv6 #Enable/Disable Origin Validation for the bgp family
exit
exit
exit
Cisco (IOS-XE)
IOS XE-3.5.0/15.1(3) or laterrouter bgp (your AS) bgp rpki server tcp 203.159.70.26 port 323 refresh 60 bgp rpki server tcp 203.159.70.36 port 4323 refresh 60 ! address-family ipv4 no bgp bestpath prefix-validate disable #Enable Origin Validation process no bgp bestpath prefix-validate allow-invalid #Do not allow invalid routes to be considered for bestpath exit-address-family ! address-family ipv6 no bgp bestpath prefix-validate disable #Enable Origin Validation process no bgp bestpath prefix-validate allow-invalid #Do not allow invalid routes to be considered for bestpath exit-address-family !
Juniper (JUNOS)
Release 12.2 or later
routing-options {
validation {
group RPKI {
session 203.159.70.26 {
refresh-time 60;
port 323;
}
session 203.159.70.36 {
refresh-time 60;
port 323;
}
}
}
}
create your own policy How to manipulate received routes with different validation state.
policy-options {
policy-statement BKNIX-RS-v4-IN {
term valid {
from {
protocol bgp;
validation-database valid;
}
then {
validation-state valid;
accept;
}
}
term not-found {
from {
protocol bgp;
validation-database unknown;
}
then {
validation-state unknown;
accept;
}
}
term invalid {
from {
protocol bgp;
validation-database invalid;
}
then {
validation-state invalid;
reject; #To allow invalid route,use accept; instead
}
}
then reject;
}
}
...
then apply the configuration to peers
protocols {
bgp {
group BKNIX-RS {
neighbor 203.159.68.68 {
import BKNIX-RS-v4-IN;
}
neighbor 203.159.68.69 {
import BKNIX-RS-v4-IN;
}
neighbor 2001:deb:0:68::68 {
import BKNIX-RS-v6-IN;
}
neighbor 2001:deb:0:68::69 {
import BKNIX-RS-v6-IN;
}
}
}
}
