ROA records can be retrieved from the ROA cache server by connecting to it with rpki-rtr. Your BGP router receives the ROA information and uses it to perform BGP Origin Validation.
Host name | Host IP address | Listen port |
---|---|---|
roa1.mfeed.ad.jp | 210.173.170.254 | rpki-rtr (tcp:323) |
roa1.mfeed.ad.jp | 2001:3a0:e002:1001::101 | rpki-rtr (tcp:323) |
Currently, only 'rpki-rtr' (as described in RFC 6810) is supported.
Please note that all information exchanged over 'rpki-rtr' is sent unencrypted, so your router should reach the cache only over a network path you trust.
Repository | Trust Anchor Locator |
---|---|
repository.afrinic.net | afrinic.tal |
rpki.apnic.net | apnic-rpki-root-iana-origin.tal |
repository.lacnic.net | lacnic.tal |
rpki.ripe.net | ripe-ncc-root.tal |
rpki-repository.nic.ad.jp | jpnic-preliminary-ca-s1.tal |
Our cache data is updated hourly by rsync from the repositories of the Trust Anchors listed above.
The following examples are basic configurations and commands for connecting to our ROA cache server (210.173.170.254) with rpki-rtr. Replace AS65000 with your actual ASN.
```
!
router bgp 65000
 bgp rpki server tcp 210.173.170.254 port 323 refresh 60
!
```
In this example, only routes whose 'RPKI State' is 'valid' or 'not found' are installed in your routing table. If you also want to install 'invalid' routes, use the configuration below.
```
!
router bgp 65000
 address-family ipv4
  bgp bestpath prefix-validate allow-invalid
 exit-address-family
 !
 address-family ipv6
  bgp bestpath prefix-validate allow-invalid
 exit-address-family
!
```
If you need to do more than simply allow them, use route-maps.
```
Cisco> show ip bgp rpki servers
Cisco> show ip bgp rpki table
Cisco> show ip bgp ipv6 unicast rpki table
Cisco> clear ip bgp rpki server 210.173.170.254 port 323
Cisco> clear ip bgp rpki server 210.173.170.254 port 323 reset-only
```
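To show what the router actually receives over rpki-rtr and how it derives the 'RPKI State' used above, here is an added Python example (not part of this page or of the cache service) that walks a constructed RFC 6810 PDU stream and performs RFC 6811 origin validation against the ROAs it contains. The sample ROAs, prefixes and AS numbers are constructed for illustration, not data from roa1.mfeed.ad.jp.

```python
import ipaddress
import struct

CACHE_RESPONSE, IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA = 3, 4, 6, 7  # RFC 6810 PDU types

def pdu(ptype, body=b"", session=0):
    """Build one protocol-version-0 PDU: version, type, session-id/zero field, total length."""
    return struct.pack("!BBHI", 0, ptype, session, 8 + len(body)) + body

def parse_pdus(data):
    """Walk an rpki-rtr byte stream; return (roas, serial).
    roas holds (network, max_length, asn) tuples for announcements still in effect."""
    roas, serial, off = [], None, 0
    while off < len(data):
        version, ptype, _sess, length = struct.unpack_from("!BBHI", data, off)
        if version != 0 or length < 8 or off + length > len(data):
            raise ValueError("malformed PDU at offset %d" % off)
        body = data[off + 8:off + length]
        if ptype in (IPV4_PREFIX, IPV6_PREFIX):
            alen, cls = (4, ipaddress.IPv4Network) if ptype == IPV4_PREFIX else (16, ipaddress.IPv6Network)
            flags, plen, maxlen, _zero = struct.unpack_from("!BBBB", body)
            net = cls((body[4:4 + alen], plen), strict=False)
            asn, = struct.unpack_from("!I", body, 4 + alen)
            if flags & 1:                      # flag bit 0 set: announce; clear: withdraw
                roas.append((net, maxlen, asn))
            else:
                roas = [r for r in roas if r != (net, maxlen, asn)]
        elif ptype == END_OF_DATA:
            serial, = struct.unpack_from("!I", body)  # serial the cache is now at
        off += length
    return roas, serial

def validate(roas, prefix, origin_asn):
    """RFC 6811 origin validation, returning the router's 'RPKI State' wording."""
    route = ipaddress.ip_network(prefix)
    covering = [r for r in roas if r[0].version == route.version and route.subnet_of(r[0])]
    if not covering:
        return "not found"
    if any(asn == origin_asn and route.prefixlen <= maxlen for _n, maxlen, asn in covering):
        return "valid"
    return "invalid"

# Constructed sample stream (not captured from the cache): Cache Response, two ROAs for
# AS65000 (203.0.113.0/24 maxlen 24 and 2001:db8::/32 maxlen 48), End of Data with serial 42.
SAMPLE = (
    pdu(CACHE_RESPONSE, session=1)
    + pdu(IPV4_PREFIX, struct.pack("!BBBB", 1, 24, 24, 0) + ipaddress.ip_address("203.0.113.0").packed + struct.pack("!I", 65000))
    + pdu(IPV6_PREFIX, struct.pack("!BBBB", 1, 32, 48, 0) + ipaddress.ip_address("2001:db8::").packed + struct.pack("!I", 65000))
    + pdu(END_OF_DATA, struct.pack("!I", 42), session=1)
)
```

A route more specific than the ROA's max length (203.0.113.0/25 here) comes back 'invalid' even when the origin AS matches, which is the case most often seen when operators first enable validation.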
```
routing-options {
    validation {
        group RPKI {
            session 210.173.170.254 {
                refresh-time 60;
                port 323;
            }
        }
    }
}
```
By default, committing the above configuration makes your router listen on tcp:2222 on both IPv4 and IPv6. These ports are used internally by the router, so we recommend filtering all access to them EXCEPT from the router itself.
The above example only enables the session to the ROA cache server. See the policy-options and bgp configuration below to enable route validation if necessary.
```
policy-options {
    policy-statement AS65253-PEER-IN {
        term valid {
            from {
                protocol bgp;
                validation-database valid;
            }
            then {
                validation-state valid;
                accept;
            }
        }
        term not-found {
            from {
                protocol bgp;
                validation-database unknown;
            }
            then {
                validation-state unknown;
                accept;
            }
        }
        term invalid {
            from {
                protocol bgp;
                validation-database invalid;
            }
            then {
                validation-state invalid;
                reject;
            }
        }
        then reject;
    }
}
protocols {
    bgp {
        group AS65253 {
            neighbor 192.168.0.253 {
                import AS65253-PEER-IN;
            }
            neighbor 2001:db8::253 {
                import AS65253-PEER-IN;
            }
        }
    }
}
```
```
Juniper> show validation session
Juniper> show validation database
Juniper> clear validation session 210.173.170.254
Juniper> clear validation database
```
```
configure
    router
        origin-validation
            rpki-session 210.173.170.254
                port 323
                no shutdown
            exit
        exit
    exit
```
The above example only enables the session to the ROA cache server. See below to enable route validation if necessary.
```
configure
    router
        bgp
            best-path-selection
                origin-validation-unusable
            exit
            group "Peer AS"
                enable-origin-validation ipv4 ipv6
            exit
        exit
    exit
```
```
Alcatel# show router origin-validation rpki-session
Alcatel# show router origin-validation database
Alcatel# clear router origin-validation rpki-session 210.173.170.254
```