RPKI validation
BGP is built on trust, but as with everything else you can't trust people. I am not saying that BGP hijacks are only done by malicious actors, but it happens. And even if the hijack isn't malicious, you will be affected when a hijack occurs.
RPKI is meant to protect us from that. So I must have RPKI signing and validation implemented in my little network.
Signing
For my prefix there's actually not much to do when it comes to signing. I can use my LIR's control panel to create ROAs.
Validation
The validation is on me to implement on my routers.
I am using Routinator as the RPKI relying party (RTR server). It runs on a dedicated VM, and the routers are connected to it with Tailscale.
Most of my infrastructure is still running back in Europe with Hetzner so having a dedicated VM there makes sense for me.
So on my edge routers, I first configure an RPKI protocol.
##########
## ROAs ##
##########
roa6 table roa_v6;
protocol rpki routinator1 {
roa6 { table roa_v6; };
remote "100.108.204.55" port 3323;
retry keep 90;
refresh keep 900;
expire keep 172800;
}
Then we create a function that looks up the incoming prefix and its origin AS against the ROA table fed by Routinator:
# Functions
function ix_import_v6(int asnr)
{
# Check the announced prefix and the origin AS (last non-aggregated AS in the path)
# against the roa_v6 table. Only ROA_INVALID is rejected; ROA_VALID and
# ROA_UNKNOWN (no covering ROA) are both accepted.
if(roa_check(roa_v6, net, bgp_path.last_nonaggregated) = ROA_INVALID) then return false;
return true;
}
And then we apply the function in my import filter:
template bgp AS215855v6 {
ipv6 {
export filter {
if net = 2a0e:97c0:e60::/48 then accept;
reject;
};
import where ix_import_v6(58057);
import keep filtered;
};
local as 215855;
}
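The roa_check() call in the filter above performs RFC 6811 route origin validation. As an added example (my code, not BIRD's or Routinator's), here is that decision logic in Python, evaluated against a constructed ROA table: the page's prefix with an assumed maxLength of 48, plus an AS0 ROA on a documentation prefix to show the "nobody may originate this" case.

```python
import ipaddress
from dataclasses import dataclass

# Validation states, matching the results BIRD's roa_check() can return
ROA_VALID, ROA_INVALID, ROA_UNKNOWN = "valid", "invalid", "unknown"


@dataclass(frozen=True)
class Roa:
    prefix: ipaddress.IPv6Network   # IPv6 only, like the roa6 table above
    max_length: int                 # longest prefix length the ROA authorises
    asn: int                        # authorised origin AS (0 = AS0 ROA, never matches)


def roa_check(roa_table, net, origin_asn):
    """RFC 6811 origin validation for a single route.

    net: the announced prefix (string or IPv6Network)
    origin_asn: the last non-aggregated AS in the AS_PATH
    """
    net = ipaddress.IPv6Network(net)
    covering = [r for r in roa_table if net.subnet_of(r.prefix)]
    if not covering:
        return ROA_UNKNOWN          # no ROA covers this prefix at all
    for r in covering:
        # Any single covering ROA that matches origin AND length makes it valid
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return ROA_VALID
    return ROA_INVALID              # covered, but no ROA permits this origin/length


def ix_import_v6(roa_table, net, origin_asn):
    """Mirror of the BIRD filter above: drop only ROA_INVALID routes."""
    return roa_check(roa_table, net, origin_asn) != ROA_INVALID


# Constructed ROA table for the example. The page does not state the ROA's
# maxLength, so 48 is an assumption; the AS0 ROA on 2001:db8::/32 is invented.
ROA_V6 = [
    Roa(ipaddress.IPv6Network("2a0e:97c0:e60::/48"), 48, 215855),
    Roa(ipaddress.IPv6Network("2001:db8::/32"), 32, 0),
]

if __name__ == "__main__":
    for net, asn in [("2a0e:97c0:e60::/48", 215855), ("2a0e:97c0:e60::/49", 215855),
                     ("2a0e:97c0:e60::/48", 58057), ("2001:db8::/32", 64496),
                     ("3fff::/20", 64496)]:
        print(net, asn, roa_check(ROA_V6, net, asn), "accept" if ix_import_v6(ROA_V6, net, asn) else "reject")
```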
And if we were to visualize how the Routinator sits in my setup, it looks like this:
And to verify that it is all working, we can find a prefix that we know is invalid. The easiest way is to make use of Cloudflare's https://isbgpsafeyet.com tests.
They use invalid.rpki.cloudflare.com for the tests, so let's look that one up in our routing table.
BIRD 2.0.7 ready.
bird> sh ro for 2606:4700:7000::6715:f408
Network not found
bird>
Perfect, the prefix is being filtered as it should.
What I've noticed though is that sometimes it seems like updates from the Routinator don't make it into Bird properly, so I have to run reload all in to make sure things are up to date.