hints:rpki
hints:rpki [2023/12/28 01:33] – [Installing GoRTR] philip | hints:rpki [2024/03/20 22:24] (current) – [StayRTR] philip | ||
Line 13: | Line 13: | ||
* [[rpki# | * [[rpki# | ||
* [[rpki# | * [[rpki# | ||
- | * [[rpki# | ||
* [[rpki# | * [[rpki# | ||
* [[rpki# | * [[rpki# | ||
Line 32: | Line 31: | ||
===== NLnetLabs Routinator ===== | ===== NLnetLabs Routinator ===== | ||
- | Nothing to say here, the instructions just work, the validator installs sweetly, and just runs. As long as the instructions are followed. The current version of Routinator is 0.13.0, at time of writing. | + | Nothing to say here, the instructions just work, the validator installs sweetly, and just runs. As long as the instructions are followed. The current version of Routinator is 0.13.2, at time of writing. |
If using Debian/ | If using Debian/ | ||
Line 84: | Line 83: | ||
===== FORT ===== | ===== FORT ===== | ||
- | FORT is the validator developed by NIC Mexico. More about it is on the [[https:// | + | FORT is the validator developed by NIC Mexico. More about it is on the [[https:// |
- | FORT is available as part of Ubuntu 22.04 packaging, but it is an older version (1.5.3), so for this reason we use the NIC Mexico produced package. | + | FORT is available as part of Ubuntu 22.04 packaging, but it is an older version (1.5.3-1), so for this reason we use the latest |
FORT is not quite so easy to install, but still relatively simple as long as you follow the instructions on their [[https:// | FORT is not quite so easy to install, but still relatively simple as long as you follow the instructions on their [[https:// | ||
Line 185: | Line 184: | ||
===== RPKI-client ===== | ===== RPKI-client ===== | ||
- | **rpki-client** is just a validator - it does not have the functionality to accept connections from a router. We'll come to that later on (we'll need to use [[rpki# | + | **rpki-client** is just a validator - it does not have the functionality to accept connections from a router. We'll come to that later on (we'll need to use [[rpki# |
**rpki-client** has now been packaged and is available as part of the Ubuntu 22.04 distribution. However, the packaged version is old (version 7.6). At the time of writing, the current release of **rpki-client** is version 8.7. | **rpki-client** has now been packaged and is available as part of the Ubuntu 22.04 distribution. However, the packaged version is old (version 7.6). At the time of writing, the current release of **rpki-client** is version 8.7. | ||
Line 199: | Line 198: | ||
The other required package noted in the instructions is **tls** from LibreSSL. LibreSSL is a branch of OpenSSL and is used on OpenBSD - not found on Linux, but seems to be appearing in the latest Debian/ | The other required package noted in the instructions is **tls** from LibreSSL. LibreSSL is a branch of OpenSSL and is used on OpenBSD - not found on Linux, but seems to be appearing in the latest Debian/ | ||
- | First we go to [[https:// | + | First we go to [[https:// |
< | < | ||
- | wget https:// | + | wget https:// |
</ | </ | ||
We then unpack it: | We then unpack it: | ||
< | < | ||
- | tar zxf libressl-3.8.2.tar.gz | + | tar zxf libressl-3.8.3.tar.gz |
</ | </ | ||
and then build it: | and then build it: | ||
< | < | ||
- | cd libressl-3.8.2 | + | cd libressl-3.8.3 |
./configure --enable-libtls-only | ./configure --enable-libtls-only | ||
make | make | ||
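Review bot: the LibreSSL tarball fetched by the `wget https://` line is unpacked and built straight away with no integrity check, and the libtls produced here gets linked into the validator that decides which routes are accepted. LibreSSL releases are published together with a SHA256 checksum file and signatures, so add a verification step between the download and `tar zxf libressl-3.8.3.tar.gz`, for example comparing `sha256sum libressl-3.8.3.tar.gz` against the published hash, before going on to `./configure --enable-libtls-only`.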
Line 216: | Line 215: | ||
Note the option to only build **libtls** - we don't need the rest of LibreSSL and it could well interfere with OpenSSL which will already be on the system. Now that **libtls** is built, the **install** action will put the libraries in **/ | Note the option to only build **libtls** - we don't need the rest of LibreSSL and it could well interfere with OpenSSL which will already be on the system. Now that **libtls** is built, the **install** action will put the libraries in **/ | ||
< | < | ||
- | -rw-r--r-- | + | -rw-r--r-- |
- | -rw-r--r-- | + | lrwxrwxrwx |
- | lrwxrwxrwx 1 root root | + | lrwxrwxrwx |
- | lrwxrwxrwx 1 root root | + | -rw-r--r-- |
- | -rw-r--r-- 1 root root | + | |
</ | </ | ||
Run **sudo ldconfig** so that the system knows about the new libraries. | Run **sudo ldconfig** so that the system knows about the new libraries. | ||
Line 285: | Line 283: | ||
===== StayRTR ===== | ===== StayRTR ===== | ||
- | StayRTR is a hard fork of [[rpki# | + | StayRTR is a hard fork of GoRTR (which is no longer maintained by Cloudflare |
- | StayRTR has now been packaged and is available as part of the Ubuntu 22.04 distribution. However, the packaged version is old (version 0.3.0). At the time of writing, the current release of StayRTR is version 0.5.1(31). I'm not going to upgrade a production system to interim Ubuntu releases just to get a slightly newer (and still out of date) version of StayRTR. | + | StayRTR has now been packaged and is available as part of the Ubuntu 22.04 distribution. However, the packaged version is old (version 0.3.0). At the time of writing, the current release of StayRTR is version 0.5.1(47). I'm not going to upgrade a production system to interim Ubuntu releases just to get a slightly newer (and still out of date) version of StayRTR. |
So for this reason, and to stay up to date, at least on Ubuntu, we have to build it ourselves. A pity that the **StayRTR** maintainers don't build their own deb package, or pre-build packages like NLnetLabs do with Routinator. | So for this reason, and to stay up to date, at least on Ubuntu, we have to build it ourselves. A pity that the **StayRTR** maintainers don't build their own deb package, or pre-build packages like NLnetLabs do with Routinator. | ||
Line 295: | Line 293: | ||
First you will need a working Go environment. Full instructions are at [[https:// | First you will need a working Go environment. Full instructions are at [[https:// | ||
- | First off, download the latest Go package (1.21.4 at time of writing): | + | First off, download the latest Go package (1.22.1 at time of writing): |
< | < | ||
- | wget https:// | + | wget https:// |
</ | </ | ||
If you have an existing Go environment, | If you have an existing Go environment, | ||
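Review bot: the same missing-verification point applies to the `wget https://` line that fetches the Go toolchain: go.dev/dl publishes a SHA256 checksum for each archive, so compare `sha256sum ~/go1.22.1.linux-amd64.tar.gz` against it before unpacking the compiler that will build StayRTR.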
Line 307: | Line 305: | ||
cd /usr/local | cd /usr/local | ||
sudo chmod 777 . | sudo chmod 777 . | ||
- | tar xzf ~/go1.21.4.linux-amd64.tar.gz | + | tar xzf ~/go1.22.1.linux-amd64.tar.gz |
sudo chmod 755 . | sudo chmod 755 . | ||
</ | </ | ||
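Review bot: the `sudo chmod 777 .` / `tar xzf ~/go1.22.1.linux-amd64.tar.gz` / `sudo chmod 755 .` sequence makes /usr/local world-writable for the duration of the extraction and leaves the extracted /usr/local/go tree owned by the unprivileged user who ran tar. The upstream Go install instructions use a single `sudo tar -C /usr/local -xzf ~/go1.22.1.linux-amd64.tar.gz`, which needs no mode change and leaves the tree root-owned; suggest replacing the three lines with that (preceded by `sudo rm -rf /usr/local/go` when upgrading an existing install, as the upstream instructions also do).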
Line 337: | Line 335: | ||
< | < | ||
cd dist | cd dist | ||
- | sudo cp -p stayrtr-v0.5.1-31-g03532ba-linux-x86_64 / | + | sudo cp -p stayrtr-v0.5.1-47-gfebec67-linux-x86_64 / |
- | sudo cp -p rtrdump-v0.5.1-31-g03532ba-linux-x86_64 / | + | sudo cp -p rtrdump-v0.5.1-47-gfebec67-linux-x86_64 / |
- | sudo cp -p rtrmon-v0.5.1-31-g03532ba-linux-x86_64 / | + | sudo cp -p rtrmon-v0.5.1-47-gfebec67-linux-x86_64 / |
</ | </ | ||
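Review bot: `sudo cp -p` preserves mode, owner and timestamp of the build output, so the three v0.5.1-47-gfebec67 binaries copied out of dist stay owned by whichever user ran `make` even though they now live in a system directory, and that user can later overwrite the daemon binary without sudo. Suggest `sudo install -m 0755 -o root -g root dist/stayrtr-v0.5.1-47-gfebec67-linux-x86_64` to the same destination path (likewise for rtrdump and rtrmon), or a plain `sudo cp` followed by `sudo chown root:root` on the installed files.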
Line 442: | Line 440: | ||
And that's it. Enjoy your new StayRTR installation. | And that's it. Enjoy your new StayRTR installation. | ||
- | ===== GoRTR ===== | ||
- | |||
- | I've included GoRTR here though it is no longer maintained by Cloudflare as the maintainer has moved on to pastures new. All development work is now being carried out on [[rpki# | ||
- | |||
- | I'll be very clear - **please don't use GoRTR**. I still run it for interest sake. For production, [[rpki# | ||
- | |||
- | As with StayRTR, you need a working Go environment. Please consult the [[https:// | ||
- | |||
- | |||
- | ==== Installing GoRTR ==== | ||
- | |||
- | Easiest way to do this is to build from the [[https:// | ||
- | |||
- | **Note1**: You could download and use the provided [[https:// | ||
- | |||
- | **Note2**: You could even download the [[https:// | ||
- | |||
- | But we will focus on building from the source. | ||
- | < | ||
- | git clone https:// | ||
- | cd gortr | ||
- | make build-gortr build-rtrmon build-rtrdump | ||
- | </ | ||
- | which builds **gortr** as well as **rtrmon** and **rtrdump** (the latter used for testing purposes). | ||
- | |||
- | Copy the resulting binaries to **/ | ||
- | < | ||
- | cd dist | ||
- | sudo cp -p gortr-v0.14.8-5-g9f01dca-linux-x86_64 / | ||
- | sudo cp -p rtrdump-v0.14.8-5-g9f01dca-linux-x86_64 / | ||
- | sudo cp -p rtrmon-v0.14.8-5-g9f01dca-linux-x86_64 / | ||
- | </ | ||
- | |||
- | GoRTR has lots of options, but the ones we need are these: | ||
- | < | ||
- | -bind string | ||
- | Bind address (default ": | ||
- | | ||
- | URL of the cached JSON data (default " | ||
- | | ||
- | Check if file is still valid (default true) | ||
- | | ||
- | Check signature using provided public key (disable by passing -verify=false) | ||
- | </ | ||
- | We don't need to use the Cloudflare JSON source, given we have our own from the newly created RPKI-client. RPKI-client doesn' | ||
- | |||
- | We run GoRTR like this: | ||
- | < | ||
- | / | ||
- | </ | ||
- | which will at least let us test that it works. Run it and see what happens - you should see output at the command line looking like this: | ||
- | < | ||
- | INFO[0001] New update (304138 uniques, 304138 total prefixes). 0 bytes. Updating sha256 hash -> 0592ddc6e9a82666f8ddc5eda8cad76cb61f22640f17199b1bff06b5928b9718 | ||
- | INFO[0002] Updated added, new serial 0 | ||
- | INFO[0002] GoRTR Server started (sessionID: | ||
- | </ | ||
- | And if you check the ports that are listening (**ss -an**) you will see: | ||
- | < | ||
- | tcp LISTEN | ||
- | tcp LISTEN | ||
- | </ | ||
- | Port 3323 is the listening port for Router connections. And Port 8080 is the metrics port, for monitoring systems to connect to. | ||
- | |||
- | But perhaps this isn't good for long term operations as you'd prefer to have this start running automatically when the system starts. And for that we'd need to set up a suitable **systemd** entry. | ||
- | |||
- | First off, let's create a user for GoRTR (it does not have to run as root): | ||
- | < | ||
- | sudo groupadd _gortr | ||
- | sudo useradd –g _gortr –s / | ||
- | </ | ||
- | Next we create a file **/ | ||
- | < | ||
- | # Settings for GoRTR. Consult https:// | ||
- | # more discussion and other available options | ||
- | |||
- | GORTR_ARGS=-bind :3323 -verify=false -cache / | ||
- | # | ||
- | </ | ||
- | Then we go to the **/ | ||
- | < | ||
- | [Unit] | ||
- | Description=GoRTR RPKI to Router Server | ||
- | Documentation=https:// | ||
- | After=network.target | ||
- | |||
- | [Service] | ||
- | EnvironmentFile=/ | ||
- | ExecStart=/ | ||
- | Type=exec | ||
- | User=_gortr | ||
- | Group=_gortr | ||
- | AmbientCapabilities=CAP_NET_BIND_SERVICE | ||
- | CapabilityBoundingSet=CAP_NET_BIND_SERVICE | ||
- | |||
- | [Install] | ||
- | WantedBy=multi-user.target | ||
- | </ | ||
- | We then need to enable it: | ||
- | < | ||
- | sudo systemctl enable gortr | ||
- | </ | ||
- | which then displays: | ||
- | < | ||
- | Created symlink / | ||
- | </ | ||
- | and then we can run GoRTR, like this: | ||
- | < | ||
- | sudo systemctl start gortr | ||
- | </ | ||
- | Once it is running, check that it is working by running: | ||
- | < | ||
- | sudo systemctl status gortr | ||
- | </ | ||
- | and you should see something like this: | ||
- | < | ||
- | * gortr.service - GoRTR RPKI to Router Server | ||
- | | ||
- | Drop-In: / | ||
- | | ||
- | | ||
- | Docs: https:// | ||
- | Main PID: 170962 (gortr) | ||
- | Tasks: 14 (limit: 38463) | ||
- | | ||
- | | ||
- | | ||
- | |||
- | Dec 27 13:14:43 gortr gortr[170962]: | ||
- | Dec 27 13:24:46 gortr gortr[170962]: | ||
- | Dec 27 13:24:50 gortr gortr[170962]: | ||
- | </ | ||
- | and you can also run the more traditional **ps ax** to see something like: | ||
- | < | ||
- | | ||
- | </ | ||
- | |||
- | And that's it. Enjoy your new GoRTR installation. | ||
===== Cisco IOS-XE Hints ===== | ===== Cisco IOS-XE Hints ===== | ||
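Review bot: with the whole GoRTR section gone, every remaining `[[rpki#` link that pointed at it has to go as well; the TOC hunk and the StayRTR hunk in this diff take care of two of them and the RPKI-client hunk touches a third, but the router-hint sections further down (Cisco IOS-XE, BIRD) should be checked too, since a dangling intra-page anchor is the only thing this deletion can break. The removal itself is consistent with the section's own advice (`**please don't use GoRTR**`, "All development work is now being carried out on" StayRTR). One detail worth carrying forward: the removed `sudo useradd –g _gortr –s /` line has en-dashes rather than ASCII hyphens in front of `g` and `s`, so if the user and systemd setup is reused for StayRTR, retype those flags as `-g` and `-s`.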
Line 759: | Line 620: | ||
===== BIRD Hints ===== | ===== BIRD Hints ===== | ||
- | This section shows the basic configuration needed to get route origin validation up and running on a [[https:// | + | This section shows the basic configuration needed to get route origin validation up and running on a [[https:// |
==== Configuration with Validator ==== | ==== Configuration with Validator ==== |
hints/rpki.txt · Last modified: 2024/03/20 22:24 by philip