hints:rpki
Differences
hints:rpki [2024/03/20 13:47] – [Initial Preparation] philip | hints:rpki [2024/03/20 22:24] – [RPKI-client] philip | ||
Line 13: | Line 13: | ||
* [[rpki# | * [[rpki# | ||
* [[rpki# | * [[rpki# | ||
- | * [[rpki# | ||
* [[rpki# | * [[rpki# | ||
* [[rpki# | * [[rpki# | ||
Line 185: | Line 184: | ||
===== RPKI-client ===== | ===== RPKI-client ===== | ||
- | **rpki-client** is just a validator - it does not have the functionality to accept connections from a router. We'll come to that later on (we'll need to use [[rpki# | + | **rpki-client** is just a validator - it does not have the functionality to accept connections from a router. We'll come to that later on (we'll need to use [[rpki# |
**rpki-client** has now been packaged and is available as part of the Ubuntu 22.04 distribution. However, the packaged version is old (version 7.6). At the time of writing, the current release of **rpki-client** is version 8.7. | **rpki-client** has now been packaged and is available as part of the Ubuntu 22.04 distribution. However, the packaged version is old (version 7.6). At the time of writing, the current release of **rpki-client** is version 8.7. | ||
Line 286: | Line 285: | ||
StayRTR is a hard fork of [[rpki# | StayRTR is a hard fork of [[rpki# | ||
- | StayRTR has now been packaged and is available as part of the Ubuntu 22.04 distribution. However, the packaged version is old (version 0.3.0). At the time of writing, the current release of StayRTR is version 0.5.1(31). I'm not going to upgrade a production system to interim Ubuntu releases just to get a slightly newer (and still out of date) version of StayRTR. | + | StayRTR has now been packaged and is available as part of the Ubuntu 22.04 distribution. However, the packaged version is old (version 0.3.0). At the time of writing, the current release of StayRTR is version 0.5.1(47). I'm not going to upgrade a production system to interim Ubuntu releases just to get a slightly newer (and still out of date) version of StayRTR. |
So for this reason, and to stay up to date, at least on Ubuntu, we have to build it ourselves. A pity that the **StayRTR** maintainers don't build their own deb package, or pre-build packages like NLnetLabs do with Routinator. | So for this reason, and to stay up to date, at least on Ubuntu, we have to build it ourselves. A pity that the **StayRTR** maintainers don't build their own deb package, or pre-build packages like NLnetLabs do with Routinator. | ||
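Review bot: the only change in the Line 286 hunk is the StayRTR version string going from `0.5.1(31)` to `0.5.1(47)`, and the parenthesised number is never explained. If it is a count of commits since the 0.5.1 tag, say so in the sentence (for example "version 0.5.1 plus 47 commits") or quote the exact string the tool reports, so a reader comparing their own build can tell which is newer; as written, the "still out of date" remark that follows gives them nothing concrete to check against, and the number will keep drifting on every edit.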
Line 441: | Line 440: | ||
And that's it. Enjoy your new StayRTR installation. | And that's it. Enjoy your new StayRTR installation. | ||
- | ===== GoRTR ===== | ||
- | |||
- | I've included GoRTR here though it is no longer maintained by Cloudflare as the maintainer has moved on to pastures new. All development work is now being carried out on [[rpki# | ||
- | |||
- | I'll be very clear - **please don't use GoRTR**. I still run it for interest sake. For production, [[rpki# | ||
- | |||
- | As with StayRTR, you need a working Go environment. Please consult the [[rpki# | ||
- | |||
- | |||
- | ==== Installing GoRTR ==== | ||
- | |||
- | Easiest way to do this is to build from the [[https:// | ||
- | |||
- | **Note1**: You could download and use the provided [[https:// | ||
- | |||
- | **Note2**: You could even download the [[https:// | ||
- | |||
- | But we will focus on building from the source. | ||
- | < | ||
- | git clone https:// | ||
- | cd gortr | ||
- | make build-gortr build-rtrmon build-rtrdump | ||
- | </ | ||
- | which builds **gortr** as well as **rtrmon** and **rtrdump** (the latter used for testing purposes). | ||
- | |||
- | Copy the resulting binaries to **/ | ||
- | < | ||
- | cd dist | ||
- | sudo cp -p gortr-v0.14.8-5-g9f01dca-linux-x86_64 / | ||
- | sudo cp -p rtrdump-v0.14.8-5-g9f01dca-linux-x86_64 / | ||
- | sudo cp -p rtrmon-v0.14.8-5-g9f01dca-linux-x86_64 / | ||
- | </ | ||
- | |||
- | GoRTR has lots of options, but the ones we need are these: | ||
- | < | ||
- | -bind string | ||
- | Bind address (default ": | ||
- | | ||
- | URL of the cached JSON data (default " | ||
- | | ||
- | Check if file is still valid (default true) | ||
- | | ||
- | Check signature using provided public key (disable by passing -verify=false) | ||
- | </ | ||
- | We don't need to use the Cloudflare JSON source, given we have our own from the newly created RPKI-client. RPKI-client doesn' | ||
- | |||
- | We run GoRTR like this: | ||
- | < | ||
- | / | ||
- | </ | ||
- | which will at least let us test that it works. Run it and see what happens - you should see output at the command line looking like this: | ||
- | < | ||
- | INFO[0001] New update (304138 uniques, 304138 total prefixes). 0 bytes. Updating sha256 hash -> 0592ddc6e9a82666f8ddc5eda8cad76cb61f22640f17199b1bff06b5928b9718 | ||
- | INFO[0002] Updated added, new serial 0 | ||
- | INFO[0002] GoRTR Server started (sessionID: | ||
- | </ | ||
- | And if you check the ports that are listening (**ss -an**) you will see: | ||
- | < | ||
- | tcp LISTEN | ||
- | tcp LISTEN | ||
- | </ | ||
- | Port 3323 is the listening port for Router connections. And Port 8080 is the metrics port, for monitoring systems to connect to. | ||
- | |||
- | But perhaps this isn't good for long term operations as you'd prefer to have this start running automatically when the system starts. And for that we'd need to set up a suitable **systemd** entry. | ||
- | |||
- | First off, let's create a user for GoRTR (it does not have to run as root): | ||
- | < | ||
- | sudo groupadd _gortr | ||
- | sudo useradd –g _gortr –s / | ||
- | </ | ||
- | Next we create a file **/ | ||
- | < | ||
- | # Settings for GoRTR. Consult https:// | ||
- | # more discussion and other available options | ||
- | |||
- | GORTR_ARGS=-bind :3323 -verify=false -cache / | ||
- | # | ||
- | </ | ||
- | Then we go to the **/ | ||
- | < | ||
- | [Unit] | ||
- | Description=GoRTR RPKI to Router Server | ||
- | Documentation=https:// | ||
- | After=network.target | ||
- | |||
- | [Service] | ||
- | EnvironmentFile=/ | ||
- | ExecStart=/ | ||
- | Type=exec | ||
- | User=_gortr | ||
- | Group=_gortr | ||
- | AmbientCapabilities=CAP_NET_BIND_SERVICE | ||
- | CapabilityBoundingSet=CAP_NET_BIND_SERVICE | ||
- | |||
- | [Install] | ||
- | WantedBy=multi-user.target | ||
- | </ | ||
- | We then need to enable it: | ||
- | < | ||
- | sudo systemctl enable gortr | ||
- | </ | ||
- | which then displays: | ||
- | < | ||
- | Created symlink / | ||
- | </ | ||
- | and then we can run GoRTR, like this: | ||
- | < | ||
- | sudo systemctl start gortr | ||
- | </ | ||
- | Once it is running, check that it is working by running: | ||
- | < | ||
- | sudo systemctl status gortr | ||
- | </ | ||
- | and you should see something like this: | ||
- | < | ||
- | * gortr.service - GoRTR RPKI to Router Server | ||
- | | ||
- | Drop-In: / | ||
- | | ||
- | | ||
- | Docs: https:// | ||
- | Main PID: 170962 (gortr) | ||
- | Tasks: 14 (limit: 38463) | ||
- | | ||
- | | ||
- | | ||
- | |||
- | Dec 27 13:14:43 gortr gortr[170962]: | ||
- | Dec 27 13:24:46 gortr gortr[170962]: | ||
- | Dec 27 13:24:50 gortr gortr[170962]: | ||
- | </ | ||
- | and you can also run the more traditional **ps ax** to see something like: | ||
- | < | ||
- | | ||
- | </ | ||
- | |||
- | And that's it. Enjoy your new GoRTR installation. | ||
===== Cisco IOS-XE Hints ===== | ===== Cisco IOS-XE Hints ===== |
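Review bot: deleting the whole GoRTR section in the Line 441 hunk leaves in-page links to check and drops the only worked example on this diff of running the RTR daemon as a dedicated unprivileged user. The StayRTR intro in the Line 286 hunk still reads "a hard fork of [[rpki#" with the target cut off in this view; if that anchor was the removed GoRTR heading (the Line 13 hunk also drops its table-of-contents entry), the link now dangles and should be retargeted or turned into plain text. The removed unit file's `User=_gortr` / `Group=_gortr` together with `AmbientCapabilities=CAP_NET_BIND_SERVICE` and `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` were a sound least-privilege setup for a network-facing service, and the removed run line's `-verify=false` was justified by the surrounding text only because the cache JSON comes from the local rpki-client rather than a remote source; confirm that the StayRTR section, which this hunk's context ends with ("Enjoy your new StayRTR installation"), carries the equivalent non-root service setup and states the same reason if it disables signature verification, since that explanation leaves the page with this deletion.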
hints/rpki.txt · Last modified: 2024/03/20 22:24 by philip