Philip Smith's Internet Development Site

User Tools

Site Tools

Trace:
hints:rpki

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
hints:rpki [2024/07/31 05:42] – [IOS-XR Configuration with Validator] philiphints:rpki [2025/05/04 23:24] (current) – [Building rpki-client] philip
Line 14: Line 14:
   * [[rpki#stayrtr|StayRTR]]   * [[rpki#stayrtr|StayRTR]]
   * [[rpki#cisco_ios-xe_hints|Cisco IOS-XE]]   * [[rpki#cisco_ios-xe_hints|Cisco IOS-XE]]
 +  * [[rpki#cisco_ios-xr_hints|Cisco IOS-XR]]
   * [[rpki#juniper_hints|Juniper]]   * [[rpki#juniper_hints|Juniper]]
   * [[rpki#bird_hints|BIRD]]   * [[rpki#bird_hints|BIRD]]
   * [[rpki#frrouting_hints|FRR]]   * [[rpki#frrouting_hints|FRR]]
  
-The tips and tricks for the validator builds discussed below all are for Ubuntu 22.04. They should also work just fine on Ubuntu 18.04 (which is supported until April 2023) and on Ubuntu 20.04 (which is supported until April 2025).+The tips and tricks for the validator builds discussed below all are for Ubuntu 24.04. They should also work on Ubuntu 18.04 and Ubuntu 20.04 (neither of which is supported)and Ubuntu 22.04 (which is supported until April 2027). If you are installing a fresh container or VM, please use Ubuntu 24.04 (if you are wedded to the Ubuntu family).
  
 ===== AS0 TALs ===== ===== AS0 TALs =====
Line 31: Line 32:
 ===== NLnetLabs Routinator ===== ===== NLnetLabs Routinator =====
  
-Nothing to say here, the instructions just work, the validator installs sweetly, and just runs. As long as the instructions are followed. The current version of Routinator is 0.14.0, at time of writing.+Nothing to say here, the instructions just work, the validator installs sweetly, and just runs. As long as the instructions are followed. The current version of Routinator is 0.14.2, at time of writing.
  
 If using Debian/Ubuntu as I do, then just use the supplied package and your favourite package manager. Described in NLnetLabs's [[https://github.com/NLnetLabs/routinator#quick-start-with-debian-and-ubuntu-packages| Github]] repo. If using Debian/Ubuntu as I do, then just use the supplied package and your favourite package manager. Described in NLnetLabs's [[https://github.com/NLnetLabs/routinator#quick-start-with-debian-and-ubuntu-packages| Github]] repo.
Line 85: Line 86:
 ===== FORT ===== ===== FORT =====
  
-FORT is the validator developed by NIC Mexico. More about it is on the [[https://fortproject.net/en/validator|Project page]]. At time of writing, version 1.6.has been released and fixes many issues present in previous versions.+FORT is the validator developed by NIC Mexico. More about it is on the [[https://fortproject.net/en/validator|Project page]]. At time of writing, version 1.6.has been released and fixes many issues present in previous versions. However from version 1.6.3, FORT requires Ubuntu 24.04 as it requires libjansson4 (>= 2.14). Ubuntu 22.04 only comes with libjansson4 2.13.1-1.1build3 will only support FORT version 1.6.2.
  
-FORT is available as part of Ubuntu 22.04 packaging, but it is an older version (1.5.3-1), so for this reason we use the latest NIC Mexico produced package.+FORT is available as part of Ubuntu 22.04 packaging, but it is an older version (1.5.3-1). Likewise for Ubuntu 24.04, the FORT shipped is version 1.6.1-1build3. For this reason we use the latest NIC Mexico produced package.
  
 FORT is not quite so easy to install, but still relatively simple as long as you follow the instructions on their [[https://nicmx.github.io/FORT-validator/installation.html| Github]] repo closely. FORT is not quite so easy to install, but still relatively simple as long as you follow the instructions on their [[https://nicmx.github.io/FORT-validator/installation.html| Github]] repo closely.
Line 94: Line 95:
  
 <code> <code>
-wget https://github.com/NICMx/FORT-validator/releases/download/1.6.2/fort_1.6.2-1_amd64.deb+wget https://github.com/NICMx/FORT-validator/releases/download/1.6.6/fort_1.6.6-1_amd64.deb
 </code> </code>
 and then install it: and then install it:
 <code> <code>
-sudo apt install ./fort_1.6.2-1_amd64.deb+sudo apt install ./fort_1.6.6-1_amd64.deb
 </code> </code>
  
Line 150: Line 151:
 and it should run successfully. You should see something like this when you run **systemctl status fort**: and it should run successfully. You should see something like this when you run **systemctl status fort**:
 <code> <code>
-fort.service - FORT RPKI validator +● fort.service - FORT RPKI validator 
-     Loaded: loaded (/lib/systemd/system/fort.service; enabled; vendor preset: enabled) +     Loaded: loaded (/usr/lib/systemd/system/fort.service; enabled; preset: enabled) 
-    Drop-In: /run/systemd/system/service.d +     Active: active (running) since Mon 2024-10-07 22:58:03 AEST29s ago
-             └─zzz-lxc-service.conf +
-     Active: active (running) since Wed 2022-01-26 03:54:05 UTC4s ago+
        Docs: man:fort(8)        Docs: man:fort(8)
              https://nicmx.github.io/FORT-validator/              https://nicmx.github.io/FORT-validator/
-   Main PID: 3100 (fort) +   Main PID: 148150 (fort) 
-      Tasks: 37 (limit: 28794+      Tasks: 27 (limit: 38225
-     Memory: 12.0M+     Memory: 680.6M (peak: 680.7M) 
 +        CPU: 27.801s
      CGroup: /system.slice/fort.service      CGroup: /system.slice/fort.service
-             └─3100 /usr/bin/fort --configuration-file /etc/fort/config.json+             └─148150 /usr/bin/fort --configuration-file /etc/fort/config.json 
 + 
 +Oct 07 22:58:03 fort systemd[1]: Started fort.service - FORT RPKI validator.
 </code> </code>
 You can check by using **ps ax** to get: You can check by using **ps ax** to get:
Line 258: Line 260:
 sudo make install sudo make install
 </code> </code>
-which will install the client in **/usr/local/sbin** and the TALs in **/etc/rpki**, as well as create the cache and output directories needed. Note that the ARIN TAL requires users to read the disclaimer first so is not provided by default. So you need to do this manually: +which will install the client in **/usr/local/sbin** and the TALs in **/etc/rpki**, as well as create the cache and output directories needed. It will also copy the 5 RIR "constraints" files into **/etc/rpki**; these prevent [[https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/|overclaiming of resources]] by the 5 RIRs
-<code> +
-wget https://www.arin.net/resources/manage/rpki/arin.tal +
-sudo mv arin.tal /etc/rpki +
-</code>+
 Now the client can be run. There is no daemon option, it simply runs at the command line, and when it has finished downloading all the VRPs (around 10-15 minutes depending on bandwidth) it exits. But that's okay. Try running the client: Now the client can be run. There is no daemon option, it simply runs at the command line, and when it has finished downloading all the VRPs (around 10-15 minutes depending on bandwidth) it exits. But that's okay. Try running the client:
 <code> <code>
Line 280: Line 279:
 </code> </code>
 and that's it. Every hour, cron will run **rpki-client** which will produce JSON output of all the VRPs it has collected. As noted above, JSON output is what is used by StayRTR and GoRTR as their input sources. Make sure that the **/etc/cron.hourly/rpki-client** is executable, otherwise it will not run. and that's it. Every hour, cron will run **rpki-client** which will produce JSON output of all the VRPs it has collected. As noted above, JSON output is what is used by StayRTR and GoRTR as their input sources. Make sure that the **/etc/cron.hourly/rpki-client** is executable, otherwise it will not run.
 +
 +If you would like to include the [[https://bgp4all.com/pfs/hints/rpki#as0_tals|AS0 TALs]] from APNIC and LACNIC it is not sufficient to just place them in your chosen TAL directory. You will also need to include the **-0** option in the command line, like this:
 +<code>
 +/usr/local/sbin/rpki-client -0j > /tmp/rpki-client.log 2>&1
 +</code>
  
 It's a good idea to check the log file in case **rpki-client** reports issues trying to write local files etc. But mostly what you'll see there are all the transactions with the various CAs, and the problems encountered (there will be lots, unfortunately). It's a good idea to check the log file in case **rpki-client** reports issues trying to write local files etc. But mostly what you'll see there are all the transactions with the various CAs, and the problems encountered (there will be lots, unfortunately).
Line 288: Line 292:
 StayRTR is a hard fork of GoRTR (which is no longer maintained by Cloudflare and is badly out of date). For this reason, I **strongly** recommend you use StayRTR rather than GoRTR. If you have an existing GoRTR install, simply replace it with StayRTR. StayRTR is a hard fork of GoRTR (which is no longer maintained by Cloudflare and is badly out of date). For this reason, I **strongly** recommend you use StayRTR rather than GoRTR. If you have an existing GoRTR install, simply replace it with StayRTR.
  
-StayRTR has now been packaged and is available as part of the Ubuntu 22.04 distribution. However, the packaged version is old (version 0.3.0). At the time of writing, the current release of StayRTR is version 0.5.1(50). I'm not going to upgrade a production system to interim Ubuntu releases just to get a slightly newer (and still out of date) version of StayRTR.+StayRTR has now been packaged and is available as part of the Ubuntu 22.04 distribution (packaged version is 0.3.0) and the Ubuntu 24.04 distribution (packaged version is 0.5.1). At the time of writing, the current release of StayRTR is version 0.6.2, and much prefer to have the latest version of a critical piece of software like a validator.
  
 So for this reason, and to stay up to date, at least on Ubuntu, we have to build it ourselves. A pity that the **StayRTR** maintainers don't build their own deb package, or pre-build packages like NLnetLabs do with Routinator. So for this reason, and to stay up to date, at least on Ubuntu, we have to build it ourselves. A pity that the **StayRTR** maintainers don't build their own deb package, or pre-build packages like NLnetLabs do with Routinator.
Line 296: Line 300:
 First you will need a working Go environment. Full instructions are at [[https://go.dev/doc/install|https://go.dev/doc/install]], and I've reproduced the key pieces here to make it easy for installers. First you will need a working Go environment. Full instructions are at [[https://go.dev/doc/install|https://go.dev/doc/install]], and I've reproduced the key pieces here to make it easy for installers.
  
-First off, download the latest Go package (1.22.at time of writing):+First off, download the latest Go package (1.24.at time of writing):
 <code> <code>
-wget https://go.dev/dl/go1.22.5.linux-amd64.tar.gz+wget https://go.dev/dl/go1.24.1.linux-amd64.tar.gz
 </code> </code>
 If you have an existing Go environment, perhaps save it in case something goes wrong with the new version: If you have an existing Go environment, perhaps save it in case something goes wrong with the new version:
Line 308: Line 312:
 cd /usr/local cd /usr/local
 sudo chmod 777 . sudo chmod 777 .
-tar xzf ~/go1.22.5.linux-amd64.tar.gz+tar xzf ~/go1.24.1.linux-amd64.tar.gz
 sudo chmod 755 . sudo chmod 755 .
 </code> </code>
Line 338: Line 342:
 <code> <code>
 cd dist cd dist
-sudo cp -p stayrtr-v0.5.1-50-gbf5793c-linux-x86_64 /usr/local/bin/stayrtr +sudo cp -p stayrtr-v0.6.2-linux-x86_64 /usr/local/bin/stayrtr 
-sudo cp -p rtrdump-v0.5.1-50-gbf5793c-linux-x86_64 /usr/local/bin/rtrdump +sudo cp -p rtrdump-v0.6.2-linux-x86_64 /usr/local/bin/rtrdump 
-sudo cp -p rtrmon-v0.5.1-50-gbf5793c-linux-x86_64 /usr/local/bin/rtrmon+sudo cp -p rtrmon-v0.6.2-linux-x86_64 /usr/local/bin/rtrmon
 </code> </code>
  
Line 422: Line 426:
 and you should see something like this: and you should see something like this:
 <code> <code>
-stayrtr.service - StayRTR RPKI to Router Server +● stayrtr.service - StayRTR RPKI to Router Server 
-     Loaded: loaded (/lib/systemd/system/stayrtr.service; enabled; vendor preset: ena +     Loaded: loaded (/usr/lib/systemd/system/stayrtr.service; enabled; preset: enabled) 
-     Active: active (running) since Fri 2022-01-28 15:50:27 AEST25s ago +     Active: active (running) since Thu 2024-08-15 16:57:07 +0631s ago 
-       Docs: https://github.com/bgp/stayrtr   Main PID: 17390 (stayrtr) +       Docs: https://github.com/bgp/stayrtr 
-      Tasks: 11 (limit: 4915)     Memory: 241.8M+   Main PID: 44045 (stayrtr) 
 +      Tasks: (limit: 4614) 
 +     Memory: 379.9M (peak: 459.4M) 
 +        CPU: 3.805s
      CGroup: /system.slice/stayrtr.service      CGroup: /system.slice/stayrtr.service
-             └─17390 /usr/local/bin/stayrtr -bind :3323 -cache /var/db/rpki-client/js +             └─44045 /usr/local/bin/stayrtr -bind :3323 -cache /var/db/rpki-client/json 
-Jan 28 15:50:27 stayrtr systemd[1]: Starting StayRTR RPKI to Router Server... + 
-Jan 28 15:50:27 stayrtr systemd[1]: Started StayRTR RPKI to Router Server. +Aug 15 16:57:06 rpki systemd[1]: Starting stayrtr.service - StayRTR RPKI to Router Server... 
-Jan 28 15:50:27 stayrtr stayrtr[17390]: time="2022-01-28T15:50:27+10:00" level=info m +Aug 15 16:57:07 rpki systemd[1]: Started stayrtr.service - StayRTR RPKI to Router Server. 
-Jan 28 15:50:28 stayrtr stayrtr[17390]: time="2022-01-28T15:50:28+10:00" level=info m +Aug 15 16:57:10 rpki stayrtr[44045]: time="2024-08-15T16:57:10+06:00" level=info msg="New update (602077 uniques, 602151 total prefixes, 71 vaps, 3 router> 
-Jan 28 15:50:29 stayrtr stayrtr[17390]: time="2022-01-28T15:50:29+10:00" level=info +Aug 15 16:57:11 rpki stayrtr[44045]: time="2024-08-15T16:57:11+06:00" level=info msg="Update added, new serial 0" 
-Jan 28 15:50:29 stayrtr stayrtr[17390]: time="2022-01-28T15:50:29+10:00" level=info m+Aug 15 16:57:11 rpki stayrtr[44045]: time="2024-08-15T16:57:11+06:00" level=info msg="StayRTR Server started (sessionID:61374, refresh:3600, retry:600, ex>
 </code> </code>
 and you can also run the more traditional **ps ax** to see something like: and you can also run the more traditional **ps ax** to see something like:
 <code> <code>
-17390 ?        Ssl    0:04 /usr/local/bin/stayrtr -bind :3323 -cache /var/db/rpki-client/json+  44045 ?        Ssl    0:03 /usr/local/bin/stayrtr -bind :3323 -cache /var/db/rpki-client/json
 </code> </code>
  
Line 444: Line 451:
  
  
-===== Cisco IOS-XE & XR Hints =====+===== Cisco IOS-XE Hints =====
  
-This section shows the basic configuration needed to get route origin validation up and running on Cisco IOS-XE and IOS-XR platforms.+This section shows the basic configuration needed to get route origin validation up and running on Cisco IOS-XE platforms.
  
-Most commentary is for IOS-XE 16.x and IOS-XR 7.5 onwards. Older versions will also likely work with the following examples, but their RPKI implementation is somewhat old and buggy.+Most commentary is for IOS-XE 16.x. Older versions will also likely work with the following examples, but their RPKI implementation is somewhat old and buggy.
  
 ==== IOS-XE Configuration with Validator ==== ==== IOS-XE Configuration with Validator ====
Line 470: Line 477:
 show ip bgp rpki servers show ip bgp rpki servers
 </code> </code>
 +
 +==== Cisco IOS-XE Caveats ====
 +
 +Cisco IOS-XE has many defaults which are non-standard and will be potentially frustrating for operators:
 +  * Cannot specify a source-interface for the router to validator connection
 +  * Automatically activates route origin validation (can be turned off!)
 +  * Automatically drops invalids (can be turned off!)
 +  * Locally originated prefixes are always marked as valid (cannot be turned off!) - fixed in most recent IOS-XE 17.x releases
 +  * Automatically prefers Valid path over Invalid/NotFound, even if latter has higher local-preference (BGP Best Path Selection over-ride) (cannot be turned off!)
 +  * If validator disappears, router validation database is flushed within a few minutes - fixed in most recent IOS-XE 16.6 releases
 +
 +To turn off the checking of the RPKI validation database (**IOS-XE 15.5 onwards**):
 +<code>
 +router bgp <ASN>
 + address-family ipv4
 +  bgp bestpath prefix-validate disable
 + address-family ipv6
 +  bgp bestpath prefix-validate disable
 +</code>
 +The ROAs are still listed in the RPKI table but the router will not use them. (This should be the default, as per RFC.)
 +
 +To turn off the automatic dropping of invalids:
 +<code>
 +router bgp <ASN>
 + address-family ipv4
 +  bgp bestpath prefix-validate allow-invalid
 + address-family ipv6
 +  bgp bestpath prefix-validate allow-invalid
 +</code>
 +A new set up of RPKI in a Cisco IOS-XE network should start with "monitoring" only. Which is only downloading the validation database, not implementing any checking. So the savvy operator would combine the above like this:
 +<code>
 +router bgp <ASN>
 + address-family ipv4
 +  bgp bestpath prefix-validate disable
 +  bgp bestpath prefix-validate allow-invalid
 + address-family ipv6
 +  bgp bestpath prefix-validate disable
 +  bgp bestpath prefix-validate allow-invalid
 +</code>
 +
 +Once they are ready to implement RPKI, first remove the ''prefix-validate disable'', and monitor. And once ready to do ROV, removing the ''prefix-validate allow-invalid'' would be the last step.
 +
 +The major show-stopper for an IOS-XE based network is the insertion of validation check in the BGP path selection process, over-riding ''local-preference''. There is no way of turning this mis-feature off and it is a fundamental impediment to implementing ROV in a Cisco IOS-XE based network.
 +
 +To propagate the validation state in IBGP, both BGP speakers need:
 +<code>
 +neighbor x.x.x.x announce rpki state
 +</code>
 +Please do **NOT** do this, as there are operational consequences, especially if validators become unreachable (specifically that IOS-XE has added an undocumented feature in the path selection process whereby a prefix marked as //valid// from one IBGP neighbour is preferred over //invalid/////notfound// from another IBGP neighbour regardless of //local-preference// setting).
 +
 +**Summary:** Cisco has tried to make it easy to deploy ROV, but unfortunately this "assistance" ignores standards and best practices. Any implementation must never take control away from the operator about what they can and cannot do, especially if there is no way of turning off mis-features.
 +
 +===== Cisco IOS-XR Hints =====
 +
 +This section shows the basic configuration needed to get route origin validation up and running on Cisco IOS-XR platforms.
 +
 +Most commentary is for IOS-XR 7.5 onwards. Older versions will also likely work with the following examples, but their RPKI implementation is likely to be more buggy.
  
 ==== IOS-XR Configuration with Validator ==== ==== IOS-XR Configuration with Validator ====
Line 529: Line 593:
 </code> </code>
 The sub-options will display all the prefixes fitting into each category. The sub-options will display all the prefixes fitting into each category.
- 
-==== Cisco IOS-XE Caveats ==== 
- 
-Cisco IOS-XE has many defaults which are non-standard and will be potentially frustrating for operators: 
-  * Cannot specify a source-interface for the router to validator connection 
-  * Automatically activates route origin validation (can be turned off!) 
-  * Automatically drops invalids (can be turned off!) 
-  * Locally originated prefixes are always marked as valid (cannot be turned off!) - fixed in most recent IOS-XE 17.x releases 
-  * Automatically prefers Valid path over Invalid/NotFound, even if latter has higher local-preference (BGP Best Path Selection over-ride) (cannot be turned off!) 
-  * If validator disappears, router validation database is flushed within a few minutes - fixed in most recent IOS-XE 16.6 releases 
- 
-To turn off the checking of the RPKI validation database (**IOS-XE 15.5 onwards**): 
-<code> 
-router bgp <ASN> 
- address-family ipv4 
-  bgp bestpath prefix-validate disable 
- address-family ipv6 
-  bgp bestpath prefix-validate disable 
-</code> 
-The ROAs are still listed in the RPKI table but the router will not use them. (This should be the default, as per RFC.) 
- 
-To turn off the automatic dropping of invalids: 
-<code> 
-router bgp <ASN> 
- address-family ipv4 
-  bgp bestpath prefix-validate allow-invalid 
- address-family ipv6 
-  bgp bestpath prefix-validate allow-invalid 
-</code> 
-A new set up of RPKI in a Cisco IOS-XE network should start with "monitoring" only. Which is only downloading the validation database, not implementing any checking. So the savvy operator would combine the above like this: 
-<code> 
-router bgp <ASN> 
- address-family ipv4 
-  bgp bestpath prefix-validate disable 
-  bgp bestpath prefix-validate allow-invalid 
- address-family ipv6 
-  bgp bestpath prefix-validate disable 
-  bgp bestpath prefix-validate allow-invalid 
-</code> 
- 
-Once they are ready to implement RPKI, first remove the ''prefix-validate disable'', and monitor. And once ready to do ROV, removing the ''prefix-validate allow-invalid'' would be the last step. 
- 
-The major show-stopper for an IOS-XE based network is the insertion of validation check in the BGP path selection process, over-riding ''local-preference''. There is no way of turning this mis-feature off and it is a fundamental impediment to implementing ROV in a Cisco IOS-XE based network. 
- 
-To propagate the validation state in IBGP, both BGP speakers need: 
-<code> 
-neighbor x.x.x.x announce rpki state 
-</code> 
-Please do **NOT** do this, as there are operational consequences, especially if validators become unreachable (specifically that IOS-XE has added an undocumented feature in the path selection process whereby a prefix marked as //valid// from one IBGP neighbour is preferred over //invalid/////notfound// from another IBGP neighbour regardless of //local-preference// setting). 
- 
-**Summary:** Cisco has tried to make it easy to deploy ROV, but unfortunately this "assistance" ignores standards and best practices. Any implementation must never take control away from the operator about what they can and cannot do, especially if there is no way of turning off mis-features. 
- 
  
 ===== Juniper Hints ===== ===== Juniper Hints =====
hints/rpki.1722404549.txt.gz · Last modified: by philip