hints:rpki

Differences

hints:rpki [2023/12/28 02:04] – [GoRTR] philip
hints:rpki [2024/03/20 22:24] (current) – [StayRTR] philip
Line 13: Line 13:
   * [[rpki#rpki-client|RPKI-client]] validator   * [[rpki#rpki-client|RPKI-client]] validator
   * [[rpki#stayrtr|StayRTR]]   * [[rpki#stayrtr|StayRTR]]
-  * [[rpki#gortr|GoRTR]] from Cloudflare 
   * [[rpki#cisco_ios-xe_hints|Cisco IOS-XE]]   * [[rpki#cisco_ios-xe_hints|Cisco IOS-XE]]
   * [[rpki#juniper_hints|Juniper]]   * [[rpki#juniper_hints|Juniper]]
Line 32: Line 31:
 ===== NLnetLabs Routinator ===== ===== NLnetLabs Routinator =====
  
-Nothing to say here, the instructions just work, the validator installs sweetly, and just runs. As long as the instructions are followed. The current version of Routinator is 0.13.0, at time of writing.+Nothing to say here, the instructions just work, the validator installs sweetly, and just runs. As long as the instructions are followed. The current version of Routinator is 0.13.2, at time of writing.
  
 If using Debian/Ubuntu as I do, then just use the supplied package and your favourite package manager. Described in NLnetLabs's [[https://github.com/NLnetLabs/routinator#quick-start-with-debian-and-ubuntu-packages| Github]] repo. If using Debian/Ubuntu as I do, then just use the supplied package and your favourite package manager. Described in NLnetLabs's [[https://github.com/NLnetLabs/routinator#quick-start-with-debian-and-ubuntu-packages| Github]] repo.
Line 84: Line 83:
 ===== FORT ===== ===== FORT =====
  
-FORT is the validator developed by NIC Mexico. More about it is on the [[https://fortproject.net/en/validator|Project page]]. At time of writing, version 1.6.1 has been released.+FORT is the validator developed by NIC Mexico. More about it is on the [[https://fortproject.net/en/validator|Project page]]. At time of writing, version 1.6.1 has been released and fixes many issues present in previous versions.
  
-FORT is available as part of Ubuntu 22.04 packaging, but it is an older version (1.5.3), so for this reason we use the NIC Mexico produced package.+FORT is available as part of Ubuntu 22.04 packaging, but it is an older version (1.5.3-1), so for this reason we use the latest NIC Mexico produced package.
  
 FORT is not quite so easy to install, but still relatively simple as long as you follow the instructions on their [[https://nicmx.github.io/FORT-validator/installation.html| Github]] repo closely. FORT is not quite so easy to install, but still relatively simple as long as you follow the instructions on their [[https://nicmx.github.io/FORT-validator/installation.html| Github]] repo closely.
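Review bot: "fixes many issues present in previous versions" on the FORT 1.6.1 line is vague; link the 1.6.1 release notes or name the issues that matter for this setup, so a reader still on the Ubuntu 1.5.3-1 package can judge whether the upgrade is worth the manual install described just below.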
Line 185: Line 184:
 ===== RPKI-client ===== ===== RPKI-client =====
  
-**rpki-client** is just a validator - it does not have the functionality to accept connections from a router. We'll come to that later on (we'll need to use [[rpki#stayrtr|StayRTR]], which is a fork of Cloudflare's now mostly unmaintained [[rpki#gortr|GoRTR]]).+**rpki-client** is just a validator - it does not have the functionality to accept connections from a router. We'll come to that later on (we'll need to use [[rpki#stayrtr|StayRTR]], which is a fork of Cloudflare's now unmaintained GoRTR).
  
 **rpki-client** has now been packaged and is available as part of the Ubuntu 22.04 distribution. However, the packaged version is old (version 7.6). At the time of writing, the current release of **rpki-client** is version 8.7. **rpki-client** has now been packaged and is available as part of the Ubuntu 22.04 distribution. However, the packaged version is old (version 7.6). At the time of writing, the current release of **rpki-client** is version 8.7.
Line 199: Line 198:
 The other required package noted in the instructions is **tls** from LibreSSL. LibreSSL is a branch of OpenSSL and is used on OpenBSD - not found on Linux, but seems to be appearing in the latest Debian/Ubuntu beta builds. So we need to download the bits we need and install. The **rpki-client** instructions don't say anything about how to do that. The other required package noted in the instructions is **tls** from LibreSSL. LibreSSL is a branch of OpenSSL and is used on OpenBSD - not found on Linux, but seems to be appearing in the latest Debian/Ubuntu beta builds. So we need to download the bits we need and install. The **rpki-client** instructions don't say anything about how to do that.
  
-First we go to [[https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/|https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/]] and select the latest package, which is libressl-3.8.2.tar.gz at time of writing+First we go to [[https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/|https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/]] and select the latest package, which is libressl-3.8.3.tar.gz at time of writing (libressl-3.9.0 is also out now, but I'm staying away from .0 releases)
 <code> <code>
-wget https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.2.tar.gz+wget https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.3.tar.gz
 </code> </code>
 We then unpack it: We then unpack it:
 <code> <code>
-tar zxf libressl-3.8.2.tar.gz+tar zxf libressl-3.8.3.tar.gz
 </code> </code>
 and then build it: and then build it:
 <code> <code>
-cd libressl-3.8.2+cd libressl-3.8.3
 ./configure --enable-libtls-only ./configure --enable-libtls-only
 make make
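Review bot: the wget step fetches libressl-3.8.3.tar.gz and goes straight to tar, ./configure and make with no integrity check, and since libtls is then linked into rpki-client, a tampered tarball would end up inside the validator; add a step that verifies the download against the checksum and signature files published alongside the tarball in that same LibreSSL release directory before unpacking it.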
Line 216: Line 215:
 Note the option to only build **libtls** - we don't need the rest of LibreSSL and it could well interfere with OpenSSL which will already be on the system. Now that **libtls** is built, the **install** action will put the libraries in **/usr/local/lib** like this: Note the option to only build **libtls** - we don't need the rest of LibreSSL and it could well interfere with OpenSSL which will already be on the system. Now that **libtls** is built, the **install** action will put the libraries in **/usr/local/lib** like this:
 <code> <code>
--rw-r--r-- 1 root root 19555936 Nov  9 14:35 libtls.a +-rw-r--r--  1 root root      923 Mar 20 00:02 libtls.la 
--rw-r--r-- 1 root root      923 Nov  9 14:35 libtls.la +lrwxrwxrwx  1 root root       16 Mar 20 00:02 libtls.so -> libtls.so.28.0.0 
-lrwxrwxrwx 1 root root       16 Nov  9 14:35 libtls.so -> libtls.so.28.0.0 +lrwxrwxrwx  1 root root       16 Mar 20 00:02 libtls.so.28 -> libtls.so.28.0.0 
-lrwxrwxrwx 1 root root       16 Nov  9 14:35 libtls.so.28 -> libtls.so.28.0.0 +-rw-r--r--  1 root root  9108376 Mar 20 00:02 libtls.so.28.0.0
--rw-r--r-- 1 root root  9104272 Nov  9 14:35 libtls.so.28.0.0+
 </code> </code>
 Run **sudo ldconfig** so that the system knows about the new libraries. Run **sudo ldconfig** so that the system knows about the new libraries.
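Review bot: the new listing drops the libtls.a entry that the old listing had, while the prose above still says the install action puts "the libraries" in /usr/local/lib; either the static library is genuinely no longer installed with the 3.8.3 build (then say why, for example that static libraries were disabled), or the ls output was cut short, so check the directory and keep the listing consistent with the text.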
Line 285: Line 283:
 ===== StayRTR ===== ===== StayRTR =====
  
-StayRTR is a hard fork of [[rpki#gortr|GoRTR]] (which is no longer maintained by Cloudflare). For this reason, I **strongly** recommend you use StayRTR rather than GoRTR. If you have an existing GoRTR install, simply replace it with StayRTR.+StayRTR is a hard fork of GoRTR (which is no longer maintained by Cloudflare and is badly out of date). For this reason, I **strongly** recommend you use StayRTR rather than GoRTR. If you have an existing GoRTR install, simply replace it with StayRTR.
  
-StayRTR has now been packaged and is available as part of the Ubuntu 22.04 distribution. However, the packaged version is old (version 0.3.0). At the time of writing, the current release of StayRTR is version 0.5.1(31). I'm not going to upgrade a production system to interim Ubuntu releases just to get a slightly newer (and still out of date) version of StayRTR.+StayRTR has now been packaged and is available as part of the Ubuntu 22.04 distribution. However, the packaged version is old (version 0.3.0). At the time of writing, the current release of StayRTR is version 0.5.1(47). I'm not going to upgrade a production system to interim Ubuntu releases just to get a slightly newer (and still out of date) version of StayRTR.
  
 So for this reason, and to stay up to date, at least on Ubuntu, we have to build it ourselves. A pity that the **StayRTR** maintainers don't build their own deb package, or pre-build packages like NLnetLabs do with Routinator. So for this reason, and to stay up to date, at least on Ubuntu, we have to build it ourselves. A pity that the **StayRTR** maintainers don't build their own deb package, or pre-build packages like NLnetLabs do with Routinator.
Line 295: Line 293:
 First you will need a working Go environment. Full instructions are at [[https://go.dev/doc/install|https://go.dev/doc/install]], and I've reproduced the key pieces here to make it easy for installers. First you will need a working Go environment. Full instructions are at [[https://go.dev/doc/install|https://go.dev/doc/install]], and I've reproduced the key pieces here to make it easy for installers.
  
-First off, download the latest Go package (1.21.at time of writing):+First off, download the latest Go package (1.22.at time of writing):
 <code> <code>
-wget https://go.dev/dl/go1.21.4.linux-amd64.tar.gz+wget https://go.dev/dl/go1.22.1.linux-amd64.tar.gz
 </code> </code>
 If you have an existing Go environment, perhaps save it in case something goes wrong with the new version: If you have an existing Go environment, perhaps save it in case something goes wrong with the new version:
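Review bot: the version in "(1.22.at time of writing)" is truncated, a dangling dot with no patch number, and the same defect was already in the old "1.21.at" text; the wget line shows the file actually fetched is go1.22.1, so write "1.22.1 at time of writing".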
Line 307: Line 305:
 cd /usr/local cd /usr/local
 sudo chmod 777 . sudo chmod 777 .
-tar xzf ~/go1.21.4.linux-amd64.tar.gz+tar xzf ~/go1.22.1.linux-amd64.tar.gz
 sudo chmod 755 . sudo chmod 755 .
 </code> </code>
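Review bot: "sudo chmod 777 ." makes /usr/local world-writable for the whole extraction window and leaves the unpacked /usr/local/go tree owned by the invoking user rather than root; the go.dev instructions linked at Line 293 instead extract once with privileges, "sudo tar -C /usr/local -xzf ~/go1.22.1.linux-amd64.tar.gz", which needs no permission changes on /usr/local at all and gives the same result.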
Line 337: Line 335:
 <code> <code>
 cd dist cd dist
-sudo cp -p stayrtr-v0.5.1-31-g03532ba-linux-x86_64 /usr/local/bin/stayrtr +sudo cp -p stayrtr-v0.5.1-47-gfebec67-linux-x86_64 /usr/local/bin/stayrtr 
-sudo cp -p rtrdump-v0.5.1-31-g03532ba-linux-x86_64 /usr/local/bin/rtrdump +sudo cp -p rtrdump-v0.5.1-47-gfebec67-linux-x86_64 /usr/local/bin/rtrdump 
-sudo cp -p rtrmon-v0.5.1-31-g03532ba-linux-x86_64 /usr/local/bin/rtrmon+sudo cp -p rtrmon-v0.5.1-47-gfebec67-linux-x86_64 /usr/local/bin/rtrmon
 </code> </code>
  
Line 442: Line 440:
 And that's it. Enjoy your new StayRTR installation. And that's it. Enjoy your new StayRTR installation.
  
-===== GoRTR ===== 
- 
-I've included GoRTR here though it is no longer maintained by Cloudflare as the maintainer has moved on to pastures new. All development work is now being carried out on [[rpki#stayrtr|StayRTR]] which is a hard fork of GoRTR. The last version of GoRTR was released in April 2023, and is version 0.14.8. 
- 
-I'll be very clear - **please don't use GoRTR**. I still run it for interest sake. For production, [[rpki#stayrtr|StayRTR]] is very actively maintained, and that's what should be used in conjunction with [[https://bgp4all.com/pfs/hints/rpki#rpki-client|rpki-client]]. 
- 
-As with StayRTR, you need a working Go environment. Please consult the [[https://bgp4all.com/pfs/hints/rpki#installing_go|Installing Go]] section for how to do that. 
- 
- 
-==== Installing GoRTR ==== 
- 
-Easiest way to do this is to build from the [[https://github.com/cloudflare/gortr|Github repo]].  
- 
-**Note1**: You could download and use the provided [[https://github.com/cloudflare/gortr/releases|binaries]] if you wish. 
- 
-**Note2**: You could even download the [[https://github.com/cloudflare/gortr/releases/download/v0.14.8/gortr_0.14.8_amd64.deb|Debian]] package if you wish, and install that. It needs the **adduser** package, and a **libc** from 2.4 onwards (most modern Ubuntu releases). Bonus with the .deb package is that it comes with a **systemd** configuration. 
- 
-But we will focus on building from the source. 
-<code> 
-git clone https://github.com/cloudflare/gortr.git 
-cd gortr 
-make build-gortr build-rtrmon build-rtrdump 
-</code> 
-which builds **gortr** as well as **rtrmon** and **rtrdump** (the latter used for testing purposes). 
- 
-Copy the resulting binaries to **/usr/local/bin**: 
-<code> 
-cd dist 
-sudo cp -p gortr-v0.14.8-5-g9f01dca-linux-x86_64 /usr/local/bin/gortr 
-sudo cp -p rtrdump-v0.14.8-5-g9f01dca-linux-x86_64 /usr/local/bin/rtrdump 
-sudo cp -p rtrmon-v0.14.8-5-g9f01dca-linux-x86_64 /usr/local/bin/rtrmon 
-</code> 
- 
-GoRTR has lots of options, but the ones we need are these: 
-<code> 
- -bind string 
-    Bind address (default ":8282") 
- -cache string 
-    URL of the cached JSON data (default "https://rpki.cloudflare.com/rpki.json") 
- -checktime 
-    Check if file is still valid (default true) 
- -verify 
-        Check signature using provided public key (disable by passing -verify=false) 
-</code> 
-We don't need to use the Cloudflare JSON source, given we have our own from the newly created RPKI-client. RPKI-client doesn't insert a timestamp in the way that GoRTR wants, nor is there a signature on it, so we need to disable that too. 
- 
-We run GoRTR like this: 
-<code> 
-/usr/local/bin/gortr -bind :3323 -verify=false -cache /var/db/rpki-client/json -checktime=false 
-</code> 
-which will at least let us test that it works. Run it and see what happens - you should see output at the command line looking like this: 
-<code> 
-INFO[0001] New update (304138 uniques, 304138 total prefixes). 0 bytes. Updating sha256 hash  -> 0592ddc6e9a82666f8ddc5eda8cad76cb61f22640f17199b1bff06b5928b9718 
-INFO[0002] Updated added, new serial 0 
-INFO[0002] GoRTR Server started (sessionID:33094, refresh:3600, retry:600, expire:7200) 
-</code> 
-And if you check the ports that are listening (**ss -an**) you will see: 
-<code> 
-tcp    LISTEN           128          *:3323              *:* 
-tcp    LISTEN           128          *:8080              *:* 
-</code> 
-Port 3323 is the listening port for Router connections. And Port 8080 is the metrics port, for monitoring systems to connect to. 
- 
-But perhaps this isn't good for long term operations as you'd prefer to have this start running automatically when the system starts. And for that we'd need to set up a suitable **systemd** entry.  
- 
-First off, let's create a user for GoRTR (it does not have to run as root): 
-<code> 
-sudo groupadd _gortr 
-sudo useradd –g _gortr –s /sbin/nologin –d /nonexistent –c "GoRTR user" _gortr 
-</code> 
-Next we create a file **/etc/default/gortr** with the following contents: 
-<code> 
-# Settings for GoRTR. Consult https://github.com/cloudflare/gortr for 
-# more discussion and other available options 
- 
-GORTR_ARGS=-bind :3323 -verify=false -cache /var/db/rpki-client/json -checktime=false 
-# 
-</code> 
-Then we go to the **/lib/systemd/system/** folder and create the **systemd** entry - call it **gortr.service**. Here is a simple one that should work: 
-<code> 
-[Unit] 
-Description=GoRTR RPKI to Router Server 
-Documentation=https://github.com/cloudflare/gortr 
-After=network.target 
- 
-[Service] 
-EnvironmentFile=/etc/default/gortr 
-ExecStart=/usr/local/bin/gortr $GORTR_ARGS 
-Type=exec 
-User=_gortr 
-Group=_gortr 
-AmbientCapabilities=CAP_NET_BIND_SERVICE 
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE 
- 
-[Install] 
-WantedBy=multi-user.target 
-</code> 
-We then need to enable it: 
-<code> 
-sudo systemctl enable gortr 
-</code> 
-which then displays: 
-<code> 
-Created symlink /etc/systemd/system/multi-user.target.wants/gortr.service → /lib/systemd/system/gortr.service. 
-</code> 
-and then we can run GoRTR, like this: 
-<code> 
-sudo systemctl start gortr 
-</code> 
-Once it is running, check that it is working by running: 
-<code> 
-sudo systemctl status gortr 
-</code> 
-and you should see something like this: 
-<code> 
-* gortr.service - GoRTR RPKI to Router Server 
-     Loaded: loaded (/lib/systemd/system/gortr.service; enabled; vendor preset: enabled) 
-    Drop-In: /run/systemd/system/service.d 
-             └─zzz-lxc-service.conf 
-     Active: active (running) since Wed 2023-07-19 07:00:18 UTC; 5 months 9 days ago 
-       Docs: https://github.com/cloudflare/gortr 
-   Main PID: 170962 (gortr) 
-      Tasks: 14 (limit: 38463) 
-     Memory: 314.5M 
-     CGroup: /system.slice/gortr.service 
-             └─170962 /usr/local/bin/gortr -bind :3323 -verify=false -cache /var/db/rpki-client/json -checktime=false 
- 
-Dec 27 13:14:43 gortr gortr[170962]: time="2023-12-27T13:14:43Z" level=info msg="File /var/db/rpki-client/json is identical to the previous ve> 
-Dec 27 13:24:46 gortr gortr[170962]: time="2023-12-27T13:24:46Z" level=info msg="New update (621269 uniques, 621269 total prefixes). 0 bytes. > 
-Dec 27 13:24:50 gortr gortr[170962]: time="2023-12-27T13:24:50Z" level=info msg="Updated added, new serial 3871" 
-</code> 
-and you can also run the more traditional **ps ax** to see something like: 
-<code> 
- 170962 ?        Ssl  985:57 /usr/local/bin/gortr -bind :3323 -verify=false -cache /var/db/rpki-client/json -checktime=false 
-</code> 
- 
-And that's it. Enjoy your new GoRTR installation. 
  
 ===== Cisco IOS-XE Hints ===== ===== Cisco IOS-XE Hints =====
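Review bot: with the whole GoRTR section deleted, the StayRTR text at Line 285 still tells readers with "an existing GoRTR install" to replace it, but the page no longer says what that install consisted of (the gortr binary in /usr/local/bin, the gortr.service unit, /etc/default/gortr and the _gortr user were all only described in the removed lines); keep a short migration note listing what to stop, disable and remove, and check that no [[rpki#gortr|...]] link survives outside the hunks shown here, since the rpki#gortr anchor no longer exists on the page.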
Line 759: Line 620:
 ===== BIRD Hints ===== ===== BIRD Hints =====
  
-This section shows the basic configuration needed to get route origin validation up and running on a [[https://bird.network.cz/|BIRD]] platform. This will be of most interest to IXPs, as BIRD is the mostly widely used Route Server implementation today. The configuration here is for BIRDv2 (2.13.1 at time of writing).+This section shows the basic configuration needed to get route origin validation up and running on a [[https://bird.network.cz/|BIRD]] platform. This will be of most interest to IXPs, as BIRD is the mostly widely used Route Server implementation today. The configuration here is for BIRDv2 (2.14 at time of writing).
  
 ==== Configuration with Validator ==== ==== Configuration with Validator ====
hints/rpki.1703689488.txt.gz · Last modified: 2023/12/28 02:04 by philip