What’s RPKI?
Although it sounds complicated, Resource Public Key Infrastructure (RPKI) is just a way to secure the internet against IPv4/v6 prefix hijacks and leaks. To achieve that, RPKI serves your router trusted information so it can check whether eBGP-learned prefixes originate from where they are allowed to (the first AS in the path, i.e. the origin) and in the format they are allowed to (subnet mask or subnet mask range). It was first described in RFC 6480.
An ROA (Route Origin Authorization) is kind of a signed IRR and basically has the following structure:
ASN | IPv4/v6 Prefix | Mask | (Optional) Max. Mask | signature
These are usually stored on specific servers managed by your responsible IRR org.
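The origin and mask check described above, as an added example that is not part of the original post: it classifies an announcement against a list of already-verified ROA entries using the three states from RFC 6811 (valid, invalid, not-found), which goes slightly beyond the text. The prefixes and ASNs are constructed documentation values, and signature verification is assumed to have been done by the validator.

```python
import ipaddress

# Constructed sample of verified ROA entries: (origin ASN, prefix, max. mask).
# Documentation prefixes and reserved ASNs; None means "no max. mask given",
# in which case only the exact mask of the ROA prefix is allowed.
VRPS = [
    (64500, "192.0.2.0/24", None),
    (64501, "2001:db8::/32", 48),
    (64502, "203.0.113.0/24", 25),
]


def validate(prefix, as_path, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for one eBGP announcement."""
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # the origin AS is the rightmost ASN in AS_PATH
    covered = False
    for asn, roa_prefix, max_len in vrps:
        roa = ipaddress.ip_network(roa_prefix)
        # A ROA only speaks about routes inside its own prefix.
        if roa.version != route.version or not route.subnet_of(roa):
            continue
        covered = True
        if max_len is None:
            max_len = roa.prefixlen
        # AS 0 in a ROA can never match: it marks a prefix as "do not route".
        if asn == origin and asn != 0 and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched by none: wrong origin or mask.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    samples = [
        ("192.0.2.0/24", [64510, 64500]),    # right origin, right mask
        ("192.0.2.0/24", [64510, 64666]),    # wrong origin (hijack pattern)
        ("192.0.2.128/25", [64500]),         # more specific than the ROA allows
        ("2001:db8:1::/48", [64501]),        # inside the max. mask range
        ("198.51.100.0/24", [64500]),        # no ROA covers this prefix
    ]
    for pfx, path in samples:
        print(f"{pfx:20} origin AS{path[-1]:<6} {validate(pfx, path)}")
```

Note that a more-specific announcement from the correct AS is still invalid when it exceeds the max. mask, which is why the optional field should be set no wider than what you actually announce.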
2-way implementation
There are 2 independent aspects when you implement RPKI:
- generate ROAs to protect your prefixes. This is usually done on your RIR’s platform, which acts like a “Certification Authority” for its managed prefixes.
- implement RPKI validation to protect your routing table. Set up your own validator server, which will download and verify the ROAs from the RIRs. An RTR server (RPKI-to-Router protocol) is needed to send the ROA lists to your routers.
You can run RPKI on your routers and take routing decisions based on it without having ROAs. You can also create ROAs for your prefixes without having RPKI implemented in your routing logic or network. Implementing both is best.
While the title may refer to a very simple and quick process to implement RPKI, you might want to plan this carefully and study the impact on your routing. It is best to go through the whole process with a /24 that isn’t used in production.
Here you can see the Cloudflare RPKI diagram neatly describing the whole setup:

Source: https://blog.cloudflare.com/rpki/
Before we start
Well, yes, deploying it could be relatively quick & easy in a small AS, but make sure you take the time to fully understand the implications before taking any steps in production. Read through the tutorial and form your own opinion about how you will benefit from it and what risks it involves for your network.