RPKI OV implementation in route-map
- Subject: RPKI OV implementation in route-map
- From: job at instituut.net (Job Snijders)
- Date: Wed, 1 Apr 2020 20:52:46 +0000
Dear Mark, group,
On Tue, Mar 31, 2020 at 03:50:23PM +0200, Mark Tinka wrote:
> On 31/Mar/20 15:21, Dorian Kim wrote:
> > Unfortunately we don't have any testing done or experience with RPKI
> > on XE or Classic boxes as we don't have any deployed outside of OOB
> > infrastructure.
>
> Cherish your blessings, and for the time being, keep them that way :-).
Since it was a quiet day in early April, Ben and I whipped up something
to generate config in industry standard format to mimic the RFC 6811
RPKI based BGP Origin Validation procedure. It uses the 'route-map'
configuration construct found in some older BGP implementations.
https://github.com/job/rpki-ov-route-map
We didn't test this in production, but I reckon you can upload the
generated output into the router's 'running-config' using an hourly
crontab, TFTP, RANCID, and expect(1). Here is an example config to
copy+paste. If we don't hear back from you we'll assume success.
(warning: large text file)
https://raw.githubusercontent.com/job/rpki-ov-route-map/master/example-route-map-configuration.txt
After applying the above you can reference 'rpki-ov' at each of your
EBGP peers as ingress policy: "neighbor x.x.x.x route-map rpki-ov in".
Be careful though, performance may not be as good as a native RPKI OV
implementation!
Cheers,
Job & Ben
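
Added example, not part of the original post and not code from the rpki-ov-route-map repository: a sketch of the RFC 6811 origin validation classification that the generated route-map is meant to mimic. The names `SAMPLE_VRPS`, `load_vrps` and `validate` are hypothetical, and the VRPs are constructed from documentation prefixes and ASNs.

```python
import ipaddress

# Constructed sample VRPs (prefix, max length, origin ASN) using
# documentation prefixes and ASNs; this is not real RPKI data.
SAMPLE_VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("203.0.113.0/24", 26, 64497),
    ("198.51.100.0/24", 24, 0),   # AS0 VRP: covers routes, never matches
    ("2001:db8::/32", 48, 64498),
]


def load_vrps(rows):
    """Parse (prefix, maxlen, asn) rows into network objects."""
    return [(ipaddress.ip_network(p), maxlen, asn) for p, maxlen, asn in rows]


def validate(route_prefix, origin_asn, vrps):
    """Classify a route as 'valid', 'invalid' or 'not-found' (RFC 6811).

    origin_asn is None when the AS_PATH ends in an AS_SET (origin "NONE").
    """
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp_net, maxlen, vrp_asn in vrps:
        # subnet_of() raises TypeError across address families, so skip those
        if vrp_net.version != route.version:
            continue
        # Covered: the VRP prefix equals or is less specific than the route
        if not route.subnet_of(vrp_net):
            continue
        covered = True
        # Matched: covered, within max length, and same (non-zero) origin AS
        if (route.prefixlen <= maxlen and origin_asn is not None
                and vrp_asn != 0 and origin_asn == vrp_asn):
            return "valid"
    # Covered by at least one VRP but matched by none is invalid;
    # covered by no VRP at all is not-found.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    vrps = load_vrps(SAMPLE_VRPS)
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("203.0.113.64/26", 64497), ("10.0.0.0/8", 64496)]:
        print(prefix, asn, validate(prefix, asn, vrps))
```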