Nate Sales

RPKI Validation with BIRD

June 28, 2020

Resource Public Key Infrastructure (RPKI) is the modern solution to BGP security. Or at least in theory. In practice, just like IRR DBs, RPKI is split between RIRs and becomes a headache to deal with. In this post I’ll be going over how to secure your network with RPKI.

RPKI Signing

A block is “signed” when it has an accompanying cryptographic signature containing the authorized ASN and a maximum length. The maximum length is the longest prefix length (that is, the smallest sub-block) that is allowed to be announced on its own instead of only as part of the parent block. This signature is called a ROA (Route Origin Authorization) and is created in the block’s RIR database.

# ROA tables populated by the RTR session below
roa4 table rpki4;
roa6 table rpki6;

# RTR session to a local RPKI validator (port 8282 here; adjust to your validator)
protocol rpki {
  roa4 { table rpki4; };
  roa6 { table rpki6; };

  transport tcp;
  remote "127.0.0.1" port 8282;

  # RTR timers in seconds: reconnect interval, refresh interval, and how long
  # cached ROAs stay usable after the validator becomes unreachable.
  # "keep" tells BIRD not to replace these values with the ones the validator advertises.
  retry keep 90;
  refresh keep 900;
  expire keep 172800;
}

# Returns true when the route's origin AS is rejected by a covering ROA.
# The origin is taken from the last non-aggregated AS in the AS path.
function is_rpki_invalid() {
  if (net.type = NET_IP4) then {
    return roa_check(rpki4, net, bgp_path.last_nonaggregated) = ROA_INVALID;
  }

  if (net.type = NET_IP6) then {
    return roa_check(rpki6, net, bgp_path.last_nonaggregated) = ROA_INVALID;
  }

  # Not an IPv4 or IPv6 route: nothing to validate
  return false;
}

RPKI Validation

RPKI validation is the process of verifying a route’s RPKI status. A route can be either Valid, Invalid, or NotFound. Valid means the route is correctly signed for the announcing ASN, Invalid means the announcing ASN is not the ASN on the ROA (or the announced prefix is more specific than the ROA’s maximum length allows), and NotFound (also known as Unknown or Unsigned) means the route does not have a ROA. RPKI validation takes place on an RPKI validator, which uses the RIRs’ databases to check a route’s RPKI status. The RTR protocol is used to relay the RPKI status to a router.
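To make the three outcomes concrete, here is an added Python model of the origin check that BIRD’s roa_check performs against its ROA table; it is example code written for this post, not BIRD’s implementation, and the ROA table, prefixes and AS numbers are constructed sample values. It also shows the maximum-length rule from the signing section: a more-specific announcement beyond maxLength turns a covered route Invalid.

```python
import ipaddress
from dataclasses import dataclass

# The three RPKI states, named as BIRD's roa_check() reports them.
ROA_VALID, ROA_INVALID, ROA_UNKNOWN = "ROA_VALID", "ROA_INVALID", "ROA_UNKNOWN"


@dataclass(frozen=True)
class ROA:
    prefix: str      # the signed block
    max_length: int  # longest prefix length that may be announced on its own
    asn: int         # authorized origin AS (0 means nobody may originate it)


def validate_origin(roas, route_prefix, origin_asn):
    """Classify an announced prefix + origin AS against a ROA table (RFC 6811).

    A route is VALID if any ROA covers it with the right ASN and a maxLength
    it does not exceed; INVALID if ROAs cover it but none match; UNKNOWN if
    no ROA covers it at all.
    """
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        signed = ipaddress.ip_network(roa.prefix)
        if signed.version != route.version or not route.subnet_of(signed):
            continue  # this ROA says nothing about the route
        covered = True
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return ROA_VALID  # one matching ROA is enough
    return ROA_INVALID if covered else ROA_UNKNOWN


# Constructed sample ROA table (documentation prefixes and private ASNs).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),     # only the /24 itself, from AS64496
    ROA("192.0.2.0/24", 24, 64500),     # a second authorized origin for the same block
    ROA("203.0.113.0/24", 26, 64496),   # may be deaggregated down to /26
    ROA("2001:db8::/32", 48, 64496),    # IPv6, down to /48
    ROA("198.51.100.0/24", 24, 0),      # AS0 ROA: every origin is rejected
]

if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("203.0.113.64/26", 64496), ("203.0.113.64/27", 64496),
                        ("198.51.100.0/24", 64496), ("10.0.0.0/8", 64496)]:
        print(f"{prefix:18} AS{asn}: {validate_origin(SAMPLE_ROAS, prefix, asn)}")
```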

The RFCs

RPKI is defined in RFC 6480 and the RTR protocol in RFC 8210.

Implementation

Both signing and validation are equally important in a network. RPKI doesn’t do any good if the route isn’t signed, and signing doesn’t do any good if nobody is validating it. For IP blocks managed by the RIPE NCC, ROAs can be created through the RPKI Dashboard by clicking “New ROA”. Other RIRs have different processes for creating a ROA, but all 5 RIRs support RPKI and have documentation on their websites about their specific process.