What is RPKI?

The Resource Public Key Infrastructure (RPKI) was developed to improve the security of BGP. For operators, two parts matter: the RPKI-to-Router protocol (RTR, RFC 6810 / RFC 8210), over which a router fetches validated RPKI data from a cache, and Route Origin Validation (ROV, RFC 6811), which checks whether the AS originating a received prefix is actually authorized to announce it.

That a prefix may be originated by a specific AS is declared in a Route Origin Authorization (ROA), described in RFC 6482. ROAs are signed objects whose authenticity rests on the X.509 resource certificate hierarchy of the RPKI. With RPKI, the origin of a route can therefore be cryptographically verified rather than merely trusted, which raises the security of BGP. Note the scope: ROV checks only the origin AS, not the rest of the AS path, so it catches misconfigurations and plain prefix hijacks but not a forged path that ends in the correct origin.
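The states that ROV assigns are defined in RFC 6811: a route is Valid if some VRP (Validated ROA Payload) covers its prefix, permits its length (maxLength) and lists its origin AS; Invalid if VRPs cover the prefix but none matches; and NotFound if no VRP covers it. The following Python implementation of that decision is an added example, not code from Rheintal IX or from any RPKI project; the VRPs and routes are constructed from documentation address space (RFC 5737, RFC 3849) and documentation ASNs (RFC 5398), not real ROAs.

```python
"""Route Origin Validation (RFC 6811) over a set of Validated ROA Payloads.
Added example with constructed data; nothing here is fetched from the RPKI."""
import ipaddress
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class VRP:
    """One Validated ROA Payload: prefix, maxLength and the authorized origin AS."""
    prefix: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    max_length: int
    asn: int


def load_vrps(rows):
    """rows: iterable of (prefix, max_length, asn). Rejects a maxLength that is
    shorter than the prefix itself or longer than the address family allows."""
    vrps = []
    for prefix, max_length, asn in rows:
        net = ipaddress.ip_network(prefix, strict=True)
        if not net.prefixlen <= max_length <= net.max_prefixlen:
            raise ValueError(f"bad maxLength {max_length} for {net}")
        vrps.append(VRP(net, max_length, asn))
    return vrps


def rov_state(route_prefix, origin_asn, vrps):
    """Return 'Valid', 'Invalid' or 'NotFound' for one route, per RFC 6811 section 2."""
    route = ipaddress.ip_network(route_prefix, strict=True)
    covered = False
    for vrp in vrps:
        # A VRP covers the route if the route is the same prefix or a more specific one.
        if vrp.prefix.version != route.version or route.prefixlen < vrp.prefix.prefixlen:
            continue
        if not route.subnet_of(vrp.prefix):
            continue
        covered = True
        # Matched: covered, not more specific than maxLength, and the same origin AS.
        # A VRP for AS 0 (RFC 7607) covers but can never match, so it makes the prefix Invalid.
        if route.prefixlen <= vrp.max_length and vrp.asn == origin_asn:
            return "Valid"
    return "Invalid" if covered else "NotFound"


# Constructed sample VRPs (documentation prefixes and ASNs).
SAMPLE_VRPS = load_vrps([
    ("192.0.2.0/24", 24, 64496),
    ("192.0.2.0/24", 24, 64498),      # second ROA for the same prefix, different AS
    ("198.51.100.0/24", 26, 64497),   # maxLength 26 also permits /25 and /26 announcements
    ("2001:db8::/32", 48, 64496),
    ("203.0.113.0/24", 24, 0),        # AS 0 ROA: nobody may originate this prefix
])

# Constructed sample announcements as (prefix, origin AS).
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64496), ("192.0.2.0/24", 64498), ("192.0.2.0/24", 64511),
    ("192.0.2.128/25", 64496), ("192.0.2.0/23", 64496),
    ("198.51.100.64/26", 64497), ("198.51.100.32/27", 64497),
    ("2001:db8:1::/48", 64496), ("2001:db8:1:2::/64", 64496),
    ("203.0.113.0/24", 64496), ("10.0.0.0/8", 64496),
]


def evaluate(routes=SAMPLE_ROUTES, vrps=SAMPLE_VRPS):
    """Map every (prefix, origin AS) to its ROV state."""
    return {(p, asn): rov_state(p, asn, vrps) for p, asn in routes}


if __name__ == "__main__":
    for (prefix, asn), state in evaluate().items():
        print(f"{prefix:22} AS{asn:<6} {state}")
```

Two things the example makes visible that the prose does not: maxLength is an upper bound, so an announcement more specific than maxLength is Invalid even when it comes from the right origin (192.0.2.128/25 above), and a less specific announcement than any ROA (192.0.2.0/23) is NotFound rather than Invalid, because no VRP covers it.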


RPKI validators at Rheintal IX

Rheintal IX operates redundant RPKI validators at two physically separated locations. They are reachable for our participants in the peering LAN via our Service AS under the following IPv4 and IPv6 addresses:

Host name              Role                  IPv4          IPv6             Port
rpki1.rheintal-ix.net  RPKI cache server #1  46.18.111.17  2a0e:11c0:4::17  rpki-rtr (3323/tcp)
rpki2.rheintal-ix.net  RPKI cache server #2  46.18.111.18  2a0e:11c0:4::18  rpki-rtr (3323/tcp)

The service is provided on a best-effort basis. We therefore recommend that all members run their own RPKI validator (relying-party software) inside their own infrastructure and use our caches only as secondary and tertiary sources. Note also that the RTR session on 3323/tcp is plain TCP, neither authenticated nor encrypted; the RTR specification permits this only where the path between router and cache is trusted, such as a directly connected peering LAN, so do not reach these caches across untrusted networks.
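What a router and one of these caches exchange on port 3323 is the RTR protocol (RFC 8210): the router sends a Reset Query, and the cache answers with a Cache Response, one Prefix PDU per VRP and an End of Data PDU carrying the serial number and the refresh, retry and expire timers. The encoder and decoder below are an added example written for this page, not Rheintal IX software; the session id, serial and VRPs are constructed, and nothing is sent over the network.

```python
"""Minimal RPKI-to-Router (RTR, RFC 8210) exchange: the router's Reset Query and
the cache's reply, encoded and decoded with struct. Constructed data only."""
import ipaddress
import struct

RTR_VERSION = 1  # RFC 8210; RFC 6810 is version 0 and has a 12-byte End of Data

# PDU type codes, RFC 8210 section 5
RESET_QUERY, CACHE_RESPONSE, IPV4_PREFIX, IPV6_PREFIX = 2, 3, 4, 6
END_OF_DATA, CACHE_RESET = 7, 8

HEADER = struct.Struct("!BBHI")      # version, type, session id (or zero), total length
V4_BODY = struct.Struct("!BBBB4sI")  # flags, prefix len, max len, zero, prefix, ASN
V6_BODY = struct.Struct("!BBBB16sI")
EOD_BODY = struct.Struct("!IIII")    # serial, refresh, retry, expire (seconds)


def _pdu(pdu_type, field, body=b""):
    return HEADER.pack(RTR_VERSION, pdu_type, field, HEADER.size + len(body)) + body


def reset_query():
    """Router -> cache: 'send me your complete database'."""
    return _pdu(RESET_QUERY, 0)


def prefix_pdu(prefix, max_length, asn, announce=True):
    """Cache -> router: one VRP. Flag bit 0 set = announce, clear = withdraw."""
    net = ipaddress.ip_network(prefix, strict=True)
    flags = 1 if announce else 0
    if net.version == 4:
        body = V4_BODY.pack(flags, net.prefixlen, max_length, 0, net.network_address.packed, asn)
        return _pdu(IPV4_PREFIX, 0, body)
    body = V6_BODY.pack(flags, net.prefixlen, max_length, 0, net.network_address.packed, asn)
    return _pdu(IPV6_PREFIX, 0, body)


def cache_reply(session_id, serial, vrps, withdrawn=()):
    """Cache -> router: Cache Response, prefix PDUs, End of Data with timers
    (refresh 3600 s, retry 600 s, expire 7200 s; constructed values)."""
    out = _pdu(CACHE_RESPONSE, session_id)
    out += b"".join(prefix_pdu(p, m, a) for p, m, a in vrps)
    out += b"".join(prefix_pdu(p, m, a, announce=False) for p, m, a in withdrawn)
    return out + _pdu(END_OF_DATA, session_id, EOD_BODY.pack(serial, 3600, 600, 7200))


def parse_cache_reply(data):
    """Router side: walk the PDU stream and return (session_id, serial, set of VRPs).
    Every length field is checked against the buffer before it is used, so a
    truncated or malformed stream raises ValueError instead of being mis-parsed."""
    vrps, session_id, off = set(), None, 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError("truncated PDU header")
        version, pdu_type, field, length = HEADER.unpack_from(data, off)
        if version != RTR_VERSION:
            raise ValueError(f"unsupported RTR version {version}")
        if length < HEADER.size or off + length > len(data):
            raise ValueError("PDU length exceeds buffer")
        body = data[off + HEADER.size:off + length]
        if pdu_type == CACHE_RESPONSE:
            session_id = field
        elif pdu_type in (IPV4_PREFIX, IPV6_PREFIX):
            fmt = V4_BODY if pdu_type == IPV4_PREFIX else V6_BODY
            if len(body) != fmt.size:
                raise ValueError("bad prefix PDU length")
            flags, plen, maxlen, _zero, raw, asn = fmt.unpack(body)
            net = ipaddress.ip_network(f"{ipaddress.ip_address(raw)}/{plen}", strict=True)
            vrp = (str(net), maxlen, asn)
            if flags & 1:
                vrps.add(vrp)
            else:
                vrps.discard(vrp)
        elif pdu_type == END_OF_DATA:
            if field != session_id:
                raise ValueError("End of Data session id does not match Cache Response")
            if len(body) != EOD_BODY.size:
                raise ValueError("bad End of Data length")
            serial, _refresh, _retry, _expire = EOD_BODY.unpack(body)
            return session_id, serial, vrps
        elif pdu_type == CACHE_RESET:
            raise ValueError("cache requested a reset; send a new Reset Query")
        else:
            raise ValueError(f"unexpected PDU type {pdu_type}")
        off += length
    raise ValueError("stream ended without End of Data")


def is_malformed(data):
    """True if the decoder rejects the stream (used to exercise the length checks)."""
    try:
        parse_cache_reply(data)
    except ValueError:
        return True
    return False


def example_exchange():
    """Constructed exchange: Reset Query, then a reply with three VRPs, one of
    them withdrawn again in the same response."""
    query = reset_query()
    vrps = [("192.0.2.0/24", 24, 64496), ("2001:db8::/32", 48, 64496),
            ("198.51.100.0/24", 24, 64497)]
    reply = cache_reply(session_id=0x1234, serial=42, vrps=vrps,
                        withdrawn=[("198.51.100.0/24", 24, 64497)])
    return parse_cache_reply(reply) if query else None


if __name__ == "__main__":
    print(example_exchange())
```

The decoder checks each PDU's length field against the remaining buffer and requires End of Data to carry the session id announced in Cache Response; a router that trusts those fields blindly can be pushed into mis-parsing by a misbehaving cache, which is one more reason to prefer a validator you operate yourself over a best-effort one.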


Configuration example

The following is a sample configuration for Route Origin Validation (ROV) using RPKI on Cisco IOS-XE.

Cisco (IOS-XE)

Release IOS XE 3.5.0 / IOS 15.1(3) and above

router bgp (your AS)
 bgp rpki server tcp 46.18.111.17 port 3323 refresh 3600
 bgp rpki server tcp 46.18.111.18 port 3323 refresh 3600
 bgp rpki server tcp 2a0e:11c0:4::17 port 3323 refresh 3600
 bgp rpki server tcp 2a0e:11c0:4::18 port 3323 refresh 3600
 !
 address-family ipv4
  ! Allow invalid routes to be considered for bestpath (monitoring only, see note below)
  bgp bestpath prefix-validate allow-invalid
  ! Enable the Origin Validation (ROV) process
  no bgp bestpath prefix-validate disable
 exit-address-family
 !
 address-family ipv6
  ! Allow invalid routes to be considered for bestpath (monitoring only, see note below)
  bgp bestpath prefix-validate allow-invalid
  ! Enable the Origin Validation (ROV) process
  no bgp bestpath prefix-validate disable
 exit-address-family
!

All four cache entries use 3323/tcp, the port listed in the table above. Note on allow-invalid: with this keyword, routes that ROV classifies as Invalid stay eligible for bestpath selection (the validation state then only acts as a tiebreak, Valid before NotFound before Invalid), so the configuration above observes but does not enforce. To actually reject Invalid routes, leave out allow-invalid, in which case IOS-XE excludes Invalid paths from bestpath selection, or deny them in an inbound route-map using the match rpki invalid clause. Before enforcing, confirm that the RTR sessions are up with show ip bgp rpki servers and inspect the received VRPs with show ip bgp rpki table.

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-3s/irg-xe-3s-book/bgp-origin-as-validation.pdf


Further information

For more information on RPKI and ROV, see the following links:


FAQs, tutorials and documentation on RPKI and ROV:

https://www.ripe.net/manage-ips-and-asns/resource-management/certification/

https://labs.ripe.net/Members/tashi_phuntsho_3/how-to-install-an-rpki-validator

https://www.ripe.net/manage-ips-and-asns/resource-management/certification/router-configuration

https://rpki.readthedocs.io/en/latest/index.html


Presentations on RPKI:

https://applied-privacy.net/files/2019-11-05_ATNOG_Lets_adopt_RPKI.pdf

https://www.rheintal-ix.net/wp-content/uploads/Sicheres-BGP-Routing-mit-RPKI-ROV.pdf


Test and debug tools:

https://rpki.cloudflare.com

https://rpki-validator.ripe.net/

https://rpki-browser2.realmv6.org/

https://sg-pub.ripe.net/jasper/rpki-web-test/

https://isbgpsafeyet.com/

https://rov.rpki.net/