services/RPKI
ROA + RPKI
This page covers guidance and examples on using RPKI and ROA within DN42.
What is ROA?
A Route Origination Authorization details which AS is authorised to advertise which originating IP prefixes. A ROA may also include prefix length information.
What is RPKI?
Resource Public Key Infrastructure is basically a framework for securing the routing infrastructure.
It provides a way to connect number resource information to a trust anchor.
What is RTR?
The Resource Public Key Infrastructure (RPKI) to Router Protocol provides a way for a router to access RPKI validation information.
It provides the router with validity information regarding prefix origination:
- VALID
The route announcement is covered by a ROA and the announcing AS is validated - INVALID
The route announcement is covered by a ROA and the announcing AS is invalid (possibly hijacking) - UNKNOWN
There exists no ROA for the route announcement
How can I implement ROA on dn42?
On dn42 we generate ROA information from the dn42 registry.
Generators:
- Burble's dn42regsrv: < https://git.burble.com/burble.dn42/dn42regsrv>
- bauen1's dn42-roagen: https://gitlab.com/bauen1/dn42-roagen
- Kioubit's registry wizard: https://github.com/Kioubit/dn42_registry_wizard
- chuangzhu's pure bash script: https://paste.sr.ht/~chuang/e98d2fe791de68a6cf5aade7877cd0dbc1cdb84e
It is also possible to integrate the ROA files with a RTR cache server as shown below.
ROA
Using public ROA tables
ROA files generated by dn42regsrv are available from burble.dn42:
| URL | IPv4/IPv6 | Description |
|---|---|---|
| https://dn42.burble.com/roa/dn42_roa_46.json | Both | JSON format for use with RPKI |
| https://dn42.burble.com/roa/dn42_roa_bird1_46.conf | Both | Bird1 format |
| https://dn42.burble.com/roa/dn42_roa_bird1_4.conf | IPv4 Only | Bird1 format |
| https://dn42.burble.com/roa/dn42_roa_bird1_6.conf | IPv6 Only | Bird1 format |
| https://dn42.burble.com/roa/dn42_roa_bird2_46.conf | Both | Bird2 format |
| https://dn42.burble.com/roa/dn42_roa_bird2_4.conf | IPv4 Only | Bird2 format |
| https://dn42.burble.com/roa/dn42_roa_bird2_6.conf | IPv6 Only | Bird2 format |
ROA files generated by roa_wizard are available from kioubit.dn42:
| URL | IPv4/IPv6 | Description |
|---|---|---|
| https://kioubit-roa.dn42.dev/?type=v4 | IPv4 Only | Bird2 format |
| https://kioubit-roa.dn42.dev/?type=v6 | IPv6 Only | Bird2 format |
| https://kioubit-roa.dn42.dev/?type=json | Both | JSON format for use with RPKI |
RPKI
It is recommended to run your own RPKI validator, as this provides you with the most security and control over your routing decisions. However, to get started, or if running your own validator isn’t desirable, a public RPKI RTR server is available. The service supports full RPKI validation for all relevant DN42 and affiliated networks’ prefixes.
Using Public RPKI Services
DN42’s RPKI RTR service endpoints are hosted by multiple operators. By configuring multiple RTR servers in your BGP daemon, you gain additional resiliency and improved validation coverage.
| Server | Port | IPv4/IPv6 |
|---|---|---|
| rpki.akae.re | 8082 | both |
| rpki.dn42.launchpadx.top | 8082 | both |
| rpki.dn42.milu.moe | 8082 | both |
| rpki.dn42.6700.cc | 8282 | both |
| rpki.nia.dn42 | 8082 | both |
| rpki.routedbits.dn42 | 8082 | both |
FlapAlerted RPKI RTR Servers
These services will publish a ROA pointing to AS0 when a prefix flapping. This can be used to prevent flap from spreading further in the network.
| Server | Port | IPv4/IPv6 | FlapAlerted Instance | Provider |
|---|---|---|---|---|
| rpki.dn42.launchpadx.top | 8084 | both | https://flaps.lpnet0.dn42/, https://dn42-flaps.launchpadx.top/ | AS4242423702 |
| rpki.nia.dn42 | 8084 | both | flap.nia.dn42, flap42.strexp.net | AS4242421331 |
| rpki.nia.dn42 | 8083 | both | Multiple Sources (2-Votes Policy) (see flap-data.nia.dn42) | AS4242421331 |
| rpki.dn42.6700.cc | 8280 | both | Flap data source: https://flap42-data.strexp.net | AS4242423088 |
To configure the service, connect your BGP software’s RPKI client to one or more of these RTR servers.
Example Configuration (Bird 2)
protocol rpki roa_dn42_1 {
roa4 { table dn42_roa; };
roa6 { table dn42_roa_v6; };
remote "rpki1.example.com";
port 8082;
refresh 600;
retry 300;
expire 7200;
}
protocol rpki roa_dn42_2 {
roa4 { table dn42_roa; };
roa6 { table dn42_roa_v6; };
remote "rpki2.example.com";
port 8082;
refresh 600;
retry 300;
expire 7200;
}Running Your Own RPKI Server
With Docker
docker run --name dn42rpki -p 8082:8282 --restart=always -d rpki/stayrtr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.jsonWith Docker Compose
services:
stayrtr:
image: rpki/stayrtr:latest
ports:
- "8082:8282"
command: >
-cache https://dn42.burble.com/roa/dn42_roa_46.jsonUsing Kioubit's DN42 Registry Wizard
DN42 Registry Wizard is a comprehensive tool for DN42 registry interactions. Unlike other solutions, it can parse the registry and host an RTR server all-in-one without requiring separate components.
All-in-One RTR Server
# Clone the DN42 registry
git clone https://git.dn42.dev/dn42/registry.git
# Start RTR server directly from registry
./registry_wizard <path to registry> rtr
# Setup a cronjob to continously update the registry and notify registry_wizard
git fetch --all
git reset --hard origin/master
kill -SIGUSR1 "$(pidof 'registry_wizard')"Usage: registry_wizard <registry_root> rtr [OPTIONS]
Options:
-p, --port <port> Port to listen on [default: 9323]
--refresh <refresh> RTR refresh timing [default: 3600]
--expire <expire> RTR expire timing [default: 7200]
--retry <retry> RTR retry timing [default: 600]
-h, --help Print help