a5136b7b634b9cdc16dc51b47ecf70eb3889d205
ROA-slash-RPKI.md
| ... | ... | @@ -0,0 +1,62 @@ |
| 1 | +[[_TOC_]] |
|
| 2 | + |
|
| 3 | + |
|
| 4 | +## What is ROA? |
|
| 5 | + |
|
| 6 | +A Route Origination Authorization details which AS is authorised to advertise which originating IP prefixes. A ROA may also include prefix length information. |
|
| 7 | + |
|
| 8 | +## What is RPKI? |
|
| 9 | + |
|
| 10 | +Resource Public Key Infrastructure is basically a framework for securing the routing infrastructure. |
|
| 11 | +It provides a way to connect number resource information to a trust anchor. |
|
| 12 | + |
|
| 13 | +## What is RTR? |
|
| 14 | + |
|
| 15 | +The Resource Public Key Infrastructure (RPKI) to Router Protocol provides a way for a router to access RPKI validation information. |
|
| 16 | +It provides the router with validity information regarding prefix origination: |
|
| 17 | + |
|
| 18 | +* VALID |
|
| 19 | + The route announcement is covered by a ROA and the announcing AS is validated |
|
| 20 | +* INVALID |
|
| 21 | + The route announcement is covered by a ROA and the announcing AS is invalid (possibly hijacking) |
|
| 22 | +* UNKNOWN |
|
| 23 | + There exists no ROA for the route announcement |
|
| 24 | + |
|
| 25 | +## How can I implement ROA on dn42? |
|
| 26 | + |
|
| 27 | +On dn42 we generate ROA information from the dn42 registry. |
|
| 28 | +ROA json/bird files can be generated using [dn42regsrv](https://git.dn42.us/burble/dn42regsrv). |
|
| 29 | +It is also possible to integrate this with a RTR cache server such as [gortr](https://github.com/cloudflare/gortr). |
|
| 30 | + |
|
| 31 | +### dn42regsrv |
|
| 32 | + |
|
| 33 | +You can find a hosted example of dn42regsrv at https://explorer.burble.com/ |
|
| 34 | + |
|
| 35 | +Instructions on how to host dn42regsrv yourself can be found on the git repo of [dn42regsrv](https://git.dn42.us/burble/dn42regsrv). |
|
| 36 | + |
|
| 37 | +You can also run dn42regsrv via docker (then available at 127.0.0.1:8042): |
|
| 38 | + |
|
| 39 | + git checkout https://git.dn42.us/burble/dn42regsrv.git . |
|
| 40 | + cd contrib/docker |
|
| 41 | + docker-compose build |
|
| 42 | + docker-compose up -d |
|
| 43 | + |
|
| 44 | +Documentation for the api endpoints can be found here: https://git.dn42.us/burble/dn42regsrv/src/master/API.md |
|
| 45 | + |
|
| 46 | +### gortr |
|
| 47 | + |
|
| 48 | +burble kindly provides ready-to-use files for gortr here: |
|
| 49 | + |
|
| 50 | +https://dn42.burble.com/roa/dn42_roa_46.json |
|
| 51 | + |
|
| 52 | +You can use these to simply run gortr via docker: |
|
| 53 | + |
|
| 54 | + docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082 |
|
| 55 | + |
|
| 56 | +### This is all to complicated, is there an easy all-in-one package for RTR? |
|
| 57 | + |
|
| 58 | +TODO: Publish docker-compose-yml to git for gortr+dn42regsrv |
|
| 59 | + |
|
| 60 | +### How do I integrate RTR with my BGP implementation |
|
| 61 | + |
|
| 62 | +You have to consult the documentation of your implementation for that. We will provide configuration examples on the specific pages. |
|
| ... | ... | \ No newline at end of file |
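Review bot: the docker instructions at new line 39 use `git checkout https://git.dn42.us/burble/dn42regsrv.git .`, but `git checkout` does not fetch a remote repository, so the following `cd contrib/docker` will fail on a fresh machine. This should be `git clone https://git.dn42.us/burble/dn42regsrv.git .`. At line 54 the gortr command passes `-verify=false -checktime=false` with no explanation. Please add a sentence saying what these switch off and that the RTR cache then serves whatever the JSON URL returns, so readers know the HTTPS fetch from dn42.burble.com is the only integrity check in that setup. In the RTR section, the INVALID entry at line 21 only covers a mismatched origin AS, although line 6 says a ROA may carry prefix length information; it is worth noting that an announcement more specific than the ROA allows is also invalid. Small wording fix at line 56: "to complicated" should be "too complicated".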