Juniper BGP RPKI Validation
Deploy RPKI Server
Create two VMs with Ubuntu 22.04 LTS and install OctoRPKI and GoRTR.
Resources:
- CPU: 4
- RAM: 8GB
- Disk: 32GB
OctoRPKI
wget https://github.com/cloudflare/cfrpki/releases/download/v1.5.10/octorpki_1.5.10_amd64.deb
dpkg -i octorpki_1.5.10_amd64.deb
mkdir /usr/share/octorpki/cache
chown -R octorpki:octorpki /usr/share/octorpki/cache
systemctl enable octorpki.service
systemctl restart octorpki.service
Then wait around 5-10 minutes for it to download all the RPKI data.
GoRTR
wget https://github.com/cloudflare/gortr/releases/download/v0.14.8/gortr_0.14.8_amd64.deb
dpkg -i gortr_0.14.8_amd64.deb
Change the config file /etc/default/gortr:
GORTR_ARGS='-cache http://localhost:8081/output.json'
systemctl enable gortr.service
systemctl restart gortr.service
Then open port 8282/tcp in the firewall.
Configure RPKI Server in Juniper
vitalvas@mx204-city17# show routing-options validation
group local-rpki {
    session <vm1 ip address> {
        port 8282;
        local-address <my local ip address>;
    }
    session <vm2 ip address> {
        port 8282;
        local-address <my local ip address>;
    }
}
Show the connection status:
show validation session
show validation statistics
Create a set of communities to tag routes based on RPKI validation state.
set policy-options community origin-validation-state-invalid members 0x4300:2
set policy-options community origin-validation-state-unknown members 0x4300:1
set policy-options community origin-validation-state-valid members 0x4300:0
Create a policy statement to tag routes based on RPKI validation state.
vitalvas@mx204-city17# show policy-options policy-statement rpki-validate
term valid {
    from {
        protocol bgp;
        validation-database valid;
    }
    then {
        validation-state valid;
        community add origin-validation-state-valid;
        next term;
    }
}
term unknown {
    from {
        protocol bgp;
        validation-database unknown;
    }
    then {
        validation-state unknown;
        community add origin-validation-state-unknown;
        next term;
    }
}
term invalid {
    from {
        protocol bgp;
        validation-database invalid;
    }
    then {
        validation-state invalid;
        community add origin-validation-state-invalid;
        next term;
    }
}
Configure BGP to use RPKI validation
vitalvas@mx204-city17# show policy-options policy-statement peer-<peer name>-import
term rpki-invalid {
    from {
        protocol bgp;
        community origin-validation-state-invalid;
    }
    then reject;
}
term any-v4 {
    from {
        protocol bgp;
        route-filter 0.0.0.0/0 prefix-length-range /8-/24;
    }
    then {
        local-preference 150;
        accept;
    }
}
term any-v6 {
    from {
        protocol bgp;
        route-filter ::/0 prefix-length-range /3-/48;
    }
    then {
        local-preference 150;
        accept;
    }
}
vitalvas@mx204-city17# show protocols bgp group peer-<peer name>
type external;
import [ bogon-nets bogon-asns rpki-validate peer-<peer name>-import reject ];
export [ peer-<peer name>-export reject ];
peer-as <peer asn>;
neighbor <peer address> {
    local-address <local address>;
    family inet {
        unicast;
    }
}
neighbor <peer address> {
    local-address <local address>;
    family inet6 {
        unicast;
    }
}
Show RPKI validation state
Show valid routes:
show route validation-state valid
Show invalid routes. These routes are rejected from the routing table and hidden:
show route validation-state invalid hidden
Test using Cloudflare's public RPKI server
vitalvas@mx204-city17# show routing-options validation
/* rtr.rpki.cloudflare.com */
group cloudflare {
    session 172.65.0.2 {
        port 8282;
        local-address <my local ipv4 address>;
    }
    session 2606:4700:60::2 {
        port 8282;
        local-address <my local ipv6 address>;
    }
}
Whitelist specific prefixes
vitalvas@mx204-city17# show | compare
[edit routing-options validation]
+ static {
+ record 1.1.1.0/24 {
+ maximum-length 32 {
+ origin-autonomous-system 65500 {
+ validation-state valid;
+ }
+ }
+ }
+ }
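As an added example (not part of the original page), the following Python models what the rpki-validate policy and the static whitelist above do together: it reads ROAs in the JSON layout OctoRPKI writes to output.json (the file GoRTR is pointed at above), computes the RFC 6811 origin validation state of a route, maps it to the 0x4300:x communities defined above, and lets a local static record override the published data. The ROA entries are constructed sample data using documentation prefixes and ASNs.

```python
import ipaddress
import json

# Constructed sample in the JSON layout OctoRPKI writes to output.json and
# GoRTR reads via "-cache" (a "roas" list; "asn" may be "AS64496" or 64496).
SAMPLE_OUTPUT_JSON = json.dumps({
    "metadata": {"counts": 2},
    "roas": [
        {"prefix": "192.0.2.0/24", "maxLength": 24, "asn": "AS64496", "ta": "example"},
        {"prefix": "2001:db8::/32", "maxLength": 48, "asn": 64496, "ta": "example"},
    ],
})

# Community values from the page's policy-options configuration.
STATE_COMMUNITY = {"valid": "0x4300:0", "unknown": "0x4300:1", "invalid": "0x4300:2"}


def load_vrps(output_json):
    """Parse the ROA list into (network, max_length, origin_asn) tuples (VRPs)."""
    vrps = []
    for roa in json.loads(output_json)["roas"]:
        asn = roa["asn"]
        asn = int(asn[2:]) if isinstance(asn, str) else int(asn)
        vrps.append((ipaddress.ip_network(roa["prefix"]), int(roa["maxLength"]), asn))
    return vrps


def static_record(prefix, max_length, origin_asn):
    """Local VRP equivalent to 'routing-options validation static record'."""
    return (ipaddress.ip_network(prefix), max_length, origin_asn)


def validation_state(prefix, origin_asn, vrps):
    """RFC 6811 route origin validation: returns valid, invalid or unknown."""
    route = ipaddress.ip_network(prefix)
    covering = [v for v in vrps
                if v[0].version == route.version and route.subnet_of(v[0])]
    if not covering:
        return "unknown"  # no VRP covers this prefix at all
    for _net, max_len, asn in covering:
        if asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    return "invalid"  # covered, but wrong origin AS or more specific than maxLength


def tag_route(prefix, origin_asn, vrps):
    """Return the state and the community the rpki-validate policy would add."""
    state = validation_state(prefix, origin_asn, vrps)
    return state, STATE_COMMUNITY[state]
```

With the static record for 1.1.1.0/24 present, every route in that range up to /32 from AS 65500 comes back valid regardless of the published ROAs, which is why such local entries need a documented reason and periodic review.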