Routinator can run as a service that periodically fetches RPKI data, verifies it and makes the resulting data set available through the built-in HTTP server and via the RTR protocol. You can start the Routinator service using the server subcommand.
In addition to the various VRP output formats, Routinator's HTTP server also provides an API, a user interface and monitoring endpoints. The server is not enabled by default for security reasons, nor does it have a default host or port.
Please note that the HTTP server is intended to run on your internal network and does not offer HTTPS natively. If HTTPS is a requirement, you can, for example, run Routinator behind an NGINX reverse proxy.
In order to start the HTTP server at 192.0.2.13 and 2001:0DB8::13 on port 8323, run:
routinator server --http 192.0.2.13:8323 --http [2001:0DB8::13]:8323
The application will stay attached to your terminal unless you provide the --detach option.
After fetching and verifying all RPKI data, the following paths are available:
/csv
    Returns the current set of VRPs in csv output format.
/csvext
    Returns the current set of VRPs in csvext output format.
/json
    Returns the current set of VRPs in json output format.
/openbgpd
    Returns the current set of VRPs in OpenBGPD output format.
/bird
    Returns the current set of VRPs in bird output format.
/bird2
    Returns the current set of VRPs in bird2 output format.
/rpsl
    Returns the current set of VRPs in RPSL output format.
The service supports GET requests with the following paths:
/metrics
    Returns a set of monitoring metrics in the format used by Prometheus.
/status
    Returns the current status of the Routinator instance. This is similar to the output of the /metrics endpoint but in a more human-friendly format.
/log
    Returns the logging output of the last validation run. The log level matches that set upon start. Note that the output is collected after each validation run and is therefore only available after the initial run has concluded.
/version
    Returns the version of the Routinator instance.
/api/v1/validity/as-number/prefix
    Returns a JSON object describing whether the route announcement given by its origin AS number and address prefix is RPKI valid, invalid, or not found. A complete list of VRPs that caused the result is included.
/validity?asn=as-number&prefix=prefix
    Same as above but with a more form-friendly calling convention.
The VRP output paths accept filter expressions, given as a query string, to limit the VRPs returned. The field filter-asn can be used to filter for ASNs and the field filter-prefix can be used to filter for prefixes. Both fields can be repeated multiple times.
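As an added example (not part of the Routinator documentation or code base), the following Python script shows what the filter fields and the validity endpoint compute: it parses a constructed VRP set in the shape of the /csv output, filters it by ASN or prefix the way repeated filter-asn and filter-prefix fields would, and evaluates a route announcement against it following RFC 6811 route origin validation. The CSV header, the VRPs, the overlap semantics of the prefix filter and all function names are assumptions made for illustration, not Routinator's implementation.

```python
import csv
import io
import ipaddress

# Constructed sample in the shape of Routinator's /csv output; the VRPs are
# made up for this example and are not real RPKI data.
SAMPLE_CSV = """\
ASN,IP Prefix,Max Length,Trust Anchor
AS64496,192.0.2.0/24,24,ripe
AS64496,2001:db8::/32,48,ripe
AS64497,198.51.100.0/22,24,arin
AS0,203.0.113.0/24,24,apnic
"""


def parse_vrps(text):
    """Turn CSV rows into VRP dicts with an integer ASN and an ip_network prefix."""
    vrps = []
    for row in csv.DictReader(io.StringIO(text)):
        asn = row["ASN"].strip()
        vrps.append({
            "asn": int(asn[2:] if asn.upper().startswith("AS") else asn),
            "prefix": ipaddress.ip_network(row["IP Prefix"].strip()),
            "max_length": int(row["Max Length"]),
            "ta": row["Trust Anchor"].strip(),
        })
    return vrps


def filter_vrps(vrps, asns=(), prefixes=()):
    """Client-side equivalent of repeated filter-asn / filter-prefix fields.

    A VRP is kept if its ASN is one of `asns` or its prefix overlaps one of
    `prefixes` (overlap semantics are an assumption for this example).
    With no filters, everything is returned.
    """
    if not asns and not prefixes:
        return list(vrps)
    nets = [ipaddress.ip_network(p) for p in prefixes]
    keep = []
    for v in vrps:
        by_asn = v["asn"] in asns
        by_prefix = any(v["prefix"].version == n.version and v["prefix"].overlaps(n)
                        for n in nets)
        if by_asn or by_prefix:
            keep.append(v)
    return keep


def validate_route(vrps, origin_asn, prefix):
    """RFC 6811 route origin validation of one announcement.

    Returns (state, vrps): state is "valid", "invalid" or "not-found"; the list
    holds the matching VRPs for "valid" and all covering VRPs for "invalid",
    i.e. the VRPs that caused the result.
    """
    net = ipaddress.ip_network(prefix)
    covering = [v for v in vrps
                if v["prefix"].version == net.version and net.subnet_of(v["prefix"])]
    if not covering:
        return "not-found", []
    matched = [v for v in covering
               if v["asn"] == origin_asn and net.prefixlen <= v["max_length"]]
    if matched:
        return "valid", matched
    # Covered, but either a different origin AS (including AS0 "never announce"
    # VRPs) or a more specific prefix than Max Length allows.
    return "invalid", covering


if __name__ == "__main__":
    table = parse_vrps(SAMPLE_CSV)
    for asn, pfx in [(64496, "192.0.2.0/24"), (64496, "192.0.2.0/25"),
                     (64499, "203.0.113.0/24"), (64496, "10.0.0.0/8")]:
        state, cause = validate_route(table, asn, pfx)
        print("AS%d %s -> %s (%d VRPs)" % (asn, pfx, state, len(cause)))
    print("filter-asn=64496 ->", len(filter_vrps(table, asns={64496})), "VRPs")
```

The "invalid" case deliberately covers both reasons a router would reject the announcement: a covering VRP with a different origin AS (which includes AS0 VRPs, whose purpose is to mark a prefix as not to be announced) and an announcement more specific than the VRP's Max Length permits.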
Routinator supports RPKI-RTR as specified in RFC 8210 as well as the older version described in RFC 6810.
When launched as an RTR server, routers with support for route origin validation (ROV) can connect to Routinator to fetch the processed data. This includes hardware routers such as Juniper <https://www.juniper.net/documentation/en_US/junos/topics/topic-map/bgp-origin-as-validation.html>, Cisco <https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-s/irg-15-s-book/irg-origin-as.html> and Nokia <https://infocenter.alcatel-lucent.com/public/7750SR160R4A/index.jsp?topic=%2Fcom.sr.unicast%2Fhtml%2Fbgp.html&cp=22_4_7_2&anchor=d2e5366>, as well as software solutions like BIRD, GoBGP and others.
Like the HTTP server, the RTR server is not started by default, nor does it have a default host or port. Thus, in order to start the RTR server at 192.0.2.13 and 2001:0DB8::13 on port 3323, run Routinator using the server command:
routinator server --rtr 192.0.2.13:3323 --rtr [2001:0DB8::13]:3323
Please note that port 3323 is not the IANA-assigned default port for the protocol, which is 323. Because 323 is a privileged port, you would need to run Routinator as root to bind to it, and there is otherwise no reason to do so. The application will stay attached to your terminal unless you provide the --detach option.
By default, the repository will be updated and verified every 10 minutes. You can change this via the --refresh option, which specifies the interval between verification runs in seconds. That is, if you would rather have Routinator validate every 15 minutes, the above command becomes:
routinator server --rtr 192.0.2.13:3323 --rtr [2001:0DB8::13]:3323 --refresh=900
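The following Python snippet, added here as an example and not taken from Routinator or any router vendor, shows what actually travels over the RTR session once a router connects: it encodes the router's Reset Query and the cache's Cache Response, IPv4/IPv6 Prefix and End of Data PDUs as laid out in RFC 8210 (protocol version 1), and parses them back with strict length checks. The session ID, serial number, timers and VRPs in the constructed stream are made-up values; the parser is exercised on a byte string built inline rather than on a live connection.

```python
import ipaddress
import struct

RTR_VERSION = 1  # RFC 8210; RFC 6810 is version 0 with a 12-byte End of Data PDU

# PDU type codes (RFC 8210, section 5)
RESET_QUERY, CACHE_RESPONSE, IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA = 2, 3, 4, 6, 7
HEADER = "!BBHI"  # version, type, session ID (or zero), total length in bytes


def reset_query():
    """Router -> cache: request the complete current VRP set."""
    return struct.pack(HEADER, RTR_VERSION, RESET_QUERY, 0, 8)


def cache_response(session_id):
    """Cache -> router: start of a data response for this session."""
    return struct.pack(HEADER, RTR_VERSION, CACHE_RESPONSE, session_id, 8)


def prefix_pdu(prefix, max_len, asn, announce=True):
    """Cache -> router: one VRP, as an IPv4 (20-byte) or IPv6 (32-byte) Prefix PDU."""
    net = ipaddress.ip_network(prefix)
    flags = 1 if announce else 0  # bit 0: 1 = announcement, 0 = withdrawal
    if net.version == 4:
        return struct.pack(HEADER + "BBBB4sI", RTR_VERSION, IPV4_PREFIX, 0, 20,
                           flags, net.prefixlen, max_len, 0,
                           net.network_address.packed, asn)
    return struct.pack(HEADER + "BBBB16sI", RTR_VERSION, IPV6_PREFIX, 0, 32,
                       flags, net.prefixlen, max_len, 0,
                       net.network_address.packed, asn)


def end_of_data(session_id, serial, refresh=3600, retry=600, expire=7200):
    """Cache -> router: end of the response, carrying the serial and the RFC 8210 timers."""
    return struct.pack(HEADER + "IIII", RTR_VERSION, END_OF_DATA, session_id, 24,
                       serial, refresh, retry, expire)


def build_cache_reply(session_id, serial, vrps):
    """Everything a cache sends in reply to a Reset Query, as one byte string."""
    out = cache_response(session_id)
    for prefix, max_len, asn in vrps:
        out += prefix_pdu(prefix, max_len, asn)
    return out + end_of_data(session_id, serial)


def parse_pdus(data):
    """Split a byte stream into PDUs and decode the ones a router needs for ROV.

    Malformed lengths raise ValueError instead of being skipped: a truncated or
    oversized PDU is exactly what a router must refuse to act on.
    """
    pdus = []
    off = 0
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError("truncated PDU header at offset %d" % off)
        version, ptype, session, length = struct.unpack_from(HEADER, data, off)
        if length < 8 or off + length > len(data):
            raise ValueError("bad PDU length %d at offset %d" % (length, off))
        body = data[off + 8:off + length]
        if ptype == CACHE_RESPONSE:
            pdus.append(("cache_response", session))
        elif ptype == IPV4_PREFIX and length == 20:
            flags, plen, maxlen, _, addr, asn = struct.unpack("!BBBB4sI", body)
            pdus.append(("vrp", bool(flags & 1),
                         "%s/%d" % (ipaddress.IPv4Address(addr), plen), maxlen, asn))
        elif ptype == IPV6_PREFIX and length == 32:
            flags, plen, maxlen, _, addr, asn = struct.unpack("!BBBB16sI", body)
            pdus.append(("vrp", bool(flags & 1),
                         "%s/%d" % (ipaddress.IPv6Address(addr), plen), maxlen, asn))
        elif ptype == END_OF_DATA and length == 24:
            serial, refresh, retry, expire = struct.unpack("!IIII", body)
            pdus.append(("end_of_data", session, serial, refresh, retry, expire))
        else:
            pdus.append(("other", ptype, length))
        off += length
    return pdus


if __name__ == "__main__":
    # Constructed exchange: session ID, serial and VRPs are made-up values.
    reply = build_cache_reply(0x1234, 42, [("192.0.2.0/24", 24, 64496),
                                           ("2001:db8::/32", 48, 64496)])
    print("router sends:", reset_query().hex())
    for pdu in parse_pdus(reply):
        print("cache sends:", pdu)
```

Because the PDUs carry no authentication of their own, anything that can inject bytes into this TCP stream can feed a router a forged VRP set; that is the gap the SSH and TLS transports described further down are meant to close, and why the parser refuses anything whose length field does not match the data actually received.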
Communication between Routinator and the router using the RPKI-RTR protocol is done via plain TCP. Below is an explanation of how to secure the transport using either SSH or TLS.
These instructions were contributed by wk on GitHub.
RFC 6810, section 7 defines a number of secure transports for RPKI-RTR that can be used to secure communication between a router and an RPKI relying party.
However, the RPKI Router Implementation Report documented in RFC 7128, section 5 suggests these secure transports have not been widely implemented. Implementations do exist, however, and a secure transport could be valuable in situations where the RPKI relying party is provided as a public service, or across a non-trusted network.
SSH transport for RPKI-RTR can be configured with the help of netcat and OpenSSH.
- Begin by installing the openssh-server and netcat packages.
- Make sure Routinator is running as an RTR server on localhost:
  routinator server --rtr 127.0.0.1:3323
- Create a username and a password for the router to log into the host with, such as rpki.
- Configure OpenSSH to expose an rpki-rtr subsystem that acts as a proxy into Routinator by editing the /etc/ssh/sshd_config file or equivalent to include the following lines:
  # Define an `rpki-rtr` subsystem which is actually `netcat` used to
  # proxy STDIN/STDOUT to a running `routinator server --rtr 127.0.0.1:3323`
  Subsystem rpki-rtr /bin/nc 127.0.0.1 3323
  # Certain routers may use old KEX algos and Ciphers which are no longer enabled by default.
  # These examples are required in IOS-XR 5.3 but no longer enabled by default in OpenSSH 7.3
  Ciphers +3des-cbc
  KexAlgorithms +diffie-hellman-group1-sha1
- Restart the OpenSSH server daemon.
- Set up the router running IOS-XR using this example configuration:
  router bgp 65534
  rpki server 192.168.0.100
  username rpki
  password rpki
  transport ssh port 22
TLS transport for RPKI-RTR can be configured with the help of stunnel.
- Begin by installing the stunnel package.
- Make sure Routinator is running as an RTR server on localhost:
  routinator server --rtr 127.0.0.1:3323
- Acquire (for example via Let's Encrypt) or generate an SSL certificate. In the example below, an SSL certificate for the domain example.com generated by Let's Encrypt is used.
- Create an stunnel configuration file by editing /etc/stunnel/rpki.conf or equivalent:
  [rpki]
  ; Use a letsencrypt certificate for example.com
  cert = /etc/letsencrypt/live/example.com/fullchain.pem
  key = /etc/letsencrypt/live/example.com/privkey.pem
  ; Listen for TLS rpki-rtr on port 323 and proxy to port 3323 on localhost
  accept = 323
  connect = 127.0.0.1:3323
- Restart stunnel to complete the process.