The RPKI-to-Router server used at Cloudflare
Latest commit 0999908 Nov 13, 2018

GoRTR

GoRTR is an open-source implementation of the RPKI to Router protocol (RFC 6810) written in the Go programming language.

  • /lib contains a library to create your own server and client.
  • /file contains the structure of a JSON export file and signing capabilities.
  • /cmd/gortr/gortr.go is a simple implementation that fetches a list and offers it to a router.

Disclaimer

This software comes with no warranty.

Features of the server

  • Refreshes a JSON list of prefixes (from either Cloudflare or a RIPE Validator)
  • Prometheus metrics
  • Lightweight
  • TLS
  • Signature verification and expiration control

Features of the API

To start developing

You need a working Go environment (1.10 or newer).

$ git clone git@github.com:cloudflare/gortr.git && cd gortr
$ go build cmd/gortr/gortr.go

Install it

$ go get github.com/cloudflare/gortr/cmd/gortr

Copy cf.pub to your local directory if you want to use Cloudflare's signed JSON file.

Create TLS certificates if you want to use the TLS feature:

$ openssl ecparam -genkey -name prime256v1 -noout -outform pem > private.pem
$ openssl req -new -x509 -key private.pem -out server.pem

If you want to sign your list of prefixes, generate an ECDSA private key with the ecparam command above, then derive the public key from it:

$ openssl ec -in private.pem -pubout -outform pem > public.pem
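The key pair above is everything the signing feature needs, but the README does not show what the signature protects. The following added example (written for this page; it is not code from GoRTR's /file package and does not reproduce that package's actual envelope format) demonstrates the two checks listed under the server's features, signature verification and expiration control, on an illustrative envelope: an ECDSA P-256 signature over the prefix list together with its validity deadline, verified against a PEM public key of the kind `openssl ec -pubout` writes. Binding the deadline into the signed bytes is the point: a correctly signed but stale list cannot be replayed past its deadline, and the deadline cannot be edited without breaking the signature. The type names, the envelope layout and the sample payload are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// SignedList is an illustrative envelope for a prefix list: the JSON payload,
// a deadline after which it must not be served, and an ECDSA P-256 signature
// covering both. It is an assumption of this example, not GoRTR's file format.
type SignedList struct {
	Payload    json.RawMessage `json:"payload"`
	ValidUntil time.Time       `json:"validUntil"`
	Signature  []byte          `json:"signature"`
}

// digest binds the deadline and the payload together, so a captured old list
// cannot have its lifetime extended by editing validUntil.
func digest(payload []byte, validUntil time.Time) []byte {
	h := sha256.New()
	h.Write([]byte(strconv.FormatInt(validUntil.Unix(), 10)))
	h.Write([]byte{0}) // separator between the two fields
	h.Write(payload)
	return h.Sum(nil)
}

// GenerateKey creates a P-256 key, the curve `openssl ecparam -name prime256v1` uses.
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// PublicKeyPEM encodes the public key the way `openssl ec -pubout` does (PKIX, "PUBLIC KEY").
func PublicKeyPEM(pub *ecdsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// Sign wraps payload in a SignedList that is valid until the given time.
func Sign(priv *ecdsa.PrivateKey, payload []byte, validUntil time.Time) (*SignedList, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(payload, validUntil))
	if err != nil {
		return nil, err
	}
	return &SignedList{Payload: payload, ValidUntil: validUntil, Signature: sig}, nil
}

// Verify checks the signature with a PEM public key and enforces the deadline.
// Both checks must pass: a valid signature on an expired list is still rejected.
func Verify(pubPEM []byte, sl *SignedList, now time.Time) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("no PEM public key found")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("public key is not ECDSA")
	}
	if !ecdsa.VerifyASN1(pub, digest(sl.Payload, sl.ValidUntil), sl.Signature) {
		return errors.New("signature verification failed")
	}
	if now.After(sl.ValidUntil) {
		return fmt.Errorf("list expired at %s", sl.ValidUntil.UTC().Format(time.RFC3339))
	}
	return nil
}

func main() {
	priv, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	pubPEM, err := PublicKeyPEM(&priv.PublicKey)
	if err != nil {
		panic(err)
	}
	// Constructed payload in the README's schema; not real data.
	payload := []byte(`{"roas":[{"prefix":"10.0.0.0/24","maxLength":24,"asn":"AS65001"}]}`)
	now := time.Now()
	sl, err := Sign(priv, payload, now.Add(time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh list:   ", Verify(pubPEM, sl, now))
	tampered := *sl
	tampered.Payload = []byte(`{"roas":[{"prefix":"10.0.0.0/24","maxLength":24,"asn":"AS64512"}]}`)
	fmt.Println("tampered list:", Verify(pubPEM, &tampered, now))
	fmt.Println("expired list: ", Verify(pubPEM, sl, now.Add(2*time.Hour)))
}
```

The private key only ever touches Sign; the server side needs nothing but the PEM public key, which is why the README has you copy cf.pub (or your own public.pem) next to the binary and nothing else.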

Run it

$ ./gortr -bind 127.0.0.1:8282

Make sure cf.pub is in the current directory, or pass -verify.key=path/to/cf.pub.

Data sources

Use your own validator, as long as its JSON export follows this schema:

{
  "roas": [
    {
      "prefix": "10.0.0.0/24",
      "maxLength": 24,
      "asn": "AS65001"
    },
    ...
  ]
}
  • Cloudflare (list curated, signed, compressed and cached in +150 PoPs)
  • Third-party RIPE Validators:

To use a data source that does not carry signatures or validity information, pass: -verify=false -checktime=false. With both checks disabled GoRTR serves whatever the source returns, so only do this for a validator you run yourself and reach over a path you trust.
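As an added example (written for this page, not code from GoRTR's /lib or /file packages), here is a parser for the schema above that rejects malformed entries, followed by the RFC 6811 route origin validation decision that turns those entries into the valid, invalid and notfound states the router-side policy further down acts on. It uses net/netip and therefore needs Go 1.18 or newer rather than the 1.10 the build instructions mention; the sample export and the routes checked in main are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// roaEntry mirrors one element of the "roas" array in the schema above.
type roaEntry struct {
	Prefix    string `json:"prefix"`
	MaxLength int    `json:"maxLength"`
	ASN       string `json:"asn"`
}

type roaFile struct {
	ROAs []roaEntry `json:"roas"`
}

// VRP is a parsed entry (a "validated ROA payload" in RFC 6811 terms).
type VRP struct {
	Prefix    netip.Prefix
	MaxLength int
	ASN       uint32
}

// ParseROAs decodes the export and rejects entries that are malformed or
// internally inconsistent, so a bad line never reaches a router.
func ParseROAs(data []byte) ([]VRP, error) {
	var f roaFile
	if err := json.Unmarshal(data, &f); err != nil {
		return nil, err
	}
	vrps := make([]VRP, 0, len(f.ROAs))
	for i, r := range f.ROAs {
		p, err := netip.ParsePrefix(r.Prefix)
		if err != nil {
			return nil, fmt.Errorf("roa %d: bad prefix %q: %w", i, r.Prefix, err)
		}
		if p != p.Masked() {
			return nil, fmt.Errorf("roa %d: prefix %q has host bits set", i, r.Prefix)
		}
		// The schema writes the origin as "AS65001"; a bare number is accepted too.
		asn, err := strconv.ParseUint(strings.TrimPrefix(r.ASN, "AS"), 10, 32)
		if err != nil {
			return nil, fmt.Errorf("roa %d: bad asn %q: %w", i, r.ASN, err)
		}
		// maxLength must lie between the prefix length and the address size (32 or 128).
		if r.MaxLength < p.Bits() || r.MaxLength > p.Addr().BitLen() {
			return nil, fmt.Errorf("roa %d: maxLength %d out of range for %s", i, r.MaxLength, r.Prefix)
		}
		vrps = append(vrps, VRP{Prefix: p, MaxLength: r.MaxLength, ASN: uint32(asn)})
	}
	return vrps, nil
}

// Validate returns the RFC 6811 origin-validation state of a BGP route
// ("valid", "invalid" or "notfound") against the VRP set. A VRP covers the
// route when the route lies inside the VRP prefix; it matches when, in
// addition, the route is no longer than maxLength and the origin AS agrees.
// Covered by at least one VRP but matched by none is "invalid".
func Validate(vrps []VRP, route netip.Prefix, originAS uint32) string {
	covered := false
	for _, v := range vrps {
		if v.Prefix.Bits() > route.Bits() || !v.Prefix.Contains(route.Addr()) {
			continue
		}
		covered = true
		if route.Bits() <= v.MaxLength && v.ASN == originAS {
			return "valid"
		}
	}
	if !covered {
		return "notfound"
	}
	return "invalid"
}

// sampleJSON is a constructed export in the documented schema (not real data).
const sampleJSON = `{"roas": [
  {"prefix": "10.0.0.0/24", "maxLength": 24, "asn": "AS65001"},
  {"prefix": "2001:db8::/32", "maxLength": 48, "asn": "AS65002"}
]}`

func main() {
	vrps, err := ParseROAs([]byte(sampleJSON))
	if err != nil {
		panic(err)
	}
	for _, c := range []struct {
		route string
		asn   uint32
	}{
		{"10.0.0.0/24", 65001},     // exact match            -> valid
		{"10.0.0.0/24", 65002},     // wrong origin           -> invalid
		{"10.0.0.0/25", 65001},     // longer than maxLength  -> invalid
		{"192.0.2.0/24", 65001},    // no covering VRP        -> notfound
		{"2001:db8:1::/48", 65002}, // within maxLength       -> valid
	} {
		fmt.Printf("%-18s AS%-6d %s\n", c.route, c.asn, Validate(vrps, netip.MustParsePrefix(c.route), c.asn))
	}
}
```

The "invalid" outcome for the /25 is the usual surprise: a ROA with maxLength 24 authorises AS65001 for the /24 only, so a more-specific announcement from the same AS is rejected by a policy like the Juniper RPKI-TEST-INV term, which is exactly the protection against sub-prefix hijacks that RPKI is meant to give.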

Configure on Juniper

Configure a session to the RTR server

louis@router> show configuration routing-options validation
group TEST-RPKI {
    session 192.168.1.100 {
        port 8282;
    }
}

Add policies to validate or invalidate prefixes

louis@router> show configuration policy-options policy-statement STATEMENT-EXAMPLE
term RPKI-TEST-VAL {
    from {
        protocol bgp;
        validation-database valid;
    }
    then {
        validation-state valid;
        next term;
    }
}
term RPKI-TEST-INV {
    from {
        protocol bgp;
        validation-database invalid;
    }
    then {
        validation-state invalid;
        reject;
    }
}

Display status of the session to the RTR server.

louis@router> show validation session 192.168.1.100 detail
Session 192.168.1.100, State: up, Session index: 1
  Group: TEST-RPKI, Preference: 100
  Port: 8282
  Refresh time: 300s
  Hold time: 600s
  Record Life time: 3600s
  Serial (Full Update): 1
  Serial (Incremental Update): 1
    Session flaps: 2
    Session uptime: 00:25:07
    Last PDU received: 00:04:50
    IPv4 prefix count: 46478
    IPv6 prefix count: 8216

Show content of the database

louis@router> show validation database brief
RV database for instance master

Prefix                 Origin-AS Session                                 State   Mismatch
1.0.0.0/24-24              13335 192.168.1.100                           valid
1.1.1.0/24-24              13335 192.168.1.100                           valid

License

Licensed under the BSD 3-Clause License.