Implementation of RPKI Origin Validation in route-map
A substitute for the RTR protocol: generate configuration blobs for your routers instead of using the RTR protocol to interact with RPKI.
The generated route-map configuration first checks whether the BGP route
passing through it is covered by an RPKI ROA at all. If it is not, the route
is marked NotFound by tagging it with the 65000:0 BGP community.
If the route is covered by an RPKI ROA, the route-map proceeds to match
the announcement against each authorised (Prefix, maxLength, Origin AS) tuple
to see whether any ROA makes the announcement RPKI Valid. If no tuple matches,
the announcement is RPKI Invalid and is rejected.
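The following is an added illustration of the logic described above; it is not the project's own generator and its output format is an assumption. It evaluates announcements with the RFC 6811 rules (covered / matched / Valid / Invalid / NotFound) and emits a Cisco-IOS-style route-map that produces the same outcome under first-match semantics: one permit sequence per origin AS (prefix-list with `le maxLength` AND an as-path regex for that origin), then a deny for anything still covered by a ROA, then a final permit that tags NotFound routes with 65000:0. The sample ROAs, the prefix-list names (`rpki-ov-covered`, `rpki-ov-as<ASN>`) and the as-path access-list numbering are constructed for the example; only IPv4 ROAs are emitted because IPv6 would need `ipv6 prefix-list` / `match ipv6 address` in a separate route-map.

```python
import ipaddress
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class ROA:
    prefix: str   # e.g. "192.0.2.0/24"
    maxlen: int   # maximum prefix length the ROA authorises
    asn: int      # authorised origin AS


# Constructed sample ROAs using documentation prefixes and ASNs; not real RPKI data.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 26, 64496),
    ROA("203.0.113.0/24", 24, 64497),
    ROA("2001:db8::/32", 48, 64496),
]


def covers(roa, route):
    """RFC 6811 'covered': the ROA prefix contains the route prefix (maxLength is ignored)."""
    vrp, net = ipaddress.ip_network(roa.prefix), ipaddress.ip_network(route)
    return vrp.version == net.version and net.subnet_of(vrp)


def matches(roa, route, origin_as):
    """RFC 6811 'matched': covered, not longer than maxLength, and the same origin AS."""
    return (covers(roa, route)
            and ipaddress.ip_network(route).prefixlen <= roa.maxlen
            and origin_as == roa.asn)


def validate(roas, route, origin_as):
    """Origin Validation state of one announcement: 'valid', 'invalid' or 'notfound'."""
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "notfound"
    if any(matches(r, route, origin_as) for r in covering):
        return "valid"
    return "invalid"


def generate_route_map(roas, name="rpki-ov", notfound_community="65000:0"):
    """Emit an IOS-style route-map (assumed syntax) with the same outcome as validate():
    per origin AS a permit sequence (prefix-list of its ROAs with 'le maxLength' AND an
    as-path regex anchoring that origin), then a deny for anything still covered by some
    ROA (Invalid), then a final permit tagging the rest NotFound. IPv4 ROAs only."""
    v4 = [r for r in roas if ipaddress.ip_network(r.prefix).version == 4]
    asns = sorted({r.asn for r in v4})
    acl = {asn: i for i, asn in enumerate(asns, start=1)}  # IOS as-path ACL numbers 1..500
    lines = []
    # 'le 32' on every ROA prefix: the "is this route covered at all?" test.
    for seq, r in enumerate(v4, start=1):
        lines.append(f"ip prefix-list {name}-covered seq {5 * seq} permit {r.prefix} le 32")
    # Per origin AS: the (Prefix, maxLength) pairs it is authorised to announce.
    for asn in asns:
        for seq, r in enumerate([r for r in v4 if r.asn == asn], start=1):
            lines.append(f"ip prefix-list {name}-as{asn} seq {5 * seq} permit {r.prefix} le {r.maxlen}")
        lines.append(f"ip as-path access-list {acl[asn]} permit _{asn}$")
    seq = count(10, 10)
    for asn in asns:  # Valid: prefix within an authorised tuple AND that AS is the origin
        lines += [f"route-map {name} permit {next(seq)}",
                  f" match ip address prefix-list {name}-as{asn}",
                  f" match as-path {acl[asn]}"]
    if v4:  # Invalid: covered by a ROA, but none of the Valid sequences above matched
        lines += [f"route-map {name} deny {next(seq)}",
                  f" match ip address prefix-list {name}-covered"]
    # NotFound: not covered by any ROA; tagged with the community and accepted.
    lines += [f"route-map {name} permit {next(seq)}",
              f" set community {notfound_community} additive"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(generate_route_map(SAMPLE_ROAS))
    for route, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496), ("10.0.0.0/8", 64496)]:
        print(route, asn, validate(SAMPLE_ROAS, route, asn))
```

Running the block prints the generated route-map followed by the Valid / Invalid / NotFound verdicts for three constructed announcements; `validate()` is the reference against which the emitted configuration can be checked. Note that a real ROA set has hundreds of thousands of entries, so the per-AS prefix-lists and the 1..500 as-path access-list range of IOS are a real constraint, which is part of why the README calls this a workaround rather than a replacement for RTR.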
Example
An example generated route-map configuration is available here.
Installation
git clone https://github.com/job/rpki-ov-route-map
cd rpki-ov-route-map
python3 -m venv .venv
. .venv/bin/activate
pip3 install -e .
Use
Some BGP implementations have no native support for RPKI-based BGP Origin
Validation (RFC 6811). This utility attempts to offer a workaround for
route-map oriented BGP implementations.
$ rpki-ov-route-map > route-map-configuration.txt
Then use TFTP or some other copying mechanism to upload the resulting file
to the BGP router and merge it into the running-config. Because the set of
ROAs changes continuously, the file has to be regenerated and re-applied
regularly. Subsequently, associate route-map rpki-ov with the EBGP ingress
policy of the peer:
router bgp 65000
neighbor x.x.x.x remote-as 65123
neighbor x.x.x.x route-map rpki-ov in
But honestly, use of this software for any purpose other than entertainment is not recommended.
Copyright
Copyright (c) April 1st, 2020 Job Snijders job@instituut.net, Ben Maddison benm@workonline.africa