use RPKI ROAs as if they were route objects

closes #19
pierky · Oct 29, 2017 · ea9e785 · ea9e785
1 parent c513fc5
commit ea9e785
Show file tree

Hide file tree

Showing 38 changed files with 855 additions and 37 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -3,6 +3,15 @@ Change log
 
 .. note:: **Upgrade notes**: after upgrading, run the ``arouteserver setup-templates`` command to sync the local templates with those distributed with the new version. More details on the `Upgrading <https://arouteserver.readthedocs.io/en/latest/INSTALLATION.html#upgrading>`__ section of the documentation.
 
+next release
+------------
+
+- New feature: use RPKI ROAs as if they were route objects.
+
+  This feature allows to accept those routes whose origin ASN is authorized by a client AS-SET, whose prefix is not but it is covered by a RPKI ROA for the same origin ASN.
+
+  Related: `issue #19 on GitHub <https://github.com/pierky/arouteserver/issues/19>`_.
+
 v0.13.0
 -------
 

diff --git a/config.d/general.yml b/config.d/general.yml
@@ -224,7 +224,7 @@ cfg:
         # objects.
         # Routes whose origin ASN is authorized by a client's AS-SET
         # but whose prefix has not a corresponding route object will
-        # be accepted if a corresponding ROA exists for that origin
+        # be accepted if a covering ROA exists for that origin
         # ASN. In this case, if 'tag_as_set' is True, these routes
         # are tagged with the 'prefix_validated_via_rpki_roas'
         # community.
@@ -239,13 +239,20 @@ cfg:
 
         # The source used to gather RPKI ROAs.
         #
-        # Currently, the only method that has been implemented is to
-        # fetch data from the RIPE RPKI Validator cache
-        # (http://localcert.ripe.net:8088/export).
+        # Can be one of the following options:
+        # - 'rtrlib': ROAs are loaded using the external program
+        #   rtrllib (https://github.com/rtrlib/bird-rtrlib-cli).
+        #   The name of the table where send the ROAs to is 'RPKI'.
+        # - 'ripe-rpki-validator-cache': ROAs are fetched via
+        #   HTTP from the RIPE RPKI Validator cache
+        #   (http://localcert.ripe.net:8088/export).
         #
-        # Please note that this method is far from guaranteeing that
-        # a cryptographically validated datased is retrieved from a
-        # trusted cache.
+        #   Please note that this method is far from guaranteeing
+        #   that a cryptographically validated datased is retrieved
+        #   from a trusted cache.
+        #
+        # OpenBGPD: only the 'ripe-rpki-validator-cache' source
+        # is currently supported.
         #
         # Default: ripe-rpki-validator-cache
         source: "ripe-rpki-validator-cache"

diff --git a/docs/GENERAL.rst b/docs/GENERAL.rst
@@ -437,7 +437,7 @@ https://arouteserver.readthedocs.io/en/latest/CONFIG.html
   objects.
   Routes whose origin ASN is authorized by a client's AS-SET
   but whose prefix has not a corresponding route object will
-  be accepted if a corresponding ROA exists for that origin
+  be accepted if a covering ROA exists for that origin
   ASN. In this case, if **tag_as_set** is True, these routes
   are tagged with the **prefix_validated_via_rpki_roas**
   community.
@@ -465,14 +465,26 @@ https://arouteserver.readthedocs.io/en/latest/CONFIG.html
   The source used to gather RPKI ROAs.
 
 
-  Currently, the only method that has been implemented is to
-  fetch data from the RIPE RPKI Validator cache
-  (http://localcert.ripe.net:8088/export).
+  Can be one of the following options:
 
 
-  Please note that this method is far from guaranteeing that
-  a cryptographically validated datased is retrieved from a
-  trusted cache.
+  - **rtrlib**: ROAs are loaded using the external program
+    rtrllib (https://github.com/rtrlib/bird-rtrlib-cli).
+    The name of the table where send the ROAs to is **RPKI**.
+
+
+  - **ripe-rpki-validator-cache**: ROAs are fetched via
+    HTTP from the RIPE RPKI Validator cache
+    (http://localcert.ripe.net:8088/export).
+
+
+  Please note that this method is far from guaranteeing
+  that a cryptographically validated datased is retrieved
+  from a trusted cache.
+
+
+  OpenBGPD: only the **ripe-rpki-validator-cache** source
+  is currently supported.
 
 
   Default: **ripe-rpki-validator-cache**

diff --git a/docs/_static/examples_default.html b/docs/_static/examples_default.html
@@ -76,6 +76,7 @@ <h3>IRRDBs prefix/origin ASN enforcement</h3>
 <strong>enforced</strong>. Routes whose prefix is not part of the client's AS-SET are rejected.
 </p></li>
 
+
 </ul>
 
 

diff --git a/docs/_static/examples_rich.html b/docs/_static/examples_rich.html
@@ -85,6 +85,8 @@ <h3>IRRDBs prefix/origin ASN enforcement</h3>
 <strong>enforced</strong>. Routes whose prefix is not part of the client's AS-SET are rejected.
 </p></li>
 
+<li><p>Use RPKI ROAs to validate routes whose origin ASN is authorized by the client's AS-SET but whose prefix is not.</p></li>
+
 <li><p>
 Route <strong>validity state</strong> is signalled to route server clients using the following <strong>BGP communities</strong>:
 <table class="table">
@@ -113,6 +115,13 @@ <h3>IRRDBs prefix/origin ASN enforcement</h3>
     <td>999:65530:0</td>
   </tr>
 
+    <tr>
+    <td>Prefix matched by a RPKI ROA for the authorized origin ASN</td>
+    <td>65530:2</td>
+    <td>None</td>
+    <td>999:65530:2</td>
+  </tr>
+
 </tbody>
 </table>
 </p></li>

diff --git a/docs/_static/tests_real_general.html b/docs/_static/tests_real_general.html
@@ -85,6 +85,7 @@ <h3>IRRDBs prefix/origin ASN enforcement</h3>
 <strong>enforced</strong>. Routes whose prefix is not part of the client's AS-SET are rejected.
 </p></li>
 
+
 <li><p>
 Route <strong>validity state</strong> is signalled to route server clients using the following <strong>BGP communities</strong>:
 <table class="table">
@@ -113,6 +114,7 @@ <h3>IRRDBs prefix/origin ASN enforcement</h3>
     <td>999:65530:0</td>
   </tr>
 
+
 </tbody>
 </table>
 </p></li>

diff --git a/examples/bird_hooks/bird4.conf b/examples/bird_hooks/bird4.conf
@@ -21,6 +21,7 @@ roa table RPKI {
 };
 
 
+
 # ---------------------------------------------------------
 # COMMON
 
@@ -436,6 +437,7 @@ function add_noexport_noadvertise(int peer_as) {
 
 
 
+
 # ---------------------------------------------------------
 # IRRDB
 
@@ -516,6 +518,7 @@ bool reject_because_of_bad_prefix;
 	}
 
 
+
 	if reject_because_of_bad_origin then {
 		reject "origin ASN [", bgp_path.last, "] not in allowed as-sets - REJECTING ", net;
 
@@ -711,6 +714,7 @@ bool reject_because_of_bad_prefix;
 	}
 
 
+
 	if reject_because_of_bad_origin then {
 		reject "origin ASN [", bgp_path.last, "] not in allowed as-sets - REJECTING ", net;
 

diff --git a/examples/bird_hooks/bird6.conf b/examples/bird_hooks/bird6.conf
@@ -21,6 +21,7 @@ roa table RPKI {
 };
 
 
+
 # ---------------------------------------------------------
 # COMMON
 
@@ -487,6 +488,7 @@ function add_noexport_noadvertise(int peer_as) {
 
 
 
+
 # ---------------------------------------------------------
 # IRRDB
 
@@ -557,6 +559,7 @@ bool reject_because_of_bad_prefix;
 	}
 
 
+
 	if reject_because_of_bad_origin then {
 		reject "origin ASN [", bgp_path.last, "] not in allowed as-sets - REJECTING ", net;
 

diff --git a/examples/default/bird4.conf b/examples/default/bird4.conf
@@ -15,7 +15,8 @@ table master sorted;
 # ---------------------------------------------------------
 # RPKI
 
-# RPKI not enabled at 'cfg.filtering.rpki.enabled'
+# RPKI not used.
+
 
 
 # ---------------------------------------------------------
@@ -193,6 +194,7 @@ function add_noexport_noadvertise(int peer_as) {
 
 
 
+
 # ---------------------------------------------------------
 # IRRDB
 
@@ -265,6 +267,7 @@ bool reject_because_of_bad_prefix;
 	}
 
 
+
 	if reject_because_of_bad_origin then {
 		reject "origin ASN [", bgp_path.last, "] not in allowed as-sets - REJECTING ", net;
 
@@ -424,6 +427,7 @@ bool reject_because_of_bad_prefix;
 	}
 
 
+
 	if reject_because_of_bad_origin then {
 		reject "origin ASN [", bgp_path.last, "] not in allowed as-sets - REJECTING ", net;
 

diff --git a/examples/default/bird6.conf b/examples/default/bird6.conf
@@ -15,7 +15,8 @@ table master sorted;
 # ---------------------------------------------------------
 # RPKI
 
-# RPKI not enabled at 'cfg.filtering.rpki.enabled'
+# RPKI not used.
+
 
 
 # ---------------------------------------------------------
@@ -244,6 +245,7 @@ function add_noexport_noadvertise(int peer_as) {
 
 
 
+
 # ---------------------------------------------------------
 # IRRDB
 
@@ -306,6 +308,7 @@ bool reject_because_of_bad_prefix;
 	}
 
 
+
 	if reject_because_of_bad_origin then {
 		reject "origin ASN [", bgp_path.last, "] not in allowed as-sets - REJECTING ", net;
 

diff --git a/examples/default/description.html b/examples/default/description.html
@@ -76,6 +76,7 @@ <h3>IRRDBs prefix/origin ASN enforcement</h3>
 <strong>enforced</strong>. Routes whose prefix is not part of the client's AS-SET are rejected.
 </p></li>
 
+
 </ul>
 
 

diff --git a/examples/default/openbgpd.conf b/examples/default/openbgpd.conf
@@ -111,6 +111,7 @@ match from group clients community NO_ADVERTISE set ext-community soo 65535:6528
 match from group clients community NO_ADVERTISE set community delete NO_ADVERTISE
 
 
+
 # AS_PATH: length
 deny quick from group clients max-as-len 32
 

diff --git a/examples/default/template-context b/examples/default/template-context
@@ -112,6 +112,12 @@ cfg:
       peer_as: false
       std: null
       type: outbound
+    prefix_validated_via_rpki_roas:
+      ext: null
+      lrg: null
+      peer_as: false
+      std: null
+      type: outbound
     prepend_once_to_any:
       ext: null
       lrg: null
@@ -211,6 +217,9 @@ cfg:
       enforce_prefix_in_as_set: true
       peering_db: false
       tag_as_set: true
+      use_rpki_roas_as_route_objects:
+        enabled: false
+        source: ripe-rpki-validator-cache
     max_as_path_len: 32
     max_prefix:
       action: null
@@ -746,7 +755,7 @@ asns:
 
 
 irrdb_info
--------
+----------
 - asns:
   - 3333
   descr: AS3333
@@ -847,5 +856,10 @@ irrdb_info
   used_by: client AS10745_1, client AS10745_2
 
 
+rpki_roas_as_route_objects
+--------------------------
+{}
+
+
 roas
 ----
diff --git a/examples/default/template-context4 b/examples/default/template-context4
@@ -112,6 +112,12 @@ cfg:
       peer_as: false
       std: null
       type: outbound
+    prefix_validated_via_rpki_roas:
+      ext: null
+      lrg: null
+      peer_as: false
+      std: null
+      type: outbound
     prepend_once_to_any:
       ext: null
       lrg: null
@@ -211,6 +217,9 @@ cfg:
       enforce_prefix_in_as_set: true
       peering_db: false
       tag_as_set: true
+      use_rpki_roas_as_route_objects:
+        enabled: false
+        source: ripe-rpki-validator-cache
     max_as_path_len: 32
     max_prefix:
       action: null
@@ -745,7 +754,7 @@ asns:
 
 
 irrdb_info
--------
+----------
 - asns:
   - 3333
   descr: AS3333
@@ -818,5 +827,10 @@ irrdb_info
   used_by: client AS10745_1
 
 
+rpki_roas_as_route_objects
+--------------------------
+{}
+
+
 roas
 ----