Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use RPKI data as if it were route-objects #19

Closed
job opened this issue Oct 26, 2017 · 3 comments

Comments

Projects
None yet
2 participants
@job
Copy link
Contributor

commented Oct 26, 2017

RPKI can be used to do Origin Validation and reject invalid announcements, but RPKI can also be used in context of provisioning & creation of whitelists.

If we take as example http://irrexplorer.nlnog.net/search/23.179.0.0/24 - for this prefix there is no IRR route object, but there is a RPKI ROA which states what the authorised origin AS is and this matches what is observed in the DFZ. I'd prefer to accept such a prefix from AS neighbor 6939.

In other words, we should treat RPKI ROAs as if they are IRR route objects.

Implementation suggestion: we can use rtrsub to generate a yml file of all such RPKI ROAs, and if arouteserver is expanding ASNs into route objects (after having expanded AS-SETS into ASNs), it also does a lookup in that yml file.

pierky added a commit that referenced this issue Oct 30, 2017

v0.14.0-alpha2
closes #19
@pierky

This comment has been minimized.

Copy link
Owner

commented Nov 1, 2017

Here it is...

use_rpki_roas_as_route_objects:
# With regards of prefix validation, when this option is
# enabled ARouteServer uses RPKI ROAs as if they were route
# objects.
# Routes whose origin ASN is authorized by a client's AS-SET
# but whose prefix has not a corresponding route object will
# be accepted if a covering ROA exists for that origin
# ASN. In this case, if 'tag_as_set' is True, these routes
# are tagged with the 'prefix_validated_via_rpki_roas'
# community.
#
# This option is used only when 'enforce_origin_in_as_set'
# and 'enforce_prefix_in_as_set' are both set to True.
# Set this to True to enable this feature.
#
# Default: False
enabled: False
# The source used to gather RPKI ROAs.
#
# Can be one of the following options:
# - 'rtrlib': ROAs are loaded using the external program
# rtrllib (https://github.com/rtrlib/bird-rtrlib-cli).
# The name of the table where send the ROAs to is 'RPKI'.
# - 'ripe-rpki-validator-cache': ROAs are fetched via
# HTTP from the RIPE RPKI Validator cache
# (http://localcert.ripe.net:8088/export).
#
# Please note that this method is far from guaranteeing
# that a cryptographically validated datased is retrieved
# from a trusted cache.
#
# OpenBGPD: only the 'ripe-rpki-validator-cache' source
# is currently supported.
#
# Default: ripe-rpki-validator-cache
source: "ripe-rpki-validator-cache"


OpenBGPD:

# RPKI ROAs used as route objects
# Add the soo:65535:1 ext community to routes whose
# origin ASN has a ROA for the announced prefix.
# It will be used later during IRRDB validation in
# case the origin ASN is authorized by a client's
# AS-SET but the prefix is not.
match from group clients source-as 10745 prefix { 2001:500:30::/48, 2001:500:4::/48, 192.136.136.0/24, 192.149.252.0/24, 199.43.0.0/24 } set ext-community soo 65535:1
match from group clients source-as 3333 prefix { 193.0.24.0/24, 193.0.12.0/23, 193.0.18.0/23, 193.0.0.0/21, 2001:67c:2e8::/48, 193.0.22.0/23, 2001:610:240::/42, 193.0.10.0/23, 193.0.20.0/23, 193.0.24.0/22 prefixlen 22 - 26 } set ext-community soo 65535:1

And if a route has its origin ASN authorized by an AS-SET, then...

# routes which carry a soo:65535:1 community have the prefix validated by a ROA
match from 192.0.2.22 ext-community soo 65535:1 set community 65530:2
match from 192.0.2.22 ext-community soo 65535:1 set large-community 999:65530:2
match from 192.0.2.22 ext-community soo 65535:1 set { community delete NO_ADVERTISE ext-community delete soo 65535:1 }


BIRD:

# RPKI ROAs used as route objects
define RPKI_ROAs_as_route_objects_AS10745 = [
192.136.136.0/24, 192.149.252.0/24, 199.43.0.0/24
];
define RPKI_ROAs_as_route_objects_AS3333 = [
193.0.24.0/24, 193.0.12.0/23, 193.0.18.0/23, 193.0.0.0/21,
193.0.22.0/23, 193.0.10.0/23, 193.0.20.0/23, 193.0.24.0/22{22,26}
];

# This function verifies if there is such a ROA for the
# current route's origin ASN to validate the announced prefix.
function prefix_in_rpki_roas_as_route_objects() {
case bgp_path.last {
10745: return net ~ RPKI_ROAs_as_route_objects_AS10745;
3333: return net ~ RPKI_ROAs_as_route_objects_AS3333;
}
return false;
}

# Origin ASN is valid, prefix is not: check if a RPKI ROAs exists.
if !reject_because_of_bad_origin && reject_because_of_bad_prefix && prefix_in_rpki_roas_as_route_objects() then {
bgp_community.add((65530, 2));
bgp_large_community.add((999, 65530, 2));
return true;
}

Any feedback?

@job

This comment has been minimized.

Copy link
Contributor Author

commented Nov 1, 2017

Guess we'll have to test this to provide you with good feedback! :)

@pierky

This comment has been minimized.

Copy link
Owner

commented Nov 1, 2017

If you want to test it it's already available in the latest pre-release version on PyPi test:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple --pre --upgrade arouteserver

@pierky pierky added this to the v0.14.0 milestone Nov 1, 2017

@pierky pierky closed this in ea9e785 Nov 3, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.