Skip to Content.
Sympa Menu

netsec-sig - Re: [Security-WG] RPKI follow up from TechEx

Subject: Internet2 Network Security SIG

List archive

Re: [Security-WG] RPKI follow up from TechEx


Chronological Thread 
  • From: Andrew Gallo <>
  • To:
  • Cc:
  • Subject: Re: [Security-WG] RPKI follow up from TechEx
  • Date: Mon, 6 Nov 2017 17:38:35 -0500
  • Ironport-phdr: 9a23:lWMIwxGJ6on3pI8qvAv3XJ1GYnF86YWxBRYc798ds5kLTJ7zp8iwAkXT6L1XgUPTWs2DsrQf2rqQ6/iocFdDyK7JiGoFfp1IWk1NouQttCtkPvS4D1bmJuXhdS0wEZcKflZk+3amLRodQ56mNBXdrXKo8DEdBAj0OxZrKeTpAI7SiNm82/yv95HJbQhFgDmwbaluIBmqsA7cqtQYjYx+J6gr1xDHuGFIe+NYxWNpIVKcgRPx7dqu8ZBg7ipdpesv+9ZPXqvmcas4S6dYDCk9PGAu+MLrrxjDQhCR6XYaT24bjwBHAwnB7BH9Q5fxri73vfdz1SWGIcH7S60/VDK/5KlpVRDokj8KODw38G/XhMJ+j79Vrgy9qBFk2YHYfJuYOeBicq/Bf94XQ3dKUMZLVyxGB4Oxd5cCD+wcMuZCsYb8qUYFoxqkCgmoAOPvzSJDi3js0q01yeshFQXG3As7EtIBvnXUsc/5O7kPXuCo1aTFyyjIYf1R2Tf48ofIcxYhrOmOXbJtd8rRyFEvGB3fjlmKr4zqIS+V2+IQuGaY9+ptTfyjhm87pwxzpzWvyMQhhZLVio8QxV3I6Tl1zJswKNKkVEJ0etupHZ5Ouy2EKYR7RN4pTXtytyYg0LIGvIa2fCgUx5QjwB7Sc/mHfJKJ4hLnTeqRICt4iG58dLOwmRq+71avxvfzVsmz11ZKoS5FncfWun8R0BzT79CLSvp7/ki/xTaCzx7f5+BYLU02kKfbJZ0szaUsmpcWvknPAjP6lFjzgaCKakkr4e2l5uH5brn4uJCQL4p0hRv/MqQqlMy/G+M4Mg0WUmeB9uSzzrnj/Un+QLhRkPI2l7PWsJHeJcgBqa64DRJV3pw95BmiEjeqyM4YkmUfLFJZZBKHiJDkO0rQL//kEPe/mVWskCtrxvzfMLzhDY7ALnzCkLf6YbZ98FBQxBAyzdBZ+5JbFKsBIPTtVU/tqtDUFAE2PBGpw7WvNNIo1J8dcWuPC7WBdqLVq1TO6u83KvSIIoIZpWXHJuAh9sLp2HY2kFsZeoGmwoZRZXylTdp8JEDMSHzgmNoeWUgDug45BLjjh1SGVTl7aGmvGa8w+2doW8qdEY7fS9X10/S61yChE8gOaw==
We have two linux machines running the RIPE Validator.  Our regional router (a Juniper MX480) and our campus routers (MX240s) have a connection to each validator.

This validation session just gets the results of the validation process into the router.  As the document you sent  shows, for Juniper routers, you need to take the initial step of applying a BGP import policy to tell the router do compare incoming routes to the database.

Our regional router has that policy implement, our campus router do not yet have that configuration (waiting for a change window to implement the policy)

The policy on the regional router does *nothing* except set the validation state of the router; one term looks like:
term valid {
    from {
        protocol bgp;
        validation-database valid;
    }
    then {
        validation-state valid;
        next-policy;
    }
}
       
We are not making any other changes to the route (eg, localpref).  I would suggest paying attention to the 'then' action.  The sample config in the doc uses 'accept' which is a terminating action.  Depending on how you are combining this with other import policies, it may change expected behavior.  For reference, we have a separate policy specifically for RPKI validation, and all actions are 'next-polilcy'

Because all the routes are being accepted AND no changes are being made, I would describe it as a relatively low risk activity.  The validators can be stopped and restarted without impact on the routers (aside from noting the state of the connection to the validator.


Make sense?

On Mon, Nov 6, 2017 at 4:51 PM, John Kristoff <> wrote:
On Wed, 1 Nov 2017 14:12:00 +0000
Andrew Gallo <> wrote:

> There were a couple of questions either in our WG meeting, in the RPKI
> session, or from other conversations that I can provide at least some
> updates on.

Thanks Andrew, this is useful.

Can you explain a bit more about how you do validation?  I'd be
hesitant to put any of this on any production routing that is forwarding
traffic today.  Do you have a Unix server plus a one-armed router that
just does validation for monitoring purposes, or something else?

I'm looking at this, which I assume is something similar to what you do?

  <https://www.juniper.net/documentation/en_US/release-independent/solutions/information-products/pathway-pages/bgp-rpki-tn.pdf>

John


Archive powered by MHonArc 2.6.19.

Top of Page