netsec-sig - [Security-WG] RIPE RPKI v3 Docker Containers

  • From: "Garrett, Seth B" <>
  • To: Internet2 Security WG <>
  • Subject: [Security-WG] RIPE RPKI v3 Docker Containers
  • Date: Mon, 6 Aug 2018 21:23:04 +0000

Here are Docker containers I made for the RIPE RPKI version 3 validation server.  I first started with a CentOS container that was 600MB.  These are built on the openjdk:8-alpine container which gets them down to 165MB.  I've been running them successfully in AWS using a t2.medium EC2 Docker host running the AWS Linux OS.

RPKI is pretty easy to get started with.  Information shared from Andrew Gallo and others is a very good place to start.

Docker Hub:

GitHub:


Note: They will start listening on all interfaces.  Keep that in mind with regards to your Docker host's orientation to the public.  You can modify the application.properties files and rebuild to adjust that.


===========================================
Juniper Config

BGP Import Policy (chained before our existing import; under policy-options)
policy-statement RPKI-VALIDATE-NEXT-POLICY {
    term VALID {
        from {
            protocol bgp;
            validation-database valid;
        }
        then {
            validation-state valid;
            next policy;
        }
    }
    term INVALID {
        from {
            protocol bgp;
            validation-database invalid;
        }
        then {
            validation-state invalid;
            next policy;
        }
    }
    term UNKNOWN {
        from {
            protocol bgp;
            validation-database unknown;
        }
        then {
            validation-state unknown;
            next policy;
        }
    }
    term DEFAULT {
        then next policy;
    }
}

Validation Server Router Config (under routing-options)
validation {
    group RPKI-VALIDATOR {
        session xxx.xxx.xxx.xxx {   (IP of your validation server)
            refresh-time 120;
            hold-time 240;
            port 8323;
            local-address xxx.xxx.xxx.xxx;  (source IP of your router)
        }
    }
}

Keep in mind that if you use your loopback IP, you will need to be mindful of any loopback filters too.

Seth Garrett
Principal Network Systems Engineer
Indiana University
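The three policy terms above match on the valid/invalid/unknown state that the router computes from the VRPs it learns over the RTR session on port 8323. As an added example (not part of Seth's message or the RIPE validator's code), here is that origin-validation decision implemented per RFC 6811, run against a constructed VRP set using documentation prefixes and private ASNs:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """One Validated ROA Payload, as a validator delivers it over RTR."""
    prefix: Network
    max_length: int
    asn: int


def make_vrp(prefix: str, max_length: int, asn: int) -> VRP:
    """Build a VRP, rejecting a maxLength outside [prefixlen, address size]."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return VRP(net, max_length, asn)


def validate_origin(prefix: str, origin_asn: int, vrps: List[VRP]) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'unknown'.

    A VRP covers the route when the route is equal to or more specific than the
    VRP prefix.  No covering VRP -> unknown; a covering VRP whose ASN matches and
    whose maxLength admits the route's length -> valid; otherwise -> invalid
    (an AS0 ROA never matches any origin, so it only ever yields invalid).
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "unknown"
    for v in covering:
        if v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


# Constructed sample VRPs (documentation prefixes, private ASNs); not real ROA data.
SAMPLE_VRPS = [
    make_vrp("192.0.2.0/24", 24, 64496),
    make_vrp("2001:db8::/32", 48, 64496),
    make_vrp("198.51.100.0/24", 24, 0),  # AS0 ROA: nothing may originate this prefix
]

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496), ("203.0.113.0/24", 64496)]:
        print(pfx, "AS" + str(asn), validate_origin(pfx, asn, SAMPLE_VRPS))
```

A route that is less specific than every VRP is not covered and therefore stays unknown, which is why the UNKNOWN term above should still pass routes on rather than drop them.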