netsec-sig - Re: [Security-WG] RIPE RPKI v3 Docker Containers
Subject: Internet2 Network Security SIG
- From: "Dale W. Carder" <>
- To:
- Subject: Re: [Security-WG] RIPE RPKI v3 Docker Containers
- Date: Mon, 6 Aug 2018 16:28:44 -0500
Hi Seth,
RIPE specifically ships the software reachable only to localhost and
recommends using a reverse proxy to manage access. Based on that, my
read is that it may not be a good idea to distribute a build of this
software that is accessible to the public by default.
Dale
Thus spake Garrett, Seth B on Mon, Aug 06, 2018 at 09:23:04PM +0000:
> Here are Docker containers I made for the RIPE RPKI version 3 validation
> server. I first started with a Centos container that was 600MB. These are
> built on the openjdk:8-alpine container which gets them down to 165MB.
> I've been running them successfully in AWS using a t2.medium EC2 Docker
> host running the AWS Linux OS.
>
> RPKI is pretty easy to get started with. Information shared from Andrew
> Gallo and others is a very good place to start.
>
> Docker Hub:
> https://hub.docker.com/r/toomscj7/rpki3-rtr-server-alpine/
> https://hub.docker.com/r/toomscj7/rpki3-validator-alpine/
>
> GitHub:
> https://github.com/sethgarrett/rpki-rtr-server-alpine
> https://github.com/sethgarrett/rpki-validator-alpine
>
>
> Note: They will start listening on all interfaces. Keep that in mind with
> regards to your Docker host's orientation to the public. You can modify
> the application.properties files and rebuild to adjust that.
>
> https://github.com/RIPE-NCC/rpki-validator-3/
>
> ===========================================
> Juniper Config
>
> BGP Import Policy (chained before our existing import)
> policy-options policy-statement RPKI-VALIDATE-NEXT-POLICY
>     term VALID {
>         from {
>             protocol bgp;
>             validation-database valid;
>         }
>         then {
>             validation-state valid;
>             next policy;
>         }
>     }
>     term INVALID {
>         from {
>             protocol bgp;
>             validation-database invalid;
>         }
>         then {
>             validation-state invalid;
>             next policy;
>         }
>     }
>     term UNKNOWN {
>         from {
>             protocol bgp;
>             validation-database unknown;
>         }
>         then {
>             validation-state unknown;
>             next policy;
>         }
>     }
>     term DEFAULT {
>         then next policy;
>     }
>
> Validation Server Router Config (under routing-options)
> validation {
>     group RPKI-VALIDATOR {
>         session xxx.xxx.xxx.xxx { (IP of your validation server)
>             refresh-time 120;
>             hold-time 240;
>             port 8323;
>             local-address xxx.xxx.xxx.xxx; (source IP of your router)
>         }
>     }
> }
>
> Keep in mind if you use your loopback IP that you will need to be mindful
> of any loopback filters too.
>
>
>
>
>
> Seth Garrett
> Principal Network Systems Engineer
> Indiana University
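
An added example, not part of the original thread or of either project's code: a check for the exposure discussed above, reading the output of `ss -ltnH` on the Docker host and reporting validator ports that listen on anything other than loopback. Port 8323 is the RTR port from the router config above; ports 8080 and 8081 are assumed HTTP ports, and the sample `ss` lines are constructed.

```python
import ipaddress

# 8323 is the RTR port from the router config; 8080/8081 are assumed HTTP ports.
VALIDATOR_PORTS = {8323, 8080, 8081}

def exposed_listeners(ss_output, ports=VALIDATOR_PORTS):
    """Return sorted (address, port) pairs taken from `ss -ltnH` output that
    listen on one of `ports` at a non-loopback address."""
    exposed = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column: 0.0.0.0:8080, [::]:8323, *:8323 ...
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in ports:
            continue
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets, %iface scope
        if host == "*":                        # wildcard: every interface
            exposed.add((host, int(port)))
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            exposed.add((host, int(port)))     # unparseable: report, fail closed
            continue
        # Treat IPv4-mapped IPv6 (::ffff:127.0.0.1) as its IPv4 address.
        mapped = getattr(addr, "ipv4_mapped", None)
        if mapped is not None:
            addr = mapped
        if not addr.is_loopback:
            exposed.add((host, int(port)))
    return sorted(exposed)

# Constructed sample of `ss -ltnH` output, not captured from a real host.
SAMPLE = """\
LISTEN 0 100 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::1]:8081 [::]:*
LISTEN 0 128 *:8323 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE):
        print(f"port {port} is listening on {host}, not only on loopback")
```

An empty result means every listed validator port is bound to loopback only, which is the arrangement that goes with a reverse proxy in front.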