Configuring RPKI

Resource Public Key Infrastructure (RPKI) is used to secure BGP4+ by validating the origin ASs of BGP4+ routes.

Usage Scenario

When an RPKI server is available on the network and you want to validate the origin ASs of BGP4+ routes, you can configure RPKI on a client to accept only the routes that originate from the specified ASs. In addition, you can apply the validation result to BGP4+ route selection to ensure that hosts in the local AS can securely communicate with hosts in other ASs.

RPKI configuration on a client includes configuring basic RPKI session information and applying the BGP4+ origin AS validation result to route selection.

Pre-configuration Tasks

Before configuring RPKI, configure basic BGP4+ functions.

Procedure

  1. Start RPKI and configure RPKI session parameters on a client.
    1. Run system-view

      The system view is displayed.

    2. Run rpki

      RPKI is started, and the RPKI view is displayed.

    3. Run session ipv6-address

      An address of the RPKI server is specified for TCP connections to be set up between the client and RPKI server.

    4. Run tcp port port-number [ password md5 cipher-password | keychain keychain-name ]

      Parameters are configured for the TCP connection between the client and RPKI server.

      MD5 authentication is not recommended if high security is required.

    5. (Optional) Run timer { aging aging-time | refresh refresh-time }

      Timers are configured for the RPKI session between the client and the RPKI server.

      aging-time specifies the aging time of validation information, and refresh-time specifies the interval at which validation information is updated. You can configure the two timers to achieve the desired level of BGP4+ security. If high BGP4+ security is desired, configure a small value for each timer. Note that frequent validation information updates will lead to high bandwidth resource consumption.

    6. (Optional) Run connect-interface { interface-name | ipv6-source-address | interface-type interface-number | interface-type ipv6-source-address | interface-type interface-number ipv6-source-address }

      The source interface for sending RPKI packets is specified.

    7. (Optional) Run ssl-policy policy-name

      An SSL policy to be bound to the TCP connection between the device and RPKI server is configured.

    8. Run commit

      The configuration is committed.

      After configuring RPKI session parameters, run the reset rpki session command to reset the RPKI session for the new RPKI session parameters to take effect.
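      The following interactive session is an added example of step 1 on a client; it is not taken from the original page or from Huawei's documentation. The RPKI server address 2001:db8::100, TCP port 323, the keychain name rpki-kc, the SSL policy name rpki-ssl, the timer values and the view prompts are assumed values; the keychain and SSL policy are assumed to have been created separately. Keychain authentication is chosen instead of MD5 in line with the note above.

```text
# Added example: RPKI client session (addresses, names, timer values and prompts are illustrative).
<HUAWEI> system-view
[~HUAWEI] rpki
[*HUAWEI-rpki] session 2001:db8::100
# Keychain instead of MD5 for the TCP session; keychain "rpki-kc" is assumed to exist already.
[*HUAWEI-rpki-session] tcp port 323 keychain rpki-kc
# Shorter refresh / aging windows tighten how stale the ROA data may get, at the cost of more server traffic.
[*HUAWEI-rpki-session] timer refresh 300
[*HUAWEI-rpki-session] timer aging 1800
# Source the session from a loopback so it survives a single link failure.
[*HUAWEI-rpki-session] connect-interface LoopBack0
# Bind an SSL policy (assumed to exist) so the session is encrypted as well as authenticated.
[*HUAWEI-rpki-session] ssl-policy rpki-ssl
[*HUAWEI-rpki-session] commit
[~HUAWEI-rpki-session] quit
[~HUAWEI-rpki] quit
[~HUAWEI] quit
# New session parameters only take effect after the session is reset (address argument assumed).
<HUAWEI> reset rpki session 2001:db8::100
<HUAWEI> display rpki session 2001:db8::100 verbose
```

      After the reset, the verbose session display should show the session established with the keychain and SSL policy names configured above; an RPKI session that stays down leaves the client with no ROA data, so every route is then NotFound rather than Invalid.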

  2. Apply the BGP4+ origin AS validation result to BGP4+ route selection.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family unicast

      The IPv6 unicast address family view is displayed.

    4. Run prefix origin-validation enable

      Origin AS validation is enabled.

      After origin AS validation is enabled, the client periodically queries Route Origin Authorizations (ROAs) from the RPKI server and matches the origin AS of each received route against the ROAs. The validation result can be Valid, NotFound, or Invalid.

      To check ROA data, including origin ASs of routes, run the display rpki table command.

    5. Run bestroute origin-as-validation [ allow-invalid ]

      The BGP4+ origin AS validation result is applied to route selection.

      BGP4+ selects routes in the order of Valid, NotFound, and Invalid. If allow-invalid is not specified in the command, BGP4+ ignores the routes with the validation result being Invalid during route selection.

    6. Run peer { ipv6-address | group-name } advertise-ext-community

      The device is configured to advertise extended community attributes to a specified peer.

    7. Run peer { ipv6-address | group-name } advertise origin-as-validation

      The BGP4+ origin AS validation result is advertised to the specified BGP4+ peer or peer group.

    8. Run commit

      The configuration is committed.

  3. Configure the device to perform ROA on the routes to be advertised to an EBGP peer to control BGP4+ route advertisement.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run ipv6-family unicast

      The IPv6 unicast address family view is displayed.

    4. Run peer { peerIpv6Addr | peerGroupName } origin-validation export [ include-not-found [ external ] ]

      The local device is configured to perform ROA on the routes to be advertised to an EBGP peer.

      After the local device is configured to perform ROA on the routes to be advertised to an EBGP peer, the device compares the origin AS of a route with that of the matched route recorded in the database. The ROA result can be Valid (indicating that the origin AS is correct), NotFound (indicating no result), or Invalid (indicating that the origin AS is incorrect). By default, only the routes whose ROA result is Valid are advertised. To configure the device to advertise the routes with the ROA result being Valid or NotFound, specify the include-not-found keyword in the preceding command. To configure the device to advertise the routes with the ROA result being Valid or NotFound (if the routes with the result being NotFound were received from another AS), specify the include-not-found external keyword in the preceding command.

    5. Run commit

      The configuration is committed.
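      The following session is an added example covering both step 2 (applying the origin AS validation result to route selection) and step 3 (origin validation on routes exported to an EBGP peer); it is not from the original page or Huawei's documentation. The local AS 65001, the IBGP peer 2001:db8:1::2, the EBGP peer 2001:db8:2::2 in AS 65002 and the view prompts are assumed values, and the peer creation lines are the assumed basic BGP4+ pre-configuration.

```text
# Added example: local AS 65001; 2001:db8:1::2 is an IBGP peer, 2001:db8:2::2 an EBGP peer in AS 65002.
[~HUAWEI] bgp 65001
# Assumed pre-configuration from "configure basic BGP4+ functions".
[*HUAWEI-bgp] peer 2001:db8:1::2 as-number 65001
[*HUAWEI-bgp] peer 2001:db8:2::2 as-number 65002
[*HUAWEI-bgp] ipv6-family unicast
[*HUAWEI-bgp-af-ipv6] peer 2001:db8:1::2 enable
[*HUAWEI-bgp-af-ipv6] peer 2001:db8:2::2 enable
# Step 2: match each received route's origin AS against the ROAs and prefer Valid > NotFound > Invalid.
# allow-invalid is deliberately omitted, so Invalid routes are excluded from route selection.
[*HUAWEI-bgp-af-ipv6] prefix origin-validation enable
[*HUAWEI-bgp-af-ipv6] bestroute origin-as-validation
# Carry the validation result to the IBGP peer as an extended community attribute.
[*HUAWEI-bgp-af-ipv6] peer 2001:db8:1::2 advertise-ext-community
[*HUAWEI-bgp-af-ipv6] peer 2001:db8:1::2 advertise origin-as-validation
# Step 3: towards the EBGP peer advertise Valid and NotFound routes; Invalid routes are never advertised.
[*HUAWEI-bgp-af-ipv6] peer 2001:db8:2::2 origin-validation export include-not-found
[*HUAWEI-bgp-af-ipv6] commit
[~HUAWEI-bgp-af-ipv6] quit
[~HUAWEI-bgp] quit
# Inspect the ROA data the validation is based on.
[~HUAWEI] display rpki table
```

      Leaving out include-not-found would restrict the export to Valid routes only, which is the safest setting but drops every prefix that has no ROA yet; include-not-found external is the middle ground that forwards NotFound routes only when they were learned from another AS.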

  4. Apply the BGP4+ regional validation result to BGP4+ route selection.
    1. Run system-view

      The system view is displayed.

    2. Run rpki

      RPKI is started, and the RPKI view is displayed.

    3. Run region-validation

      Regional validation is enabled, and the regional validation view is displayed.

    4. Configure regions or a regional confederation as required.

      • Create a region.
        1. Run region region-id

          A region is created.

        2. Run description description-text

          A description is configured for the region.

        3. Run as-number { asn } &<1-100>

          An AS number list is configured so that the AS numbers in it can be added to the region.

        4. Run quit

          Exit the RPKI region-validation-region view.

      • Create a regional confederation.
        1. Run region region-id

          A region is created.

        2. Run quit

          Exit the RPKI region-validation-region view.

        3. Run region-confederation region-confederation-id

          A regional confederation is created.

        4. Run description description-text

          A description is configured for the regional confederation.

        5. Run region { region-id } &<1-100>

          A region ID list is configured in the regional confederation so that regions in the list are added to the regional confederation.

        6. Run quit

          Exit the RPKI region-validation-confederation view.

    5. Run bgp as-number

      The BGP view is displayed.

    6. Run ipv6-family unicast

      The IPv6 unicast address family view is displayed.

    7. Run region-validation

      BGP4+ regional validation is enabled.

      Or run region-validation confed-check strict

      Strict BGP4+ regional validation is enabled.

    8. Run bestroute region-validation [ allow-invalid ]

      The BGP4+ regional validation result is applied to BGP4+ route selection.

      If regional validation succeeds, the route is valid and can participate in route selection. If regional validation fails, the route is invalid and cannot participate in route selection. To allow the routes that fail regional validation to be valid and participate in route selection, configure the allow-invalid parameter in the command. The priority of such routes is reduced during route selection.

    9. Run commit

      The configuration is committed.
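      The following session is an added example of step 4 and is not from the original page or Huawei's documentation. It builds two regions and one regional confederation, then enables strict regional validation for BGP4+ route selection; the region IDs 1 and 2, the confederation ID 10, the AS numbers 65001 to 65003, the descriptions and the view prompts are all assumed values.

```text
# Added example: region 1 = ASs 65001 and 65002, region 2 = AS 65003, confederation 10 = regions 1 and 2.
[~HUAWEI] rpki
[*HUAWEI-rpki] region-validation
# Create the regions and populate their AS number lists.
[*HUAWEI-rpki-region-validation] region 1
[*HUAWEI-rpki-region-validation-region] description core-region
[*HUAWEI-rpki-region-validation-region] as-number 65001 65002
[*HUAWEI-rpki-region-validation-region] quit
[*HUAWEI-rpki-region-validation] region 2
[*HUAWEI-rpki-region-validation-region] description edge-region
[*HUAWEI-rpki-region-validation-region] as-number 65003
[*HUAWEI-rpki-region-validation-region] quit
# Group the regions into a regional confederation.
[*HUAWEI-rpki-region-validation] region-confederation 10
[*HUAWEI-rpki-region-validation-confederation] description core-and-edge
[*HUAWEI-rpki-region-validation-confederation] region 1 2
[*HUAWEI-rpki-region-validation-confederation] quit
[*HUAWEI-rpki-region-validation] quit
[*HUAWEI-rpki] quit
# Apply regional validation to BGP4+ route selection in the local AS 65001.
[*HUAWEI] bgp 65001
[*HUAWEI-bgp] ipv6-family unicast
# Strict confederation checking; allow-invalid is omitted so routes that fail regional validation
# do not take part in route selection at all.
[*HUAWEI-bgp-af-ipv6] region-validation confed-check strict
[*HUAWEI-bgp-af-ipv6] bestroute region-validation
[*HUAWEI-bgp-af-ipv6] commit
```

      With allow-invalid added to the bestroute command, routes that fail regional validation would still be candidates, only with reduced priority; omitting it, as here, is the stricter choice.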

Checking the Configurations

# Run the display rpki session ipv6-address verbose command to check RPKI session configurations.

Copyright © Huawei Technologies Co., Ltd.