Configuring RPKI

Resource Public Key Infrastructure (RPKI) ensures BGP security by validating the origin ASs of BGP routes.

Usage Scenario

RPKI is mainly applied to networks where an RPKI server exists and the origin ASs of BGP routes need to be validated. In addition, you can apply the validation result to BGP route selection to ensure that hosts in the local AS can securely communicate with hosts in other ASs.

RPKI configuration on a client includes configuring basic RPKI session information and applying the BGP origin AS validation result to route selection.

Pre-configuration Tasks

Before configuring RPKI, complete the following tasks:

Procedure

  • Start RPKI and configure RPKI session parameters on a client.
    1. Run system-view

      The system view is displayed.

    2. Run rpki

      RPKI is started, and the RPKI view is displayed.

    3. Run session ipv4-address

      An address of the RPKI server is specified for a TCP connection to be set up between the client and RPKI server.

    4. Run tcp port port-number [ password md5 cipher-password | keychain keychain-name ]

      Parameters are configured for the TCP connection to be set up between the client and RPKI server.

      MD5 authentication is not recommended if high security is required.

      • The new password must be at least eight characters long and must contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters, except the question mark (?) and space.

      • For security purposes, you are advised to configure a password in ciphertext mode. To further improve device security, periodically change the password.

    5. (Optional) Run timer { aging aging-time | refresh refresh-time }

      Timers are configured for the RPKI session between the client and the RPKI server.

      aging-time specifies the aging time of validation information, and refresh-time specifies the interval at which validation information is updated. You can configure the two timers to achieve the desired level of BGP security. If high BGP security is desired, configure a small value for each timer. Note that frequent validation information updates will lead to high bandwidth resource consumption.

    6. (Optional) Run rpki-limit limit [ alert-only | idle-forever | idle-timeout times ]

      The maximum number of Route Origination Authorization (ROA) entries that the device is allowed to receive in a session is configured.

      In most cases, a large number of ROA entries exist on an RPKI server. If the device receives a large number of ROA entries from the RPKI server, excessive system resources will be consumed. To prevent this problem, run the rpki-limit command to configure the maximum number of ROA entries that the BGP device is allowed to receive in a session.

    7. (Optional) Run connect-interface { interface-name | ipv4-source-address | interface-type interface-number | interface-type ipv4-source-address | interface-type interface-number ipv4-source-address }

      The source interface for sending RPKI packets is specified.

    8. (Optional) Run ssl-policy policy-name

      An SSL policy to be bound to the TCP connection between the device and RPKI server is configured.

    9. Run commit

      The configuration is committed.

      After RPKI session configurations are changed, run the reset rpki session command to reset the involved RPKI session for the new configurations to take effect.

  • Apply the BGP origin AS validation result to route selection.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run prefix origin-validation enable

      Origin AS validation of RPKI is enabled.

      After origin AS validation is enabled, the device matches the origin AS of each received route against the ROAs in the database and provides the validation result, which can be Valid, NotFound, or Invalid.

      To check ROA data of routes, including the origin ASs, run the display rpki table command. RPKI origin AS validation takes effect on the routes received from EBGP peers, not on the routes received from IBGP peers.

    4. Run bestroute origin-as-validation [ allow-invalid ]

      The BGP origin AS validation result of RPKI is applied to route selection.

      BGP selects routes in the order of Valid, NotFound, and Invalid. If allow-invalid is not specified in the command, BGP ignores the routes with the validation result being Invalid during route selection.

    5. Run peer { ipv4-address | group-name } advertise-ext-community

      The device is configured to advertise extended community attributes to a specified peer.

    6. Run peer { ipv4-address | group-name } advertise origin-as-validation

      The BGP device is enabled to advertise the origin AS validation result of RPKI to the specified peer or peer group.

      The BGP origin AS validation result of RPKI can be advertised only to IBGP peers.

    7. Run commit

      The configuration is committed.

  • Configure the device to perform ROA on the routes to be advertised to an EBGP peer to control BGP route advertisement.
    1. Run system-view

      The system view is displayed.

    2. Run bgp as-number

      The BGP view is displayed.

    3. Run peer { peerIpv4Addr | peerGroupName } origin-validation export [ include-not-found [ external ] ]

      The local device is configured to perform ROA on the routes to be advertised to an EBGP peer.

      After the local device is configured to perform ROA on the routes to be advertised to an EBGP peer, the device compares the origin AS of each route with the origin AS of the matching entry recorded in the ROA database. The ROA result can be Valid (indicating that the origin AS is correct), NotFound (indicating no result), or Invalid (indicating that the origin AS is incorrect).

      • By default, only the routes whose ROA result is Valid are advertised.

      • To configure the device to advertise the routes with the ROA result being Valid or NotFound, specify the include-not-found keyword in the preceding command.

      • To configure the device to advertise the routes with the ROA result being Valid or NotFound, where the routes with the result being NotFound are advertised only if they were received from another AS, specify the include-not-found external keyword in the preceding command.

    4. Run commit

      The configuration is committed.

  • Apply the BGP regional validation result to BGP route selection.
    1. Run system-view

      The system view is displayed.

    2. Run rpki

      RPKI is started, and the RPKI view is displayed.

    3. Run region-validation

      Regional validation is enabled, and the regional validation view is displayed.

    4. You can configure regions or regional confederations as required.

      • Create a region.
        1. Run region region-id

          A region is created.

        2. Run description description-text

          A description is configured for the region.

        3. Run as-number { asn } &<1-100>

          An AS number list is configured; the AS numbers in the list are added to the region.

        4. Run quit

          Exit the RPKI region-validation-region view.

      • Create a regional confederation.
        1. Run region region-id

          A region is created.

        2. Run quit

          Exit the RPKI region-validation-region view.

        3. Run region-confederation region-confederation-id

          A regional confederation is created.

        4. Run description description-text

          A description is configured for the regional confederation.

        5. Run region { region-id } &<1-100>

          A region ID list is configured in the regional confederation so that regions in the list are added to the regional confederation.

        6. Run quit

          Exit the RPKI region-validation-confederation view.

    5. Run bgp as-number

      The BGP view is displayed.

    6. Run region-validation

      BGP regional validation is enabled.

      Or run region-validation confed-check strict

      Strict BGP regional validation is enabled.

    7. Run bestroute region-validation [ allow-invalid ]

      The BGP regional validation result of RPKI is applied to BGP route selection.

      If regional validation succeeds, the route is valid and can participate in route selection. If regional validation fails, the route is invalid and cannot participate in route selection. To allow the routes that fail regional validation to be valid and participate in route selection, configure the allow-invalid parameter in the command. The priority of such routes is reduced during route selection.

    8. Run commit

      The configuration is committed.
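The three origin AS validation outcomes (Valid, NotFound, Invalid), the route-selection order applied by bestroute origin-as-validation [ allow-invalid ], and the export behaviour of peer origin-validation export [ include-not-found [ external ] ] are illustrated below in Python. This is an added example, not Huawei code and not the device's own implementation. It assumes that the ROA matching rule is the one in RFC 6811 (a route is NotFound when no ROA covers its prefix, Valid when a covering ROA carries the route's origin AS and permits its prefix length, otherwise Invalid), that "received from another AS" for the external keyword means learned from an EBGP peer, and that local preference is the only tie-break among routes in the same validation state. The ROA table and routes are constructed sample data.

```python
"""Origin validation, route selection and export filtering as described in the
procedure above. Added illustration, not Huawei code. ROA matching follows
RFC 6811 (assumption: the device applies the same covering-prefix/maxLength rule)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass(frozen=True)
class ROA:
    prefix: str      # authorised prefix, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the ROA authorises
    origin_as: int   # AS authorised to originate the prefix


@dataclass
class Route:
    prefix: str
    origin_as: int
    from_ebgp: bool       # learned from an EBGP peer, i.e. from another AS (assumption)
    local_pref: int = 100


# Constructed sample ROA database (stands in for what `display rpki table` shows).
ROAS: List[ROA] = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 26, 64497),
]


def covers(roa: ROA, prefix: str) -> bool:
    """A ROA covers a route when the ROA prefix contains the route prefix."""
    r, p = ip_network(roa.prefix), ip_network(prefix)
    return p.version == r.version and p.subnet_of(r)


def validate(route: Route, roas: List[ROA] = ROAS) -> str:
    """RFC 6811 outcome: NotFound if nothing covers the prefix; Valid if some
    covering ROA has the route's origin AS and allows its length; else Invalid."""
    covering = [r for r in roas if covers(r, route.prefix)]
    if not covering:
        return "NotFound"
    plen = ip_network(route.prefix).prefixlen
    for r in covering:
        if r.origin_as == route.origin_as and plen <= r.max_length:
            return "Valid"
    return "Invalid"


# Preference order used by `bestroute origin-as-validation`: Valid, then NotFound, then Invalid.
RANK = {"Valid": 0, "NotFound": 1, "Invalid": 2}


def select_best(routes: List[Route], allow_invalid: bool = False) -> Optional[Route]:
    """Rank candidates by validation state first. Without allow-invalid the
    Invalid routes are excluded from selection rather than merely ranked last.
    Tie-break on local preference only (constructed simplification)."""
    candidates = [r for r in routes if allow_invalid or validate(r) != "Invalid"]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (RANK[validate(r)], -r.local_pref))


def export_to_ebgp(route: Route, include_not_found: bool = False,
                   external: bool = False) -> bool:
    """`peer X origin-validation export [include-not-found [external]]`:
    default advertises only Valid routes; include-not-found also advertises
    NotFound routes; with external, a NotFound route is advertised only if it
    was itself received from another AS (EBGP-learned, by assumption)."""
    state = validate(route)
    if state == "Valid":
        return True
    if state == "NotFound" and include_not_found:
        return route.from_ebgp if external else True
    return False


if __name__ == "__main__":
    sample = [
        Route("192.0.2.0/24", 64496, True, local_pref=50),    # Valid
        Route("192.0.2.0/25", 64496, True, local_pref=200),   # Invalid: longer than maxLength
        Route("203.0.113.0/24", 64496, False, local_pref=100),  # NotFound: no covering ROA
    ]
    for r in sample:
        print(r.prefix, r.origin_as, validate(r), export_to_ebgp(r, True, True))
    best = select_best(sample)
    print("best:", best.prefix if best else None)
```

Running the block prints each sample route's outcome and shows that the Valid route wins selection despite its lower local preference, which is the point of applying the validation result to route selection.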

Verifying the Configuration

Run the display rpki session ipv4-address verbose command to verify the RPKI session configuration.

Copyright © Huawei Technologies Co., Ltd.