BGP Prefix Validation Using RPKI-RTR Configuration

Configuration Hierarchy

[Figure: BGP RPKI Configuration Hierarchy] The diagram illustrates the configuration hierarchy of the BGP prefix validation mechanism.

Configuration Syntax and Commands

The following sections describe the BGP RPKI prefix validation configuration syntax and commands.

Configure Validation Session with RPKI Local Cache

The following configuration commands define a validation session on an RBFS device. They specify the session parameters: cache IP address, update source, port, and preference.

In scenarios where multiple caches are available, the system employs a deterministic method for selecting the preferred cache. The cache preference method provides a way to determine which cache should be used based on configurable priorities.

Cache Preference:

  1. When a preference is configured, the cache with the numerically lower preference value is selected.

  2. If no preference is configured, or two caches have the same preference value, the selection follows these rules:

    • Among IPv4 caches, the cache with the higher IP address is preferred.

    • Among IPv6 caches, the cache with the higher IP address is preferred.

    • Between IPv4 and IPv6 caches, the IPv4 cache takes precedence over IPv6.
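The cache selection rules above, implemented as an added example (not RBFS code). It assumes that a cache with no configured preference ranks after any cache that has one, since the text only states the tie-break rules; the sample sessions are the IPv4/IPv6 pair used later on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption (not stated on the page): a cache without a configured
# preference ranks after every cache that has one. 256 is outside 1-255.
NO_PREFERENCE = 256

@dataclass
class RpkiCache:
    """One configured RPKI-RTR validation session (constructed sample data)."""
    address: str
    update_source: str
    port: int = 3323                  # RTR default port
    preference: Optional[int] = None  # 1-255, numerically lower wins

    def __post_init__(self) -> None:
        ipaddress.ip_address(self.address)  # reject malformed addresses early
        if self.preference is not None and not 1 <= self.preference <= 255:
            raise ValueError("preference must be in range 1-255")

def _rank(cache: RpkiCache) -> tuple:
    ip = ipaddress.ip_address(cache.address)
    pref = NO_PREFERENCE if cache.preference is None else cache.preference
    # Sort key, smallest wins:
    #  1. numerically lower configured preference
    #  2. on a tie, IPv4 (version 4) before IPv6 (version 6)
    #  3. within one family, the numerically higher address (hence negated)
    return (pref, ip.version, -int(ip))

def rank_caches(caches: list[RpkiCache]) -> list[RpkiCache]:
    """All configured caches, preferred first."""
    return sorted(caches, key=_rank)

def select_cache(caches: list[RpkiCache]) -> Optional[RpkiCache]:
    """The cache the router would use, or None if none is configured."""
    ranked = rank_caches(caches)
    return ranked[0] if ranked else None

if __name__ == "__main__":
    # The page's own sessions: IPv4 with preference 100, IPv6 with preference 10.
    sessions = [
        RpkiCache("192.168.5.50", "192.168.5.20", preference=100),
        RpkiCache("192:168:5::50", "192:168:5::20", port=3346, preference=10),
    ]
    print(select_cache(sessions).address)  # 192:168:5::50
```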

Syntax

set instance <instance-name> protocol validation session [ipv4|ipv6] <cache-address> <update-source> [port <port>] [preference <preference>]

Attribute Description

cache-address

Cache server IP address.

update-source

Specify the source IP address. This address is used to establish the TCP connection with the RPKI cache to fetch RPKI data.

port

Port number used for the RPKI local cache. Range 1 - 65535. Default port is 3323. If you do not configure a port, the default port number is used.

preference

Enables RBFS to select the validated route records from the preferred cache. Range 1 - 255. A numerically lower preference value indicates a higher preference.

Example: Validation session with the RPKI local cache

The following configuration sets up RPKI validation for both IPv4 and IPv6 routes in BGP. The IPv4 session connects the router to an RPKI cache server over the RTR protocol using the cache server IP address 192.168.5.50; the update-source, that is, the source IP address of the session, is 192.168.5.20. No port is configured for the IPv4 session, so the default RTR port 3323 is used.

For the IPv6 session, the cache server IP address is 192:168:5::50 and the source IP address is 192:168:5::20. The port used for RTR communication is set to 3346.

The preference value for the IPv4 session is set to 100 and the preference value for the IPv6 session to 10. The preference value determines which session is prioritized when both sessions are available; a lower numerical value indicates a higher preference. In this scenario the IPv6 session has the lower value and therefore takes priority over the IPv4 session.

set instance vrf-blue protocol validation session ipv4 192.168.5.50 192.168.5.20
set instance vrf-blue protocol validation session ipv4 192.168.5.50 192.168.5.20 preference 100
set instance vrf-blue protocol validation session ipv6 192:168:5::50 192:168:5::20
set instance vrf-blue protocol validation session ipv6 192:168:5::50 192:168:5::20 port 3346
set instance vrf-blue protocol validation session ipv6 192:168:5::50 192:168:5::20 preference 10

The following output shows the configured validation sessions with the RPKI local caches.

supervisor@rtbrick.net: cfg> show config instance vrf-blue protocol validation
{
  "rtbrick-config:validation": {
    "session": {
      "ipv4": [
        {
          "cache-address": "192.168.5.50",
          "update-source": "192.168.5.20",
          "preference": 100
        }
      ],
      "ipv6": [
        {
          "cache-address": "192:168:5::50",
          "update-source": "192:168:5::20",
          "port": 3346,
          "preference": 10
        }
      ]
    }
  }
}

Configure BGP Validation Instance

Syntax

set instance <instance-name> protocol bgp validation-instance <validation-instance>

Attribute Description

<validation-instance>

Validation instance name.

Example: Validation Instance configuration

The following configuration sets up 'vrf-blue' as a validation instance.

set instance default protocol bgp validation-instance vrf-blue

The following output shows the validation instance configured as vrf-blue.

supervisor@rtbrick.net: cfg> show config instance default protocol bgp validation-instance
{
  "rtbrick-config:validation-instance": "vrf-blue"
}

Configure BGP Validation Filter

The validation filter is configured under a specific BGP peer group.

Syntax

set instance <instance-name> protocol bgp peer-group <pg-name> validation-filter [strict|loose|mark-only|disable]

Attribute Description

strict

BGP accepts only the valid routes.

loose

BGP accepts both valid routes and unknown routes, but rejects routes with an invalid RPKI validation state.

mark-only

BGP accepts valid, invalid, and unknown routes. All processing of the RPKI validation state must be done in routing policy.

disable

No route validation is performed. Routes are installed based on the BGP route selection process.
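An added example (not RBFS code) that derives a route's RPKI validation state from a set of ROAs with the standard RFC 6811 origin-validation rules and then applies the four validation-filter modes described above. The ROAs and ASNs are constructed sample values using documentation prefixes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Roa:
    """A validated ROA record as learned over RTR: prefix, maxLength, origin AS."""
    prefix: str
    max_length: int
    asn: int

def validation_state(prefix: str, origin_as: int, roas: list[Roa]) -> str:
    """RFC 6811 route origin validation: returns 'valid', 'invalid' or 'unknown'."""
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this prefix
        if route.prefixlen <= roa.max_length and roa.asn == origin_as:
            return "valid"
    return "invalid" if covered else "unknown"

# States each validation-filter mode lets BGP accept, per the attribute table.
FILTER_ACCEPTS = {
    "strict": {"valid"},
    "loose": {"valid", "unknown"},
    "mark-only": {"valid", "invalid", "unknown"},
}

def apply_validation_filter(mode: str, prefix: str, origin_as: int,
                            roas: list[Roa]) -> tuple[bool, Optional[str]]:
    """Return (accepted, state). 'disable' performs no validation at all."""
    if mode == "disable":
        return True, None
    if mode not in FILTER_ACCEPTS:
        raise ValueError(f"unknown validation-filter mode: {mode}")
    state = validation_state(prefix, origin_as, roas)
    # mark-only accepts everything but hands the state on for policy to act on
    return state in FILTER_ACCEPTS[mode], state

# Constructed sample ROAs (documentation prefixes, private-use ASNs).
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/24", 26, 64497),
]
```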

Example: Validation filter configuration

The following configuration defines the validation filter as 'loose', which means BGP accepts both valid routes and unknown routes, but rejects routes with invalid RPKI data.

set instance default protocol bgp peer-group P2 validation-filter loose

The following output shows the validation filter as "loose".

supervisor@rtbrick.net: cfg> show config instance default protocol bgp peer-group P2 validation-filter
{
  "rtbrick-config:validation-filter": "loose"
}

The following example shows the configuration of BGP validation filter "mark-only."

set instance default protocol bgp peer-group pg1 validation-filter mark-only
supervisor@rtbrick>LEAF01: cfg> show config instance default protocol bgp peer-group pg1 validation-filter
{
  "rtbrick-config:validation-filter": {
    "mark-only": "true"
  }
}

Ignoring RPKI Validation State When Selecting BGP Best Route

RBFS can be configured to ignore the RPKI validation state when selecting the BGP best route. Exercise caution when doing this, as it can cause unexpected results such as black holes and routing loops.

Both "validation-filter mark-only" and "ignore-validation-state true" must be configured to enable proper processing in policy.

Syntax

set instance <instance-name> protocol bgp bestroute-selection ignore-validation-state [false|true]

The following example shows the configuration for ignoring the RPKI validation state.

set instance default protocol bgp bestroute-selection ignore-validation-state true
supervisor@rtbrick>LEAF01: cfg> show config instance default protocol bgp bestroute-selection
{
  "rtbrick-config:bestroute-selection": {
    "ignore-validation-state": "true"
  }
}