RTR Service

Routinator has a built-in server for the RPKI-to-Router (RTR) protocol. It supports RFC 8210 as well as the older version described in RFC 6810. When launched as an RTR server, routers with support for route origin validation (ROV) can connect to Routinator to fetch the processed data.

Tip

If you would like to run the RTR server as a separate daemon, for example because you want to centralise validation and distribute processed data to various locations where routers can connect, then NLnet Labs provides RTRTR.

In order to start the RTR server at 192.0.2.13 and 2001:0DB8::13 on port 3323, run Routinator using the server subcommand:

routinator server --rtr 192.0.2.13:3323 --rtr [2001:0DB8::13]:3323

Please note that port 3323 is not the IANA-assigned default port for the protocol, which would be 323. But as this is a privileged port, you would need to be running Routinator as root when otherwise there is no reason to do that.

Communication between Routinator and the router using the RPKI-RTR protocol is done via plain TCP. Below, there is an explanation how to secure the transport using either SSH or TLS.

Secure Transports

These instructions were contributed by wk on Github.

RFC 6810#section-7 defines a number of secure transports for RPKI-RTR that can be used to secure communication between a router and a RPKI relying party.

However, the RPKI Router Implementation Report documented in RFC 7128#section-5 suggests these secure transports have not been widely implemented. Implementations, however, do exist, and a secure transport could be valuable in situations where the RPKI relying party is provided as a public service, or across a non-trusted network.

SSH Transport

SSH transport for RPKI-RTR can be configured with the help of netcat and OpenSSH.

  1. Begin by installing the openssh-server and netcat packages.

Make sure Routinator is running as an RTR server on localhost:

routinator server --rtr 127.0.0.1:3323
  1. Create a username and a password for the router to log into the host with, such as rpki.

  2. Configure OpenSSH to expose an rpki-rtr subsystem that acts as a proxy into Routinator by editing the /etc/ssh/sshd_config file or equivalent to include the following line:

# Define an `rpki-rtr` subsystem which is actually `netcat` used to
# proxy STDIN/STDOUT to a running `routinator server --rtr 127.0.0.1:3323`
Subsystem       rpki-rtr        /bin/nc 127.0.0.1 3323

# Certain routers may use old KEX algos and Ciphers which are no longer enabled by default.
# These examples are required in IOS-XR 5.3 but no longer enabled by default in OpenSSH 7.3
Ciphers +3des-cbc
KexAlgorithms +diffie-hellman-group1-sha1

# Only allow the rpki user to execute this one command
Match User rpki
    ForceCommand /bin/nc localhost 3323
    PasswordAuthentication yes
Match all
  1. Restart the OpenSSH server daemon.

  2. Set up the router running IOS-XR using this example configuration:

router bgp 65534
 rpki server 192.168.0.100
  username rpki
  password <password>
  transport ssh port 22

TLS Transport

TLS transport for RPKI-RTR can be configured with the help of stunnel.

  1. Begin by installing the stunnel package.

  2. Make sure Routinator is running as an RTR server on localhost:

routinator server --rtr 127.0.0.1:3323
  1. Acquire (via for example Let’s Encrypt) or generate an SSL certificate. In the example below, an SSL certificate for the domain example.com generated by Let’s Encrypt is used.

  2. Create an stunnel configuration file by editing /etc/stunnel/rpki.conf or equivalent:

[rpki]
; Use a letsencrypt certificate for example.com
cert = /etc/letsencrypt/live/example.com/fullchain.pem
key = /etc/letsencrypt/live/example.com/privkey.pem

; Listen for TLS rpki-rtr on port 323 and proxy to port 3323 on localhost
accept = 323
connect = 127.0.0.1:3323
  1. Restart stunnel to complete the process.