RTR Service¶
Routinator has a built-in server for the RPKI-to-Router (RTR) protocol, which
can be started with the --rtr
command line option or the
rtr-listen option in the configuration file.
Routinator supports RTR version 1 described in RFC 8210, as well as the older version from RFC 6810. After the first validation run has completed, routers with support for route origin validation (ROV) can connect to Routinator to fetch the processed data.
Tip
If you would like to run the RTR server as a separate daemon, for example because you want to centralise validation and distribute processed data to various locations where routers can connect, then NLnet Labs provides RTRTR.
In the examples throughout the documentation we use port 3323 for RTR connections, but please note that this is not the IANA-assigned default port for the protocol, which would be 323. But as this is a privileged port, you would need to be running Routinator as root when otherwise there is no reason to do that.
Secure Transports¶
Although there is no mandatory-to-implement transport that provides authentication and integrity protection, RFC 6810#section-7 defines a number of secure transports for RPKI-RTR that can be used to secure communications, including TLS, SSH, TCP MD5 and TCP-AO.
Routinator has native support for TLS connections, and can be configured to use SSH Transport with some additional tooling.
TLS Transport¶
It’s possible to natively use RTR-over-TLS connections with Routinator. There is an IANA-assigned default port for rpki-rtr-tls as well, in this case 324.
Currently, very few routers have implemented support for TLS, but it may be especially useful to use secure connections when deploying our RTR data proxy RTRTR, as data may be flowing across the public Internet.
In this example we’ll start Routinator’s RTR server listening on the IP addresses 192.0.2.13 and 2001:0DB8::13 and use port 3324 to make sure it’s not a privileged port.
First, indicate that you want a TLS connection with the --rtr-tls
option. Then use the --rtr-tls-cert
option to specify the path to a
file containing the server certificates to be used. This file has to contain
one or more certificates encoded in PEM format. Lastly, use the
--rtr-tls-key
option to specify the path to a file containing the
private key to be used for RTR-over-TLS connections. The file has to contain
exactly one private key encoded in PEM format:
routinator server --rtr-tls 192.0.2.13:3324 \
--rtr-tls [2001:0DB8::13]:3324 \
--rtr-tls-cert "/path/to/rtr-tls.crt" \
--rtr-tls-key "/path/to/rtr-tls.key"
If you want to securely connect to Routinator with RTRTR using the
RTR-TLS Unit, a certificate that is
trusted by the usual set of web trust anchors will work with no additional
configuration. In case you generated a self-signed certificate for
Routinator, make sure to copy the certificate to your machine running RTRTR
and refer to the path of the file in your unit using the cacerts
configuration option.
New in version 0.11.0.
SSH Transport¶
These instructions were contributed by Wild Kat.
SSH transport for RPKI-RTR can be configured with the help of netcat and OpenSSH.
Begin by installing the openssh-server and netcat packages.
Make sure Routinator is running as an RTR server on localhost:
routinator server --rtr 127.0.0.1:3323
Create a username and a password for the router to log into the host with, such as
rpki
.Configure OpenSSH to expose an
rpki-rtr
subsystem that acts as a proxy into Routinator by editing the/etc/ssh/sshd_config
file or equivalent to include the following line:
# Define an `rpki-rtr` subsystem which is actually `netcat` used to
# proxy STDIN/STDOUT to a running `routinator server --rtr 127.0.0.1:3323`
Subsystem rpki-rtr /bin/nc 127.0.0.1 3323
# Certain routers may use old KEX algos and Ciphers which are no longer enabled by default.
# These examples are required in IOS-XR 5.3 but no longer enabled by default in OpenSSH 7.3
Ciphers +3des-cbc
KexAlgorithms +diffie-hellman-group1-sha1
# Only allow the rpki user to execute this one command
Match User rpki
ForceCommand /bin/nc localhost 3323
PasswordAuthentication yes
Match all
Restart the OpenSSH server daemon.
Set up the router running IOS-XR using this example configuration:
router bgp 65534
rpki server 192.168.0.100
username rpki
password <password>
transport ssh port 22
Configuring Routers¶
Route Origin Validation is supported on most hardware and software routers. This documentation does not provide authoritative information on how to configure each router platform, but aims to provide helpful pointers.
Hardware Routers¶
Software Routers¶
See also
Rejecting RPKI Invalid BGP Routes in the NLNOG BGP Filter Guide.
Note
For additions or corrections, please open an issue or submit a pull request.