Router Configuration Examples

Introduction

The content of this page is based on the results of research conducted jointly with the Okada Laboratory at University of Nagasaki during fiscal 2023.

General guidelines

Enabling ROV on a BGP router involves several steps. Generally, the following preparations are required:

  • Connecting to ROA cache servers
    • Configuring priority levels for connecting to multiple servers
    • Designing protocol timer values
  • Setting validation for VRPs and RIB routes
    • Settings to ensure that invalid routes are not deleted from the RIB
  • Managing RIB routes based on validation results
    • Whether or not to provide information through iBGP
    • Raising or lowering priority levels
    • Deleting invalid routes, etc.

ROA cache servers

Loss of connectivity to a ROA cache server can significantly impact routing table information, and traffic forwarding based on that information. To ensure stable maintenance of routing information, it is recommended to configure connections to multiple ROA cache servers. This page provides configuration examples for the following operating systems, which can be configured for multiple caches.

OS           Multiple ROA caches   Remarks
IOS-XR/XE    Yes                   Processes VRPs from multiple caches as a unified VRP set
JUNOS        Yes                   Establishes RTR sessions with prioritized caches

Timer values

BGP routers and ROA caches support several configurable timer values. The following table summarizes the timers implemented on each relevant operating system; cells marked "yes" correspond to the timers that appear in the configuration sections below:

Timer                          IOS-XR/XE   JUNOS
hold-time                                  yes
refresh-time                   yes         yes
record-lifetime (purge-time)   yes         yes
retry-time
response-time                  yes

The definitions of these timers are as follows:

  • hold-time: Maximum time the session is kept up when there is no communication between the BGP router and the ROA cache.
  • refresh-time: Interval at which the BGP router sends regular Serial Query PDUs to the ROA cache.
  • record-lifetime: Period for which VRPs obtained from the ROA cache remain valid after the BGP router loses its connection to the cache.
  • retry-time: Interval before the router retries a connection to the ROA cache after it is lost due to an error.
  • response-time: Time the router waits for a response from the ROA cache after sending a query.
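To make the relationship between these timers and the RTR protocol concrete, here is an added Python example (not part of the original page and not any vendor's code) that encodes the Serial Query PDU a router sends every refresh-time and decodes the End of Data PDU with which a cache advertises its own refresh, retry and expire intervals (RFC 8210, protocol version 1). It then compares router-side timer values against what the cache advertised. The sample PDU bytes and the timer values are constructed for the example; the hold-time rule (at least twice refresh-time) is the one stated in the JUNOS section of this page.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# RFC 8210 (RPKI-to-Router protocol, version 1) constants.
RTR_VERSION = 1
PDU_SERIAL_QUERY = 1
PDU_END_OF_DATA = 7
SERIAL_QUERY_LEN = 12
END_OF_DATA_LEN = 24


@dataclass(frozen=True)
class EndOfData:
    """Timers the cache advertises at the end of every data exchange."""
    session_id: int
    serial: int
    refresh_interval: int   # seconds between Serial Queries (router-side: refresh-time)
    retry_interval: int     # seconds to wait before reconnecting after a failure (retry-time)
    expire_interval: int    # seconds VRPs stay usable without the cache (record-lifetime / purge-time)


def build_serial_query(session_id: int, serial: int) -> bytes:
    """Encode the Serial Query PDU the router sends every refresh-time."""
    return struct.pack("!BBHII", RTR_VERSION, PDU_SERIAL_QUERY,
                       session_id, SERIAL_QUERY_LEN, serial)


def parse_end_of_data(pdu: bytes) -> EndOfData:
    """Decode a version-1 End of Data PDU and check its fields against RFC 8210."""
    if len(pdu) != END_OF_DATA_LEN:
        raise ValueError(f"End of Data PDU must be {END_OF_DATA_LEN} bytes, got {len(pdu)}")
    version, pdu_type, session_id, length, serial, refresh, retry, expire = \
        struct.unpack("!BBHIIIII", pdu)
    if version != RTR_VERSION or pdu_type != PDU_END_OF_DATA or length != END_OF_DATA_LEN:
        raise ValueError("not a version-1 End of Data PDU")
    # Ranges from RFC 8210: refresh 1..86400, retry 1..7200, expire 600..172800,
    # and the expire interval must exceed both the refresh and retry intervals.
    if not (1 <= refresh <= 86400 and 1 <= retry <= 7200 and 600 <= expire <= 172800):
        raise ValueError("advertised interval outside the RFC 8210 range")
    if expire <= refresh or expire <= retry:
        raise ValueError("expire interval must exceed refresh and retry intervals")
    return EndOfData(session_id, serial, refresh, retry, expire)


def timer_warnings(eod: EndOfData, refresh_time: int, record_lifetime: int,
                   hold_time: Optional[int] = None) -> List[str]:
    """Compare the router's configured timers with what the cache advertised.

    hold_time only applies to an OS that has one (JUNOS); the "at least twice
    refresh-time" rule is the one stated in the JUNOS section of this page.
    """
    warnings = []
    if refresh_time > eod.refresh_interval:
        warnings.append(f"refresh-time {refresh_time}s polls less often than the cache "
                        f"suggests ({eod.refresh_interval}s); VRP changes may be picked up late")
    if record_lifetime > eod.expire_interval:
        warnings.append(f"record-lifetime {record_lifetime}s keeps VRPs longer than the cache "
                        f"considers safe ({eod.expire_interval}s)")
    if hold_time is not None and hold_time < 2 * refresh_time:
        warnings.append(f"hold-time {hold_time}s is below twice refresh-time ({2 * refresh_time}s)")
    return warnings


# Constructed sample PDU: session 0x1234, serial 42, cache intervals 3600/600/7200 s.
SAMPLE_END_OF_DATA = struct.pack("!BBHIIIII", RTR_VERSION, PDU_END_OF_DATA,
                                 0x1234, END_OF_DATA_LEN, 42, 3600, 600, 7200)

if __name__ == "__main__":
    eod = parse_end_of_data(SAMPLE_END_OF_DATA)
    print(eod)
    print("serial query:", build_serial_query(eod.session_id, eod.serial).hex())
    # Timer values from the JUNOS example on this page: refresh 150, hold 300, lifetime 1800.
    print(timer_warnings(eod, refresh_time=150, record_lifetime=1800, hold_time=300))
```

Run it as a script to see the decoded intervals and the (empty) warning list for the JUNOS values; feeding a hold-time below 300 or a record-lifetime above the advertised expire interval produces the corresponding warning.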

Cisco IOS-XR configuration

To begin configuring RPKI, move to the "router bgp configuration" level. This example assumes an initial configuration and, for safety, includes "bgp bestpath origin-as allow invalid" so that routes found to be invalid are still installed into the routing table. Omit this setting if you do not need to install invalid routes.

cisco-xr-router# configure terminal
cisco-xr-router(config)# router bgp <AS Number>
cisco-xr-router(config-bgp)# address-family ipv4 unicast
cisco-xr-router(config-bgp-af)# bgp bestpath origin-as allow invalid
cisco-xr-router(config-bgp-af)# commit

A) Configure ROA cache servers and check VRP retrieval

#Primary ROA cache server
cisco-xr-router(config-bgp)# rpki server <IP address of ROA cache server>
cisco-xr-router(config-bgp-rpki-server)# transport tcp port <Port number of ROA cache server>

#Secondary ROA cache server
cisco-xr-router(config-bgp)# rpki server <IP address of ROA cache server>
cisco-xr-router(config-bgp-rpki-server)# transport tcp port <Port number of ROA cache server>
cisco-xr-router(config-bgp-rpki-server)# commit

The above example involves configuring two ROA cache servers.

cisco-xr-router(config-bgp)# do show run
cisco-xr-router(config-bgp)# do show ip bgp rpki server summary
#(If the router is connected to the RPKI cache servers, then information will be displayed.)

Confirm that the router has received VRPs from the ROA cache servers.

#Display VRPs
cisco-xr-router# show ip bgp rpki table

#Check whether VRPs are obtained for the ROAs that are supposed to exist.
#(In this configuration example, VRPs are checked for 192.0.2.0/24, which is an IPv4 address range for
#documentation. In an actual configuration, replace this with the ROAs, etc., for your organization, as necessary.)
cisco-xr-router# show ip bgp rpki table | include 192.0.2.0/24

#Check the total number of VRPs
cisco-xr-router# show ip bgp rpki summary
RPKI cache-servers configured: 2
RPKI database
Total IPv4 net/path: 351268/394829

B) Change route priority levels based on the ROV results
In the example below, ROV is performed on Update packets received from 192.0.2.1, a BGP peer. The Local Preference value is set to 150 for valid routes and 100 for "not found" routes. This configuration prefers valid routes.

cisco-xr-router(config)# route-policy ROV-IN
cisco-xr-router(config-rpl)# if validation-state is valid then
cisco-xr-router(config-rpl-if)# set local-preference 150
cisco-xr-router(config-rpl-if)# elseif validation-state is not-found then
cisco-xr-router(config-rpl-elseif)# set local-preference 100
cisco-xr-router(config-rpl-elseif)# endif
cisco-xr-router(config-rpl)# end-policy
#Invalid routes match neither branch, so their Local Preference is left unchanged.

cisco-xr-router(config)# router bgp <AS Number>
cisco-xr-router(config-bgp)# neighbor 192.0.2.1
cisco-xr-router(config-bgp-nbr)# address-family ipv4 unicast
cisco-xr-router(config-bgp-nbr-af)# route-policy ROV-IN in
cisco-xr-router(config-bgp-nbr-af)# commit

Check the routing table to confirm whether it reflects the ROV results. In this example, 203.0.113.0/24, an IPv4 address range for documentation, is used for VRPs. In a real-world situation, specify invalid routes for confirmation.

cisco-xr-router# show ip route | include 203.0.113.0/24

C) Delete an ROV configuration
To disable ROV for any reason, follow the steps below:

#Remove the route-policy from the neighbor
cisco-xr-router# conf t
cisco-xr-router(config)# router bgp <AS Number>
cisco-xr-router(config-bgp)# neighbor 192.0.2.1
cisco-xr-router(config-bgp-nbr)# address-family ipv4 unicast
cisco-xr-router(config-bgp-nbr-af)# no route-policy ROV-IN in
cisco-xr-router(config-bgp-nbr-af)# commit

#Remove the ROA cache server configuration
cisco-xr-router# conf t
cisco-xr-router(config)# router bgp <AS Number>
cisco-xr-router(config-bgp)# no rpki server <IP address of ROA cache server>
cisco-xr-router(config-bgp)# commit

D) Check ROA cache server status and VRPs
Check connection with ROA cache servers, and VRP retrieval status.

cisco-xr-router# show ip bgp rpki server summary
cisco-xr-router# show ip bgp rpki table

E) Change ROA cache server priority levels and timers

#preference: Specifies the priority level for the ROA cache server. The valid range is 1 to 10. Lower values
#indicate higher priority. If a value is specified, only VRPs from the prioritized ROA cache servers will be
#used for validation.
cisco-xr-router(config-bgp-rpki-server)# preference {preference-value}

#refresh-time: Specifies the frequency of regular Serial Query PDUs. Set this to off to disable regular
#transmission. The valid range is 30 to 3600 seconds.
cisco-xr-router(config-bgp-rpki-server)# refresh-time {time-in-second | off}

#response-time: Specifies the time to wait for a response after sending a Query PDU to the ROA cache server.
#Set this to off to wait for an unlimited time for a response. The valid range is 30 to 3600 seconds.
cisco-xr-router(config-bgp-rpki-server)# response-time {time-in-second | off}

#purge-time: Specifies the period during which the router retains VRPs downloaded from the ROA cache server
#after losing connection to it. The valid range is 30 to 360 seconds. This cannot be set to off.
cisco-xr-router(config-bgp-rpki-server)# purge-time {time-in-second}

Cisco IOS-XE configuration

To begin configuring RPKI, move to the "router bgp configuration" level. This example assumes an initial configuration and, for safety, includes "bgp bestpath origin-as allow invalid" so that routes found to be invalid are still installed into the routing table. Omit this setting if you do not need to install invalid routes.

cisco-xe-router# configure terminal
cisco-xe-router(config)# router bgp <AS Number>
cisco-xe-router(config-router)# address-family ipv4 unicast
cisco-xe-router(config-router-af)# bgp bestpath origin-as allow invalid

A) Configure ROA cache servers and check VRP retrieval

#Primary ROA cache server
cisco-xe-router(config-router)# bgp rpki server tcp <IP address of ROA cache server> port <Port number of ROA cache server> refresh <refresh-time>
#Secondary ROA cache server
cisco-xe-router(config-router)# bgp rpki server tcp <IP address of ROA cache server> port <Port number of ROA cache server> refresh <refresh-time>
#In IOS-XE, refresh-time is set as part of the server definition.

The above example involves configuring two ROA cache servers.

#Check the configuration
cisco-xe-router# show running-config

cisco-xe-router# show ip bgp rpki server
#If the servers have been configured, then relevant information will be displayed.

Confirm that the router has received VRPs from the ROA cache servers.

#Display a summary of RTR caches.
cisco-xe-router# show bgp rpki roa summary

#Display VRPs (IPv4)
cisco-xe-router# show bgp ipv4 unicast rpki table

#Display VRPs (IPv6)
cisco-xe-router# show bgp ipv6 unicast rpki table

#Check whether VRPs are obtained for the ROAs that are supposed to exist.
#(VRPs are checked for 192.0.2.0/24, which is an IPv4 address range for documentation. In an actual
#configuration, replace this with the ROAs, etc., for your organization.)
cisco-xe-router# show ip bgp ipv4 unicast rpki table | include 192.0.2.0/24

B) Change route priority levels based on the ROV results
In the example below, ROV is performed on Update packets received from 192.0.2.1, a BGP peer. The Local Preference value is set to 150 for valid routes and 100 for "not found" routes. This configuration prefers valid routes.

#Sequence numbers must be unique within a route-map, so the deny clause gets its own number and is
#evaluated first: invalid routes are dropped here before the permit clauses are reached.
cisco-xe-router(config)# route-map ROV-IN deny 5
cisco-xe-router(config-route-map)# match rpki invalid
cisco-xe-router(config-route-map)# exit
cisco-xe-router(config)# route-map ROV-IN permit 10
cisco-xe-router(config-route-map)# match rpki valid
cisco-xe-router(config-route-map)# set local-preference 150
cisco-xe-router(config-route-map)# exit
cisco-xe-router(config)# route-map ROV-IN permit 20
cisco-xe-router(config-route-map)# match rpki not-found
cisco-xe-router(config-route-map)# set local-preference 100
cisco-xe-router(config-route-map)# exit

cisco-xe-router(config)# router bgp <AS Number>
cisco-xe-router(config-router)# address-family ipv4 unicast
cisco-xe-router(config-router-af)# neighbor {bgp neighbor ip} route-map ROV-IN in

Check the BGP table to confirm whether it reflects the ROV results. In this example, 203.0.113.0/24, an IPv4 address range for documentation, is used for VRPs. In a real-world situation, specify invalid routes for confirmation.

cisco-xe-router# show ip bgp 203.0.113.0/24

C) Delete an ROV configuration
To disable ROV for any reason, follow the steps below:

#Remove the applied route-map
cisco-xe-router# conf t
cisco-xe-router(config)# router bgp <AS Number>
cisco-xe-router(config-router)# address-family ipv4 unicast
cisco-xe-router(config-router-af)# no neighbor {bgp neighbor ip} route-map ROV-IN in

#Remove the ROA cache server configuration
cisco-xe-router# conf t
cisco-xe-router(config)# router bgp <AS Number>
cisco-xe-router(config-router)# no bgp rpki server tcp <IP address of ROA cache server> port <Port number of ROA cache server> refresh <refresh-time>

D) Check ROA cache server status and VRPs
Check connection with ROA cache servers, and VRP retrieval status.

cisco-xe-router# show ip bgp rpki server | include neighbor
cisco-xe-router# show ip bgp rpki table

E) Change ROA cache server priority levels and timers

#preference: This option cannot be specified in IOS-XE.

#refresh-time: Specifies the frequency of regular Serial Query PDUs. Set this to off to disable regular
#transmission. The valid range is 30 to 3600 seconds.
cisco-xe-router(config-bgp-rpki-server)# refresh-time {time-in-second | off}

#response-time: Specifies the time to wait for a response after sending a Query PDU to the ROA cache server.
#Set this to off to wait for an unlimited time for a response. The valid range is 30 to 3600 seconds.
cisco-xe-router(config-bgp-rpki-server)# response-time {time-in-second | off}

#purge-time: Specifies the period during which the router retains VRPs downloaded from the ROA cache server
#after losing connection to it. The valid range is 30 to 360 seconds. This cannot be set to off.
cisco-xe-router(config-bgp-rpki-server)# purge-time {time-in-second}

Juniper JUNOS configuration

In JUNOS, best practice is to define a filter that protects the routing engine (RE) and apply it to lo0, as recommended in RFC 6192. For RTR sessions to come up, that filter must accept the packets the RE needs in order to communicate with external ROA cache servers. The router initiates the TCP session toward the cache's listening port, so return traffic arrives with that port as its source port, which is why the terms below match on source-port.

set policy-options prefix-list rpki-rtr-v4 apply-path "routing-options validation group <*> session <*.*>"
set policy-options prefix-list rpki-rtr-v6 apply-path "routing-options validation group <*> session <*:*>"

set firewall family inet filter protect-re-v4 term rpki-rtr from source-prefix-list rpki-rtr-v4
set firewall family inet filter protect-re-v4 term rpki-rtr from protocol tcp
set firewall family inet filter protect-re-v4 term rpki-rtr from source-port <Port number of ROA cache server>
set firewall family inet filter protect-re-v4 term rpki-rtr then accept

set firewall family inet6 filter protect-re-v6 term rpki-rtr from source-prefix-list rpki-rtr-v6
set firewall family inet6 filter protect-re-v6 term rpki-rtr from next-header tcp
set firewall family inet6 filter protect-re-v6 term rpki-rtr from source-port <Port number of ROA cache server>
set firewall family inet6 filter protect-re-v6 term rpki-rtr then accept

A) Configure ROA cache servers and check VRP retrieval

set routing-options validation group rpki-roa-cache session <IP address of ROA cache server> refresh-time 150
set routing-options validation group rpki-roa-cache session <IP address of ROA cache server> hold-time 300
set routing-options validation group rpki-roa-cache session <IP address of ROA cache server> record-lifetime 1800
set routing-options validation group rpki-roa-cache session <IP address of ROA cache server> port <Port number of ROA cache server>
set routing-options validation group rpki-roa-cache session <IP address of ROA cache server> local-address <IP address of lo0 configured on router>

The above example involves configuring one ROA cache server. To configure multiple servers, repeat the same procedure with the parameters changed accordingly. If configuring three or more servers, the "max-sessions" setting must be adjusted as follows, as its default value is 2:

set routing-options validation group rpki-roa-cache max-sessions {sessions-in-group}

Confirm that RTR sessions with the ROA cache servers have been established.

user@junos> show validation session
Session                  State   Flaps   Uptime     #IPv4/IPv6 records
2406:e240:d000:1::feed   Up      0       08:13:21   490424/117711
2406:e240:d000:2::feed   Up      0       08:13:21   490424/117711

Check VRPs.

user@junos> show validation database

Check whether VRPs are obtained for the ROAs that are supposed to exist. (In this configuration example, VRPs are checked for 192.0.2.0/24, which is an IPv4 address range for documentation. In an actual configuration, replace this with the ROAs, etc., for your organization, as necessary.)

user@junos> show validation database record 192.0.2.0/24

Check the total number of VRPs.

user@junos> show validation statistics
Total RV records: 2432527
Total Replication RV records: 2432527
Prefix entries: 548876
Origin-AS entries: 608138
Memory utilization: 973649280 bytes
RV database: default
RV records in Database: 2432527
Origin-AS entries in Database: 608138
Database origin-validation re-evaluation statistics: 1221
Attempts resulting Valid: 579
Attempts resulting invalid: 0
Attempts resulting Unknown: 642
BGP import policy reevaluation notifications: 11646
inet.0, 11561
inet6.0, 85
Policy origin-validation re-evaluation statistics: 1221
Attempts resulting Valid: 579
Attempts resulting invalid: 0
Attempts resulting Unknown: 642
BGP import policy reevaluation notifications: 11646

B) Change route priority levels based on the ROV results
In the example below, ROV is performed on Update packets received from 192.0.2.1, a BGP peer. The Local Preference value is set to 150 for valid routes, 100 for "not found" routes, and 50 for invalid routes. This configuration prefers routes in the order: valid, not found, invalid.

set policy-options community origin-validation-state-invalid members large:<AS number, etc.>:1000:4
set policy-options community origin-validation-state-unknown members large:<AS number, etc.>:1000:2
set policy-options community origin-validation-state-valid members large:<AS number, etc.>:1000:1
#The community values are for example purposes.

set policy-options policy-statement rpki-rov term valid from protocol bgp
set policy-options policy-statement rpki-rov term valid from validation-database valid
set policy-options policy-statement rpki-rov term valid then local-preference 150
set policy-options policy-statement rpki-rov term valid then validation-state valid
set policy-options policy-statement rpki-rov term valid then community add origin-validation-state-valid
set policy-options policy-statement rpki-rov term valid then next policy
#At the "then" level above, other options include assigning a community, or modifying the Local Preference
#value relative to its current value, such as by specifying "local-preference add 50".

set policy-options policy-statement rpki-rov term not-found from protocol bgp
set policy-options policy-statement rpki-rov term not-found from validation-database unknown
set policy-options policy-statement rpki-rov term not-found then local-preference 100
set policy-options policy-statement rpki-rov term not-found then validation-state unknown
set policy-options policy-statement rpki-rov term not-found then community add origin-validation-state-unknown
set policy-options policy-statement rpki-rov term not-found then next policy
#At the "then" level above, other options include assigning a community.

set policy-options policy-statement rpki-rov term invalid from protocol bgp
set policy-options policy-statement rpki-rov term invalid from validation-database invalid
set policy-options policy-statement rpki-rov term invalid then local-preference 50
set policy-options policy-statement rpki-rov term invalid then validation-state invalid
set policy-options policy-statement rpki-rov term invalid then community add origin-validation-state-invalid
set policy-options policy-statement rpki-rov term invalid then next policy
#At the "then" level above, other options include assigning a community, or rejecting the matched routes.

set protocols bgp group <BGP configuration group> import rpki-rov
set protocols bgp group <BGP configuration group> import other-policy
set protocols bgp group <BGP configuration group> peer-as <AS Number>
set protocols bgp group <BGP configuration group> neighbor 192.0.2.1
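The three route policies on this page (the IOS-XR route-policy, the IOS-XE route-map and the JUNOS policy-statement above) all branch on the validation state the router derives from its VRP table. The following added Python example, which is not code from this page or from any vendor, implements that derivation as defined in RFC 6811 over a constructed VRP table and then applies the local-preference mapping from the policies: the JUNOS policy assigns 150/100/50, while the Cisco examples set 150/100 and leave the local preference of invalid routes unchanged. The VRPs, routes and AS numbers are constructed sample values taken from the documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """One Validated ROA Payload as delivered over RTR: prefix, max length, origin AS."""
    prefix: Network
    max_length: int
    origin_as: int


def vrp(prefix: str, max_length: int, origin_as: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix), max_length, origin_as)


def validation_state(prefix: str, origin_as: int, vrps: List[VRP]) -> str:
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    # A VRP "covers" the route when the VRP prefix contains the route prefix.
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "not-found"
    # A covering VRP "matches" when the origin AS agrees and the route is no more
    # specific than the VRP max length. AS 0 VRPs (RFC 7607) cover but never match.
    for v in covering:
        if v.origin_as == origin_as and v.origin_as != 0 and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


# Local-preference values from the policies on this page. The JUNOS policy sets all
# three states; the Cisco route-policy/route-map examples leave invalid routes untouched.
JUNOS_POLICY: Dict[str, int] = {"valid": 150, "not-found": 100, "invalid": 50}
CISCO_POLICY: Dict[str, int] = {"valid": 150, "not-found": 100}


def local_preference(prefix: str, origin_as: int, vrps: List[VRP],
                     policy: Dict[str, int]) -> Optional[int]:
    """Return the local-preference the policy assigns, or None if it leaves it unchanged."""
    return policy.get(validation_state(prefix, origin_as, vrps))


# Constructed VRP table using documentation prefixes and AS numbers (RFC 5737, RFC 3849, RFC 5398).
SAMPLE_VRPS = [
    vrp("192.0.2.0/24", 24, 64496),
    vrp("203.0.113.0/24", 25, 64497),
    vrp("2001:db8::/32", 48, 64496),
]

# Constructed routes as (prefix, origin AS) that the router might receive from peer 192.0.2.1.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64496),      # exact match -> valid
    ("192.0.2.0/25", 64496),      # more specific than max-length 24 -> invalid
    ("192.0.2.0/24", 64511),      # wrong origin AS -> invalid
    ("203.0.113.128/25", 64497),  # within max-length 25 -> valid
    ("198.51.100.0/24", 64496),   # no covering VRP -> not-found
    ("2001:db8:1::/48", 64496),   # IPv6 within max-length 48 -> valid
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_ROUTES:
        state = validation_state(prefix, asn, SAMPLE_VRPS)
        junos_lp = local_preference(prefix, asn, SAMPLE_VRPS, JUNOS_POLICY)
        cisco_lp = local_preference(prefix, asn, SAMPLE_VRPS, CISCO_POLICY)
        print(f"{prefix:20} AS{asn}  {state:9}  junos lp={junos_lp}  cisco lp={cisco_lp}")
```

Running the script prints one line per sample route; the two "invalid" rows show the practical difference between the policies: JUNOS lowers them to 50, whereas on the Cisco examples their fate is decided by "bgp bestpath origin-as allow invalid" (IOS-XR) or the deny clause of the route-map (IOS-XE) rather than by local preference.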

Check the routing table to confirm whether it reflects the ROV results. In this example, 203.0.113.0/24, an IPv4 address range for documentation, is used for VRPs. In a real-world situation, specify invalid routes for confirmation.

user@junos> show route 203.0.113.0/24 extensive

C) Delete an ROV configuration
To disable ROV for any reason, follow the steps below:

#Remove the policy-statement from the BGP group.
delete protocols bgp group <BGP configuration group> import rpki-rov

#Remove the ROA cache server configuration
delete routing-options validation group rpki-roa-cache

D) Check ROA cache server status and VRPs
Check connection with ROA cache servers, and VRP retrieval status.

user@junos> show validation session
user@junos> show validation database

E) Change ROA cache server priority levels and timers

#preference: Specifies the priority level for the ROA cache server. The default value is 100. Higher values
#indicate higher priority.
#If this option is set, sessions with ROA cache servers will be established sequentially based on their
#priority levels. Sessions with servers assigned the same priority level will be established in random order.
set routing-options validation group rpki-roa-cache session <IP address of ROA cache server> preference {preference-value}

#refresh-time: Specifies the frequency (in seconds) of regular checking that the ROA cache server is alive.
#The hold-time value described below must be at least twice the refresh-time value.
set routing-options validation group rpki-roa-cache session <IP address of ROA cache server> refresh-time {time-in-sec}

#hold-time: Specifies the period (in seconds) during which the ROA cache server is assumed to be alive even
#if no communication occurs with the router.
#If no communication occurs beyond the hold-time period, the router considers the session to be down.
set routing-options validation group rpki-roa-cache session <IP address of ROA cache server> hold-time {time-in-sec}

#record-lifetime: Specifies the period during which the router retains VRPs downloaded from the ROA cache
#server after losing connection to it.
set routing-options validation group rpki-roa-cache session <IP address of ROA cache server> record-lifetime {time-in-sec}