ROA cache Technical Info

Information for ROA cache server

ROA records can be retrieved from the ROA cache server over rpki-rtr. Your BGP router receives the ROA information and uses it to perform BGP Origin Validation.

Host

Host name           Host IP address            Listen port
roa1.mfeed.ad.jp    210.173.170.254            rpki-rtr (tcp:323)
roa1.mfeed.ad.jp    2001:3a0:e002:1001::101    rpki-rtr (tcp:323)
  • Currently, only rpki-rtr (as described in RFC 6810) is supported.
  • Please note that all information exchanged over rpki-rtr is unencrypted.
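To show what a router actually receives on the rpki-rtr session described above, and how that data yields the 'valid', 'not found' and 'invalid' states used in the router sections below, here is an added example that is not part of this page or of any vendor's code: it encodes and decodes the RFC 6810 version-0 PDUs (Cache Response, IPv4/IPv6 Prefix, End of Data) and applies RFC 6811 origin validation. The byte stream, ASN 65000 and the documentation prefixes are constructed sample data, not output from roa1.mfeed.ad.jp.

```python
import struct
import ipaddress
# RFC 6810 PDU types (protocol version 0) exchanged on a cache-to-router session.
CACHE_RESPONSE, IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA = 3, 4, 6, 7

def prefix_pdu(network, max_length, asn, announce=True):
    """Encode one IPv4/IPv6 Prefix PDU (flags bit 0: 1 = announce, 0 = withdraw)."""
    net = ipaddress.ip_network(network)
    body = struct.pack("!BBBB", int(announce), net.prefixlen, max_length, 0)
    body += net.network_address.packed + struct.pack("!I", asn)
    ptype = IPV4_PREFIX if net.version == 4 else IPV6_PREFIX
    return struct.pack("!BBHI", 0, ptype, 0, 8 + len(body)) + body

def parse_pdus(data):
    """Return (serial, roas); each ROA is (network, maxlen, asn). Withdraws remove entries."""
    roas, serial, pos = set(), None, 0
    while pos + 8 <= len(data):
        version, ptype, _, length = struct.unpack_from("!BBHI", data, pos)
        if version != 0 or length < 8 or pos + length > len(data):
            raise ValueError("malformed PDU at offset %d" % pos)
        body = data[pos + 8:pos + length]
        if ptype in (IPV4_PREFIX, IPV6_PREFIX):
            alen = 4 if ptype == IPV4_PREFIX else 16
            flags, plen, maxlen, _ = struct.unpack_from("!BBBB", body, 0)
            addr = ipaddress.ip_address(body[4:4 + alen])
            asn = struct.unpack_from("!I", body, 4 + alen)[0]
            roa = (ipaddress.ip_network("%s/%d" % (addr, plen), strict=False), maxlen, asn)
            (roas.add if flags & 1 else roas.discard)(roa)
        elif ptype == END_OF_DATA:
            serial = struct.unpack_from("!I", body, 0)[0]
        pos += length
    if pos != len(data):
        raise ValueError("truncated PDU header at offset %d" % pos)
    return serial, roas

def validate(roas, prefix, origin_asn):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covering = [r for r in roas if r[0].version == route.version and route.subnet_of(r[0])]
    if not covering:
        return "not-found"  # the state Cisco calls 'not found' and Junos 'unknown'
    if any(asn == origin_asn and route.prefixlen <= maxlen for _, maxlen, asn in covering):
        return "valid"
    return "invalid"

# Constructed sample stream (not captured from roa1.mfeed.ad.jp): Cache Response,
# two announced ROAs for example ASN 65000, then End of Data with serial 42.
SAMPLE_STREAM = (struct.pack("!BBHI", 0, CACHE_RESPONSE, 0x1234, 8)
                 + prefix_pdu("192.0.2.0/24", 24, 65000) + prefix_pdu("2001:db8::/32", 48, 65000)
                 + struct.pack("!BBHII", 0, END_OF_DATA, 0x1234, 12, 42))
```

Because the session carries no encryption or authentication, a parser like this is also how you would sanity-check a cache's output independently of the router before trusting it.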

Trust Anchors

Repository                    Trust Anchor Locator
repository.afrinic.net        afrinic.tal
rpki.apnic.net                apnic-rpki-root-iana-origin.tal
repository.lacnic.net         lacnic.tal
rpki.ripe.net                 ripe-ncc-root.tal
rpki-repository.nic.ad.jp     jpnic-preliminary-ca-s1.tal

Our cache data is updated every twelve hours by rsync from the repositories of the Trust Anchors listed above.

Router Configuration Examples

The following are basic configuration and command examples for connecting to our ROA cache server (210.173.170.254) with rpki-rtr. Replace AS65000 with your actual ASN.

Cisco (IOS-XE 3.12.0S)

Set up RPKI-RTR

!
router bgp 65000
 bgp rpki server tcp 210.173.170.254 port 323 refresh 60
!

With this configuration, only routes whose 'RPKI State' is 'valid' or 'not found' are installed in your routing table. If you also want to install 'invalid' routes, use the configuration below.

BGP Origin Validation (allowing 'invalid' routes)

!
router bgp 65000
 address-family ipv4
  bgp bestpath prefix-validate allow-invalid
 exit-address-family
 !
 address-family ipv6
  bgp bestpath prefix-validate allow-invalid
 exit-address-family
!

If you need to do more than simply allow them, use route-maps.

Confirm RPKI-RTR Sessions

Cisco> show ip bgp rpki servers

Confirm ROA table for IPv4

Cisco> show ip bgp rpki table

Confirm ROA table for IPv6

Cisco> show ip bgp ipv6 unicast rpki table

Reset the RPKI-RTR session with ROA cache server

Cisco> clear ip bgp rpki server 210.173.170.254 port 323

Request ROA cache server to re-send ROA information

Cisco> clear ip bgp rpki server 210.173.170.254 port 323 reset-only

Juniper (JUNOS 12.3R7.7)

Set up RPKI-RTR

routing-options {
    validation {
        group RPKI {
            session 210.173.170.254 {
                refresh-time 60;
                port 323;
            }
        }
    }
}
  • By default, committing the above configuration makes your router listen on tcp:2222 on both IPv4 and IPv6. This port is used internally by the router, so we recommend filtering out all access to it EXCEPT from the router itself.
  • The above example only enables the session to the ROA cache server. See the policy-options and protocols bgp sections below to enable route validation if necessary.

Set up BGP Origin Validation (policy-options section)

policy-options {
    policy-statement AS65253-PEER-IN {
        term valid {
            from {
                protocol bgp;
                validation-database valid;
            }
            then {
                validation-state valid;
                accept;
            }
        }
        term not-found {
            from {
                protocol bgp;
                validation-database unknown;
            }
            then {
                validation-state unknown;
                accept;
            }
        }
        term invalid {
            from {
                protocol bgp;
                validation-database invalid;
            }
            then {
                validation-state invalid;
                reject;
            }
        }
        then reject;
    }
}

Set up BGP Origin Validation (protocols bgp section)

protocols {
    bgp {
        group AS65253 {
            neighbor 192.168.0.253 {
                import AS65253-PEER-IN;
            }
            neighbor 2001:db8::253 {
                import AS65253-PEER-IN;
            }
        }
    }
}

Confirm RPKI-RTR Sessions

Juniper> show validation session

Confirm ROA table

Juniper> show validation database

Reset the RPKI-RTR session with ROA cache server

Juniper> clear validation session 210.173.170.254

Request ROA cache server to re-send ROA information

Juniper> clear validation database

Alcatel (SROS 12.0R4)

Set up RPKI-RTR

configure router
    origin-validation
        rpki-session 210.173.170.254
            port 323
            no shutdown
        exit
    exit
exit

The above example only enables the session to the ROA cache server. See below to enable route validation if necessary.

Set up BGP Origin Validation

configure router
    bgp
        best-path-selection
            origin-validation-unusable
        exit
        group "Peer AS"
            enable-origin-validation ipv4 ipv6
        exit
    exit
exit

Confirm RPKI-RTR Sessions

Alcatel# show router origin-validation rpki-session

Confirm ROA table

Alcatel# show router origin-validation database

Reset the RPKI-RTR session with ROA cache server

Alcatel# clear router origin-validation rpki-session 210.173.170.254