benmaddison / safnog-5-rpki-tut

RPKI Origin Validation Tutorial

SAFNOG-5, JNB, August 2019

Sources for the tutorial to be held at SAFNOG-5 on Tuesday, 27 August 16:00 - 17:30 SAST.

Prerequisites

Docker Host

You will need a Linux machine (or VM). The following instructions assume that the host is running Ubuntu 18.04.

The steps described may need to be adapted for other distributions and/or versions.

Host firewall

Docker doesn't manage the ip6tables configuration the way it does for IPv4, and IPv6 ND is broken as a result. To permit bridged traffic (using ufw), add the following to /etc/ufw/user6.rules:

-A ufw6-user-forward -m physdev --physdev-is-bridged -j ACCEPT

... and then

sudo ufw reload
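
The edit above can be scripted so that repeated runs don't duplicate the rule. The following is an added example, not part of the tutorial sources: the function name and the sample file contents are constructed for illustration, and it assumes the rules file declares the ufw6-user-forward chain and ends its table with a COMMIT line.

```sh
#!/bin/sh
# Added example (not from the tutorial repo): idempotently add the bridged-traffic
# rule to a ufw IPv6 rules file. Usage: sudo sh add-rule.sh /etc/ufw/user6.rules
RULE='-A ufw6-user-forward -m physdev --physdev-is-bridged -j ACCEPT'

# ensure_bridged_rule FILE -> 0 if the rule is present afterwards, 1 otherwise.
ensure_bridged_rule() {
    erb_file=$1
    [ -f "$erb_file" ] || { echo "no such file: $erb_file" >&2; return 1; }
    # Already configured: leave the file untouched.
    if grep -qxF -e "$RULE" "$erb_file"; then return 0; fi
    # Refuse to patch a file without the chain declaration or a COMMIT line:
    # a rule that references an undeclared chain would not load on reload.
    grep -q '^:ufw6-user-forward ' "$erb_file" ||
        { echo "chain ufw6-user-forward not declared in $erb_file" >&2; return 1; }
    grep -qx 'COMMIT' "$erb_file" ||
        { echo "no COMMIT line in $erb_file" >&2; return 1; }
    erb_tmp=$(mktemp) || return 1
    # Insert before the first COMMIT, keep a .bak copy, overwrite in place (owner/mode kept).
    awk -v rule="$RULE" '$0 == "COMMIT" && !done { print rule; done = 1 } { print }' \
        "$erb_file" > "$erb_tmp" &&
        cp -p "$erb_file" "$erb_file.bak" &&
        cat "$erb_tmp" > "$erb_file"
    rm -f "$erb_tmp"
    grep -qxF -e "$RULE" "$erb_file"
}

# With an argument, patch that file; without one, run on a constructed sample.
if [ $# -ge 1 ]; then
    ensure_bridged_rule "$1"
else
    sample=$(mktemp)
    printf '%s\n' '*filter' ':ufw6-user-input - [0:0]' ':ufw6-user-forward - [0:0]' \
        '### RULES ###' '### END RULES ###' 'COMMIT' > "$sample"
    ensure_bridged_rule "$sample" && ensure_bridged_rule "$sample"  # second run is a no-op
    grep -n -e 'physdev' "$sample"   # prints the single inserted rule line
    rm -f "$sample" "$sample.bak"
fi
```

Run `sudo ufw reload` afterwards as described above. The rule accepts every bridged IPv6 packet in the forward chain, which suits a lab host but is broad for a shared one.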

Docker

The lab is implemented as an interconnected set of docker containers. Orchestration is handled by docker compose.

Juniper cRPD

The routers in the lab topology run Juniper cRPD, a containerised version of the Junos routing protocol daemon. We can't distribute that here for licensing reasons, so you need to get that elsewhere.

The lab has been tested using version 19.2R1.8, but others should work with some adjustments.

Once you have obtained a tarball of the image, load it into the local image repo with:

$ docker load -i crpd-19.2R1.8.tgz

Topology

The lab topology looks like:

  j1       j2 ---- t1
   |       |
 -------------
  |    |    |
 ccc  rp1  rp2

j1 and j2 are routers in AS65000. They speak IS-IS and iBGP for both IPv4 and IPv6 unicast address families.

t1 is a route injector (running exabgp) emulating a transit provider (AS65001), attached to j2.

The routers are also attached to a management network containing ccc.

Also on the internal network are two RPKI validation caches and the config management machine:

  • rp1 runs the RIPE validation cache version 3.1.
  • rp2 runs routinator version xxx.

Usage

To launch, just do:

$ docker-compose up

If you have made changes to the sources, then rebuild the docker images with:

$ docker-compose build

See the docker-compose docs for more usage info.
