Use RPKI data as if it were route-objects

[job]

RPKI can be used to do Origin Validation and reject invalid announcements, but RPKI can also be used in context of provisioning & creation of whitelists.

If we take as example http://irrexplorer.nlnog.net/search/23.179.0.0/24 - for this prefix there is no IRR route object, but there is a RPKI ROA which states what the authorised origin AS is and this matches what is observed in the DFZ. I'd prefer to accept such a prefix from AS neighbor 6939.

In other words, we should treat RPKI ROAs as if they are IRR route objects.

Implementation suggestion: we can use rtrsub to generate a yml file of all such RPKI ROAs, and if arouteserver is expanding ASNs into route objects (after having expanded AS-SETS into ASNs), it also does a lookup in that yml file.

[pierky]

Here it is...

arouteserver/config.d/general.yml

Lines 223 to 260 in 566f313

	use_rpki_roas_as_route_objects:
	# With regards of prefix validation, when this option is
	# enabled ARouteServer uses RPKI ROAs as if they were route
	# objects.
	# Routes whose origin ASN is authorized by a client's AS-SET
	# but whose prefix has not a corresponding route object will
	# be accepted if a covering ROA exists for that origin
	# ASN. In this case, if 'tag_as_set' is True, these routes
	# are tagged with the 'prefix_validated_via_rpki_roas'
	# community.
	#
	# This option is used only when 'enforce_origin_in_as_set'
	# and 'enforce_prefix_in_as_set' are both set to True.
	# Set this to True to enable this feature.
	#
	# Default: False
	enabled: False
	# The source used to gather RPKI ROAs.
	#
	# Can be one of the following options:
	# - 'rtrlib': ROAs are loaded using the external program
	# rtrllib (https://github.com/rtrlib/bird-rtrlib-cli).
	# The name of the table where send the ROAs to is 'RPKI'.
	# - 'ripe-rpki-validator-cache': ROAs are fetched via
	# HTTP from the RIPE RPKI Validator cache
	# (http://localcert.ripe.net:8088/export).
	#
	# Please note that this method is far from guaranteeing
	# that a cryptographically validated datased is retrieved
	# from a trusted cache.
	#
	# OpenBGPD: only the 'ripe-rpki-validator-cache' source
	# is currently supported.
	#
	# Default: ripe-rpki-validator-cache
	source: "ripe-rpki-validator-cache"

---

OpenBGPD:

arouteserver/examples/rich/openbgpd.conf

Lines 147 to 154 in 566f313

	# RPKI ROAs used as route objects
	# Add the soo:65535:1 ext community to routes whose
	# origin ASN has a ROA for the announced prefix.
	# It will be used later during IRRDB validation in
	# case the origin ASN is authorized by a client's
	# AS-SET but the prefix is not.
	match from group clients source-as 10745 prefix { 2001:500:30::/48, 2001:500:4::/48, 192.136.136.0/24, 192.149.252.0/24, 199.43.0.0/24 } set ext-community soo 65535:1
	match from group clients source-as 3333 prefix { 193.0.24.0/24, 193.0.12.0/23, 193.0.18.0/23, 193.0.0.0/21, 2001:67c:2e8::/48, 193.0.22.0/23, 2001:610:240::/42, 193.0.10.0/23, 193.0.20.0/23, 193.0.24.0/22 prefixlen 22 - 26 } set ext-community soo 65535:1

And if a route has its origin ASN authorized by an AS-SET, then...

arouteserver/examples/rich/openbgpd.conf

Lines 254 to 259 in 566f313

	# routes which carry a soo:65535:1 community have the prefix validated by a ROA
	match from 192.0.2.22 ext-community soo 65535:1 set community 65530:2
	match from 192.0.2.22 ext-community soo 65535:1 set large-community 999:65530:2
	match from 192.0.2.22 ext-community soo 65535:1 set { community delete NO_ADVERTISE ext-community delete soo 65535:1 }

---

BIRD:

arouteserver/examples/rich/bird4.conf

Lines 21 to 28 in 566f313

	# RPKI ROAs used as route objects
	define RPKI_ROAs_as_route_objects_AS10745 = [
	192.136.136.0/24, 192.149.252.0/24, 199.43.0.0/24
	];
	define RPKI_ROAs_as_route_objects_AS3333 = [
	193.0.24.0/24, 193.0.12.0/23, 193.0.18.0/23, 193.0.0.0/21,
	193.0.22.0/23, 193.0.10.0/23, 193.0.20.0/23, 193.0.24.0/22{22,26}
	];

arouteserver/examples/rich/bird4.conf

Lines 1569 to 1577 in 566f313

	# This function verifies if there is such a ROA for the
	# current route's origin ASN to validate the announced prefix.
	function prefix_in_rpki_roas_as_route_objects() {
	case bgp_path.last {
	10745: return net ~ RPKI_ROAs_as_route_objects_AS10745;
	3333: return net ~ RPKI_ROAs_as_route_objects_AS3333;
	}
	return false;
	}

arouteserver/examples/rich/bird4.conf

Lines 1866 to 1873 in 566f313

	# Origin ASN is valid, prefix is not: check if a RPKI ROAs exists.
	if !reject_because_of_bad_origin && reject_because_of_bad_prefix && prefix_in_rpki_roas_as_route_objects() then {
	bgp_community.add((65530, 2));
	bgp_large_community.add((999, 65530, 2));
	return true;
	}

Any feedback?

[job]

Guess we'll have to test this to provide you with good feedback! :)

[pierky]

If you want to test it it's already available in the latest pre-release version on PyPi test:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple --pre --upgrade arouteserver