AS58280 (Articoli su ROV)https://as58280.net/itContents © 2025 <a href="mailto:max@as58280.net">Max Stucchi</a> Thu, 30 Jan 2025 15:53:05 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssRPKI Origin Validation on Mikrotikhttps://as58280.net/it/articles/RPKI-on-Mikrotik/Max Stucchi<h3>Configuring RPKI-based Route Origin Validation on Mikrotik</h3> <p>About a week ago, Mikrotik announced that the latest version of their OS - I mean, the beta version of RouterOSv7 - now has support for RPKI Origin Validation.</p> <p>I have decided to try to configure it and report here.</p> <p>Unfortunately, <strong>IPv6 BGP</strong> in RouterOSv7 Beta 8 is <strong>broken</strong>, in which it does not send any network announcement to the other peer in the BGP session. This means that at the time of this writing, my whole IPv6 configuration is broken, because I can't originate any IPv6 announcement from my network.</p> <p>Anyway, on with the experiment. First of all we need to find our <em>canary</em>, a network that is covered by a ROA that makes it <em>invalid</em>. There is a route announced by Cloudflare that we can use, and it's all described in <a href="https://blog.cloudflare.com/is-bgp-safe-yet-rpki-routing-security-initiative/">this article</a>:</p> <div class="code"><pre class="code literal-block"><span class="o">[</span>admin@r1.btl.ch.as58280.net<span class="o">]</span><span class="w"> </span>/ipv6/route&gt;<span class="w"> </span>print<span class="w"> </span>where<span class="w"> </span>dst-address<span class="o">=</span><span class="s2">"2606:4700:7000::/48"</span> Flags:<span class="w"> </span>D<span class="w"> </span>-<span class="w"> </span>DYNAMIC<span class="p">;</span><span class="w"> </span>I<span class="w"> </span>-<span class="w"> </span>INACTIVE,<span class="w"> </span>A<span class="w"> </span>-<span class="w"> </span>ACTIVE<span class="p">;</span><span class="w"> </span>b<span class="w"> </span>-<span class="w"> </span>BGP,<span class="w"> </span>m<span class="w"> </span>-<span class="w"> </span>MODEM Columns:<span class="w"> </span>DST-ADDRESS,<span class="w"> </span>GATEWAY,<span class="w"> </span>DISTANCE <span class="w"> </span>DST-ADDRESS<span class="w"> </span>GA<span class="w"> </span>DI <span class="w"> </span>DIb<span class="w"> </span><span class="m">2606</span>:4700:7000::/48<span class="w"> </span>::<span class="w"> </span><span class="m">20</span> <span class="w"> </span>DIb<span class="w"> </span><span class="m">2606</span>:4700:7000::/48<span class="w"> </span>::<span class="w"> </span><span class="m">20</span> </pre></div> <p>As you can see, we are now receiving it. I am receiving a full IPv6 feed from <a href="https://www.openfactory.ch">OpenFactory - AS58299</a> at the moment.</p> <p>We have to do work in three stages:</p> <ol> <li>Install a validator. In this case we will use <a href="https://www.nlnetlabs.nl/projects/rpki/routinator/">routinator</a> from NLNetLabs. It's really easy to install, fast, and will fit here;</li> <li>Set up a connection to the validator from the router. In this case I am running a RB4011;</li> <li>Use the information we obtain from the validator to filter out the invalid networks.</li> </ol> <h4>1. Install routinator</h4> <p>I have been using FreeBSD for about 20 years, so I will go ahead with it. Routinator can also be installed on any Linux flavour.</p> <p>On FreeBSD, we have a package, so I will go ahead with pkg.</p> <div class="code"><pre class="code literal-block">root@routinator<span class="w"> </span>/root&gt;<span class="w"> </span>pkg<span class="w"> </span>install<span class="w"> </span>routinator </pre></div> <p>Then configure to init it for the TALs</p> <div class="code"><pre class="code literal-block">sudo<span class="w"> </span>-u<span class="w"> </span>routinator<span class="w"> </span>-g<span class="w"> </span>routinator<span class="w"> </span>routinator<span class="w"> </span>-c<span class="w"> </span>/usr/local/etc/routinator/routinator.conf<span class="w"> </span>init sudo<span class="w"> </span>-u<span class="w"> </span>routinator<span class="w"> </span>-g<span class="w"> </span>routinator<span class="w"> </span>routinator<span class="w"> </span>-c<span class="w"> </span>/usr/local/etc/routinator/routinator.conf<span class="w"> </span>init<span class="w"> </span>--accept-arin-rpa </pre></div> <p>The first command actually errored out, so I first copy the config file manually, and then re-run those two commands.</p> <div class="code"><pre class="code literal-block">root@routinator<span class="w"> </span>/root&gt;<span class="w"> </span>cp<span class="w"> </span>/usr/local/etc/routinator/routinator.conf.example<span class="w"> </span>/usr/local/etc/routinator/routinator.conf </pre></div> <p>Additionally, I didn't have <em>sudo</em>, so I ran the commands as root and then I changed the owner of all the directories to be the <em>routinator</em> user.</p> <p>I also changed the configuration so that the directory structure is more in line with what FreeBSD uses as standard hierarchy.</p> <p>You can find the complete file <a href="https://github.com/AS58280/AS58280-Confs/blob/master/routinator.rpki.as58280.net/usr/local/etc/routinator/routinator.conf">here</a></p> <p>The last thing to do is to configure routinator to run in <em>rc.conf</em> and then run it:</p> <div class="code"><pre class="code literal-block">root@routinator<span class="w"> </span>/root&gt;<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s1">'routinator_enable="YES"'</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/rc.conf root@routinator<span class="w"> </span>/root&gt;<span class="w"> </span>/usr/local/etc/rc.d/routinator<span class="w"> </span>start </pre></div> <p>and now we have routinator running and listening on 45.129.224.37 port 3323.</p> <p>This instance of routinator is available to use, and I'll soon setup a hostname for it.</p> <h4>2. Configure the RTR Session</h4> <p>Then, on to configuring our router. As you can see, we have a specific menu for RPKI:</p> <div class="code"><pre class="code literal-block"><span class="o">[</span>admin@r1.btl.ch.as58280.net<span class="o">]</span><span class="w"> </span>/routing/bgp&gt; ..<span class="w"> </span>--<span class="w"> </span>go<span class="w"> </span>up<span class="w"> </span>to<span class="w"> </span>routing advertisements<span class="w"> </span>-- connection<span class="w"> </span>-- peer-cache<span class="w"> </span>-- rpki<span class="w"> </span>-- template<span class="w"> </span>-- </pre></div> <p>The work we have to do is divided in two parts:</p> <ol> <li>Setting up communication to the routinator instance; and</li> <li>Setting up our filters so that we filter based on RPKI.</li> </ol> <p>First of all, we have to configure the RTR Session. We will connect to the routinator instance we have set up previously, so here:</p> <div class="code"><pre class="code literal-block"><span class="p">[</span><span class="nx">admin</span><span class="err">@</span><span class="nx">r1</span><span class="p">.</span><span class="nx">btl</span><span class="p">.</span><span class="nx">ch</span><span class="p">.</span><span class="nx">as58280</span><span class="p">.</span><span class="nx">net</span><span class="p">]</span><span class="w"> </span><span class="o">/</span><span class="nx">routing</span><span class="o">/</span><span class="nx">bgp</span><span class="o">/</span><span class="nx">rpki</span><span class="p">&gt;</span><span class="w"> </span><span class="nx">add</span><span class="w"> </span><span class="nx">address</span><span class="p">=</span><span class="m m-Double">45.129.224.37</span><span class="w"> </span><span class="nx">port</span><span class="p">=</span><span class="mi">3323</span><span class="w"> </span><span class="nx">preference</span><span class="p">=</span><span class="mi">1</span> </pre></div> <p>and I got an error while trying to print the entries:</p> <div class="code"><pre class="code literal-block"><span class="o">[</span>admin@r1.btl.ch.as58280.net<span class="o">]</span><span class="w"> </span>/routing/bgp/rpki&gt;<span class="w"> </span>print Flags:<span class="w"> </span>X<span class="w"> </span>-<span class="w"> </span>disabled <span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="p">;;;</span><span class="w"> </span>group<span class="w"> </span>name<span class="w"> </span>must<span class="w"> </span>be<span class="w"> </span>specified <span class="w"> </span><span class="nv">address</span><span class="o">=</span><span class="m">45</span>.129.224.37<span class="w"> </span><span class="nv">port</span><span class="o">=</span><span class="m">3323</span><span class="w"> </span><span class="nv">preference</span><span class="o">=</span><span class="m">1</span> <span class="o">[</span>admin@r1.btl.ch.as58280.net<span class="o">]</span><span class="w"> </span>/routing/bgp/rpki&gt;<span class="w"> </span><span class="nb">set</span><span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="nv">group</span><span class="o">=</span> Group<span class="w"> </span>::<span class="o">=</span> <span class="o">[</span>admin@r1.btl.ch.as58280.net<span class="o">]</span><span class="w"> </span>/routing/bgp/rpki&gt;<span class="w"> </span><span class="nb">set</span><span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="nv">group</span><span class="o">=</span>validator <span class="o">[</span>admin@r1.btl.ch.as58280.net<span class="o">]</span><span class="w"> </span>/routing/bgp/rpki&gt;<span class="w"> </span>print Flags:<span class="w"> </span>X<span class="w"> </span>-<span class="w"> </span>disabled <span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="nv">group</span><span class="o">=</span>validator<span class="w"> </span><span class="nv">address</span><span class="o">=</span><span class="m">45</span>.129.224.37<span class="w"> </span><span class="nv">port</span><span class="o">=</span><span class="m">3323</span><span class="w"> </span><span class="nv">preference</span><span class="o">=</span><span class="m">1</span> <span class="o">[</span>admin@r1.btl.ch.as58280.net<span class="o">]</span><span class="w"> </span>/routing/bgp/rpki&gt; </pre></div> <p>Turns out you can configure groups of validators to talk to, and I later on discovered that in your filters you can point to these specific groups. That looks like an interesting feature.</p> <h4>3. Configure the filters</h4> <p>Let's go ahead and see what we need to do next with the filters.</p> <div class="code"><pre class="code literal-block"><span class="o">[</span>admin@r1.btl.ch.as58280.net<span class="o">]</span><span class="w"> </span>/routing/filter/rule&gt;<span class="w"> </span>add<span class="w"> </span><span class="nv">action</span><span class="o">=</span>accept<span class="w"> </span><span class="nv">chain</span><span class="o">=</span><span class="k">in</span>-v6<span class="w"> </span>rpki-verify<span class="o">=</span>validator<span class="w"> </span>rpki-match<span class="o">=</span>valid <span class="o">[</span>admin@r1.btl.ch.as58280.net<span class="o">]</span><span class="w"> </span>/routing/filter/rule&gt;<span class="w"> </span>add<span class="w"> </span><span class="nv">chain</span><span class="o">=</span><span class="k">in</span>-v6<span class="w"> </span><span class="nv">action</span><span class="o">=</span>reject<span class="w"> </span>match-rpki<span class="o">=</span>invalid </pre></div> <p>and then we need to add this filter chain to the template we use for BGP. In <em>/routing/bgp/template/</em> I have the following:</p> <div class="code"><pre class="code literal-block"><span class="o">[</span>admin@r1.btl.ch.as58280.net<span class="o">]</span><span class="w"> </span>/routing/bgp/template&gt;<span class="w"> </span>print Flags:<span class="w"> </span>*<span class="w"> </span>-<span class="w"> </span>default,<span class="w"> </span>X<span class="w"> </span>-<span class="w"> </span>disabled,<span class="w"> </span>I<span class="w"> </span>-<span class="w"> </span>inactive <span class="w"> </span><span class="m">0</span><span class="w"> </span>*<span class="w"> </span><span class="p">;;;</span><span class="w"> </span>reserved<span class="w"> </span>AS<span class="w"> </span>value <span class="w"> </span><span class="nv">name</span><span class="o">=</span><span class="s2">"default"</span><span class="w"> </span><span class="nv">instance</span><span class="o">=</span>default <span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="nv">name</span><span class="o">=</span><span class="s2">"stucchinet4"</span><span class="w"> </span>routing-table<span class="o">=</span>main<span class="w"> </span><span class="nv">as</span><span class="o">=</span><span class="m">58280</span><span class="w"> </span>address-families<span class="o">=</span>ip,ipv6 <span class="w"> </span>output.filter<span class="o">=</span>out-v4<span class="w"> </span>.network<span class="o">=</span><span class="m">45</span>.129.224.0/22 <span class="w"> </span><span class="m">2</span><span class="w"> </span><span class="nv">name</span><span class="o">=</span><span class="s2">"stucchinet6"</span><span class="w"> </span>routing-table<span class="o">=</span>main<span class="w"> </span><span class="nv">instance</span><span class="o">=</span>default<span class="w"> </span>apply-changes<span class="o">=</span>auto<span class="w"> </span><span class="nv">as</span><span class="o">=</span><span class="m">58280</span><span class="w"> </span>address-families<span class="o">=</span>ipv6<span class="w"> </span>output.filter<span class="o">=</span><span class="s2">""</span><span class="w"> </span>.network<span class="o">=</span><span class="s2">""</span> </pre></div> <p>And especially for the IPv6 template, I have no input.filter set, yet. So let's go ahead and add it:</p> <div class="code"><pre class="code literal-block"><span class="o">[</span>admin@r1.btl.ch.as58280.net<span class="o">]</span><span class="w"> </span>/routing/bgp/template&gt;<span class="w"> </span><span class="nb">set</span><span class="w"> </span><span class="m">2</span><span class="w"> </span>input.filter<span class="o">=</span><span class="k">in</span>-v6 <span class="o">[</span>admin@r1.btl.ch.as58280.net<span class="o">]</span><span class="w"> </span>/routing/bgp/template&gt;<span class="w"> </span>print Flags:<span class="w"> </span>*<span class="w"> </span>-<span class="w"> </span>default,<span class="w"> </span>X<span class="w"> </span>-<span class="w"> </span>disabled,<span class="w"> </span>I<span class="w"> </span>-<span class="w"> </span>inactive <span class="w"> </span><span class="m">0</span><span class="w"> </span>*<span class="w"> </span><span class="p">;;;</span><span class="w"> </span>reserved<span class="w"> </span>AS<span class="w"> </span>value <span class="w"> </span><span class="nv">name</span><span class="o">=</span><span class="s2">"default"</span><span class="w"> </span><span class="nv">instance</span><span class="o">=</span>default <span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="nv">name</span><span class="o">=</span><span class="s2">"stucchinet4"</span><span class="w"> </span>routing-table<span class="o">=</span>main<span class="w"> </span><span class="nv">as</span><span class="o">=</span><span class="m">58280</span><span class="w"> </span>address-families<span class="o">=</span>ip,ipv6 <span class="w"> </span>output.filter<span class="o">=</span>out-v4<span class="w"> </span>.network<span class="o">=</span><span class="m">45</span>.129.224.0/22 <span class="w"> </span><span class="m">2</span><span class="w"> </span><span class="nv">name</span><span class="o">=</span><span class="s2">"stucchinet6"</span><span class="w"> </span>routing-table<span class="o">=</span>main<span class="w"> </span><span class="nv">instance</span><span class="o">=</span>default<span class="w"> </span>apply-changes<span class="o">=</span>auto<span class="w"> </span><span class="nv">as</span><span class="o">=</span><span class="m">58280</span><span class="w"> </span>address-families<span class="o">=</span>ipv6<span class="w"> </span>output.filter<span class="o">=</span><span class="s2">""</span><span class="w"> </span>.network<span class="o">=</span><span class="s2">""</span> <span class="w"> </span>input.filter<span class="o">=</span><span class="k">in</span>-v6 </pre></div> <p>and there it is.</p> <h4>4. Check the result</h4> <p>Let's now check if Origin Validation gets applied:</p> <div class="code"><pre class="code literal-block"><span class="o">[</span>admin@r1.btl.ch.as58280.net<span class="o">]</span><span class="w"> </span>/routing/bgp/template&gt;<span class="w"> </span>/ipv6<span class="w"> </span>route/ <span class="o">[</span>admin@r1.btl.ch.as58280.net<span class="o">]</span><span class="w"> </span>/ipv6/route&gt;<span class="w"> </span>print<span class="w"> </span>where<span class="w"> </span>dst-address<span class="o">=</span><span class="s2">"2606:4700:7000::/48"</span> <span class="o">[</span>admin@r1.btl.ch.as58280.net<span class="o">]</span><span class="w"> </span>/ipv6/route&gt; </pre></div> <p>Here we go! The prefix is not visible anymore and gets filtered out.</p> <p>You might have to disable and re-enable the BGP Session for the filter to kick in.</p> <p>This is the end. Besides the issues with IPv6 BGP, it seems that Mikrotik is going towards a nice result with this, so I hope they work quickly on making RouterOS v7 available for production, and hopefully this will increase RPKI adoption around the World, and will make <a href="http://instituut.net/~job/">Job Snijders</a> happy... :)</p>https://as58280.net/it/articles/RPKI-on-Mikrotik/Tue, 17 Nov 2020 14:16:18 GMT