A substitute for the RTR protocol: generate configuration blobs for your routers instead of using the RTR protocol to interact with RPKI.
The generated route-map configuration will first check whether the BGP route announced and passed through the route-map is covered by an RPKI ROA or not; if not, it will mark the route as not-found using the 65000:0 BGP community.

If the route was covered by an RPKI ROA, the route-map proceeds to match the announcement against each authorised (Prefix, Origin AS) tuple to see if any RPKI ROA can make the BGP announcement valid. If there is no match, the announcement is RPKI Invalid and will be rejected.
An example generated route-map
configuration is available here.
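The following is an added illustration, not the project's own generator: it emits a first-match route-map with the structure described above from a constructed list of VRPs (one permit sequence per (prefix, maxLength, origin AS) tuple, then a deny for routes covered by some ROA but matched by none, then a final sequence tagging everything else with 65000:0). The IOS-like syntax, the list names and the sample prefixes are assumptions.

```python
from ipaddress import ip_network

# Constructed sample VRPs (prefix, maxLength, origin ASN); not real RPKI data.
SAMPLE_VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/22", 24, 64496),
    ("198.51.100.0/22", 22, 64497),
    ("2001:db8::/32", 48, 64496),
]

def afi(prefix):
    """Address-family keyword used by the prefix-list and match commands."""
    return "ip" if ip_network(prefix).version == 4 else "ipv6"

def generate_route_map(vrps, name="rpki-ov", not_found="65000:0"):
    """Return configuration lines for a first-match route-map doing RFC 6811
    origin validation: one 'permit' per VRP (valid), a 'deny' for routes
    covered by some VRP but unmatched (invalid), then a final 'permit'
    tagging everything else as not-found. IOS-like syntax is an assumption."""
    lines = []
    # Covered (RFC 6811) ignores maxLength: every more-specific of a VRP prefix.
    covered = sorted({p for p, _, _ in vrps},
                     key=lambda p: (ip_network(p).version, ip_network(p)))
    for prefix in covered:
        lines.append(f"{afi(prefix)} prefix-list {name}-covered permit "
                     f"{prefix} le {ip_network(prefix).max_prefixlen}")
    # One numbered as-path list per origin ASN; the origin is the rightmost AS.
    as_list = {asn: i for i, asn in enumerate(sorted({a for _, _, a in vrps}), 1)}
    for asn, i in as_list.items():
        lines.append(f"ip as-path access-list {i} permit _{asn}$")
    seq = 0
    for i, (prefix, maxlen, asn) in enumerate(vrps, 1):
        # IOS rejects 'le N' when N equals the prefix length, so omit it then.
        le = f" le {maxlen}" if maxlen > ip_network(prefix).prefixlen else ""
        lines.append(f"{afi(prefix)} prefix-list {name}-vrp-{i} permit {prefix}{le}")
        seq += 1
        lines += [f"route-map {name} permit {seq}",
                  f" match {afi(prefix)} address prefix-list {name}-vrp-{i}",
                  f" match as-path {as_list[asn]}"]
    # Covered but not matched above: RPKI Invalid, rejected (one deny per AFI).
    for kw in sorted({afi(p) for p in covered}):
        seq += 1
        lines += [f"route-map {name} deny {seq}",
                  f" match {kw} address prefix-list {name}-covered"]
    # Not covered by any VRP: not-found, tagged with the community and accepted.
    lines += [f"route-map {name} permit {seq + 1}",
              f" set community {not_found} additive"]
    return lines
```

Because route-map evaluation stops at the first matching sequence, the ordering above (valid, then invalid, then not-found) is what makes the deny sequence catch only covered-but-unauthorised announcements.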
```
git clone https://github.com/job/rpki-ov-route-map
cd rpki-ov-route-map
python3 -m venv .venv
. .venv/bin/activate
pip3 install -e .
```
Some BGP implementations don't have native support for RPKI-based BGP Origin Validation (RFC 6811); this utility attempts to offer a workaround for route-map oriented BGP implementations.
```
$ rpki-ov-route-map > route-map-configuration.txt
```
Then use TFTP or some other copying mechanism to upload the resulting file to the BGP router, and copy the file into the running-config. Subsequently you can associate route-map rpki-ov with the EBGP ingress policy of the peer:
```
router bgp 65000
 neighbor x.x.x.x remote-as 65123
 neighbor x.x.x.x route-map rpki-ov in
```
But honestly, use of this software for any purpose other than entertainment is not recommended.
Copyright (c) April 1st, 2020 Job Snijders [email protected], Ben Maddison [email protected]