RPKI in Go6Lab

In Go6Lab we set up an RPKI validation server and started validating prefixes on the central BGP router as well. Setting up validation and actually checking the validity of advertised prefixes is so simple that it is a pity we did not set this up earlier…

The validator runs at rpki.go6lab.si on port 8282

rpki.go6lab.si. 3600 IN A 91.239.96.50
rpki.go6lab.si. 3600 IN AAAA 2001:67c:27e4::50

If we follow the instructions on the RIPE RPKI resources page, which explains in simple terms how to add RPKI validation on Cisco and Juniper routers, we will suddenly find that we have started validating the authenticity of route announcements. When configuring your own BGP router, replace the server IP address given there with one of the two addresses above, either IPv6 or IPv4.

The central Go6 BGP router (Cisco 7606, IOS 15.2(4)S) is connected to the RPKI validator over IPv6, and it works nicely.

Routing security is an important next step in ensuring good, trustworthy and secure routing on the Internet, and above all in preventing the theft of IPv4 and IPv6 address space, or rather mistaken announcements, as happened to Pakistan Telecom when it accidentally announced to the Internet an IP allocation that belongs to YouTube…

Some technical details (what this looks like on a C*** router):

(Each entry appears three times because go6lab has three upstream links (SiOL, Amis and T-2) and three full IPv4 and IPv6 BGP tables)

c7600-go6lab#sh ip bgp rpki servers 
BGP SOVC neighbor is 2001:67C:27E4::50/8282 connected to port 8282
Flags 64, Refresh time is 600, Serial number is 8, Session ID is 24182
InQ has 0 messages, OutQ has 0 messages, formatted msg 1
Session IO flags 3, Session flags 4008
 Neighbor Statistics:
 Prefixes 4220
 Connection attempts: 1
 Connection failures: 0
 Errors sent: 0
 Errors received: 0
   
c7600-go6lab#sh bgp ipv6 unicast 2001:4d60::/32 
BGP routing table entry for 2001:4D60::/32, version 4093555
Paths: (3 available, best #3, table default)
 Advertised to update-groups:
 2 15 
 Refresh Epoch 1
 8591 286 24785 1126, (received & used)
  2001:15C0:1000:104A::42 (FE80::8618:8800:6E91:B803) from 2001:15C0:1000:104A::42 (212.18.32.191)
  Origin IGP, localpref 100, valid, external
  Community: 8591:1002
  path 26555A58 RPKI State valid
  rx pathid: 0, tx pathid: 0
  Refresh Epoch 1
 34779 1299 3549 1126, (received & used)
  2A01:260:1::216 from 2A01:260:1::216 (84.255.208.216)
  Origin IGP, localpref 100, valid, external
  Community: 34779:31006
  path 2557D750 RPKI State valid
  rx pathid: 0, tx pathid: 0
  Refresh Epoch 1
 5603 6939 1126, (received & used)
  2A00:EE0::1:0:0:7 from 2A00:EE0::1:0:0:7 (95.176.255.252)
  Origin IGP, localpref 100, valid, external, best
  path 2818D53C RPKI State valid
  rx pathid: 0, tx pathid: 0x0

   
c7600-go6lab#sh ip bgp 93.175.147.0/24
BGP routing table entry for 93.175.147.0/24, version 12829231
Paths: (3 available, best #3, table default)
 Advertised to update-groups:
 13 17 
 Refresh Epoch 1
 8591 2603 1103 12654, (received & used)
  90.157.211.89 from 90.157.211.89 (212.18.32.191)
  Origin IGP, localpref 100, valid, external
  Community: 8591:1003
  path 2E08EB58 RPKI State valid
  rx pathid: 0, tx pathid: 0
  Refresh Epoch 1
 34779 1299 3257 1103 12654
  84.255.208.216 from 84.255.208.216 (84.255.208.216)
  Origin IGP, localpref 100, valid, external
  Community: 34779:30001
  path 20466C64 RPKI State valid
  rx pathid: 0, tx pathid: 0
  Refresh Epoch 1
  5603 3356 12654, (received & used)
  95.176.255.252 from 95.176.255.252 (95.176.255.252)
  Origin IGP, localpref 100, valid, external, best
  path 295E5D24 RPKI State valid
  rx pathid: 0, tx pathid: 0x0
c7600-go6lab#
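
The decision behind the "RPKI State" field in the output above, written out as an added example (not part of the original post and not the router's own code): each route is classified as valid, invalid or not found against the ROA data received from the validator, following RFC 6811. The prefixes and origin ASNs come from the output above; the max_length values, the documentation ASN 64500 and prefix 192.0.2.0/24, and the function names are assumptions.

```python
import ipaddress

# Constructed sample VRPs (validated ROA payloads): (prefix, max_length, origin_asn).
# Prefixes and origin ASNs are those in the router output above; the
# max_length values are assumptions made for this example.
VRPS = [
    ("2001:4d60::/32", 32, 1126),
    ("93.175.147.0/24", 24, 12654),
]

def origin_of(as_path):
    """Origin AS is the right-most ASN of a plain AS path such as '5603 6939 1126'."""
    return int(as_path.split()[-1])

def validate(prefix, origin_asn, vrps=VRPS):
    """Classify one announcement as 'valid', 'invalid' or 'not found' (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_length, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route when the route is equal to it or more specific.
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # A match needs the same origin AS and a prefix no longer than max_length;
        # AS 0 in a VRP never matches any route.
        if vrp_asn != 0 and vrp_asn == origin_asn and route.prefixlen <= max_length:
            return "valid"
    # Covered by a VRP but matched by none: invalid. No covering VRP: not found.
    return "invalid" if covered else "not found"

if __name__ == "__main__":
    samples = [  # constructed announcements: (prefix, AS path)
        ("2001:4d60::/32", "5603 6939 1126"),    # path from the output above
        ("93.175.147.0/24", "5603 3356 12654"),  # path from the output above
        ("93.175.147.0/24", "5603 64500"),       # wrong origin AS
        ("93.175.147.0/25", "5603 3356 12654"),  # longer than max_length
        ("192.0.2.0/24", "5603 64500"),          # no covering VRP
    ]
    for prefix, path in samples:
        print(f"{prefix:18} via {path:18} -> {validate(prefix, origin_of(path))}")
```
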


Comments

  1. March 8th, 2013 | 16:17

    […] reported on RPKI-based BGP Route Origin Validation in Go6Lab, where he gave an example configuration on equipment from the vendor C*. To make the picture more complete, it is only right […]
