ROA cache Technical Info

Information for ROA cache server

ROA records can be retrieved from the ROA cache server by connecting to it with rpki-rtr. Your BGP router receives the ROA information over this session, which allows you to enable BGP Origin Validation on the router.

Host

Host name          Host IP address            Listen port
roa1.mfeed.ad.jp   210.173.170.254            rpki-rtr (tcp:323)
                   2001:3a0:e002:1001::101    rpki-rtr (tcp:323)

Currently, only 'rpki-rtr' (described in RFC 6810) is supported.
Please note that all information exchanged over 'rpki-rtr' is transmitted unencrypted.

Trust Anchors

Repository                  Trust Anchor Locator
repository.afrinic.net      afrinic.tal
rpki.apnic.net              apnic-rpki-root-afrinic-origin.tal
rpki.apnic.net              apnic-rpki-root-arin-origin.tal
rpki.apnic.net              apnic-rpki-root-iana-origin.tal
rpki.apnic.net              apnic-rpki-root-lacnic-origin.tal
rpki.apnic.net              apnic-rpki-root-ripe-origin.tal
repository.lacnic.net       lacnic.tal
rpki.ripe.net               ripe-ncc-root.tal
rpki-repository.nic.ad.jp   jpnic-preliminary-ca-s1.tal

Our cache data is updated hourly by rsync from the repositories of the Trust Anchors listed above.

Router Configuration Examples

The following examples are basic configurations and commands for connecting to our ROA cache server (210.173.170.254) with rpki-rtr. Please replace AS65000 with your actual AS number.

Cisco (IOS-XE 3.12.0S)

Set up RPKI-RTR
!
router bgp 65000
  bgp rpki server tcp 210.173.170.254 port 323 refresh 60
!

In this example, only routes whose RPKI state is 'valid' or 'not found' will be installed into your routing table. If you also want to install 'invalid' routes, please refer to the configuration below.

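As an added illustration (not code from this page or from the ROA cache service), the following Python sketch decodes the RFC 6810 IPv4 and IPv6 Prefix PDUs that a router receives over rpki-rtr into a ROA table, then applies the RFC 6811 origin validation rules that produce the 'valid', 'invalid' and 'not found' states referred to in the router examples. The ROAs and routes are constructed sample values (documentation prefixes and private AS numbers), not data from the cache.

```python
import ipaddress
import struct

# RFC 6810 Prefix PDU types -> (total PDU length, address length); type 4 = IPv4, type 6 = IPv6
PREFIX_PDU = {4: (20, 4), 6: (32, 16)}

def parse_prefix_pdu(data):
    """Decode one rpki-rtr (RFC 6810, protocol version 0) Prefix PDU -> (announce, network, max_len, asn)."""
    version, pdu_type, _reserved, length = struct.unpack("!BBHI", data[:8])
    if version != 0 or pdu_type not in PREFIX_PDU or length != PREFIX_PDU[pdu_type][0]:
        raise ValueError("not an RFC 6810 Prefix PDU")
    addr_len = PREFIX_PDU[pdu_type][1]
    flags, prefix_len, max_len, _zero = struct.unpack("!BBBB", data[8:12])
    network = ipaddress.ip_network((data[12:12 + addr_len], prefix_len), strict=False)
    (asn,) = struct.unpack("!I", data[12 + addr_len:length])  # 32-bit origin AS number
    return bool(flags & 1), network, max_len, asn  # flags bit 0: 1 = announce, 0 = withdraw

def build_roa_table(stream):
    """Apply a sequence of Prefix PDUs (announcements and withdrawals) to an in-memory ROA set."""
    roas, offset = set(), 0
    while offset < len(stream):
        (length,) = struct.unpack("!I", stream[offset + 4:offset + 8])
        announce, net, max_len, asn = parse_prefix_pdu(stream[offset:offset + length])
        (roas.add if announce else roas.discard)((net, max_len, asn))
        offset += length
    return roas

def validate(roas, prefix, origin_as):
    """RFC 6811 route origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas if r[0].version == route.version and route.subnet_of(r[0])]
    if not covering:
        return "not-found"  # no ROA covers this prefix at all
    if any(route.prefixlen <= max_len and asn == origin_as for _, max_len, asn in covering):
        return "valid"      # a covering ROA matches both origin AS and maxLength
    return "invalid"        # covered, but only by ROAs that do not match (wrong AS or too specific)

def make_pdu(announce, prefix, max_len, asn):
    """Encode a Prefix PDU; used here only to construct sample input."""
    net = ipaddress.ip_network(prefix)
    length, addr_len = PREFIX_PDU[net.version]  # PDU type happens to equal the IP version
    return struct.pack(f"!BBHIBBBB{addr_len}sI", 0, net.version, 0, length, int(announce),
                       net.prefixlen, max_len, 0, net.network_address.packed, asn)

# Constructed sample stream (documentation prefixes, private ASNs): three announcements, one withdrawal.
SAMPLE_STREAM = b"".join([make_pdu(True, "192.0.2.0/24", 26, 65000),
                          make_pdu(True, "2001:db8::/32", 48, 65000),
                          make_pdu(True, "198.51.100.0/24", 24, 65001),
                          make_pdu(False, "198.51.100.0/24", 24, 65001)])
```

Feeding the constructed stream to build_roa_table and calling validate for a prefix and origin AS yields the same three states a router's 'RPKI State' column shows; the withdrawn 198.51.100.0/24 ROA correctly drops back to 'not-found'.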
BGP Origin Validation (allowing 'invalid' routes)
!
router bgp 65000
  address-family ipv4
    bgp bestpath prefix-validate allow-invalid
  exit-address-family
  !
  address-family ipv6
    bgp bestpath prefix-validate allow-invalid
  exit-address-family
!

If you need finer-grained handling than simply allowing them, configure route-maps.

Confirm RPKI-RTR Sessions
Cisco> show ip bgp rpki servers

Confirm ROA table for IPv4
Cisco> show ip bgp rpki table

Confirm ROA table for IPv6
Cisco> show ip bgp ipv6 unicast rpki table

Reset the RPKI-RTR session with ROA cache server
Cisco> clear ip bgp rpki server 210.173.170.254 port 323

Request ROA cache server to re-send ROA information
Cisco> clear ip bgp rpki server 210.173.170.254 port 323 reset-only

Juniper (JUNOS 12.3R7.7)

Set up RPKI-RTR
routing-options {
  validation {
    group RPKI {
      session 210.173.170.254 {
        refresh-time 60;
        port 323;
      }
    }
  }
}

By default, committing the above configuration makes your router listen on tcp:2222 on both IPv4 and IPv6. These ports are used internally by the router; we recommend filtering out all access to them EXCEPT from the router itself.

The above example only enables the session to the ROA cache server. See below (policy-options and protocols bgp) to enable route validation if necessary.

Set up BGP Origin Validation (policy-options section)
policy-options {
  policy-statement AS65253-PEER-IN {
    term valid {
      from {
        protocol bgp;
        validation-database valid;
      }
      then {
        validation-state valid;
        accept;
      }
    }
    term not-found {
      from {
        protocol bgp;
        validation-database unknown;
      }
      then {
        validation-state unknown;
        accept;
      }
    }
    term invalid {
      from {
        protocol bgp;
        validation-database invalid;
      }
      then {
        validation-state invalid;
        reject;
      }
    }
    then reject;
  }
}

Set up BGP Origin Validation (protocols bgp section)
protocols {
  bgp {
    group AS65253 {
      neighbor 192.168.0.253 {
        import AS65253-PEER-IN;
      }
      neighbor 2001:db8::253 {
        import AS65253-PEER-IN;
      }
    }
  }
}

Confirm RPKI-RTR Sessions
Juniper> show validation session

Confirm ROA table
Juniper> show validation database

Reset the RPKI-RTR session with ROA cache server
Juniper> clear validation session 210.173.170.254

Request ROA cache server to re-send ROA information
Juniper> clear validation database

Alcatel (SROS 12.0R4)

Set up RPKI-RTR
configure router
  origin-validation
    rpki-session 210.173.170.254
      port 323
      no shutdown
    exit
  exit
exit

The above example only enables the session to the ROA cache server. See below to enable route validation if necessary.

Set up BGP Origin Validation
configure router
  bgp
    best-path-selection
      origin-validation-unusable
    exit
    group "Peer AS"
      enable-origin-validation ipv4 ipv6
    exit
  exit
exit

Confirm RPKI-RTR Sessions
Alcatel# show router origin-validation rpki-session

Confirm ROA table
Alcatel# show router origin-validation database

Reset the RPKI-RTR session with ROA cache server
Alcatel# clear router origin-validation rpki-session 210.173.170.254