1 of 10

rpkirtr

2 of 10

rpkirtr or rpki-rtr?

  • Naming is not my thing
  • rpkirtr is my implementation of RFC8210 - aka version 1
  • The Resource Public Key Infrastructure (RPKI) to Router Protocol
  • Facilitates the sending of ROAs from a ‘cache’ to a router
  • rpkirtr is exclusively used for bgpstuff.net
  • Low memory and CPU usage

3 of 10

So what is a ROA?

  • Route Origin Authorizations - RFC6480
  • ROAs are used for origin validation, i.e. ASN X is allowed to originate prefix Y
  • Does NOT do path validation
  • Validators use a lot of CPU

4 of 10

From validator to rpkirtr cache

  • Many ways to get data from validated cache to rpki-rtr. Examples include:
    • Dump all ROAs into local json file
    • Dump ROAs into a database of some sort
    • Could use a pull system in which the cache pulls ROAs from the validator via gRPC
    • Validators themselves could directly implement rpki-rtr
    • Pick your poison

5 of 10

rpki-rtr

  • Runs over TCP
  • Sends PDUs, protocol data units, describing validated ROAs towards a router
  • The router does not need to do any cryptographic work
  • My implementation currently reads externally validated json dumps
    • Don’t do this in production

6 of 10

Basic operation

  • Cache starts up and reads initial ROA data. Sets local serial number to 0.
  • Router connects to cache and sends a reset query PDU
  • Cache sends cache response PDU
  • Cache sends payload PDUs, which contain the ROAs
    • One PDU per prefix
  • Cache sends end of data PDU.

7 of 10

Payload PDU

0          8          16         24        31
.-------------------------------------------.
| Protocol |   PDU    |                     |
| Version  |   Type   |         zero        |
|    1     |    4     |                     |
+-------------------------------------------+
|                                           |
|                 Length=20                 |
|                                           |
+-------------------------------------------+
|          |  Prefix  |   Max    |          |
|  Flags   |  Length  |  Length  |   zero   |
|          |   0..32  |   0..32  |          |
+-------------------------------------------+
|                                           |
|                IPv4 Prefix                |
|                                           |
+-------------------------------------------+
|                                           |
|         Autonomous System Number          |
|                                           |
`-------------------------------------------'

  • Lowest order bit in flag determines type of announcement
    • 1 - announce
    • 2 - withdraw
  • IPv6 PDU is identical other than the prefix field being 96 bits larger (a 128-bit prefix instead of 32)
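The payload PDU from this slide and the one before it, as an added example in Go (my own code, not taken from rpkirtr or from RFC 8210): Encode writes one Prefix PDU in wire format and Decode parses it back, rejecting bad versions, types, lengths and prefix/max-length combinations. It generalises to the IPv6 form by switching the PDU Type to 6 and the prefix field to 16 bytes (Length=32). The Announce flag follows the RFC 8210 definition of the lowest-order Flags bit (1 = announce, 0 = withdraw). The type and function names are my own; the 192.0.2.0/24 and 2001:db8::/32 inputs are constructed documentation prefixes.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

// Wire constants from RFC 8210 (RPKI-to-Router protocol version 1).
const (
	rtrVersion1   = 1
	pduIPv4Prefix = 4    // PDU Type of an IPv4 Prefix PDU
	pduIPv6Prefix = 6    // PDU Type of an IPv6 Prefix PDU
	ipv4PDULen    = 20   // 8-byte header + 4 bytes of lengths/flags + 4-byte prefix + 4-byte ASN
	ipv6PDULen    = 32   // same layout with a 16-byte prefix field (96 bits more)
	flagAnnounce  = 0x01 // lowest-order bit of Flags: 1 = announce, 0 = withdraw
)

// PrefixPDU is the decoded form of one IPv4 or IPv6 Prefix PDU, i.e. one ROA.
type PrefixPDU struct {
	Announce  bool
	Prefix    netip.Prefix
	MaxLength uint8
	ASN       uint32
}

// Encode serialises the PDU into RFC 8210 wire format (network byte order).
func (p PrefixPDU) Encode() ([]byte, error) {
	if !p.Prefix.IsValid() {
		return nil, errors.New("invalid prefix")
	}
	addr := p.Prefix.Addr()
	pduType, total := byte(pduIPv4Prefix), ipv4PDULen
	if addr.Is6() {
		pduType, total = pduIPv6Prefix, ipv6PDULen
	}
	if int(p.MaxLength) < p.Prefix.Bits() || int(p.MaxLength) > addr.BitLen() {
		return nil, fmt.Errorf("max length %d outside %d..%d", p.MaxLength, p.Prefix.Bits(), addr.BitLen())
	}
	flags := byte(0)
	if p.Announce {
		flags = flagAnnounce
	}
	b := make([]byte, total)
	b[0], b[1] = rtrVersion1, pduType // bytes 2-3 are the 16-bit zero field
	binary.BigEndian.PutUint32(b[4:8], uint32(total))
	b[8], b[9], b[10] = flags, byte(p.Prefix.Bits()), p.MaxLength // byte 11 is zero
	copy(b[12:], addr.AsSlice())                                   // 4 or 16 bytes
	binary.BigEndian.PutUint32(b[total-4:], p.ASN)
	return b, nil
}

// Decode parses one Prefix PDU and rejects anything whose header, length or
// field values do not match the spec, so a malformed PDU is dropped rather
// than installed on the router as a bogus ROA.
func Decode(b []byte) (PrefixPDU, error) {
	if len(b) < 8 {
		return PrefixPDU{}, errors.New("short PDU header")
	}
	if b[0] != rtrVersion1 {
		return PrefixPDU{}, fmt.Errorf("unsupported protocol version %d", b[0])
	}
	var want int
	switch b[1] {
	case pduIPv4Prefix:
		want = ipv4PDULen
	case pduIPv6Prefix:
		want = ipv6PDULen
	default:
		return PrefixPDU{}, fmt.Errorf("PDU type %d is not a prefix PDU", b[1])
	}
	if length := binary.BigEndian.Uint32(b[4:8]); int(length) != want || len(b) != want {
		return PrefixPDU{}, fmt.Errorf("bad length: header says %d, have %d bytes, want %d", length, len(b), want)
	}
	flags, plen, maxLen := b[8], b[9], b[10]
	addr, ok := netip.AddrFromSlice(b[12 : want-4])
	if !ok {
		return PrefixPDU{}, errors.New("bad prefix field")
	}
	if int(plen) > addr.BitLen() || int(maxLen) < int(plen) || int(maxLen) > addr.BitLen() {
		return PrefixPDU{}, fmt.Errorf("invalid lengths %d/%d for %s", plen, maxLen, addr)
	}
	return PrefixPDU{
		Announce:  flags&flagAnnounce != 0,
		Prefix:    netip.PrefixFrom(addr, int(plen)),
		MaxLength: maxLen,
		ASN:       binary.BigEndian.Uint32(b[want-4:]),
	}, nil
}

func main() {
	// Constructed sample: announce 192.0.2.0/24, max length 24, origin AS 64496.
	pdu := PrefixPDU{Announce: true, Prefix: netip.MustParsePrefix("192.0.2.0/24"), MaxLength: 24, ASN: 64496}
	b, err := pdu.Encode()
	if err != nil {
		panic(err)
	}
	fmt.Printf("% x\n", b)
	back, err := Decode(b)
	fmt.Println(back, err)
}
```

The length check is deliberately strict on both the Length field and the byte count actually received: a cache that streams many PDUs back to back relies on Length to find the next PDU boundary, so accepting a mismatched value would desynchronise everything that follows.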

8 of 10

Cache update

  • Set a time for when the cache will check its sources for updates
    • bgpstuff.net checks every 6 minutes
  • If using a validator as the source, could update any time there was a ROA change
  • Cache should update its serial number
  • Cache needs to work out the new set of ROAs, as well as which ROAs need to be added or deleted to get from the previous version to the current version.
  • Cache should send a notify PDU to connected routers informing them that the serial number has changed

9 of 10

ROA diffs

  • rpkirtr downloads new ROAs
  • Makes diff with a list of added and deleted ROAs
  • I only save enough information for going back one serial number
  • You could implement multiple generations to get an old serial back to current
  • Might be more complicated than required
  • If the router's serial is ‘too’ old, rpki-rtr will send a cache reset PDU to the router
  • Router has its own timers.
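The cache update and ROA diff steps from the last two slides, as an added example in Go (my own code, not rpkirtr's): Diff works out which ROAs a router must add and delete to get from the previous download to the current one, Update bumps the serial and keeps exactly one generation of history, and SerialQuery hands a router one serial behind the incremental update, anything older a cache reset. The names (ROA, Cache, Response, the "no-change"/"incremental"/"cache-reset" kinds) are mine, and the sample ROAs use constructed documentation prefixes and private ASNs.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ROA is one validated Route Origin Authorization as the cache holds it.
// All three fields identify it: a change to any of them is a delete plus an add.
type ROA struct {
	Prefix    netip.Prefix
	MaxLength uint8
	ASN       uint32
}

// Diff returns what a router holding old must add and delete to arrive at cur.
// Output order follows the input slices, so it is deterministic.
func Diff(old, cur []ROA) (added, deleted []ROA) {
	oldSet := make(map[ROA]struct{}, len(old))
	for _, r := range old {
		oldSet[r] = struct{}{}
	}
	curSet := make(map[ROA]struct{}, len(cur))
	for _, r := range cur {
		curSet[r] = struct{}{}
		if _, ok := oldSet[r]; !ok {
			added = append(added, r)
		}
	}
	for _, r := range old {
		if _, ok := curSet[r]; !ok {
			deleted = append(deleted, r)
		}
	}
	return added, deleted
}

// generation is the single stored diff: how to get from fromSerial to the
// cache's current serial.
type generation struct {
	fromSerial     uint32
	added, deleted []ROA
}

// Cache holds the current ROA set, its serial number, and one generation of
// history, which is enough to serve a router exactly one serial behind.
type Cache struct {
	Serial uint32
	roas   []ROA
	last   *generation
}

// NewCache loads the initial ROA data and starts at serial 0 with no history.
func NewCache(initial []ROA) *Cache {
	return &Cache{roas: append([]ROA(nil), initial...)}
}

// Update installs a freshly downloaded ROA set. It reports whether anything
// changed, which is the cue to send a Serial Notify PDU to connected routers.
func (c *Cache) Update(fresh []ROA) bool {
	added, deleted := Diff(c.roas, fresh)
	if len(added) == 0 && len(deleted) == 0 {
		return false
	}
	c.last = &generation{fromSerial: c.Serial, added: added, deleted: deleted}
	c.Serial++
	c.roas = append([]ROA(nil), fresh...)
	return true
}

// Response is the cache's answer to a Serial Query: nothing to do, an
// incremental update, or a Cache Reset telling the router to start over.
type Response struct {
	Kind           string // "no-change", "incremental" or "cache-reset"
	Added, Deleted []ROA
}

// SerialQuery answers a router whose last known serial is routerSerial.
func (c *Cache) SerialQuery(routerSerial uint32) Response {
	switch {
	case routerSerial == c.Serial:
		return Response{Kind: "no-change"}
	case c.last != nil && routerSerial == c.last.fromSerial:
		return Response{Kind: "incremental", Added: c.last.added, Deleted: c.last.deleted}
	default:
		// Older than the one stored generation (or unknown): the cache cannot
		// build the path, so the router must issue a Reset Query and reload.
		return Response{Kind: "cache-reset"}
	}
}

// ResetQuery answers a router with no state: the current serial and full set.
func (c *Cache) ResetQuery() (uint32, []ROA) {
	return c.Serial, append([]ROA(nil), c.roas...)
}

func main() {
	v4 := ROA{Prefix: netip.MustParsePrefix("192.0.2.0/24"), MaxLength: 24, ASN: 64496}
	v6 := ROA{Prefix: netip.MustParsePrefix("2001:db8::/32"), MaxLength: 48, ASN: 64496}
	c := NewCache([]ROA{v4, v6})
	c.Update([]ROA{{Prefix: v4.Prefix, MaxLength: 24, ASN: 64497}, v6}) // origin AS changed
	fmt.Printf("serial %d: %+v\n", c.Serial, c.SerialQuery(0))
}
```

Keying the diff on the whole (prefix, max length, ASN) triple rather than on the prefix alone matters: an ASN change for the same prefix must reach the router as a withdraw of the old ROA followed by an announce of the new one, otherwise the router would keep validating routes against an origin that is no longer authorised.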

10 of 10

Extras

  • Don’t we already have a protocol that can send IP prefixes and added metadata?
  • SLURM (Simplified Local Internet Number Resource Management with the RPKI) - RFC8416
  • Version 2 draft
    • Would provide ability to share path information
  • ROA table could get large
  • Sign your prefixes!
  • I welcome pull requests

Version 2 draft PDU (Protocol Version 2, PDU Type 11):

0          8          16         24        31
.-------------------------------------------.
| Protocol |   PDU    |                     |
| Version  |   Type   |         zero        |
|    2     |    11    |                     |
+-------------------------------------------+
|                                           |
|                  Length                   |
|                                           |
+-------------------------------------------+
|          |          |                     |
|  Flags   |   zero   |  Provider AS Count  |
|          |          |                     |
+-------------------------------------------+
|                                           |
|     Customer Autonomous System Number     |
|                                           |
+-------------------------------------------+
|                                           |
|   Provider Autonomous System Number(s)    |
|                                           |
~-------------------------------------------~