How do you handle invalid or unknown BGP origin announcements with RPKI?

1 What is RPKI?

RPKI is a cryptographic framework that allows network operators to create and publish digital certificates and signed objects that attest their ownership and authority over IP addresses and AS numbers. RPKI objects include route origin authorizations (ROAs), which specify which AS can originate a prefix, and router certificates, which enable routers to authenticate each other and exchange RPKI information. RPKI relies on a hierarchical trust model, where a root certificate authority (CA) delegates authority to regional and local CAs, which in turn issue certificates and ROAs to network operators.

2 How does RPKI validate BGP origin announcements?

RPKI validation is the process of checking the origin AS of a BGP announcement against the ROAs published in the RPKI repository. This can be done by a separate validator server or by the router itself, depending on the implementation. The validator server collects and verifies the RPKI objects from the repository and generates a validation cache, which is a list of valid, invalid, and unknown prefixes and their origin ASes. The validator server then sends the validation cache to the router via a secure protocol, such as RPKI-to-router (RTR). The router then compares the origin AS of each BGP announcement with the validation cache and assigns a validation state: valid, invalid, or unknown.

3 How do you filter invalid or unknown BGP origin announcements?

Filtering invalid or unknown BGP origin announcements is a policy decision that depends on your network objectives and risk tolerance. However, the general recommendation is to reject or de-prioritize invalid announcements and accept or prefer valid announcements. This way, you can prevent routing loops, hijacks, and misconfigurations that could affect your network performance and security. To filter BGP origin announcements based on their validation state, you need to configure your router to apply appropriate route maps, filters, or attributes to the incoming or outgoing BGP updates. For example, you can use the bgp bestpath prefix-validate command to prefer valid prefixes over invalid or unknown prefixes in Cisco IOS.

4 How do you monitor RPKI validation and filtering?

Monitoring RPKI validation and filtering is essential to ensure that your network is receiving and sending accurate and secure BGP origin information. You can use various tools and commands to monitor the status and statistics of RPKI validation and filtering on your router, such as show bgp ipv4 unicast prefix-validate, show rpki cache-server, and show rpki prefix-table in Cisco IOS. You can also use external tools and services, such as RIPE RPKI Validator, RPKI Monitor, and RPKI Observatory, to check the validity of your own or other networks' prefixes and ROAs, and to detect any anomalies or errors in the RPKI repository or validation process.

5 What are some best practices for RPKI validation and filtering?

When deploying RPKI validation and filtering on your network, it’s important to take certain steps to ensure improved security and stability. Utilizing multiple validator servers and cache servers for redundancy and load balancing is imperative. Additionally, it’s important to keep router software and RPKI objects up to date with regular signature verification. Testing RPKI validation and filtering policies in a lab or sandbox environment before applying them to your production network is also recommended. Furthermore, you should monitor the impact of RPKI validation and filtering on your network traffic and routing table size, as well as coordinate with peers and upstream providers for consistent and compatible policies and practices.