Great analysis Harold. We do not have RPKI Validation server. Yes, I am looking to run the Validation function on XR or XE. XE preferably.

Thanks

@onibala 

-RPKI validator on a linux server (RRDP flow to RIR):

 Routinator (by NLnetLabs)

The RPKI Validator (by the RIPE NCC)

OctoRPKI (by Cloudflare)

FORT (by NIC México)

-Configure RPKI server on your IOS-XR/XE Router (RTR flow between the Validator and the Router)

I know about it, but I want to run it on XE or XR.....thanks

Hi @onibala ,

As I mentioned in a previous post, it would be preferable to run the RPKI validation server on a separate Linux server. The reason for that is that this function needs to do crypto related processing related to certification validation for a lot of resources (full Internet routing table), which could have an impact on the router if you decided to implement this function inside a container on XE or XR.

BTW, I have never tested the RPKI validation server in a container on XE and XR, so it remains to be tested.

Regards,

Can you share cisco doc. About  ios xr container used as rpki.

I think the only option is server and it controls by ISP. 

Hi @MHM Cisco World ,

> Can you share cisco doc. About  ios xr container used as rpki.

As mentioned in a previous post, I have never tested running the RPKI validation server in a container on XR myself, but I just found a white paper that states that it is possible and how it can be done.

https://xrdocs.io/design/blogs/routinator-hosted-on-xr

> I think the only option is server and it controls by ISP. 

It is possible that some ISP provide this service, but it is normally recommended to run the RPKI validation service as part of your local infrastructure.

Regards,

Security team generally wants this service in a didicated server, in terms of flow and other security requirements.

Hi @onibala ,

Just found an excellent white paper describing how the RPKI validation server can be implemented in a container on XR. 

https://xrdocs.io/design/blogs/routinator-hosted-on-xr

So, yes it can be done on XR. I have not found any paper for XE, but it might still be possible. This would need to be tested though.

Regards,

Harold, I saw this one already. The configuration is rather complex.

Hi @onibala ,

Yes, it is a bit more complicated than installing on a dedicated Linux server. It is the cost you have to pay for not having to buy an additional server. You could also consider installing the RPKI validation server on an existing Linux server.

Regards,

I would rather buy couple XR devices for robustness and security.

Hi @onibala ,

If you want to install the RPKI validation server on the XR devices then you need to use the solution explained in the white paper I provided, as there is no native support in XR for that functionality.

Regards,

Hello @onibala,

Have you got a toplogy in mind ? Have you got a draw of you want to lab ?

Which Validator do you want to test ? You want to both test IOS-XR and IOS-XE rpki server configuration ?