RPKI Validator Server Configuration

onibala
Level 1

Can IOS, IOS-XE, or IOS-XR support a server functioning as an RPKI Validator? This is similar to PKI CA server configuration on any IOS platform.

I want to test it in our lab without connecting to any RPKI servers on the Internet.

Thanks,

Audie

 


Hi @onibala ,

The two papers that M02@rt37 posted do not show how you can run the RPKI validation server natively on an XR or XE router, but rather how you can configure XR and XE to communicate with an RPKI validator server. 

Do you currently have an RPKI validation server or are you looking at how you could run this functionality on XR or XE?

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Great analysis, Harold. We do not have an RPKI Validation server. Yes, I am looking to run the Validation function on XR or XE. XE preferably.

Thanks

@onibala 

- RPKI validator on a Linux server (RRDP flow to RIR):
  - Routinator (by NLnetLabs)
  - The RPKI Validator (by the RIPE NCC)
  - OctoRPKI (by Cloudflare)
  - FORT (by NIC México)
- Configure RPKI server on your IOS-XR/XE router (RTR flow between the validator and the router)

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
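
The RTR flow mentioned in the post above, as an added example that is not part of the original thread: it parses the PDUs a validator cache sends to a router (RFC 8210, version 1, IPv4 only) and applies RFC 6811 origin validation, which is what a lab can exercise without any Internet-facing RPKI server. The function names, prefixes, ASNs, session ID and timer values are constructed for illustration.

```python
import ipaddress
import struct

CACHE_RESPONSE, IPV4_PREFIX, END_OF_DATA = 3, 4, 7  # RFC 8210 PDU types

def ipv4_pdu(prefix, max_len, asn, announce=True):
    """Build a 20-byte IPv4 Prefix PDU the way a validator cache sends it."""
    net = ipaddress.ip_network(prefix)
    return struct.pack("!BBHIBBBB4sI", 1, IPV4_PREFIX, 0, 20, int(announce),
                       net.prefixlen, max_len, 0, net.network_address.packed, asn)

def parse_vrps(stream):
    """Walk an RTR byte stream and return the resulting set of VRPs."""
    vrps, off = set(), 0
    while off < len(stream):
        if len(stream) - off < 8:
            raise ValueError("truncated PDU header")
        _ver, ptype, _session, length = struct.unpack_from("!BBHI", stream, off)
        if length < 8 or off + length > len(stream):
            raise ValueError("PDU length field out of bounds")
        if ptype == IPV4_PREFIX:
            if length != 20:
                raise ValueError("IPv4 Prefix PDU must be 20 bytes")
            flags, plen, mlen, _zero, addr, asn = struct.unpack_from(
                "!BBBB4sI", stream, off + 8)
            vrp = (ipaddress.ip_network((addr, plen)), mlen, asn)
            # Flags bit 0: 1 announces the VRP, 0 withdraws it.
            (vrps.add if flags & 1 else vrps.discard)(vrp)
        off += length
    return vrps

def validate(vrps, prefix, origin_asn):
    """RFC 6811 origin validation of one BGP route against the VRP set."""
    route = ipaddress.ip_network(prefix)
    covering = [v for v in vrps if route.subnet_of(v[0])]
    if not covering:
        return "not-found"
    ok = any(a == origin_asn and route.prefixlen <= m for _n, m, a in covering)
    return "valid" if ok else "invalid"

# Constructed lab data: documentation/private prefixes and ASNs, made-up session 7.
SAMPLE = (struct.pack("!BBHI", 1, CACHE_RESPONSE, 7, 8)
          + ipv4_pdu("192.0.2.0/24", 24, 64496)
          + ipv4_pdu("10.10.0.0/16", 24, 64497)
          + ipv4_pdu("198.51.100.0/24", 24, 64498)
          + ipv4_pdu("198.51.100.0/24", 24, 64498, announce=False)
          + struct.pack("!BBHIIIII", 1, END_OF_DATA, 7, 24, 1, 3600, 600, 7200))
LAB_VRPS = parse_vrps(SAMPLE)
```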

I know about it, but I want to run it on XE or XR.....thanks

Hi @onibala ,

As I mentioned in a previous post, it would be preferable to run the RPKI validation server on a separate Linux server. The reason for that is that this function needs to do crypto related processing related to certification validation for a lot of resources (full Internet routing table), which could have an impact on the router if you decided to implement this function inside a container on XE or XR.

BTW, I have never tested the RPKI validation server in a container on XE and XR, so it remains to be tested.

Regards,

Harold Ritter

Can you share the Cisco doc about an IOS XR container used as RPKI?

I think the only option is a server, and it is controlled by the ISP.

Hi @MHM Cisco World ,

> Can you share the Cisco doc about an IOS XR container used as RPKI?

As mentioned in a previous post, I have never tested running the RPKI validation server in a container on XR myself, but I just found a white paper that states that it is possible and how it can be done.

https://xrdocs.io/design/blogs/routinator-hosted-on-xr

> I think the only option is a server, and it is controlled by the ISP.

It is possible that some ISPs provide this service, but it is normally recommended to run the RPKI validation service as part of your local infrastructure.

Regards,

Harold Ritter

The security team generally wants this service on a dedicated server, in terms of flow and other security requirements.

 

Best regards

Hi @onibala ,

Just found an excellent white paper describing how the RPKI validation server can be implemented in a container on XR. 

https://xrdocs.io/design/blogs/routinator-hosted-on-xr

So, yes it can be done on XR. I have not found any paper for XE, but it might still be possible. This would need to be tested though.

Regards,

 

Harold Ritter

Harold, I saw this one already. The configuration is rather complex.

Hi @onibala ,

Yes, it is a bit more complicated than installing on a dedicated Linux server. It is the cost you have to pay for not having to buy an additional server. You could also consider installing the RPKI validation server on an existing Linux server.

Regards,

Harold Ritter

I would rather buy a couple of XR devices for robustness and security.

Hi @onibala ,

If you want to install the RPKI validation server on the XR devices then you need to use the solution explained in the white paper I provided, as there is no native support in XR for that functionality.

Regards,

Harold Ritter

Hello @onibala,

Have you got a topology in mind? Have you got a drawing of what you want to lab?

Which validator do you want to test? Do you want to test both IOS-XR and IOS-XE RPKI server configuration?

Best regards