Resource Public Key Infrastructure, abbreviated as RPKI, is a security layer for the Internet's BGP routing infrastructure. It is also known as Resource Certification and is based on the public key infrastructure (PKI) framework. It adds security and reliability to BGP by letting a router check whether the origin AS of a received prefix is authorised to announce it.
In this article, we will discuss a special case in which:
“Customer is receiving full internet routing table from both the ISP 1 and 2 and running ibgp between the routers R1 and R2.”
Problem Statement: When RPKI is enabled on the router, most routes get the status "Not Found" from the RPKI server. For the external (eBGP) routes this status is Not Found as expected, but the same prefixes learned over iBGP show the RPKI status "Valid", which should not happen.
Before enabling RPKI:
R1 #sh bgp ipv4 uni 192.168.0.0/24
BGP routing table entry for 192.168.0.0/24, version 800
Paths: (2 available, best #2, table default)
Advertised to update-groups: 4
Refresh Epoch 8
65001 65002 65003
172.16.1.1 (metric 130816) from 172.16.1.1 (172.16.1.1)
Because a Valid path is preferred over a Not Found path, the customer device starts to prefer the iBGP routes instead of the eBGP routes, causing suboptimal routing in the network.
Internally learned (iBGP) and locally sourced paths aren't subject to validation and are marked Valid by default. The assumption is that you trust your own equipment. You can use the ‘neighbor x.x.x.x announce rpki state’ config on the iBGP sessions between R1 and R2 to ensure that your routers communicate the validation status of each route to each other, instead of treating every iBGP-learned route as Valid.
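The following is an added example, not code from the original article, that models the behaviour described above: RFC 6811 origin validation of a prefix against a set of ROAs, and a simplified best-path decision showing why the iBGP copy of a Not Found route wins until the routers pass their validation state to each other (the effect of ‘neighbor x.x.x.x announce rpki state’). The ROAs, prefixes, AS numbers and paths are constructed sample data, and the best-path rules are reduced to validation rank, AS path length and eBGP-over-iBGP.

```python
"""RFC 6811 origin validation and the iBGP best-path effect from the article.
Added example; not code from the original post. ROAs, prefixes, AS numbers
and paths below are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

VALID, NOT_FOUND, INVALID = "valid", "not found", "invalid"
# Rank used in best-path selection: valid beats not found beats invalid.
RANK = {VALID: 0, NOT_FOUND: 1, INVALID: 2}


@dataclass(frozen=True)
class ROA:
    prefix: str       # ROA prefix, e.g. "10.0.0.0/8" (constructed)
    max_length: int   # longest prefix length the ROA authorises
    origin_as: int    # AS authorised to originate the prefix


@dataclass(frozen=True)
class Path:
    prefix: str
    as_path: Tuple[int, ...]          # origin AS is the last element
    from_ibgp: bool
    peer_state: Optional[str] = None  # state the iBGP peer validated and signalled


def validate(prefix: str, as_path: Sequence[int], roas: Sequence[ROA]) -> str:
    """RFC 6811 origin validation: Not Found if no ROA covers the prefix,
    Valid if a covering ROA matches origin AS and max length, else Invalid."""
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covering = [r for r in roas
                if route.version == ipaddress.ip_network(r.prefix).version
                and route.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return NOT_FOUND
    for roa in covering:
        if roa.origin_as == origin and route.prefixlen <= roa.max_length:
            return VALID
    return INVALID


def local_state(path: Path, roas: Sequence[ROA], announce_state: bool) -> str:
    """What the receiving router believes about a path.
    eBGP paths are validated locally. iBGP paths are trusted and marked Valid,
    unless the peer signals its own validation state (the 'announce rpki state'
    behaviour) and we honour it."""
    if not path.from_ibgp:
        return validate(path.prefix, path.as_path, roas)
    if announce_state and path.peer_state is not None:
        return path.peer_state
    return VALID


def select_best(paths, roas, announce_state=False, allow_invalid=False):
    """Simplified best-path: validation rank, then shorter AS path, then eBGP
    over iBGP. Invalid paths are dropped unless allow_invalid is set."""
    candidates = []
    for p in paths:
        state = local_state(p, roas, announce_state)
        if state == INVALID and not allow_invalid:
            continue
        candidates.append((RANK[state], len(p.as_path), 1 if p.from_ibgp else 0, p, state))
    if not candidates:
        return None, None
    _, _, _, best, state = min(candidates, key=lambda c: c[:3])
    return best, state


# Constructed sample data: one ROA for 10.0.0.0/8, nothing covering 192.168.0.0/24.
SAMPLE_ROAS = [ROA("10.0.0.0/8", 24, 65010)]
SAMPLE_PATHS = [
    # eBGP path from an ISP; this router validates it itself -> Not Found.
    Path("192.168.0.0/24", (65001, 65002, 65003), from_ibgp=False),
    # Same prefix learned over iBGP from R2, which already validated it as Not Found.
    Path("192.168.0.0/24", (65001, 65002, 65003), from_ibgp=True, peer_state=NOT_FOUND),
]

if __name__ == "__main__":
    for announce in (False, True):
        best, state = select_best(SAMPLE_PATHS, SAMPLE_ROAS, announce_state=announce)
        print(f"announce rpki state={announce}: best via "
              f"{'iBGP' if best.from_ibgp else 'eBGP'}, state={state}")
```

Run stand-alone, the script first picks the iBGP path (locally marked Valid) over the eBGP path (Not Found); once the peer's state is honoured, both copies are Not Found and the normal eBGP-over-iBGP preference applies again. The `validate` function also covers the other two outcomes: a prefix longer than the ROA's max length or announced by the wrong origin AS is Invalid, and Invalid paths are excluded from the decision unless `allow_invalid` is set.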
- Rashmi Bhardwaj (Author/Editor)