RPKI Capable Routers

During RIPE 63 in Vienna, a few of us got together and started downloading, compiling and configuring the RPKI daemon (rpki.net). Kay Rechthien, netsign GmbH and me, Florian Hibler, EuroTransit GmbH, found a few holes in the documentation and some issues with the configuration, especially when being new to this technology. But we managed to get it up and running in the end. Therefore we are also willing to contribute to their documentation. Later, the RIPE NCC provided us with the RIPE RPKI Validator which was much easier to install.

You can see our approach here: http://rpki01.fra2.de.euro-transit.net .

I also got in touch with Juniper (thanks to Randy Bush who connected me with the right person at the other end) and obtained the beta code for their RPKI implementation. I now set up two routers, one validating against the RPKId from rpki.net and the other one against the RIPE RPKI Validator.

Being at the edge of technology and contributing to this is very important for our company, so I have made this testbed open to the public. You can have a look at the routers when telnetting to 193.34.50.25 and 193.34.50.26.

• User: rpki
• PW: testbed

You can use the following commands:

• show route <prefix>
• show route validation-state valid|invalid|unknown
• show validation database
• show validation statistics
• show validation session

If you are an a RIPE NCC member, you can use your Resource Certificate to set up BGP origin validation. This is how it works:

1. Read here how to enable the service in the LIR Portal
2. State which ASs are authorised to announce your prefixes in the LIR Portal
3. Check the status here: http://rpki01.fra2.de.euro-transit.net:8080/bgp-preview
4. See if it shows up as authorised valid route announcements on the Junipers routers