Florian Hibler

RPKI Capable Routers

Contributors: Alex Band

During RIPE 63 in Vienna, a few of us got together and started downloading, compiling and configuring the RPKI daemon. I have now set up two routers, which I have made publicly available. The details are described in this article.


During RIPE 63 in Vienna, a few of us got together and started downloading, compiling and configuring the RPKI daemon (rpki.net). Kay Rechthien (netsign GmbH) and I, Florian Hibler (EuroTransit GmbH), found a few holes in the documentation and some issues with the configuration, especially as we were new to this technology. But we managed to get it up and running in the end. Therefore we are also willing to contribute to their documentation. Later, the RIPE NCC provided us with the RIPE RPKI Validator, which was much easier to install.

You can see our approach here: http://rpki01.fra2.de.euro-transit.net

I also got in touch with Juniper (thanks to Randy Bush, who connected me with the right person at the other end) and obtained the beta code for their RPKI implementation. I have now set up two routers, one validating against the RPKId from rpki.net and the other one against the RIPE RPKI Validator.

Being at the edge of technology and contributing to this is very important for our company, so I have made this testbed open to the public. You can have a look at the routers by telnetting to 193.34.50.25 and 193.34.50.26.

  • User: rpki
  • PW: testbed

You can use the following commands:

  • show route <prefix>
  • show route validation-state valid|invalid|unknown
  • show validation database
  • show validation statistics
  • show validation session

If you are a RIPE NCC member, you can use your Resource Certificate to set up BGP origin validation. This is how it works:

  1. Read here how to enable the service in the LIR Portal
  2. State which ASs are authorised to announce your prefixes in the LIR Portal
  3. Check the status here: http://rpki01.fra2.de.euro-transit.net:8080/bgp-preview
  4. See if it shows up as authorised valid route announcements on the Juniper routers

About the author

Florian Hibler, based in Hamburg, Germany

Florian graduated in 2008 from Deutsche Telekom AG as a computer specialist in systems integration after which he worked as a professional Research & Development Engineer. During this time he created solutions for the backbone engineering systems of tier-1 carriers and was also involved in technical projects for the German Navy. In 2009, Florian joined EuroTransit as Head of Network Engineering responsible for network and capacity planning, supplier contracts as well as supervising the Network Management Center. In 2011, he became Chief Technical Officer and so joined the management team working closely to set and deliver the company’s strategy.
