From 65d2a88dd2aaef7344cfa62918e3ddf4c72ca50a Mon Sep 17 00:00:00 2001 From: Pavel TvrdĂ­k Date: Thu, 17 Sep 2015 17:15:30 +0200 Subject: RPKI protocol with one cache server per protocol The RPKI protocol (RFC 6810) using the RTRLib (http://rpki.realmv6.org/) that is integrated inside the BIRD's code. Implemeted transports are: - unprotected transport over TCP - secure transport over SSHv2 Example configuration of bird.conf: ... roa4 table r4; roa6 table r6; protocol rpki { debug all; # Import both IPv4 and IPv6 ROAs roa4 { table r4; }; roa6 { table r6; }; # Set cache server (validator) address, # overwrite default port 323 remote "rpki-validator.realmv6.org" port 8282; # Overwrite default time intervals retry 10; # Default 600 seconds refresh 60; # Default 3600 seconds expire 600; # Default 7200 seconds } protocol rpki { debug all; # Import only IPv4 routes roa4 { table r4; }; # Set cache server address to localhost, # use default ports tcp => 323 or ssh => 22 remote 127.0.0.1; # Use SSH transport instead of unprotected transport over TCP ssh encryption { bird private key "/home/birdgeek/.ssh/id_rsa"; remote public key "/home/birdgeek/.ssh/known_hosts"; user "birdgeek"; }; } ...
---
 doc/bird.sgml | 182 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 180 insertions(+), 2 deletions(-) (limited to 'doc/bird.sgml')
diff --git a/doc/bird.sgml b/doc/bird.sgml
index 014225d1..53998a76 100644
--- a/doc/bird.sgml
+++ b/doc/bird.sgml 
@@ -469,7 +469,7 @@ protocol rip { Create a new ROA (Route Origin Authorization) table. ROA tables can be used to validate route origination of BGP routes. A ROA table contains ROA entries, each consist of a network prefix, a max prefix length and - an AS number. A ROA entry specifies prefixes which could be originated + an AS (Autonomous System) number. A ROA entry specifies prefixes which could be originated by that AS number. ROA tables could be filled with data from RPKI (RFC 6480) or from public databases like Whois. ROA tables are examined by int - RIP metric of the route (ranging from 0 to +RPKI + +Introduction + +

The Resource Public Key Infrastructure (RPKI) is mechanism for origin +validation of BGP routes (RFC 6480). BIRD supports only so-called RPKI-based +origin validation. There is implemented RPKI to Router (RPKI-RTR) protocol (RFC +6810). It uses some of the RPKI data to allow a router to verify that the +autonomous system announcing an IP address prefix is in fact authorized to do +so. This is not crypto checked so can be violated. But it should prevent the +vast majority of accidental hijackings on the Internet today, e.g. the famous +Pakastani accidental announcement of YouTube's address space. + +

The RPKI-RTR protocol receives and maintains a set of ROAs from a cache +server (also called validator). You can validate routes (RFC 6483) using +function reload in for manual call of revalidation of all +routes. + +Supported transports + + Unprotected transport over TCP uses a port 323. The cache server + and BIRD router should be on the same trusted and controlled network + for security reasons. + SSHv2 encrypted transport connection uses the normal SSH port + 22. + + +Configuration + +

We currently support just one cache server per protocol. However you can +define more RPKI protocols generally. + + +protocol rpki [<name>] { + roa4 { table <tab>; }; + roa6 { table <tab>; }; + remote <ip> | "<domain>" [port <num>]; + port <num>; + refresh [keep] <num>; + retry [keep] <num>; + expire [keep] <num>; + transport tcp; + transport ssh { + bird private key "</path/to/id_rsa>"; + remote public key "</path/to/known_host>"; + user "<name>"; + }; +} + + +

Alse note that you have to specify ROA table into which will be imported +routes from a cache server. If you want to import only IPv4 prefixes you have +to specify only roa4 table. Similarly with IPv6 prefixes only. If you want to +fetch both IPv4 and even IPv6 ROAs you have to specify both types of ROA +tables. + +RPKI protocol options + + + remote Specifies + a destination address of the cache server. Can be specified by an IP + address or by full domain name string. Only one cache can be specified + per protocol. This option is required. + + port Specifies the port number. The default port + number is 323 for transport without any encryption and 22 for transport + with SSH encryption. + + refresh [keep] Time period in seconds. Tells how + long to wait before next attempting to poll the cache using a Serial + Query or a Reset Query packet. Must be lower than 86400 seconds (one + day). Too low value can caused a false positive detection of + network connection problems. A keyword retry [keep] Time period in seconds between a failed + Serial/Reset Query and a next attempt. Maximum allowed value is 7200 + seconds (two hours). Too low value can caused a false positive + detection of network connection problems. A keyword expire [keep] Time period in seconds. Received + records are deleted if the client was unable to successfully refresh + data for this time period. Must be in range from 600 seconds (ten + minutes) to 172800 seconds (two days). A keyword transport tcp Unprotected transport over TCP. It's a default + transport. Should be used only on secure private networks. + Default: tcp + + transport ssh { It enables a + SSHv2 transport encryption. Cannot be combined with a TCP transport. + Default: off + + +SSH transport options + + bird private key "/path/to/id_rsa" + A path to the BIRD's private SSH key for authentication. + It can be a id_rsa file. 
+ + remote public key "/path/to/known_host" + A path to the cache's public SSH key for verification identity + of the cache server. It could be a path to known_host file. + + user " + A SSH user name for authentication. This option is a required. + + +Examples +BGP origin validation +

Policy: Don't import +roa4 table r4; +roa6 table r6; + +protocol rpki { + debug all; + + roa4 { table r4; }; + roa6 { table r6; }; + + # Please, do not use rpki-validator.realmv6.org in production + remote "rpki-validator.realmv6.org" port 8282; + + retry keep 5; + refresh keep 30; + expire 600; +} + +filter peer_in { + if (roa_check(r4, net, bgp_path.last) = ROA_INVALID || + roa_check(r6, net, bgp_path.last) = ROA_INVALID) then + { + print "Ignore invalid ROA ", net, " for ASN ", bgp_path.last; + reject; + } + accept; +} + +protocol bgp { + debug all; + local as 65000; + neighbor 192.168.2.1 as 65001; + import filter peer_in; +} + + +SSHv2 transport encryption + +roa4 table r4; +roa6 table r6; + +protocol rpki { + debug all; + + roa4 { table r4; }; + roa6 { table r6; }; + + remote 127.0.0.1 port 2345; + transport ssh { + bird private key "/home/birdgeek/.ssh/id_rsa"; + remote public key "/home/birdgeek/.ssh/known_hosts"; + user "birdgeek"; + }; + + # Default interval values +} + + + Static -- cgit v1.2.3