BGP RPKI-Based Route Validation
Overview
Resource Public Key Infrastructure (RPKI) is a security framework designed to mitigate the risk of BGP prefix hijacking by cryptographically verifying that an Autonomous System (AS) is authorized to announce a given IP prefix.
In OcNOS, RPKI-based BGP Origin Validation allows the router to download Route Origin Authorizations (ROAs) from an RPKI server via the RTR protocol. The downloaded ROAs are then used to validate incoming BGP routes, ensuring that only legitimate prefixes are considered during best path selection.
This feature improves routing security by reducing the acceptance and propagation of invalid routes.
Feature Characteristics
• ROA Retrieval: Supports downloading ROAs from multiple (up to 10) RPKI servers over TCP or SSH transport.
• Per-AF and Per-VRF Support: Validation can be enabled on a per-address-family (IPv4/IPv6 unicast) and per-VRF basis.
• Validation States: Each route is tagged with one of three validation states:
    • Valid (V): Prefix-AS match found in a ROA.
    • Invalid (I): Prefix-AS mismatch, or the announcement is not authorized by the covering ROA.
    • Not-Found (N): No corresponding ROA.
• Flexible Policy Control: Route-map support for matching on RPKI state (valid, invalid, not-found) to set attributes such as local preference.
• Best Path Selection Control:
    • Option to consider only valid/not-found routes for path selection.
    • Configurable to allow invalid routes to be considered in best path selection.
• Dynamic Updates: ROA updates are applied in real time from RPKI servers.
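As an added illustration, not OcNOS code, the following Python derives the three validation states listed above from a ROA cache using the RFC 6811 origin-validation procedure, and applies the best-path control described above; the ROA entries, AS numbers and the best_path_eligible helper are constructed assumptions for this example.

```python
import ipaddress
from typing import Iterable, NamedTuple


class ROA(NamedTuple):
    """One Route Origin Authorization as a router would hold it after an RTR fetch."""
    prefix: str       # authorised prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the holder allows to be announced
    asn: int          # authorised origin AS (AS 0 means nobody may originate this)


# Constructed sample cache standing in for ROAs downloaded from RPKI servers.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),   # may be announced as /22, /23 or /24
    ROA("203.0.113.0/24", 24, 0),        # AS0 ROA: every announcement is invalid
    ROA("2001:db8::/32", 48, 64496),
]


def origin_validation_state(route_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return "valid", "invalid" or "not-found" for a received route.

    A ROA covers the route when the route prefix lies inside the ROA prefix.
    A covering ROA matches when the route is also no longer than max_length
    and originates from the ROA's AS. Any match -> valid; covered but no
    match -> invalid (AS mismatch or too-specific); nothing covers -> not-found.
    """
    route = ipaddress.ip_network(route_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if route.prefixlen <= roa.max_length and origin_asn == roa.asn:
            return "valid"
    return "invalid" if covered else "not-found"


def best_path_eligible(state: str, allow_invalid: bool = False) -> bool:
    """Best-path control: valid and not-found routes always compete; invalid
    routes only when the operator has chosen to allow them (assumed helper)."""
    return state != "invalid" or allow_invalid


if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("198.51.100.0/23", 64497), ("203.0.113.0/24", 64496),
                        ("2001:db8:1::/48", 64496), ("198.18.0.0/15", 64496)]:
        state = origin_validation_state(prefix, asn, SAMPLE_ROAS)
        print(f"{prefix:<20} AS{asn:<6} {state:<9} eligible={best_path_eligible(state)}")
```

Note that a route from the authorised AS still comes out invalid when it is more specific than the ROA's maxLength, which is the case most often hit when operators deaggregate without updating their ROAs.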
Benefits
• Enhanced Security: Prevents acceptance of hijacked or misconfigured routes.
• Operational Flexibility: Operators can tune route selection with route-maps or allow invalid routes for troubleshooting.
• Standards Compliance: Implements BGP Origin Validation as per RPKI-based validation standards.
• Granular Control: Policies can be applied per Address Family (AF) or Virtual Routing and Forwarding (VRF) instance, giving operators flexibility to deploy validation gradually.
• Improved Resilience: Reduces propagation of invalid prefixes across the Internet routing system.