RPKI
RouterOS implements the RPKI to Router (RTR) protocol defined in RFC 8210, the transport used to fetch Resource Public Key Infrastructure (RPKI) data. RTR is a lightweight, low-memory protocol through which a router retrieves prefix validation data (prefix, maximum length and origin AS records) from an RPKI validator; the router never processes the RPKI objects itself. See a validator setup example on the RIPE blog.
Configuration is available under /routing/rpki.
Basic Example
Assume your network has an RTR server at IP address 192.168.1.1:
/routing/rpki
add group=myRpkiGroup address=192.168.1.1 port=8282 refresh-interval=20
The group, address, port, and refresh-interval parameters configure the RTR connection. Additional parameters include vrf, preference, retry-interval, and expire-interval.
After the connection is established and the validator database is received, check prefix validity using rpki-check:
[admin@rack1_b33_CCR1036] /routing/rpki> rpki-check group=myRpkiGroup prfx=70.132.18.0/24 origin-as=16509
valid
Use the cached database in routing filters to accept or reject prefixes based on RPKI validity. First add a /routing/filter/rule with rpki-verify that names the RPKI group performing the verification; rules that follow it in the same chain can then match the status taken from that group's database. Status can have one of four values:
- valid - Database has a record and origin AS is valid.
- invalid - The database has a record and origin AS is invalid.
- unknown - The database does not have information about the prefix and origin AS.
- unverified - Set when none of the RPKI group's sessions has synced the database. Use this value to handle total RPKI failure.
/routing/filter/rule
add chain=bgp_in rule="rpki-verify myRpkiGroup"
add chain=bgp_in rule="if (rpki invalid) { reject } else { accept }"
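As an added example, and not RouterOS code or part of the original page, the following Python script does what the rpki-check command and the four filter states above rely on: it parses a constructed RTR (RFC 8210, protocol version 1) byte stream into validated prefix/origin-AS records the way a router's RTR client does, then applies RFC 6811 route origin validation to return valid, invalid, unknown or unverified. The session id, serial, timer values and the 192.0.2.0/24 and 2001:db8::/32 records are constructed; the 70.132.18.0/24 origin AS16509 record is taken from the rpki-check example on this page.

```python
"""Parse an RPKI-to-Router (RTR, RFC 8210) stream into VRPs and run
RFC 6811 origin validation. All PDU bytes here are constructed for the
example; this is not a capture from a real validator."""
from __future__ import annotations
import ipaddress
import struct
from dataclasses import dataclass

PDU_CACHE_RESPONSE = 3
PDU_IPV4_PREFIX = 4
PDU_IPV6_PREFIX = 6
PDU_END_OF_DATA = 7
FLAG_ANNOUNCE = 0x01  # flags bit 0: 1 = announcement, 0 = withdrawal


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: prefix, maximum length and origin ASN."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def parse_rtr_stream(data: bytes) -> tuple[set[VRP], bool]:
    """Walk the PDUs of an RTR stream and return (vrps, synced).

    synced becomes True only after an End Of Data PDU; until then the
    router is in the 'unverified' state the filter text describes."""
    vrps: set[VRP] = set()
    synced = False
    off = 0
    while off < len(data):
        # Common 8-byte header: version, PDU type, session id / reserved, length
        version, pdu_type, _session, length = struct.unpack_from("!BBHI", data, off)
        if version != 1:
            raise ValueError(f"unsupported RTR protocol version {version}")
        if length < 8 or off + length > len(data):
            raise ValueError("truncated or malformed PDU")
        body = data[off + 8:off + length]
        if pdu_type in (PDU_IPV4_PREFIX, PDU_IPV6_PREFIX):
            flags, plen, maxlen, _zero = struct.unpack_from("!BBBB", body, 0)
            addr_len = 4 if pdu_type == PDU_IPV4_PREFIX else 16
            addr = ipaddress.ip_address(body[4:4 + addr_len])
            (asn,) = struct.unpack_from("!I", body, 4 + addr_len)
            vrp = VRP(ipaddress.ip_network(f"{addr}/{plen}"), maxlen, asn)
            if flags & FLAG_ANNOUNCE:
                vrps.add(vrp)
            else:
                vrps.discard(vrp)  # withdrawal removes an earlier announcement
        elif pdu_type == PDU_END_OF_DATA:
            synced = True
        # Other PDU types (Cache Response, Serial Notify, ...) carry no VRPs
        off += length
    return vrps, synced


def validate(vrps: set[VRP], synced: bool, prefix: str, origin_as: int) -> str:
    """RFC 6811 origin validation, returning the RouterOS filter states."""
    if not synced:
        return "unverified"
    route = ipaddress.ip_network(prefix)
    # A VRP covers the route when the route lies inside the VRP prefix
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "unknown"
    for v in covering:
        if v.asn == origin_as and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"  # covered, but no VRP matches ASN and max length


def build_prefix_pdu(prefix: str, max_length: int, asn: int, announce: bool = True) -> bytes:
    """Encode an IPv4 (type 4, 20 bytes) or IPv6 (type 6, 32 bytes) Prefix PDU."""
    net = ipaddress.ip_network(prefix)
    pdu_type = PDU_IPV4_PREFIX if net.version == 4 else PDU_IPV6_PREFIX
    body = (struct.pack("!BBBB", FLAG_ANNOUNCE if announce else 0, net.prefixlen, max_length, 0)
            + net.network_address.packed + struct.pack("!I", asn))
    return struct.pack("!BBHI", 1, pdu_type, 0, 8 + len(body)) + body


SESSION_ID = 0x1234  # constructed
SAMPLE_STREAM = (
    struct.pack("!BBHI", 1, PDU_CACHE_RESPONSE, SESSION_ID, 8)
    + build_prefix_pdu("70.132.18.0/24", 24, 16509)          # from the page's rpki-check example
    + build_prefix_pdu("192.0.2.0/24", 24, 64496)            # constructed
    + build_prefix_pdu("2001:db8::/32", 48, 64496)           # constructed
    + build_prefix_pdu("192.0.2.0/24", 24, 64496, announce=False)  # withdrawn again
    # End Of Data v1: serial 42, refresh 3600, retry 600, expire 7200 (constructed)
    + struct.pack("!BBHIIIII", 1, PDU_END_OF_DATA, SESSION_ID, 24, 42, 3600, 600, 7200)
)


def rpki_check(prefix: str, origin_as: int, stream: bytes = SAMPLE_STREAM) -> str:
    """Mirror of 'rpki-check prfx=... origin-as=...' against the parsed stream."""
    vrps, synced = parse_rtr_stream(stream)
    return validate(vrps, synced, prefix, origin_as)


if __name__ == "__main__":
    for p, a in [("70.132.18.0/24", 16509), ("70.132.18.0/25", 16509),
                 ("70.132.18.0/24", 64500), ("198.51.100.0/24", 64496),
                 ("2001:db8:1::/48", 64496)]:
        print(p, a, rpki_check(p, a))
```

The /25 case shows why max length matters: the route is covered by the AS16509 record but exceeds its maximum length of 24, so it is invalid rather than unknown, which is the condition the `if (rpki invalid) { reject }` rule acts on. Passing the stream without its final End Of Data PDU yields unverified for every prefix, the state to match when guarding against a validator outage.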