JUNOS_BGP3
This time: Origin AS validation with RPKI.
The topology is shown below; R1 performs origin validation. The RPKI (RTR) server used is the one published by JPNIC.
R1 → AS1
R2 → AS2
First, Cisco.
R1 and R2 are connected over eBGP; confirm that R2 is advertising the route 5.1.64.0/24 to R1.
R1
R1#show bgp ipv4 unicast
BGP table version is 5659, local router ID is 1.1.1.1
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*> 1.1.1.1/32 0.0.0.0 0 32768 i
*> 3.3.3.3/32 10.1.1.254 0 2 i
*> 5.1.64.0/24 10.1.1.254 0 0 2 i
Now the RPKI configuration.
R1
router bgp 1
bgp router-id 1.1.1.1
bgp log-neighbor-changes
bgp rpki server tcp 192.41.192.218 port 323 refresh 150
neighbor 10.1.1.254 remote-as 2
!
address-family ipv4
network 1.1.1.1 mask 255.255.255.255
neighbor 10.1.1.254 activate
neighbor 10.1.1.254 soft-reconfiguration inbound
neighbor 10.1.1.254 route-map RPKI in
exit-address-family
!
!
route-map RPKI permit 10
match rpki invalid
set local-preference 90
!
route-map RPKI permit 20
match rpki not-found
set local-preference 100
!
route-map RPKI permit 30
match rpki valid
set local-preference 110
!
Verify on R1
R1#show bgp ipv4 unicast
BGP table version is 5662, local router ID is 1.1.1.1
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
V*> 1.1.1.1/32 0.0.0.0 0 32768 i
I* 5.1.64.0/24 10.1.1.254 0 90 0 2 i
→ 5.1.64.0/24 now has a LocPrf of 90 and an "I" at the start of the line.
This is because the RPKI validation result is "INVALID".
R1#show bgp ipv4 unicast rpki table
Network Maxlen Origin-AS Source Neighbor
5.1.64.0/24 24 34549 0 192.41.192.218/323
→ According to RPKI, the origin of 5.1.64.0/24 is AS34549, whereas the route arrived with origin AS2, so R1 judges it invalid.
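To make explicit the rule both routers are applying (RFC 6811 origin validation, then the local-preference mapping from the route-map / policy above), here is an added Python example; it is not code from the original post. The ROA for 5.1.64.0/24 is taken from the RPKI table output; the other ROAs and routes are constructed to exercise the covering-prefix and maxLength cases.

```python
from ipaddress import ip_network

# Constructed ROA table in the shape of "show bgp ipv4 unicast rpki table":
# (prefix, maxlen, origin AS). The 5.1.64.0/24 entry is the one seen on the
# page; the others are constructed examples.
ROAS = [
    ("5.1.64.0/24", 24, 34549),
    ("192.0.2.0/24", 24, 64500),
    ("10.0.0.0/8", 16, 64496),
]

# Local-preference per validation state, as in the route-map / policy-statement.
LOCAL_PREF = {"valid": 110, "not-found": 100, "invalid": 90}


def validate_origin(prefix, origin_as, roas=ROAS):
    """RFC 6811 route origin validation.

    A ROA covers a route when the route prefix lies inside the ROA prefix.
    No covering ROA            -> "not-found"
    Covering ROA with matching origin AS and prefix length <= maxLength
                               -> "valid"
    Covered but no such match  -> "invalid"
    """
    route = ip_network(prefix)
    covered = False
    for roa_prefix, maxlen, roa_as in roas:
        roa = ip_network(roa_prefix)
        if route.version != roa.version or not route.subnet_of(roa):
            continue
        covered = True
        if roa_as == origin_as and route.prefixlen <= maxlen:
            return "valid"
    return "invalid" if covered else "not-found"


def classify(prefix, as_path):
    """Return (validation state, local-pref) for a received route.

    The origin AS is the rightmost AS in the AS path (AS_SETs not handled).
    """
    state = validate_origin(prefix, as_path[-1])
    return state, LOCAL_PREF[state]


if __name__ == "__main__":
    # The route R2 (AS2) advertised on the page: covered by the ROA but wrong origin.
    print(classify("5.1.64.0/24", [2]))   # ('invalid', 90)
    print(classify("3.3.3.3/32", [2]))    # ('not-found', 100)
```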
...Now let's do the same thing on JunOS.
R1
set routing-options router-id 1.1.1.1
set routing-options autonomous-system 1
set routing-options validation group RPKI session 192.41.192.218 refresh-time 150
set routing-options validation group RPKI session 192.41.192.218 hold-time 300
set routing-options validation group RPKI session 192.41.192.218 port 323
set protocols bgp group EBGP type external
set protocols bgp group EBGP import validation
set protocols bgp group EBGP export to-eBGP
set protocols bgp group EBGP peer-as 2
set protocols bgp group EBGP neighbor 10.1.1.254
set policy-options policy-statement validation term valid from protocol bgp
set policy-options policy-statement validation term valid from validation-database valid
set policy-options policy-statement validation term valid from route-type external
set policy-options policy-statement validation term valid then local-preference 110
set policy-options policy-statement validation term valid then validation-state valid
set policy-options policy-statement validation term valid then accept
set policy-options policy-statement validation term invalid from protocol bgp
set policy-options policy-statement validation term invalid from validation-database invalid
set policy-options policy-statement validation term invalid from route-type external
set policy-options policy-statement validation term invalid then local-preference 90
set policy-options policy-statement validation term invalid then validation-state invalid
set policy-options policy-statement validation term invalid then accept
set policy-options policy-statement validation term unknown from protocol bgp
set policy-options policy-statement validation term unknown from route-type external
set policy-options policy-statement validation term unknown then validation-state unknown
set policy-options policy-statement validation term unknown then accept
Verify on R1
admin@R1# run show route receive-protocol bgp 10.1.1.254
inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 3.3.3.3/32 10.1.1.254 2 I
* 5.1.64.0/24 10.1.1.254 2 I
admin@R1# run show route protocol bgp 5.1.64.0/24
inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
5.1.64.0/24 *[BGP/170] 00:00:22, localpref 90
AS path: 2 I, validation-state: invalid
> to 10.1.1.254 via ge-0/0/0.0
It shows "invalid", and the localpref is "90".
Note that the "validation-state" shown here does not change unless it is set in the policy statement (the `then validation-state ...` actions above).
Well, the config posted on JPNIC's site looked a bit odd, so I just verified it here.