RPKI for Home Usage
Resource Public Key Infrastructure
You may already know what RPKI is …
It’s a PKI framework for improving the security of the Internet routing infrastructure, which is based on BGP.
As a home user or small/medium-sized company, you normally don’t have a full BGP table and multiple upstream providers. You have one Internet router or firewall and you get a default route from your ISP.
With OpenBGPD and its current RPKI extensions, you “just” need a full BGP feed, and then you can filter all routes with invalid ROAs and keep your routing (and Internet access) more secure.
Network Diagram

+-------------+          +---------------+
|             |          |               |   Home Network, 192.168.1.0/24
|     www     +----------+   Router /    +------------------------------------------+
|             |          |   Firewall    |                                          |
|             |          |               | <----------------------------+           |
+-------------+          +---------------+   3. Sending Invalid Route   |           |
                                             for Nullrouting            |           |
                                                                        |           |
+-------------+                                                +--------------------+
|             |                                                |                    |
|  BGP Peer   |                                                | OpenBSD VM running |
|             | <--------------------------------------------> |  OpenBGPD & RPKI   |
|  AS: 12345  |                  EBGP Session                  |                    |
+-------------+                                                |  AS: 65001         |
                                                               +--------------------+
       +--------------------------------------->
       1. Sending Full BGP Table (800k Routes)      2. Filtering Invalid Routes
Setup
OpenBSD VM with OpenBGPD and Full Feed
Install the VM and patch the box. Apply all the usual security restrictions (SSH keys, root login restrictions, packet filter, …) as you normally would.
Install OpenBGPD
As it is part of the base system, you just have to configure it :)
cat << 'EOF' > /etc/bgpd.conf
# BGP Config
ASN="65100"
AS $ASN
# you can use your public IP address as router-id, it doesn't matter ...
router-id x.x.x.x
# we don't announce any network
prefix-set mynetworks {
}
# we have to accept routes via the default route, as the BGP peer is out on the Internet ..
nexthop qualify via default
# update the FIB (kernel routing table) ?
fib-update yes
# hold time
holdtime 7200
# validate rpki: ROA set generated by rpki-client(8)
include "/var/db/rpki-client/openbgpd"
# upstream providers
neighbor 85.232.240.179 {
	remote-as 57355
	descr "lukasz.bromirski.net-4"
	multihop 15
}
## rules section
# just accept the invalid routes and blackhole them
allow quick from ebgp ovs invalid set nexthop blackhole
# don't advertise anything to the peer
deny quick to ebgp
EOF
chmod 600 /etc/bgpd.conf
Enable and Start Service
rcctl enable bgpd
rcctl restart bgpd
Enable RPKI Update in Crontab
~ * * * * -ns rpki-client -v && bgpctl reload
Check BGP
user@bgpvm ~$ bgpctl show sum
Neighbor AS MsgRcvd MsgSent OutQ Up/Down State/PrfRcvd
lukasz.bromirski.net-4 57355 1487779 259 0 4d21h27m 823706
As you can see here, we learn 823k IPv4 routes from Lukasz's BGP router,
but all of them are invalid! (check the ! under the ovs column)
Invalid Routes only
user@bgpvm ~$ bgpctl show ip bgp ovs invalid |head -20
flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete
flags ovs destination gateway lpref med aspath origin
*> ! 1.6.219.0/24 85.232.240.179 100 0 57355 15694 6453 9583 137130 i
*> ! 1.6.229.0/24 85.232.240.179 100 0 57355 15694 6453 4755 i
*> ! 1.6.230.0/24 85.232.240.179 100 0 57355 15694 6453 4755 i
*> ! 1.7.178.0/24 85.232.240.179 100 0 57355 15694 6453 9583 137130 i
*> ! 1.37.137.0/24 85.232.240.179 100 0 57355 15694 6453 4775 i
*> ! 1.186.221.0/24 85.232.240.179 100 0 57355 15694 6453 4755 45769 i
*> ! 2.58.132.0/24 85.232.240.179 100 0 57355 15694 24724 6461 1680 42013 i
*> ! 2.188.227.0/24 85.232.240.179 100 0 57355 15694 24724 12389 29049 49666 12880 42337 i
*> ! 2.188.229.0/24 85.232.240.179 100 0 57355 15694 24724 12389 29049 49666 12880 42337 212161 i
*> ! 2.188.232.0/23 85.232.240.179 100 0 57355 15694 24724 12389 29049 49666 12880 42337 i
*> ! 2.188.232.0/24 85.232.240.179 100 0 57355 15694 24724 12389 29049 49666 12880 42337 43395 i
*> ! 2.188.234.0/24 85.232.240.179 100 0 57355 15694 24724 12389 29049 49666 12880 42337 204393 i
*> ! 2.188.236.0/23 85.232.240.179 100 0 57355 15694 24724 12389 29049 49666 12880 42337 i
*> ! 2.188.238.0/24 85.232.240.179 100 0 57355 15694 24724 12389 29049 49666 12880 42337 204393 i
Checking your own routing table, you can see hundreds of invalid and hence nullrouted networks!
My Routing Table
user@bgpvm ~$ route -n show -inet |head -10
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default ip-of-my-router UGS 6 18989 - 8 em0
224/4 127.0.0.1 URS 0 0 32768 8 lo0
1.6.219/24 127.0.0.1 UGB 0 0 32768 48 lo0
1.6.229/24 127.0.0.1 UGB 0 0 32768 48 lo0
1.6.230/24 127.0.0.1 UGB 0 0 32768 48 lo0
1.7.178/24 127.0.0.1 UGB 0 0 32768 48 lo0
...
user@bgpvm ~$ route -n show -inet |grep "127.0.0.1" |wc -l
1076
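As an added example (not code from the original post): a small POSIX sh script that checks the setup above is actually doing its job, serving both the bgpctl listing and the routing table listing shown above. It assumes the rpki-client output path from the bgpd.conf above, OpenBSD's stat(1) syntax for the live check, and the column layouts of the two listings; the sample outputs embedded in it are constructed, shortened copies of those listings. It counts kernel entries by the B (blackhole) flag rather than by grepping for 127.0.0.1, because the 224/4 multicast entry in the listing also points at 127.0.0.1 without being a blackhole.

```shell
#!/bin/sh
# Added example (not from the original post): consistency checks for the
# OpenBGPD + rpki-client blackhole setup described above.
# Assumptions: the ROA file path /var/db/rpki-client/openbgpd from bgpd.conf,
# and the column layout of "bgpctl show ip bgp ovs invalid" and
# "route -n show -inet" as printed in the listings above.

ROA_FILE="/var/db/rpki-client/openbgpd"
MAX_ROA_AGE=7200   # seconds: one hourly cron run plus slack

# roa_fresh NOW MTIME MAXAGE
# Succeeds when the ROA file was written no more than MAXAGE seconds before NOW.
# A stale file means bgpd keeps validating against an old ROA set.
roa_fresh() {
    [ $(( $1 - $2 )) -le "$3" ]
}

# count_invalid
# Reads "bgpctl show ip bgp ovs invalid" output on stdin and prints how many
# routes really carry "!" (invalid) in the ovs column; legend and header
# lines are skipped because their second field is never "!".
count_invalid() {
    awk '$2 == "!" && $3 ~ /\// { n++ } END { print n + 0 }'
}

# count_blackholed
# Reads "route -n show -inet" output on stdin and prints how many FIB entries
# carry the B (blackhole) flag. Grepping for 127.0.0.1 alone also matches the
# 224/4 multicast entry, which is not a blackhole.
count_blackholed() {
    awk 'NF >= 4 && $2 == "127.0.0.1" && index($3, "B") > 0 { n++ } END { print n + 0 }'
}

# fib_matches_rib INVALID BLACKHOLED
# With "fib-update yes" every accepted invalid route should appear as a
# blackhole entry in the kernel table; a mismatch usually means bgpd is not
# updating the FIB or a reload is pending.
fib_matches_rib() {
    [ "$1" -eq "$2" ]
}

# Constructed sample output, shortened from the listings above.
SAMPLE_BGPCTL='flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
       S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete

flags ovs destination     gateway          lpref   med aspath origin
*>    ! 1.6.219.0/24    85.232.240.179     100     0 57355 15694 6453 9583 137130 i
*>    ! 1.6.229.0/24    85.232.240.179     100     0 57355 15694 6453 4755 i
*>    ! 1.6.230.0/24    85.232.240.179     100     0 57355 15694 6453 4755 i'

SAMPLE_ROUTE='Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.0.2.1          UGS        6    18989     -     8 em0
224/4              127.0.0.1          URS        0        0 32768     8 lo0
1.6.219/24         127.0.0.1          UGB        0        0 32768    48 lo0
1.6.229/24         127.0.0.1          UGB        0        0 32768    48 lo0
1.6.230/24         127.0.0.1          UGB        0        0 32768    48 lo0'

# live_check: the same functions applied to the running system. Only called
# when bgpctl exists, i.e. on the OpenBSD VM itself.
live_check() {
    now=$(date +%s)
    mtime=$(stat -f %m "$ROA_FILE")          # OpenBSD stat(1) syntax (assumption)
    roa_fresh "$now" "$mtime" "$MAX_ROA_AGE" || echo "WARNING: ROA set older than ${MAX_ROA_AGE}s, check the rpki-client cron job"
    inv=$(bgpctl show ip bgp ovs invalid | count_invalid)
    bh=$(route -n show -inet | count_blackholed)
    echo "invalid routes in RIB: $inv, blackholed in FIB: $bh"
    fib_matches_rib "$inv" "$bh" || echo "WARNING: RIB and FIB disagree, try 'bgpctl reload'"
}

# demo: offline run of the same checks on the constructed samples.
demo() {
    inv=$(printf '%s\n' "$SAMPLE_BGPCTL" | count_invalid)
    bh=$(printf '%s\n' "$SAMPLE_ROUTE" | count_blackholed)
    echo "sample: invalid=$inv blackholed=$bh"
    fib_matches_rib "$inv" "$bh" && echo "sample: RIB and FIB consistent"
}

if command -v bgpctl >/dev/null 2>&1; then
    live_check
else
    demo
fi
```

Run it from cron after the rpki-client job or by hand; on the VM it prints the live RIB/FIB counts and warns when the ROA set is stale or the two tables disagree, which are the two failure modes that silently turn this setup back into an unfiltered default route.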
Now you simply peer with your own Internet router (of course, it must also be able to speak BGP) and nullroute all these networks there as well. Then your whole home/SME network is protected :)
Give it a try!
Any Comments ?
sha256: b5e56c3b752e6ba6300f35bdaf629b1c7aef93cecaa751fd2e90b055f404a90e