RPKI for Home Usage

Page content

Resource Public Key Infrastructure

you may know what RPKI is …

It’s a PKI Framework for improving Security for the Internet Routing Infrastructure based on BGP.

As a HomeUser or Small/Medium Size Company, you normally don’t have a Full BGP Table and multipe Upstream Providers. You have one Internet Router or Firewall and you get a Default Route from your ISP.

With OpenBGPD and the current rpki extensions, you “just” need a Full BGP Feed and then, you can filter all invalid ROA’s and keep your Routing (and Internet Access) more Secure.

Network Diagram


 +-------------+              +---------------+
 |             |              |               |
 |             |              |   Router /    |                     Home Network, 192.168.1.0/24
 |     www     +--------------+   Firewall    +------------------------------------------------+
 |             |              |               |                                    |
 |             |              |               |  <---------------------------+     |
 +-------------+              +---------------+    3. Sending Invalid Route  |     |
        |                                             for Nullrouting        |     |
        |                                                                    |     |
 +-------------+                                                          +--------------------+
 |             |                                                          |                    |
 |   BGP Peeer |                                                          | OpenBSD VM running |
 |             |          <------------------------>                      | OpenBGPD & RPKI    |
 | AS: 12345   |                 EBGP Session                             |                    |
 +-------------+                                                          | AS: 65001-         |
                                                                          +--------------------+
                     +--------------------------------------->
                      1. Sending Full BGP Table (800k Routes)             2. Filtern Invalid Routes

Setup

OpenBSD VM with OpenBGPD and Fullfeed

Install the VM and Patch the Box. Apply all normal Security Restrictions (SSH Key, Root Logins restrictions, Packet Filter, …) as you normally should do.

Install OpenBGPD

As it is part of the Base System, you just have to configure it :)

cat << 'EOF' > /etc/bgpd.conf

# BGP Config
AS $ASN
ASN="65100"
router-id x.x.x.x (you can use your public ip address, it doesn't matter ...)

# we don't announce any network
prefix-set mynetworks {
}

# we have to accept Routes via Default, as the BGP Peers is out in the Internet ..
nexthop qualify via default

# udpate fib ?
fib-update yes

# hold time
holdtime 7200

# validate rpki
include "/var/db/rpki-client/openbgpd"

# upstream providers
neighbor 85.232.240.179 {
  remote-as 57355
  descr "lukasz.bromirski.net-4"
  multihop 15
}

## rules section

# just accecpt invalid routes and set blackhole them
allow quick from ebgp ovs invalid set nexthop blackhole

# don't advertise anything to the peer
deny quick to ebgp

EOF

chmod 600 /etc/bgpd.conf

Enable and Start Service

rcctl enable bgpd
rcctl restart bgpd

Enable RPKI Update in Crontab

~	*	*	*	*	-ns rpki-client -v && bgpctl reload

Check BGP

user@bgpvm ~$ bgpctl show sum                                                                                                               
Neighbor                   AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrfRcvd
lukasz.bromirski.net-4  57355    1487779        259     0 4d21h27m 823706

As you can see here, we learn 823k IPv4 Routes from Lukasz BGP Router

but all of them are Invalid ! (check the ! under column ovs)

Invalid Routes only

user@bgpvm ~$ bgpctl show ip bgp ovs invalid |head -20 
flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
       S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete

flags ovs destination          gateway          lpref   med aspath origin
*>      ! 1.6.219.0/24         85.232.240.179    100     0 57355 15694 6453 9583 137130 i
*>      ! 1.6.229.0/24         85.232.240.179    100     0 57355 15694 6453 4755 i
*>      ! 1.6.230.0/24         85.232.240.179    100     0 57355 15694 6453 4755 i
*>      ! 1.7.178.0/24         85.232.240.179    100     0 57355 15694 6453 9583 137130 i
*>      ! 1.37.137.0/24        85.232.240.179    100     0 57355 15694 6453 4775 i
*>      ! 1.186.221.0/24       85.232.240.179    100     0 57355 15694 6453 4755 45769 i
*>      ! 2.58.132.0/24        85.232.240.179    100     0 57355 15694 24724 6461 1680 42013 i
*>      ! 2.188.227.0/24       85.232.240.179    100     0 57355 15694 24724 12389 29049 49666 12880 42337 i
*>      ! 2.188.229.0/24       85.232.240.179    100     0 57355 15694 24724 12389 29049 49666 12880 42337 212161 i
*>      ! 2.188.232.0/23       85.232.240.179    100     0 57355 15694 24724 12389 29049 49666 12880 42337 i
*>      ! 2.188.232.0/24       85.232.240.179    100     0 57355 15694 24724 12389 29049 49666 12880 42337 43395 i
*>      ! 2.188.234.0/24       85.232.240.179    100     0 57355 15694 24724 12389 29049 49666 12880 42337 204393 i
*>      ! 2.188.236.0/23       85.232.240.179    100     0 57355 15694 24724 12389 29049 49666 12880 42337 i
*>      ! 2.188.238.0/24       85.232.240.179    100     0 57355 15694 24724 12389 29049 49666 12880 42337 204393 i

checking your own routing table, you can see hunderts of invalid and hence nullrouted networks !

My Routing Table

user@bgpvm ~$ route -n show -inet |head -10               
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            ip-of-my-router    UGS        6    18989     -     8 em0  
224/4              127.0.0.1          URS        0        0 32768     8 lo0  
1.6.219/24         127.0.0.1          UGB        0        0 32768    48 lo0  
1.6.229/24         127.0.0.1          UGB        0        0 32768    48 lo0  
1.6.230/24         127.0.0.1          UGB        0        0 32768    48 lo0  
1.7.178/24         127.0.0.1          UGB        0        0 32768    48 lo0 
...

user@bgpvm ~$ route -n show -inet |grep "127.0.0.1" |wc -l
1076

now. you simple peer with your own Internet Router (of course, it must also be able to speak bgp) and there, you Nullroute all this Networks as well. And your whole Home/SME Network is protected :)

Give a try !

sha256: 8945b5c618e1372c7494b514f232c49aed4c2268030eec9abd80d701274d71dd