[lacnog] [sidr] Announcing BGP Secure Router Extension (BGP-SRx) Prototype Implementation

Arturo Servin aservin en lacnic.net
Sun Oct 16 13:55:03 BRST 2011


	I have it working on CentOS.

http://www.labs.lacnic.net/drupal/rpki-with-quagga

	By the way, we want to do a route analysis, but we need a peering (only to obtain the routes, not for traffic) with full routing tables in v4 and v6 (we could use MRT from RIS or route-views, but I think that means more work for us). If anyone can help us with the peering, we would appreciate it.

	Here is how the routes look using LACNIC's RPKI demo (http://rpkidemo.labs.lacnic.net):

bgpd# sh ip bgp
BGP table version is 0, local router ID is 192.168.56.103
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, R Removed
Validation:    v - valid, u - unknown, i - invalid, ? - undefined
SRx Status:    I - route ignored, D - SRx evaluation deactivated
SRxVal Format: validation result (origin validation, path validation)
Origin codes: i - IGP, e - EGP, ? - incomplete

   Ident    SRxVal SRxLP Status Network          Next Hop            Metric  LocPrf Weight Path
*> B2E8F5E6 v(v,-)              10.0.0.0/16      192.168.56.104           0              0 20 i
*> 093057FE i(i,-)              10.0.0.0/24      192.168.56.104           0              0 20 i
*  -------- ?(?,-)          I   10.0.1.0/24      0.0.0.0                  0          32768 i
*> D58A50E7 u(u,-)              10.10.0.0/16     192.168.56.104           0              0 20 i

Total number of prefixes 4


bgpd# sh ip bgp 10.0.0.0/16
BGP routing table entry for 10.0.0.0/16
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  20
    SRx Information:
      Update ID: 0xB2E8F5E6
      Validation:
        prefix-origin: valid
        path processing disabled!
    192.168.56.104 from 192.168.56.104 (192.168.56.104)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Last update: Wed Dec 31 22:38:17 1969



Regards,
.as
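
The following is an added example, not part of the original post or of BGP-SRx. It parses the `sh ip bgp` rows shown above and recomputes the origin-validation state with the RFC 6811 rule, to show why a more-specific /24 comes out invalid while an uncovered prefix is unknown. The ROA (10.0.0.0/16, maxLength 16, AS 20) is an assumption chosen to be consistent with the output; the post does not list the demo's ROAs.

```python
import ipaddress
import re

# Constructed VRP set (assumption, not from the post): a single ROA
# 10.0.0.0/16, maxLength 16, origin AS 20.
VRPS = [(ipaddress.ip_network("10.0.0.0/16"), 16, 20)]

# Rows copied from the "sh ip bgp" output in the post.
TABLE = """\
*> B2E8F5E6 v(v,-)              10.0.0.0/16      192.168.56.104           0              0 20 i
*> 093057FE i(i,-)              10.0.0.0/24      192.168.56.104           0              0 20 i
*  -------- ?(?,-)          I   10.0.1.0/24      0.0.0.0                  0          32768 i
*> D58A50E7 u(u,-)              10.10.0.0/16     192.168.56.104           0              0 20 i
"""

ROW = re.compile(
    r"^\*>?\s+(?P<ident>\S+)\s+(?P<val>[vui?])\((?P<origin>[vui?]),(?P<path>[vui?-])\)"
    r"\s+(?P<srx>[ID])?\s*(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+\S+\s+(?P<rest>.*)$"
)

def validate(prefix, origin_as, vrps=VRPS):
    """RFC 6811: valid if a covering VRP matches the origin AS and the prefix
    length is <= maxLength; invalid if covered but unmatched; else unknown."""
    covered = False
    for roa_prefix, max_len, asn in vrps:
        if prefix.version == roa_prefix.version and prefix.subnet_of(roa_prefix):
            covered = True
            if asn == origin_as and prefix.prefixlen <= max_len:
                return "v"
    return "i" if covered else "u"

def compare(table=TABLE):
    """Return (prefix, router_state, recomputed_state) for each evaluated row."""
    out = []
    for line in table.splitlines():
        m = ROW.match(line)
        if not m or m["srx"] == "I":  # 'I' = route ignored by SRx
            continue
        # LocPrf is empty in these rows: tokens are metric, weight, AS path, origin code.
        as_path = m["rest"].split()[2:-1]
        origin_as = int(as_path[-1]) if as_path else None
        prefix = ipaddress.ip_network(m["prefix"])
        out.append((m["prefix"], m["origin"], validate(prefix, origin_as)))
    return out

if __name__ == "__main__":
    for row in compare():
        print(row)
```
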


On 14 Oct 2011, at 14:05, Arturo Servin wrote:

> 
> 	I haven't tried it yet; I was just about to do it on Ubuntu, but now, given what you say, I might as well do it with Fedora.
> 
> Regards,
> .as
> 
> On 14 Oct 2011, at 14:02, Ariel Weher wrote:
> 
>> I was trying it yesterday but could not get it to compile; evidently some libraries are missing on the test machine. To be honest, I did not read the code to see which one is missing; however, I was reading the documentation and it says it is developed on Fedora Linux. This weekend I am going to set up a VM with that distribution and try again.
>> 
>> If anyone has already tried and ran into the same problem, I would appreciate a hint on how to proceed.
>> 
>> My server runs Ubuntu Server 10.04.3 LTS.
>> 
>> Regards
>> 
>> On Sun, Oct 9, 2011 at 5:58 PM, Arturo Servin <aservin en lacnic.net> wrote:
>> 
>> In addition to the implementations in Cisco IOS and Juniper JunOS, NIST has just released a new extension for Quagga.
>> 
>> Regards,
>> as
>> 
>> Sent from my mobile device
>> (please excuse typoss and brevit.)
>> 
>> 
>> Begin forwarded message:
>> 
>>> From: "Montgomery, Douglas" <dougm en nist.gov>
>>> Date: 9 October 2011 14:19:48 GMT-02:00
>>> To: LIST NANOG <nanog en nanog.org>
>>> Cc: "sidr en ietf.org" <sidr en ietf.org>
>>> Subject: [sidr] Announcing BGP Secure Router Extension (BGP-SRx) Prototype Implementation
>>> 
>>> Announcing BGP Secure Router Extension (BGP-SRx) Prototype Implementation
>>> 
>>> IETF SIDR working group is developing standards for BGP origin validation
>>> and AS path validation to strengthen the inter-domain routing
>>> infrastructure. At the IETF 80 in March 2011, NIST made an introductory
>>> presentation on a prototyping effort called BGP Secure Router Extension
>>> (BGP-SRx). SRx is an open source reference implementation and research
>>> platform for investigating emerging BGP security extensions and supporting
>>> protocols.
>>> 
>>> BGP-SRx has three parts: SRx Server, SRx API, and Quagga SRx (integrates
>>> SRx API into Quagga router). The current focus in the BGP-SRx prototype is
>>> on origin validation, although it is designed to be extended to path
>>> validation in the future (some stub functionality is already included in
>>> this version).
>>> 
>>> The current release implements: The RPKI/Router Protocol and a variety of
>>> BGP policies for enforcing Route Origin Authorizations (ROAs) conveyed
>>> from RPKI validating caches.  Also included in the release are test
>>> client/server test harnesses for RPKI/Router and WireShark modules for
>>> debugging.
>>> 
>>> For more information on BGP-SRx, and to download the prototype and tools,
>>> see:  http://www-x.antd.nist.gov/bgpsrx/
>>> 
>>> For those wanting an easy way to experiment with BGP-SRx, in June we made
>>> an announcement about the BRITE system (BGPSEC/RPKI Interoperability Test &
>>> Evaluation): http://mailman.nanog.org/pipermail/nanog/2011-June/038063.html
>>> 
>>> You can use BRITE (http://brite.antd.nist.gov/) to run BGP-SRx 
>>> (or any other implementation) through a series of test scripts that exercise 
>>> numerous interesting scenarios for BGP ROA processing under different policy 
>>> assumptions.
>>> 
>>> We will make a presentation at NANOG-53 on Monday (9/10/11) in the ISP Security
>>> BoF where we will briefly explain the functionalities of both BGP-SRx and
>>> BRITE and also give demos. Please attend the BoF if you are interested to
>>> learn more.
>>> 
>>> Comments and feedback about SRx and BRITE are welcome.  See the project page
>>> for details.
>>> 
>>> dougm
>>> -- 
>>> Doug Montgomery – Mgr. Internet & Scalable Systems Research / ITL / NIST
>>> 
>>> _______________________________________________
>>> sidr mailing list
>>> sidr en ietf.org
>>> https://www.ietf.org/mailman/listinfo/sidr
>> 
>> _______________________________________________
>> LACNOG mailing list
>> LACNOG en lacnic.net
>> https://mail.lacnic.net/mailman/listinfo/lacnog
