Configure an RPKI Validator Server
We need our own RPKI validator. There is a range of relying party software, such as Routinator by NLnet Labs, the RPKI Validator by the RIPE NCC, OctoRPKI by Cloudflare, FORT by NIC México, Quagga, etc.
Among them, we are going to use Routinator.
We use a standard Ubuntu 18.04 installation (selecting the minimal virtual server option) with 2 vCPUs, 2GB RAM and a 10GB LVM hard drive. It already has Internet connectivity with a static IP, and we have superuser access.
Before starting to install the validator, ensure your packages are up to date.
#apt update && apt upgrade
Rather than running Routinator as the root user, we will create a dedicated user:
#useradd -c 'Routinator 3000' -d /srv/routinator -m -s /bin/bash -u 1100 routinator
#passwd routinator
Now we need to install the required software. build-essential is an Ubuntu alias package that installs the common C software build suite. cargo is Rust's package manager, and installing it automatically installs the other Rust dependencies.
#apt install -y build-essential cargo rsync
We should have Rust version >= 1.43.0 installed (check with rustc -V).
To install Routinator, we then switch to the routinator user and use Cargo to build and install it:
#su routinator
$cargo install routinator
To check if this works, run the following (and note the path to the routinator binary):
routinator@routinator:~$ /srv/routinator/.cargo/bin/routinator -V
Routinator 0.9.0
Routinator needs to prepare its working environment via the init command, which will set up both the directory for the local RPKI cache as well as the TAL directory. Running it will prompt you to agree to the ARIN Relying Party Agreement (RPA) so it can install the ARIN TAL along with the other four RIR TALs:
~$/srv/routinator/.cargo/bin/routinator init
To agree with the ARIN RPA, run:
~$/srv/routinator/.cargo/bin/routinator init --accept-arin-rpa
We can then test by running the following (this command prints the validated ROA payloads and increases the log level to show the process in detail at least once):
~$/srv/routinator/.cargo/bin/routinator -v vrps
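What a router does with the VRPs this command prints, shown as an added example that is not part of the original post: RFC 6811 route origin validation over a VRP list. The CSV layout is assumed to be the default output of routinator vrps, the sample rows are constructed from documentation prefixes and ASNs, and the names load_vrps and validate are hypothetical.

```python
import csv
import io
import ipaddress

# Constructed sample (not real RPKI data), assumed to match the default
# CSV layout of `routinator vrps`.
SAMPLE_VRPS = """\
ASN,IP Prefix,Max Length,Trust Anchor
AS64496,192.0.2.0/24,24,constructed
AS64497,198.51.100.0/24,25,constructed
AS64498,2001:db8::/32,48,constructed
AS0,203.0.113.0/24,24,constructed
"""


def load_vrps(text):
    """Parse VRP CSV text into (network, max_length, asn) tuples."""
    vrps = []
    for row in csv.DictReader(io.StringIO(text)):
        net = ipaddress.ip_network(row["IP Prefix"].strip())
        max_len = int(row["Max Length"])
        if not net.prefixlen <= max_len <= net.max_prefixlen:
            raise ValueError(f"bad max length in VRP: {row}")
        asn = int(row["ASN"].strip()[2:])  # drop the leading "AS"
        vrps.append((net, max_len, asn))
    return vrps


def validate(vrps, prefix, origin_asn):
    """Return 'valid', 'invalid' or 'not-found' for one route (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for net, max_len, asn in vrps:
        # A VRP covers the route when the route lies inside the VRP prefix.
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        # A match needs the same origin AS and a prefix length within
        # max length. AS0 VRPs never match: they only mark space as covered.
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered but unmatched is invalid; no covering VRP at all is not-found.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    table = load_vrps(SAMPLE_VRPS)
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.128/25", 64496),
                     ("203.0.113.0/24", 64499), ("10.0.0.0/8", 64496)]:
        print(pfx, f"AS{asn}", validate(table, pfx, asn))
```

The second route in the demo is invalid even though the origin AS is correct, because the announcement is more specific than the VRP's max length allows.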
Start Routinator's RTR and HTTP service with:
~$/srv/routinator/.cargo/bin/routinator server --rtr [IPv4]:3323 --http [IPv4]:8080
Note: For IPv6, also add --rtr [IPv6]:3323 --http [IPv6]:8080
It will stay attached unless we run it with -d (for daemon) to start in the background. We can see log messages using:
~$cat /var/log/syslog | grep routinator
When it starts, there is a web server on port 8080.
Starting on Boot:
To have this service start at boot, we create a systemd service file:
#cat /etc/systemd/system/rpki-routinator.service
[Unit]
Description=RPKI Routinator
[Service]
Restart=always
RestartSec=60
WorkingDirectory=/srv/routinator
User=routinator
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=rpki-routinator
ExecStart=/srv/routinator/.cargo/bin/routinator server --rtr [IPv4]:3323 --http [IPv4]:8080
[Install]
WantedBy=multi-user.target
And then we enable it to start on boot:
#systemctl enable rpki-routinator.service
Note: If we have to upgrade Routinator, we need to reinstall it (-f to overwrite the older version):
$cargo install -f routinator
More about the configuration of Routinator is available at:
https://rpki.readthedocs.io/en/latest/routinator/index.html
And the Routinator manual is at:
https://nlnetlabs.nl/documentation/rpki/routinator/
Now if we try the web page, we will get the following.
Part-3 Link: https://sdroy.blogspot.com/2021/07/resource-public-key-infrastructure-rpki_7.html