MikroTik with RPKI
Recently MikroTik started developing RPKI support in RouterOS. In the development channel, Release 7.0beta7 (4th June, 2020) was the first to ship RPKI support; however, it was not yet able to filter prefixes by their valid, invalid or unknown state. Release 7.1beta1, launched on 21st July, 2020, added rpki-check, so from the MikroTik terminal it became possible to check whether a prefix is valid, invalid or unknown, but filtering still had the same problem. From Release 7.1beta6 it works very smoothly.
We will build the following lab topology for RPKI with MikroTik. With it we can easily understand the configuration and the working process of RPKI on MikroTik.
First of all, we build the physical topology as figured. As we did earlier, our Routinator RPKI Validator server is ready with an updated cache. Now let's configure the MikroTik routers.
We need to upgrade both MikroTik routers to development channel RouterOS Release 7.1beta6. With RouterOS updated properly and no default configuration applied, we are ready to go further.
Note: in version 7 the configuration has changed a lot compared to version 6, so we go step by step for a clear understanding.
First let us set the identity of each MikroTik.
For R1: access the MikroTik with Winbox and open New Terminal;
/system identity
set name=R1
For R2 similarly;
/system identity
set name=R2
Now let's add comments to the interfaces, so the connections can be easily understood.
For R1;
/interface ethernet
set [ find default-name=ether2 ] comment=To-R2
set [ find default-name=ether4 ] comment=To-RPKI-SERVER
For R2;
/interface ethernet
set [ find default-name=ether2 ] comment=To-R1
set [ find default-name=ether4 ] comment=To-RPKI-SERVER
Let's set the IP addresses.
For R1;
/ip address
add address=192.168.0.41/24 interface=ether4 network=192.168.0.0
add address=172.16.0.1/30 interface=ether2 network=172.16.0.0
For R2;
/ip address
add address=192.168.0.42/24 interface=ether4 network=192.168.0.0
add address=172.16.0.2/30 interface=ether2 network=172.16.0.0
Now let's set the BGP template and Router ID (these are optional, but good practice).
For R1;
/routing bgp template
set default as=135533 disabled=no router-id=172.16.0.1 routing-table=main
/routing id
add disabled=no id=172.16.0.1 name=router-id select-dynamic-id=only-loopback select-from-vrf=main
For R2;
/routing bgp template
set default as=135534 disabled=no router-id=172.16.0.2 routing-table=main
/routing id
add disabled=no id=172.16.0.2 name=router-id select-dynamic-id=only-loopback select-from-vrf=main
Before setting up eBGP, let's configure the networks that will be advertised. The address list names the prefixes we want to announce, and the blackhole routes put those prefixes into the routing table as static routes so that BGP can redistribute them.
For R1;
/ip firewall address-list
add address=61.45.248.0/24 list="My Network"
add address=118.179.223.0/24 list="My Network"
/ip route
add blackhole dst-address=61.45.248.0/24
add blackhole dst-address=118.179.223.0/24
For R2;
/ip firewall address-list
add address=61.45.249.0/24 list="My Network"
add address=202.4.96.0/24 list="My Network"
/ip route
add blackhole dst-address=61.45.249.0/24
add blackhole dst-address=202.4.96.0/24
Now we may go for BGP.
For R1;
/routing bgp connection
add as=135533 connect=yes disabled=no listen=yes local.address=172.16.0.1 .role=ebgp name=eBGP output.network="\"My Network\"" redistribute=static remote.address=172.16.0.2/32 .as=135534 routing-table=main rx-min-ttl=1 tx-ttl=1
For R2;
/routing bgp connection
add as=135534 connect=yes disabled=no listen=yes local.address=172.16.0.2 .role=ebgp name=eBGP output.network="\"My Network\"" redistribute=static remote.address=172.16.0.1/32 .as=135533 routing-table=main rx-min-ttl=1 tx-ttl=1
Note: the TTL values (rx-min-ttl=1 and tx-ttl=1) suit directly connected peers; you may need to change them when working on a different topology.
Well, now BGP should be established. Let's check it.
[Figure: R1 route table after BGP configuration]
[Figure: R2 route table after BGP configuration]
So, our BGP is working fine.
Now, here are some questions:
1. Is 61.45.248.0/24 "valid" for ASN 135533?
2. Is 61.45.249.0/24 "valid" for ASN 135534?
3. Is 118.179.223.0/24 "valid" for ASN 135533?
4. Is 202.4.96.0/24 "valid" for ASN 135534?
Let's find the answers from our Routinator RPKI server.
Answer to question 1: yes, valid.
Answer to question 2: yes, valid.
Answer to question 3: no, invalid.
Answer to question 4: also no, invalid.
So, our RPKI server is working smoothly. Let's connect routers R1 and R2 logically to it (the RPKI server is 192.168.0.2, and 3323 is the RTR port).
For R1;
/routing rpki
add address=192.168.0.2 disabled=no expire-interval=7200 group=Primary port=3323 refresh-interval=20 retry-interval=600
For R2;
/routing rpki
add address=192.168.0.2 disabled=no expire-interval=7200 group=Primary port=3323 refresh-interval=20 retry-interval=600 vrf=main
Now, let's check from the MikroTik router whether a route is valid, invalid or unknown, using the commands as figured.
[Figure: R1 RPKI check]
Let's filter the invalid routes by RPKI in the BGP input filter. First create the filter rules.
For R1;
/routing filter rule
add chain=BGP-IN rule="rpki-verify group=Primary "
add chain=BGP-IN rule="if [rpki invalid ] then={action reject } else={action accept } "
For R2;
/routing filter rule
add chain=BGP-IN disabled=yes rule="rpki-verify group=Primary "
add chain=BGP-IN disabled=yes rule="if [rpki invalid ] then={action reject } else={action accept } "
Note that the R2 rules above are added with disabled=yes; they only take effect once enabled. The first rule runs the RPKI lookup against the Primary group, and the second rejects a route only when its state is invalid, so routes that are valid or unknown (no covering ROA) are still accepted.
Now we need to add this filter to the BGP connection on both routers. I am giving the full BGP connection command; it could also be added by editing the particular connection and setting input.filter.
For R1;
/routing bgp connection
add as=135533 connect=yes disabled=no input.filter=BGP-IN listen=yes local.address=172.16.0.1 .role=ebgp name=eBGP output.network="\"My Network\"" redistribute=static remote.address=172.16.0.2/32 .as=135534 routing-table=main rx-min-ttl=1 tx-ttl=1
For R2;
/routing bgp connection
add as=135534 connect=yes disabled=no input.filter=BGP-IN listen=yes local.address=172.16.0.2 .role=ebgp name=eBGP output.network="\"My Network\"" redistribute=static remote.address=172.16.0.1/32 .as=135533 routing-table=main rx-min-ttl=1 tx-ttl=1
Let's check the route table now.
[Figure: R1 route table after RPKI filter]
So, according to the figures, the RPKI filter is working smoothly in MikroTik.
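The check the router performs after rpki-verify, and the accept/reject decision of the BGP-IN chain, modelled in Python as an added example (this is not code from the page, from MikroTik or from Routinator). The VRP table is constructed here so that the four lab prefixes come out valid, valid, invalid, invalid as the page reports; AS64496 and 203.0.113.0/24 are documentation values used as assumptions, and the list of routes R1 receives from R2 is likewise constructed.

```python
"""Route Origin Validation (RFC 6811) and the BGP-IN filter, modelled in Python.

Added example: the VRP table below is constructed for this page and is not
the content of the lab's Routinator cache. AS64496 is a documentation ASN
standing in for "some other origin"; 203.0.113.0/24 is a documentation prefix
with no ROA at all, so it shows the "unknown" (NotFound) state.
"""
import ipaddress
from typing import Iterable, List, NamedTuple, Tuple


class VRP(NamedTuple):
    """Validated ROA Payload as exported by a validator such as Routinator."""
    prefix: str
    max_length: int
    asn: int


class Route(NamedTuple):
    """A prefix with its BGP origin AS (right-most AS in the AS_PATH)."""
    prefix: str
    origin_asn: int


# RouterOS reports these three states; "unknown" is RFC 6811 NotFound.
VALID, INVALID, UNKNOWN = "valid", "invalid", "unknown"

# Constructed VRPs, chosen so that the four lab questions come out
# valid, valid, invalid, invalid as the page reports.
CONSTRUCTED_VRPS: List[VRP] = [
    VRP("61.45.248.0/24", 24, 135533),    # Q1: authorised origin, exact length
    VRP("61.45.249.0/24", 24, 135534),    # Q2: authorised origin, exact length
    VRP("118.179.223.0/24", 24, 64496),   # Q3: covered, but the ROA names another AS
    VRP("202.4.96.0/22", 22, 135534),     # Q4: right AS, but a /24 exceeds maxLength 22
]

LAB_QUESTIONS: List[Route] = [
    Route("61.45.248.0/24", 135533),
    Route("61.45.249.0/24", 135534),
    Route("118.179.223.0/24", 135533),
    Route("202.4.96.0/24", 135534),
]


def rov_state(route: Route, vrps: Iterable[VRP]) -> str:
    """Classify one announcement per RFC 6811 section 2.

    - no VRP covers the prefix                               -> unknown (NotFound)
    - a covering VRP matches the origin AS and the announced
      length is <= maxLength                                 -> valid
    - covered, but no VRP satisfies both conditions          -> invalid
    """
    announced = ipaddress.ip_network(route.prefix, strict=False)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix, strict=False)
        # subnet_of() only compares networks of the same address family.
        if announced.version != roa_net.version or not announced.subnet_of(roa_net):
            continue
        covered = True
        if vrp.asn == route.origin_asn and announced.prefixlen <= vrp.max_length:
            return VALID
    return INVALID if covered else UNKNOWN


def answer_lab_questions(vrps: Iterable[VRP] = CONSTRUCTED_VRPS) -> List[str]:
    """States for the four questions asked on the page, in order."""
    return [rov_state(q, vrps) for q in LAB_QUESTIONS]


def apply_bgp_in_filter(received: Iterable[Route], vrps: Iterable[VRP]
                        ) -> Tuple[List[Tuple[Route, str]], List[Tuple[Route, str]]]:
    """Model of the BGP-IN chain: rpki-verify, then reject invalid, accept the rest.

    Unknown prefixes are accepted, exactly as the 'else={action accept}' branch
    does on the router; only 'invalid' is dropped.
    """
    accepted: List[Tuple[Route, str]] = []
    rejected: List[Tuple[Route, str]] = []
    for route in received:
        state = rov_state(route, vrps)
        (rejected if state == INVALID else accepted).append((route, state))
    return accepted, rejected


# Constructed view of what R1 receives from R2 (AS135534): the two lab prefixes
# plus one documentation prefix without any ROA.
R1_RECEIVED_FROM_R2: List[Route] = [
    Route("61.45.249.0/24", 135534),
    Route("202.4.96.0/24", 135534),
    Route("203.0.113.0/24", 135534),
]


if __name__ == "__main__":
    for q, state in zip(LAB_QUESTIONS, answer_lab_questions()):
        print(f"{q.prefix} originated by AS{q.origin_asn}: {state}")
    accepted, rejected = apply_bgp_in_filter(R1_RECEIVED_FROM_R2, CONSTRUCTED_VRPS)
    print("R1 accepts:", [(r.prefix, s) for r, s in accepted])
    print("R1 rejects:", [(r.prefix, s) for r, s in rejected])
```

Running it prints the four states in the order the questions were asked and then shows R1 keeping 61.45.249.0/24 (valid) and 203.0.113.0/24 (unknown) while dropping 202.4.96.0/24 (invalid), which matches the route table after the filter. The unknown case is worth noticing: a prefix with no ROA passes the filter untouched, so RPKI filtering only protects prefixes whose holders have actually published ROAs.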