diff --git a/README.md b/README.md index ea95ecf..01a932d 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ rpkihub.au is a site designed to help network operators deploy Route Origin Auth It will detail the steps to publish Route Origin Authorisations (ROAs) with the five Regional Internet Registries (APNIC, ARIN, RIPE NCC, LACNIC and AFRINIC) which is the most common method. It will also detail how to install, setup and configure Krill from NLnet Labs (https://nlnetlabs.nl/projects/routing/krill/) for the more advanced users who may wish to manage their own RPKI Certificate Authority. -The site will also go into detail about configuring Route Object Validation (ROV) on your BGP sessions to validate ROAs using Relying Party (RP) software. This component is important as it enables you to either reject or set a lower preference on the routes for which the origin Autonomous System Number (ASN) has not been authorised. +The site will also go into detail about configuring Route Object Validation (ROV) on your BGP sessions to validate ROAs using Relying Party (RP) software. This component is important as it enables you to reject routes for which the origin Autonomous System Number (ASN) has not been authorised. Eventually, I will also go into detail on how to install and configure RPKI Relying Party (RP) software for your network to use to validate ROAs. @@ -12,4 +12,8 @@ This site is still a work in progress, and has a long way to go. There are many Thanks for your support, hope this helps, and would love to hear if and how this has helped you! -\- Christopher Hawker \ No newline at end of file +\- Christopher Hawker + +## Acknowledgements + + - [Job Snijders](https://datatracker.ietf.org/person/job@fastly.com) - He has provided some valuable insight and information which would have taken me quite some time to pick up on and introduce. \ No newline at end of file diff --git a/docs/tutorial-routerconfig/mikrotik.md b/docs/tutorial-routerconfig/mikrotik.md index e083e42..65cf917 100644 --- a/docs/tutorial-routerconfig/mikrotik.md +++ b/docs/tutorial-routerconfig/mikrotik.md @@ -2,6 +2,43 @@ sidebar_position: 2 --- -# Mikrotik Configuration +# MikroTik Configuration -To Be Written \ No newline at end of file +MikroTik's RouterOS v7 supports the RPKI to Router Protocol (RTR) as defined in RFC8210. To enable route object validation, fortunately the process is rather straightforward (depending on how complex your route filters are). + +Before you can configure your router, it requires that you have either installed your preferred validator software onto a server, or have access to one. + +## Step 1 - Connecting to your Validator + +Connect to your router using SSH or Telnet and execute the below commands: + +``` +/routing/bgp/rpki +add group=rtrGroup1 address=192.0.2.110 port=8282 refresh-interval=30 +``` + +Otherwise if you prefer to use WinBox for router management connect to your router, and in the menu on the left go to Routing > RPKI. When the RPKI window opens, click on the blue + button. Enter the group name, address, port number and refresh interval. + +
+![New RPKI validator configuration window](/img/mikrotik_winbox_rpki1.png) + +📷 Figure: New RPKI validator configuration window. +
+ +To confirm that your validator is configured correctly you can issue the following command: + +``` +/routing/rpki/rpki-check group=rtrGroup1 prefix=103.0.0.0/16 origin-as=4608 +``` + +## Step 2 - Configuring BGP route validation + +To configure route validation, you will need to do so in your route filters. This is by far easier to do so on the command line, either via SSH/Telnet or the Terminal window in WinBox. + +``` +/routing/filter/rule +add chain=bgp_in rule="rpki-verify rtrGroup1" +add chain=bgp_in rule="if (rpki invalid) { reject } else { accept }" +``` + +You can take a look at MikroTik's [Route Selection and Filters](https://help.mikrotik.com/docs/display/ROS/Route+Selection+and+Filters) page for additional functionality regarding route filtering. \ No newline at end of file diff --git a/static/img/mikrotik_winbox_rpki1.png b/static/img/mikrotik_winbox_rpki1.png new file mode 100644 index 0000000..a9ecb49 Binary files /dev/null and b/static/img/mikrotik_winbox_rpki1.png differ