4. FRR - BGP RPKI patch

FRR - BGP RPKI patch


  • Hey folks,

    I needed to support RPKI on my own little VPN mesh network, so I've made a patch that adds support in the GUI for RPKI, in BGP, on the lates (GA) pfSense/FRR version pair. As it turns out, pfSense ships with versions of FRR that support RPKI, and that package supports:

    • RTR protocol support (non-TLS)
    • SSH protocol support (RTR over SSH/TLS)

    What is RPKI?
    RPKI is a wonderful way to either secure your public internet routes against signed ROAs, or distribute your own route filtering/whitelist. FAQ on RPKI: https://www.apnic.net/get-ip/faqs/rpki/

    How do I use this in pfSense?
    To turn on RPKI, go to BGP -> Advanced and, under the RPKI section, select the values you want. Then, add cache servers for the RPKI ROA cache servers. I recommend switching on RPKI debugging in that advanced section, as you can see log messages.
    This patch does not have input validation yet. So, be mindful that you use/format IP addresses, host names, ports, timeout values, etc. correctly. Aside from that, business as usual.

    613cf3d1-cdbe-4e04-8ce4-0141cf406c7f-image.png

    78515a9a-8661-4626-865c-262b3346b589-image.png

    How do I run a RTR server?
    You can run your very own RTR server (even in Docker!) with Cloudflare's project GoRTR: https://github.com/cloudflare/gortr. For example, I run mine against a custom ROA file (as it's an internal VPN) with:

    docker run -d --restart always -p 8282:8282 -v /etc/rpki/roas.json:/rpki.json cloudflare/gortr -checktime=false -verify=false -cache=/rpki.json

    Which hosts a non-TLS bare RTR server that can be added in the Cache Servers section in the patched BGP configuration section. As an idea, you can even generate the ROAs on-the-fly for more real-time route filtering, if you want.

    Patch
    I'm open to suggestions, etc., as I'd like to make this into a pull request at some point (and add appropriate input validation) if it makes the most sense to do so.
    Patch file: rpki.patch

    0
  • Rebel Alliance Developer Netgate

    If you make a pull request for that we can certainly consider it for inclusion. Input validation would be nice but is not strictly required, since that's a work in progress throughout the FRR package.

    1 1 Reply

  • @jimp Thanks Jim, I'll get started on the process of designing a PR soon.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy