The Border Gateway Protocol (BGP) is the de facto standard for routing on the Internet. However, over the years, it has become increasingly susceptible to security problems, such as route hijacking and the spread of false routing information.
This is where the Resource Public Key Infrastructure (RPKI) comes in: a technology that improves security and authentication in the world of Internet routing. In this article, we will explore the key concepts of BGP RPKI in MikroTik RouterOS, its usage, and the scenarios where it is most relevant.
Key concepts of RPKI and BGP
Before we dive into the details of RPKI in MikroTik RouterOS, it is essential to understand a few key concepts:
Border Gateway Protocol (BGP)
BGP is a routing protocol used to exchange routing information between autonomous systems on the Internet. It is essential for connectivity and communication between networks and plays a crucial role in determining the routes that Internet traffic will follow.
RPKI (Resource Public Key Infrastructure)
RPKI is a security framework designed to strengthen the Internet's routing infrastructure. RPKI is based on public key cryptography and uses digital certificates to ensure the authenticity of routing information.
ROA (Route Origin Authorization)
An ROA is an RPKI object that associates an IP address or network prefix with an autonomous system. This allows network operators to explicitly declare who is authorized to advertise a specific prefix in BGP.
Using RPKI in MikroTik RouterOS
MikroTik RouterOS, a routing operating system used in a variety of network devices, supports BGP RPKI. Implementing RPKI in MikroTik RouterOS allows network operators to protect their BGP routes from malicious or misconfigured advertisements, thereby improving the security and stability of their networks. Here are some ways RPKI is used in MikroTik RouterOS:
BGP route validation
MikroTik RouterOS can verify the authenticity of BGP routes using RPKI. When a BGP route is received, the router checks whether a corresponding ROA exists in the RPKI database. If no match is found, the router can mark the route as invalid or ignore it.
Secure advertisements
RPKI allows network operators to declare which autonomous systems are authorized to advertise specific routes. This prevents route hijacking and the spread of false routing information, since only authorized advertisements are considered valid.
Protection against configuration errors
RPKI also helps prevent configuration errors that can lead to routing problems. By validating BGP routes, network operators can quickly identify configuration issues and correct them before they impact network connectivity.
RPKI usage scenarios in MikroTik RouterOS
BGP RPKI on MikroTik RouterOS is used in a variety of scenarios to improve network security and reliability. Some of the most common scenarios include:
Internet Service Providers (ISPs)
ISPs implement RPKI on their MikroTik RouterOS routers to ensure that routes advertised by their customers and business partners are authentic and secure. This helps prevent route hijacking and protect network integrity.
Companies
Companies that manage their own network infrastructure can use RPKI to ensure that only authorized routes are advertised in BGP. This is especially important to protect connectivity and data privacy on their networks.
Data centers
Data centers running MikroTik RouterOS can use RPKI to secure their internal routes and ensure that routes between data centers are secure and authentic.
Example 1: Basic RPKI Configuration
Access the MikroTik CLI: First, access your MikroTik device using SSH or through the console.
Configure an RPKI Cache Server:
/routing bgp rpki set enabled=yes
/routing bgp rpki add name=rpki-server1 address=rpki.example.com
Verify the Connection with the RPKI Server:
/routing bgp rpki print
Enable RPKI Validation on BGP Routes:
/routing bgp instance set default rpki-validation=yes
View BGP Routes and their RPKI Status:
/routing bgp advertisements print
Example 2: Advanced Implementation with Route Filters
Access the MikroTik CLI: Log in to your MikroTik device using SSH or the console.
Configure Multiple RPKI Cache Servers:
/routing bgp rpki add name=rpki-server1 address=rpki1.example.com
/routing bgp rpki add name=rpki-server2 address=rpki2.example.com
Activate RPKI Validation:
/routing bgp rpki set enabled=yes
Configure BGP Route Filters to Validate Routes:
/routing filter add chain=RPKI-IN rule="if bgp-route-type=external then { if rpki-validity=valid then accept else reject }"
Apply the Filter to the BGP Process:
/routing bgp peer set your-peer-name in-filter=RPKI-IN
Review Route Configuration and Status:
/routing bgp peer print detail
/routing bgp advertisements print
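How the validity state tested by the RPKI-IN filter in Example 2 is derived from ROAs, as described under "BGP route validation", and what an accept-only-valid policy does with each state. This is an added Python example, not MikroTik's code or part of the original article; it follows the RFC 6811 origin-validation procedure, and the ROAs and announcements are constructed sample data using documentation prefixes and AS numbers.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA payload: covering prefix, max length, authorized origin AS."""
    prefix: str
    max_length: int
    asn: int

# Constructed sample data: documentation prefixes and documentation AS numbers.
VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("2001:db8::/32", 48, 64497),
    VRP("203.0.113.0/24", 24, 0),  # AS 0: nobody may originate this prefix
]

def validate(prefix: str, origin_as: int, vrps=VRPS) -> str:
    """Return the RFC 6811 state: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this VRP does not cover the route
        covered = True
        # A match needs the same origin AS (never AS 0) and a prefix
        # length no longer than the ROA's max length.
        if vrp.asn != 0 and vrp.asn == origin_as and route.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def rpki_in(prefix: str, origin_as: int) -> str:
    """Model of the RPKI-IN rule for external routes: valid is accepted, all else rejected."""
    return "accept" if validate(prefix, origin_as) == "valid" else "reject"

ROUTES = [  # constructed announcements: (prefix, origin AS)
    ("192.0.2.0/24", 64496),      # matches the ROA
    ("192.0.2.0/24", 64511),      # covered, wrong origin AS
    ("192.0.2.128/25", 64496),    # covered, longer than max length
    ("2001:db8:1::/48", 64497),   # more specific but within max length
    ("198.51.100.0/24", 64500),   # no covering ROA at all
    ("203.0.113.0/24", 64496),    # covered only by an AS 0 ROA
]

if __name__ == "__main__":
    for prefix, asn in ROUTES:
        print(f"{prefix:<18} AS{asn:<6} {validate(prefix, asn):<10} {rpki_in(prefix, asn)}")
```

Under this policy the route with no covering ROA is rejected along with the two kinds of invalid route, so it is worth measuring how much of the received table is not-found before applying an accept-only-valid filter.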
Conclusion
BGP RPKI on MikroTik RouterOS is an important technology to improve security and authentication in Internet routing. It allows network operators to validate BGP routes, prevent route hijacking, and protect their networks from malicious or misconfigured advertisements.
As Internet security becomes increasingly critical, implementing RPKI on MikroTik RouterOS becomes a best practice in various scenarios, from Internet Service Providers to enterprises and data centers. The adoption of RPKI in MikroTik RouterOS contributes to a more secure and reliable Internet.