
BGP RPKI in MikroTik RouterOS: Concepts, Uses and Scenarios


The Border Gateway Protocol (BGP) is the de facto standard for routing on the Internet. However, over the years, it has become increasingly susceptible to security problems, such as route hijacking and the spread of false routing information.

This is where the Resource Public Key Infrastructure (RPKI) comes in: a technology that improves security and authentication in the world of Internet routing. In this article, we will explore the key concepts of BGP RPKI in MikroTik RouterOS, its usage, and the scenarios where it is most relevant.


Key concepts of RPKI and BGP

Before we dive into the details of RPKI in MikroTik RouterOS, it is essential to understand a few key concepts:

Border Gateway Protocol (BGP)

BGP is a routing protocol used to exchange routing information between autonomous systems on the Internet. It is essential for connectivity and communication between networks and plays a crucial role in determining the routes that Internet traffic will follow.

RPKI (Resource Public Key Infrastructure)

RPKI is a security framework designed to strengthen the Internet's routing infrastructure. RPKI is based on public key cryptography and uses digital certificates to ensure the authenticity of routing information.

ROA (Route Origin Authorization)

An ROA is an RPKI object that associates an IP address or network prefix with an autonomous system. This allows network operators to explicitly declare who is authorized to advertise a specific prefix in BGP.

 

Using RPKI in MikroTik RouterOS

MikroTik RouterOS, a routing operating system used in a variety of network devices, supports BGP RPKI. Implementing RPKI in MikroTik RouterOS allows network operators to protect their BGP routes from malicious or misconfigured advertisements, thereby improving the security and stability of their networks. Here are some ways RPKI is used in MikroTik RouterOS:

BGP route validation

MikroTik RouterOS can verify the authenticity of BGP routes using RPKI. When a BGP route is received, the router checks whether a corresponding ROA exists in the RPKI database. If no match is found, the router can mark the route as invalid or ignore it.
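The ROA lookup described above, sketched as an added example (not MikroTik's code and not part of the original article). It follows RFC 6811 origin validation, which goes beyond the text by distinguishing three outcomes: valid, invalid (a ROA covers the prefix but the origin AS or prefix length does not match) and not-found (no ROA covers the prefix). The ROA list, prefixes, AS numbers and function names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str      # prefix the holder authorizes
    max_length: int  # longest prefix length the origin may announce
    asn: int         # authorized origin AS


# Constructed sample ROAs (documentation prefixes, private-use AS numbers).
ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("203.0.113.0/24", 25, 64501),
    ROA("2001:db8::/32", 48, 64502),
]


def validate(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Classify one BGP announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route if the route is equal to or inside its prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Valid needs both the right origin AS and a length within max_length.
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered but never matched: wrong origin or a too-specific announcement.
    return "invalid" if covered else "not-found"


def accept_only_valid(prefix: str, origin_asn: int) -> bool:
    """Strict import policy: anything that is not 'valid' is dropped."""
    return validate(prefix, origin_asn) == "valid"


if __name__ == "__main__":
    samples = [
        ("192.0.2.0/24", 64500),     # matches its ROA
        ("192.0.2.0/24", 64511),     # wrong origin AS
        ("203.0.113.0/26", 64501),   # more specific than max_length allows
        ("198.51.100.0/24", 64500),  # no ROA published for this prefix
    ]
    for pfx, asn in samples:
        print(f"{pfx:18} AS{asn}  {validate(pfx, asn):9}  "
              f"accepted={accept_only_valid(pfx, asn)}")
```

Under an accept-only-valid policy the not-found announcement is dropped as well, so prefixes whose holders have not published a ROA become unreachable through that peer.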

Secure advertisements

RPKI allows network operators to declare which autonomous systems are authorized to advertise specific routes. This prevents route hijacking and the spread of false routing information, since only authorized advertisements are considered valid.

Protection against configuration errors

RPKI also helps prevent configuration errors that can lead to routing problems. By validating BGP routes, network operators can quickly identify configuration issues and correct them before they impact network connectivity.


RPKI usage scenarios in MikroTik RouterOS

BGP RPKI on MikroTik RouterOS is used in a variety of scenarios to improve network security and reliability. Some of the most common scenarios include:

Internet Service Providers (ISPs)

ISPs implement RPKI on their MikroTik RouterOS routers to ensure that routes advertised by their customers and business partners are authentic and secure. This helps prevent route hijacking and protect network integrity.

Companies

Companies that manage their own network infrastructure can use RPKI to ensure that only authorized routes are advertised in BGP. This is especially important to protect connectivity and data privacy on their networks.

Data centers

Data centers running MikroTik RouterOS can use RPKI to secure their internal routes and ensure that routes between data centers are secure and authentic.

Example 1: Basic RPKI Configuration

Access the MikroTik CLI: First, access your MikroTik device using SSH or through the console.

Configure an RPKI Cache Server:

/routing bgp rpki set enabled=yes 

/routing bgp rpki add name=rpki-server1 address=rpki.example.com

Verify the Connection with the RPKI Server:

/routing bgp rpki print

Enable RPKI Validation on BGP Routes:

/routing bgp instance set default rpki-validation=yes

View BGP Routes and their RPKI Status:

/routing bgp advertisements print

Example 2: Advanced Implementation with Route Filters

Access the MikroTik CLI: Log in to your MikroTik device using SSH or the console.

Configure Multiple RPKI Cache Servers:

/routing bgp rpki add name=rpki-server1 address=rpki1.example.com 

/routing bgp rpki add name=rpki-server2 address=rpki2.example.com

Activate RPKI Validation:

/routing bgp rpki set enabled=yes

Configure BGP Route Filters to Validate Routes:

/routing filter add chain=RPKI-IN rule="if bgp-route-type=external then { if rpki-validity=valid then accept else reject }"

Apply the Filter to the BGP Process:

/routing bgp peer set your-peer-name in-filter=RPKI-IN

Review Route Configuration and Status:

/routing bgp peer print detail 

/routing bgp advertisements print

 

Conclusion

BGP RPKI on MikroTik RouterOS is an important technology to improve security and authentication in Internet routing. It allows network operators to validate BGP routes, prevent route hijacking, and protect their networks from malicious or misconfigured advertisements.

As Internet security becomes increasingly critical, implementing RPKI on MikroTik RouterOS becomes a best practice in various scenarios, from Internet Service Providers to enterprises and data centers. The adoption of RPKI in MikroTik RouterOS contributes to a more secure and reliable Internet.
