Configuring Quagga to manipulate prefixes (Local Preference) using RPKI
Objective:
In this small lab we configure Quagga to manipulate BGP prefixes and assign a Local Preference according to their RPKI validation state (valid, invalid, not found).
Scenario:
- R1 announces a prefix from an AS that is not authorised to originate it (according to the ROA)
- R2 announces the same prefix as R1, but from the AS that is valid for it
- R2 announces a prefix that has no ROA.
- In this scenario the validator and the Quagga router run on the same machine
Lab diagram:
Requirements:
- Quagga with RPKI support
- RIPE NCC RPKI Validator
- A prefix that we know has a valid ROA. In our case we used the prefix 200.85.64.0, which we knew has a ROA stating that it must be originated by AS 7908
- Start the RIPE NCC validator before starting Quagga
Configurations of all the devices
RPKI-RTR (Quagga):

hostname RPKI-RTR
password test
!
router bgp 65000
 bgp router-id 10.0.0.10
 bgp bestpath prefix-validate allow-invalid
 neighbor 10.0.0.1 remote-as 65001
 neighbor 10.0.0.1 route-map rpki in
 neighbor 10.0.0.2 remote-as 7908
 neighbor 10.0.0.2 route-map rpki in
 neighbor 10.0.0.3 remote-as 65003
 neighbor 10.0.0.3 route-map rpki in
!
route-map rpki permit 10
 match rpki invalid
 set local-preference 10
!
route-map rpki permit 20
 match rpki valid
 set local-preference 30
!
route-map rpki permit 30
 match rpki notfound
 set local-preference 20
!
line vty
!
enable-rpki
rpki polling_period 1000
rpki timeout -1216757171
!
rpki group 1
rpki cache 127.0.0.1 8282
!
R1:

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable password test
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip icmp rate-limit unreachable
!
no ip domain lookup
!
ip cef
ip audit po max-events 100
!
ip tcp synwait-time 5
!
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
 half-duplex
!
interface FastEthernet0
 no ip address
 shutdown
 speed auto
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 network 200.85.64.0
 neighbor 10.0.0.10 remote-as 65000
 no auto-summary
!
ip classless
ip route 200.85.64.0 255.255.255.0 Null0
no ip http server
no ip http secure-server
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 password test
 login
!
end
R2:

!
hostname R2
!
no ip domain lookup
no ip icmp rate-limit unreachable
ip tcp synwait 5
!
line con 0
 exec-timeout 0 0
 logging synchronous
 privilege level 15
 no login
line aux 0
 exec-timeout 0 0
 logging synchronous
 privilege level 15
 no login
!
end
R3:

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip icmp rate-limit unreachable
!
no ip domain lookup
!
ip cef
ip audit po max-events 100
!
ip tcp synwait-time 5
!
interface Ethernet0
 ip address 10.0.0.3 255.255.255.0
 half-duplex
!
interface FastEthernet0
 no ip address
 shutdown
 speed auto
!
router bgp 65003
 no synchronization
 bgp log-neighbor-changes
 network 192.168.0.0
 neighbor 10.0.0.10 remote-as 65000
 no auto-summary
!
ip classless
ip route 192.168.0.0 255.255.255.0 Null0
no ip http server
no ip http secure-server
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end
Final output on Quagga:
(Note the N, I and V status flags, and the Local Preference value each route received.)
RPKI-RTR# sh ip bgp
BGP table version is 0, local router ID is 10.0.0.10
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
N*>  192.168.0.0      10.0.0.3                 0     20      0 65003 i
I*   200.85.64.0      10.0.0.1                 0     10      0 65001 i
V*>                   10.0.0.2                 0     30      0 7908 i

Total number of prefixes 2
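To show how the validator and the route-map above arrive at that table, here is an added Python model (not code from the original lab or from Quagga) of RFC 6811 origin validation plus the "rpki" route-map's Local Preference assignments, run over the three announcements in the output. It assumes a single ROA for 200.85.64.0/24 with origin AS 7908 and a maxLength of 24 (the page does not state the maxLength), and it also covers a case the lab does not show: a more-specific announcement beyond the ROA's maxLength.

```python
import ipaddress

# Constructed ROA table: the page says 200.85.64.0 has a ROA authorising AS 7908.
# The maxLength of 24 is an assumption (the page does not state it).
ROAS = [("200.85.64.0/24", 24, 7908)]

# Local-preference values copied from the route-map "rpki" on RPKI-RTR.
LOCPREF = {"invalid": 10, "valid": 30, "notfound": 20}

# The three announcements in the lab's "sh ip bgp" output: (prefix, next hop, origin AS).
LAB_ROUTES = [
    ("200.85.64.0/24", "10.0.0.1", 65001),  # R1: origin AS does not match the ROA
    ("200.85.64.0/24", "10.0.0.2", 7908),   # R2: origin AS matches the ROA
    ("192.168.0.0/24", "10.0.0.3", 65003),  # R3: no ROA covers this prefix
]

def rpki_state(prefix, origin_as, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(prefix)
    covering = [(ipaddress.ip_network(p), maxlen, asn) for p, maxlen, asn in roas
                if ipaddress.ip_network(p).version == route.version
                and route.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "notfound"  # no ROA covers the prefix at all
    for _net, maxlen, asn in covering:
        if asn == origin_as and route.prefixlen <= maxlen:
            return "valid"  # matching origin AS and within maxLength
    return "invalid"  # covered by a ROA, but none matches

def apply_route_map(routes, allow_invalid=True):
    """Tag each route with its RPKI state and the local-pref the route-map sets.
    allow_invalid=True mirrors 'bgp bestpath prefix-validate allow-invalid' on the
    page; with False, invalid routes are left out of the best-path candidates."""
    table = []
    for prefix, next_hop, origin_as in routes:
        state = rpki_state(prefix, origin_as)
        if state == "invalid" and not allow_invalid:
            continue
        table.append((prefix, next_hop, origin_as, state, LOCPREF[state]))
    return table

def best_paths(table):
    """Best path per prefix by highest local-preference (the first BGP tie-breaker)."""
    best = {}
    for entry in table:
        prefix, local_pref = entry[0], entry[4]
        if prefix not in best or local_pref > best[prefix][4]:
            best[prefix] = entry
    return best
```

Running apply_route_map(LAB_ROUTES) yields local-prefs 10, 30 and 20 for the three rows, and best_paths picks 10.0.0.2 for 200.85.64.0/24, matching the ">" markers in the output above.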