•
IPv4/IPv6 Unicast should be within the same BGP instance in which IPv4/IPv6 Labeled-Unicast is
configured.
•
IPv4/IPv6 Multicast should be within the same BGP instance in which IPv4/IPv6 Unicast is configured.
•
All configuration changes for a single BGP instance can be committed together. However, configuration
changes for multiple instances cannot be committed together.
BGP Prefix Origin Validation Based on RPKI
A BGP route associates an address prefix with a set of autonomous systems (AS) that identify the interdomain
path the prefix has traversed in the form of BGP announcements. This set is represented as the AS_PATH
attribute in BGP and starts with the AS that originated the prefix.
To help reduce well-known threats against BGP including prefix mis-announcing and monkey-in-the-middle
attacks, one of the security requirements is the ability to validate the origination AS of BGP routes. The AS
number claiming to originate an address prefix (as derived from the AS_PATH attribute of the BGP route)
needs to be verified and authorized by the prefix holder.
The Resource Public Key Infrastructure (RPKI) is an approach to build a formally verifiable database of IP
addresses and AS numbers as resources. The RPKI is a globally distributed database containing, among other
things, information mapping BGP (internet) prefixes to their authorized origin-AS numbers. Routers running
BGP can connect to the RPKI to validate the origin-AS of BGP paths.
Configuring RPKI Cache-server
Perform this task to configure Resource Public Key Infrastructure (RPKI) cache-server parameters.
Configure the RPKI cache-server parameters in rpki-server configuration mode. Use the rpki server command
in router BGP configuration mode to enter into the rpki-server configuration mode
Cisco ASR 9000 Series Aggregation Services Router Routing Configuration Guide, Release 5.1.x
64 OL-30423-03
Implementing BGP
BGP Prefix Origin Validation Based on RPKI
To Next Page
Loading...
Need help?
General
