RPKI on IOS-XR (RPKI Routes)

Load ios-xr.rpki.enable.init.cfg

#IOS-XE (R6)
config replace flash:ios-xr.rpki.enable.init.cfg

#IOS-XR (XR1, XR2)
configure
load bootflash:ios-xr.rpki.enable.init.cfg
commit replace
y

Configure RPKI on XR5 for both IPv4 and IPv6. Reject all invalid paths.

The RPKI server is reachable at 10.100.100.1 on port 22. Use SSH as the transport. Use rpki/rpki as the credentials.

The prefix 2001:2a0::/32 has been incorrectly categorized by RPKI. Configure the path to be valid via AS 1659.

Answer

#XR1
router bgp 1245
 rpki route 2001:2a0::/32 max 32 origin 1659 
 rpki server 10.100.100.1
  transport ssh port 22
  username rpki
  password rpki
 !
 address-family ipv4 unicast
  bgp origin-as validation enable
  bgp bestpath origin-as use validity
 !
 address-family ipv6 unicast
  bgp origin-as validation enable
  bgp bestpath origin-as use validity

Explanation

Before adding the override RPKI route, we can see that 2001:2a0::/32 has no best path, because all paths received are invalid.

IOS-XR gives us the ability to add “override” RPKI routes. These are locally added to the RPKI database. We must specify the prefix, maxlength, and origin AS, which are the three components of an ROA.

router bgp 1245
 rpki route 2001:2a0::/32 max 32 origin 1659

Note that while the parser allows you to omit the max prefix length, the router will not let you commit.

We now have a valid path for this prefix:

If we inspect the RPKI table, we can see that this override route has been inserted. The RPKI server of 0.0.0.0 shows that it was locally inserted into the table.

The ROA from the RPKI server is still there, but we only need one match to validate a route.

Note that AS=0 is a special case which means that the route should never be originated into BGP.