mirror of https://github.com/NLnetLabs/routinator.git synced 2024-05-19 06:50:04 +00:00
nlnetlabs-routinator/doc/transports.md
2019-03-19 06:34:37 +01:00
# Secure transports for RPKI-RTR
[RFC6810](https://tools.ietf.org/html/rfc6810#page-17) defines a number of
secure transports for RPKI-RTR that can be used to secure communication
between a router and an RPKI relying party.
A subsequent survey in the form of [RFC7128](https://tools.ietf.org/html/rfc7128#page-7)
suggests these secure transports have not been widely implemented.
Implementations, however, do exist, and a secure transport could be valuable
in situations where the RPKI relying party is provided as a public service,
or across a non-trusted network.
## SSH transport for RPKI-RTR
SSH transport for RPKI-RTR can be configured with the help of [netcat](http://netcat.sourceforge.net/)
and [OpenSSH](https://www.openssh.com/).
Begin by installing the `openssh-server` and `netcat` packages.
Install Routinator and ensure it is running in RTR listener mode on localhost:
```bash
routinator rtrd -a -l 127.0.0.1:3323
```
Create a username and a password for the router to log into the host with,
such as `rpki`.
Configure OpenSSH to expose an `rpki-rtr` subsystem that acts as a proxy
into Routinator by editing the `/etc/ssh/sshd_config` file or equivalent to
include the following line:
```text
# Define an `rpki-rtr` subsystem which is actually `netcat` used to proxy STDIN/STDOUT to a running `routinator rtrd -a -l 127.0.0.1:3323`
Subsystem rpki-rtr /bin/nc 127.0.0.1 3323
# Certain routers may use old KEX algos and Ciphers which are no longer enabled by default.
# These examples are required in IOS-XR 5.3 but no longer enabled by default in OpenSSH 7.3
Ciphers +3des-cbc
KexAlgorithms +diffie-hellman-group1-sha1
```
Restart the OpenSSH server daemon. Note that the `Ciphers` and `KexAlgorithms` lines re-enable algorithms that OpenSSH no longer enables by default for every client of that server, so include them only if your routers actually require them.
An example router-side configuration for a device running IOS-XR:
```text
router bgp 65534
rpki server 192.168.0.100
username rpki
password rpki
transport ssh port 22
```
## TLS transport for RPKI-RTR
TLS transport for RPKI-RTR can be configured with the help of [stunnel](https://www.stunnel.org/).
Begin by installing the `stunnel` package.
Install Routinator and ensure it is running in RTR listener mode on localhost:
```bash
routinator rtrd -a -l 127.0.0.1:3323
```
Acquire (via for example [letsencrypt](https://letsencrypt.org/)) or generate
an SSL certificate. In the example below, an SSL certificate for
the domain `example.com` generated by `letsencrypt` is used.
Create a stunnel configuration file by editing `/etc/stunnel/rpki.conf`
or equivalent:
```text
[rpki]
; Use a letsencrypt certificate for example.com
cert = /etc/letsencrypt/live/example.com/fullchain.pem
key = /etc/letsencrypt/live/example.com/privkey.pem
; Listen for TLS rpki-rtr on port 323 and proxy to port 3323 on localhost
accept = 323
connect = 127.0.0.1:3323
```
Restart stunnel.
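Once either transport is in place, the check a practitioner wants is that a real RTR exchange works end to end through it, not merely that the port is open. The following script is an added example and is not Routinator's own code: it sends one RTR Reset Query PDU (RFC 6810 section 5.3) either over a certificate-verified TLS connection to the stunnel listener from the TLS section, or by requesting the `rpki-rtr` subsystem from the SSH section with `ssh -s`, and reports whether the cache answered with a Cache Response or an Error Report. The host names, the `rpki` user and the ports 22, 323 and 3323 are assumptions taken from the configuration snippets above; the PDU bytes in the comments are constructed for illustration.

```python
"""Probe an RPKI-RTR cache through the SSH or TLS transport (added example)."""
import socket
import ssl
import struct
import subprocess
from typing import Optional, Tuple

RTR_VERSION = 0          # RFC 6810 protocol version
PDU_RESET_QUERY = 2      # router -> cache: "send me the full data set"
PDU_CACHE_RESPONSE = 3   # cache -> router: start of the data set
PDU_ERROR_REPORT = 10    # cache -> router: something went wrong


def reset_query_pdu(version: int = RTR_VERSION) -> bytes:
    """Serialize a Reset Query: version, type, 16-bit zero, 32-bit length (8)."""
    return struct.pack("!BBHI", version, PDU_RESET_QUERY, 0, 8)


def parse_pdu_header(data: bytes) -> Tuple[int, int, int, int]:
    """Decode the common 8-byte header: (version, type, session id or error code, length)."""
    if len(data) < 8:
        raise ValueError("short PDU header: %r" % data)
    version, pdu_type, field16, length = struct.unpack("!BBHI", data[:8])
    if length < 8:
        raise ValueError("invalid PDU length %d" % length)
    return version, pdu_type, field16, length


def classify_reply(data: bytes) -> str:
    """Describe the cache's first reply to a Reset Query."""
    version, pdu_type, field16, _ = parse_pdu_header(data)
    if pdu_type == PDU_CACHE_RESPONSE:
        return "ok: cache response, session id %d, version %d" % (field16, version)
    if pdu_type == PDU_ERROR_REPORT:
        return "error: error report, code %d" % field16
    return "unexpected PDU type %d" % pdu_type


def _read_exact(read, n: int) -> bytes:
    """Call read() until n bytes are collected (a stream may hand back less per call)."""
    buf = b""
    while len(buf) < n:
        chunk = read(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed after %d bytes" % len(buf))
        buf += chunk
    return buf


def probe_tls(host: str, port: int = 323, server_name: Optional[str] = None) -> str:
    """Connect to the stunnel listener with certificate verification on and exchange one PDU."""
    ctx = ssl.create_default_context()   # verifies the chain and the host name
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
            tls.sendall(reset_query_pdu())
            return classify_reply(_read_exact(tls.recv, 8))


def probe_ssh(host: str, user: str = "rpki", port: int = 22) -> str:
    """Request the rpki-rtr subsystem with `ssh -s` and speak RTR over its stdin/stdout."""
    proc = subprocess.Popen(
        ["ssh", "-p", str(port), "-s", "%s@%s" % (user, host), "rpki-rtr"],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    try:
        proc.stdin.write(reset_query_pdu())
        proc.stdin.flush()
        return classify_reply(_read_exact(proc.stdout.read, 8))
    finally:
        proc.kill()


if __name__ == "__main__":
    import sys
    # usage: rtr_probe.py tls example.com   |   rtr_probe.py ssh 192.168.0.100
    # (hypothetical script name; targets are the hosts from the examples above)
    mode, target = sys.argv[1], sys.argv[2]
    print(probe_tls(target) if mode == "tls" else probe_ssh(target))
```

The TLS probe deliberately uses the default verifying context, so a self-signed or mismatched certificate on the stunnel side fails the check rather than silently succeeding; that is the behaviour you want a router to have as well. The SSH probe only reads the first PDU and then kills the session, which is enough to prove that the `Subsystem rpki-rtr` line reaches a listening `routinator rtrd`.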