mirror/nlnetlabs-routinator
1
0
Fork 0
mirror of https://github.com/NLnetLabs/routinator.git synced 2024-05-19 06:50:04 +00:00
Code Issues Releases Activity
nlnetlabs-routinator/doc/transports.md
Alex Band d415311a38 fix trasnport typo
2019-03-19 20:54:22 +01:00

2.7 KiB
Raw Blame History

Secure transports for RPKI-RTR

RFC6810 defines a number of secure transports for RPKI-RTR that can be used to secure communication between a router and a RPKI relying party.

Subsequent survey in the form of RFC7128 suggests these secure transport have not been widely implemented. Implementations, however, do exist, and a secure transport could be valuable in situations where the RPKI relying party is provided as a public service, or across a non-trusted network.

SSH transport for RPKI-RTR

SSH transport for RPKI-RTR can be configured with the help of netcat and OpenSSH.

Begin by installing the openssh-server and netcat packages.

Install Routinator and ensure it is running in RTR listener mode on localhost:

routinator rtrd -a -l 127.0.0.1:3323

Create a username and a password for the router to log into the host with, such as rpki.

Configure OpenSSH to expose an rpki-rtr subsystem that acts as a proxy into Routinator by editing the /etc/ssh/sshd_config file or equivalent to include the following line:

# Define an `rpki-rtr` subsystem which is actually `netcat` used to proxy STDIN/STDOUT to a running `routinator rtrd -a -l 127.0.0.1:3323`
Subsystem       rpki-rtr        /bin/nc 127.0.0.1 3323

# Certain routers may use old KEX algos and Ciphers which are no longer enabled by default.
# These examples are required in IOS-XR 5.3 but no longer enabled by default in OpenSSH 7.3
Ciphers +3des-cbc
KexAlgorithms +diffie-hellman-group1-sha1

Restart the OpenSSH server daemon.

An example router-side configuration for a device running IOS-XR:

router bgp 65534
 rpki server 192.168.0.100
  username rpki
  password rpki
  transport ssh port 22

TLS transport for RPKI-RTR

TLS transport for RPKI-RTR can be configured with the help of stunnel.

Begin by installing the stunnel package.

Install Routinator and ensure it is running in RTR listener mode on localhost:

routinator rtrd -a -l 127.0.0.1:3323

Acquire (via for example letsencrypt) or generate an SSL certificate. In the example below, an SSL certificate for the domain example.com generated by letsencrypt is used.

Create an stunnel configuration file by editing /etc/stunnel/rpki.conf or equivalent:

[rpki]
; Use a letsencrypt certificate for example.com
cert = /etc/letsencrypt/live/example.com/fullchain.pem
key = /etc/letsencrypt/live/example.com/privkey.pem

; Listen for TLS rpki-rtr on port 323 and proxy to port 3323 on localhost
accept = 323
connect = 127.0.0.1:3323

Restart stunnel.