mirror/nlnetlabs-routinator
1
0
Fork 0
mirror of https://github.com/NLnetLabs/routinator.git synced 2024-05-19 06:50:04 +00:00
Code Issues Releases Activity
nlnetlabs-routinator/doc/transports.md
Alex Band d415311a38 fix trasnport typo
2019-03-19 20:54:22 +01:00

86 lines
2.7 KiB
Markdown
Raw Blame History

# Secure transports for RPKI-RTR
[RFC6810](https://tools.ietf.org/html/rfc6810#page-17) defines a number of
secure transports for RPKI-RTR that can be used to secure communication
between a router and a RPKI relying party.
Subsequent survey in the form of [RFC7128](https://tools.ietf.org/html/rfc7128#page-7)
suggests these secure transport have not been widely implemented.
Implementations, however, do exist, and a secure transport could be valuable
in situations where the RPKI relying party is provided as a public service,
or across a non-trusted network.
## SSH transport for RPKI-RTR
SSH transport for RPKI-RTR can be configured with the help of [netcat](http://netcat.sourceforge.net/)
and [OpenSSH](https://www.openssh.com/).
Begin by installing the `openssh-server` and `netcat` packages.
Install Routinator and ensure it is running in RTR listener mode on localhost:
```bash
routinator rtrd -a -l 127.0.0.1:3323
```
Create a username and a password for the router to log into the host with,
such as `rpki`.
Configure OpenSSH to expose an `rpki-rtr` subsystem that acts as a proxy
into Routinator by editing the `/etc/ssh/sshd_config` file or equivalent to
include the following line:
```text
# Define an `rpki-rtr` subsystem which is actually `netcat` used to proxy STDIN/STDOUT to a running `routinator rtrd -a -l 127.0.0.1:3323`
Subsystem rpki-rtr /bin/nc 127.0.0.1 3323
# Certain routers may use old KEX algos and Ciphers which are no longer enabled by default.
# These examples are required in IOS-XR 5.3 but no longer enabled by default in OpenSSH 7.3
Ciphers +3des-cbc
KexAlgorithms +diffie-hellman-group1-sha1
```
Restart the OpenSSH server daemon.
An example router-side configuration for a device running IOS-XR:
```text
router bgp 65534
rpki server 192.168.0.100
username rpki
password rpki
transport ssh port 22
```
## TLS transport for RPKI-RTR
TLS transport for RPKI-RTR can be configured with the help of [stunnel](https://www.stunnel.org/).
Begin by installing the `stunnel` package.
Install Routinator and ensure it is running in RTR listener mode on localhost:
```bash
routinator rtrd -a -l 127.0.0.1:3323
```
Acquire (via for example [letsencrypt](https://letsencrypt.org/)) or generate
an SSL certificate. In the example below, an SSL certificate for
the domain `example.com` generated by `letsencrypt` is used.
Create an stunnel configuration file by editing `/etc/stunnel/rpki.conf`
or equivalent:
```text
[rpki]
; Use a letsencrypt certificate for example.com
cert = /etc/letsencrypt/live/example.com/fullchain.pem
key = /etc/letsencrypt/live/example.com/privkey.pem
; Listen for TLS rpki-rtr on port 323 and proxy to port 3323 on localhost
accept = 323
connect = 127.0.0.1:3323
```
Restart stunnel.
View Git Blame Copy Permalink