mirror/nttgin-BGPalerter
1
0
Fork 0
mirror of https://github.com/nttgin/BGPalerter.git synced 2024-05-19 06:50:08 +00:00
Code Issues Releases Wiki Activity

added documentation for rpki

Browse Source
This commit is contained in:
Massimo Candela
2020-11-04 20:03:33 +01:00
parent a286a6236b
commit 1545712963
2 changed files with 62 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
docs/configuration.md
View File

@@ -21,6 +21,7 @@ The following are common parameters which it is possible to specify in the confi
|volume| Defines a directory that will contain the data that needs persistence. For example, configuration files and logs will be created in such directory (default to "./"). | A string | /home/bgpalerter/ | No |
|persistStatus| If set to true, when BGPalerter is restarted the list of alerts already sent is recovered. This avoids duplicated alerts. The process must be able to write on disc inside `.cache/`. | A boolean | true | No |
|generatePrefixListEveryDays| This parameter allows to automatically re-generate the prefix list after the specified amount of days. Set to 0 to disable it. | An integer | 2 | No |
|rpki| A dictionary containing the RPKI configuration (see [here](rpki.md) for more details). | | | Yes |
The following are advanced parameters, please don't touch them if you are not doing research/experiments.
@@ -318,29 +319,11 @@ Parameters for this monitor module:
|Parameter| Description|
|---|---|
|checkUncovered| If set to true, the monitor will alert also for prefixes not covered by ROAs in addition of RPKI invalid prefixes. |
|preCacheROAs| When this parameter is set to true (default), BGPalerter will download Validated ROA Payloads (VRPs) lists locally instead of using online validation. More info [here](https://github.com/massimocandela/rpki-validator).|
|refreshVrpListMinutes| If `preCacheROAs` is set to true, this parameter allows to specify a refresh time for the VRPs lists (it has to be > 15 minutes) |
|thresholdMinPeers| Minimum number of peers that need to see the BGP update before to trigger an alert. |
|vrpProvider| A string indicating the provider of the VRPs list. Possible options are: `ntt` (default), `ripe`, `external`. Use external only if you wish to specify a file with `vrpFile`. More info [here](https://github.com/massimocandela/rpki-validator#options).|
|vrpFile| A JSON file with an array of VRPs. See example below.|
|maxDataSamples| Maximum number of collected BGP messages for each alert which doesn't reach yet the `thresholdMinPeers`. Default to 1000. As soon as the `thresholdMinPeers` is reached, the collected BGP messages are flushed, independently from the value of `maxDataSamples`.|
|cacheValidPrefixesSeconds| Amount of seconds ROAs get cached in order to identify RPKI repository malfunctions (e.g. disappearing ROAs). Default to 7 days. |
> VRPs file example:
> ```json5
> [
> {
> "prefix": "123.4.5.0/22",
> "asn": "1234",
> "maxLength": 24
> },
> {
> "prefix": "321.4.5.0/22",
> "asn": "9876",
> "maxLength": 22
> }
> ]
> ```
### Reports

60
docs/rpki.md Normal file
View File

@@ -0,0 +1,60 @@
# RPKI configuration
The RPKI validation performed by BGPalerter can be configured in `config.yml` in the `rpki` section.
```yaml
rpki:
vrpProvider: ntt
preCacheROAs: true,
refreshVrpListMinutes: 15
```
This configuration will be used across the entire process (e.g., by `monitorRPKI`, `monitorHijack`, `monitorROAs`).
Below you can see the parameters available:
|Parameter| Description|
|---|---|
|preCacheROAs| When this parameter is set to true (default), BGPalerter will download Validated ROA Payloads (VRPs) lists locally instead of using online validation. More info [here](https://github.com/massimocandela/rpki-validator).|
|refreshVrpListMinutes| If `preCacheROAs` is set to true, this parameter allows to specify a refresh time for the VRPs lists (it has to be > 15 minutes) |
|vrpProvider| A string indicating the provider of the VRPs list. Possible options are: `ntt` (default), `ripe`, `cloudflare`, `external`. Use external only if you wish to specify a file with `vrpFile`. More info [here](https://github.com/massimocandela/rpki-validator#options).|
|vrpFile| A JSON file with an array of VRPs. See example below.|
## Generating a VRP file
Using external VRP providers for the monitoring is quick and easy, but you are essentially trusting somebody else writing the VRP file correctly.
You can generate your JSON VRP file periodically and BGPalerter will load it automatically.
VRPs file example:
```json5
[
{
"prefix": "123.4.5.0/22",
"asn": "1234",
"maxLength": 24
},
{
"prefix": "321.4.5.0/22",
"asn": "9876",
"maxLength": 22
}
]
```
You can use any of the RPKI validator that support JSON as output format. Below some copy-paste examples.
### rpki-client
* Download rpki-client [here](https://www.rpki-client.org/);
* Install jq
* on Linux `apt-get install jq`
* on Mac `brew install jq`
* Create a cron job every 15 minutes with the following
* `rpki-client -j test/ && cat test/export.json | jq .roas > test/vrps.json`
> Please, help with other examples