Cisco’s Origin Validation Implementation


Cisco's Origin Validation Implementation
Keyur Patel, Arjun Sreekantiah
NANOG 67, June 2016, Chicago, USA
Presentation ID | 2009 Cisco Systems, Inc. All rights reserved. | Cisco Public

Code Availability

- CA Toolset: Freeware (ISC/RPKI.NET)
- Cache Validator Software: Freeware (ISC/RPKI.NET)
- Router Software: Origin Validation (RPKI RTR & BGP Modifications) available in Cisco IOS and IOS-XR
  - Cisco IOS code available in IOS XE-3.5.0 / 15.1(3)S
  - Cisco IOS platforms targeted: ASR1K, 7600, ME3600/ME3800, ASR 903
  - Cisco IOS-XR available in XR-4.2.1
  - Cisco IOS-XR platforms targeted: CRS, C12K-XR, ASR9K

IOS Policy and Path Validation State

- Route-maps extended to modify policies based on path validation state
- Effective way of tweaking bestpath selection for IBGP paths
- IOS route-map example:

    route-map rpki-map permit 10
     match rpki invalid
     set local-preference 50
    route-map rpki-map permit 20
     match rpki valid
     set local-preference 200

IOS Config Commands

    router bgp 65536
     bgp router-id 192.0.2.1
     bgp log-neighbor-changes
     bgp rpki server tcp 10.0.96.254 port 32000 refresh 120
     neighbor 192.0.2.2 remote-as 64496
     neighbor 194.0.2.2 remote-as 64497
     neighbor 198.61.100.2 remote-as 65539
     neighbor 192.0.3.1 remote-as 65536
     !
     address-family ipv4
      neighbor 192.0.2.2 activate
      neighbor 194.0.2.2 activate
      neighbor 194.0.2.2 route-map rpki in
      neighbor 198.61.100.2 activate
      neighbor 192.0.3.1 activate
      neighbor 192.0.3.1 announce rpki state
     exit-address-family

IOS Show Commands

    Router-65536#show ip bgp
    BGP table version is 8, local router ID is 192.0.2.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
                  x best-external, a additional-path, c RIB-compressed,
    Origin codes: i - IGP, e - EGP, ? - incomplete
    RPKI validation codes: V valid, I invalid, N Not found

         Network          Next Hop            Metric LocPrf Weight Path
    V*>  192.0.2.128/25   192.0.2.2                0             0 64496 i
    I*   192.0.2.129/32   198.61.100.2             0             0 65539 i
    N*>  203.0.113.0      198.61.100.2             0             0 65539 i
    Router-65536#

IOS Records (RPKI) Table

    Router-65536#show ip bgp rpki table
    1 BGP sovc network entries using 88 bytes of memory
    1 BGP sovc record entries using 20 bytes of memory

    Network   Maxlen   Origin-AS   Source   Neighbor
    ...       ...      ...         0        10.0.96.254/32000
    Router-65536#

(The network, maxlen and origin-AS values of the single entry did not survive the transcription.)

IOS Show Commands – Valid Prefix

    Router-65536#show ip bgp 192.0.2.128
    BGP routing table entry for 192.0.2.128/25, version 2
    Paths: (1 available, best #1, table default)
      Advertised to update-groups:
         1
      Refresh Epoch 1
      64496
        192.0.2.2 from 192.0.2.2 (192.0.2.2)
          Origin IGP, metric 0, localpref 100, valid, external, best
          path 07AEE980 RPKI State valid
    Router-65536#

IOS Show Commands – Invalid Prefix

    Router-65536#show ip bgp 192.0.2.129
    BGP routing table entry for 192.0.2.129/32, version 6
    Paths: (1 available, no best path)
      Not advertised to any peer
      Refresh Epoch 1
      65539
        198.61.100.2 from 198.61.100.2 (198.61.100.2)
          Origin IGP, metric 0, localpref 100, valid, external
          path 07AEE8F0 RPKI State invalid
    Router-65536#

IOS Show Commands – Incomplete Prefix

    Router-65536#show ip bgp 203.0.113.0
    BGP routing table entry for 203.0.113.0/24, version 8
    Paths: (1 available, best #1, table default)
      Advertised to update-groups:
         1
      Refresh Epoch 1
      65539
        198.61.100.2 from 198.61.100.2 (198.61.100.2)
          Origin IGP, metric 0, localpref 100, valid, external, best
          path 07AEE938 RPKI State not found
    Router-65536#

IOS-XR Policy and Path Validation State

- RPL extended to modify policies based on path validation state
- Effective way of tweaking bestpath selection for IBGP paths
- IOS-XR RPL example (RPL spells the keywords elseif and end-policy):

    route-policy rpki
      if validation-state is invalid then
        set local-preference 50
      elseif validation-state is valid then
        set local-preference 200
      else
        pass
      endif
    end-policy

IOS-XR Config

    (only fragments of this slide survived the transcription)
      ... unicast
        route-policy rpki in
    ...

IOS-XR Show Commands

    IOX#show bgp origin-as validity
    [snip]
    RPKI validation codes: V valid, I invalid, U unknown, d disabled, n not-applicable

       Network            Next Hop            Metric LocPrf Weight Path
    V* 192.0.2.128/25     192.0.0.2                0             0 64496 i
    I* 192.0.2.129/25     198.61.100.2             0             0 65539 i
    U* 203.0.113.0/24     198.61.100.2             0             0 65539 ?

    Processed 3 prefixes, 3 paths

IOS-XR Records (RPKI) Table

    IOX#show bgp rpki table
    Network   Maxlen   Origin-AS     Cache
    ...       ...      ...           147.28.0.11
    ...       ...      ...         * 198.180.150.1
    ...       ...      ...           147.28.0.11
    ...       ...      ...           147.28.0.11
    ...       ...      ...         * 198.180.150.1
    * Source cache is down / ROAs are pending removal
    Processed 5 RPKI entries

(The network, maxlen and origin-AS columns did not survive the transcription; only the cache column and the down-cache markers are recoverable.)

IOS-XR Show Commands – Valid Prefix

    PE1#show bgp 192.2.0.128/25
    Mon May 16 02:07:31.702 PDT
    BGP routing table entry for 192.2.0.128/25
    Versions:
      Process           bRIB/RIB  SendTblVer
      Speaker                 23          23
    Last Modified: May 15 14:22:54.000 for 11:44:38
    Paths: (1 available, best #1)
      Advertised to peers (in unique update groups):
        40.0.0.2       50.0.0.2
      Path #1: Received by speaker 0
      64496
        192.0.2.2 from 192.0.2.2 (192.0.2.2)
          Origin IGP, localpref 100, valid, external, best, group-best
          Received Path ID 0, Local Path ID 1, version 23
          Origin-AS validity: valid

Cisco's Origin Validation Implementation

- Implementation of RPKI Router Protocol
- BGP changes needed for Origin Validation
- BGP Origin Validation State Extended Community

RPKI Router Protocol Implementation (RPKI RTR)

- Cisco IOS and IOS-XR support a router-side implementation of RPKI RTR
- The Cisco IOS release supports TCP as a transport
- The Cisco IOS-XR release supports TCP and SSHv2 as transports
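As an added example (not code from the slides or from Cisco), this is the router-side handling of one RPKI-RTR record: it decodes the IPv4 Prefix PDU of RFC 6810 (the protocol the slide refers to), rejects malformed PDUs instead of guessing, and applies announce/withdraw to the router's RPKI table. The sample ROA is constructed to match the valid prefix in the show output above; the encoder exists only to build that sample.

```python
import ipaddress
import struct
from typing import NamedTuple

# RPKI-RTR (RFC 6810) IPv4 Prefix PDU: 20 octets in network byte order, laid out as
# version(1) type(1) zero(2) length(4) flags(1) prefixlen(1) maxlen(1) zero(1) prefix(4) asn(4)
IPV4_PREFIX_PDU_TYPE = 4
IPV4_PREFIX_FMT = "!BBHIBBBB4sI"
IPV4_PREFIX_LEN = struct.calcsize(IPV4_PREFIX_FMT)   # 20
FLAG_ANNOUNCE = 0x01   # low-order flag bit: 1 = announce the record, 0 = withdraw it

class Roa(NamedTuple):
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int

def build_ipv4_prefix_pdu(roa: Roa, announce: bool) -> bytes:
    """Encode a record as the cache would send it (used here to construct sample input)."""
    return struct.pack(IPV4_PREFIX_FMT, 0, IPV4_PREFIX_PDU_TYPE, 0, IPV4_PREFIX_LEN,
                       FLAG_ANNOUNCE if announce else 0, roa.prefix.prefixlen,
                       roa.max_length, 0, roa.prefix.network_address.packed, roa.origin_as)

def parse_ipv4_prefix_pdu(data: bytes):
    """Decode one PDU into (announce, Roa); anything malformed is rejected, not guessed."""
    if len(data) != IPV4_PREFIX_LEN:
        raise ValueError(f"expected {IPV4_PREFIX_LEN}-octet PDU, got {len(data)}")
    version, pdu_type, _, length, flags, plen, maxlen, _, raw, asn = struct.unpack(IPV4_PREFIX_FMT, data)
    if version != 0 or pdu_type != IPV4_PREFIX_PDU_TYPE or length != IPV4_PREFIX_LEN:
        raise ValueError("not a version-0 IPv4 Prefix PDU")
    if not plen <= maxlen <= 32:
        raise ValueError(f"inconsistent lengths: prefix {plen}, max {maxlen}")
    # strict=True (the default) rejects a prefix with host bits set beyond prefixlen
    prefix = ipaddress.IPv4Network((raw, plen))
    return bool(flags & FLAG_ANNOUNCE), Roa(prefix, maxlen, asn)

def apply_pdu(table: set, data: bytes) -> set:
    """Apply one announce/withdraw PDU to the router's RPKI table and return the table."""
    announce, roa = parse_ipv4_prefix_pdu(data)
    if announce:
        table.add(roa)
    else:
        table.discard(roa)
    return table

# Constructed sample record matching the valid prefix in the slides' show output
SAMPLE_ROA = Roa(ipaddress.IPv4Network("192.0.2.128/25"), 25, 64496)

if __name__ == "__main__":
    table = apply_pdu(set(), build_ipv4_prefix_pdu(SAMPLE_ROA, True))
    print(table)
    print(apply_pdu(table, build_ipv4_prefix_pdu(SAMPLE_ROA, False)))  # set()
```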

BGP Modifications for Origin AS Validation

- Origin AS Validation support for IPv4 and IPv6 AFI
- {origin-as, prefix/min-max} information received via the RPKI Router protocol is stored in a separate RPKI table
  - Used for validation of BGP announcements
- Changes to inbound processing of an update message
  - Perform Origin Validation and set the appropriate path validation state on a path for a given prefix
  - Apply any inbound policies if configured
- BGP Bestpath modified to incorporate path validation state comparison
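The inbound step above (validate, set the path state, then apply policy) and the local-preference route-map from the IOS policy slide, as an added Python example that is not code from the slides or from Cisco: it computes the RFC 6811 state for the three prefixes in the IOS show output and applies the route-map's local-preference values. The one-ROA RPKI table and its maxLength are constructed assumptions.

```python
import ipaddress
from typing import Iterable, NamedTuple, Union

class Roa(NamedTuple):
    prefix: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    max_length: int
    origin_as: int

def validation_state(rpki_table: Iterable[Roa], prefix: str, origin_as: int) -> str:
    """Origin validation as specified in RFC 6811: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covering = [r for r in rpki_table
                if r.prefix.version == route.version and route.subnet_of(r.prefix)]
    if not covering:
        return "not-found"   # no ROA covers this prefix (shown as N in 'show ip bgp')
    # Valid if any covering ROA names this origin AS and allows this prefix length.
    # An AS0 ROA can never match, since no legitimate route is originated by AS 0.
    for roa in covering:
        if roa.origin_as == origin_as != 0 and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"         # covered, but no ROA matches both origin AS and length

def rpki_local_pref(state: str, current: int = 100) -> int:
    """The slide's route-map: invalid -> 50, valid -> 200, not-found passes unchanged."""
    return {"invalid": 50, "valid": 200}.get(state, current)

# Constructed sample RPKI table consistent with the slides' show output: one ROA
# authorising AS 64496 for 192.0.2.128/25 (the maxLength of 25 is an assumption).
SAMPLE_TABLE = [Roa(ipaddress.IPv4Network("192.0.2.128/25"), 25, 64496)]
# The three announcements listed in 'show ip bgp' on Router-65536
SAMPLE_ROUTES = [("192.0.2.128/25", 64496), ("192.0.2.129/32", 65539),
                 ("203.0.113.0/24", 65539)]

def evaluate(table=SAMPLE_TABLE, routes=SAMPLE_ROUTES):
    """Return (prefix, origin AS, validation state, resulting local-preference) per route."""
    results = []
    for prefix, asn in routes:
        state = validation_state(table, prefix, asn)
        results.append((prefix, asn, state, rpki_local_pref(state)))
    return results

if __name__ == "__main__":
    for prefix, asn, state, lp in evaluate():
        print(f"{prefix:16} AS{asn:<6} {state:9} localpref {lp}")
```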

BGP Modifications & Origin Validation State Extended Community

- Changes to the update generation for IBGP peers
  - Outbound policies may use path validation state to manipulate different BGP attributes
  - Announce path validation state using a well-known extended community defined in draft-ietf-sidr-origin-validation-signaling-08
  - Helps avoid re-computation of path validation state on a receiving IBGP speaker
  - Allows a receiving IBGP speaker to compare the path validation state of IBGP paths against EBGP paths
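An added example, not code from the slides or from Cisco, of the extended community described above. The encoding is taken from the cited draft as published in RFC 8097 (type 0x43, non-transitive opaque; sub-type 0x00; validation state in the last octet: 0 valid, 1 not found, 2 invalid); the receiving-side helper shows how the signalled state replaces a second RPKI lookup. The sample community list is constructed.

```python
import struct

# BGP Prefix Origin Validation State Extended Community (draft-ietf-sidr-origin-validation-
# signaling, published as RFC 8097): 8 octets, type 0x43 (non-transitive opaque), sub-type
# 0x00, five reserved zero octets, and the validation state code in the last octet.
OV_TYPE, OV_SUBTYPE = 0x43, 0x00
STATE_CODES = {"valid": 0, "not-found": 1, "invalid": 2}
CODE_STATES = {code: state for state, code in STATE_CODES.items()}

def encode_ov_community(state: str) -> bytes:
    """Build the 8-octet community a speaker attaches to updates for its IBGP peers."""
    return struct.pack("!BB5xB", OV_TYPE, OV_SUBTYPE, STATE_CODES[state])

def decode_ov_community(ext_comm: bytes):
    """Return the carried state, or None when this is some other extended community."""
    if len(ext_comm) != 8:
        raise ValueError("an extended community is exactly 8 octets")
    etype, subtype, code = struct.unpack("!BB5xB", ext_comm)
    if (etype, subtype) != (OV_TYPE, OV_SUBTYPE):
        return None
    if code not in CODE_STATES:
        raise ValueError(f"unknown validation state code {code}")
    return CODE_STATES[code]

def ibgp_path_state(ext_comms, revalidate):
    """State for a path learned from an IBGP peer: use the signalled state when present
    (no second RPKI lookup needed), otherwise fall back to local origin validation."""
    for ec in ext_comms:
        state = decode_ov_community(ec)
        if state is not None:
            return state
    return revalidate()

# Constructed sample: an IBGP update carrying a route-target community (0x0002, 65000:100)
# followed by the origin validation state community for an invalid path.
SAMPLE_EXT_COMMS = [bytes.fromhex("0002fde800000064"), encode_ov_community("invalid")]

if __name__ == "__main__":
    print(encode_ov_community("valid").hex())                 # 4300000000000000
    print(ibgp_path_state(SAMPLE_EXT_COMMS, lambda: "valid"))  # invalid
```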
