RPKI configuration and testing

To finish the basic configuration, I wanted to enable RPKI signing and verify the RPKI setup.

Add the RPKI to our prefix

As I don’t have a PI prefix, I needed to contact my LIR. I read somewhere that I technically could ask for hosting the RPKI myself but I preferred to use the easiest path. So, I contacted my LIR (LagrangeCloud), they enabled it after 3 days. The enablement (seen by others) was about an hour up to 24h.

Test the prefix signing

After an hour, bgp.tools told me that my prefix was IRR valid and RPKI signed.

So technically, everything is good, if we visit rpkitest.nlnetlabs.net, we have a little happy face. That’s mean our prefix is signed and seen by others:

So the prefix is hard to hijack (some people does not check RPKI).

Final testing

To check if everything is good, I decided to test the website isbgpsafeyet.com. It is a website provided by CloudFlare to test our ISPs to see if they drop invalid RPKI prefix.

As we are an ISP now, it can be useful to see if everything works.

First test

I cannot replicate without restarting the router entirely, but I can have invalid RPKI accepted because bird take some time to fetch the RPKI list.

Try to fix

After trying everything, bird cli tell me that the prefix is accepted but when I eval the prefix it is marked as ROA_INVALID, so invalid RPKI.

I restarted bird, it was the wrong thing to do because nothing changed. and then I discover the command to restart a single session (birdc disable <peer> && sleep 30 && birdc enable <peer>) and then all the invalid RPKI prefix were not in my routing table anymore!

Second test

After all of this, I go to the same website, press the test button and my own ISP is now doing good!

Conclusion

This was the last chapter about configuring our ISP edge router (where BGP is), now we need to route our prefix to the house, but it is for a new chapter.