Created
March 16, 2026 09:08
-
-
Save tonusoo/3e3cc16fe2008fcb9b47aa6e4831c73d to your computer and use it in GitHub Desktop.
RTBH prefixes validation on Junos || PoC setup || NANOG mailing list thread: https://lists.nanog.org/archives/list/nanog@lists.nanog.org/thread/O5XX6BHOSMINX4HKT2SMVOI66SMYXFOR/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| root@vjr-17> show configuration routing-options bmp | |
| /* Rotonda */ | |
| station BMP-feed-for-RTBH-1 { | |
| /* if the session breaks, then the router tries to reestablish it every 30 seconds */ | |
| connection-mode active; | |
| /* Route Monitoring messages are sent only for peers defined under specific BGP groups */ | |
| route-monitoring { | |
| none; | |
| } | |
| station-address 10.10.8.3; | |
| station-port 10179; | |
| } | |
| /* Rotonda */ | |
| station BMP-feed-for-RTBH-2 { | |
| connection-mode active; | |
| route-monitoring { | |
| none; | |
| } | |
| station-address 10.10.9.3; | |
| station-port 10179; | |
| } | |
| /* pmbmpd (pmacct BMP collector daemon) */ | |
| station BMP-full-feed { | |
| connection-mode active; | |
| station-address 10.5.5.13; | |
| station-port 10179; | |
| } | |
| root@vjr-17> | |
| root@vjr-17> show configuration protocols bgp group IPT-fulltable-v4 bmp | |
| monitor enable; | |
| route-monitoring { | |
| pre-policy; | |
| } | |
| root@vjr-17> | |
| root@vjr-17> show configuration protocols bgp group IPT-fulltable-v6 bmp | |
| monitor enable; | |
| route-monitoring { | |
| pre-policy; | |
| } | |
| root@vjr-17> | |
| root@vjr-17> show configuration routing-options validation | |
| group RPKI-validators { | |
| /* Routinator 3000 */ | |
| session 10.10.8.2 { | |
| port 3323; | |
| } | |
| /* Routinator 3000 */ | |
| session 10.10.9.2 { | |
| port 3323; | |
| } | |
| } | |
| group RTR-sessions-for-RTBH { | |
| /* RTRTR / aggressive timers to prevent stale records / 10.10.8.3 is same server as 10.10.8.2 */ | |
| session 10.10.8.3 { | |
| /* send the Serial Query every 10 seconds */ | |
| refresh-time 10; | |
| /* drop the session if 30 seconds have passed since the last received PDU */ | |
| hold-time 30; | |
| /* flush the route validation records if 60 seconds have passed since the last received PDU */ | |
| record-lifetime 60; | |
| port 3323; | |
| } | |
| /* RTRTR / aggressive timers to prevent stale records / 10.10.9.3 is same server as 10.10.9.2 */ | |
| session 10.10.9.3 { | |
| refresh-time 10; | |
| hold-time 30; | |
| record-lifetime 60; | |
| port 3323; | |
| } | |
| } | |
| root@vjr-17> | |
| root@vjr-17> show configuration policy-options policy-statement rpki-check | |
| term reject-rpki-invalid { | |
| from { | |
| protocol bgp; | |
| validation-database invalid; | |
| } | |
| then { | |
| validation-state invalid; | |
| reject; | |
| } | |
| } | |
| term mark-rpki-valid { | |
| from { | |
| protocol bgp; | |
| validation-database valid; | |
| } | |
| then { | |
| validation-state valid; | |
| next policy; | |
| } | |
| } | |
| term skip-rpki-unknown { | |
| from { | |
| protocol bgp; | |
| validation-database unknown; | |
| } | |
| then { | |
| validation-state unknown; | |
| next policy; | |
| } | |
| } | |
| then next policy; | |
| root@vjr-17> | |
| root@vjr-17> show configuration policy-options policy-statement ipt-rtbh-v4 | |
| term accept-blackhole { | |
| from { | |
| family inet; | |
| community blackhole; | |
| route-filter 0.0.0.0/0 prefix-length-range /32-/32; | |
| } | |
| then { | |
| local-preference 170; | |
| origin igp; | |
| /* requires accept-remote-nexthop */ | |
| next-hop 192.0.2.1; | |
| accept; | |
| } | |
| } | |
| term reject-invalid-length { | |
| from { | |
| family inet; | |
| community blackhole; | |
| } | |
| then reject; | |
| } | |
| then next policy; | |
| root@vjr-17> | |
| root@vjr-17> show configuration policy-options policy-statement ipt-rtbh-v6 | |
| term accept-blackhole { | |
| from { | |
| family inet6; | |
| community blackhole; | |
| route-filter ::/0 prefix-length-range /128-/128; | |
| } | |
| then { | |
| local-preference 170; | |
| origin igp; | |
| /* requires accept-remote-nexthop */ | |
| next-hop 100::1; | |
| accept; | |
| } | |
| } | |
| term reject-invalid-length { | |
| from { | |
| family inet6; | |
| community blackhole; | |
| } | |
| then reject; | |
| } | |
| then next policy; | |
| root@vjr-17> |
Author
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
RTRTR configuration file
/etc/rtrtr.conf: