The RPKI validation performed by BGPalerter can be configured in config.yml in the rpki section.
rpki:
vrpProvider: ntt
preCacheROAs: true,
refreshVrpListMinutes: 15This configuration will be used across the entire process (e.g., by monitorRPKI, monitorHijack, monitorROAs).
Below you can see the parameters available:
| Parameter | Description |
|---|---|
| preCacheROAs | When this parameter is set to true (default), BGPalerter will download Validated ROA Payloads (VRPs) lists locally instead of using online validation. More info here. |
| refreshVrpListMinutes | If preCacheROAs is set to true, this parameter allows to specify a refresh time for the VRPs lists (read here for the minimum refresh time allowed). |
| vrpProvider | A string indicating the provider of the VRPs list. Possible options are: ntt (default), cloudflare, rpkiclient, ripe, external, api. The external and api options are used to specify your own VRP source, read here. |
| vrpFile | A JSON file with an array of VRPs. See example below. |
| markDataAsStaleAfterMinutes | The amount of minutes (integer) after which an unchanged VRP list is marked as stale. Set to 0 to disable the check. |
Using external VRP providers for the monitoring is quick and easy, but you are essentially trusting somebody else writing the VRP file correctly.
Instead, you can specify your own VRPs in two ways:
- Using your own API producing JSON output;
- Using your favourite rpki validator to generate a file locally.
In case the download of the VRP data fails, an online provider is used (the error is reported in the logs).
To use your own API you need to set the following options in config.yml:
rpki:
vrpProvider: api
url: https://my-api.api.com/vrps/
preCacheROAs: trueRemember, you must specify the url when you use "api" as vrpProvider
The API must return the JSON format described here;
You can generate your JSON VRP file periodically and BGPalerter will detect changes and reload it automatically. To do so, you have to use the following options in config.yml:
rpki:
vrpProvider: external
vrpFile: myfile.json
preCacheROAs: trueRemember, you must specify vrpFile when you use "external" as vrpProvider
The VRPs file must be in the following format:
[
{
"prefix": "123.4.5.0/22",
"asn": 1234,
"maxLength": 24
},
{
"prefix": "321.4.5.0/22",
"asn": 9876,
"maxLength": 22
}
]Also the following format is supported:
{
roas: [ ... ] // containing items as described above
}You can use any of the RPKI validator that support JSON as output format to generate it. Below some copy-paste examples.
-
Download rpki-client here;
-
Create a cron job every 15 minutes with the following
rpki-client -j test/
-
Set the
vrpFileparameter inconfig.ymlrpki: vrpFile: test/export.json preCacheROAs: true
-
Download Routinator here
-
Run the Routinator daemon with the HTTP service
routinator server --http 127.0.0.1:8323
-
Set the
vrpProviderparameter inconfig.ymlvrpProvider: api url: http://127.0.0.1:8323/json preCacheROAs: true
Please, help with other examples
You can use BGPalerter to test ROAs before deploying them for real.
How:
- enable connectorRISDump (optional but useful);
- add the "ROA" in the VRP file using the JSON format described above;
- be sure there is a prefix rule in config.yml covering the prefix of the ROA;
- leave BGPalerter on for some time.
You will get notified if your new staged roa conflicts with what announced at the BGP level. If you are starting BGPalerter after you already created the VRP file, by enabling connectorRISDump you would be able to get an immediate feedback based on a BGP dump. In any case, new BGP updates are going to be processed in real-time and compared with the VRP file provided.