Juniper Route Origin Validation (RPKI) Setup

Basic setup instructions for Juniper routers in order to setup route origin validation (RPKI). These instructions will establish a basic session between the RPKI capable router and your RPKI server running the RIPE RPKI Validator, Rcynic RPKI tool suite, or other RPKI server of your choosing.

Author: Humberto Nieves

Setting up Juniper routers to communicate with your RPKI server is not very intensive and can be done relatively quickly. These instructions are a compilation from different sources, and settings we have used in our test lab. Links to the sources can be found below under resource links. 

  1. First we will setup the JUNOS routing-options to have a session to our RPKI server.
    • edit routing-options validation group rpki-validator session <RPKI Server IP Address>
  2. Next we will set the refresh time for the server to request updates from the RPKI server and the port that the RPKI service is running on. Refresh time and port depend on what RPKI suite you are running on your server.
    • If you are running the RIPE RPKI Validator, we have used a refresh-time of 840 seconds, a hold-time of 1680 seconds and the default port of 8282. The reason for this is because we found that the RPKI Validator (as of version 2.22) doesn't conduct incremental updates and responds to Serial Queries (PDU Type 1) from the router with a Cache Reset (PDU Type 8) forcing the router to receive a full update as opposed to an incremental update. On our test network, with roughly 297,700 routes, a full update takes roughly 7 minutes. For this reason we have chosen an update time that exceeds the 7 minute mark, it allows for a 7 minutes no update period, and then a full update the following 7 minutes. The hold-time is the amount of time in seconds that can pass without any activity between the RPKI server and the router. Receipt of data resets the timer. The timer must be at a minimum twice the amount of the refresh-time.
    • If you are running the RCYNIC RPKI Suite, we have used a refresh-time of 120 seconds, hold-time of 240 seconds and use port 323. The RCYNIC RPKI suite responds to Serial Queries from the router with incremental updates, which allows for a shorter refresh time and decreased bandwidth usage. A full update, using the Cache Reset (PDU Type 8), is done every 30 minutes by RCYNIC.
    • set refresh-time <time> hold-time <time> port <port>
  3. Next we will return to the top of the menu using the top command and then we will create a policy-statement that we will name validation. This will store our policy information for the valid, invalid, and unknown routes.
    • edit policy-options policy-statement validation
  4. Within the validation policy-statement the different validation states will be defined. Three terms will be created, valid, invalid, and unknown. Within each we will declare two sections. A from section where we declare where we are getting our information, and a then section declaring what action to take. Within each from the protocol will be declared and what table within the validation-database to read from. Under the then section we will declare the local-preference for each route. The default is 100 and higher is more preferred. We will then declare the validation-state, what community to add the route to and then to accept the information.
    • set term valid from protocol bgp validation-database valid
    • set term valid then validation-state valid community add origin-validation-state-valid
    • set term valid then local-preference 110
    • set term valid then accept
    • set term invalid from protocol bgp validation-database invalid
    • set term invalid then validation-state invalid community add origin-validation-state-invalid
    • set term invalid then local-preference 90
    • set term invalid then accept
    • set term unknown from protocol bgp validation-database unknown
    • set term unknown then validation-state unknown community add origin-validation-state-unknown
    • set term unknown then accept
  5. In the previous commands the routes are being added to communities, we will now create these communities within the router. First we will type in top to return to the top of the config options, and then type edit policy-options and enter the commands below.
    • set community origin-validation-state-invalid members 0x43:100:2
    • set community origin-validation-state-unknown members 0x43:100:1
    • set community origin-validation-state-valid members 0x43:100:0
  6. Lastly we will edit the BGP setting for this router in order to apply the route origin validation settings we have created. You will goto the BGP settings and apply the validation policy to the BGP peer group that you have setup. (That is outside the scope of these instructions.) Once inside your peer group you will import the specific validation policy that we just created. First return to the top and execute the commands below.
    • edit protocols bgp group <BGP peer group>
    • set import validation
  7. Commit the changes with commit and then check on the validation session.

In order to check the validation status from the configuration menu you can run the command:

  • run show validation session

Under State you will see the value of Up if the connection is established and the router is communicating with the RPKI server. If the State is Connect, then it means that the router is attempting to connect to the RPKI server. If it fails to connect check the following:

  1. That all security devices allow RPKI traffice between the router and RPKI server.
  2. That the RPKI service is running at the correct IP address and port that you input on the router during step 1 and 2. 
  3. Ensure there were no error messages when you did the commit at step 7.

​Hope that these instructions were helpful. We would like to point you as well to other resources that were helpful to us in creating these. The first is the RIPE website that has a lot of good guidance on using the RIPE RPKI Validator, router configurations and other very useful information. The other is the Juniper site with a lot of indepth information on configuration options for JunOS. The links to both are below.

External Links & Resources