RPKI

asturmas · Fri Jan 31, 2014 10:33 am

Someone'm already use RPKI in CCR? How to do it? http://www.ripe.net/lir-services/resour ... tification

For example ripe only have configuration for cisco and juniper http://www.ripe.net/lir-services/resour ... figuration

asturmas · Sun Feb 09, 2014 12:53 pm

Any help?

JanZorz · Tue Jul 08, 2014 2:36 pm

I'm eagerly waiting for Mikrotik to deploy RPKI route origin validation. Currently I'm doing it on ASR1k router but would gladly move this function to CCR1036 as it seems to be powerfull enough to take care of this stuff. Mikrotik staff, any information when can we expect RPKI in RouterOS?

Cheers, Jan Zorz

mrz · Tue Jul 08, 2014 2:39 pm

We have plans for RPKI in RouteroS v7

JanZorz · Tue Jul 08, 2014 5:40 pm

Thank you very much for this information. Any idea when ROS 7 will be available for testing? I'm willing to test RPKI for you (IPv6 and IPv4 routes) if you send me the code as soon as it's available

Cheers, Jan Zorz

rextended · Tue Jul 08, 2014 7:16 pm

First wait the fix of all bug on ROS 6.x or you have 7.x full of bug...

asturmas · Sat Jul 12, 2014 3:32 am

Any ETA for ROS 7?

asturmas · Fri Jun 10, 2016 4:38 am

Two years later... Still no plans to RPKI or Router OS 7?

Hammy · Tue May 02, 2017 4:00 pm

Still waiting...

Wed May 03, 2017 5:18 am

Still waiting on the long over due RouterOS v7

helectro · Fri May 19, 2017 1:49 pm

+1 me too still

JimmyNyholm · Fri Aug 04, 2017 12:22 am

+1 Any day now....

kcdyer · Wed Nov 08, 2017 4:38 pm

RPKI would be great right about now...

watigre · Tue Sep 18, 2018 8:53 am

novedades sobre ros 7 con rpki?

ab130kd · Tue Oct 02, 2018 1:56 pm

ANY SOLUTION FOR ??? https://www.ripe.net/manage-ips-and-asn ... figuration
RIPE need certification....

chubbs596 · Tue Oct 02, 2018 8:48 pm

RPKI is becoming a requirement more and more,

When can we expect this?

schadom · Thu Oct 11, 2018 7:45 pm

+1

We have plans for RPKI in RouteroS v7

MT might consider backporting RPKI from ROSv7 to 6.x

Hammy · Fri Oct 19, 2018 10:02 pm

Some Internet Exchanges are going to start requiring RPKI validation to participate in 2019.

MIKROTIK NEEDS TO RELEASE A RELIABLE RPKI IMPLEMENTATION BY THE END OF THE YEAR!

patrick7 · Fri Oct 19, 2018 10:38 pm

dream on

mutinsa · Sat Oct 20, 2018 3:16 pm

schadom · Mon Oct 22, 2018 4:19 pm

Some Internet Exchanges are going to start requiring RPKI validation to participate in 2019.

MIKROTIK NEEDS TO RELEASE A RELIABLE RPKI IMPLEMENTATION BY THE END OF THE YEAR!

Yes, SwissIX for example.

MT please really consider to implement RPKI in ROS. Most other vendors already have it and the trend is clearly going in that direction. ROS would need to be able to query an external RPKI server (like https://github.com/RIPE-NCC/rpki-validator-3) and allow for filtering (ROA valid, invalid, not-found) via route filters.

kcdyer · Tue Oct 23, 2018 6:38 pm

Yes, SwissIX for example.

YYCIX in Calgary AB, Canada is starting to implement as well.
https://yycix.ca/communities.html

I'm sure it's just a matter of time before we cannot even peer in the in exchange without it.

schadom · Wed Oct 31, 2018 9:07 pm

I'm sure it's just a matter of time before we cannot even peer in the in exchange without it.

If you have valid ROAs for all your routes, no need to worry with IXPs or routeservers for now, although ultimately we also need to increase ROV adoption among networks, therefore we need routing software like ROS to support it!

chubbs596 · Thu Nov 01, 2018 7:19 am

+10000 for RPKI

netravnen · Mon Dec 17, 2018 11:54 pm

We have plans for RPKI in RouteroS v7

Any chance one can be a test pilot along-side Jan Z. on this one? Alpha testing ROS 7?

2014 was around first time RPKI was asked about. Not we hit 2018.... Still ways to go for ROS 7 being available with RPKI and Large BGP Communities support (I assume?).

coelliale · Wed Jun 26, 2019 8:06 am

2019 up up up

mmc · Wed Jun 26, 2019 9:59 am

rpki is an urgent must - and because it's a long path from beta to stable production (which is necessary for bgp), we need the beta asap...

rpki would have prevented this worldwide issue:
https://blog.cloudflare.com/how-verizon ... ine-today/

mutinsa · Fri Jun 28, 2019 3:21 pm

up

+1.

helectro · Fri Jun 28, 2019 7:57 pm

+1 again

TigerHuang · Sat Jun 29, 2019 8:05 am

+1 push it

netravnen · Sat Jun 29, 2019 5:48 pm

Thank you very much for this information. Any idea when ROS 7 will be available for testing? I'm willing to test RPKI for you (IPv6 and IPv4 routes) if you send me the code as soon as it's available ;)

I agree with J.Z. here. If you are willing to accept select community members into an Alpha stage ROSv7 testing program.

netravnen · Sat Jun 29, 2019 5:58 pm

Yes, SwissIX for example.
YYCIX in Calgary AB, Canada is starting to implement as well.
https://yycix.ca/communities.html

I'm sure it's just a matter of time before we cannot even peer in the in exchange without it.

Validity state Standard Extended Large
Prefix is included in client's AS-SET None None 53339:11:1
Prefix is NOT included in client's AS-SET None None 53339:11:2
Origin ASN is included in client's AS-SET None None 53339:11:3
Origin ASN is NOT included in client's AS-SET None None 53339:11:4
Prefix matched by a RPKI ROA for the authorized origin ASN None None 53339:11:5
Prefix matched by an entry of the ARIN Whois DB dump None None 53339:11:6

Hurts a bit you cannot do indirect discard of RPKI invalid routes there based upon the only current supported standard/extended bgp communities in ROSv6. :| When they only have deployed the functionality with bgp large communities at YYCIX.

luciano · Fri Dec 13, 2019 3:47 pm

Hi! Still need a RPKI implementation. Here in Brazil, our RIR start to permit the use of RPKI. And here in Latin America a great number of ISP running they ASes on Mikrotik boxes.

Any update about this on RouterOS?

tippenring · Tue Dec 17, 2019 11:03 pm

Any idea when ROS 7 will be available for testing? I'm willing to test RPKI for you (IPv6 and IPv4 routes) if you send me the code as soon as it's available

You didn't even try. It took you longer to post this reply than go check. https://www.mikrotik.com/download

mutinsa · Sat Dec 21, 2019 12:06 pm

+1.

up

netravnen · Sat Dec 21, 2019 12:25 pm

Hi! Still need an RPKI implementation. Here in Brazil, our RIR start to permit the use of RPKI. And here in Latin America a great number of ISP running they ASes on Mikrotik boxes.

A major PRO PLUS for implementing RPKI support directly into ROS!

The business case becomes stronger and stronger for going forward with this feature and implementing it into RouterOS. (I mean, using as-path and prefix-lists does not really get you quite the same long way RPKI does, in terms of up-to-date routing security in regards to dropping invalids. Especially now that ARIN has moved to publishing their ROA certs updates every few minutes - https://teamarin.net/2019/12/09/the-roa ... c-to-rrdp/)

pe1chl · Sat Dec 21, 2019 12:45 pm

Back in 2014 the RouterOS v7 project was still the holy grail that would fix all problems. All new routing, all new BGP, etc etc etc.
Then nothing happened for 5 years and now there is a v7 beta, but unfortunately it is "just" a build with a new Linux kernel and nothing of those exciting features is in sight.
(almost no changes in functionality between v6 and v7beta)

The only "positive" thing that could be said is that v7beta does not contain any BGP at all, so we can still hope this is because there is an entirely new BGP but it is not completed, but it could be in a v7 final version.
Of course there is still no ETA for that. So best is to put this on the backburner for a couple more years...

mutinsa · Sat Mar 28, 2020 8:18 am

+++

Back in 2014 the RouterOS v7 project was still the holy grail that would fix all problems. All new routing, all new BGP, etc etc etc.
Then nothing happened for 5 years and now there is a v7 beta, but unfortunately it is "just" a build with a new Linux kernel and nothing of those exciting features is in sight.
(almost no changes in functionality between v6 and v7beta)

The only "positive" thing that could be said is that v7beta does not contain any BGP at all, so we can still hope this is because there is an entirely new BGP but it is not completed, but it could be in a v7 final version.
Of course there is still no ETA for that. So best is to put this on the backburner for a couple more years...

markwien · Thu Apr 02, 2020 11:51 am

Because of issue with rustelecom urgent call to implement RPKI Origin Validation to ROS 6!

MCN · Thu Apr 23, 2020 11:19 pm

So, as of now - with a STABLE version of ROS (April 23 2020)

RPKI is not supported / available on Mikrotik ROS.

Is this correct?

It would be nice to see a time line when this would be available.

But no rush - want it to be done correctly!

pe1chl · Thu Apr 23, 2020 11:42 pm

So, as of now - with a STABLE version of ROS (April 23 2020)

RPKI is not supported / available on Mikrotik ROS.

Is this correct?

yes

It would be nice to see a time line when this would be available.

But no rush - want it to be done correctly!

MikroTik never gives time estimates to implementation of new features.
And as you can read above, it was sort of announced 6 years ago.
So no rush, be patient!

Fri Apr 24, 2020 8:00 am

#soon

ploquets · Wed May 27, 2020 12:38 am

Please, Mikrotik Staff, we need RPKI this year.... Impressive how this thread is from 2014 and nobody seems to care about it.

eworm · Thu Jun 04, 2020 1:54 pm

What's new in 7.0beta7 (2020-Jun-3 16:31):
[...]
!) enabled BGP support with multicore peer processing (CLI only);
!) enabled RPKI support (CLI only);
[...]

paulct · Thu Jun 04, 2020 4:24 pm

Thanks for listening Mikrotik.

paulct · Thu Jun 04, 2020 4:52 pm

does the rpki in v7 include route origin validation?

paulct · Thu Jun 04, 2020 4:54 pm

does the rpki in v7 include route origin validation?

I see it does, good news.Time to run a lab soon.

mrz · Thu Jun 04, 2020 5:00 pm

Yes,
RouterOS implements RTR client. You connect to the server which will send route validity information.
This informaton can be used to validate routes in route filters against group with "rpki-validate".
ANd then further in filters "match-rpki" can be used to match exact state.

sebastianmeade2 · Sat Sep 19, 2020 2:27 am

Hello, to validate do I need an external server? how do i do it? What external hardware do I need or do you recommend?
Thank you

Yes,
RouterOS implements RTR client. You connect to the server which will send route validity information.
This informaton can be used to validate routes in route filters against group with "rpki-validate".
ANd then further in filters "match-rpki" can be used to match exact state.

pe1chl · Sat Sep 19, 2020 3:39 pm

Is it too much trouble for you go google how RPKI works, how the structure of RTR client, RPKI server etc is, and how to obtain and install a server?

Who is online