Origin Validation for BGP in Juniper Networks

If an administrator of an autonomous system (AS) starts advertising all or part of another company's allocated network, BGP has no built-in ability to detect the issue and respond in a way that avoids service disruptions.

Origin validation mitigates the vulnerability of transitive trust by allowing a provider to limit the advertisements it accepts from a client. The mechanics require the exchange of routing policies using an expanded BGP community attribute.

Routes are occasionally advertised inadvertently owing to operator error. To address this security vulnerability, set BGP to check the originating AS and reject invalid announcements. This functionality employs a cache server to authenticate prefixes or prefix ranges.

Fig 1.1 - Origin Validation for BGP in Juniper Networks (topology diagram)

In our scenario, Device R1 has an IBGP connection to Device R3 and an EBGP connection to Device R2. Device R1 gets route validation (RV) records from the cache server via the protocol defined in the Internet-Draft draft-ietf-sidr-rpki-rtr-19, The RPKI/Router Protocol.

The RPKI-Router Protocol communicates via TCP. Device R1 uses the RV records to create a local RV database. On Device R3, the validation status is configured using the BGP community called validation-state, which is received with the route.

Let's look at the scenario and the configuration of Router R1.

Router R1 Configurations

[edit interfaces]
user@R1# set ge-1/2/0 unit 0 description to-R3
user@R1# set ge-1/2/0 unit 0 family inet address 10.10.10.2/30
user@R1# set ge-1/2/1 unit 0 description to-R2
user@R1# set ge-1/2/1 unit 0 family inet address 10.10.10.5/30
user@R1# set ge-1/2/2 unit 0 description to-cache
user@R1# set ge-1/2/2 unit 0 family inet address 10.10.10.9/30
user@R1# set lo0 unit 0 family inet address 10.10.1.1/32
Configure an IBGP session with Device R3 and an EBGP session with Device R2. The EBGP group applies the validation policy (configured below) as its import policy.

[edit protocols bgp]
user@R1# set group int type internal
user@R1# set group int local-address 10.10.1.1
user@R1# set group int export send-direct
user@R1# set group int neighbor 10.1.1.1
user@R1# set group ext type external
user@R1# set group ext import validation
user@R1# set group ext export send-direct
user@R1# set group ext peer-as 200
user@R1# set group ext neighbor 10.10.10.6
Configure the routing policy that exports direct routes from the routing table into BGP.

[edit policy-options policy-statement send-direct]
user@R1# set from protocol direct
user@R1# set then accept

Configure the routing policy that sets the validation state of each BGP route from the local RV database, tags the route with the matching origin-validation-state community, and rejects routes whose state is invalid (valid and unknown routes are accepted).

[edit policy-options policy-statement validation]
user@R1# set term valid from protocol bgp
user@R1# set term valid from validation-database valid
user@R1# set term valid then validation-state valid
user@R1# set term valid then community add origin-validation-state-valid
user@R1# set term valid then accept
user@R1# set term invalid from protocol bgp
user@R1# set term invalid from validation-database invalid
user@R1# set term invalid then validation-state invalid
user@R1# set term invalid then community add origin-validation-state-invalid
user@R1# set term invalid then reject
user@R1# set term unknown from protocol bgp
user@R1# set term unknown then validation-state unknown
user@R1# set term unknown then community add origin-validation-state-unknown
user@R1# set term unknown then accept

[edit policy-options]
user@R1# set community origin-validation-state-invalid members 0x4300:0.0.0.0:2
user@R1# set community origin-validation-state-unknown members 0x4300:0.0.0.0:1
user@R1# set community origin-validation-state-valid members 0x4300:0.0.0.0:0
Configure the session with the RPKI cache server and the local AS number.

[edit routing-options validation]
user@R1# set group test session 10.10.10.10

[edit routing-options]
user@R1# set autonomous-system 100
From configuration mode, confirm your configuration by running the show interfaces, show protocols, show policy-options, and show routing-options commands.
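To make the behaviour of the validation policy above concrete, here is an added Python model (not Juniper's code or part of this page) of the lookup R1 performs against its local RV database and of the accept/reject and community decisions the policy makes; the RV records and routes it checks are constructed, since the page does not show the cache server's contents.

```python
import ipaddress
from dataclasses import dataclass

# Community members the R1 policy attaches for each state
# (Junos form 0x4300:0.0.0.0:N of the origin validation state community).
VALIDATION_COMMUNITY = {
    "valid": "0x4300:0.0.0.0:0",
    "unknown": "0x4300:0.0.0.0:1",
    "invalid": "0x4300:0.0.0.0:2",
}
# Actions of the policy's three terms: only invalid routes are rejected.
POLICY_ACTION = {"valid": "accept", "unknown": "accept", "invalid": "reject"}

@dataclass(frozen=True)
class RVRecord:  # one route validation record learned from the cache server
    prefix: str
    max_length: int
    origin_as: int

def validation_state(route_prefix: str, origin_as: int, rv_db) -> str:
    """Look the route up in the RV database (RFC 6811 semantics):
    no covering record -> unknown; a covering record whose origin AS and
    max length match -> valid; covering records exist but none match -> invalid."""
    route = ipaddress.ip_network(route_prefix, strict=False)
    covered = False
    for rec in rv_db:
        roa = ipaddress.ip_network(rec.prefix, strict=False)
        if route.version != roa.version or not route.subnet_of(roa):
            continue  # this record does not cover the route at all
        covered = True
        if rec.origin_as == origin_as and route.prefixlen <= rec.max_length:
            return "valid"
    return "invalid" if covered else "unknown"

def apply_validation_policy(route_prefix: str, origin_as: int, rv_db) -> dict:
    """Mirror the R1 import policy: set validation-state, add community, accept/reject."""
    state = validation_state(route_prefix, origin_as, rv_db)
    return {"prefix": route_prefix, "origin_as": origin_as, "validation-state": state,
            "community": VALIDATION_COMMUNITY[state], "action": POLICY_ACTION[state]}

# Constructed sample RV database (the page shows no records from the cache at 10.10.10.10).
SAMPLE_RV_DB = [RVRecord("192.0.2.0/24", 24, 200), RVRecord("198.51.100.0/22", 24, 300)]

if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 200), ("192.0.2.0/24", 999),
                        ("198.51.100.0/25", 300), ("203.0.113.0/24", 200)]:
        print(apply_validation_policy(prefix, asn, SAMPLE_RV_DB))
```

The second and third sample routes are rejected for different reasons: a wrong origin AS and a more-specific announcement beyond the record's maximum length, which is the kind of inadvertent or hostile announcement the policy is meant to stop.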