Securing BGP with RPKI Using Routinator, FORT and Cisco IOS-XR – Part 2/3

This blog is part of the VTPP (VNET Threat Perception Platform) project, a three-year programme co-funded by the European Commission under the DIGITAL-ECCC-2022-CYBER-03 call. The project covers DDoS mitigation with FastNetMon, vulnerability scanning with OpenVAS, custom AI/ML detection plugins for Zeek, HSM-backed key management, RPKI validation and a Krill CA, and a full-scale deployment of Security Onion as the IDS/SIEM/NSM backbone.

Part 2: Deploying Routinator 3000 and FORT RPKI

In this phase, we deploy our Relying Parties (RPs). These servers fetch the RPKI repositories, starting from the five RIR trust anchors and following delegations down to any hosted or self-run publication points, preferably over RRDP (the RPKI Repository Delta Protocol, RFC 8182). RRDP runs over HTTPS, which traverses corporate firewalls easily and can be served through ordinary web caches and CDNs, so it puts far less load on publication servers than rsync does. Rsync is still required as a fallback for repositories that do not offer RRDP, so the RP hosts need outbound TCP/443 and TCP/873.

1. Routinator 3000 on Rocky Linux

NLnet Labs' Routinator ( https://nlnetlabs.nl/projects/routing/routinator/ ) is currently one of the most widely deployed RPs. It is written in Rust, which makes it fast and memory-safe: a malformed certificate, manifest or ROA pulled from a publication point cannot become a memory-corruption exploit against the validator, only a rejected object.

Installation & Initialization:

# Add the NLnet Labs package repository (definition as in the NLnet Labs
# installation docs), import its signing key and install Routinator
$ sudo yum install epel-release
$ sudo tee /etc/yum.repos.d/nlnetlabs.repo > /dev/null <<'EOF'
[nlnetlabs]
name=NLnet Labs
baseurl=https://packages.nlnetlabs.nl/linux/centos/$releasever/main/$basearch
enabled=1
EOF
$ sudo rpm --import https://packages.nlnetlabs.nl/aptkey.asc
$ sudo yum install routinator

# Initialize the Trust Anchor Locators. Older Routinator releases ship without
# the ARIN TAL and require explicit acceptance of the ARIN Relying Party
# Agreement; releases that bundle all five TALs have dropped the init
# subcommand, in which case this step is simply skipped.
$ sudo -u routinator routinator init --accept-arin-rpa

Configuration ( /etc/routinator/routinator.conf ):

We must configure Routinator to serve RTR to the routers. The IANA-assigned RTR port is TCP 323, which is privileged; the unprivileged TCP 3323 that Routinator and FORT use by default has become the de-facto convention for RPs, and the router is told the port explicitly anyway.

# Serve RTR on the internal interface only. Plain-text RTR carries no
# authentication, so reachability must be restricted to the routers (firewall/ACL).
rtr-listen = ["10.0.0.11:3323"]
# HTTP status UI, JSON API and Prometheus /metrics. Also unauthenticated: keep it internal.
http-listen = ["10.0.0.11:8323"]
# How often the repositories are re-fetched, in seconds (600 is the default)
refresh = 600
# Parallel validation threads; defaults to the number of CPU cores, set it only to pin it
validation-threads = 4

Start the Service:

$ sudo systemctl enable --now routinator

Example configuration for tunnelling RTR over SSH on TCP/22 ( /etc/ssh/sshd_config ). RFC 8210 section 7 defines this transport: the router opens an SSH session and requests the "rpki-rtr" subsystem, and sshd pipes that session into the local plain-text RTR port.

# Subsystem requested by the router's RTR client; nc bridges it to Routinator
Subsystem       rpki-rtr        /bin/nc 127.0.0.1 3323

# Legacy algorithms cannot be scoped to a Match block, so enabling them here
# weakens every SSH session on this host, not just the RTR tunnel. Leave them
# commented out unless the router's RTR client provably cannot negotiate
# anything stronger, and document the exception if you must enable them.
# Ciphers +3des-cbc
# KexAlgorithms +diffie-hellman-group1-sha1

# The dedicated tunnel user can run nothing but the RTR pipe and gets no shell,
# TTY or port forwarding. Password authentication stays on for this one user
# only, because router RTR clients commonly authenticate with username/password;
# use a long random password and keep the global PasswordAuthentication setting off.
Match User vnetrpki
    ForceCommand /bin/nc 127.0.0.1 3323
    PasswordAuthentication yes
    PermitTTY no
    AllowTcpForwarding no
    X11Forwarding no
Match all

2. FORT Validator on AlmaLinux

FORT ( https://fortproject.net/en/validator ), maintained by NIC.mx (the Mexican ccTLD registry), is a C-based validator. It is lightweight and strict in its adherence to the RFCs, which makes it a good counterpart to Routinator in our redundancy strategy: two independently written validators mean that a parsing bug, a crash or a fetch failure in one implementation does not leave the routers without a cache.

Installation & Initialization:

# FORT runtime dependencies (the -devel packages are only needed when building from source)
$ sudo yum install epel-release jansson libcurl libxml2 openssl rsync

# FORT is not in the default repositories; install the RPM published on the
# project's GitHub releases page (https://github.com/NICMx/FORT-validator/releases),
# replacing <version> with the release you downloaded
$ sudo yum install ./fort-<version>.el9.x86_64.rpm

# Fetch the Trust Anchor Locators (TALs). Current FORT can download them itself:
$ sudo mkdir -p /etc/fort/tal
$ sudo fort --init-tals --tal /etc/fort/tal
# or fetch them by hand from each RIR, e.g.
$ sudo curl -o /etc/fort/tal/afrinic.tal https://rpki.afrinic.net/tal/afrinic.tal
# (Repeat for APNIC, ARIN, LACNIC and RIPE NCC)

Configuration ( /etc/fort/config.json ):

FORT is configured with a JSON file. We make it listen on TCP 3323 as well, so the routers see the same port on both RPs. Note that in current FORT releases `server.interval` is an object holding the validation run interval plus the refresh/retry/expire timers that are handed to the router in the End of Data PDU, not a single number, and `server.address` is a list.

{
  "tal": "/etc/fort/tal/",
  "local-repository": "/var/lib/fort/repository",
  "server": {
    "address": ["10.0.0.21"],
    "port": "3323",
    "interval": {
      "validation": 3600,
      "refresh": 3600,
      "retry": 600,
      "expire": 7200
    }
  },
  "output": {
    "roa": "/var/lib/fort/roas.csv"
  }
}

With both validators running, the Linux VMs are now RPKI Relying Party servers. Their job is to walk the RPKI's trees of certificates, manifests and ROAs, check every signature and validity period, and reduce the result to a flat table of Validated ROA Payloads (VRPs): origin ASN, prefix and maximum length. That table, not the certificates, is what the router receives and compares BGP announcements against.
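The following Python, added here as an example and not taken from the post or from either validator, shows what happens to that table downstream: it loads the CSV that Routinator (`routinator vrps --format csv`) and FORT (`output.roa`) write, diffs the two caches as a consistency check between the redundant RPs, and applies the RFC 6811 origin validation rules the router will use in Part 3. The CSV text is constructed in the shape of those exports; the only assumption about the format is that the first three columns are ASN, prefix and max length.

```python
"""Consume the relying parties' VRP exports: normalise Routinator and FORT CSV
output, diff the two caches, and run RFC 6811 origin validation for a route.
Added example, not part of the original post or of either tool; the CSV text
below is constructed in the shape of the two tools' CSV exports."""
import csv
import io
import ipaddress
from collections import namedtuple

VRP = namedtuple("VRP", "asn prefix max_length")

# Constructed samples. Routinator's CSV has a trailing Trust Anchor column,
# FORT's does not; both start with ASN, prefix, max length (assumption for any
# other exporter: the first three columns mean the same thing).
ROUTINATOR_CSV = """ASN,IP Prefix,Max Length,Trust Anchor
AS64496,192.0.2.0/24,24,ripe
AS64496,2001:db8::/32,48,ripe
AS0,198.51.100.0/24,24,apnic
AS64497,203.0.113.0/24,26,arin
"""
FORT_CSV = """ASN,Prefix,Max prefix length
AS64496,192.0.2.0/24,24
AS64496,2001:db8::/32,48
AS0,198.51.100.0/24,24
"""


def load_vrps(text):
    """Parse a CSV export into a set of VRPs; accepts 'AS64496' or '64496'."""
    vrps = set()
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].upper().startswith("ASN"):
            continue  # header or blank line
        asn = int(row[0].upper().lstrip("AS"))
        net = ipaddress.ip_network(row[1].strip(), strict=True)
        maxlen = int(row[2])
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError(f"bad max length in {row}")
        vrps.add(VRP(asn, net, maxlen))
    return vrps


def diff_caches(a, b):
    """VRPs only one RP produced. A stale TAL, a fetch failure or a validation
    disagreement between the two implementations shows up here, before the
    routers see two different tables."""
    return a - b, b - a


def validate(route_prefix, origin_asn, vrps):
    """RFC 6811 route origin validation: 'Valid', 'Invalid' or 'NotFound'."""
    route = ipaddress.ip_network(route_prefix)
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        return "NotFound"
    # One matching VRP is enough. An AS0 VRP never matches a real origin, so it
    # only ever makes a covered route Invalid (RFC 6483 section 4).
    for v in covering:
        if v.asn == origin_asn and origin_asn != 0 and route.prefixlen <= v.max_length:
            return "Valid"
    return "Invalid"


if __name__ == "__main__":
    rt, ft = load_vrps(ROUTINATOR_CSV), load_vrps(FORT_CSV)
    only_rt, only_ft = diff_caches(rt, ft)
    print("only in Routinator:", only_rt)
    print("only in FORT:", only_ft)
    print("192.0.2.128/25 from AS64496:", validate("192.0.2.128/25", 64496, rt))
```

Run it against the real exports by reading the two files instead of the embedded strings. A non-empty diff after both RPs have completed a validation run is worth an alert: the routers poll both caches and merge the tables, so a VRP missing from one cache is silently masked until the other cache fails. Run it against the real exports by reading the two files instead of the embedded strings.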

Technical Concept: The RTR Protocol (RFC 8210)

The RPKI-to-Router (RTR) protocol is the bridge between the RP servers and the Cisco routers. It is a deliberately simple binary protocol: the router never touches X.509 or CMS, it only receives the finished list of Validated ROA Payloads (VRPs) and keeps it in sync. RTR runs over plain TCP, or over SSH or TLS where the transport must be protected; plain TCP is acceptable only on a network path that the routers and RPs control.

  • PDUs (Protocol Data Units): the cache sends the table as IPv4 Prefix and IPv6 Prefix PDUs (plus Router Key PDUs for BGPsec), each carrying a prefix, maximum length, origin ASN and an announce/withdraw flag, framed by a Cache Response PDU at the start and an End of Data PDU at the end.
  • Session ID and serial numbers: the cache holds a 16-bit Session ID and a 32-bit serial that it increments each time validation produces a new table. A Serial Notify tells the router "I am now at serial 500"; the router answers with a Serial Query carrying its own serial 499, and the cache sends only the announces and withdraws between 499 and 500. If the cache cannot supply that delta (restart, changed Session ID, router too many serials behind) it answers with Cache Reset, and the router starts over with a Reset Query for the full table. The End of Data PDU also carries the refresh, retry and expire timers the router must honour.
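To make that exchange concrete, here is a small Python model of RTR version 1, added as an example for this post (it is not Routinator, FORT or Cisco code): it encodes and parses the PDUs with their RFC 8210 wire layout, then plays out the serial-499-to-500 incremental update described above, including the Cache Reset path when the cache cannot replay a delta. Session ID 0x1234, the serials and the VRPs are constructed values.

```python
"""RPKI-to-Router (RTR, RFC 8210 v1) PDU codec plus a simulated cache/router exchange.
Added example, not Routinator or FORT code; serials, session ID and VRPs are constructed."""
import ipaddress
import struct
from collections import namedtuple

RTR_VERSION = 1
SERIAL_QUERY, RESET_QUERY, CACHE_RESPONSE = 1, 2, 3          # PDU types, RFC 8210 section 5
IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA, CACHE_RESET = 4, 6, 7, 8
FLAG_ANNOUNCE = 1                                            # Flags bit 0: 1 announce, 0 withdraw
VRP = namedtuple("VRP", "prefix max_length asn")            # e.g. VRP("192.0.2.0/24", 24, 64496)

def _pdu(ptype, session_id, body):
    # Header: Version(1) Type(1) Session-ID-or-zero(2) Length(4), big-endian;
    # Length counts the 8 header bytes as well.
    return struct.pack("!BBHI", RTR_VERSION, ptype, session_id, 8 + len(body)) + body

def serial_query(sess, serial):
    return _pdu(SERIAL_QUERY, sess, struct.pack("!I", serial))

def prefix_pdu(vrp, announce):
    net = ipaddress.ip_network(vrp.prefix)
    body = struct.pack("!BBBB", FLAG_ANNOUNCE if announce else 0, net.prefixlen, vrp.max_length, 0)
    body += net.network_address.packed + struct.pack("!I", vrp.asn)
    return _pdu(IPV4_PREFIX if net.version == 4 else IPV6_PREFIX, 0, body)

def end_of_data(sess, serial, refresh=3600, retry=600, expire=7200):
    # v1 End of Data also carries the refresh/retry/expire timers the router must honour
    return _pdu(END_OF_DATA, sess, struct.pack("!IIII", serial, refresh, retry, expire))

def parse_pdus(data):
    """Split a byte stream into (type, session_id, body) tuples, rejecting bad lengths."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 8:
            raise ValueError("truncated PDU header")
        ver, ptype, sess, length = struct.unpack_from("!BBHI", data, off)
        if ver != RTR_VERSION or length < 8 or off + length > len(data):
            raise ValueError("bad RTR version or PDU length")
        out.append((ptype, sess, data[off + 8:off + length]))
        off += length
    return out

def decode_prefix(ptype, body):
    alen = 4 if ptype == IPV4_PREFIX else 16
    flags, plen, maxlen, _zero = struct.unpack_from("!BBBB", body)
    asn = struct.unpack_from("!I", body, 4 + alen)[0]
    return VRP(f"{ipaddress.ip_address(body[4:4 + alen])}/{plen}", maxlen, asn), bool(flags & FLAG_ANNOUNCE)

class Cache:
    """Toy RP: current VRP set plus the per-serial deltas it can still replay."""
    def __init__(self, sess, serial, vrps):
        self.sess, self.serial, self.vrps, self.deltas = sess, serial, set(vrps), {}

    def publish(self, announce=(), withdraw=()):
        self.serial += 1                              # RFC 1982 wrap-around ignored here
        self.vrps = (self.vrps | set(announce)) - set(withdraw)
        self.deltas[self.serial] = [(v, True) for v in announce] + [(v, False) for v in withdraw]

    def handle(self, query):
        (ptype, sess, body), = parse_pdus(query)
        if ptype == RESET_QUERY:                      # router has no state: send the full table
            changes = [(v, True) for v in sorted(self.vrps)]
        else:                                         # Serial Query: only the deltas it lacks
            needed = range(struct.unpack("!I", body)[0] + 1, self.serial + 1)
            if sess != self.sess or any(s not in self.deltas for s in needed):
                return _pdu(CACHE_RESET, 0, b"")      # cannot replay: router must resync
            changes = [c for s in needed for c in self.deltas[s]]
        return (_pdu(CACHE_RESPONSE, self.sess, b"") + b"".join(prefix_pdu(v, a) for v, a in changes)
                + end_of_data(self.sess, self.serial))

class Router:
    """Toy router: remembers session ID and serial, applies announces and withdraws."""
    def __init__(self):
        self.sess, self.serial, self.vrps = None, None, set()

    def query(self):
        return _pdu(RESET_QUERY, 0, b"") if self.sess is None else serial_query(self.sess, self.serial)

    def apply(self, stream):
        pdus = parse_pdus(stream)
        if pdus[0][0] == CACHE_RESET:
            self.sess = None                          # next query() is a Reset Query
            return "reset"
        if pdus[0][0] != CACHE_RESPONSE or pdus[-1][0] != END_OF_DATA:
            raise ValueError("malformed cache response")
        if self.sess is not None and pdus[0][1] != self.sess:
            raise ValueError("session ID changed: drop cached VRPs and resync")
        for ptype, _, body in pdus[1:-1]:
            vrp, announce = decode_prefix(ptype, body)
            (self.vrps.add if announce else self.vrps.discard)(vrp)
        self.sess, self.serial = pdus[0][1], struct.unpack_from("!I", pdus[-1][2])[0]
        return "ok"

def demo():
    """Router syncs from scratch at serial 499, then pulls only the 499 -> 500 delta."""
    cache = Cache(0x1234, 499, [VRP("192.0.2.0/24", 24, 64496), VRP("2001:db8::/32", 48, 64496)])
    rtr = Router()
    rtr.apply(cache.handle(rtr.query()))              # Reset Query -> full table, serial 499
    cache.publish(announce=[VRP("198.51.100.0/24", 24, 64497)], withdraw=[VRP("2001:db8::/32", 48, 64496)])
    rtr.apply(cache.handle(rtr.query()))              # Serial Query(499) -> two PDUs, serial 500
    return rtr

if __name__ == "__main__":
    print(f"serial {demo().serial}: {sorted(demo().vrps)}")
```

The length checks in parse_pdus are the part to keep in mind when reading RP or router code: every PDU declares its own length, and an implementation that trusts that field without checking it against the bytes actually received is the classic way a malformed peer takes down an RTR endpoint. A real cache also has to keep the Serial Notify side and the SSH/TLS transport, which this model leaves out.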

Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Cybersecurity Competence Centre. Neither the European Union nor the granting authority can be held responsible for them.
