What is RPKI?

RPKI (Resource Public Key Infrastructure) is well explained by APNIC here.

In the past, BKNIX provided the validated cache (ROA objects) using the RPKI Relying Party (RP) software rcynic, which is part of the 'rpki.net' RPKI toolkit.
Currently, BKNIX aims to run more than one RP software on multiple hosts for diversity and redundancy.
Rcynic was replaced by Routinator. GoRTR and the RIPE Validator have also been run alongside it on different ports, as have StayRTR and FORT Validator.

BGP speakers retrieve the validated data (VRPs: prefix, maximum length, origin AS) over the 'rpki-rtr' protocol described in [RFC6810] (protocol version 0; RFC 8210 defines version 1).
Note that the sessions configured below run over plain TCP on port 323 and are neither encrypted nor authenticated, so the path between your router and the cache must be one you trust.
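The rpki-rtr exchange described above, as an added example that is not BKNIX's code or any vendor's: the router sends a Reset Query, the cache answers with a Cache Response, one Prefix PDU per VRP and an End of Data PDU. The host rpki.bknix.co.th and port 323 are taken from this page; the sample cache response is constructed here from RFC 5737/3849/5398 documentation prefixes and ASNs, not captured from BKNIX.

```python
"""Minimal rpki-rtr (RFC 6810, protocol version 0) client-side codec.
Added example, not BKNIX's or any vendor's code.  The sample stream below is
constructed from documentation values, not captured from a BKNIX cache."""
import ipaddress
import socket
import struct

RTR_VERSION = 0                      # RFC 6810; RFC 8210 (v1) keeps these PDU layouts
RESET_QUERY, CACHE_RESPONSE, IPV4_PREFIX, IPV6_PREFIX = 2, 3, 4, 6
END_OF_DATA, ERROR_REPORT = 7, 10
FLAG_ANNOUNCE = 1                    # flags bit 0: 1 = announce VRP, 0 = withdraw VRP


def pdu_header(pdu_type, hdr16, body_len):
    # Common 8-byte header: version, type, session-id or error-code, total length
    return struct.pack("!BBHI", RTR_VERSION, pdu_type, hdr16, 8 + body_len)


def reset_query():
    return pdu_header(RESET_QUERY, 0, 0)     # router -> cache: "send me everything"


def prefix_pdu(announce, prefix, maxlen, asn):
    # Cache-side encoder, only needed here to build the constructed sample
    net = ipaddress.ip_network(prefix)
    ptype = IPV4_PREFIX if net.version == 4 else IPV6_PREFIX
    body = struct.pack("!BBBB", FLAG_ANNOUNCE if announce else 0, net.prefixlen, maxlen, 0)
    body += net.network_address.packed + struct.pack("!I", asn)
    return pdu_header(ptype, 0, len(body)) + body


def end_of_data(session_id, serial):
    return pdu_header(END_OF_DATA, session_id, 4) + struct.pack("!I", serial)


def parse_pdus(buf):
    """Decode every complete PDU in buf -> (list of (type, fields), bytes consumed)."""
    pdus, off = [], 0
    while len(buf) - off >= 8:
        ver, ptype, hdr16, length = struct.unpack_from("!BBHI", buf, off)
        if ver != RTR_VERSION or length < 8:
            raise ValueError(f"bad PDU header: version={ver} length={length}")
        if off + length > len(buf):
            break                              # partial PDU: caller reads more bytes
        body = buf[off + 8:off + length]
        if ptype in (IPV4_PREFIX, IPV6_PREFIX):
            alen = 4 if ptype == IPV4_PREFIX else 16   # struct.error if the body is malformed
            flags, plen, maxlen, _zero, addr, asn = struct.unpack(f"!BBBB{alen}sI", body)
            net = ipaddress.ip_network(f"{ipaddress.ip_address(addr)}/{plen}", strict=False)
            pdus.append((ptype, {"announce": bool(flags & FLAG_ANNOUNCE),
                                 "prefix": net, "maxlen": maxlen, "asn": asn}))
        elif ptype == END_OF_DATA:
            serial = struct.unpack_from("!I", body)[0]
            pdus.append((ptype, {"session_id": hdr16, "serial": serial}))
        elif ptype == ERROR_REPORT:
            enc_len = struct.unpack_from("!I", body)[0]        # length of encapsulated PDU
            txt_len = struct.unpack_from("!I", body, 4 + enc_len)[0]
            text = body[8 + enc_len:8 + enc_len + txt_len].decode("utf-8", "replace")
            pdus.append((ptype, {"code": hdr16, "text": text}))
        else:                                  # Cache Response etc.: header only
            pdus.append((ptype, {"session_id": hdr16}))
        off += length
    return pdus, off


def apply_pdus(vrps, pdus):
    """Apply announce/withdraw prefix PDUs to a set of (prefix, maxlen, asn) VRPs."""
    for ptype, f in pdus:
        if ptype in (IPV4_PREFIX, IPV6_PREFIX):
            key = (f["prefix"], f["maxlen"], f["asn"])
            if f["announce"]:
                vrps.add(key)
            else:
                vrps.discard(key)
    return vrps


def fetch_vrps(host="rpki.bknix.co.th", port=323, timeout=15):
    """Live query. Plain TCP: nothing on this session is encrypted or authenticated."""
    vrps, buf = set(), b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(reset_query())
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                raise ConnectionError("cache closed the session before End of Data")
            buf += chunk
            pdus, used = parse_pdus(buf)
            buf = buf[used:]
            apply_pdus(vrps, pdus)
            for ptype, f in pdus:
                if ptype == ERROR_REPORT:
                    raise RuntimeError(f"Error Report code {f['code']}: {f['text']}")
                if ptype == END_OF_DATA:
                    return vrps, f["serial"]


# Constructed sample cache response (not from BKNIX): session 0x1234, serial 42
SAMPLE_STREAM = (pdu_header(CACHE_RESPONSE, 0x1234, 0)
                 + prefix_pdu(True, "192.0.2.0/24", 24, 64496)
                 + prefix_pdu(True, "2001:db8::/32", 48, 64496)
                 + end_of_data(0x1234, 42))


def sample_vrps():
    pdus, used = parse_pdus(SAMPLE_STREAM)
    assert used == len(SAMPLE_STREAM) and pdus[-1][0] == END_OF_DATA
    return apply_pdus(set(), pdus), pdus[-1][1]["serial"]


if __name__ == "__main__":
    for prefix, maxlen, asn in sorted(sample_vrps()[0], key=str):
        print(f"{prefix}-{maxlen} AS{asn}")
```

Run it as-is to decode the constructed stream; call `fetch_vrps()` to do the same against the real cache. Because nothing in the session is authenticated, anything on the path that can inject TCP segments can feed the router a different VRP set, which is why the cache addresses are reached over the exchange fabric rather than the open Internet.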

Statistics
The statistics page can be found here.

Config guide
Nokia (Alcatel-Lucent)
SR OS C-12.0.R6
configure
    router
        origin-validation
            rpki-session 203.159.70.26
                port 323
                description "BKNIX (rpki.bknix.co.th)"
                no shutdown
            exit
            rpki-session 2001:deb:0:4070::26
                port 323
                description "BKNIX (rpki.bknix.co.th)"
                no shutdown
            exit
            rpki-session 203.159.70.36
                port 323
                description "BKNIX (rpki.bknix.net)"
                no shutdown
            exit
            rpki-session 2001:deb:0:4070::36
                port 323
                description "BKNIX (rpki.bknix.net)"
                no shutdown
            exit
        exit
    exit
exit
The configuration above only establishes the rpki-rtr sessions to BKNIX's validated caches; the router does not yet act on the VRPs it receives.
Origin validation is then enabled per peer or per peer group, and routes with an invalid state can additionally be made unusable in best-path selection:
configure
    router
        bgp
            best-path-selection
                origin-invalid-unusable    # routes whose origin validation state is invalid take no part in best-path selection ("no origin-invalid-unusable" keeps them usable)
            exit
            group "Peer AS"
                enable-origin-validation ipv4 ipv6    # run origin validation for the IPv4 and IPv6 families of this group
            exit
        exit
    exit
exit

Cisco (IOS-XE)
IOS XE 3.5.0 / IOS 15.1(3) or later
The rpki-rtr sessions are transported over IPv4 here; the VRPs they carry cover both address families, so IPv6 routes are validated from the same caches. Prefix validation is on by default in IOS XE; the two "no" forms restore the defaults in case they were changed earlier.
router bgp <your AS>
 bgp rpki server tcp 203.159.70.26 port 323 refresh 60
 bgp rpki server tcp 203.159.70.36 port 323 refresh 60
 !
 address-family ipv4
  ! enable the origin validation process
  no bgp bestpath prefix-validate disable
  ! do not let invalid routes take part in best-path selection
  no bgp bestpath prefix-validate allow-invalid
 exit-address-family
 !
 address-family ipv6
  no bgp bestpath prefix-validate disable
  no bgp bestpath prefix-validate allow-invalid
 exit-address-family
!

Juniper (JUNOS)
Release 12.2 or later
routing-options {
  validation {
    group RPKI {
      session 203.159.70.26 {
        refresh-time 60;
        port 323;
      }
      session 203.159.70.36 {
        refresh-time 60;
        port 323;
      }
    }
  }
}
Create your own import policy to handle received routes according to their validation state. The three terms below cover the three states (valid, unknown, invalid); the trailing reject is a safety net for anything that matches none of them.
policy-options {
  policy-statement BKNIX-RS-v4-IN {
    term valid {
      from {
        protocol bgp;
        validation-database valid;
      }
      then {
        validation-state valid;
        accept;
      }
    }
    term not-found {
      from {
        protocol bgp;
        validation-database unknown;
      }
      then {
        validation-state unknown;
        accept;
      }
    }
    term invalid {
      from {
        protocol bgp;
        validation-database invalid;
      }
      then {
        validation-state invalid;
        reject;        /* to accept invalid routes instead, use accept; */
      }
    }
    then reject;
  }
}
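The three validation states the policy terms match on, computed the way RFC 6811 defines them, as an added example that is not from this page or any vendor. It also shows the import decision each term makes, including the "accept invalid" variant that the comment in the invalid term (and Cisco's "allow-invalid") refers to. The VRPs and routes are constructed from RFC 5737/3849/5398 documentation values, not taken from BKNIX's cache.

```python
"""RFC 6811 origin validation and the resulting import decision.
Added example, not the page's or any vendor's code; all VRPs and routes are
constructed from documentation prefixes and ASNs."""
import ipaddress

# Constructed VRPs: (prefix, max length, origin AS)
VRPS = [
    (ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    (ipaddress.ip_network("2001:db8::/32"), 48, 64496),
    (ipaddress.ip_network("198.51.100.0/24"), 24, 0),   # AS 0: no AS may originate this
]


def origin_validation(route, origin_asn, vrps=VRPS):
    """RFC 6811 section 2. Returns the Junos state names: valid / unknown / invalid
    (the RFC calls the middle one NotFound)."""
    net = ipaddress.ip_network(route)
    # A VRP covers the route when the route lies within the VRP prefix (same family)
    covering = [(m, a) for p, m, a in vrps if p.version == net.version and net.subnet_of(p)]
    if not covering:
        return "unknown"
    # Valid needs one covering VRP with the same origin AS whose max length the route respects
    if any(a == origin_asn and net.prefixlen <= m for m, a in covering):
        return "valid"
    return "invalid"          # covered, but wrong AS or more specific than the max length


def import_decision(route, origin_asn, allow_invalid=False, vrps=VRPS):
    """Mirror the policy terms: valid and unknown are accepted; invalid is rejected
    unless allow_invalid is set (the 'use accept; instead' variant)."""
    state = origin_validation(route, origin_asn, vrps)
    return state, (state != "invalid" or allow_invalid)


if __name__ == "__main__":
    for route, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                       ("192.0.2.0/24", 64497), ("2001:db8:1::/48", 64496),
                       ("203.0.113.0/24", 64496), ("198.51.100.0/24", 64496)]:
        state, accept = import_decision(route, asn)
        print(f"{route:<18} AS{asn} {state:<8} {'accept' if accept else 'reject'}")
```

Two cases are worth noticing: a route that is more specific than the VRP's max length (192.0.2.0/25 against a /24-24 VRP) is invalid, not unknown, because the VRP still covers it; and an AS 0 VRP makes every route for that prefix invalid, since no origin AS can match it.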
...
Then apply the policies to the route-server sessions. The IPv6 counterpart BKNIX-RS-v6-IN is referenced below but not shown on this page; it must be defined alongside the IPv4 policy.
protocols {
  bgp {
    group BKNIX-RS {
      neighbor 203.159.68.68 {
        import BKNIX-RS-v4-IN;
      }
      neighbor 203.159.68.69 {
        import BKNIX-RS-v4-IN;
      }
      neighbor 2001:deb:0:68::68 {
        import BKNIX-RS-v6-IN;
      }
      neighbor 2001:deb:0:68::69 {
        import BKNIX-RS-v6-IN;
      }
    }
  }
}
