RPKI (Resource Public Key Infrastructure) is mainly used in networks that have an RPKI server and need to verify whether the origin of BGP routes is correct. By validating whether the BGP routes received from neighbours are legitimate, it controls the route-selection result and thereby ensures that hosts inside the domain can safely reach external services. On the client side you need to configure the basic RPKI session information and enable the BGP route-origin AS validation result to influence BGP route selection; only then is the client-side RPKI configuration complete.
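The origin-validation behaviour described above, as an added example that is not part of the original post: it decodes the RPKI-to-Router (RTR, RFC 6810) PDUs that a validator like this one serves to routers, turns them into validated ROA payloads (VRPs), and applies RFC 6811 route origin validation to sample BGP routes. The PDU bytes, prefixes and AS numbers below are constructed for the demonstration, not captured from the validator.

```python
import ipaddress
import struct

# RTR (RFC 6810, protocol version 0) PDU types used in this example
CACHE_RESPONSE, IPV4_PREFIX, END_OF_DATA = 3, 4, 7

def pdu(ptype, body=b"", session=0):
    """Frame one RTR PDU: version, type, session id, total length, then the body."""
    return struct.pack("!BBHI", 0, ptype, session, 8 + len(body)) + body

def parse_pdus(data):
    """Decode a PDU stream into (vrps, serial); each VRP is (network, maxlen, asn)."""
    vrps, serial, off = [], None, 0
    while off < len(data):
        version, ptype, _sess, length = struct.unpack_from("!BBHI", data, off)
        if version != 0 or length < 8 or off + length > len(data):
            raise ValueError("malformed RTR PDU at offset %d" % off)
        body = data[off + 8:off + length]
        if ptype == IPV4_PREFIX:
            flags, plen, maxlen, _zero, addr, asn = struct.unpack("!BBBB4sI", body)
            net = ipaddress.ip_network("%s/%d" % (ipaddress.IPv4Address(addr), plen))
            if flags & 1:  # flags bit 0: 1 = announce, 0 = withdraw
                vrps.append((net, maxlen, asn))
            elif (net, maxlen, asn) in vrps:
                vrps.remove((net, maxlen, asn))
        elif ptype == END_OF_DATA:
            serial = struct.unpack("!I", body[:4])[0]  # serial the router keeps for later updates
        off += length
    return vrps, serial

def validate_origin(vrps, route, origin_as):
    """RFC 6811 origin validation of one BGP route: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(route)
    covering = [(m, a) for v, m, a in vrps if v.version == net.version and net.subnet_of(v)]
    if not covering:
        return "notfound"
    if any(a == origin_as and net.prefixlen <= m for m, a in covering):
        return "valid"
    return "invalid"

# Constructed sample stream (not real validator output): Cache Response, two ROAs, End of Data
SAMPLE_STREAM = (
    pdu(CACHE_RESPONSE, session=1)
    + pdu(IPV4_PREFIX, struct.pack("!BBBB4sI", 1, 24, 24, 0, ipaddress.IPv4Address("192.0.2.0").packed, 64496))
    + pdu(IPV4_PREFIX, struct.pack("!BBBB4sI", 1, 24, 26, 0, ipaddress.IPv4Address("198.51.100.0").packed, 64497))
    + pdu(END_OF_DATA, struct.pack("!I", 42), session=1)
)
```

A route whose prefix is covered by a VRP but is announced by another AS, or is more specific than the VRP's maximum length, comes out "invalid"; a prefix no ROA covers is "notfound", which a router normally still accepts.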
Installing the RPKI server:
1. Environment: a server running a UNIX-like OS with at least 2 GB of RAM, Java 8 or 9 installed, and rsync enabled
2. Download the installation package: <link>
3. Extract the archive
[root@i-uiiyw0xz tmp]# tar zxvf rpki-validator-app-2.23-dist.tar.gz
4. Run the startup script
[root@i-uiiyw0xz rpki-validator-app-2.23]# ./rpki-validator.sh start
[ warn ] JAVA_HOME is not set, will try to find java on path.
[ info ] Starting rpki-validator...
[ info ] writing logs under log directory
[ info ] Web user interface is available on port 8080
[ info ] Routers can connect on port 8282
[ info ] Writing PID 7688 to validator.pid
[root@i-uiiyw0xz rpki-validator-app-2.23]# echo $?
0
5. Check that the process is running and listening
[root@i-uiiyw0xz rpki-validator-app-2.23]# ps aux | grep 7688
root 7688 32.8 26.5 4206136 1041544 pts/1 Sl 13:42 1:37 /usr/bin/java -Dapp.name=rpki-validator -Dconfig.file=conf/rpki-validator.conf -Xms512m -Xmx1536m -Dapp.name=rpki-validator -Dconfig.file=conf/rpki-validator.conf -classpath :lib/* net.ripe.rpki.validator.config.Main
root 8034 0.0 0.0 103244 848 pts/1 S+ 13:47 0:00 grep 7688
[root@i-uiiyw0xz rpki-validator-app-2.23]# netstat -lnpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 963/sshd
tcp 0 0 :::8080 :::* LISTEN 7688/java
tcp 0 0 :::22 :::* LISTEN 963/sshd
6. Open the web interface
Local verification:
[root@i-uiiyw0xz rpki-validator-app-2.23]# curl http://localhost:8080 -I
HTTP/1.1 200 OK
Date: Wed, 16 Aug 2017 01:45:50 GMT
Set-Cookie: JSESSIONID=4ek3wa1gmbtkmrrrmlgjk2e0;Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 13977
Server: Jetty(9.2.17.v20160517)
Remote verification:
This article was reposted from Grodd's 51CTO blog; original link: http://blog.51cto.com/juispan/1952658. To republish it, please contact the original author.