Setting up RPKI READ

Deploying the RPKI READ monitoring system is straightforward: you can run the backend and frontend on a single server or separately on distinct nodes (plus a node for the database, if you want). We recommend using virtualenv with Python and installing the required libraries with pip inside that environment, so that your system's Python installation stays untouched.

Preliminaries

This software is being developed and tested on Debian Linux 8 (Jessie).

On Debian the following packages can be installed via apt-get or aptitude:

  • libxml2-dev, needed by python for xml parsing and bgpmon
  • python-dev, needed to build and install python libraries via pip
  • python-pip, a package manager for python
  • python-virtualenv, run python code in a change-root like environment

Additional, but optional:

  • screen, terminal/shell multiplexer
  • vim, the editor

Install shortcut:

# apt-get install libxml2-dev python-dev python-pip python-virtualenv
# apt-get install screen vim

On other Linux distributions, search for the equivalent packages in their package manager.

Backend

The RPKI READ backend consists of 3 components:

  1. the parser, to extract prefix-to-origin relations from an XML BGP update stream
  2. the validator, to validate prefix to origin AS relations against an RPKI cache
  3. the database, to store latest validation results

Each of these components is implemented as a standalone Python tool, i.e., they run on their own and are interchangeable. They behave like common UNIX tools, i.e., they read input from STDIN and write to STDOUT where feasible. Thus, the complete RPKI READ backend basically consists of running these 3 tools in a chain.

The validation results are stored in a database; RPKI READ currently uses MongoDB. This database is also used by the web frontend to display validation results and statistics.
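
The following is an added example, not code from RPKI READ: a sketch of what a validator stage in such a STDIN-to-STDOUT chain does, classifying each prefix/origin pair as valid, invalid or notfound following RFC 6811. Assumptions: the JSON-lines message format with the keys prefix, origin_as and validity is hypothetical, a small constructed list of ROA payloads (VRPs) stands in for the RPKI cache, and the standard-library ipaddress module (Python 3) is used instead of netaddr.

```python
import ipaddress
import json
import sys

# Constructed sample VRPs (prefix, maxLength, origin AS) standing in for an
# RPKI cache; documentation prefixes and private-use AS numbers only.
SAMPLE_VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64501),
]


def validate_origin(prefix, origin_as, vrps):
    """Return 'valid', 'invalid' or 'notfound' for one route (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True  # at least one VRP covers this prefix
        # AS 0 never matches; the announcement must not exceed maxLength.
        if vrp_as != 0 and vrp_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"


def validator_stage(lines, vrps):
    """Filter stage: one JSON object per input line, annotated on output."""
    for line in lines:
        if not line.strip():
            continue
        try:
            msg = json.loads(line)
            msg["validity"] = validate_origin(
                msg["prefix"], int(msg["origin_as"]), vrps)
        except (ValueError, KeyError, TypeError) as err:
            # Report and skip: bad input must not stop a long-running stage.
            print("skipped line: %s" % err, file=sys.stderr)
            continue
        yield json.dumps(msg, sort_keys=True)


if __name__ == "__main__":
    for out in validator_stage(sys.stdin, SAMPLE_VRPS):
        print(out, flush=True)  # flush so the next tool sees results at once
```

A more specific announcement than a ROA's maxLength allows is reported as invalid even when the origin AS matches, which is the case a monitoring view most needs to distinguish from notfound.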

requirements

The backend mostly uses standard Python libraries; however, to parse IP prefixes and addresses we use netaddr, and for the MongoDB database RPKI READ requires pymongo.

Besides that, you need access to a BGPmon instance to receive its BGP update stream. You will also need the URL of an RPKI cache for the validation procedure.

If you want to install and set up your own BGPmon instance, see below for further details.

run

For the backend process, run the following command chain, replacing the respective addresses and ports as needed:

python bgpmonUpdateParser.py -a <bgpmon-addr> -p <bgpmon-port> | \
python validator.py -a <rpki-cache-addr> -p <rpki-cache-port> | \
python dbHandler.py -m <mongodb-URI>

A mongodb-URI looks something like mongodb://<host>:<port>/<dbname>. To configure the backend, have a look at the settings.

The 'bgpmonUpdateParser' can also read the RIB XML stream of a bgpmon instance first, before it starts to parse the BGP update stream. This way you fill the database with all currently known IP prefixes and their origin AS, including validation. To activate and use this feature, specify the RIB XML stream port using the additional '-r ' parameter.

Frontend

The RPKI READ monitoring frontend provides a web GUI to view validation stats and results of currently announced IP prefixes and the respective origin AS.

requirements

The frontend uses Flask for all the web stuff, netaddr to parse IP prefixes and addresses, and pymongo for the database connection. Besides that you need access to the database of the RPKI READ backend, i.e., its URI and authentication params (if required).

run

To initialize the frontend, check its configuration parameters in config.py, then run:

python webfrontend.py

The web frontend runs on 'localhost:5000'; you may alter the port or set up a web proxy (e.g. 'nginx') to redirect traffic.

Apache and Systemd integration

For a production deployment we recommend integrating RPKI READ with Apache instead of using the Python standalone webserver described in the previous section. The RPKI READ backend will run as a Systemd service daemon; we provide the necessary scripts as well.

In the following we describe the Apache integration, assuming the steps above have already been completed. First install Apache and its WSGI module (mod_wsgi) via the package manager of your Linux OS, e.g., apt or yum. Afterwards proceed as follows:

  1. Edit src/rpki-read.wsgi and replace the </path/to/rpki-read> according to your deployment.
  2. Copy etc/httpd/conf.d/rpki_read_wsgi.conf to the Apache config directory, e.g., /etc/httpd/conf.d/. And again replace </path/to/rpki-read> according to your deployment.
  3. Modify src/settings.py as required as well, if not already done.
  4. Set the absolute path to README.md in src/app/views.py (line 44).
  5. Modify src/app/config.py if required, e.g., match database connection.
  6. Copy Systemd config for RPKI READ backend etc/systemd/system/rpki-read.service to /etc/systemd/system
  7. Modify /etc/systemd/system/rpki-read.service and replace </path/to/rpki-read>.
  8. Enable RPKI READ service:
     # systemctl daemon-reload
     # systemctl enable rpki-read.service
     # systemctl start rpki-read.service
  9. Reload Apache:
     # systemctl reload httpd

BGPmon

At the moment bgpmon cannot be found in standard package repos. So you need to compile and install it from scratch. Its source code can be downloaded here.

Compile with ./configure && make, optionally followed by sudo make install.

Note: there is a bug in bgpmon-7.4 causing segfaults when connecting to multiple BGP peers, but luckily we provide a patch for that. Apply the patch as follows:

$ cd /path/to/bgpmon-7.4-source
$ patch -p1 < /path/to/rpki-read/src/bgpmon/createSessionStruct.patch
$ ./configure
$ make
$ sudo make install

A configuration example for BGPmon is provided in bgpmon_config.txt.