BGP Origin AS Validation – IOS XE 3.5S
Just yesterday IOS XE 3.5S for ASR1000 platform has been released. One of the new features introduced for ASR1000 platform is Origin AS Validation for BGP protocol. This feature helps prevent operators from inadvertently advertising routes to networks they do not control using RPKI server to authenticate that certain BGP prefixes.
RPKI (Resource Public Key Infrastructure) server acts as point of authentication that certain prefixes are allowed to originate from particular autonomous systems. Router downloads list of prefixes or prefix ranges from RPKI servers and stores it as SVOC record. When router receive prefix from eBGP neighbor it initially places it in Not Found state and examine it against SVOC table. If prefix does not exist in SVOC table it remains in Not Found state and is installed in the BGP routing table and will only be flagged as a bestpath or considered as a candidate for multipath if there is no Valid alternative. Standard BGP best path selection algorithm still occurs.
Received prefix can also be marked as Valid or Invalid. In first case prefix must be found in SVOC table and Origin AS must match, then prefix is installed in the BGP routing table. If prefix is found in SVOC table but either the corresponding Origin AS received from the eBGP peer is not the AS that appears in the SOVC table or the prefix length does not match then prefix is marked as Invalid and is not advertised to any peer nor be flagged as best path.
Validation state can by optionally be announced to iBGP peers using extended community attribute. This attribute is never send to eBGP peers.
The only configuration required is enabling TCP session to RPKI servers
router bgp 65100 bgp rpki server tcp 10.0.0.1 port 35000 refresh 600