howto/vyos.md
... ...
@@ -61,6 +61,35 @@ _Your peers ASN_
61 61
62 62
`show ip bgp summary`
63 63
64
+##RPKI/ROA Checking
65
+###Setup RPKI Caching Server
66
+Burble has made this super easy. More info can be found [here](https://wiki.dn42/ROA-slash-RPKI) on this wiki. Get started by running the below command on a Linux server with Docker installed.
67
+
68
+`sudo docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082`
69
+
70
+This will start a docker container that listens on the host server's IP at port 8082. This setup is using Cloudflare's GoRTR and automatically reaching out and downloading a custom JSON file generated by Burble just for the DN42 network.
71
+
72
+###Point VyOS Router at RPKI Caching Server
73
+`set protocols rpki cache GoRTR address x.x.x.x`
74
+
75
+`set protocols rpki cache GoRTR port 8082`
76
+
77
+You can check the connection with `show rpki cache-connection` and the received prefix-table with `show rpki prefix-table`.
78
+
79
+###Create Route Map
80
+```
81
+set policy route-map DN42-ROA rule 10 action 'permit'
82
+set policy route-map DN42-ROA rule 10 match rpki 'valid'
83
+set policy route-map DN42-ROA rule 20 action 'permit'
84
+set policy route-map DN42-ROA rule 20 match rpki 'notfound'
85
+set policy route-map DN42-ROA rule 30 action 'deny'
86
+set policy route-map DN42-ROA rule 30 match rpki 'invalid'
87
+```
88
+This example allows all routes in unless they are marked invalid or in other words possibly been a victim of BGP hijacking.
89
+###Assign Route Map to Neighbor
90
+`set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map import DN42-ROA`
91
+`set protocols bgp 424242XXXX neighbor x.x.x.x address-family ipv4-unicast route-map export DN42-ROA`
92
+
64 93
65 94
####Coming Soon
66 95
- Recommended firewall configuration
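Review bot: the route-map is only attached under `address-family ipv4-unicast` in the "Assign Route Map to Neighbor" step, so IPv6 announcements from the peer are never checked against the ROA table even though the cache is loaded from `dn42_roa_46.json`, which covers both families; add the matching `address-family ipv6-unicast route-map import DN42-ROA` line or say that IPv6 is out of scope. Two smaller points in the same hunk: the `docker run` line passes `-verify=false -checktime=false`, which switches off gortr's checks on the downloaded ROA file, so the router ends up trusting whatever that URL serves, and the text should say why that trade-off is acceptable here; and `-bind :8082` with `-p 8082:8082` exposes the RTR cache on every host interface with no authentication, so it is worth pointing readers at binding to an internal address or firewalling the port to the routers that need it. Finally, applying the same RPKI-matching map as `route-map export` is not explained; if the intent is only to filter inbound, the export line can be dropped, otherwise a sentence on what it is meant to block would help.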