RouterOS implements the Resource Public Key Infrastructure (RPKI) to Router Protocol (RTR) defined in RFC 8210. RTR is a lightweight, low-memory-footprint protocol used to reliably obtain prefix validation data (validated ROA payloads) from RPKI validators, so the router itself never has to fetch or cryptographically verify the RPKI repositories.
More information on RPKI and how to set up validators can be found in the RIPE blog:
Consider an RTR server on our own network with the IP address 192.168.1.1. Once the connection is established and the database from the validator has been received, the validity of a prefix can be checked against the cached data.
The cached database can then be used by routing filters to accept or reject prefixes based on their RPKI validity. First, a filter rule must specify which RPKI group the verification is performed against; after that, subsequent filter rules can match the status from the RPKI database. The status has one of three values: valid (a covering ROA authorizes the origin AS and prefix length), invalid (a covering ROA exists but the origin AS or the prefix length does not match), or unknown (no covering ROA exists).
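The whole procedure (defining RTR sources, verifying that data was received, checking a prefix, and filtering on the result) as an added example in RouterOS v7 CLI syntax. This is not the page's own configuration: the group name myRpkiGroup, the second validator at 192.168.1.2, port 8282 (instead of the page's default 323), the filter chain name bgp_in and the test prefix 192.0.2.0/24 with origin AS64496 are all assumptions chosen for illustration.

```routeros
# Added example, not from the RouterOS documentation. Assumed: group name
# "myRpkiGroup", validators at 192.168.1.1 (primary) and 192.168.1.2 (backup)
# listening on port 8282, filter chain "bgp_in", and the documentation prefix
# 192.0.2.0/24 with AS64496 as a constructed test input.

# 1. RTR sources. Both belong to the same group; the lower preference value is
#    preferred, so 192.168.1.2 is only used while 192.168.1.1 is unreachable.
#    Intervals are in seconds: poll every 10 min, retry a failed poll after
#    1 min, and keep the last good data for 4 h without an update.
/routing/rpki
add group=myRpkiGroup address=192.168.1.1 port=8282 preference=10 refresh-interval=600 retry-interval=60 expire-interval=14400
add group=myRpkiGroup address=192.168.1.2 port=8282 preference=20 refresh-interval=600 retry-interval=60 expire-interval=14400

# 2. Confirm the sessions are up and a database has been received.
/routing/rpki/print detail

# 3. Check one prefix/origin pair against the cached database.
#    The result is one of: valid, invalid, unknown.
/routing/rpki/check group=myRpkiGroup prefix=192.0.2.0/24 origin-as=64496

# 4. Routing filter: select the group first, then match on the status.
#    The "rpki-verify" rule must come before any "if (rpki ...)" rule in the chain.
/routing/filter/rule
add chain=bgp_in rule="rpki-verify myRpkiGroup"
add chain=bgp_in rule="if (rpki invalid) { reject }"
add chain=bgp_in rule="if (rpki valid) { accept }"
add chain=bgp_in rule="if (rpki unknown) { accept }"
```

The chain only takes effect once it is referenced from a BGP session (for example `input.filter=bgp_in` on the connection in `/routing/bgp/connection`). Two points a practitioner should keep in mind: a prefix is treated as unknown, not invalid, when no covering ROA exists, so the explicit accept for unknown above is the usual "reject only what is provably wrong" policy; and once expire-interval elapses without a successful refresh the cached data is discarded, after which every prefix matches unknown and a filter that only rejects invalid falls open. Size expire-interval to cover the longest validator outage you are willing to tolerate, and use a second RTR source with a higher preference value rather than relying on a single validator.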
| Property | Description |
|---|---|
| address (IPv4/IPv6; mandatory) | Address of the RTR server. |
| disabled (yes or no; Default: no) | Whether the item is ignored. |
| expire-interval (integer [600..172800]; Default: 7200) | Time interval [s] for which polled data is considered valid in the absence of a valid subsequent update from the validator. |
| group (string; mandatory) | Name of the group the database is assigned to. |
| port (integer [0..65535]; Default: 323) | Connection port number. |
| preference (integer [0..4294967295]; Default: 0) | When there are multiple RTR sources, the preference number indicates which one is preferred; a lower number is more preferred. |
| refresh-interval (integer [1..86400]; Default: 3600) | Time interval [s] at which the newest data is polled from the validator. |
| retry-interval (integer [1..7200]; Default: 600) | Time interval [s] to wait before retrying after a failed data poll from the validator. |
| vrf (name; Default: main) | Name of the VRF table the connection is bound to. |