Overview

RouterOS implements the Resource Public Key Infrastructure (RPKI) to Router Protocol defined in RFC8210. RTR is a very light weight low memory footprint protocol, to reliably get prefix validation data from RPKI validators.
More information on RPKI and how to set up validators can be found in the RIPE blog:
https://blog.apnic.net/2019/10/28/how-to-installing-an-rpki-validator/

Basic Example

Let's consider that we have our own RTR server on our network with IP address 192.168.1.1:

/routing/bgp/rpki
add group=myRpkiGroup address=192.168.1.1 port=8282 refresh-interval=20

If connection is established and database from the validator is received, we can check prefix validity:

[admin@rack1_b33_CCR1036] /routing> rpki-check group=myRpkiGroup prfx=70.132.18.0/24 origin-as=16509
    valid

Now cached database can be used by routing filters to accept/reject prefixes based on RPKI validity. At first we need to set up filter rule which defines against which RPKI group perform the verification. After that filters are ready to match status from RPKI database. Status, can have one of three values:

• valid - database has a record and origin AS is valid.
• invalid - database has a record and origin AS is invalid.
• unknown - database does not have information of prefix and origin AS.

/routing/filter/rule
add chain=bgp_in rule={ rpki-verify=myRpkiGroup }
add chain=bgp_in rule={ if ([rpki invalid]) then={ action reject } else={ action accept }

Configuration Options

/routing/bgp/rpki