[routing-wg] looking for online RPKI dashboard / looking glass?

Dear Gert,

On Tue, May 01, 2018 at 08:44:22PM +0200, Gert Doering wrote:
> is there an online looking glass to see RPKI status for ``everything a 
> given AS announces / transits''?
> 
> Say, I want to check my AS (AS5539) plus all downstream customers 
> (... visible at the vantage point of said tool, of course).
> 
> I have found whois.bgpmon.net, which I can use by feeding prefix after
> prefix into whois and then parsing the reply, but that's a bit cumbersome
> for "give me all there is to know".  Basically
> 
>   show ip bgp reg _5539_

I ran a terrible one-off for you on lg01.infra.ring.nlnog.net:

$ birdc 'show route where bgp_path ~ [= * 5539 * =] primary all' | egrep "unreach|ext_comm" | sed 's/unreach.*//' | paste - - | sed 's/0x1./not-found/;s/0x0./valid/;s/0x2./invalid/'
109.230.244.0/23                BGP.ext_community: (generic, 0x43000000, not-found
194.97.64.0/19                  BGP.ext_community: (generic, 0x43000000, valid
185.5.184.0/23                  BGP.ext_community: (generic, 0x43000000, not-found
185.54.120.0/22                 BGP.ext_community: (generic, 0x43000000, valid
194.39.121.0/24                 BGP.ext_community: (generic, 0x43000000, not-found
149.62.56.0/21                  BGP.ext_community: (generic, 0x43000000, not-found
193.189.94.0/24                 BGP.ext_community: (generic, 0x43000000, not-found
193.189.94.0/23                 BGP.ext_community: (generic, 0x43000000, not-found
31.214.222.0/23                 BGP.ext_community: (generic, 0x43000000, not-found
91.223.129.0/24                 BGP.ext_community: (generic, 0x43000000, not-found
82.118.35.0/24                  BGP.ext_community: (generic, 0x43000000, invalid
82.118.32.0/19                  BGP.ext_community: (generic, 0x43000000, valid
193.151.47.0/24                 BGP.ext_community: (generic, 0x43000000, not-found
193.149.32.0/19                 BGP.ext_community: (generic, 0x43000000, valid
195.30.0.0/16                   BGP.ext_community: (generic, 0x43000000, valid
185.143.68.0/23                 BGP.ext_community: (generic, 0x43000000, not-found
195.24.96.0/19                  BGP.ext_community: (generic, 0x43000000, valid
193.97.129.0/24                 BGP.ext_community: (generic, 0x43000000, not-found
194.97.128.0/19                 BGP.ext_community: (generic, 0x43000000, valid

$ birdc6 'show route where bgp_path ~ [= * 5539 * =] primary all' | egrep "unreach|ext_comm" | sed 's/unreach.*//' | paste - - | sed 's/0x1./not-found/;s/0x0./valid/;s/0x2./invalid/'
2a07:3340::/48                  BGP.ext_community: (generic, 0x43000000, not-found
2001:608::/32                   BGP.ext_community: (generic, 0x43000000, valid
2a02:7c40::/33                  BGP.ext_community: (generic, 0x43000000, not-found
2001:4150::/32                  BGP.ext_community: (generic, 0x43000000, valid
2001:67c:158c::/48              BGP.ext_community: (generic, 0x43000000, valid

> and then for each prefix returned, check RPKI status, flag green/red/yellow.
> 
> The RIPE LIRportal RPKI dashboard sort of does the job for all ASes that
> I have created ROAs for (so, if I maintain my customer ROAs, I would see
> them) but I cannot query an arbitrary AS, or "the whole customer cone".
> 
> (I expected RIPE Stats to have something like this in the BGP widget, but
> to my surprise, no...)

A while back I injected RPKI steroids into http://lg.ring.nlnog.net/ so
that it displays the "RPKI Origin Validation State" for each prefix it
displays.

This doesn't allow you to do 'show ip bgp reg _5539_' as you requested,
but that is something I can consider building into the thing.

Kind regards,

Job