This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[routing-wg] looking for online RPKI dashboard / looking glass?

Previous message (by thread): [routing-wg] looking for online RPKI dashboard / looking glass?
Next message (by thread): [routing-wg] looking for online RPKI dashboard / looking glass?

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Cristian Sirbu ml at trueneutral.eu
Tue May 1 21:37:21 CEST 2018

Hi Gert, Job, routing-wg,

Disclaimer: I'm not offering a solution, just a possibility, facilitator
hat on.

In the context of the upcoming RIPE+iNOG Network Operator Tools hackathon
in June (details at https://labs.ripe.net/Members/
becha/join-network-operators-tools-hackathon ), I would say that this would
make for a great project proposal (an improvement for an existing RIPE tool
/ NLNOG Ring / standalone tool etc.). Of course the best option would be to
join us and hack on it in person - but if that doesn't fly, formulate a
proposal and either find an advocate who's attending or send it to me as a
proxy of last resort.

Cheers,
Cristian

-- 
Cristian Sirbu
www.trueneutral.eu | inog.net | twitter.com/cmsirbu
*PGP* 2C940C28 08F2378F 45C74E11 8AFA4E29 *710D0D66*


On Tue, May 1, 2018 at 7:53 PM, Job Snijders <job at ntt.net> wrote:

> Dear Gert,
>
> On Tue, May 01, 2018 at 08:44:22PM +0200, Gert Doering wrote:
> > is there an online looking glass to see RPKI status for ``everything a
> > given AS announces / transits''?
> >
> > Say, I want to check my AS (AS5539) plus all downstream customers
> > (... visible at the vantage point of said tool, of course).
> >
> > I have found whois.bgpmon.net, which I can use by feeding prefix after
> > prefix into whois and then parsing the reply, but that's a bit cumbersome
> > for "give me all there is to know".  Basically
> >
> >   show ip bgp reg _5539_
>
> I ran a terrible one-off for you on lg01.infra.ring.nlnog.net:
>
> $ birdc 'show route where bgp_path ~ [= * 5539 * =] primary all' | egrep
> "unreach|ext_comm" | sed 's/unreach.*//' | paste - - | sed
> 's/0x1./not-found/;s/0x0./valid/;s/0x2./invalid/'
> 109.230.244.0/23                BGP.ext_community: (generic, 0x43000000,
> not-found
> 194.97.64.0/19                  BGP.ext_community: (generic, 0x43000000,
> valid
> 185.5.184.0/23                  BGP.ext_community: (generic, 0x43000000,
> not-found
> 185.54.120.0/22                 BGP.ext_community: (generic, 0x43000000,
> valid
> 194.39.121.0/24                 BGP.ext_community: (generic, 0x43000000,
> not-found
> 149.62.56.0/21                  BGP.ext_community: (generic, 0x43000000,
> not-found
> 193.189.94.0/24                 BGP.ext_community: (generic, 0x43000000,
> not-found
> 193.189.94.0/23                 BGP.ext_community: (generic, 0x43000000,
> not-found
> 31.214.222.0/23                 BGP.ext_community: (generic, 0x43000000,
> not-found
> 91.223.129.0/24                 BGP.ext_community: (generic, 0x43000000,
> not-found
> 82.118.35.0/24                  BGP.ext_community: (generic, 0x43000000,
> invalid
> 82.118.32.0/19                  BGP.ext_community: (generic, 0x43000000,
> valid
> 193.151.47.0/24                 BGP.ext_community: (generic, 0x43000000,
> not-found
> 193.149.32.0/19                 BGP.ext_community: (generic, 0x43000000,
> valid
> 195.30.0.0/16                   BGP.ext_community: (generic, 0x43000000,
> valid
> 185.143.68.0/23                 BGP.ext_community: (generic, 0x43000000,
> not-found
> 195.24.96.0/19                  BGP.ext_community: (generic, 0x43000000,
> valid
> 193.97.129.0/24                 BGP.ext_community: (generic, 0x43000000,
> not-found
> 194.97.128.0/19                 BGP.ext_community: (generic, 0x43000000,
> valid
>
> $ birdc6 'show route where bgp_path ~ [= * 5539 * =] primary all' | egrep
> "unreach|ext_comm" | sed 's/unreach.*//' | paste - - | sed
> 's/0x1./not-found/;s/0x0./valid/;s/0x2./invalid/'
> 2a07:3340::/48                  BGP.ext_community: (generic, 0x43000000,
> not-found
> 2001:608::/32                   BGP.ext_community: (generic, 0x43000000,
> valid
> 2a02:7c40::/33                  BGP.ext_community: (generic, 0x43000000,
> not-found
> 2001:4150::/32                  BGP.ext_community: (generic, 0x43000000,
> valid
> 2001:67c:158c::/48              BGP.ext_community: (generic, 0x43000000,
> valid
>
> > and then for each prefix returned, check RPKI status, flag
> green/red/yellow.
> >
> > The RIPE LIRportal RPKI dashboard sort of does the job for all ASes that
> > I have created ROAs for (so, if I maintain my customer ROAs, I would see
> > them) but I cannot query an arbitrary AS, or "the whole customer cone".
> >
> > (I expected RIPE Stats to have something like this in the BGP widget, but
> > to my surprise, no...)
>
> A while back I injected RPKI steroids into http://lg.ring.nlnog.net/ so
> that it displays the "RPKI Origin Validation State" for each prefix it
> displays.
>
> This doesn't allow you to do 'show ip bgp reg _5539_' as you requested,
> but that is something I can consider building into the thing.
>
> Kind regards,
>
> Job
>
>


-- 
Cristian Sirbu
www.trueneutral.eu | inog.net | twitter.com/cmsirbu
*PGP* 2C940C28 08F2378F 45C74E11 8AFA4E29 *710D0D66*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/routing-wg/attachments/20180501/68fa12fc/attachment.html>

Previous message (by thread): [routing-wg] looking for online RPKI dashboard / looking glass?
Next message (by thread): [routing-wg] looking for online RPKI dashboard / looking glass?

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ routing-wg Archives ]