[routing-wg] inspecting RPKI data: console.rpki-client.org
Job Snijders
job at ntt.net
Fri Nov 20 15:19:23 CET 2020
Dear all,

I'd like to introduce another tool to inspect RPKI data... the rpki-client console! Comes with an authentic 90s look & feel :-)

The Frontpage - http://console.rpki-client.org/
-----------------------------------------------

On the front page you can see stdout + stderr of the most recent rpki-client run. The log shows which publication points were contacted and prints any issues encountered with specific RPKI files.

Those of us publishing RPKI data should keep an eye out not to show up in this type of log with warnings or errors. For example:

    rpki-client: cc.rg.net/rpki/RGnet-cc/1opByAd8x8R2F-SzstgaYzVXK8Q.mft: mft expired on Oct 12 17:58:45 2020 GMT

However, the above line might be the result of some kind of experiment someone is conducting :-)

The RPKI distributed database currently is more than 120,000 (!) certificate/roa/manifest files, and only a handful of files have some kind of completeness or expiration date issue. Good job everyone! :-)

The ASN specific pages - http://console.rpki-client.org/AS2914.html
-------------------------------------------------------------------

You can substitute the 'AS2914' portion in the URL for any ASN to see which .roa files reference the given ASN. Another example, here one can see all ROAs which authorize AS 8283 as origin:

    https://console.rpki-client.org/AS8283.html

If you encounter an HTTP 404 error, no ROAs reference the ASN.

On the 'per ASN page' you can search click the .roa files on the left side to inspect the ROA.

Each object in the RPKI has a unique Subject Key Identifier (SKI). An example of a SKI is this hexadecimal identifier '06:96:B3:F7:CC:AD:55:45:A5:3A:64:32:31:2B:7F:E1:2B:7A:15:22' which maps to a filename like 'rpki.apnic.net/member_repository/A91A4C60/B526FF74D84111E9A4521413C4F9AE02/12F0D72E7BC111EA8503D815C4F9AE02.roa'

Yeah... compared to DNS names mapping to IPv6 addresses, in the RPKI neither the path name nor the SKI are easy to remember :-)

The console can show that .roa file in human readable format, just append .html:

    http://console.rpki-client.org/rpki.apnic.net/member_repository/A91A4C60/B526FF74D84111E9A4521413C4F9AE02/12F0D72E7BC111EA8503D815C4F9AE02.roa.html

Every object in the RPKI is subordinate to another object (all objects are signed by a parent certificate, except the Trust Anchors). The parent is identified by the Authority Key Identifier (AKI). So one object's AKI is another object's SKI! If you click the AKI, the console brings you to the parent object, from where you can continue to explore other objects related to the parent.

Certificates point to Manifests, and .mft files contain the 'directory indexes' of the RPKI:

    http://console.rpki-client.org/rpki.apnic.net/member_repository/A91A4C60/B526FF74D84111E9A4521413C4F9AE02/nvnkN242ZTJ1x5Y1mNa0W3CvgJk.mft.html

Here from this manifest overview, you can jump to the parent, or click the referenced .roa, .cer or .crl files.

All directories on the webserver are 'open', except the root. This allows you to explore this RPKI cache by browsing through the filesystem directly, example:

    http://console.rpki-client.org/rpki.apnic.net/member_repository/

Final notes
-----------

The rpki-client console provides a view on *validated* RPKI data. First rpki-client runs and prunes bad files, then all HTML is generated. The console provides a view on the data as used in production Internet routers. Please note: the console's rendering is delayed by a bit over an hour compared to the real thing.

Another entry point, you can use your browser's 'find on page' function to search for anything in all of it on this humongous page:

    http://console.rpki-client.org/roas.html

The RPKI is a very intricate collection of references, I hope this console offers another useful perspective on the tree-like structures.

Enjoy!

Kind regards,

Job
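The message advises RPKI publishers to watch the front-page log for their own publication points. The following is an added example, not part of the original message or of rpki-client: it parses log lines of the shape quoted above and reports the ones that name a watched repository host. Only the `mft expired on ...` line comes from the message; the other sample lines, the host `repo.example.net`, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of rpki-client output. The first line is the one quoted
# in the message; the remaining lines are made up to exercise the parser.
SAMPLE_LOG = """\
rpki-client: cc.rg.net/rpki/RGnet-cc/1opByAd8x8R2F-SzstgaYzVXK8Q.mft: mft expired on Oct 12 17:58:45 2020 GMT
rpki-client: repo.example.net/rpki/ca1/AbCdEf.mft: mft expired on Nov 19 03:00:00 2020 GMT
rpki-client: repo.example.net/rpki/ca1/route.roa: constructed warning text
some unrelated line
"""

# "rpki-client: <host>/<path>.<ext>: <message>", as in the quoted log line.
LINE_RE = re.compile(
    r"^rpki-client: (?P<path>[^\s:]+\.(?P<ext>mft|roa|cer|crl)): (?P<msg>.+)$")
EXPIRED_RE = re.compile(
    r"expired on (?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT")


def parse_log(text):
    """Yield one dict per log line that names an RPKI object file."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # progress output or anything not tied to a file
        path = m["path"]
        issue = {"host": path.split("/", 1)[0], "path": path,
                 "type": m["ext"], "message": m["msg"], "expired": None}
        e = EXPIRED_RE.search(m["msg"])
        if e:
            ts = " ".join(e["ts"].split())  # collapse day-of-month padding
            issue["expired"] = datetime.strptime(
                ts, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
        yield issue


def issues_for(text, watched_hosts):
    """Group issues by publication point, keeping only hosts we operate."""
    by_host = defaultdict(list)
    for issue in parse_log(text):
        if issue["host"] in watched_hosts:
            by_host[issue["host"]].append(issue)
    return dict(by_host)


if __name__ == "__main__":
    for host, found in issues_for(SAMPLE_LOG, {"repo.example.net"}).items():
        for i in found:
            print(host, i["type"], i["path"], "->", i["message"])
```

To use it against the live console, save the front page text to a file and pass its contents in place of `SAMPLE_LOG`, with your own repository hostnames as `watched_hosts`.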