<div dir="ltr"><div>Hi Gert, Job, routing-wg,</div><div><br></div>Disclaimer: I'm not offering a solution, just a possibility, facilitator hat on.<div><br></div><div>In the context of the upcoming RIPE+iNOG Network Operator Tools hackathon in June (details at <a href="https://labs.ripe.net/Members/becha/join-network-operators-tools-hackathon" target="_blank">https://labs.ripe.net/Members/<wbr>becha/join-network-operators-<wbr>tools-hackathon</a> ), I would say that this would make for a great project proposal (an improvement for an existing RIPE tool / NLNOG Ring / standalone tool etc.). Of course the best option would be to join us and hack on it in person - but if that doesn't fly, <span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">formulate a proposal and </span>either find an advocate who's attending or send it to me as a proxy of last resort.</div><div><br></div><div>Cheers,</div><div>Cristian</div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br></span></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">--<span> </span></span><br style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><div class="gmail_signature" style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div>Cristian Sirbu</div><div><a href="https://www.trueneutral.eu/" target="_blank" style="color:rgb(17,85,204);font-size:small">www.trueneutral.eu</a><span style="font-size:small"> | </span><a href="https://inog.net/" target="_blank" style="color:rgb(17,85,204);font-size:small">inog.net</a><span style="font-size:small"> | </span><a href="https://twitter.com/cmsirbu" target="_blank" style="color:rgb(17,85,204);font-size:small">twitter.com/cmsirbu</a><br></div><div><b style="font-size:12.8px">PGP</b><span style="font-size:12.8px"><span> </span>2C940C28 08F2378F 45C74E11 8AFA4E29<span> </span></span><b style="font-size:12.8px">710D0D66</b></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 1, 2018 at 7:53 PM, Job Snijders <span dir="ltr"><<a href="mailto:job@ntt.net" target="_blank">job@ntt.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Dear Gert,<br>
<span class=""><br>
On Tue, May 01, 2018 at 08:44:22PM +0200, Gert Doering wrote:<br>
> is there an online looking glass to see RPKI status for ``everything a <br>
> given AS announces / transits''?<br>
> <br>
> Say, I want to check my AS (AS5539) plus all downstream customers <br>
> (... visible at the vantage point of said tool, of course).<br>
> <br>
> I have found <a href="http://whois.bgpmon.net" rel="noreferrer" target="_blank">whois.bgpmon.net</a>, which I can use by feeding prefix after<br>
> prefix into whois and then parsing the reply, but that's a bit cumbersome<br>
> for "give me all there is to know".  Basically<br>
> <br>
>   show ip bgp reg _5539_<br>
<br>
</span>I ran a terrible one-off for you on <a href="http://lg01.infra.ring.nlnog.net" rel="noreferrer" target="_blank">lg01.infra.ring.nlnog.net</a>:<br>
<br>
$ birdc 'show route where bgp_path ~ [= * 5539 * =] primary all' | egrep "unreach|ext_comm" | sed 's/unreach.*//' | paste - - | sed 's/0x1./not-found/;s/0x0./<wbr>valid/;s/0x2./invalid/'<br>
<a href="http://109.230.244.0/23" rel="noreferrer" target="_blank">109.230.244.0/23</a>                BGP.ext_community: (generic, 0x43000000, not-found<br>
<a href="http://194.97.64.0/19" rel="noreferrer" target="_blank">194.97.64.0/19</a>                  BGP.ext_community: (generic, 0x43000000, valid<br>
<a href="http://185.5.184.0/23" rel="noreferrer" target="_blank">185.5.184.0/23</a>                  BGP.ext_community: (generic, 0x43000000, not-found<br>
<a href="http://185.54.120.0/22" rel="noreferrer" target="_blank">185.54.120.0/22</a>                 BGP.ext_community: (generic, 0x43000000, valid<br>
<a href="http://194.39.121.0/24" rel="noreferrer" target="_blank">194.39.121.0/24</a>                 BGP.ext_community: (generic, 0x43000000, not-found<br>
<a href="http://149.62.56.0/21" rel="noreferrer" target="_blank">149.62.56.0/21</a>                  BGP.ext_community: (generic, 0x43000000, not-found<br>
<a href="http://193.189.94.0/24" rel="noreferrer" target="_blank">193.189.94.0/24</a>                 BGP.ext_community: (generic, 0x43000000, not-found<br>
<a href="http://193.189.94.0/23" rel="noreferrer" target="_blank">193.189.94.0/23</a>                 BGP.ext_community: (generic, 0x43000000, not-found<br>
<a href="http://31.214.222.0/23" rel="noreferrer" target="_blank">31.214.222.0/23</a>                 BGP.ext_community: (generic, 0x43000000, not-found<br>
<a href="http://91.223.129.0/24" rel="noreferrer" target="_blank">91.223.129.0/24</a>                 BGP.ext_community: (generic, 0x43000000, not-found<br>
<a href="http://82.118.35.0/24" rel="noreferrer" target="_blank">82.118.35.0/24</a>                  BGP.ext_community: (generic, 0x43000000, invalid<br>
<a href="http://82.118.32.0/19" rel="noreferrer" target="_blank">82.118.32.0/19</a>                  BGP.ext_community: (generic, 0x43000000, valid<br>
<a href="http://193.151.47.0/24" rel="noreferrer" target="_blank">193.151.47.0/24</a>                 BGP.ext_community: (generic, 0x43000000, not-found<br>
<a href="http://193.149.32.0/19" rel="noreferrer" target="_blank">193.149.32.0/19</a>                 BGP.ext_community: (generic, 0x43000000, valid<br>
<a href="http://195.30.0.0/16" rel="noreferrer" target="_blank">195.30.0.0/16</a>                   BGP.ext_community: (generic, 0x43000000, valid<br>
<a href="http://185.143.68.0/23" rel="noreferrer" target="_blank">185.143.68.0/23</a>                 BGP.ext_community: (generic, 0x43000000, not-found<br>
<a href="http://195.24.96.0/19" rel="noreferrer" target="_blank">195.24.96.0/19</a>                  BGP.ext_community: (generic, 0x43000000, valid<br>
<a href="http://193.97.129.0/24" rel="noreferrer" target="_blank">193.97.129.0/24</a>                 BGP.ext_community: (generic, 0x43000000, not-found<br>
<a href="http://194.97.128.0/19" rel="noreferrer" target="_blank">194.97.128.0/19</a>                 BGP.ext_community: (generic, 0x43000000, valid<br>
<br>
$ birdc6 'show route where bgp_path ~ [= * 5539 * =] primary all' | egrep "unreach|ext_comm" | sed 's/unreach.*//' | paste - - | sed 's/0x1./not-found/;s/0x0./<wbr>valid/;s/0x2./invalid/'<br>
2a07:3340::/48                  BGP.ext_community: (generic, 0x43000000, not-found<br>
2001:608::/32                   BGP.ext_community: (generic, 0x43000000, valid<br>
2a02:7c40::/33                  BGP.ext_community: (generic, 0x43000000, not-found<br>
2001:4150::/32                  BGP.ext_community: (generic, 0x43000000, valid<br>
2001:67c:158c::/48              BGP.ext_community: (generic, 0x43000000, valid<br>
<span class=""><br>
> and then for each prefix returned, check RPKI status, flag green/red/yellow.<br>
> <br>
> The RIPE LIRportal RPKI dashboard sort of does the job for all ASes that<br>
> I have created ROAs for (so, if I maintain my customer ROAs, I would see<br>
> them) but I cannot query an arbitrary AS, or "the whole customer cone".<br>
> <br>
> (I expected RIPE Stats to have something like this in the BGP widget, but<br>
> to my surprise, no...)<br>
<br>
</span>A while back I injected RPKI steroids into <a href="http://lg.ring.nlnog.net/" rel="noreferrer" target="_blank">http://lg.ring.nlnog.net/</a> so<br>
that it displays the "RPKI Origin Validation State" for each prefix it<br>
displays.<br>
<br>
This doesn't allow you to do 'show ip bgp reg _5539_' as you requested,<br>
but that is something I can consider building into the thing.<br>
<br>
Kind regards,<br>
<br>
Job<br>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div>Cristian Sirbu</div><div><a href="https://www.trueneutral.eu/" style="color:rgb(17,85,204);font-size:small" target="_blank">www.trueneutral.eu</a><span style="font-size:small"> | </span><a href="https://inog.net/" style="color:rgb(17,85,204);font-size:small" target="_blank">inog.net</a><span style="font-size:small"> | </span><a href="https://twitter.com/cmsirbu" style="color:rgb(17,85,204);font-size:small" target="_blank">twitter.com/cmsirbu</a><br></div><div><b style="font-size:12.8px">PGP</b><span style="font-size:12.8px"> 2C940C28 08F2378F 45C74E11 8AFA4E29 </span><b style="font-size:12.8px">710D0D66</b><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div></div>