inspecting RPKI data: console.rpki-client.org
job at ntt.net
Fri Nov 20 14:06:40 UTC 2020
I'd like to introduce another tool to inspect RPKI data... the
rpki-client console! Comes with an authentic 90s look & feel :-)
The Frontpage - http://console.rpki-client.org/
On the front page you can see stdout + stderr of the most recent
rpki-client run. The log shows which publication points were contacted
and prints any issues encountered with specific RPKI files.
Those of us publishing RPKI data should keep an eye out not to show up
in this type of log with warnings or errors. For example:
rpki-client: cc.rg.net/rpki/RGnet-cc/1opByAd8x8R2F-SzstgaYzVXK8Q.mft: mft expired on Oct 12 17:58:45 2020 GMT
However, the above line might be the result of some kind of experiment someone is conducting :-)
The RPKI distributed database currently is more than 120,000 (!)
certificate/roa/manifest files, and only a handful of files have some
kind of completeness or expiration date issue. Good job everyone! :-)
The ASN specific pages - http://console.rpki-client.org/AS2914.html
You can substitute the 'AS2914' portion in the URL for any ASN to see
which .roa files reference the given ASN. Another example, here one can
see all ROAs which authorize AS 8283 as origin: https://console.rpki-client.org/AS8283.html
If you encounter a HTTP 404 error, no ROAs reference the ASN.
On the 'per ASN page' you can search click the .roa files on the left
side to inspect the ROA. Each object in the RPKI has a unique Subject
Key Identifier (SKI). An example of a SKI is this hexadecimal identifier
maps to a filename like 'rpki.apnic.net/member_repository/A91A4C60/B526FF74D84111E9A4521413C4F9AE02/12F0D72E7BC111EA8503D815C4F9AE02.roa'
Yeah... compared to DNS names mapping to IPv6 addresses, in the RPKI
neither the path name nor the SKI are easy to remember :-)
The console can show that .roa file in human readable format, just
append .html: http://console.rpki-client.org/rpki.apnic.net/member_repository/A91A4C60/B526FF74D84111E9A4521413C4F9AE02/12F0D72E7BC111EA8503D815C4F9AE02.roa.html
Every object in the RPKI is subordinate to another object (all objects
are signed by a parent certificate, except the Trust Anchors). The
parent is identified by the Authority Key Identifier (AKI). So one
object's AKI is another object's SKI! If you click the AKI, the console
brings you to the parent object, from where you can continue to explore
other objects related to parent.
Certificates point to Manifests, and .mft files contain the 'directory
indexes' of the RPKI: http://console.rpki-client.org/rpki.apnic.net/member_repository/A91A4C60/B526FF74D84111E9A4521413C4F9AE02/nvnkN242ZTJ1x5Y1mNa0W3CvgJk.mft.html
>From the manifest overview you can jump to the parent, click the
referenced .roa, .cer or .crl files.
All directories on the webserver are 'open', except the root. This
allows you to explore this RPKI cache by browsing through the filesystem
directly, example: http://console.rpki-client.org/rpki.apnic.net/member_repository/
The rpki-client console provides a view on *validated* RPKI data. First
rpki-client runs and prunes bad files, then all HTML is generated. The
console provides a view on the data as used in production Internet
routers. Please note: the console's rendering is delayed by a bit over
an hour compared to the real thing.
Another entry point, you can use your browser's 'find on page' function
to search for anything in all of it on this humongous page:
The RPKI is very intricate collection of references, I hope this console
offers another useful perspective on the tree-like structures. Enjoy!
More information about the NANOG