inspecting RPKI data:

Tom Beecher beecher at
Fri Nov 20 17:02:04 UTC 2020

In before snark of "OMG "http" links to RPKI info HURF BLURF!"

( Just add the 's' yourself kids, Job is a good boy and does have this
properly TLS'd. :) )

Thank you Job, excellent tool!

On Fri, Nov 20, 2020 at 9:08 AM Job Snijders <job at> wrote:

> Dear all,
> I'd like to introduce another tool to inspect RPKI data... the
> rpki-client console! Comes with an authentic 90s look & feel :-)
> The Frontpage -
> -----------------------------------------------
> On the front page you can see stdout + stderr of the most recent
> rpki-client run. The log shows which publication points were contacted
> and prints any issues encountered with specific RPKI files.
> Those of us publishing RPKI data should keep an eye out not to show up
> in this type of log with warnings or errors. For example:
>     rpki-client:
> mft expired on Oct 12 17:58:45 2020 GMT
> However, the above line might be the result of some kind of experiment
> someone is conducting :-)
> The RPKI distributed database currently is more than 120,000 (!)
> certificate/roa/manifest files, and only a handful of files have some
> kind of completeness or expiration date issue. Good job everyone! :-)
> The ASN specific pages -
> -------------------------------------------------------------------
> You can substitute the 'AS2914' portion in the URL for any ASN to see
> which .roa files reference the given ASN. Another example, here one can
> see all ROAs which authorize AS 8283 as origin:
> If you encounter an HTTP 404 error, no ROAs reference the ASN.
> On the 'per ASN page' you can click the .roa files on the left
> side to inspect the ROA. Each object in the RPKI has a unique Subject
> Key Identifier (SKI). An example of a SKI is this hexadecimal identifier
> '06:96:B3:F7:CC:AD:55:45:A5:3A:64:32:31:2B:7F:E1:2B:7A:15:22' which
> maps to a filename like '
> '
> Yeah... compared to DNS names mapping to IPv6 addresses, in the RPKI
> neither the path name nor the SKI are easy to remember :-)
> The console can show that .roa file in human readable format, just
> append .html:
> Every object in the RPKI is subordinate to another object (all objects
> are signed by a parent certificate, except the Trust Anchors). The
> parent is identified by the Authority Key Identifier (AKI). So one
> object's AKI is another object's SKI! If you click the AKI, the console
> brings you to the parent object, from where you can continue to explore
> other objects related to the parent.
> Certificates point to Manifests, and .mft files contain the 'directory
> indexes' of the RPKI:
> From the manifest overview you can jump to the parent, click the
> referenced .roa, .cer or .crl files.
> All directories on the webserver are 'open', except the root. This
> allows you to explore this RPKI cache by browsing through the filesystem
> directly, example:
> Final notes
> -----------
> The rpki-client console provides a view on *validated* RPKI data. First
> rpki-client runs and prunes bad files, then all HTML is generated. The
> console provides a view on the data as used in production Internet
> routers. Please note: the console's rendering is delayed by a bit over
> an hour compared to the real thing.
> Another entry point, you can use your browser's 'find on page' function
> to search for anything in all of it on this humongous page:
> The RPKI is a very intricate collection of references, I hope this console
> offers another useful perspective on the tree-like structures. Enjoy!
> Kind regards,
> Job
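
As an added example (not part of Job's post and not code from rpki-client), the Python below builds a small constructed RPKI object tree and does in code what the console lets you do by clicking: follow AKI to SKI links up to the trust anchor, derive an object's filename from its SKI, flag objects whose AKI points at a certificate you do not hold (the kind of file a validator prunes before anything reaches a router), and reproduce the 'mft expired' warning from the log. The tree layout, the timestamps and every SKI other than the one quoted in the post are constructed; the filename derivation assumes the repository follows the RFC 6481 naming recommendation (base64url of the SKI bytes, padding dropped).

```python
"""Constructed mini RPKI tree: SKI/AKI chain walking plus the two sanity
checks the console log surfaces (expired manifests, dangling references)."""
import base64
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class RpkiObject:
    kind: str                 # file extension: 'cer', 'mft' or 'roa'
    ski: str                  # Subject Key Identifier, colon-separated hex
    aki: Optional[str]        # Authority Key Identifier of the signing cert
    next_update: Optional[datetime] = None        # manifests only
    file_list: List[str] = field(default_factory=list)  # manifests only


def ski_to_filename(ski_hex: str, ext: str) -> str:
    """RFC 6481 sec. 2.2 naming: base64url(SKI bytes) with '=' padding removed."""
    raw = bytes.fromhex(ski_hex.replace(":", ""))
    name = base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")
    return f"{name}.{ext}"


def index_by_ski(objs: List[RpkiObject]) -> Dict[str, RpkiObject]:
    return {o.ski: o for o in objs}


def is_trust_anchor(o: RpkiObject) -> bool:
    # A TA is self-signed: no AKI, or an AKI equal to its own SKI.
    return o.aki is None or o.aki == o.ski


def chain_to_root(index: Dict[str, RpkiObject], ski: str) -> Optional[List[str]]:
    """Follow AKI -> SKI links upward; return the filenames visited, ending at
    the trust anchor, or None if a link points at a SKI we do not hold."""
    path, seen = [], set()
    cur = index.get(ski)
    while cur is not None:
        if cur.ski in seen:            # a loop can only come from corrupt data
            return None
        seen.add(cur.ski)
        path.append(ski_to_filename(cur.ski, cur.kind))
        if is_trust_anchor(cur):
            return path
        cur = index.get(cur.aki)
    return None


def find_orphans(objs: List[RpkiObject]) -> List[str]:
    """Objects that cannot be chained to a TA; a validator drops these."""
    index = index_by_ski(objs)
    return sorted(ski_to_filename(o.ski, o.kind)
                  for o in objs if chain_to_root(index, o.ski) is None)


def check_manifest(mft: RpkiObject, present: set, now: datetime) -> List[str]:
    """Mirror the log lines: stale nextUpdate and listed-but-missing files."""
    problems = []
    if mft.next_update is not None and mft.next_update < now:
        problems.append("mft expired on "
                        + mft.next_update.strftime("%b %d %H:%M:%S %Y GMT"))
    for f in mft.file_list:
        if f not in present:
            problems.append(f"listed in manifest but missing: {f}")
    return problems


# --- constructed sample repository (only ROA_SKI is the value from the post) ---
NOW = datetime(2020, 11, 20, 17, 0, tzinfo=timezone.utc)
TA_SKI = ":".join(["01"] * 20)
CA_SKI = ":".join(["02"] * 20)
MFT_SKI = ":".join(["03"] * 20)
ROA_SKI = "06:96:B3:F7:CC:AD:55:45:A5:3A:64:32:31:2B:7F:E1:2B:7A:15:22"
ORPHAN_SKI = ":".join(["EE"] * 20)
UNKNOWN_AKI = ":".join(["DD"] * 20)   # nobody in this repo holds this key

OBJECTS = [
    RpkiObject("cer", TA_SKI, TA_SKI),
    RpkiObject("cer", CA_SKI, TA_SKI),
    RpkiObject("mft", MFT_SKI, CA_SKI,
               next_update=datetime(2020, 10, 12, 17, 58, 45, tzinfo=timezone.utc),
               file_list=[ski_to_filename(ROA_SKI, "roa"),
                          ski_to_filename(CA_SKI, "crl")]),   # CRL not present
    RpkiObject("roa", ROA_SKI, CA_SKI),
    RpkiObject("roa", ORPHAN_SKI, UNKNOWN_AKI),
]


def report(objs: List[RpkiObject], now: datetime) -> dict:
    index = index_by_ski(objs)
    present = {ski_to_filename(o.ski, o.kind) for o in objs}
    return {
        "roa_chain": chain_to_root(index, ROA_SKI),
        "orphans": find_orphans(objs),
        "mft_problems": [p for o in objs if o.kind == "mft"
                         for p in check_manifest(o, present, now)],
    }


if __name__ == "__main__":
    for key, value in report(OBJECTS, NOW).items():
        print(f"{key}: {value}")
```

Clicking an AKI in the console is exactly `index.get(cur.aki)` here; the 'mft expired' string is formatted the way the log prints it so you can grep a real rpki-client run for the same pattern.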