inspecting RPKI data: console.rpki-client.org

Tom Beecher beecher at beecher.cc
Fri Nov 20 17:02:04 UTC 2020


In before snark of "OMG "http" links to RPKI info HURF BLURF!"

( Just add the 's' yourself kids, Job is a good boy and does have this
properly TLS'd. :) )

Thank you Job, excellent tool!

On Fri, Nov 20, 2020 at 9:08 AM Job Snijders <job at ntt.net> wrote:

> Dear all,
>
> I'd like to introduce another tool to inspect RPKI data... the
> rpki-client console! Comes with an authentic 90s look & feel :-)
>
> The Frontpage - http://console.rpki-client.org/
> -----------------------------------------------
> On the front page you can see stdout + stderr of the most recent
> rpki-client run. The log shows which publication points were contacted
> and prints any issues encountered with specific RPKI files.
>
> Those of us publishing RPKI data should keep an eye out not to show up
> in this type of log with warnings or errors. For example:
>
>     rpki-client: cc.rg.net/rpki/RGnet-cc/1opByAd8x8R2F-SzstgaYzVXK8Q.mft: mft expired on Oct 12 17:58:45 2020 GMT
>
> However, the above line might be the result of some kind of experiment
> someone is conducting :-)
>
> The RPKI distributed database currently is more than 120,000 (!)
> certificate/roa/manifest files, and only a handful of files have some
> kind of completeness or expiration date issue. Good job everyone! :-)
>
> The ASN specific pages - http://console.rpki-client.org/AS2914.html
> -------------------------------------------------------------------
> You can substitute the 'AS2914' portion in the URL for any ASN to see
> which .roa files reference the given ASN. Another example, here one can
> see all ROAs which authorize AS 8283 as origin:
> https://console.rpki-client.org/AS8283.html
> If you encounter a HTTP 404 error, no ROAs reference the ASN.
>
> On the 'per ASN page' you can click the .roa files on the left side to
> inspect the ROA. Each object in the RPKI has a unique Subject Key
> Identifier (SKI). An example of a SKI is this hexadecimal identifier
> '06:96:B3:F7:CC:AD:55:45:A5:3A:64:32:31:2B:7F:E1:2B:7A:15:22' which
> maps to a filename like
> 'rpki.apnic.net/member_repository/A91A4C60/B526FF74D84111E9A4521413C4F9AE02/12F0D72E7BC111EA8503D815C4F9AE02.roa'
>
> Yeah... compared to DNS names mapping to IPv6 addresses, in the RPKI
> neither the path name nor the SKI are easy to remember :-)
>
> The console can show that .roa file in human readable format, just
> append .html:
> http://console.rpki-client.org/rpki.apnic.net/member_repository/A91A4C60/B526FF74D84111E9A4521413C4F9AE02/12F0D72E7BC111EA8503D815C4F9AE02.roa.html
>
> Every object in the RPKI is subordinate to another object (all objects
> are signed by a parent certificate, except the Trust Anchors). The
> parent is identified by the Authority Key Identifier (AKI). So one
> object's AKI is another object's SKI! If you click the AKI, the console
> brings you to the parent object, from where you can continue to explore
> other objects related to the parent.
>
> Certificates point to Manifests, and .mft files contain the 'directory
> indexes' of the RPKI:
> http://console.rpki-client.org/rpki.apnic.net/member_repository/A91A4C60/B526FF74D84111E9A4521413C4F9AE02/nvnkN242ZTJ1x5Y1mNa0W3CvgJk.mft.html
> From the manifest overview you can jump to the parent, click the
> referenced .roa, .cer or .crl files.
>
> All directories on the webserver are 'open', except the root. This
> allows you to explore this RPKI cache by browsing through the filesystem
> directly, example:
> http://console.rpki-client.org/rpki.apnic.net/member_repository/
>
> Final notes
> -----------
> The rpki-client console provides a view on *validated* RPKI data. First
> rpki-client runs and prunes bad files, then all HTML is generated. The
> console provides a view on the data as used in production Internet
> routers. Please note: the console's rendering is delayed by a bit over
> an hour compared to the real thing.
>
> Another entry point, you can use your browser's 'find on page' function
> to search for anything in all of it on this humongous page:
> http://console.rpki-client.org/roas.html
>
> The RPKI is a very intricate collection of references, I hope this console
> offers another useful perspective on the tree-like structures. Enjoy!
>
> Kind regards,
>
> Job
>
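The object model Job describes above (every object carries an SKI, points at its parent through an AKI, manifests list the files of a publication point, the console only shows objects that survived validation, and the per-ASN pages index ROAs by origin ASN) can be sketched in a few dozen lines. The block below is an added example written for this page; it is not code from Job, from the console, or from rpki-client, and it deliberately simplifies validation to two checks (not expired, AKI chain reaches a trust anchor) rather than reproducing rpki-client's real X.509/CMS/CRL logic. All objects, file names, SKIs/AKIs, expiry times and ASNs are constructed sample data, not real RPKI objects; the run time is set to the date of this post.

```python
"""Toy walk over RPKI object references, modelled on the rpki-client console.

Constructed sample data (not real RPKI objects): each record carries the fields
the console exposes for a file. The helpers follow AKI -> SKI links to the trust
anchor, prune objects that are expired or do not chain to a TA (a simplified
stand-in for rpki-client's validation), and build a per-ASN ROA index.
"""
from datetime import datetime, timezone

# Time of the run: the date of this mailing-list post (constructed choice).
RUN_TIME = datetime(2020, 11, 20, 17, 2, 4, tzinfo=timezone.utc)

# Constructed sample cache: file name -> fields the console shows for the
# object. SKIs/AKIs are made-up short hex strings, not real key identifiers.
SAMPLE_OBJECTS = {
    "ta.cer":     {"type": "cer", "ski": "AA01", "aki": None,   "expires": "2030-01-01T00:00:00Z"},
    "ca.cer":     {"type": "cer", "ski": "BB02", "aki": "AA01", "expires": "2027-01-01T00:00:00Z"},
    "ca.mft":     {"type": "mft", "ski": "CC03", "aki": "BB02", "expires": "2021-01-01T00:00:00Z",
                   "files": ["a.roa", "b.roa", "ca.crl"]},
    "ca.crl":     {"type": "crl", "ski": None,   "aki": "BB02", "expires": "2021-01-01T00:00:00Z"},
    "a.roa":      {"type": "roa", "ski": "DD04", "aki": "BB02", "expires": "2021-06-01T00:00:00Z",
                   "asn": 2914, "prefixes": ["192.0.2.0/24-24"]},
    "b.roa":      {"type": "roa", "ski": "EE05", "aki": "BB02", "expires": "2021-06-01T00:00:00Z",
                   "asn": 8283, "prefixes": ["198.51.100.0/24-24"]},
    # An expired manifest, like the 'mft expired on ...' line in the log above.
    "old.mft":    {"type": "mft", "ski": "FF06", "aki": "BB02", "expires": "2020-10-12T17:58:45Z",
                   "files": []},
    # A ROA whose AKI matches no SKI in the cache: its chain is broken.
    "orphan.roa": {"type": "roa", "ski": "9907", "aki": "0000", "expires": "2021-06-01T00:00:00Z",
                   "asn": 2914, "prefixes": ["203.0.113.0/24-24"]},
}


def parse_time(s):
    """Parse the ISO-8601 'Z' timestamps used in the sample data as UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parent_of(objects, name):
    """Return the file whose SKI equals this object's AKI, or None for a
    trust anchor (no AKI) or a dangling AKI."""
    aki = objects[name]["aki"]
    if aki is None:
        return None
    for other, obj in objects.items():
        if obj["ski"] is not None and obj["ski"] == aki:
            return other
    return None


def chain_to_trust_anchor(objects, name):
    """Follow AKI -> SKI links upward ("one object's AKI is another object's SKI").
    Returns the list of file names from the object up to the trust anchor,
    or None when the chain is broken or loops."""
    chain, seen = [name], {name}
    while objects[chain[-1]]["aki"] is not None:
        parent = parent_of(objects, chain[-1])
        if parent is None or parent in seen:
            return None
        chain.append(parent)
        seen.add(parent)
    return chain


def prune(objects, now):
    """Simplified validation: drop expired objects, then drop anything whose
    chain (through still-live objects only) does not reach a trust anchor.
    Returns (valid_objects, log_lines); log_lines mimics the console's
    stdout/stderr list of problem files."""
    live, log = {}, []
    for name, obj in objects.items():
        expires = parse_time(obj["expires"])
        if expires <= now:
            log.append(f"rpki-client: {name}: {obj['type']} expired on "
                       + expires.strftime("%b %d %H:%M:%S %Y GMT"))
        else:
            live[name] = obj
    valid = {}
    for name, obj in live.items():
        if chain_to_trust_anchor(live, name) is None:
            log.append(f"rpki-client: {name}: AKI {obj['aki']} does not chain to a trust anchor")
        else:
            valid[name] = obj
    return valid, log


def roas_by_asn(valid):
    """Index like the per-ASN console pages: ASN -> ROA files that authorize
    it as origin (a missing key is the console's HTTP 404 case)."""
    index = {}
    for name, obj in valid.items():
        if obj["type"] == "roa":
            index.setdefault(obj["asn"], []).append(name)
    return index


if __name__ == "__main__":
    valid, log = prune(SAMPLE_OBJECTS, RUN_TIME)
    print("\n".join(log))
    for asn, files in sorted(roas_by_asn(valid).items()):
        print(f"AS{asn}: {', '.join(files)}")
    print(" -> ".join(chain_to_trust_anchor(valid, "a.roa")))
```

Running it prints the two problem files in the log (the expired manifest and the orphaned ROA), the per-ASN index built only from surviving objects, and the path a.roa -> ca.cer -> ta.cer, which is the same walk you make in the console by clicking an object's AKI.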