Making Better Routing Decisions Through RPKI Validation
One of the goals of Resource Certification (RPKI) is to enable network operators to make more informed BGP routing decisions. This is why you will need a comprehensive toolset to tap into the RPKI data set. For this purpose, we provide the RIPE NCC RPKI Validator. The toolset runs as a service and has no dependencies other than a UNIX-like system, with Java and rsync available. Management can be carried out through an intuitive web interface.

Screenshot of the RIPE NCC RPKI Validator web interface
Trust Anchors
This toolset comes pre-loaded with the trust anchors – the entry points for the RPKI root certificates – from the RIRs, who have a Resource Certification system running. Optionally, you can add other trust anchors of parties you trust.
Fetch and Validate ROAs
The RPKI Validator fetches and validates all ROAs under the trust anchor, and automatically refreshes the data set every four hours. You have the option to force an update if you know there is a recent change.
Ignore Filters
Because you are always in complete control of your routing decisions, you have the option to override the ROA data set with your local controls. The first option you have is to apply an ignore filter. When you add an entry, the Validator ignores any RPKI prefixes that overlap with the filter's prefix. It will be as if a ROA never existed for this particular prefix.
White List
By adding a white list entry, you can manually authorise an ASN to originate a prefix in addition to validated ROAs from the repository. Please note that white list entries may invalidate announcements for this prefix from other ASNs, just like ROAs. Please use this feature with caution and check the side effects that may result from your white list entry.
BGP Preview
This page provides a preview of the likely RPKI validity states your routers will associate with BGP announcements. This preview is based on:
- BGP announcements that are widely seen (five peers or more) by the RIPE NCC RIS Route Collectors
- Validation rules defined in the IETF standard
- The validated ROAs found by this validator after applying your filters and additional white list entries
Please note that the actual validation of announcements happens in your routers and that the announcements that your routers see may differ from the announcements used here.
These are the states you will see in the preview and the possible reasons:
- VALID
  - This route announcement is covered by at least one ROA
- INVALID
  - The prefix is announced from an unauthorised AS. This means:
    - There is a ROA for this prefix for another AS, but no ROA authorising this AS; or
    - This could be a hijacking attempt
  - The announcement is more specific than is allowed by the maximum length set in a ROA that matches the prefix
- UNKNOWN
  - The prefix in this announcement is not covered (or only partially covered) by an existing ROA
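The three states, and the effect of ignore filters and white list entries on them, can be reproduced with a short script. This is an added example, not the RPKI Validator's own code: it follows the origin validation rules of RFC 6811, the names `VRP`, `vrp`, `apply_local_controls`, `validity` and `SAMPLE_VRPS` are hypothetical, and the data set is constructed from documentation prefixes and ASNs.

```python
import ipaddress
from typing import NamedTuple, Union

class VRP(NamedTuple):
    """One validated ROA entry: prefix, maximum length, authorised origin AS."""
    prefix: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    max_length: int
    asn: int

def vrp(prefix, max_length, asn):
    return VRP(ipaddress.ip_network(prefix), max_length, asn)

def apply_local_controls(vrps, ignore_filters=(), white_list=()):
    """Drop every entry overlapping an ignore filter, then append white list entries.
    Assumption: ignore filters act on repository ROAs only, not on white list entries."""
    filters = [ipaddress.ip_network(f) for f in ignore_filters]
    kept = [v for v in vrps
            if not any(f.version == v.prefix.version and f.overlaps(v.prefix)
                       for f in filters)]
    return kept + list(white_list)

def validity(route_prefix, origin_asn, vrps):
    """Classify one announcement as VALID, INVALID or UNKNOWN."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for v in vrps:
        if v.prefix.version != route.version or not route.subnet_of(v.prefix):
            continue  # entry does not fully cover the announced prefix
        covered = True
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "VALID"
    # Covered, but no entry matched on both origin AS and maximum length
    return "INVALID" if covered else "UNKNOWN"

# Constructed data set (documentation prefixes and ASNs, not real ROAs)
SAMPLE_VRPS = [vrp("192.0.2.0/24", 24, 64496), vrp("198.51.100.0/24", 24, 64497)]

if __name__ == "__main__":
    local = apply_local_controls(
        SAMPLE_VRPS,
        ignore_filters=["198.51.100.0/24"],
        white_list=[vrp("203.0.113.0/24", 24, 64500)])
    # Print the state before and after the local controls are applied
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.128/25", 64496),
                        ("198.51.100.0/24", 64511), ("203.0.113.0/24", 64501)]:
        print(prefix, f"AS{asn}", validity(prefix, asn, SAMPLE_VRPS), "->",
              validity(prefix, asn, local))
```

The last sample route shows the white list side effect: an announcement that was UNKNOWN becomes INVALID once another AS is white-listed for the same prefix.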
Export
Here you will be able to export your BGP decision-making data set to a Comma Separated Values (CSV) file. This file contains all validated ROAs after applying your filters and additional white list entries. It can be used to integrate with your current (RPSL-based) decision-making workflow.
Router Sessions
The RIPE NCC RPKI Validator is capable of communicating with RPKI-capable routers. The router will fetch the full data set from the validation service and you can use it to create route maps based on the RPKI validation state of the route announcements the router sees.
RPKI-Router functionality is based on open IETF standards and is being implemented by several router vendors. Cisco currently has RPKI support available on several platforms, with more to follow. Juniper has supported RPKI since release 12.2. Quagga offers support through the BGP Secure Routing Extension (BGP-SRx).

