Making Better Routing Decisions Through RPKI Validation

One of the goals of Resource Certification (RPKI) is to enable network operators to make more informed BGP routing decisions. This is why you will need a comprehensive toolset to tap into the RPKI dataset. For this purpose, we provide the RIPE NCC RPKI Validator. The toolset runs as a service and has no dependencies other than a UNIX-like system, with Java 1.6 and rsync available.

After downloading and unpacking the archive, simply run the "rpki-validator.sh" script from the base folder to view the start, stop and configuration options of the application. By default, a web user interface for viewing, configuring and querying will be available on port 8080. In addition, RPKI-capable routers can connect to the RPKI Validator on port 8282 to fetch the validated ROA dataset.


Figure: Screenshot of the RIPE NCC RPKI Validator web interface (RPKI listings)

Trust Anchors

This toolset comes pre-loaded with the trust anchors – the entry points for the RPKI root certificates – from four RIRs: AFRINIC, APNIC, Lacnic and the RIPE NCC. In order to obtain the trust anchor for the ARIN RPKI repository, you will first have to accept their Relying Party Agreement.

Fetch and Validate ROAs

The RPKI Validator fetches and validates all ROAs under the trust anchor, and automatically refreshes the dataset every four hours. You have the option to force an update if you know there's been a recent change.

Ignore Filters

Because you are always in complete control of your routing decisions, you have the option to override the ROA dataset with your local controls. The first option is to apply an ignore filter. When you add an entry, the Validator ignores any RPKI prefixes that overlap with the filter's prefix, as if no ROA had ever existed for that prefix.

White List

By adding a white list entry, you can manually authorise an ASN to originate a prefix in addition to validated ROAs from the repository. Please note that white list entries may invalidate announcements for this prefix from other ASNs, just like ROAs. Please use this feature with caution and check the side effects that may result from your white list entry.

BGP Preview

This page provides a preview of the likely RPKI validity states your routers will associate with BGP announcements. This preview is based on:

  • BGP announcements that are widely seen (five peers or more) by the RIPE NCC RIS Route Collectors

  • Validation rules defined in the IETF standard

  • The validated ROAs found by this validator after applying your filters and additional white list entries

Please note that the actual validation of announcements happens in your routers and that the announcements that your routers see may differ from the announcements used here.

These are the states you will see in the preview and the possible reasons:

  • VALID
    • This route announcement is covered by at least one ROA
  • INVALID
    • The prefix is announced from an unauthorised AS. This means either:
      • There is a ROA for this prefix for another AS, but no ROA authorising this AS; or
      • This could be a hijacking attempt
    • The announcement is more specific than is allowed by the maximum length set in a ROA that matches the prefix
  • UNKNOWN
    • The prefix in this announcement is not covered (or only partially covered) by an existing ROA

Export and API

Here you will be able to export your BGP decision-making dataset to a Comma Separated Values (CSV) or JavaScript Object Notation (JSON) file. These files contain all validated ROAs after applying your filters and additional white list entries. They can be used to integrate RPKI data into your current (RPSL-based) decision-making workflow.

In addition, the application allows you to query a RESTful API. When you supply a combination of Autonomous System (AS) and prefix, they will be matched against all the Validated ROA Prefixes (VRPs) that are in the cache of the RPKI Validator. The result is returned in JSON format and contains the following information:

  • The RPKI validity state, as described in RFC 6811
  • The Validated ROA Prefixes (VRPs) that caused the state
  • In case of an 'Invalid' state, the reason:
    • The prefix is originated from an unauthorised AS
    • The prefix is more specific than allowed in the Maximum Length of the ROA
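The validity states listed in the BGP Preview section, the two INVALID reasons the API returns, and the effect of an ignore filter or white list entry can all be reproduced offline. The following is an added example written for this page, not code from the RIPE NCC RPKI Validator: it implements the RFC 6811 origin validation rule over a constructed set of Validated ROA Prefixes (VRPs), using documentation prefixes and ASNs. It assumes that a white list entry behaves like a VRP whose maximum length equals the prefix length, and that an ignore filter drops every VRP overlapping the filter prefix, as the text above describes.

```python
"""RFC 6811 origin validation over a small VRP set, with the RPKI Validator's
local overrides (ignore filter, white list) applied before validation.
Added example; the VRPs below are constructed, not real ROAs."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    prefix: str       # e.g. "192.0.2.0/24"
    max_length: int   # maximum announced prefix length the ROA allows
    asn: int          # authorised origin AS


def _net(p):
    return ipaddress.ip_network(p, strict=False)


def apply_ignore_filter(vrps, filter_prefix):
    """Drop every VRP whose prefix overlaps the filter prefix (as if no ROA existed)."""
    f = _net(filter_prefix)
    return [v for v in vrps if not _net(v.prefix).overlaps(f)]


def apply_white_list(vrps, prefix, asn):
    """Add a local authorisation; assumption: max_length equals the prefix length."""
    return vrps + [VRP(prefix, _net(prefix).prefixlen, asn)]


def validate(vrps, announced_prefix, origin_asn):
    """Return (state, reason): state is VALID, INVALID or UNKNOWN per RFC 6811;
    reason is set only for INVALID: 'unauthorised AS' or 'too specific'."""
    ann = _net(announced_prefix)
    # A VRP covers the announcement when the announced prefix lies inside it
    covering = [v for v in vrps
                if _net(v.prefix).version == ann.version
                and ann.subnet_of(_net(v.prefix))]
    if not covering:
        return "UNKNOWN", None
    for v in covering:
        if v.asn == origin_asn and ann.prefixlen <= v.max_length:
            return "VALID", None
    # Covered, but no VRP matches: distinguish the two INVALID reasons
    if any(v.asn == origin_asn for v in covering):
        return "INVALID", "too specific"
    return "INVALID", "unauthorised AS"


# Constructed sample VRP (documentation prefix and ASN, not a real ROA)
SAMPLE_VRPS = [VRP("192.0.2.0/24", 24, 64496)]

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                     ("192.0.2.0/24", 64497), ("198.51.100.0/24", 64496)]:
        print(pfx, asn, validate(SAMPLE_VRPS, pfx, asn))
```

Running the white list case for a second origin AS shows the side effect the White List section warns about: the entry turns that AS's announcement from UNKNOWN to INVALID.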


You can find detailed documentation on the RPKI Validator API page.

Router Sessions

The RIPE NCC RPKI Validator is capable of communicating with RPKI-capable routers. The router will fetch the full dataset from the validation service and you can use it to create route maps based on the RPKI validation state of the route announcements the router sees.

RPKI-Router functionality is based on open IETF standards and is being implemented by several router vendors. Cisco currently has RPKI support available on several platforms, with more to follow. Juniper has supported RPKI since release 12.2. Quagga offers support through the BGP Secure Routing Extension (BGP-SRx).
