[routing-wg] looking for online RPKI dashboard / looking glass?
Jay Borkenhagen jayb at braeburn.org
Tue May 1 21:33:22 CEST 2018
Gert Doering writes:
> Hi,
>
> is there an online looking glass to see RPKI status for ``everything a
> given AS announces / transits''?
>
> Say, I want to check my AS (AS5539) plus all downstream customers
> (... visible at the vantage point of said tool, of course).
>
> I have found whois.bgpmon.net, which I can use by feeding prefix after
> prefix into whois and then parsing the reply, but that's a bit cumbersome
> for "give me all there is to know".  Basically
>
>   show ip bgp reg _5539_
>
> and then for each prefix returned, check RPKI status, flag green/red/yellow.
>

Hi Gert,

I know it's not precisely what you were asking for, but RPKI origin
validation is configured on our route-server.ip.att.net, freely
accessible via telnet.  You could run something like:

  show route aspath-regex ".*5539.*" terse active-path | match /

I just ran that command and I see some prefixes validating in all
three categories: Valid, Invalid, and Not Found.

Of course, this method is influenced significantly by how the as7018
network learns routes that pass through as5539: if our best path to
some destination does not come via 5539, it won't show up using this
method.

The as7018 network itself is not yet making any bgp decisions based on
validation status, so our route-server still receives Invalid routes.
That won't remain the case forever, though.  :)

If you're interested in the validated ROAs known by route-server:

  show validation database origin-autonomous-system 5539

Feel free to ping me privately if you have questions about the way
route-server is configured.

Jay B.
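
An added example, not part of the original message or of the route-server's configuration: the check discussed in this thread, selecting routes whose AS path contains a given AS and classifying each one by RPKI origin validation (RFC 6811) as valid, invalid or not-found. The routes, ROA payloads and documentation ASNs are constructed sample data, the function names are hypothetical, and AS_SET origins are not handled.

```python
import ipaddress

# Constructed sample data: documentation prefixes and documentation ASNs,
# not real routing state. Validated ROA payloads: (prefix, maxLength, origin AS).
VRPS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
    ("2001:db8::/32", 48, 64500),
]
# Routes seen at one vantage point: (prefix, AS path); the last AS is the origin.
ROUTES = [
    ("192.0.2.0/24", [64496, 5539, 64500]),     # matches a ROA exactly
    ("198.51.100.0/25", [64496, 5539, 64501]),  # longer than maxLength
    ("203.0.113.0/24", [5539, 64502]),          # no covering ROA
    ("2001:db8:1::/48", [64496, 5539, 64499]),  # covered, wrong origin AS
    ("192.0.2.0/24", [64496, 64497, 64500]),    # best path not via 5539
]

def validate(prefix, origin, vrps):
    """Classify one route per RFC 6811: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        roa_net = ipaddress.ip_network(vrp_prefix)
        # A ROA covers the route if it is the same address family and the
        # route's prefix is equal to or more specific than the ROA prefix.
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # AS 0 in a ROA never matches any origin (RFC 6483, RFC 7607).
        if net.prefixlen <= max_len and asn == origin and asn != 0:
            return "valid"
    return "invalid" if covered else "not-found"

def report(routes, vrps, asn):
    """Return (prefix, origin, state) for every route whose path contains asn."""
    return [(prefix, path[-1], validate(prefix, path[-1], vrps))
            for prefix, path in routes if asn in path]

if __name__ == "__main__":
    for prefix, origin, state in report(ROUTES, VRPS, 5539):
        print(f"{prefix:20} AS{origin:<6} {state}")
```

As with the route-server method, a route appears in the report only if the vantage point's path to it includes the AS being checked.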