The RPKI Management API allows you to manage your Certificate Authority and ROAs systematically. Everything that you can do within the management interface in the LIR Portal is possible in the API, ranging from requesting which BGP announcements you do with your certified address space, to creating ROAs and setting up alerts. The API accepts HTTP POST messages with JSON in the payload.
Because the RPKI is private for your LIR, it is only accessible through the API after creating an access key. In order to this, please follow these steps:
Please note that the value of the key is displayed only once, when it is created, and the hashed value is stored in the database. You are responsible for maintaining your keys. You can create as many keys as you like and revoke unused keys as needed.
The API is available on both the production and pilot systems. This means you can test your configuration on the pilot first without affecting prodution data. These are the base URLs for the different servers:
Appending the key:
They key can be passed to the request as a URL parameter or as a request header value. We strongly recommend using the header to pass the API Key, so that the key is not stored in any server logs.
--header 'ncc-api-authorization: <api-key>'
or
?key=<api-key>
This is a GET call that results in a list of all resources on your certificate
https://my.ripe.net/api/rpki/resources
{
"resources": [
"84.205.64.0/19",
"93.175.144.0/20",
"193.30.30.0/23",
"2001:67c:e0::/48",
"2001:67c:2e8::/48",
"2001:67c:2888::/47",
"2001:67c:2900::/43",
"2001:67c:2d7c::/48",
"2001:7fb::/32",
"2001:7fd::/32"
]
}
This is a GET call that results in a list of all BGP announcements that are done with your certified address space, according to the RIPE NCC RIS Route Collectors.
Description:
$ https://my.ripe.net/api/rpki/announcements
[
{
"asn": "AS12654",
"prefix": "2001:7fb:fe0f::/48",
"visibility": 90,
"currentState": "VALID",
"suppressed": false
},
{
"asn": "AS12654",
"prefix": "84.205.71.0/24",
"visibility": 98,
"currentState": "VALID",
"suppressed": false
},
{
"asn": "AS12654",
"prefix": "2001:7fb:ff03::/48",
"visibility": 85,
"currentState": "UNKNOWN",
"suppressed": true
}
]
This is a GET call that results in a list of all ROAs that you have created.
$ https://my.ripe.net/api/rpki/roas
[
{
"asn": "AS12654",
"prefix": "84.205.76.0/24",
"maximalLength": 24,
"_numberOfValidsCaused": 1,
"_numberOfInvalidsCaused": 0
},
{
"asn": "AS12654",
"prefix": "2001:7fb:ff02::/48",
"maximalLength": 48,
"_numberOfValidsCaused": 1,
"_numberOfInvalidsCaused": 0
}
]
Description:
When you want to update your ROAs, POST the contents of a file with the ROAs you would like to add and/or delete. Multiple ROAs are allowed in the same call. The format of the JSON is as follows:
{
"added": [
{
"asn": "AS12654",
"prefix": "2001:7fb:fd03::/48",
"maximalLength": "48"
},
{
"asn": "AS12654",
"prefix": "2001:7fb:ff03::/48",
"maximalLength": "48"
}
],
"deleted": []
}
In this example, the file is saved as roas.json. Add the -v flag if you would like verbose output.
$ curl -H "Content-Type: application/json" --data @roa.json
https://my.ripe.net/api/rpki/roas/publish?key=[your-api-access-key]
It can be useful to get specific information on how your BGP announcements are affected by a ROA. This can be a ROA that you have already created, or one that doesn't exist (yet). The latter is useful for finding out what the effect on your BGP announcements would be, if you would create a certain ROA. Keep in mind that when determining the validity state of a BGP announcement, this query takes all your existing ROAs into account. We will only warn you about any INVALID BGP announcements if no other existing ROA authorises it.
$ curl -H "Content-Type: application/json" -d
'{"asn":"AS65411","prefix":"193.0.24.0/21","maximalLength":21}'
https://my.ripe.net/api/rpki/announcements/affected?key=[your-api-access-key]
[
{
"asn":"AS2121",
"prefix":"193.0.24.0/21",
"visibility":108,
"currentState":"INVALID_ASN",
"suppressed":false
}
]
In this case, the result is that one BGP announcement – 193.0.24.0/21 from AS2121 – will become INVALID because it would be originated from unauthorised ASN.
When you want to subscribe to email alerts, POST the contents of a file with the email addresses and the type of alerts you want to receive:
{
"emails":[
"[email protected]","[email protected]"
],
"routeValidityStates":[
"INVALID_ASN","INVALID_LENGTH","UNKNOWN"
]
}
In this example, the file is saved as alerts.json. Add the -v flag if you would like verbose output.
$ curl -H "Content-Type: application/json" --data @alerts.json
https://my.ripe.net/api/rpki/alerts?key=[your=api-access-key]
If one of your BGP announcements has the status UNKNOWN or INVALID and you do not wish to receive an email alert about it, then you can suppress it:
$ curl -H "Content-Type: application/json" -d '[{"asn":"AS2121","prefix":"193.0.24.0/21"}]'
https://my.ripe.net/api/rpki/alerts/suppress?key=[your-api-access-key]
You can re-enable alerts with unsuppress:
$ curl -H "Content-Type: application/json" -d '[{"asn":"AS2121","prefix":"193.0.24.0/21"}]'
https://my.ripe.net/api/rpki/alerts/unsuppress?key=[your-api-access-key]
Both commands will not return any data, but respond with status code "HTTP/1.1 200 OK" if successful.
Error codes
The API will return detailed messages if you make a mistake. In these examples, the '-i' flag is added to curl to display the associated HTTP status codes.
An incorrect API Access Key will result in a "401 Unauthorized" error.
$ curl https://my.ripe.net/api/rpki/roas?key=[false-api-access-key]
HTTP/1.1 401 Unauthorized
Date: Mon, 09 Feb 2015 12:59:49 GMT
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 1728000
X-Response-Time: 39
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
If you try to create a ROA for a prefix that you are not the holder of, you will get a "403 Forbidden" error, with detailed information in the body.
$ curl -H "Content-Type: application/json" --data @roa.json
https://my.ripe.net/api/rpki/roas/publish?key=[your=api-access-key]
HTTP/1.1 403 Forbidden
Date: Mon, 09 Feb 2015 12:59:49 GMT
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 1728000
X-Response-Time: 39
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
{"error":"You are not a holder of the prefix 194.0.24.0/21"}
If you make a syntax error in your JSON request, or try to post a ROA containing a non-existing prefix, you will get a "400 Bad Request" error.
$ curl -H "Content-Type: application/json" --data @roa.json
https://my.ripe.net/api/rpki/roas/publish?key=[your=api-access-key]
HTTP/1.1 400 Bad Request
Date: Mon, 09 Feb 2015 12:59:49 GMT
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 1728000
X-Response-Time: 39
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
{"error":"Bad request for '/api/rpki/roas/publish' with error 'Invalid Json'"}