RPKI Origin Validation checker

rpki-ov-checker is a small tool that shows which prefixes, and with which origin ASes, are impacted by the RFC 6811 Origin Validation procedure.

The purpose is to quickly identify the operational impact of the various RPKI validation states.

Installation

pip3 install git+https://github.com/job/rpki-ov-checker

Example use case

Here we extract routes from an IOS XR device and process them to figure out which customers we should contact to help them repair their RPKI ROAs or BGP announcements.

# obtain a list of all customer prefixes
$ ssh r02.amstnl02.nl.bb.gin.ntt.net 'show bgp ipv4 uni community 2914:370 | include /' \
    | grep -v /32 | grep -v \( > customers-v4
$ dos2unix customers-v4

# obtain whole BGP RIB
$ ssh r02.amstnl02.nl.bb 'show bgp ipv4 uni | include /' \
    | grep -v /32 | grep -v \( > rib-v4
$ dos2unix rib-v4

# cook the output a bit, screen scraping sucks... I weep gently
$ sed 's/^...//' customers-v4 \
    | awk '{ print $1 }' \
    | egrep "^[0-9]" > customer_prefixes
$ sed 's/^...//;s/ .$//;s/{.*//' rib-v4 \
    | awk '{ print $1 " " $NF }' \
    | egrep "^[0-9]" > full_rib 

# run the checker and filter out customers
$ rpki-ov-checker full_rib | fgrep -f customer_prefixes | grep invalid | sort -R | head
invalid_covered_by_notfound 123.101.0.0/21 4809 covering route: 123.101.0.0/16 4134
invalid_covered_by_valid 46.3.74.0/24 134121 covering route: 46.3.0.0/16 207636
invalid_unreachable 83.231.209.0/24 3949
invalid_unreachable 124.30.247.0/24 9583
invalid_covered_by_valid 125.21.232.0/24 9730 covering route: 125.21.0.0/16 9498
invalid_unreachable 120.29.92.0/24 17639
invalid_unreachable 31.40.164.0/24 200872
invalid_covered_by_notfound 45.12.139.0/24 40676 covering route: 45.12.136.0/22 35913
invalid_covered_by_valid 122.160.178.0/24 24560 covering route: 122.160.0.0/16 24560
invalid_covered_by_valid 61.90.251.0/24 21734 covering route: 61.90.192.0/18 7470

invalid_unreachable: the RIB entry is invalid, and no alternative valid or notfound route exists to that set of destination IP addresses. These entries are the problematic ones.

invalid_covered_by_valid: the RIB entry is invalid, but covered by a valid route. The IP addresses covered by the route will remain reachable.

invalid_covered_by_notfound: the RIB entry is invalid, but covered by a less specific route which is notfound.
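
How the three labels above follow from RFC 6811 validation plus a covering-route lookup, as an added example (not rpki-ov-checker's own code). The VRPs and RIB entries are constructed from documentation prefixes and ASNs, and the way one covering route is chosen over another is an assumption.

```python
import ipaddress

# Constructed sample data: documentation prefixes and documentation ASNs.
# A VRP (Validated ROA Payload) is (prefix, max_length, origin_asn).
VRPS = [("192.0.2.0/24", 24, 64500),
        ("198.51.100.0/25", 25, 64503),
        ("203.0.113.0/24", 24, 64506)]
# RIB entries are (prefix, origin_asn), like the lines of the full_rib file.
RIB = [("192.0.2.0/24", 64500), ("192.0.2.128/25", 64501),
       ("198.51.100.0/24", 64504), ("198.51.100.0/25", 64502),
       ("203.0.113.0/24", 64505)]

def covers(outer, inner):
    """True if prefix `outer` contains prefix `inner` (same address family)."""
    o, i = ipaddress.ip_network(outer), ipaddress.ip_network(inner)
    return o.version == i.version and i.subnet_of(o)

def validate(prefix, origin, vrps=VRPS):
    """RFC 6811 state of one route: 'valid', 'invalid' or 'notfound'."""
    matching = [v for v in vrps if covers(v[0], prefix)]
    if not matching:
        return "notfound"  # no VRP covers the route prefix
    length = ipaddress.ip_network(prefix).prefixlen
    for _, max_length, asn in matching:
        if asn == origin and length <= max_length:
            return "valid"
    return "invalid"  # covered by a VRP, but none matches origin and length

def classify(prefix, origin, rib=RIB, vrps=VRPS):
    """Return (label, covering_route_or_None) using the labels described above."""
    state = validate(prefix, origin, vrps)
    if state != "invalid":
        return state, None
    # Assumption: an alternative is any other RIB entry containing this prefix.
    others = [(p, a, validate(p, a, vrps)) for p, a in rib
              if (p, a) != (prefix, origin) and covers(p, prefix)]
    # Assumption: a valid cover wins over notfound; ties go to the longest prefix.
    for wanted in ("valid", "notfound"):
        hits = [(p, a) for p, a, s in others if s == wanted]
        if hits:
            best = max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
            return "invalid_covered_by_" + wanted, best
    return "invalid_unreachable", None

if __name__ == "__main__":
    for p, a in RIB:
        label, cover = classify(p, a)
        extra = " covering route: %s %d" % cover if cover else ""
        print(label, p, a, sep=" ", end=extra + "\n")
```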

Copyright

Copyright (c) 2020 Job Snijders job@ntt.net
