[164148] in North American Network Operators' Group
RPKI Validator 2.11 with RESTful API
daemon@ATHENA.MIT.EDU (Alex Band)
Wed Jun 26 16:08:55 2013
From: Alex Band <alexb@ripe.net>
Date: Wed, 26 Jun 2013 22:08:27 +0200
To: "nanog@nanog.org list" <nanog@nanog.org>
We just released a new version of the RIPE NCC RPKI Validator with some major new functionality.
The application has always been able to determine the RPKI validity state of a BGP announcement, but it was only visible in the UI. Many users have asked us to expose this functionality through an API, so it can be used for scripting and alerting. In addition, operators have expressed that they would like to know the reason for an 'Invalid' BGP announcement: whether it is an origination from an unauthorised AS or if it is a more specific announcement than is allowed by the Maximum Length of the ROA.
All of this is now available in version 2.11. When you supply a combination of AS and IP prefix, they will be matched against all the Validated ROA Prefixes (VRPs) that are in the cache of the RPKI Validator. The result is returned in JSON format and contains the following information:
- The RPKI validity state
- The VRPs that caused the state
- In case of an 'Invalid' state, the reason
So for example, when running this:
$ curl http://localhost:8080/api/v1/validity/AS12654/93.175.147.0/24
The response will be:
{
  "validated_route":{
    "route":{
      "origin_asn":"AS12654",
      "prefix":"93.175.147.0/24"
    },
    "validity":{
      "state":"Invalid",
      "reason":"as",
      "description":"At least one VRP Covers the Route Prefix, but no VRP ASN matches the route origin ASN",
      "VRPs":{
        "matched":[],
        "unmatched_as":[{
          "asn":"AS196615",
          "prefix":"93.175.147.0/24",
          "max_length":24
        }],
        "unmatched_length":[]
      }
    }
  }
}
Full documentation is available here:
https://www.ripe.net/developers/rpki-validator-api
You can download the application here:
http://www.ripe.net/certification/tools-and-resources
Kaia Global Networks offers a testbed where you can try out the functionality on a public instance of the RPKI Validator:
http://195.13.63.18:8080/export
We look forward to your feedback, to hear how we can improve on this functionality.
Kind regards,
Alex Band
Product Manager
RIPE NCC
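
The following is an added example, not part of the original message and not RIPE NCC code: a sketch of the scripting and alerting use the message describes, which parses a validity response and re-derives the verdict from the returned VRPs using the RFC 6811 origin validation rules. The sample body is a constructed copy of the response above; the "NotFound" state name, the "length" reason value and the function names are assumptions.

```python
import ipaddress
import json

# Constructed copy of the response shown in the message, embedded so this runs offline.
SAMPLE = json.dumps({"validated_route": {
    "route": {"origin_asn": "AS12654", "prefix": "93.175.147.0/24"},
    "validity": {
        "state": "Invalid", "reason": "as",
        "description": "At least one VRP Covers the Route Prefix, "
                       "but no VRP ASN matches the route origin ASN",
        "VRPs": {"matched": [],
                 "unmatched_as": [{"asn": "AS196615",
                                   "prefix": "93.175.147.0/24", "max_length": 24}],
                 "unmatched_length": []}}}})

def classify(origin_asn, prefix, vrps):
    """RFC 6811 origin validation of one route against a list of VRPs."""
    route = ipaddress.ip_network(prefix)
    covering = []
    for v in vrps:
        net = ipaddress.ip_network(v["prefix"])
        # A VRP covers the route if the route is equal to or more specific than it.
        if net.version == route.version and route.subnet_of(net):
            covering.append(v)
    if not covering:
        return "NotFound", None          # state name is an assumption
    same_as = [v for v in covering if v["asn"] == origin_asn]
    if any(route.prefixlen <= v["max_length"] for v in same_as):
        return "Valid", None
    # "length" as a reason value is an assumption; the message only shows "as".
    return "Invalid", "length" if same_as else "as"

def audit(body):
    """Parse a validity response and re-derive the verdict from its VRPs."""
    vr = json.loads(body)["validated_route"]
    route, validity = vr["route"], vr["validity"]
    vrps = [v for group in validity["VRPs"].values() for v in group]
    state, reason = classify(route["origin_asn"], route["prefix"], vrps)
    return {"route": route,
            "api": (validity["state"], validity.get("reason")),
            "local": (state, reason),
            "consistent": validity["state"] == state,
            "alert": state == "Invalid"}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A monitoring job would feed `audit()` the body fetched from the `/api/v1/validity/` endpoint for each prefix it originates and raise an alert when `alert` is true or `consistent` is false.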