Thank You!
*Paschal Masha*
Lead Network Engineer
6x7 Networks | +254735071089
Time Zone:GMT+3

On Fri, Nov 20, 2020 at 5:09 PM Job Snijders <j...@ntt.net> wrote:

> Dear all,
>
> I'd like to introduce another tool to inspect RPKI data... the
> rpki-client console! Comes with an authentic 90s look & feel :-)
>
> The Frontpage - http://console.rpki-client.org/
> -----------------------------------------------
> On the front page you can see stdout + stderr of the most recent
> rpki-client run. The log shows which publication points were contacted
> and prints any issues encountered with specific RPKI files.
>
> Those of us publishing RPKI data should keep an eye out not to show up
> in this type of log with warnings or errors. For example:
>
>     rpki-client: cc.rg.net/rpki/RGnet-cc/1opByAd8x8R2F-SzstgaYzVXK8Q.mft:
>     mft expired on Oct 12 17:58:45 2020 GMT
>
> However, the above line might be the result of some kind of experiment
> someone is conducting :-)
>
> The RPKI distributed database currently is more than 120,000 (!)
> certificate/roa/manifest files, and only a handful of files have some
> kind of completeness or expiration date issue. Good job everyone! :-)
>
> The ASN specific pages - http://console.rpki-client.org/AS2914.html
> -------------------------------------------------------------------
> You can substitute the 'AS2914' portion in the URL for any ASN to see
> which .roa files reference the given ASN. Another example, here one can
> see all ROAs which authorize AS 8283 as origin:
> https://console.rpki-client.org/AS8283.html
> If you encounter an HTTP 404 error, no ROAs reference the ASN.
>
> On the 'per ASN page' you can search click the .roa files on the left
> side to inspect the ROA. Each object in the RPKI has a unique Subject
> Key Identifier (SKI). An example of a SKI is this hexadecimal identifier
> '06:96:B3:F7:CC:AD:55:45:A5:3A:64:32:31:2B:7F:E1:2B:7A:15:22' which
> maps to a filename like '
> rpki.apnic.net/member_repository/A91A4C60/B526FF74D84111E9A4521413C4F9AE02/12F0D72E7BC111EA8503D815C4F9AE02.roa
> '
>
> Yeah... compared to DNS names mapping to IPv6 addresses, in the RPKI
> neither the path name nor the SKI are easy to remember :-)
>
> The console can show that .roa file in human readable format, just
> append .html:
> http://console.rpki-client.org/rpki.apnic.net/member_repository/A91A4C60/B526FF74D84111E9A4521413C4F9AE02/12F0D72E7BC111EA8503D815C4F9AE02.roa.html
>
> Every object in the RPKI is subordinate to another object (all objects
> are signed by a parent certificate, except the Trust Anchors). The
> parent is identified by the Authority Key Identifier (AKI). So one
> object's AKI is another object's SKI! If you click the AKI, the console
> brings you to the parent object, from where you can continue to explore
> other objects related to parent.
>
> Certificates point to Manifests, and .mft files contain the 'directory
> indexes' of the RPKI:
> http://console.rpki-client.org/rpki.apnic.net/member_repository/A91A4C60/B526FF74D84111E9A4521413C4F9AE02/nvnkN242ZTJ1x5Y1mNa0W3CvgJk.mft.html
> From the manifest overview you can jump to the parent, click the
> referenced .roa, .cer or .crl files.
>
> All directories on the webserver are 'open', except the root. This
> allows you to explore this RPKI cache by browsing through the filesystem
> directly, example:
> http://console.rpki-client.org/rpki.apnic.net/member_repository/
>
> Final notes
> -----------
> The rpki-client console provides a view on *validated* RPKI data. First
> rpki-client runs and prunes bad files, then all HTML is generated. The
> console provides a view on the data as used in production Internet
> routers. Please note: the console's rendering is delayed by a bit over
> an hour compared to the real thing.
>
> Another entry point, you can use your browser's 'find on page' function
> to search for anything in all of it on this humongous page:
> http://console.rpki-client.org/roas.html
>
> The RPKI is a very intricate collection of references, I hope this console
> offers another useful perspective on the tree-like structures. Enjoy!
>
> Kind regards,
>
> Job
>
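
The advice in the quoted message to watch the front-page log for your own publication point can be scripted. The following is an added example, not part of the original thread and not code from rpki-client: it filters log text for lines about one repository host and reports how many days ago a manifest expired. It assumes the `rpki-client: <path>: <message>` shape of the single log line quoted above (taken as one line of output); the function name `findings_for`, the second and third sample lines and the reference time are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Shape assumed from the one line quoted in the message:
#   rpki-client: <repository path>: mft expired on Oct 12 17:58:45 2020 GMT
LINE_RE = re.compile(r"^rpki-client: (?P<path>[^\s:]+): (?P<msg>.+)$")
EXPIRED_RE = re.compile(
    r"^mft expired on (?P<when>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT$")

# First line is from the message; the other two are constructed samples.
SAMPLE_LOG = """\
rpki-client: cc.rg.net/rpki/RGnet-cc/1opByAd8x8R2F-SzstgaYzVXK8Q.mft: mft expired on Oct 12 17:58:45 2020 GMT
rpki-client: rpki.example.net/repo/constructed-manifest.mft: mft expired on Nov  1 00:00:00 2020 GMT
constructed line that is not an rpki-client warning
"""


def findings_for(log_text, host, now):
    """Return log findings for objects published under `host` (hypothetical helper).

    `host` is compared with the first path component, which is the
    repository hostname in the paths shown in the message.
    """
    findings = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # not a per-file warning in the assumed shape
        path = line.group("path")
        if path.split("/", 1)[0].lower() != host.lower():
            continue  # some other operator's publication point
        item = {"path": path, "message": line.group("msg"), "expired_days": None}
        expired = EXPIRED_RE.match(line.group("msg"))
        if expired:
            when = datetime.strptime(expired.group("when"), "%b %d %H:%M:%S %Y")
            when = when.replace(tzinfo=timezone.utc)  # log timestamps are GMT
            item["expired_days"] = (now - when).days
        findings.append(item)
    return findings


if __name__ == "__main__":
    # Constructed reference time; in practice use datetime.now(timezone.utc).
    ref = datetime(2020, 11, 20, tzinfo=timezone.utc)
    for f in findings_for(SAMPLE_LOG, "cc.rg.net", ref):
        print(f["path"], "-", f["message"], "-", f["expired_days"], "days ago")
```

A non-empty result for your own hostname is the condition to alert on; remember the console's rendering lags the live data by a bit over an hour.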