We just released a new version of the RIPE NCC RPKI Validator with some major new functionality.
The application has always been able to determine the RPKI validity state of a BGP announcement, but it was only visible in the UI. Many users have asked us to expose this functionality through an API, so it can be used for scripting and alerting. In addition, operators have expressed that they would like to know the reason of an 'Invalid' BGP announcement: whether it is an origination from unauthorised AS or if it is a more specific announcement than is allowed by the Maximum Length of the ROA. All of this is now available in version 2.11. When you supply a combination of AS and IP prefix, they will be matched against all the Validated ROA Prefixes (VRPs) that are in the cache of the RPKI Validator. The result is returned in JSON format and contains the following information: - The RPKI validity state - The VRPs that caused the state - In case of an 'Invalid' state, the reason So for example, when running this: $ curl http://localhost:8080/api/v1/validity/AS12654/93.175.147.0/24 The response will be: { "validated_route":{ "route":{ "origin_asn":"AS12654", "prefix":"93.175.147.0/24" }, "validity":{ "state":"Invalid", "reason":"as", "description":"At least one VRP Covers the Route Prefix, but no VRP ASN matches the route origin ASN", "VRPs":{ "matched":[], "unmatched_as":[{ "asn":"AS196615", "prefix":"93.175.147.0/24", "max_length":24 }], "unmatched_length":[] } } } Full documentation is available here: https://www.ripe.net/developers/rpki-validator-api You can download the application here: http://www.ripe.net/certification/tools-and-resources Kaia Global Networks offers a testbed where you can try out the functionality on a public instance of the RPKI Validator: http://195.13.63.18:8080/export We look forward to your feedback, to hear how we can improve on this functionality. Kind regards, Alex Band Product Manager RIPE NCC
