inspecting RPKI data: console.rpki-client.org
Dear all,

I'd like to introduce another tool to inspect RPKI data... the rpki-client console! Comes with an authentic 90s look & feel :-)

The Frontpage - http://console.rpki-client.org/
-----------------------------------------------

On the front page you can see stdout + stderr of the most recent rpki-client run. The log shows which publication points were contacted and prints any issues encountered with specific RPKI files.

Those of us publishing RPKI data should keep an eye out not to show up in this type of log with warnings or errors. For example:

rpki-client: cc.rg.net/rpki/RGnet-cc/1opByAd8x8R2F-SzstgaYzVXK8Q.mft: mft expired on Oct 12 17:58:45 2020 GMT

However, the above line might be the result of some kind of experiment someone is conducting :-)

The RPKI distributed database currently is more than 120,000 (!) certificate/roa/manifest files, and only a handful of files have some kind of completeness or expiration date issue. Good job everyone! :-)

The ASN specific pages - http://console.rpki-client.org/AS2914.html
-------------------------------------------------------------------

You can substitute the 'AS2914' portion in the URL for any ASN to see which .roa files reference the given ASN. Another example, here one can see all ROAs which authorize AS 8283 as origin: https://console.rpki-client.org/AS8283.html

If you encounter an HTTP 404 error, no ROAs reference the ASN.

On the 'per ASN page' you can click the .roa files on the left side to inspect the ROA. Each object in the RPKI has a unique Subject Key Identifier (SKI). An example of a SKI is this hexadecimal identifier '06:96:B3:F7:CC:AD:55:45:A5:3A:64:32:31:2B:7F:E1:2B:7A:15:22' which maps to a filename like 'rpki.apnic.net/member_repository/A91A4C60/B526FF74D84111E9A4521413C4F9AE02/12F0D72E7BC111EA8503D815C4F9AE02.roa'

Yeah... compared to DNS names mapping to IPv6 addresses, in the RPKI neither the path name nor the SKI are easy to remember :-)

The console can show that .roa file in human readable format, just append .html: http://console.rpki-client.org/rpki.apnic.net/member_repository/A91A4C60/B52...

Every object in the RPKI is subordinate to another object (all objects are signed by a parent certificate, except the Trust Anchors). The parent is identified by the Authority Key Identifier (AKI). So one object's AKI is another object's SKI! If you click the AKI, the console brings you to the parent object, from where you can continue to explore other objects related to the parent.

Certificates point to Manifests, and .mft files contain the 'directory indexes' of the RPKI: http://console.rpki-client.org/rpki.apnic.net/member_repository/A91A4C60/B52...

From the manifest overview you can jump to the parent, click the referenced .roa, .cer or .crl files.

All directories on the webserver are 'open', except the root. This allows you to explore this RPKI cache by browsing through the filesystem directly, example: http://console.rpki-client.org/rpki.apnic.net/member_repository/

Final notes
-----------

The rpki-client console provides a view on *validated* RPKI data. First rpki-client runs and prunes bad files, then all HTML is generated. The console provides a view on the data as used in production Internet routers. Please note: the console's rendering is delayed by a bit over an hour compared to the real thing.

Another entry point, you can use your browser's 'find on page' function to search for anything in all of it on this humongous page: http://console.rpki-client.org/roas.html

The RPKI is a very intricate collection of references, I hope this console offers another useful perspective on the tree-like structures. Enjoy!

Kind regards,
Job
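A small checker for the front-page log, added here as an example and not part of Job's console or rpki-client itself: it parses lines of the shape quoted in the mail, groups them by publication point host so an operator can watch for their own repositories, and turns an "mft expired on ..." message into an age. The line pattern is an assumption generalised from the single quoted line; the `rpki.example.net` line, its message and the "now" timestamp are constructed.

```python
import re
from datetime import datetime, timezone

# Shape of the lines rpki-client prints on the console's front page
# (an assumption generalised from the one line quoted in the mail):
#   rpki-client: <file path>: <message>
LINE_RE = re.compile(r"^rpki-client: (?P<path>\S+): (?P<msg>.+)$")
EXPIRED_RE = re.compile(
    r"mft expired on (?P<when>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT")

# Constructed sample: the first line is the one quoted in the mail, the rest
# is made up (the .roa path and its message are not real rpki-client output).
SAMPLE_LOG = """\
rpki-client: cc.rg.net/rpki/RGnet-cc/1opByAd8x8R2F-SzstgaYzVXK8Q.mft: mft expired on Oct 12 17:58:45 2020 GMT
rpki-client: rpki.example.net/repo/A1B2C3/constructed.roa: constructed warning text
some stderr noise that is not a per-file message
"""
# Constructed "now", one day after the expiry in the quoted line.
SAMPLE_NOW = datetime(2020, 10, 13, 17, 58, 45, tzinfo=timezone.utc)


def parse_log(text):
    """Return (host, path, message) for every per-file line in the log."""
    issues = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            path = m.group("path")
            issues.append((path.split("/", 1)[0], path, m.group("msg")))
    return issues


def issues_for_hosts(text, my_hosts):
    """Keep only the lines about publication points you operate, so a
    scheduled fetch of the front page can alert on your own repositories."""
    return [i for i in parse_log(text) if i[0] in set(my_hosts)]


def expired_for_seconds(msg, now):
    """For an 'mft expired on ...' message, seconds the manifest has been
    expired at `now` (negative if in the future); None for other messages."""
    m = EXPIRED_RE.search(msg)
    if not m:
        return None
    when = datetime.strptime(m.group("when"), "%b %d %H:%M:%S %Y")
    return (now - when.replace(tzinfo=timezone.utc)).total_seconds()
```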
Thank You!

*Paschal Masha*
Lead Network Engineer
6x7 Networks | +254735071089
Time Zone: GMT+3

On Fri, Nov 20, 2020 at 5:09 PM Job Snijders <job@ntt.net> wrote:
In before snark of "OMG "http" links to RPKI info HURF BLURF!"

( Just add the 's' yourself kids, Job is a good boy and does have this properly TLS'd. :) )

Thank you Job, excellent tool!

On Fri, Nov 20, 2020 at 9:08 AM Job Snijders <job@ntt.net> wrote:
On Fri, Nov 20, 2020 at 12:02:04PM -0500, Tom Beecher wrote:
> In before snark of "OMG "http" links to RPKI info HURF BLURF!"

But Tom, that is exactly the whole point of the RPKI :-) It's funny, but true! You really can safely use the RPKI data from the console website in your own production environment, even after it has been transported via mere HTTP - provided you have the TAL files to build the chain of trust.

This also applies to the console's HTML itself: if you have the TAL files + rpki-client + rsync + the openssl cli utility + ksh + perl, you can generate any of the pages yourself and thus confirm their authenticity and integrity.

Of course I don't expect anyone to jump through those hoops, but the source code is here: https://github.com/job/console.rpki-client.org

I'll concede HTTPS does provide some privacy while looking at these gorgeous ASN.1 data structures ;-)

Kind regards,
Job
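The AKI-to-SKI links described in the announcement (one object's AKI is another object's SKI, everything hangs off a Trust Anchor) and the chain of trust this reply relies on, walked in code as an added example that is not code from the console project. The cache records are constructed: only the ROA's SKI is the one quoted in the announcement, every path and other identifier is made up, and extracting the real identifiers from an object's certificate is left to a tool such as the openssl cli.

```python
# Constructed toy RPKI cache, each record carrying the two key identifiers the
# console links on. Only the ROA's SKI is the one quoted in the announcement;
# every path and every other identifier here is made up for illustration.
OBJECTS = [
    {"file": "rpki.example/ta.cer", "ski": "AA:AA:AA:AA", "aki": None},
    {"file": "rpki.example/A91A4C60/ca.cer", "ski": "BB:BB:BB:BB", "aki": "AA:AA:AA:AA"},
    {"file": "rpki.example/A91A4C60/ca.mft", "ski": "CC:CC:CC:CC", "aki": "BB:BB:BB:BB"},
    {"file": "rpki.example/A91A4C60/B526FF74.roa",
     "ski": "06:96:B3:F7:CC:AD:55:45:A5:3A:64:32:31:2B:7F:E1:2B:7A:15:22",
     "aki": "bb:bb:bb:bb"},
    # dangling: its AKI names a certificate that is not in the cache
    {"file": "rpki.example/orphan.roa", "ski": "DD:DD:DD:DD", "aki": "EE:EE:EE:EE"},
]


def normalize_ki(ki):
    """The console prints key identifiers as '06:96:B3:...'; other tools print
    bare lower-case hex. Compare them in one canonical form."""
    return ki.replace(":", "").upper()


def index_by_ski(objects):
    """SKI -> object. A duplicate SKI would make AKI links ambiguous."""
    idx = {}
    for obj in objects:
        key = normalize_ki(obj["ski"])
        if key in idx:
            raise ValueError(f"duplicate SKI {key}: {idx[key]['file']} and {obj['file']}")
        idx[key] = obj
    return idx


def chain_to_ta(file, objects):
    """Follow AKI -> parent's SKI from `file` up to a Trust Anchor (aki None).
    Returns file names leaf-first; raises if a link is dangling or loops."""
    idx = index_by_ski(objects)
    cur = next(o for o in objects if o["file"] == file)
    chain = []
    while True:
        if cur["file"] in chain:
            raise ValueError(f"AKI loop at {cur['file']}")
        chain.append(cur["file"])
        if cur["aki"] is None:
            return chain
        parent = idx.get(normalize_ki(cur["aki"]))
        if parent is None:
            raise ValueError(f"{cur['file']}: no object has SKI {normalize_ki(cur['aki'])}")
        cur = parent


def children_of(file, objects):
    """Objects whose AKI equals this object's SKI (what the console lists under a parent)."""
    ski = normalize_ki(next(o for o in objects if o["file"] == file)["ski"])
    return sorted(o["file"] for o in objects
                  if o["aki"] is not None and normalize_ki(o["aki"]) == ski)
```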