nanog mailing list archives

Re: inspecting RPKI data: console.rpki-client.org


From: Job Snijders <job () ntt net>
Date: Fri, 20 Nov 2020 22:41:23 +0000

On Fri, Nov 20, 2020 at 12:02:04PM -0500, Tom Beecher wrote:
> In before snark of "OMG "http" links to RPKI info HURF BLURF!"

But Tom, that is exactly the whole point of the RPKI :-)

It's funny, but true! You really can safely use the RPKI data from the
console website in your own production environment, even after it has
been transported via mere HTTP - provided you have the TAL files to
build the chain of trust.

This also applies to the console's HTML itself: if you have the
TAL files + rpki-client + rsync + the openssl cli utility + ksh + perl;
you can generate any of the pages yourself and thus confirm their
authenticity and integrity.

Of course I don't expect anyone to jump through those hoops, but the
source code is here: https://github.com/job/console.rpki-client.org

I'll concede HTTPS does provide some privacy while looking at these
gorgeous ASN.1 data structures ;-)

Kind regards,

Job
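
The first link of the chain of trust described in the message above, as an added example (not part of the original post or of the console.rpki-client.org source): a TAL pins the trust anchor's public key, so a trust anchor certificate fetched over any transport is accepted only if its key matches. It assumes the openssl CLI is installed; the function names, the URI and the self-signed stand-in certificates are constructed for illustration, and rpki-client performs the remaining certificate-chain and signature validation.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and URI here is generated or
# made up locally; nothing comes from a real RPKI trust anchor.

# Base64 SubjectPublicKeyInfo of a PEM certificate, on one line.
cert_spki_b64() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl base64 -A
}

# Write an RFC 8630-style TAL: URI line, blank line, wrapped base64 key.
make_tal() {  # make_tal <ta-cert.pem> <uri> <out.tal>
    { printf '%s\n\n' "$2"; cert_spki_b64 "$1" | fold -w 64; echo; } > "$3"
}

# Key from a TAL: all lines after the first blank line, joined.
tal_spki_b64() {
    tr -d '\r' < "$1" | awk 'seen { printf "%s", $0 } /^$/ { seen = 1 }'
}

# True only if the certificate, however it was fetched, carries exactly
# the key pinned in the TAL. An empty or unreadable key never matches.
ta_matches_tal() {  # ta_matches_tal <fetched-cert.pem> <tal>
    pinned=$(tal_spki_b64 "$2")
    [ -n "$pinned" ] && [ "$(cert_spki_b64 "$1" 2>/dev/null)" = "$pinned" ]
}

# Hypothetical helper: self-signed stand-in for a trust anchor certificate.
new_ta() {  # new_ta <dir> <name>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    new_ta "$d" genuine && new_ta "$d" substituted || return 1
    make_tal "$d/genuine.pem" "http://ta.example.invalid/ta.cer" "$d/demo.tal"
    ta_matches_tal "$d/genuine.pem" "$d/demo.tal" && echo "genuine: accepted"
    ta_matches_tal "$d/substituted.pem" "$d/demo.tal" || echo "substituted: rejected"
    rm -rf "$d"
}
demo
```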

