nanog mailing list archives

RPKI Validator 2.11 with RESTful API


From: Alex Band <alexb () ripe net>
Date: Wed, 26 Jun 2013 22:08:27 +0200

We just released a new version of the RIPE NCC RPKI Validator with some major new functionality. 

The application has always been able to determine the RPKI validity state of a BGP announcement, but it was only
visible in the UI. Many users have asked us to expose this functionality through an API, so it can be used for
scripting and alerting. In addition, operators have expressed that they would like to know the reason for an 'Invalid'
BGP announcement: whether it is an origination from an unauthorised AS or if it is a more specific announcement than is
allowed by the Maximum Length of the ROA.

All of this is now available in version 2.11. When you supply a combination of AS and IP prefix, they will be matched 
against all the Validated ROA Prefixes (VRPs) that are in the cache of the RPKI Validator. The result is returned in 
JSON format and contains the following information:

- The RPKI validity state
- The VRPs that caused the state
- In case of an 'Invalid' state, the reason

So for example, when running this:

$ curl http://localhost:8080/api/v1/validity/AS12654/93.175.147.0/24

The response will be:

{
  "validated_route":{
    "route":{
      "origin_asn":"AS12654",
      "prefix":"93.175.147.0/24"
    },
    "validity":{
      "state":"Invalid",
      "reason":"as",
      "description":"At least one VRP Covers the Route Prefix, but no VRP ASN matches the route origin ASN",
      "VRPs":{
        "matched":[],
        "unmatched_as":[{
          "asn":"AS196615",
          "prefix":"93.175.147.0/24",
          "max_length":24
        }],
        "unmatched_length":[]
      }
    }
  }
}

Full documentation is available here:
https://www.ripe.net/developers/rpki-validator-api

You can download the application here:
http://www.ripe.net/certification/tools-and-resources

Kaia Global Networks offers a testbed where you can try out the functionality on a public instance of the RPKI 
Validator:
http://195.13.63.18:8080/export

We look forward to your feedback, to hear how we can improve on this functionality. 

Kind regards,

Alex Band
Product Manager
RIPE NCC
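
Added example (not part of the original message and not the RPKI Validator's own code): a sketch of how an AS and prefix pair is classified against VRPs, following RFC 6811 origin validation, returning the same JSON shape as the response shown above. The second VRP, the "length" reason label and the "NotFound" state name are assumptions; only the "as" reason appears in the message.

```python
import ipaddress
import json

# Constructed VRP cache as (asn, prefix, max_length). The first entry is the VRP
# from the response above; the second uses documentation values.
VRPS = [("AS196615", "93.175.147.0/24", 24), ("AS64500", "192.0.2.0/24", 24)]


def validate(origin_asn, prefix, vrps=VRPS):
    """Classify a route against VRPs following RFC 6811 origin validation."""
    route = ipaddress.ip_network(prefix)
    matched, unmatched_as, unmatched_length = [], [], []
    for asn, vrp_prefix, max_length in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route when the route is equal to or more specific
        # than the VRP prefix (same address family).
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        vrp = {"asn": asn, "prefix": vrp_prefix, "max_length": max_length}
        if asn.upper() != origin_asn.upper():
            unmatched_as.append(vrp)        # covered, but wrong origin AS
        elif route.prefixlen > max_length:
            unmatched_length.append(vrp)    # right AS, too specific
        else:
            matched.append(vrp)

    if matched:
        validity = {"state": "Valid"}
    elif unmatched_length:
        validity = {"state": "Invalid", "reason": "length"}  # assumed label
    elif unmatched_as:
        validity = {"state": "Invalid", "reason": "as"}
    else:
        validity = {"state": "NotFound"}  # RFC 6811 term: no covering VRP
    validity["VRPs"] = {"matched": matched, "unmatched_as": unmatched_as,
                        "unmatched_length": unmatched_length}
    return {"validated_route": {
        "route": {"origin_asn": origin_asn, "prefix": prefix},
        "validity": validity}}


if __name__ == "__main__":
    for asn, pfx in [("AS12654", "93.175.147.0/24"),      # unauthorised origin
                     ("AS196615", "93.175.147.0/25"),     # exceeds max_length
                     ("AS196615", "93.175.147.0/24"),     # authorised
                     ("AS64496", "198.51.100.0/24")]:     # no covering VRP
        v = validate(asn, pfx)["validated_route"]["validity"]
        print(asn, pfx, json.dumps({k: v[k] for k in ("state", "reason") if k in v}))
```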
