RPKI Origin Validation Checker

rpki-ov-checker is a small tool that shows which prefixes, with which AS origins, are impacted by the RFC 6811 Origin Validation procedure.

The purpose is to quickly identify the operational impact of the various RPKI validation states.

Installation

pip3 install git+https://github.com/job/rpki-ov-checker

Example use case

Here we extract routes from an IOS XR device and process them to figure out which customers we should contact to help them repair their RPKI ROAs or BGP announcements.

# obtain a list of all customer prefixes
$ ssh r02.amstnl02.nl.bb.gin.ntt.net 'show bgp ipv4 uni community 2914:370 | include /' \
    | grep -v /32 | grep -v \( > customers-v4
$ dos2unix customers-v4

# obtain whole BGP RIB
$ ssh r02.amstnl02.nl.bb 'show bgp ipv4 uni | include /' \
    | grep -v /32 | grep -v \( > rib-v4
$ dos2unix rib-v4

# cook the output a bit, screen scraping sucks... I weep gently
$ sed 's/^...//' customers-v4 \
    | awk '{ print $1 }' \
    | egrep "^[0-9]" > customer_prefixes
$ sed 's/^...//;s/ .$//;s/{.*//' rib-v4 \
    | awk '{ print $1 " " $NF }' \
    | egrep "^[0-9]" > full_rib 

# run the checker and filter out customers
$ rpki-ov-checker full_rib | fgrep -f customer_prefixes | grep invalid | sort -R | head
invalid_covered_by_notfound 123.101.0.0/21 4809 covering route: 123.101.0.0/16 4134
invalid_covered_by_valid 46.3.74.0/24 134121 covering route: 46.3.0.0/16 207636
invalid_unreachable 83.231.209.0/24 3949
invalid_unreachable 124.30.247.0/24 9583
invalid_covered_by_valid 125.21.232.0/24 9730 covering route: 125.21.0.0/16 9498
invalid_unreachable 120.29.92.0/24 17639
invalid_unreachable 31.40.164.0/24 200872
invalid_covered_by_notfound 45.12.139.0/24 40676 covering route: 45.12.136.0/22 35913
invalid_covered_by_valid 122.160.178.0/24 24560 covering route: 122.160.0.0/16 24560
invalid_covered_by_valid 61.90.251.0/24 21734 covering route: 61.90.192.0/18 7470

invalid_unreachable: the RIB entry is invalid, and no alternative valid or notfound route exists to that set of destination IP addresses. These entries are the problematic ones.

invalid_covered_by_valid: the RIB entry is invalid, but covered by a valid route. The IP addresses covered by the route will remain reachable.

invalid_covered_by_notfound: the RIB entry is invalid, but covered by a less specific route which is notfound.
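
How the three invalid labels come about, as an added example that is not rpki-ov-checker's own code: it applies the RFC 6811 procedure to a RIB in the full_rib format and then looks for a non-invalid covering route. The VRPs, the RIB and all function names are constructed for illustration, and letting the most specific non-invalid covering route decide the label is an assumption.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): prefix, max length, origin ASN.
VRPS = [("192.0.2.0/24", 24, 64496),
        ("198.51.100.0/25", 25, 64497),
        ("203.0.113.0/24", 24, 64498)]

# Constructed RIB, one "prefix origin" pair per line as in the full_rib file.
RIB = """192.0.2.0/24 64496
192.0.2.128/25 64496
198.51.100.0/24 64511
198.51.100.0/25 64510
203.0.113.0/24 64505
203.0.113.0/25 64505"""

def covers(outer, inner):
    """True when outer is equal to or less specific than inner."""
    return outer.version == inner.version and inner.subnet_of(outer)

def validate(prefix, origin, vrps):
    """RFC 6811 state of one route: valid, invalid or notfound."""
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        if covers(vrp_prefix, prefix):
            covered = True
            if prefix.prefixlen <= max_len and origin == vrp_asn != 0:  # AS 0 never matches
                return "valid"
    return "invalid" if covered else "notfound"

def classify(rib_text, vrp_rows):
    """Label every route; split invalids by the route that would still carry traffic."""
    vrps = [(ipaddress.ip_network(p), m, a) for p, m, a in vrp_rows]
    routes = [(ipaddress.ip_network(p), int(o))
              for p, o in (line.split() for line in rib_text.splitlines())]
    states = {r: validate(*r, vrps) for r in routes}
    labels = {}
    for (prefix, origin), state in states.items():
        if state == "invalid":
            # Assumption: the most specific non-invalid covering route decides.
            alt = [r for r, s in states.items()
                   if s != "invalid" and covers(r[0], prefix)]
            best = max(alt, key=lambda r: r[0].prefixlen, default=None)
            state = ("invalid_covered_by_" + states[best]) if best else "invalid_unreachable"
        labels[f"{prefix} {origin}"] = state
    return labels

if __name__ == "__main__":
    for route, label in classify(RIB, VRPS).items():
        print(label, route)
```

Note that 203.0.113.0/25 stays invalid_unreachable even though a less specific route exists, because that covering route is itself invalid.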

Copyright

Copyright (c) 2020 Job Snijders [email protected]
