Mailing List Archive

inspecting RPKI data: console.rpki-client.org
Dear all,

I'd like to introduce another tool to inspect RPKI data... the
rpki-client console! Comes with an authentic 90s look & feel :-)

The Frontpage - http://console.rpki-client.org/
-----------------------------------------------
On the front page you can see stdout + stderr of the most recent
rpki-client run. The log shows which publication points were contacted
and prints any issues encountered with specific RPKI files.

Those of us publishing RPKI data should keep an eye out not to show up
in this type of log with warnings or errors. For example:

rpki-client: cc.rg.net/rpki/RGnet-cc/1opByAd8x8R2F-SzstgaYzVXK8Q.mft: mft expired on Oct 12 17:58:45 2020 GMT

However, the above line might be the result of some kind of experiment someone is conducting :-)

The RPKI distributed database currently is more than 120,000 (!)
certificate/roa/manifest files, and only a handful of files have some
kind of completeness or expiration date issue. Good job everyone! :-)

The ASN specific pages - http://console.rpki-client.org/AS2914.html
-------------------------------------------------------------------
You can substitute the 'AS2914' portion in the URL for any ASN to see
which .roa files reference the given ASN. Another example, here one can
see all ROAs which authorize AS 8283 as origin: https://console.rpki-client.org/AS8283.html
If you encounter an HTTP 404 error, no ROAs reference the ASN.

On the 'per ASN page' you can click the .roa files on the left
side to inspect the ROA. Each object in the RPKI has a unique Subject
Key Identifier (SKI). An example of a SKI is this hexadecimal identifier
'06:96:B3:F7:CC:AD:55:45:A5:3A:64:32:31:2B:7F:E1:2B:7A:15:22' which
maps to a filename like 'rpki.apnic.net/member_repository/A91A4C60/B526FF74D84111E9A4521413C4F9AE02/12F0D72E7BC111EA8503D815C4F9AE02.roa'

Yeah... compared to DNS names mapping to IPv6 addresses, in the RPKI
neither the path name nor the SKI is easy to remember :-)

The console can show that .roa file in human readable format, just
append .html: http://console.rpki-client.org/rpki.apnic.net/member_repository/A91A4C60/B526FF74D84111E9A4521413C4F9AE02/12F0D72E7BC111EA8503D815C4F9AE02.roa.html

Every object in the RPKI is subordinate to another object (all objects
are signed by a parent certificate, except the Trust Anchors). The
parent is identified by the Authority Key Identifier (AKI). So one
object's AKI is another object's SKI! If you click the AKI, the console
brings you to the parent object, from where you can continue to explore
other objects related to the parent.

Certificates point to Manifests, and .mft files contain the 'directory
indexes' of the RPKI: http://console.rpki-client.org/rpki.apnic.net/member_repository/A91A4C60/B526FF74D84111E9A4521413C4F9AE02/nvnkN242ZTJ1x5Y1mNa0W3CvgJk.mft.html
From the manifest overview you can jump to the parent, click the
referenced .roa, .cer or .crl files.

All directories on the webserver are 'open', except the root. This
allows you to explore this RPKI cache by browsing through the filesystem
directly, example: http://console.rpki-client.org/rpki.apnic.net/member_repository/

Final notes
-----------
The rpki-client console provides a view on *validated* RPKI data. First
rpki-client runs and prunes bad files, then all HTML is generated. The
console provides a view on the data as used in production Internet
routers. Please note: the console's rendering is delayed by a bit over
an hour compared to the real thing.

Another entry point, you can use your browser's 'find on page' function
to search for anything in all of it on this humongous page:
http://console.rpki-client.org/roas.html

The RPKI is a very intricate collection of references, I hope this console
offers another useful perspective on the tree-like structures. Enjoy!

Kind regards,

Job
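The front page log is the thing to watch if you publish RPKI data. Below is an added example (my own, not part of Job's post or the console's code) that triages rpki-client's stderr in the format quoted above: it pulls out the publication point from the object path, parses the "expired on ... GMT" timestamp, and lets you filter for your own repository and for objects that have been expired longer than the console's own lag. The log text is constructed for the example, apart from the cc.rg.net line taken from the post; the regular expressions are assumptions about the line shape, not a spec.

```python
"""Triage rpki-client stderr for trouble in a publication point you run."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Object-specific diagnostics look like (format as quoted on the console front page):
#   rpki-client: <publication point>/<dir...>/<file>: <diagnostic>
# The object path never contains whitespace or ':', the diagnostic may (timestamps do).
LINE_RE = re.compile(r"^rpki-client: (?P<path>[^\s:]+/[^\s:]+): (?P<msg>.+)$")
EXPIRED_RE = re.compile(
    r"\bexpired on (?P<when>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT"
)

# Constructed sample log: only the first line is real (it is the one from the post).
SAMPLE_LOG = """\
rpki-client: cc.rg.net/rpki/RGnet-cc/1opByAd8x8R2F-SzstgaYzVXK8Q.mft: mft expired on Oct 12 17:58:45 2020 GMT
rpki-client: example.net/repo/CA1/m7Qx.mft: mft expired on Nov 19 03:00:00 2020 GMT
rpki-client: example.net/repo/CA1/prefix.roa: bad message digest (constructed diagnostic)
rpki-client: example.org/repo/x.cer: constructed diagnostic for the example
rpki-client: summary line without an object path (constructed)
"""


@dataclass
class Issue:
    host: str                   # first path component: the publication point
    path: str                   # object path exactly as rpki-client printed it
    message: str                # the diagnostic text
    expired_at: Optional[datetime] = None   # set only for "expired on ..." diagnostics

    @property
    def basename(self) -> str:
        return self.path.rsplit("/", 1)[-1]


def parse_line(line: str) -> Optional[Issue]:
    """One stderr line -> Issue, or None for lines that are not about an object."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, msg = m.group("path"), m.group("msg")
    expired_at = None
    e = EXPIRED_RE.search(msg)
    if e:
        when = " ".join(e.group("when").split())      # collapse "Oct  3" style padding
        expired_at = datetime.strptime(when, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return Issue(host=path.split("/", 1)[0], path=path, message=msg, expired_at=expired_at)


def parse_log(log: str) -> list[Issue]:
    return [i for i in (parse_line(l) for l in log.splitlines()) if i is not None]


def issues_for_host(log: str, host: str) -> list[Issue]:
    """Everything rpki-client complained about under one publication point."""
    return [i for i in parse_log(log) if i.host == host]


def stale_objects(log: str, now: Optional[datetime] = None,
                  grace: timedelta = timedelta(hours=2)) -> list[Issue]:
    """Expired objects older than `grace`: beyond the console's own rendering lag,
    so a republish is overdue rather than simply not yet visible."""
    now = now or datetime.now(timezone.utc)
    return [i for i in parse_log(log) if i.expired_at and now - i.expired_at > grace]


def summarize(log: str) -> dict[str, int]:
    """Diagnostics per publication point, the quick 'is it us?' view."""
    counts: dict[str, int] = {}
    for i in parse_log(log):
        counts[i.host] = counts.get(i.host, 0) + 1
    return counts


if __name__ == "__main__":
    for host, n in summarize(SAMPLE_LOG).items():
        print(f"{host}: {n} diagnostic(s)")
    for i in stale_objects(SAMPLE_LOG):
        print(f"STALE {i.path} expired {i.expired_at.isoformat()}")
```

Feed it the console front page (or your own rpki-client stderr) and alert on `issues_for_host()` for the hostnames you publish under; a single entry right after a republish may just be the console lag, which is what the `grace` window is for.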
Re: inspecting RPKI data: console.rpki-client.org
Thank You!



*Paschal Masha*
Lead Network Engineer
6x7 Networks | +254735071089
Time Zone:GMT+3


On Fri, Nov 20, 2020 at 5:09 PM Job Snijders <job@ntt.net> wrote:

Re: inspecting RPKI data: console.rpki-client.org
In before snark of "OMG "http" links to RPKI info HURF BLURF!"

( Just add the 's' yourself kids, Job is a good boy and does have this
properly TLS'd. :) )

Thank you Job, excellent tool!

On Fri, Nov 20, 2020 at 9:08 AM Job Snijders <job@ntt.net> wrote:

Re: inspecting RPKI data: console.rpki-client.org
On Fri, Nov 20, 2020 at 12:02:04PM -0500, Tom Beecher wrote:
> In before snark of "OMG "http" links to RPKI info HURF BLURF!"

But Tom, that is exactly the whole point of the RPKI :-)

It's funny, but true! You really can safely use the RPKI data from the
console website in your own production environment, even after it has
been transported via mere HTTP - provided you have the TAL files to
build the chain of trust.

This also applies to the console's HTML itself: if you have the
TAL files + rpki-client + rsync + the openssl cli utility + ksh + perl;
you can generate any of the pages yourself and thus confirm their
authenticity and integrity.

Of course I don't expect anyone to jump through those hoops, but the
source code is here: https://github.com/job/console.rpki-client.org

I'll concede HTTPS does provide some privacy while looking at these
gorgeous ASN.1 data structures ;-)

Kind regards,

Job
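Two points in this thread fit one worked example: the AKI-to-SKI links that make every object subordinate to a parent up to the Trust Anchor (Job's first mail), and the claim above that the data stays trustworthy after travelling over plain HTTP as long as you hold the TAL. The following is an added example of my own, not code from the console repository or rpki-client. It models a validated cache as objects carrying an SKI, an AKI and content bytes; a CA's manifest fileList (basename to SHA-256) is folded into the CA object for brevity, whereas in the real RPKI the manifest is a separate signed .mft. Validation here means: the AKI chain ends at an SKI pinned out of band (the TAL's role), and every hop's bytes match the hash its parent's manifest lists. Signature verification, validity windows, CRLs and resource containment are deliberately left out; all keys, paths and contents are constructed.

```python
"""Toy model: a cache is trusted by chain of keys and manifest hashes, not by transport."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def key_identifier(public_key: bytes) -> str:
    """SHA-1 of the key, rendered in the colon-separated form the console shows."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(public_key).digest())


@dataclass
class RpkiObject:
    path: str                   # '<publication point>/<dir>/<file>', as on the console
    ski: str                    # this object's Subject Key Identifier
    aki: Optional[str]          # parent's SKI; None only for a trust anchor certificate
    content: bytes
    # CA certificates only: the fileList of the CA's manifest, basename -> sha256 hex
    # (assumption of this model; really a separate signed .mft object).
    manifest: dict[str, str] = field(default_factory=dict)

    @property
    def basename(self) -> str:
        return self.path.rsplit("/", 1)[-1]


class ValidationError(Exception):
    pass


def build_index(objects: list[RpkiObject]) -> dict[str, RpkiObject]:
    """SKI -> object. An AKI is looked up here to find the parent."""
    index: dict[str, RpkiObject] = {}
    for o in objects:
        if o.ski in index:
            raise ValidationError(f"duplicate SKI {o.ski}: {o.path} and {index[o.ski].path}")
        index[o.ski] = o
    return index


def chain_to_anchor(obj: RpkiObject, index: dict[str, RpkiObject],
                    anchors: set[str]) -> list[RpkiObject]:
    """Follow AKI -> SKI links upward; returns [obj, parent, ..., trust anchor]."""
    chain, seen, cur = [obj], {obj.ski}, obj
    while cur.ski not in anchors:
        if cur.aki is None:
            raise ValidationError(f"{cur.path}: self-signed but not a configured trust anchor")
        parent = index.get(cur.aki)
        if parent is None:
            raise ValidationError(f"{cur.path}: parent with SKI {cur.aki} not in the validated set")
        if parent.ski in seen:
            raise ValidationError(f"{cur.path}: AKI/SKI cycle")
        seen.add(parent.ski)
        chain.append(parent)
        cur = parent
    return chain


def validate(obj: RpkiObject, index: dict[str, RpkiObject], anchors: set[str]) -> list[str]:
    """Empty list: chained to a pinned anchor and every hop's bytes match its CA's manifest."""
    try:
        chain = chain_to_anchor(obj, index, anchors)
    except ValidationError as e:
        return [str(e)]
    problems = []
    for child, parent in zip(chain, chain[1:]):
        expected = parent.manifest.get(child.basename)
        if expected is None:
            problems.append(f"{child.path}: not listed in manifest of {parent.path}")
        elif expected != sha256_hex(child.content):
            problems.append(f"{child.path}: content hash does not match manifest of {parent.path}")
    return problems


def sample_repository() -> tuple[RpkiObject, RpkiObject, RpkiObject, RpkiObject]:
    """Constructed TA -> CA -> ROA tree plus one object nobody in the tree signed."""
    ta_key, ca_key, roa_key = b"ta-key", b"ca1-key", b"roa-ee-key"    # placeholders, not real keys
    roa_bytes = b"ROA: AS64500 may originate 192.0.2.0/24 (constructed, not DER)"
    ca = RpkiObject("repo.example/ca1/ca1.cer", key_identifier(ca_key), key_identifier(ta_key),
                    b"CA1 certificate (constructed)", manifest={"AS64500.roa": sha256_hex(roa_bytes)})
    ta = RpkiObject("ta.example/ta.cer", key_identifier(ta_key), None,
                    b"TA certificate (constructed)", manifest={"ca1.cer": sha256_hex(ca.content)})
    roa = RpkiObject("repo.example/ca1/AS64500.roa", key_identifier(roa_key), ca.ski, roa_bytes)
    rogue = RpkiObject("repo.example/ca1/AS64501.roa", key_identifier(b"rogue"),
                       key_identifier(b"nobody"), b"rogue ROA (constructed)")
    return ta, ca, roa, rogue


def demo() -> dict[str, list[str]]:
    ta, ca, roa, rogue = sample_repository()
    index = build_index([ta, ca, roa, rogue])
    anchors = {ta.ski}                                   # what the TAL pins, obtained out of band
    tampered = RpkiObject(roa.path, roa.ski, roa.aki, roa.content + b" altered in transit")
    return {
        "roa": validate(roa, index, anchors),            # genuine object: no problems
        "tampered": validate(tampered, index, anchors),  # bytes changed on the wire: hash mismatch
        "rogue": validate(rogue, index, anchors),        # AKI points at no known SKI
        "untrusted_ta": validate(roa, index, set()),     # no TAL: nothing is trusted
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'valid' if not problems else problems}")
```

The transport is irrelevant to every check in `validate()`: a tampered file fails on the manifest hash, an injected file fails because its AKI names a key nobody in the tree holds, and with no pinned anchor even a genuine ROA is rejected. That is exactly the separation the thread is pointing at, and also why the HTTPS in the reply above buys privacy rather than integrity.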