netsec-sig - [Security-WG] Fwd: [routing-wg] new tool: rpki-ov-checker
Subject: Internet2 Network Security SIG
- From: David Farmer <>
- To: Jeff Bartig <>, "" <>
- Subject: [Security-WG] Fwd: [routing-wg] new tool: rpki-ov-checker
- Date: Thu, 6 Feb 2020 06:49:36 -0600
Based on Jeff’s comment yesterday on the irr-wg Slack channel I thought this might be useful.
---------- Forwarded message ---------
From: Job Snijders <>
Date: Thu, Feb 6, 2020 at 05:41
Subject: [routing-wg] new tool: rpki-ov-checker
To: <>
I wrote a simple tool to figure out what kind of invalid an RPKI invalid
is; this can aid people in understanding the impact of "invalid ==
reject" routing policies. Only "invalid_unreachable" routes present
an operational issue in my opinion, IP addresses covered by "notfound"
or "valid" less specific routes will still be reachable.
You pass it a file name (or via stdin) with one prefix and origin ASN
per line (white space separated) representing your full BGP RIB, and
then you can grep specifically for the task at hand to extract the info you
need:
$ rpki-ov-checker full_rib | fgrep -f customer_prefixes | grep invalid | sort -R | head
invalid_covered_by_notfound 123.101.0.0/21 4809 covering route: 123.101.0.0/16 4134
invalid_covered_by_valid 46.3.74.0/24 134121 covering route: 46.3.0.0/16 207636
invalid_unreachable 83.231.209.0/24 3949
invalid_unreachable 124.30.247.0/24 9583
invalid_covered_by_valid 125.21.232.0/24 9730 covering route: 125.21.0.0/16 9498
invalid_unreachable 120.29.92.0/24 17639
invalid_unreachable 31.40.164.0/24 200872
invalid_covered_by_notfound 45.12.139.0/24 40676 covering route: 45.12.136.0/22 35913
invalid_covered_by_valid 122.160.178.0/24 24560 covering route: 122.160.0.0/16 24560
invalid_covered_by_valid 61.90.251.0/24 21734 covering route: 61.90.192.0/18 7470
NTT is using this to figure out who we need to help fix their ROA or
correct their BGP announcements.
Get the goods at https://github.com/job/rpki-ov-checker
Enjoy!
Kind regards,
Job
===============================================
David Farmer
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
===============================================
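Added example, not part of the original message and not code from rpki-ov-checker: a minimal sketch of the classification the message describes, assuming RFC 6811 origin validation and assuming that a covering "valid" route takes precedence over a covering "notfound" one. The function names, VRPs and routes are constructed for illustration, using documentation prefixes and ASNs.

```python
import ipaddress

def covers(outer, inner):
    # True if `outer` is the same as or less specific than `inner`.
    return outer.version == inner.version and inner.subnet_of(outer)

def ov_state(prefix, origin, vrps):
    """RFC 6811 origin validation against VRPs given as (prefix, max_len, asn)."""
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        if covers(vrp_prefix, prefix):
            covered = True
            if asn == origin and prefix.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "notfound"

def classify(rib, vrps):
    """Label every (prefix, origin) route; invalids get a reachability suffix."""
    states = {route: ov_state(route[0], route[1], vrps) for route in rib}
    labels = {}
    for (prefix, origin), state in states.items():
        if state == "invalid":
            # States of strictly less specific, non-invalid routes in the same RIB.
            cover = {s for (p, _), s in states.items() if s != "invalid"
                     and p.prefixlen < prefix.prefixlen and covers(p, prefix)}
            # Assumption: a valid covering route wins over a notfound one.
            state = ("invalid_covered_by_valid" if "valid" in cover else
                     "invalid_covered_by_notfound" if "notfound" in cover else
                     "invalid_unreachable")
        labels[(str(prefix), origin)] = state
    return labels

def parse(lines, width):
    """Parse whitespace-separated lines: prefix first, then `width - 1` integers."""
    rows = [line.split() for line in lines.strip().splitlines()]
    return [(ipaddress.ip_network(r[0]), *map(int, r[1:width])) for r in rows]

# Constructed sample data (documentation prefixes and ASNs), not real routes.
VRPS = parse("""2001:db8::/32 32 64496
3fff:1::/32 32 64500
3fff:800::/32 32 64502""", 3)
RIB = parse("""2001:db8::/32 64496
2001:db8:a::/48 64496
3fff::/24 64498
3fff:1::/32 64499
3fff:800::/32 64501""", 2)

if __name__ == "__main__":
    for (prefix, origin), label in classify(RIB, VRPS).items():
        print(label, prefix, origin)
```

The second sample route has the right origin but exceeds the VRP's maxLength, so it is invalid yet still reachable through the valid /32.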