Hi Gert, Job, routing-wg,

Disclaimer: I'm not offering a solution, just a possibility, facilitator
hat on.

In the context of the upcoming RIPE+iNOG Network Operator Tools hackathon
in June (details at
https://labs.ripe.net/Members/becha/join-network-operators-tools-hackathon ),
I would say that this would
make for a great project proposal (an improvement for an existing RIPE tool
/ NLNOG Ring / standalone tool etc.). Of course the best option would be to
join us and hack on it in person - but if that doesn't fly, formulate a
proposal and either find an advocate who's attending or send it to me as a
proxy of last resort.

Cheers,
Cristian

-- 
Cristian Sirbu
www.trueneutral.eu | inog.net | twitter.com/cmsirbu
*PGP* 2C940C28 08F2378F 45C74E11 8AFA4E29 *710D0D66*


On Tue, May 1, 2018 at 7:53 PM, Job Snijders <[email protected]> wrote:

> Dear Gert,
>
> On Tue, May 01, 2018 at 08:44:22PM +0200, Gert Doering wrote:
> > is there an online looking glass to see RPKI status for ``everything a
> > given AS announces / transits''?
> >
> > Say, I want to check my AS (AS5539) plus all downstream customers
> > (... visible at the vantage point of said tool, of course).
> >
> > I have found whois.bgpmon.net, which I can use by feeding prefix after
> > prefix into whois and then parsing the reply, but that's a bit cumbersome
> > for "give me all there is to know".  Basically
> >
> >   show ip bgp reg _5539_
>
> I ran a terrible one-off for you on lg01.infra.ring.nlnog.net:
>
> $ birdc 'show route where bgp_path ~ [= * 5539 * =] primary all' | egrep "unreach|ext_comm" | sed 's/unreach.*//' | paste - - | sed 's/0x1./not-found/;s/0x0./valid/;s/0x2./invalid/'
> 109.230.244.0/23                BGP.ext_community: (generic, 0x43000000, not-found
> 194.97.64.0/19                  BGP.ext_community: (generic, 0x43000000, valid
> 185.5.184.0/23                  BGP.ext_community: (generic, 0x43000000, not-found
> 185.54.120.0/22                 BGP.ext_community: (generic, 0x43000000, valid
> 194.39.121.0/24                 BGP.ext_community: (generic, 0x43000000, not-found
> 149.62.56.0/21                  BGP.ext_community: (generic, 0x43000000, not-found
> 193.189.94.0/24                 BGP.ext_community: (generic, 0x43000000, not-found
> 193.189.94.0/23                 BGP.ext_community: (generic, 0x43000000, not-found
> 31.214.222.0/23                 BGP.ext_community: (generic, 0x43000000, not-found
> 91.223.129.0/24                 BGP.ext_community: (generic, 0x43000000, not-found
> 82.118.35.0/24                  BGP.ext_community: (generic, 0x43000000, invalid
> 82.118.32.0/19                  BGP.ext_community: (generic, 0x43000000, valid
> 193.151.47.0/24                 BGP.ext_community: (generic, 0x43000000, not-found
> 193.149.32.0/19                 BGP.ext_community: (generic, 0x43000000, valid
> 195.30.0.0/16                   BGP.ext_community: (generic, 0x43000000, valid
> 185.143.68.0/23                 BGP.ext_community: (generic, 0x43000000, not-found
> 195.24.96.0/19                  BGP.ext_community: (generic, 0x43000000, valid
> 193.97.129.0/24                 BGP.ext_community: (generic, 0x43000000, not-found
> 194.97.128.0/19                 BGP.ext_community: (generic, 0x43000000, valid
>
> $ birdc6 'show route where bgp_path ~ [= * 5539 * =] primary all' | egrep "unreach|ext_comm" | sed 's/unreach.*//' | paste - - | sed 's/0x1./not-found/;s/0x0./valid/;s/0x2./invalid/'
> 2a07:3340::/48                  BGP.ext_community: (generic, 0x43000000, not-found
> 2001:608::/32                   BGP.ext_community: (generic, 0x43000000, valid
> 2a02:7c40::/33                  BGP.ext_community: (generic, 0x43000000, not-found
> 2001:4150::/32                  BGP.ext_community: (generic, 0x43000000, valid
> 2001:67c:158c::/48              BGP.ext_community: (generic, 0x43000000, valid
>
> > and then for each prefix returned, check RPKI status, flag
> > green/red/yellow.
> >
> > The RIPE LIRportal RPKI dashboard sort of does the job for all ASes that
> > I have created ROAs for (so, if I maintain my customer ROAs, I would see
> > them) but I cannot query an arbitrary AS, or "the whole customer cone".
> >
> > (I expected RIPE Stats to have something like this in the BGP widget, but
> > to my surprise, no...)
>
> A while back I injected RPKI steroids into http://lg.ring.nlnog.net/ so
> that it displays the "RPKI Origin Validation State" for each prefix it
> displays.
>
> This doesn't allow you to do 'show ip bgp reg _5539_' as you requested,
> but that is something I can consider building into the thing.
>
> Kind regards,
>
> Job
>
>
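
An added example, not part of the original thread and not Job's code: a more defensive variant of the one-liner quoted above, which decodes only the RFC 8097 origin validation state community (0x43000000) and does not depend on every route carrying exactly one matching attribute line. The function names `rpki_states` and `sample_birdc_output` are hypothetical, and the sample `birdc` output is constructed.

```shell
#!/usr/bin/env bash
# Added example. rpki_states reads `birdc 'show route ... all'` text on stdin
# and prints "<prefix> <state>" per route, decoding the RFC 8097 origin
# validation state community: (generic, 0x43000000, 0x0|0x1|0x2).
rpki_states() {
  awk '
    function emit() {
      if (prefix != "") print prefix, (state == "" ? "unmarked" : state)
    }
    # A route line starts in column 1 with an IPv4/IPv6 prefix and length.
    /^[0-9a-fA-F:.]+\/[0-9]+[ \t]/ { emit(); prefix = $1; state = ""; next }
    /BGP\.ext_community:/ {
      # Match only the validation-state community, wherever it sits in the
      # list, so other communities containing "0x1" cannot be misread.
      if (match($0, /\(generic, 0x43000000, 0x[0-9a-fA-F]+\)/)) {
        v = substr($0, RSTART, RLENGTH)
        sub(/^.*, 0x/, "", v); sub(/\)$/, "", v)
        if (v == "0") state = "valid"
        else if (v == "1") state = "not-found"
        else if (v == "2") state = "invalid"
        else state = "unknown(0x" v ")"
      }
    }
    END { emit() }   # flush the last route
  '
}

# Constructed sample modelled on the output in the thread; peer names, dates,
# AS 64496, the rt community and 198.51.100.0/24 are made-up values.
sample_birdc_output() {
  cat <<'EOF'
194.97.64.0/19     unreachable [peer1 2018-05-01 from 192.0.2.1] * (100/-) [AS5539i]
        BGP.as_path: 64496 5539
        BGP.ext_community: (generic, 0x43000000, 0x0)
109.230.244.0/23   unreachable [peer1 2018-05-01 from 192.0.2.1] * (100/-) [AS64496i]
        BGP.as_path: 64496 5539 64496
        BGP.ext_community: (generic, 0x43000000, 0x1)
82.118.35.0/24     unreachable [peer1 2018-05-01 from 192.0.2.1] * (100/-) [AS64496i]
        BGP.ext_community: (rt, 64496, 1) (generic, 0x43000000, 0x2)
198.51.100.0/24    unreachable [peer1 2018-05-01 from 192.0.2.1] * (100/-) [AS64496i]
        BGP.as_path: 64496 5539 64496
2001:608::/32      unreachable [peer1 2018-05-01 from 2001:db8::1] * (100/-) [AS5539i]
        BGP.ext_community: (generic, 0x43000000, 0x0)
EOF
}

sample_birdc_output | rpki_states
```

A route with no validation-state community is reported as `unmarked` rather than silently borrowing the state of the next route.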

