This repository has been archived by the owner on Jul 15, 2021. It is now read-only.
Tim Bruijnzeels edited this page May 16, 2018 · 15 revisions

Welcome to the RIPE NCC RPKI Validator 3.

The RPKI Validator can be used to perform RPKI Validation and use the output to perform BGP Origin Validation.

The project consists of two separately deployable units:

  • The RPKI Validator itself
  • A separate RPKI-RTR server

The validator is set up to run as a daemon, and has the following features:

  • Supports all current RPKI objects: certificates, manifests, CRLs, ROAs, router certificates and ghostbuster records
  • Supports the RRDP delta protocol
  • Supports caching RPKI data in case a repository is unavailable
  • Uses an asynchronous strategy to retrieve (often delegated) repositories, so that unavailable repositories do not block validation
  • Features an API
  • Has a full UI
  • Supports exceptions through local filters and assertions

The RPKI-RTR server is a separate daemon that allows routers to connect using the RPKI-RTR protocol. It is set up as a separate instance because not everyone needs to run it. More importantly, if you do need to run it, a separate daemon lets you run more than one instance for redundancy (it keeps state even when the validator is down).

Installation and releases

This project is still in its beta phase, but we expect to have the first production release by late May 2018.

If you want to run a beta release and help us test, please have a look at beta release installation options.

Using the Validator

The Validator has a UI, accessible here: http://localhost:8080/

Alternatively you can explore the REST API here: http://localhost:8080/swagger-ui.html#/.

Server PORT and ADDRESS

Note that the Validator uses port 8080 by default for its UI. However, you can change this by editing the "server.port" setting in the "application.properties" file (/etc/rpki-validator-3/application.properties on CentOS).

You may want to run the validator behind an Apache proxy if you want HTTPS and/or want to restrict access.

You may also want to have the validator bind to localhost only, rather than listen on all IP addresses. You can change this by editing the "server.address" setting in the "application.properties" file.
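The following is an added example, not part of the validator distribution: a shell check that reads "server.address" and "server.port" from an "application.properties" file and reports whether the UI and API listen on loopback only or on all addresses. The function names are hypothetical, and an unset "server.address" is treated as listening on all addresses, as the text above describes.

```shell
#!/bin/sh
# Added example: audit the validator's listen settings.
# Function names are hypothetical, not part of the validator.

# prop_get FILE KEY: print the last value assigned to KEY in a Java
# properties file, skipping comment lines (# or !). Empty if unset.
prop_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots literally
    sed -n -e '/^[[:space:]]*[#!]/d' \
        -e "s/^[[:space:]]*$key[[:space:]]*[=:][[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*$//' | tail -n 1
}

# bind_scope FILE: classify where the UI and API will listen.
bind_scope() {
    addr=$(prop_get "$1" server.address)
    port=$(prop_get "$1" server.port)
    port=${port:-8080}    # the page gives 8080 as the default port
    case "$addr" in
        localhost|127.*|::1) echo "loopback:$port" ;;
        # Assumption from the page: with no server.address set, the
        # validator listens on all IP addresses.
        ''|0.0.0.0|::)       echo "all-addresses:$port" ;;
        *)                   echo "specific:$addr:$port" ;;
    esac
}

# Constructed sample files, for demonstration only.
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' 'server.port=8080' \
    > "$demo/default.properties"
printf '%s\n' 'server.port = 9176' 'server.address=localhost' \
    > "$demo/hardened.properties"
for f in "$demo"/*.properties; do
    printf '%s -> %s\n' "${f##*/}" "$(bind_scope "$f")"
done
rm -rf "$demo"
```

Point bind_scope at /etc/rpki-validator-3/application.properties (the CentOS path given above) to check an installed validator.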

Install extra TALs

By default the validator will have TAs installed for AFRINIC, APNIC, LACNIC and RIPE NCC, but not ARIN.

You can download the ARIN TAL here. Any of the formats will work, but the "RIPE NCC RPKI Validator" one will ensure that the TA gets the friendly name "ARIN". To upload it you can use the following script:

upload-tal.sh arin-ripevalidator.tal http://localhost:8080/api/trust-anchors/upload

The script should be in the root folder if you unpacked the generic build, or in /usr/bin if you installed the RPM. The source can be found here.