Skip to content
This repository has been archived by the owner on Jul 15, 2021. It is now read-only.

Home

Jump to bottom
Tim Bruijnzeels edited this page May 3, 2018 · 15 revisions

Welcome to the RIPE NCC RPKI Validator 3.

The RPKI Validator can be used to perform RPKI Validation and use the output to perform BGP Origin Validation.

The project consists of two separately deployable units:

  • The RPKI Validator itself
  • A separate RPKI-RTR server

The validator is set up to run as a daemon, and has the following features:

  • Supports all current RPKI objects: certificates, manifests, CRLs, ROAs, router certificates and ghostbuster records
  • Supports the RRDP delta protocol
  • Supports caching RPKI data in case a repository is unavailable
  • Uses an asynchronous strategy to retrieve (often delegated) repositories, so that unavaible repositories do not block validation
  • Features an API
  • Has a full UI
  • Supports exceptions trough local filters and assertions

The RPKI-RTR server is a separate daemon, that allows routers to connect using the RPKI-RTR protocol. It's set up as a separate instance because not everyone needs to run this, but more importantly, if you do need to run this then a separate daemon allows one to run more than one instance for redundancy (it keeps state even when the validator is down).

Installation and releases

This project is still in its beta phase, but we expect to have the first production release by late May 2018.

If you want to run a beta release and help us test, please have a look at beta release installation options.

Using the Validator

The Validator has a UI, accessible here: http://localhost:8080/

Alternatively you can explore the REST API here: http://localhost:8080/swagger-ui.html#/.

Note that the Validator uses port 8080 by default for its UI. However, you can change this by editing the "server.port" setting in the "application.properties" file (/etc/rpki-validator-3/application.properties on Centos). You may want to run the validator behind an apache proxy if you want HTTPS and/or restrict access.

By default the validator will have TAs installed for AFRINIC, APNIC, LACNIC, RIPE NCC, but not ARIN. You can add download the ARIN TAL here. Any of the formats will work, but the "RIPE NCC RPKI Validator" one will ensure that the TA will have a friendly name "ARIN". To upload it to the validator use the following command:

curl -X POST -F "file=@arin-ripevalidator.tal" http://localhost:8080/api/trust-anchors/upload

Clone this wiki locally