Dear Gert,

On Tue, May 01, 2018 at 08:44:22PM +0200, Gert Doering wrote:
is there an online looking glass to see RPKI status for ``everything a given AS announces / transits''?
Say, I want to check my AS (AS5539) plus all downstream customers (... visible at the vantage point of said tool, of course).
I have found whois.bgpmon.net, which I can use by feeding prefix after prefix into whois and then parsing the reply, but that's a bit cumbersome for "give me all there is to know". Basically
show ip bgp reg _5539_
I ran a terrible one-off for you on lg01.infra.ring.nlnog.net:

    $ birdc 'show route where bgp_path ~ [= * 5539 * =] primary all' | egrep "unreach|ext_comm" | sed 's/unreach.*//' | paste - - | sed 's/0x1./not-found/;s/0x0./valid/;s/0x2./invalid/'
    109.230.244.0/23 BGP.ext_community: (generic, 0x43000000, not-found
    194.97.64.0/19 BGP.ext_community: (generic, 0x43000000, valid
    185.5.184.0/23 BGP.ext_community: (generic, 0x43000000, not-found
    185.54.120.0/22 BGP.ext_community: (generic, 0x43000000, valid
    194.39.121.0/24 BGP.ext_community: (generic, 0x43000000, not-found
    149.62.56.0/21 BGP.ext_community: (generic, 0x43000000, not-found
    193.189.94.0/24 BGP.ext_community: (generic, 0x43000000, not-found
    193.189.94.0/23 BGP.ext_community: (generic, 0x43000000, not-found
    31.214.222.0/23 BGP.ext_community: (generic, 0x43000000, not-found
    91.223.129.0/24 BGP.ext_community: (generic, 0x43000000, not-found
    82.118.35.0/24 BGP.ext_community: (generic, 0x43000000, invalid
    82.118.32.0/19 BGP.ext_community: (generic, 0x43000000, valid
    193.151.47.0/24 BGP.ext_community: (generic, 0x43000000, not-found
    193.149.32.0/19 BGP.ext_community: (generic, 0x43000000, valid
    195.30.0.0/16 BGP.ext_community: (generic, 0x43000000, valid
    185.143.68.0/23 BGP.ext_community: (generic, 0x43000000, not-found
    195.24.96.0/19 BGP.ext_community: (generic, 0x43000000, valid
    193.97.129.0/24 BGP.ext_community: (generic, 0x43000000, not-found
    194.97.128.0/19 BGP.ext_community: (generic, 0x43000000, valid

    $ birdc6 'show route where bgp_path ~ [= * 5539 * =] primary all' | egrep "unreach|ext_comm" | sed 's/unreach.*//' | paste - - | sed 's/0x1./not-found/;s/0x0./valid/;s/0x2./invalid/'
    2a07:3340::/48 BGP.ext_community: (generic, 0x43000000, not-found
    2001:608::/32 BGP.ext_community: (generic, 0x43000000, valid
    2a02:7c40::/33 BGP.ext_community: (generic, 0x43000000, not-found
    2001:4150::/32 BGP.ext_community: (generic, 0x43000000, valid
    2001:67c:158c::/48 BGP.ext_community: (generic, 0x43000000, valid
and then for each prefix returned, check RPKI status, flag green/red/yellow.
The RIPE LIRportal RPKI dashboard sort of does the job for all ASes that I have created ROAs for (so, if I maintain my customer ROAs, I would see them) but I cannot query an arbitrary AS, or "the whole customer cone".
(I expected RIPE Stats to have something like this in the BGP widget, but to my surprise, no...)
A while back I injected RPKI steroids into http://lg.ring.nlnog.net/ so that it displays the "RPKI Origin Validation State" for each prefix it displays. This doesn't allow you to do 'show ip bgp reg _5539_' as you requested, but that is something I can consider building into the thing.

Kind regards,

Job
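Added example, not part of the original thread or of the looking glass code: a small Python parser that does the job of the sed pipeline above, decoding the origin validation state extended community (type 0x43, sub-type 0x00; 0 = valid, 1 = not-found, 2 = invalid) per prefix and reporting routes that carry no such community. The sample input is constructed, its route lines are an assumed approximation of `birdc ... all` output, and `parse_rpki_states` and `summarize` are hypothetical helper names.

```python
import re
from collections import Counter

# Validation state values, same mapping as the sed expressions in the thread.
STATES = {0: "valid", 1: "not-found", 2: "invalid"}
ROUTE_RE = re.compile(r"^([0-9A-Fa-f:.]+/\d{1,3})\s")  # unindented line starting with a prefix
EXT_RE = re.compile(r"\(generic, 0x([0-9A-Fa-f]{1,8}), 0x([0-9A-Fa-f]{1,8})\)")

# Constructed sample; the route lines approximate birdc output (assumption).
SAMPLE = """\
194.97.64.0/19     unreachable [peer1 from 192.0.2.1] * (100/-)
\tBGP.ext_community: (generic, 0x43000000, 0x0)
109.230.244.0/23   unreachable [peer1 from 192.0.2.1] * (100/-)
\tBGP.ext_community: (generic, 0x43000000, 0x1)
82.118.35.0/24     unreachable [peer1 from 192.0.2.1] * (100/-)
\tBGP.ext_community: (ro, 64496, 1) (generic, 0x43000000, 0x2)
2001:608::/32      unreachable [peer1 from 2001:db8::1] * (100/-)
\tBGP.ext_community: (generic, 0x43000000, 0x0)
192.0.2.0/24       unreachable [peer1 from 192.0.2.1] * (100/-)
\tBGP.origin: IGP
"""

def parse_rpki_states(text):
    """Map each prefix to its validation state, or 'unmarked' if none is attached."""
    states, prefix = {}, None
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            prefix = m.group(1)
            states.setdefault(prefix, "unmarked")
        elif prefix and "BGP.ext_community:" in line:
            for high, low in EXT_RE.findall(line):
                if int(high, 16) >> 16 == 0x4300:    # type 0x43, sub-type 0x00
                    value = int(low, 16) & 0xFF      # state is the last octet
                    states[prefix] = STATES.get(value, f"unknown({value})")
    return states

def summarize(states):
    """Count prefixes per validation state."""
    return Counter(states.values())

if __name__ == "__main__":
    states = parse_rpki_states(SAMPLE)
    for prefix, state in states.items():
        print(f"{prefix:20} {state}")
    print(dict(summarize(states)))
```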