netbox-rpki 0.1.6.2

NetBox plugin for BGP RPKI support.

NetBox RPKI Plugin

Netbox plugin for adding BGP RPKI elements.

• Free software: Apache-2.0
• Documentation
• Repository
• Python Package

Features

Implements NetBox models, forms, API endpoints, GraphQL types, tables, and standard UI views for modeling Resource Public Key Infrastructure (RPKI) data.

The plugin still covers the original core inventory objects for organizations, resource certificates, ROAs, and their prefix or ASN relationships, and now also includes the implemented standards-aligned data-model expansion for:

• repositories and publication points
• trust anchors, trust anchor locators, and trust anchor keys
• end-entity certificates and a generic signed-object layer
• certificate revocation lists, revoked certificate references, manifests, and manifest entries
• ASPAs, RSCs, and router certificates
• validator instances, validation runs, object validation results, and validated ROA or ASPA payload views
• routing-intent profiles, rules, overrides, and the initial ROA intent and reconciliation result model family

This newer model layer is implemented as schema plus registry-driven plugin surfaces. The writable intent-policy objects are available now, while derivation and reconciliation run or result objects are currently read-only reporting surfaces.

Models / DB tables

Core inventory models

Organization

• Represents a customer or consumer of Regional Internet Registry (RIR) RPKI services.
• Fields include org_id, name, ext_url, and parent_rir.

Resource Certificate

• Represents the resource certificate element of the RPKI architecture.
• Tracks certificate identity and lifecycle fields such as issuer, subject, serial, valid_from, valid_to, auto_renews, public_key, publication_url, ca_repository, self_hosted, and rpki_org.
• Now links into the newer architecture through optional trust-anchor and publication-point references.

Route Origination Authorization (ROA)

• Represents an RPKI ROA authorizing origination of one or more prefixes by an ASN.
• Tracks origin_as, validity dates, auto_renews, and the signing resource certificate.
• Now links into the generic signed-object layer through an optional signed-object reference.

ROA Prefix

• Represents the attestation relationship between a ROA and a prefix, including max_length.
• This model is available through the plugin but is not a top-level menu item.

Certificate Prefix

• Represents the relationship between a resource certificate and a prefix.
• This model is available through the plugin but is not a top-level menu item.

Certificate ASN

• Represents the relationship between a resource certificate and an ASN.
• This model is available through the plugin but is not a top-level menu item.

Repository and publication models

Repository

• Represents an rsync, RRDP, or mixed repository endpoint used to hold RPKI publication data.

Publication Point

• Represents a publication location within a repository and tracks retrieval and validation state.

Trust and certificate hierarchy models

Trust Anchor

• Represents a trust anchor and its rollover state.

Trust Anchor Locator

• Stores TAL-style discovery information for a trust anchor.

Trust Anchor Key

• Represents a published trust-anchor key object and rollover relationships.

End-Entity Certificate

• Represents the EE certificate used to sign individual RPKI signed objects.

Signed object and repository-integrity models

Signed Object

• Generic model for published RPKI signed objects such as ROAs, manifests, ASPAs, RSCs, and trust-anchor keys.
• Tracks object type, publication metadata, manifest linkage, CMS metadata, validity, and validation state.

Certificate Revocation List

• Represents a CRL issued by a resource certificate and linked to publication and manifest state.

Revoked Certificate

• Represents an individual revoked certificate or EE certificate reference carried by a CRL.

Manifest

• Represents an RPKI manifest object.

Manifest Entry

• Represents an individual manifest member and can link to the referenced signed object, certificate, EE certificate, or CRL.

Additional signed-object families

ASPA

• Represents an Autonomous System Provider Authorization object.

ASPA Provider

• Represents a provider ASN authorized by an ASPA.

RSC

• Represents an RPKI Signed Checklist object.

RSC File Hash

• Represents an individual file-hash member of an RSC.

Router Certificate

• Represents a BGPsec router certificate tied to an ASN, resource certificate, and publication point.

Validation and validated-payload models

Validator Instance

• Represents an external validator and its current run state.

Validation Run

• Represents one validation execution against repository content.

Object Validation Result

• Stores validation outcome and disposition for an individual signed object.

Validated ROA Payload

• Represents a validated prefix-origin payload produced from a ROA.

Validated ASPA Payload

• Represents a validated customer-provider authorization payload produced from an ASPA.

Intent and reconciliation models

Routing Intent Profile

• Defines routing-intent policy defaults and prefix or ASN selection behavior.

Routing Intent Rule

• Represents an ordered rule used to include, exclude, or modify derived ROA intent.

ROA Intent Override

• Represents an explicit per-prefix or per-scope exception to derived ROA intent.

Intent Derivation Run

• Stores metadata for a derived-intent calculation run.
• This is currently exposed as a read-only reporting surface.

ROA Intent

• Represents a derived ROA intent row tied to a derivation run, profile, scope, and optional override.
• This is currently exposed as a read-only reporting surface.

ROA Intent Match

• Stores a candidate match between a derived intent row and a locally recorded ROA.
• This is currently exposed as a read-only reporting surface.

ROA Reconciliation Run

• Stores metadata for a reconciliation comparison between intent and published ROA records.
• This is currently exposed as a read-only reporting surface.

ROA Intent Result

• Stores the intent-side reconciliation result for a derived ROA intent row.
• This is currently exposed as a read-only reporting surface.

Published ROA Result

• Stores the published-side reconciliation result for a recorded ROA.
• This is currently exposed as a read-only reporting surface.

Screencaps

RPKI Organizations/Certificates/Resources

RPKI ROAs

Compatibility

netbox-plugin.yaml

The plugin currently declares NetBox compatibility for the 4.5.x release line.

Validation completed against real development installs of:

• NetBox 4.5.0
• NetBox 4.5.7

Validation evidence for both versions includes successful plugin bootstrap and manage.py check with the plugin enabled, plus the full Python test suite passing (196 tests). Browser smoke coverage was also run successfully against the NetBox 4.5.0 environment (7 Playwright specs passed).

Installing

For adding to a NetBox Docker setup see the general instructions for using netbox-docker with plugins.

Install using pip:

pip install netbox_rpki

or by adding to your local_requirements.txt or plugin_requirements.txt (netbox-docker):

netbox_rpki

Enable the plugin in /opt/netbox/netbox/netbox/configuration.py, or if you use netbox-docker, your /configuration/plugins.py file :

PLUGINS = [
    'netbox_rpki'
]

PLUGINS_CONFIG = {
    "netbox_rpki": {'top_level_menu': False},
}

Run python -m manage.py migrate from the .../netbox/netbox/ directory in your netbox installation. (or include the manage.py migrate command in Dockerfile-Plugins if using netbox-docker.)

Browser E2E Tests

The repo includes a minimal Playwright suite under tests/e2e/ for real plugin Web UI CRUD coverage.

• It targets a running local NetBox dev instance, defaulting to http://127.0.0.1:8000
• It logs in as the local admin user created by devrun/dev.sh start
• It prepares only the core NetBox prerequisites the plugin forms depend on and cleans up prior E2E-marked plugin objects
• It does not require dev.sh seed, though seeded data remains compatible with the suite
• The recommended entry point in WSL is cd devrun && ./dev.sh e2e

See tests/e2e/README.md for setup, environment variables, and exact commands.