RPKI Origin Validation checker


rpki-ov-checker is a small tool that shows which prefixes, with which origin ASes, are impacted by the RFC 6811 Origin Validation procedure.

The purpose is to quickly identify the operational impact of the various RPKI validation states.


pip3 install git+

Example use case

Here we extract routes from an IOS XR device and process them to figure out which customers we should contact to help them repair their RPKI ROAs or BGP announcements.

# obtain a list of all customer prefixes
$ ssh 'show bgp ipv4 uni community 2914:370 | include /' \
    | grep -v /32 | grep -v \( > customers-v4
$ dos2unix customers-v4

# obtain whole BGP RIB
$ ssh 'show bgp ipv4 uni | include /' \
    | grep -v /32 | grep -v \( > rib-v4
$ dos2unix rib-v4

# cook the output a bit, screen scraping sucks... I weep gently
$ sed 's/^...//' customers-v4 \
    | awk '{ print $1 }' \
    | egrep "^[0-9]" > customer_prefixes
$ sed 's/^...//;s/ .$//;s/{.*//' rib-v4 \
    | awk '{ print $1 " " $NF }' \
    | egrep "^[0-9]" > full_rib 

# run the checker and filter out customers
$ rpki-ov-checker full_rib | fgrep -f customer_prefixes | grep invalid | sort -R | head
invalid_covered_by_notfound 4809 covering route: 4134
invalid_covered_by_valid 134121 covering route: 207636
invalid_unreachable 3949
invalid_unreachable 9583
invalid_covered_by_valid 9730 covering route: 9498
invalid_unreachable 17639
invalid_unreachable 200872
invalid_covered_by_notfound 40676 covering route: 35913
invalid_covered_by_valid 24560 covering route: 24560
invalid_covered_by_valid 21734 covering route: 7470

invalid_unreachable: the RIB entry is invalid, and no alternative valid or notfound route exists to that set of destination IP addresses. These entries are the problematic ones.

invalid_covered_by_valid: the RIB entry is invalid, but covered by a valid route. The IP addresses covered by the route will remain reachable.

invalid_covered_by_notfound: the RIB entry is invalid, but covered by a less specific route which is notfound.
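The following sketch shows how the three invalid sub-states can be derived from RFC 6811 validation plus a covering-route lookup. It is an added example, not code from rpki-ov-checker; the VRPs and RIB entries are constructed from documentation prefixes and private-use ASNs, and it assumes any other RIB entry whose prefix contains the invalid route counts as covering.

```python
import ipaddress

# Constructed VRPs (prefix, maxLength, origin AS); not real ROA data.
VRPS = [(ipaddress.ip_network(p), m, a) for p, m, a in [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
    ("203.0.113.0/25", 25, 64502),
]]

# Constructed RIB in the "prefix origin" shape of full_rib above.
RIB = [
    ("192.0.2.0/24", 64500),     # matches a VRP
    ("192.0.2.128/25", 64500),   # longer than maxLength allows
    ("198.51.100.0/24", 64666),  # wrong origin, no covering route
    ("203.0.113.0/24", 64503),   # no VRP covers this prefix
    ("203.0.113.0/25", 64666),   # wrong origin, less specific is notfound
]

def validate(prefix, origin):
    """RFC 6811 state of one route: valid, invalid or notfound."""
    covered = False
    for vrp_prefix, max_len, vrp_as in VRPS:
        if prefix.version == vrp_prefix.version and prefix.subnet_of(vrp_prefix):
            covered = True  # at least one VRP covers the route prefix
            if prefix.prefixlen <= max_len and origin == vrp_as:
                return "valid"
    return "invalid" if covered else "notfound"

def classify(rib):
    """Label every route; invalid routes get a reachability suffix."""
    routes = [(ipaddress.ip_network(p), o) for p, o in rib]
    states = {r: validate(*r) for r in routes}
    result = {}
    for route in routes:
        state = states[route]
        if state == "invalid":
            # States of the other RIB entries whose prefix contains this one.
            covering = {s for other, s in states.items()
                        if other != route and route[0].subnet_of(other[0])}
            if "valid" in covering:
                state = "invalid_covered_by_valid"
            elif "notfound" in covering:
                state = "invalid_covered_by_notfound"
            else:
                state = "invalid_unreachable"
        result[(str(route[0]), route[1])] = state
    return result

if __name__ == "__main__":
    for (prefix, origin), state in classify(RIB).items():
        print(state, prefix, origin)
```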


Copyright (c) 2020 Job Snijders

Source Distribution

rpki-ov-checker-0.0.6.tar.gz (6.2 kB)
