
Resource Certification Web Validator Released

Alex Band — 13 Apr 2011
We have just released the RIPE NCC Resource Certification Web Validator. It will allow you to validate a Route Origin Authorisation (ROA) file against the RIPE NCC Trust Anchor through a web form, either online or locally.

One very important goal we have with the RIPE NCC Resource Certification service is to make the entry barrier into the system as low as possible. We have achieved this by initially offering a hosted system, allowing you to set up a Certificate Authority with just a single click. Creating and managing ROAs can be done with a simple drag and drop interface. Work on a non-hosted system, allowing you to run your own Certificate Authority that securely interfaces with the RIPE NCC, is underway now and will be finished around RIPE 62 in May 2011.

A crucial aspect of using the Resource Certification service for making routing decisions is to actively check if a route announcement is valid by using a validation tool. Until now, the RIPE NCC only provided a basic command line tool which outputs text or a comma separated file.

We have now released the RIPE NCC Resource Certification Web Validator. It will allow you to validate a ROA file against the RIPE NCC Trust Anchor through an online web form on the RIPE NCC website. This service is intended to give you a quick, ad-hoc method of validating ROAs, without having to install a validation tool.

However, when using Resource Certification for production purposes, validation should always be done locally, by the relying party themselves, using one of the validation tools. This is why we are also making the source code for the Web Validator available for download, so it can be run locally. For transparency, it will also allow you to verify the code we are using for the service.
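Once ROAs have been validated locally, a routing decision compares each announcement with the prefix, maximum length and origin AS those ROAs authorise. The sketch below is an added example, not RIPE NCC code: it goes one step past ROA file validation and applies the origin validation rules later standardised in RFC 6811 to constructed ROA entries. The names `RoaEntry`, `origin_validity` and `VALIDATED_ROAS` and all sample values are assumptions made for illustration.

```python
import ipaddress
from typing import Iterable, NamedTuple


class RoaEntry(NamedTuple):
    """One prefix entry from a ROA that already passed cryptographic validation."""
    prefix: str      # authorised prefix
    max_length: int  # longest announcement length the ROA permits
    asn: int         # authorised origin AS


# Constructed sample data: documentation prefixes (RFC 5737, RFC 3849)
# and documentation AS numbers (RFC 5398), not real repository contents.
VALIDATED_ROAS = [
    RoaEntry("192.0.2.0/24", 24, 64496),
    RoaEntry("2001:db8::/32", 48, 64497),
]


def origin_validity(route_prefix: str, origin_asn: int,
                    roas: Iterable[RoaEntry]) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA is relevant only if its prefix covers the announced prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match requires the authorised origin AS and a length within maxLength.
        if origin_asn == roa.asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA but matched by none: e.g. a wrong origin AS or a
    # more-specific prefix than the ROA holder authorised.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("192.0.2.0/24", 64511), ("203.0.113.0/24", 64496)]:
        print(prefix, f"AS{asn}", origin_validity(prefix, asn, VALIDATED_ROAS))
```

The second sample route shows why the maximum length matters: a more-specific announcement from the authorised AS is still classified as invalid when the ROA does not permit that length.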

The way you use the Web Validator is by uploading a ROA file. You may have received such a file from one of your peers as proof that they are authorised to announce a particular prefix. ROA files can be obtained through rsync from the RIPE NCC ROA Repository:

 rsync://rpki.ripe.net/repository/

Alternatively, you can download them from the ROA Repository available in the Certification Portal:

Download link for ROA

 

After choosing a ROA file and clicking 'Validate!', the Web Validator will perform the validation and provide additional details about the uploaded object:

 

Validation results for web validator

Please note that this service will only accept ROA files, not certificates or other signed objects, and only validates against the RIPE NCC Trust Anchor. We plan to expand this functionality to allow checking against other Trust Anchors. Additionally, the web front end will also be made available in future versions of the RIPE NCC Validation Tool, along with scripting and RPKI-Router validation support.

If you have any feedback, please post a comment here or on the RIPE NCC Services Working Group mailing list, or send an email to certification _at_ ripe _dot_ net
