RPKI Webtest

How can you quickly figure out if a network you are using is dropping invalid Resource Public Key Infrastructure (RPKI) BGP announcements? You can do so by opening up a browser and visiting our RPKI test web page.

During RIPE 78, the community asked us to configure the meeting's network so that invalid RPKI BGP announcements are dropped. This is indeed the current configuration, but it is not easy to check. So we built an experimental web page where you can check whether the network you are using is doing RPKI Origin Validation.

We have a short URL that redirects to this test page:

This is not a new trick; it was used before for IPv6 testing. To adapt it for RPKI, we used two test prefixes (courtesy of NTT Communications):

  • One that is covered by a valid ROA
  • Another one that is invalid (on purpose, of course)

Each prefix hosts a web server that serves content, so if you can fetch the content from the valid prefix but not from the invalid one, this is a strong indication that the network you are on is dropping invalid RPKI BGP routes.
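The check described above, sketched as client-side JavaScript. This is an added example, not the code behind the test page; the two URLs are placeholders for hosts in the valid and invalid test prefixes, and the function names and verdict strings are assumptions.

```javascript
// Placeholder URLs (assumptions): substitute hosts inside the two test prefixes.
const TARGETS = {
  valid: "http://rpki-valid.example/",     // prefix covered by a valid ROA
  invalid: "http://rpki-invalid.example/", // prefix announced as RPKI-invalid on purpose
};

// Resolve to true if any HTTP response arrives, false on network error or
// timeout. fetchImpl is injectable so the logic can be run without a network.
async function probe(url, fetchImpl = fetch, timeoutMs = 5000) {
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  try {
    // no-cors: only reachability matters, the response body is never read.
    await fetchImpl(url, { mode: "no-cors", cache: "no-store", signal: ctrl.signal });
    return true;
  } catch (err) {
    return false;
  } finally {
    clearTimeout(timer);
  }
}

// Turn the two reachability results into a verdict.
function interpret(validOk, invalidOk) {
  // Without the valid prefix as a working control, a failure on the invalid
  // prefix proves nothing (for example: no IPv4 connectivity at all).
  if (!validOk) return "inconclusive";
  // Valid reachable, invalid not: strong indication that invalids are dropped.
  // Both reachable: traffic towards the invalid prefix is still forwarded.
  return invalidOk ? "not-dropping-invalids" : "dropping-invalids";
}

async function runRpkiTest(fetchImpl = fetch, timeoutMs = 5000) {
  const [validOk, invalidOk] = await Promise.all([
    probe(TARGETS.valid, fetchImpl, timeoutMs),
    probe(TARGETS.invalid, fetchImpl, timeoutMs),
  ]);
  return { validOk, invalidOk, verdict: interpret(validOk, invalidOk) };
}
```

In a browser, `runRpkiTest().then(r => console.log(r.verdict))` runs both probes in parallel. The "inconclusive" verdict matters in practice: a failed fetch from the invalid prefix only means something when the valid prefix answered from the same network at the same time.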

Please test this tool and check if the network you are on drops invalid RPKI BGP announcements.

Currently, this is only available over IPv4, as we wanted to have it finished before the end of RIPE 78. We are aiming to make it available over IPv6 too, and to be future-proof soon!

If you are interested in what RPKI is, and how it improves routing security, please find more information on our RPKI web pages.


Ondřej Caletka says:
23 May, 2019 04:42 PM
Awesome job, thank you for that! Just don't forget to deploy HTTPS for the test as well.

Actually, it may be an interesting test how easily one can do domain control validation for a domain name pointing to a network with an invalid ROA.

Alex Band says:
24 May, 2019 10:11 AM
This is brilliant!

By the way, the RIPE NCC also has RIS beacons with each RPKI Validation state that can be used for this purpose:[…]/
