Finalising the Phase-out of RIPE NCC RPKI Validator
As we had planned in our RPKI roadmap, on 1 July, we stopped maintenance of the RIPE NCC RPKI Validator, about a decade after launching it. You can read more about our decision to end support here. For many years, we provided the community with a public RPKI Validator on https://rpki-validator.ripe.net/ that used the RIPE NCC RPKI Validator. Now it’s time to migrate this service to Routinator. We will perform this migration on Thursday, 16 September 2021.
The friendly folks at NLnet Labs have worked hard to create a user interface for Routinator, which is already available at https://routinator.nlnetlabs.nl/. They have also created a useful video explaining the most important features in the UI.
Once we migrate to Routinator, there will be a few changes in the UI, but the behaviour will be mostly the same. In this article, I’ll explain the most notable differences. While I’m referring now to the pages on nlnetlabs.nl, from 16 September, you’ll find the same pages on https://rpki-validator.ripe.net.
This is the place to go if you want to verify that the ROA you have created has the required effect on the Internet. Simply type in your prefix (an AS number is optional!) and click “Validate”.
This will show the validation state of your prefix. If it results in green for “valid”, this prefix has a Validated ROA Payload (VRP) that matches the route we see in BGP.
If it shows orange, for “invalid length” or “invalid ASN”, this indicates that there is a VRP, but the size of the prefix or the associated ASN does not match what we see in BGP. This means that the route might get rejected by a network that performs RPKI Route Origin Validation.
In case there is no VRP found for this prefix, it will tell you, “No VRP Covers the Route Prefix”.
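The states above correspond to route origin validation as specified in RFC 6811. The following Python code is an added example, not part of the original article and not Routinator's own code; it classifies a route against a list of VRPs. The function name, the sample VRPs (documentation prefixes and ASNs) and the choice to report “invalid length” whenever a covering VRP has the right ASN are assumptions of this example.

```python
import ipaddress

# Constructed sample VRPs (prefix, maxLength, origin ASN) built from
# documentation prefixes and ASNs; they are not real RPKI data.
SAMPLE_VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 24, 64497),
    ("2001:db8::/32", 48, 64496),
]


def validate_route(prefix, origin_asn, vrps=SAMPLE_VRPS):
    """Classify a BGP route against VRPs (RFC 6811 origin validation).

    Returns "valid", "invalid length", "invalid ASN" or "not found".
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False             # at least one VRP covers the route prefix
    asn_match_too_long = False  # right ASN, but route exceeds maxLength
    for vrp_prefix, max_length, vrp_asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route when the route prefix is equal to, or more
        # specific than, the VRP prefix (same address family only).
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # AS0 is never a valid origin, so an AS0 VRP can only invalidate.
        if vrp_asn != origin_asn or origin_asn == 0:
            continue
        if route.prefixlen <= max_length:
            return "valid"      # one matching VRP is enough
        asn_match_too_long = True
    if not covered:
        return "not found"      # "No VRP Covers the Route Prefix"
    return "invalid length" if asn_match_too_long else "invalid ASN"


if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                     ("192.0.2.0/24", 64511), ("203.0.113.0/24", 64496)]:
        print(f"{pfx} AS{asn}: {validate_route(pfx, asn)}")
```

The second sample route shows why a more specific announcement of a covered prefix comes up orange even when the origin AS is correct: the /25 is longer than the VRP's maxLength of 24.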
This user interface has a few key differences from the RIPE NCC Validator:
- If you search for a prefix, you can let Routinator find the associated ASN it originates from using information from the RIPE NCC RIS Route Collector.
- If you search for an aggregate prefix, you’ll get an overview of all the more specific announcements that are found, which are validated against RPKI as well.
- It’s possible to show all the prefixes that are held by a particular organisation. The Extended Delegated Stats that each RIR produces are used to determine this list.
The RIPE NCC RPKI Validator used the RIS whois dump files for the BGP announcement information, which can be up to eight hours old. The first iteration of the Routinator user interface uses the same source data, but future releases will provide information that is closer and closer to real-time.
In Routinator, you will find all the hosted and delegated repositories at https://routinator.nlnetlabs.nl/repositories.
For each repository, you can see the number of Validated ROA Payloads (VRPs), which can help you troubleshoot your own instance of Relying Party software. It also shows you an extensive dashboard with the status of manifests and Certificate Revocation Lists (CRLs).
On rpki-validator.ripe.net, this information was listed under “Trust Anchors”.
The “connections” tab shows you a health dashboard for this instance at https://routinator.nlnetlabs.nl/connections. It displays (among other things) when the data was refreshed and how long it took to fetch the data.
In the dashboard at https://routinator.nlnetlabs.nl/metrics, you can find, per Trust Anchor, the number of different objects (ROAs, VRPs, Manifests, CRLs) and their status. Here you can also see if there are any locally filtered objects. On rpki-validator.ripe.net, these entries were found under “Ignore Filter”. Our service will not filter objects locally, but you may choose to do so in your local instance.
Please note that all information that the Routinator user interface displays is fetched directly from its API, allowing you to build your own automation around it.
We don’t recommend running any production service against rpki-validator.ripe.net or routinator.nlnetlabs.nl, as these are “best-effort” services and uptime is not guaranteed.
And that’s it for the major changes to the user interface that you’ll see once we complete migration. In the meantime, you can check out Routinator’s UI at https://routinator.nlnetlabs.nl/ and explore it for yourself ahead of this transition.