Nathalie Trenaman

RPKI Test

Contributors: Emile Aben, Jasper den Hertog, Job Snijders

How can you quickly figure out if a network you are using is dropping invalid Resource Public Key Infrastructure (RPKI) BGP announcements? You can do so by opening up a browser and visiting our RPKI test web page.


During RIPE 78, the community asked us to configure the meeting's network so that invalid RPKI BGP announcements are dropped. This is indeed the current configuration, but it is not easy to check. So we built an experimental web page where you can check whether the network you are using is doing RPKI Origin Validation.

We have a short URL that redirects to this test page: https://www.ripe.net/s/rpki-test

This is not a new trick; it was used before for IPv6 testing. To make it work for RPKI, we used two test prefixes (courtesy of NTT Communications):

  • One that is covered by a valid ROA
  • Another one that is invalid (on purpose, of course)

A web server in each prefix serves content, so if you can fetch the content from the valid prefix but not from the invalid one, this is a strong indication that the network you are on is dropping invalid RPKI BGP routes.
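The comparison described above can be sketched as follows; this is an added example, not the source code of the RIPE NCC test page. It repeats the two fetches a few times and treats the valid prefix as a control, so a general connectivity failure is reported as inconclusive rather than as filtering. Assumptions: the two URLs are placeholders (the page does not list the test addresses), `probe`, `verdict` and `rpkiTest` are illustrative names, and the test servers answer a plain GET with a 2xx status and allow cross-origin reads.

```javascript
// Placeholder endpoints (assumptions, not the real test hosts).
const VALID_URL = "http://valid.rpki-test.example/";     // inside the prefix covered by a valid ROA
const INVALID_URL = "http://invalid.rpki-test.example/"; // inside the deliberately invalid prefix

// Resolve to true if the endpoint served content within timeoutMs,
// false on any network error, timeout or non-2xx answer.
// fetchImpl is injectable so the logic can be exercised offline.
async function probe(url, fetchImpl = globalThis.fetch, timeoutMs = 3000) {
  const ctl = new AbortController();
  const timer = setTimeout(() => ctl.abort(), timeoutMs);
  try {
    const res = await fetchImpl(url, { signal: ctl.signal, cache: "no-store" });
    return Boolean(res.ok);
  } catch {
    return false;
  } finally {
    clearTimeout(timer);
  }
}

// Turn several rounds of { valid, invalid } results into one verdict.
function verdict(rounds) {
  const validSeen = rounds.some((r) => r.valid);
  const invalidSeen = rounds.some((r) => r.invalid);
  if (invalidSeen) return "invalid-reachable";  // content from the invalid prefix arrived: no sign of filtering
  if (!validSeen) return "inconclusive";        // the control failed too, so nothing can be concluded
  return "likely-dropping-invalids";            // control works, invalid prefix never answered
}

// Probe both endpoints in parallel for a few rounds to ride out transient loss.
async function rpkiTest(fetchImpl = globalThis.fetch, rounds = 3) {
  const results = [];
  for (let i = 0; i < rounds; i++) {
    const [valid, invalid] = await Promise.all([
      probe(VALID_URL, fetchImpl),
      probe(INVALID_URL, fetchImpl),
    ]);
    results.push({ valid, invalid });
  }
  return verdict(results);
}
```

The result describes only the path between the client and the two test prefixes at the time of the test, which is why the strongest verdict is still worded as "likely".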

Please test this tool and check if the network you are on drops invalid RPKI BGP announcements.

Currently, this is only available over IPv4, as we wanted to have it finished before the end of RIPE 78. We are aiming to make it available over IPv6 too, and future-proof, soon!

If you are interested in what RPKI is, and how it improves routing security, please find more information on our RPKI web pages.

The source code for this little application can be found on GitHub.

About the author

Nathalie Trenaman Based in Amsterdam

I'm the Routing Security Programme Manager at RIPE NCC. In my spare time I am the chair of NLNOG.