Matthias Wählisch

Call for Input: RPKI Browser

Matthias Wählisch
Contributors: Andreas Reuter

3 min read

1 You have liked this article 0 times.
0

The RPKI Browser is a graphical user interface to the objects of the distributed RPKI repository. The development is at very early stage. In this article, we ask for external input in terms of use cases, features etc.


Background

An RPKI repository consists of multiple objects, such as certificates, revocation lists, and Route Origin Authorisations (ROAs). There are several command line tools available to inspect these objects. However, there is only limited work that provides an intuitive graphical interface. The RPKI Browser implements a graphical interface to analyse the content of RPKI objects and their dependencies. The RPKI Browser is open source, and currently at a very early stage. To shape the development of this tool with the requirements of potential users in mind, we would like to ask for input from the operator community.

In this note, we briefly explain the current state of the RPKI Browser to kick off the discussion for use cases, features etc. Please, let us know what you expect from an RPKI Object Browser. Either leave your comments below or send an email to .

The RPKI Browser is available at http://rpki-browser.realmv6.org . We will publish the source code on Github as soon as a more mature version is ready.

RPKI Browser - Basic Functions

The RPKI Browser periodically fetches all RPKI data from a set of predefined trust anchors. At the moment, data from all five RIRs is hourly collected.

The current GUI consists mainly of two parts, the menu and the content view.

Menu

In the menu (shown below), you can select the repository that you want to inspect, and you can configure filters. Please note that filtering for AS numbers requires the prefix "AS" (e.g., AS3320).

Example of an AS Filter

Content View

The column at the left hand side shows the RPKI object tree. Showing all possible objects would overload the view. We decided to include only certificates and ROAs. The root of the tree is the selected trust anchor.The colour of a node indicates the cryptographic validation state of the object, i.e., green = passed, yellow = warning, red = error.

The column at the right hand side shows the content of the selected object as well as related objects. For a certificate the corresponding manifest and certificate revocation list (CRL) are presented; for a ROA, the corresponding end-entity (EE) certificate is shown.

Screenshots (click on the images to get a larger view)

Certificate Content ROA Content EE Certificate Content of Selected ROA

 

Conclusion

We highly encourage you to participate in the development process of the RPKI Browser, even at early stage. The current set of functions is very limited and serves more as an illustration of the basic idea. Let us know your use cases and requirements for such a tool! Which features (e.g., additional views, download of object data) would you like to see implemented? Send an email to or leave your comments below.

1 You have liked this article 0 times.
0

You may also like

View more

About the author

Matthias Wählisch Based in Dresden, Germany

Matthias is a full professor and holds the Chair of Distributed and Networked Systems at the Faculty of Computer Science at TU Dresden. He is also a Research Fellow of the Barkhausen Institut. His research and teaching focus is on efficient, reliable, and secure Internet communication. This includes the design and evaluation of networking protocols and architectures, as well as Internet measurements and analysis. His efforts are driven by the hope of improving Internet communication based on sound research. He is actively involved in the IETF since 2005 and co-founded some successful open source projects such as RIOT (https://riot-os.org/) and RTRlib (https://rtrlib.rpki.net/). Matthias is a member of the Advisory Board of BCIX, the Berlin Internet Exchange Point, and INSO, the Internet Namespace Security Observatory supported by the Internet Society (ISOC), and a co-founder of DD-IX, the Dresden Internet Exchange.

Comments 0