RPKIVIZ: Visualizing the RPKI

By Di Ma on 23 Apr 2020

Category: Tech matters


Resource Public Key Infrastructure (RPKI) is a global authorization infrastructure that allows the holder of Internet Number Resources (INRs) to make verifiable statements about those resources.

With RPKI standardized by the IETF several years ago, the SIDROPS Working Group was formed to update these standards and create additional ones to reflect the experience of network operators looking to deploy such Secure Inter-Domain Routing (SIDR) technologies. 

A particular area of concern, and one the Working Group has been looking at ways to combat, is errors introduced on the RPKI provisioning side (Certification Authority/repository) by adverse or inadvertent actions, as these can harm the routing system. Visualizing the RPKI is a first step towards helping people detect and diagnose such errors.

To help operators more easily detect and diagnose misconfigurations in their RPKI deployment before they turn into routing errors, we at ZDNS have developed a free visualization tool, RPKIVIZ. It is currently available as a beta version, and we are seeking community feedback to help us make it even more user friendly.

Read: Rise of the invalids

What is visualized

RPKIVIZ displays the content and correlations of RPKI objects (ROA/manifest/certificate/CRL). It generates a graphical output of:

  1. Its validation state (valid, invalid, or valid with warnings).
  2. Its validation chain.
  3. All relevant RPKI data objects in this chain, arranged in a tree structure that mirrors the relationships among those objects.
  4. All validation warnings or errors (if any), shown as error icons on the problematic elements.

Figure 1 — RPKIVIZ display.

Moving a cursor over an RPKI object will cause additional data to be displayed about the object.

Figure 2 — Hovering over RPKI objects will display additional data.

In addition, RPKIVIZ also offers a statistical view of the RPKI global repositories, from which you can get a list of invalid objects by clicking the red indicator with its summation number.

Figure 3 — Statistical view of RPKI global repositories.

RPKIVIZ uses the validated RPKI data offered by RPSTIR 2, an open-source RPKI relying party software that synchronizes with global RPKI repositories at least once per day.

The backend process transforms the validation chains into JSON, and the statistics are updated as soon as RPSTIR's validated cache is refreshed.

Read: RPSTIR: A Relying Party Security Technology for Internet Routing

How to use RPKIVIZ

Certification Authority/repository operators, ISP operators and any other stakeholder in the RPKI will benefit from RPKIVIZ by using its visualized data to detect and diagnose errors occurring on the RPKI provisioning side. We also expect researchers to use RPKIVIZ to find further interesting insights.

The RPKI Search bar provides the main entrance to this service. Visualized data information can be searched for by file name or the INR (IP address or ASN) bound to specific ROAs.

Figure 4 — You can search by file name or IP addresses or ASNs bound to specific ROAs.

The targeted RPKI objects can also be searched for by their file name.

Figure 5 — Or search by file name.
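To make the two mechanisms described above concrete (the backend turning a validated cache into JSON validation chains and a tree with error markers and per-repository statistics, and the search bar resolving a file name, ASN or IP address to the matching objects), here is a small added model in Python. It is example code written for this post, not RPKIVIZ or RPSTIR code; the JSON layout, the file names, the repository names and the `message` field are all constructed assumptions, not RPSTIR's real export format. Validation status here is propagated along the certificate chain only: an object under an invalid CA certificate is reported invalid, which is the kind of provisioning-side error the visualizer is meant to surface.

```python
"""Toy model of the RPKIVIZ backend and search bar (added example, not the
project's code). Validated objects are read from a JSON export, linked into a
tree via their issuing CA certificate, flagged with markers where RPKIVIZ would
show error icons, summarized per repository, and looked up by file name or INR.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample of a validated cache in an ASSUMED layout: 'parent' names
# the issuing CA certificate, 'status' is what the validator reported.
SAMPLE_CACHE_JSON = """
[
 {"file": "ta.cer",  "type": "certificate", "parent": null,      "repo": "rpki.example.net", "status": "valid"},
 {"file": "ca1.cer", "type": "certificate", "parent": "ta.cer",  "repo": "rpki.example.net", "status": "valid"},
 {"file": "ca1.mft", "type": "manifest",    "parent": "ca1.cer", "repo": "rpki.example.net", "status": "warning",
  "message": "manifest nextUpdate is in the past"},
 {"file": "ca1.crl", "type": "crl",         "parent": "ca1.cer", "repo": "rpki.example.net", "status": "valid"},
 {"file": "r1.roa",  "type": "roa",         "parent": "ca1.cer", "repo": "rpki.example.net", "status": "valid",
  "asn": 64500, "prefixes": ["192.0.2.0/24"]},
 {"file": "ca2.cer", "type": "certificate", "parent": "ta.cer",  "repo": "repo.example.org", "status": "invalid",
  "message": "certificate expired"},
 {"file": "r2.roa",  "type": "roa",         "parent": "ca2.cer", "repo": "repo.example.org", "status": "valid",
  "asn": 64501, "prefixes": ["198.51.100.0/24", "2001:db8::/32"]}
]
"""


def load_objects(cache_json):
    """Index the exported objects by file name."""
    return {o["file"]: o for o in json.loads(cache_json)}


def validation_chain(objects, file):
    """Walk parent links from the object up to the trust anchor (leaf first)."""
    chain, cur = [], objects[file]
    while cur is not None:
        chain.append(cur["file"])
        cur = objects.get(cur["parent"]) if cur["parent"] else None
    return chain


def effective_status(objects, file):
    """An object is only as good as its certificate chain: any invalid ancestor
    makes it invalid; otherwise a warning anywhere in the chain is surfaced."""
    statuses = [objects[f]["status"] for f in validation_chain(objects, file)]
    if "invalid" in statuses:
        return "invalid"
    if "warning" in statuses:
        return "warning"
    return "valid"


def build_tree(objects):
    """children[ca_file] -> [child files]; mirrors the repository structure."""
    children = defaultdict(list)
    for o in objects.values():
        if o["parent"]:
            children[o["parent"]].append(o["file"])
    return children


def render_tree(objects, children, root, depth=0):
    """Indented text rendering; [!] and [X] stand in for the warning/error icons."""
    marker = {"valid": "", "warning": " [!]", "invalid": " [X]"}[effective_status(objects, root)]
    lines = ["  " * depth + f"{root} ({objects[root]['type']}){marker}"]
    for child in sorted(children.get(root, [])):
        lines.extend(render_tree(objects, children, child, depth + 1))
    return lines


def repo_stats(objects):
    """Per-repository counts by effective status (the 'statistical view')."""
    stats = defaultdict(lambda: {"valid": 0, "warning": 0, "invalid": 0})
    for f, o in objects.items():
        stats[o["repo"]][effective_status(objects, f)] += 1
    return dict(stats)


def search(objects, query):
    """Resolve a file name, an ASN ('AS64500' or '64500'), or an IP address or
    prefix covered by a ROA's prefixes, to the matching object file names."""
    if query in objects:
        return [query]
    digits = query.upper().lstrip("AS")
    if digits.isdigit():
        asn = int(digits)
        return sorted(f for f, o in objects.items() if o["type"] == "roa" and o["asn"] == asn)
    try:
        net = ipaddress.ip_network(query, strict=False)  # a bare address becomes a /32 or /128
    except ValueError:
        return []
    hits = []
    for f, o in objects.items():
        if o["type"] != "roa":
            continue
        for p in o["prefixes"]:
            covering = ipaddress.ip_network(p)
            if covering.version == net.version and net.subnet_of(covering):
                hits.append(f)
                break
    return sorted(hits)


if __name__ == "__main__":
    objs = load_objects(SAMPLE_CACHE_JSON)
    print("\n".join(render_tree(objs, build_tree(objs), "ta.cer")))
    print(repo_stats(objs))
    print(search(objs, "AS64501"), search(objs, "192.0.2.5"), search(objs, "ca1.mft"))
```

Running the script prints the tree rooted at `ta.cer` with `r2.roa` marked invalid even though the validator accepted the ROA itself, because its issuing certificate `ca2.cer` is expired; the statistics show that repository with two invalid objects, which is the number a user would click on in the statistical view to get the list.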

Help us make RPKIVIZ even better

As mentioned, RPKIVIZ is in its beta version and we encourage users to provide feedback on how we can improve it. You can leave a comment below or email us at rpki@zdns.cn.

On behalf of my team, I would like to extend thanks to Dr. Stephen Kent for his guidance in maintaining and evolving RPSTIR, and to George Michaelson for his suggestion to create this kind of visualizer for public use.

Di Ma is a Principal Research Fellow at ZDNS, and co-founder and acting Co-Chair of the APNIC Routing Security SIG.


The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.
