Home - RIPE-NCC/rpki-validator-3 GitHub Wiki

Welcome to the RIPE NCC RPKI Validator 3.

The RPKI Validator can be used to perform RPKI Validation and use the output to perform BGP Origin Validation.

The project consists of two separately deployable units:

  • The RPKI Validator itself
  • A separate RPKI-RTR server

The validator is set up to run as a daemon, and has the following features:

  • Supports all current RPKI objects: certificates, manifests, CRLs, ROAs, router certificates and ghostbuster records
  • Supports the RRDP delta protocol
  • Supports caching RPKI data in case a repository is unavailable
  • Uses an asynchronous strategy to retrieve (often delegated) repositories, so that unavailable repositories do not block validation
  • Features an API
  • Has a full UI
  • Supports exceptions through local filters and assertions

The RPKI-RTR server is a separate daemon that allows routers to connect using the RPKI-RTR protocol. It is set up as a separate instance because not everyone needs to run it and, more importantly, because a separate daemon lets you run more than one instance for redundancy (it keeps state even when the validator is down).

System Requirements

You will need a Unix-like system with OpenJDK 8 or higher and rsync. We develop on Mac OSX and test the RPMs that we build for Centos7, but the generic build should work on more systems.

You will need at least 1.5GB available on your server (2GB in total if you also run the RPKI-RTR server). One (virtual) CPU should be enough. The repository objects are stored in a file-based database, rather than in memory - we recommend at least 10GB of available disk space (under /var/lib/rpki-validator-3/db for the RPM).

Installation and releases

Upon every commit to master a new version of the RPKI Validator and RTR Server is built. We build these packages only once. The package is then deployed and tested in different stages, and possibly promoted. This way we can be sure that no code changes (and bugs) are introduced when we promote a build to the next stage.

The first stage is "dev". Releases deployed here are highly volatile. We use this for quick internal testing of features.

The second stage is "beta". It is still fairly volatile, but is used to test features that should be ready for the next release candidate. If you want, you can help test the latest releases that made it to "beta".

The third stage is "Release Candidate". Releases that are made available here should be stable enough to make it to production next. We have tested them on our side, but we would really welcome your help.

The final stage is "Production". More information about production releases here.

Server PORT and ADDRESS

NOTE: By default the validator and rpki-rtr server are configured to listen on localhost ONLY

You can change this by editing the "server.address" setting in the "application.properties" file. If you do, we recommend that you make sure that your server is not accessible from the public internet. You may also want to set up an Apache or Nginx proxy if you want HTTPS and/or want to restrict access.

Note that the Validator uses port 8080 by default for its UI. However, you can change this by editing the "server.port" setting in the "application.properties" file (/etc/rpki-validator-3/application.properties on Centos).

Once set up, you can access the Validator UI here: http://localhost:8080/

Alternatively you can explore the REST API here: http://localhost:8080/swagger-ui.html#/.
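
A check for the bind settings described above, as an added example that is not part of the RPKI Validator project: it reads "server.address" and "server.port" from an "application.properties" file and succeeds only when the listener is loopback-only. The function names and the sample file contents are constructed for illustration; a missing "server.address" is reported as "unset" rather than assumed safe.

```shell
#!/bin/sh
# Added example, not part of the RPKI Validator project: report which
# interface class application.properties binds the validator to.

# prop_get FILE KEY: print the last value assigned to KEY. Handles
# "key=value" and "key: value"; skips "#" and "!" comment lines.
prop_get() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /[ \t]*[=:][ \t]*/)) next
            k = substr(line, 1, RSTART - 1)
            v = substr(line, RSTART + RLENGTH)
            sub(/[ \t\r]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }' "$1"
}

# bind_scope ADDR: classify a server.address value.
bind_scope() {
    case "$1" in
        "")                   echo unset ;;
        localhost|127.*|::1)  echo loopback ;;
        0.0.0.0|::)           echo wildcard ;;
        *)                    echo interface ;;
    esac
}

# audit_listener FILE: print "<scope> <address> <port>"; succeed only when
# the listener is loopback-only. Port falls back to the documented 8080.
audit_listener() {
    addr=$(prop_get "$1" server.address)
    port=$(prop_get "$1" server.port)
    scope=$(bind_scope "$addr")
    echo "$scope ${addr:--} ${port:-8080}"
    [ "$scope" = loopback ]
}

# Constructed sample: an edited config that exposes the UI on all interfaces.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'server.port = 9090' \
    'server.address=localhost' 'server.address: 0.0.0.0' > "$sample"
audit_listener "$sample" || echo "review: listener is not loopback-only"
rm -f "$sample"
```

On a Centos RPM installation the file to pass to audit_listener is /etc/rpki-validator-3/application.properties. A non-zero exit means the listener is reachable beyond loopback (or not set in the file) and should sit behind a firewall or proxy.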

Install extra TALs

By default the validator will have TAs installed for AFRINIC, APNIC, LACNIC and RIPE NCC, but not ARIN.

You can download the ARIN TAL here. Any of the formats will work, but the "RIPE NCC RPKI Validator" one will ensure that the TA has the friendly name "ARIN". To upload it you can use the following script:

upload-tal.sh arin-ripevalidator.tal http://localhost:8080/

The script should be in the root folder if you unpacked the generic build, or in /usr/bin if you installed the RPM. The source can be found here.

Alternatively, you can put extra TAL files into the preconfigured-tals directory of the RPKI Validator installation. This directory is scanned at startup and all parseable TALs are picked up for validation. For an RPM installation the directory is /var/lib/rpki-validator-3/preconfigured-tals/.