dotysan · May 24, 2018 16:23
diff --git a/arin-rpki-roagen.sh b/arin-rpki-roagen.sh
 #! /bin/bash -e
 #
 # notes on setting up RPKI hosted on ARIN
 #
 umask u=rwx,g=rx,o=

 keys=ARIN-RPKI-keypair.pem
 pubkey=ARIN-RPKI-pubkey.pem
 hash openssl

 # private/public keypair
 if [ ! -e $keys ]
 then	# -f4 use F4 (0x10001) for the E value (exponent)
 	openssl genrsa -f4 -out $keys 2048
 fi

 # extract public key only
 if [ ! -e $pubkey ]
 then	openssl rsa -in $keys -pubout -outform PEM -out $pubkey
 	echo "cat $pubkey into ARINs web UI: https://www.arin.net/public/secure/resources/"
 fi

 if [ -z "$1" ]
 then	echo "usage: $(basename $0) [ASN]" >&2
 	exit 1
 else as=$1
 fi

 # now generate and sign some ROAs from your IRR records
 today=`date`
 now=`date -d "$today" +%s`
 nextyear=`date -d "$today +1year" +%m-%d-%Y`
 today=`date -d "$today" +%m-%d-%Y`
 {	while read maint
 	do	whois -h whois.radb.net -- "-i mnt-by -T route $maint"
 		whois -h whois.radb.net -- "-i mnt-by -T route6 $maint"
 	done < <(whois -h whois.radb.net -- "-T aut-num AS$as" |awk '$1=="mnt-by:"{print$2}' |sort -u)
 }|awk -F ': +' '
 	/^route/ {
 		route= $2
 		split(route,a,"/")
 		pfxnet= a[1]
 		pfxlen= a[2]
 		if($1=="route6")pfxmax=64
 		else pfxmax=28
 		# TODO: what if you have an upstream/provider who allows
 		# you to advertize tagged /32s (or v6/128s) for
 		# blackhole filtering? Will they reject your
 		# advertizement for failing max length?
 	}
 	/^descr/ {
 		descr= $2
 	}
 	/^source/ {
 		printf "%-15s %3i %3i %s\n", pfxnet, pfxlen, pfxmax, descr
 	}
 '|sort -uk1,2 |while read pfxnet pfxlen pfxmax descr
 # BEWARE! if there are dupe routes, the sort unique above arbitrarily picks one description
 do if whois -nh whois.arin.net "r = $pfxnet/$pfxlen" |egrep -q '^NetType: +Direct' # filter out indirect allocations
 then	roa="1|$now|$descr|$as|$today|$nextyear|$pfxnet|$pfxlen|$pfxmax|"
 	echo -n "$roa" >$pfxnet.$now.roa
 	openssl dgst -sha256 -sign $keys -keyform PEM -out $pfxnet.sig $pfxnet.$now.roa
 	sig=`openssl enc -base64 -in $pfxnet.sig`
 	cat >$pfxnet.$now.roa <<-EOF
 		-----BEGIN ROA REQUEST-----
 		$roa
 		-----END ROA REQUEST-----
 		-----BEGIN SIGNATURE-----
 		$sig
 		-----END SIGNATURE-----
 	EOF
 	rm $pfxnet.sig
 	echo "cat $pfxnet.$now.roa into ARINs web UI: https://www.arin.net/public/secure/resources/"
 fi done
	#! /bin/bash -e
	#
	# notes on setting up RPKI hosted on ARIN
	#
	umask u=rwx,g=rx,o=

	keys=ARIN-RPKI-keypair.pem
	pubkey=ARIN-RPKI-pubkey.pem
	hash openssl

	# private/public keypair
	if [ ! -e $keys ]
	then # -f4 use F4 (0x10001) for the E value (exponent)
	openssl genrsa -f4 -out $keys 2048
	fi

	# extract public key only
	if [ ! -e $pubkey ]
	then openssl rsa -in $keys -pubout -outform PEM -out $pubkey
	echo "cat $pubkey into ARINs web UI: https://www.arin.net/public/secure/resources/"
	fi

	if [ -z "$1" ]
	then echo "usage: $(basename $0) [ASN]" >&2
	exit 1
	else as=$1
	fi

	# now generate and sign some ROAs from your IRR records
	today=`date`
	now=`date -d "$today" +%s`
	nextyear=`date -d "$today +1year" +%m-%d-%Y`
	today=`date -d "$today" +%m-%d-%Y`
	{ while read maint
	do whois -h whois.radb.net -- "-i mnt-by -T route $maint"
	whois -h whois.radb.net -- "-i mnt-by -T route6 $maint"
	done < <(whois -h whois.radb.net -- "-T aut-num AS$as" \|awk '$1=="mnt-by:"{print$2}' \|sort -u)
	}\|awk -F ': +' '
	/^route/ {
	route= $2
	split(route,a,"/")
	pfxnet= a[1]
	pfxlen= a[2]
	if($1=="route6")pfxmax=64
	else pfxmax=28
	# TODO: what if you have an upstream/provider who allows
	# you to advertize tagged /32s (or v6/128s) for
	# blackhole filtering? Will they reject your
	# advertizement for failing max length?
	}
	/^descr/ {
	descr= $2
	}
	/^source/ {
	printf "%-15s %3i %3i %s\n", pfxnet, pfxlen, pfxmax, descr
	}
	'\|sort -uk1,2 \|while read pfxnet pfxlen pfxmax descr
	# BEWARE! if there are dupe routes, the sort unique above arbitrarily picks one description
	do if whois -nh whois.arin.net "r = $pfxnet/$pfxlen" \|egrep -q '^NetType: +Direct' # filter out indirect allocations
	then roa="1\|$now\|$descr\|$as\|$today\|$nextyear\|$pfxnet\|$pfxlen\|$pfxmax\|"
	echo -n "$roa" >$pfxnet.$now.roa
	openssl dgst -sha256 -sign $keys -keyform PEM -out $pfxnet.sig $pfxnet.$now.roa
	sig=`openssl enc -base64 -in $pfxnet.sig`
	cat >$pfxnet.$now.roa <<-EOF
	-----BEGIN ROA REQUEST-----
	$roa
	-----END ROA REQUEST-----
	-----BEGIN SIGNATURE-----
	$sig
	-----END SIGNATURE-----
	EOF
	rm $pfxnet.sig
	echo "cat $pfxnet.$now.roa into ARINs web UI: https://www.arin.net/public/secure/resources/"
	fi done