Created
March 29, 2019 17:03
check_roa.sh: A script that checks valid ROAs for a list of IP blocks
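#!/bin/bash
# check_roa.sh - check that every IP block in a list has a valid ROA.
#
# Two sources are queried for each entry:
#   1. an RPKI validator HTTP API  (state must be "Valid")
#   2. the bgpmon whois service    (status must be "ROA validation successful")
#
# Input:  iplist.txt in the current directory, comma-separated, one entry per
#         line. Field 1 is the IP block; field 2 is placed in the validator URL
#         as /api/v1/validity/<field2>/<field1> (presumably the origin ASN -
#         confirm against your validator's API). Further fields are ignored.
# Output: one result line per entry on stdout, then an OK:/WARN: summary.
# Exit:   0 if every check passed; 2 if any check failed, an entry was
#         malformed, a required tool is missing, or the list was not found.

iplist="iplist.txt"
notvalid=0

# Replace with your own validator.
# NOTE(review): this default is plain HTTP, so the validity answer is not
# authenticated in transit and anything on the network path could change it.
# Prefer a validator you operate, reached over HTTPS or a trusted local path.
# The whois lookup further down is an unauthenticated plaintext protocol too,
# so treat both results as monitoring signals rather than proof.
rpki_validator="http://localcert.ripe.net:8088"

# Upper bound in seconds for one validator request, so a hung endpoint cannot
# stall the whole check.
curl_timeout=30

# Succeeds when $1 contains only characters that can occur in an IPv4/IPv6
# prefix. Keeps list entries from being read as whois options or from adding
# extra path/query components to the validator URL.
is_prefix() {
  local re='^[0-9A-Fa-f:.]+(/[0-9]{1,3})?$'
  [[ $1 =~ $re ]]
}

# Succeeds when $1 is a decimal AS number, optionally prefixed with "AS".
is_asn() {
  local re='^([Aa][Ss])?[0-9]+$'
  [[ $1 =~ $re ]]
}

# Fail early and explicitly when a required tool is missing; otherwise every
# entry would just be reported as not valid with no hint about the cause.
for tool in curl jq whois; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    echo "ERROR: required tool '$tool' not found."
    exit 2
  fi
done

if [ ! -f "$iplist" ]; then
  echo "ERROR: $iplist not found."
  exit 2
fi

# Checking rpki validator
# Expected to see valid for all prefixes (i.e. announced by the ASN)
echo "=== Results from rpki-validator =="
# The list is read on fd 3 so commands in the loop body cannot consume it via
# stdin. "|| [[ -n ... ]]" also processes a final line without a newline.
while IFS=',' read -r prefix asn _ <&3 || [[ -n $prefix ]]; do
  # Tolerate CRLF line endings and skip blank lines.
  prefix=${prefix%$'\r'}
  asn=${asn%$'\r'}
  [ -n "$prefix" ] || continue

  # Malformed entries are reported and counted as failures (fail closed)
  # instead of being interpolated into the request URL.
  if ! is_prefix "$prefix" || ! is_asn "$asn"; then
    echo "$prefix $asn malformed-entry"
    notvalid=1
    continue
  fi

  # --fail makes HTTP errors yield empty output instead of an error page that
  # would be handed to jq. An empty or unparsable answer leaves state empty,
  # which is treated as not valid below.
  out=$(curl -s --fail --max-time "$curl_timeout" \
    "$rpki_validator/api/v1/validity/$asn/$prefix" 3<&-)
  state=$(printf '%s' "$out" | jq -r '.[].validity.state')
  echo "$prefix $asn ${state:-no-result}"
  if [ "$state" != "Valid" ]; then
    notvalid=1
  fi
done 3< "$iplist"

# Checking IP block with bgpmon
# Will show invalid if detected as originating from other ASN
echo "=== Results from bgpmon ==="
while IFS=',' read -r prefix _ <&3 || [[ -n $prefix ]]; do
  prefix=${prefix%$'\r'}
  [ -n "$prefix" ] || continue

  if ! is_prefix "$prefix"; then
    echo "$prefix malformed-entry"
    notvalid=1
    continue
  fi

  # cut keeps whatever padding follows the colon, and the exact-match
  # comparison below would then never succeed; strip surrounding whitespace.
  # Several "RPKI status" lines produce a multi-line value, which does not
  # match and is therefore counted as a failure.
  status=$(whois -h whois.bgpmon.net "$prefix" 3<&- \
    | grep -e "RPKI status" \
    | cut -d":" -f2 \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
  echo "$prefix ${status:-no-result}"
  if [ "$status" != "ROA validation successful" ]; then
    notvalid=1
  fi
done 3< "$iplist"

if [ "$notvalid" -eq 0 ]; then
  echo "OK: ROA validation successful."
  exit 0
else
  echo "WARN: Some ROAs are not valid."
  exit 2
fi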