Running Interactively

Routinator can perform RPKI validation as a one-time operation and print a validated ROA payload (VRP) list in various formats using the vrps subcommand and specifying the desired format.

Warning

If you have installed Routinator through the NLnet Labs software package repository, the installation script will set up the application to run as a service. You should not run Routinator as a daemon and interactively at the same time on the same machine.

For example, to print the VRPs in CSV format to standard output, run:

routinator vrps --format csv

To generate a file with with the validated ROA payloads in JSON format, run:

routinator vrps --format json --output authorisedroutes.json

During the validation process, logging information will be printed to standard error. You can influence the amount of details returned with the --verbose and --quiet options. To learn more about what kind of information returned, refer to the Logging section.

If you have enabled BGPsec and/or ASPA validation, in some output formats the amount of data can be quite overwhelming. You can exclude specific data types for the output with the --no-route-origins, --no-router-keys and the --noaspas options.

Changed in version 0.13.0: Allow excluding specific data from the output.

Query Options

In case you are looking for specific information in the output, Routinator allows you to add selectors to see if a prefix or ASN is covered or matched by a VRP. You can do this using the --select-asn and --select-prefix options.

When using --select-asn, you can use both AS64511 and 64511 as the notation. With --select-prefix, the result will include VRPs regardless of their ASN and MaxLength. Both selector flags can be combined and used multiple times in a single query. The output for each additional selector will be added to the results.

A validation run will be started before returning the result, making sure you get the latest information. If you would like a result from the current cache, you can use the --noupdate option.

Here is an example selecting VRPs related to a specific ASN, produced in json format:

routinator vrps --format json --select-asn 196615

This results in:

{
  "metadata": {
    "generated": 1626853335,
    "generatedTime": "2021-07-21T07:42:15Z"
  },
  "roas": [
    { "asn": "AS196615", "prefix": "2001:7fb:fd03::/48", "maxLength": 48, "ta": "ripe" },
    { "asn": "AS196615", "prefix": "2001:7fb:fd04::/48", "maxLength": 48, "ta": "ripe" },
    { "asn": "AS196615", "prefix": "93.175.147.0/24", "maxLength": 24, "ta": "ripe" }
  ]
}

More Specific Prefixes

When you query for a prefix, by default Routinator will return the exact match, as well as less specifics. The reason is that a VRP of an overlapping less specific prefix can also affect the RPKI validity of a BGP announcement, depending on the Maximum Prefix Length (MaxLength) that is set.

In some cases you may want more specifics to be displayed as well. For this the --more-specifics option can be used. For example, when querying for 82.221.32.0/20:

routinator vrps --format json --select-asn 82.221.32.0/20

Routinator will return the exact match and the VRP for the less specific /17 prefix:

{
   "metadata": {
      "generated": 1644266267,
      "generatedTime": "2022-02-07T20:37:47Z"
   },
   "roas": [
      { "asn": "AS30818", "prefix": "82.221.32.0/20", "maxLength": 20, "ta": "ripe" },
      { "asn": "AS44515", "prefix": "82.221.0.0/17", "maxLength": 17, "ta": "ripe" }
   ]
}

When including the --more-specifics option in the same query:

routinator vrps --format json --select-asn 82.221.32.0/20 --more-specifics

You will now see that a more specific /23 prefix is returned as well:

{
   "metadata": {
      "generated": 1644266267,
      "generatedTime": "2022-02-07T20:37:47Z"
   },
   "roas": [
      { "asn": "AS44515", "prefix": "82.221.46.0/23", "maxLength": 23, "ta": "ripe" },
      { "asn": "AS30818", "prefix": "82.221.32.0/20", "maxLength": 20, "ta": "ripe" },
      { "asn": "AS44515", "prefix": "82.221.0.0/17", "maxLength": 17, "ta": "ripe" }
   ]
}

Tip

The --more-specifics option will also work if there is no exactly matching or less specific prefix. In that case you will get a list of all more specific VRPs covered by the prefix you supplied in the query.

Exclude Specific Data Types

If you have enabled BGPsec and/or ASPA validation, in some output formats the amount of data can be quite overwhelming. You can exclude specific payload types with the --no-route-origins, --no-router-keys and --noaspas options to disable inclusion of route origins, router keys, and ASPAs, respectively.

Deprecated since version 0.9.0: --filter-asn and --filter-prefix

Changed in version 0.11.0: Add the --more-specifics option

New in version 0.13.0: Allow excluding specific data from the output