Last active
May 24, 2018 16:23
-
-
Save dotysan/8672534 to your computer and use it in GitHub Desktop.
How to create your keypair and ROAs.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /bin/bash -e | |
| # | |
| # notes on setting up RPKI hosted on ARIN | |
| # | |
| umask u=rwx,g=rx,o= | |
| keys=ARIN-RPKI-keypair.pem | |
| pubkey=ARIN-RPKI-pubkey.pem | |
| hash openssl | |
| # private/public keypair | |
| if [ ! -e $keys ] | |
| then # -f4 use F4 (0x10001) for the E value (exponent) | |
| openssl genrsa -f4 -out $keys 2048 | |
| fi | |
| # extract public key only | |
| if [ ! -e $pubkey ] | |
| then openssl rsa -in $keys -pubout -outform PEM -out $pubkey | |
| echo "cat $pubkey into ARINs web UI: https://www.arin.net/public/secure/resources/" | |
| fi | |
| if [ -z "$1" ] | |
| then echo "usage: $(basename $0) [ASN]" >&2 | |
| exit 1 | |
| else as=$1 | |
| fi | |
| # now generate and sign some ROAs from your IRR records | |
| today=`date` | |
| now=`date -d "$today" +%s` | |
| nextyear=`date -d "$today +1year" +%m-%d-%Y` | |
| today=`date -d "$today" +%m-%d-%Y` | |
| { while read maint | |
| do whois -h whois.radb.net -- "-i mnt-by -T route $maint" | |
| whois -h whois.radb.net -- "-i mnt-by -T route6 $maint" | |
| done < <(whois -h whois.radb.net -- "-T aut-num AS$as" |awk '$1=="mnt-by:"{print$2}' |sort -u) | |
| }|awk -F ': +' ' | |
| /^route/ { | |
| route= $2 | |
| split(route,a,"/") | |
| pfxnet= a[1] | |
| pfxlen= a[2] | |
| if($1=="route6")pfxmax=64 | |
| else pfxmax=28 | |
| # TODO: what if you have an upstream/provider who allows | |
| # you to advertize tagged /32s (or v6/128s) for | |
| # blackhole filtering? Will they reject your | |
| # advertizement for failing max length? | |
| } | |
| /^descr/ { | |
| descr= $2 | |
| } | |
| /^source/ { | |
| printf "%-15s %3i %3i %s\n", pfxnet, pfxlen, pfxmax, descr | |
| } | |
| '|sort -uk1,2 |while read pfxnet pfxlen pfxmax descr | |
| # BEWARE! if there are dupe routes, the sort unique above arbitrarily picks one description | |
| do if whois -nh whois.arin.net "r = $pfxnet/$pfxlen" |egrep -q '^NetType: +Direct' # filter out indirect allocations | |
| then roa="1|$now|$descr|$as|$today|$nextyear|$pfxnet|$pfxlen|$pfxmax|" | |
| echo -n "$roa" >$pfxnet.$now.roa | |
| openssl dgst -sha256 -sign $keys -keyform PEM -out $pfxnet.sig $pfxnet.$now.roa | |
| sig=`openssl enc -base64 -in $pfxnet.sig` | |
| cat >$pfxnet.$now.roa <<-EOF | |
| -----BEGIN ROA REQUEST----- | |
| $roa | |
| -----END ROA REQUEST----- | |
| -----BEGIN SIGNATURE----- | |
| $sig | |
| -----END SIGNATURE----- | |
| EOF | |
| rm $pfxnet.sig | |
| echo "cat $pfxnet.$now.roa into ARINs web UI: https://www.arin.net/public/secure/resources/" | |
| fi done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment