How to create the signing keypair for ARIN hosted RPKI and generate signed ROA requests from your RADB route/route6 objects.
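#!/usr/bin/env bash
#
# Notes on setting up RPKI hosted on ARIN.
#
# Step 1: generate the RSA keypair ARIN will use to verify your requests
#         (done once; the public half is pasted into ARIN's web UI).
# Step 2: for every route/route6 object in RADB maintained by the same
#         maintainers as your aut-num, build a pipe-delimited ROA request,
#         sign it with the private key and write <prefix>.<epoch>.roa for
#         pasting into ARIN's web UI.
#
# Usage:   ./this-script ASN        (e.g. 64500 or AS64500)
#
# Optional environment:
#   PFXMAX4  max prefix length written into IPv4 ROAs (default 28)
#   PFXMAX6  max prefix length written into IPv6 ROAs (default 64)
#   (raise these if an upstream lets you announce tagged /32s or /128s
#   for blackhole filtering; otherwise those announcements fail max-length)
#
# Needs: bash 4+, openssl, whois, GNU date (-d), and network access to
# whois.radb.net and whois.arin.net.
#
set -euo pipefail

keys=ARIN-RPKI-keypair.pem
pubkey=ARIN-RPKI-pubkey.pem
arin_ui=https://www.arin.net/public/secure/resources/
pfxmax4=${PFXMAX4:-28}
pfxmax6=${PFXMAX6:-64}

command -v openssl >/dev/null || { echo "openssl not found in PATH" >&2; exit 1; }
command -v whois   >/dev/null || { echo "whois not found in PATH" >&2; exit 1; }

# Default for everything written below (ROA requests, public key): owner rw,
# group r, nothing for others.
umask u=rwx,g=rx,o=

# --- private/public keypair --------------------------------------------------
# Kept before the argument check so a bare invocation still produces the keypair.
if [[ ! -e "$keys" ]]; then
  # The private key must never be group-readable, so it is created under a
  # tighter umask than the rest of the output and chmod'ed afterwards as well
  # (recent openssl creates it 0600 itself; older releases only honour umask).
  # -f4: use F4 (0x10001) as the public exponent.
  ( umask 077 && openssl genrsa -f4 -out "$keys" 2048 )
  chmod 600 -- "$keys"
fi

# extract public key only
if [[ ! -e "$pubkey" ]]; then
  openssl rsa -in "$keys" -pubout -outform PEM -out "$pubkey"
  echo "cat $pubkey into ARINs web UI: $arin_ui"
fi

# --- argument: origin ASN ----------------------------------------------------
# The ASN is interpolated into a whois query and into the signed record, so it
# must be a bare number; an "AS" prefix is tolerated and stripped.
as=${1-}
as=${as^^}
as=${as#AS}
if [[ -z $as || ! $as =~ ^[0-9]+$ ]]; then
  echo "usage: $(basename "$0") [ASN]" >&2
  exit 1
fi

# --- validity window ---------------------------------------------------------
# One year from now, in the MM-DD-YYYY form the ROA request expects; $now
# (epoch seconds) doubles as the request timestamp and the output file suffix.
today=$(date)
now=$(date -d "$today" +%s)
nextyear=$(date -d "$today +1year" +%m-%d-%Y)
today=$(date -d "$today" +%m-%d-%Y)

#######################################
# Print every RADB route/route6 object held by the maintainers of AS$as.
# Globals:  as (read)
# Outputs:  raw RPSL objects on stdout
#######################################
irr_routes() {
  local maint
  while IFS= read -r maint; do
    whois -h whois.radb.net -- "-i mnt-by -T route $maint"
    whois -h whois.radb.net -- "-i mnt-by -T route6 $maint"
  done < <(whois -h whois.radb.net -- "-T aut-num AS$as" \
             | awk '$1=="mnt-by:"{print $2}' | sort -u)
}

# --- generate and sign one ROA request per IRR route -------------------------
# awk reduces each object to "net len maxlen descr"; the max length is chosen
# by address family (route6 vs route).
irr_routes \
  | awk -F ': +' -v max4="$pfxmax4" -v max6="$pfxmax6" '
      /^route/ {
        split($2, a, "/")
        pfxnet = a[1]
        pfxlen = a[2]
        pfxmax = ($1 == "route6") ? max6 : max4
      }
      /^descr/  { descr = $2 }
      /^source/ { printf "%-15s %3i %3i %s\n", pfxnet, pfxlen, pfxmax, descr }
    ' \
  | sort -uk1,2 \
  | while read -r pfxnet pfxlen pfxmax descr; do
      # BEWARE! if there are dupe routes, the sort -u above arbitrarily keeps
      # one of their descriptions.

      # pfxnet/pfxlen come from a remote whois answer and are used both as
      # file names and as record fields: accept only address-looking values.
      if [[ ! $pfxnet =~ ^[0-9A-Fa-f.:]+$ || ! $pfxlen =~ ^[0-9]+$ ]]; then
        printf 'skipping unparseable route %q/%q\n' "$pfxnet" "$pfxlen" >&2
        continue
      fi
      # The request is pipe-delimited, so a "|" in the description would shift
      # every following field.
      descr=${descr//|/-}

      # Only space ARIN lists as a direct allocation/assignment is ours to
      # create ROAs for; skip the rest (and skip, with a warning, anything the
      # lookup itself fails on rather than aborting the whole run).
      if ! netinfo=$(whois -nh whois.arin.net "r = $pfxnet/$pfxlen"); then
        printf 'ARIN whois lookup failed for %s/%s, skipping\n' "$pfxnet" "$pfxlen" >&2
        continue
      fi
      grep -Eq '^NetType: +Direct' <<<"$netinfo" || continue

      roa="1|$now|$descr|$as|$today|$nextyear|$pfxnet|$pfxlen|$pfxmax|"
      # Sign exactly the bytes of the record (no trailing newline). Signing
      # from a pipe means no unsigned-record or .sig temp files are left
      # behind if openssl fails (pipefail makes that failure fatal).
      sig=$(printf '%s' "$roa" \
              | openssl dgst -sha256 -sign "$keys" -keyform PEM \
              | openssl enc -base64)

      out=$pfxnet.$now.roa
      printf -- '-----BEGIN ROA REQUEST-----\n%s\n-----END ROA REQUEST-----\n-----BEGIN SIGNATURE-----\n%s\n-----END SIGNATURE-----\n' \
        "$roa" "$sig" > "$out"
      echo "cat $out into ARINs web UI: $arin_ui"
    done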