Title: Example on how to use rpki-client to authenticate a signed Geofeed
Date: Fri Sep 15 01:33:24 UTC 2023
Author: Job Snijders

Table of Contents:

  * Finding
  * Downloading
  * Authenticating
  * JSON

Finding the Geofeed file
=========================

For some IP resources, geolocation information is available in the form of
a signed Geofeed [RFC 9092] file. The 2001:67c:208c::/48 prefix is one of
those.

First, find a Geofeed file:

  https://geolocatemuch.com/?resource=2001:67c:208c::

An alternative approach is to use whois and search for the keyword:

  $ whois 2001:67c:208c::/48 | grep -i geofeed
  remarks:        Geofeed https://sobornost.net/geofeed.csv

Downloading
===========

  $ wget -q https://sobornost.net/geofeed.csv
  $ ls -lahtr geofeed.csv
  -rw-r--r--  1 job  wheel   2.3K Nov 25  2022 geofeed.csv

Authenticating the Geofeed file
===============================

In order to authenticate a signed Geofeed file, three steps are needed:

  (1) installation of the software
  (2) population of the local RPKI cache
  (3) authenticating the signed Geofeed

Install rpki-client 8.5 or later. The example below is based on Debian
Trixie (or Bookworm backports, or Bullseye backports).

Install the software:

  $ sudo apt install rpki-client
  $ sudo rpki-client -V
  rpki-client-portable 8.5

Now populate the local RPKI cache, rather than waiting for the scheduled
systemd timer to fire. This may take a few minutes.

  $ sudo systemctl start rpki-client

The above step is only needed for the impatient. Going forward, the systemd
timer will automatically and periodically refresh the local RPKI cache.
Now, authenticate the downloaded Geofeed file:

  $ sudo rpki-client -f geofeed.csv
  File:                     geofeed.csv
  Hash identifier:          VOXBRdQpiyALlLRdo3OkLbLIY4PexRlci/0EM9Fc21U=
  Subject key identifier:   D4:05:34:DB:56:A6:4D:A2:ED:4D:EF:AD:A9:C1:31:DA:19:56:DC:A7
  Certificate issuer:       /CN=caa805dbac364749b9b115590ab6ef0f970cdbd8
  Certificate serial:       06
  Authority key identifier: CA:A8:05:DB:AC:36:47:49:B9:B1:15:59:0A:B6:EF:0F:97:0C:DB:D8
  Authority info access:    rsync://rpki.ripe.net/repository/DEFAULT/yqgF26w2R0m5sRVZCrbvD5cM29g.cer
  Signing time:             Fri 25 Nov 2022 16:34:55 +0000
  Geofeed not before:       Fri 25 Nov 2022 16:34:52 +0000
  Geofeed not after:        Sat 25 Nov 2023 16:34:52 +0000
  Geofeed CSV records:
      IP: 2001:67c:208c::/48 (NL,NL-NH,Amsterdam,)
  Validation:               OK
  Signature path:           rsync://chloe.sobornost.net/rpki/RIPE-nljobsnijders/yqgF26w2R0m5sRVZCrbvD5cM29g.crl
                            rsync://chloe.sobornost.net/rpki/RIPE-nljobsnijders/yqgF26w2R0m5sRVZCrbvD5cM29g.mft
                            rsync://rpki.ripe.net/repository/DEFAULT/yqgF26w2R0m5sRVZCrbvD5cM29g.cer
                            rsync://rpki.ripe.net/repository/DEFAULT/KpSo3VVK5wEHIJnHC2QHVV3d5mk.crl
                            rsync://rpki.ripe.net/repository/DEFAULT/KpSo3VVK5wEHIJnHC2QHVV3d5mk.mft
                            rsync://rpki.ripe.net/repository/aca/KpSo3VVK5wEHIJnHC2QHVV3d5mk.cer
                            rsync://rpki.ripe.net/repository/aca/Kn3R14fXk-TIr1bhl9Tu2Sr2uhM.crl
                            rsync://rpki.ripe.net/repository/aca/Kn3R14fXk-TIr1bhl9Tu2Sr2uhM.mft
                            rsync://rpki.ripe.net/repository/2a7dd1d787d793e4c8af56e197d4eed92af6ba13.cer
                            rsync://rpki.ripe.net/repository/ripe-ncc-ta.crl
                            rsync://rpki.ripe.net/repository/ripe-ncc-ta.mft
                            rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer
  Signature path expires:   Fri 15 Sep 2023 08:12:43 +0000

JSON Output
===========

For use in automation pipelines, the rpki-client utility can also produce
JSON formatted output:
  $ sudo rpki-client -j -f geofeed.csv
  {
      "file": "geofeed.csv",
      "hash_id": "VOXBRdQpiyALlLRdo3OkLbLIY4PexRlci/0EM9Fc21U=",
      "type": "geofeed",
      "ski": "D4:05:34:DB:56:A6:4D:A2:ED:4D:EF:AD:A9:C1:31:DA:19:56:DC:A7",
      "cert_issuer": "/CN=caa805dbac364749b9b115590ab6ef0f970cdbd8",
      "cert_serial": "06",
      "aki": "CA:A8:05:DB:AC:36:47:49:B9:B1:15:59:0A:B6:EF:0F:97:0C:DB:D8",
      "aia": "rsync://rpki.ripe.net/repository/DEFAULT/yqgF26w2R0m5sRVZCrbvD5cM29g.cer",
      "signing_time": 1669394095,
      "valid_since": 1669394092,
      "valid_until": 1700930092,
      "expires": 1694765563,
      "records": [
          {
              "prefix": "2001:67c:208c::/48",
              "location": "NL,NL-NH,Amsterdam,"
          }
      ],
      "validation": "OK"
  }
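As an added example (not part of the original article, and not rpki-client's own code), the following Python shows how a pipeline would consume the JSON output above before trusting its records: it accepts a location only if rpki-client reported "validation": "OK", the Geofeed's own validity window contains the current time, the "expires" timestamp of the signature path has not passed, and a signed record actually covers the queried prefix. The JSON fields from the article's output are embedded so the checks run without a local RPKI cache; run_rpki_client() is the only part that needs rpki-client installed.

```python
import ipaddress
import json
import subprocess

# The fields from the article's "rpki-client -j -f geofeed.csv" output,
# embedded (key order changed) so the checks below can run offline.
SAMPLE_RESULT = json.loads("""{"file": "geofeed.csv", "type": "geofeed",
 "hash_id": "VOXBRdQpiyALlLRdo3OkLbLIY4PexRlci/0EM9Fc21U=",
 "ski": "D4:05:34:DB:56:A6:4D:A2:ED:4D:EF:AD:A9:C1:31:DA:19:56:DC:A7",
 "cert_issuer": "/CN=caa805dbac364749b9b115590ab6ef0f970cdbd8", "cert_serial": "06",
 "aki": "CA:A8:05:DB:AC:36:47:49:B9:B1:15:59:0A:B6:EF:0F:97:0C:DB:D8",
 "aia": "rsync://rpki.ripe.net/repository/DEFAULT/yqgF26w2R0m5sRVZCrbvD5cM29g.cer",
 "signing_time": 1669394095, "valid_since": 1669394092,
 "valid_until": 1700930092, "expires": 1694765563, "validation": "OK",
 "records": [{"prefix": "2001:67c:208c::/48", "location": "NL,NL-NH,Amsterdam,"}]}""")


def run_rpki_client(path):
    """Authenticate a signed Geofeed file with rpki-client and parse its JSON."""
    proc = subprocess.run(["rpki-client", "-j", "-f", path],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def trusted_locations(result, resource, now):
    """Return (ok, reason, locations) for `resource` at Unix time `now`.
    Records are used only while every validity condition still holds."""
    if result.get("type") != "geofeed" or result.get("validation") != "OK":
        return False, f"validation failed: {result.get('validation')}", []
    if not result["valid_since"] <= now <= result["valid_until"]:
        return False, "outside the Geofeed's own validity window", []
    if now >= result["expires"]:
        # The RPKI objects on the signature path (CRLs, manifests) have
        # expired; the local cache must be refreshed and the file re-checked.
        return False, "signature path expired; refresh the RPKI cache", []
    want = ipaddress.ip_network(resource, strict=False)
    locations = []
    for rec in result["records"]:
        covering = ipaddress.ip_network(rec["prefix"], strict=False)
        # subnet_of() raises on mixed address families, so compare versions first.
        if want.version == covering.version and want.subnet_of(covering):
            locations.append(rec["location"])
    if not locations:
        return False, f"no signed record covers {resource}", []
    return True, "ok", locations


if __name__ == "__main__":
    print(trusted_locations(SAMPLE_RESULT, "2001:67c:208c::/48", 1694765000))
```

In a real pipeline, replace SAMPLE_RESULT with run_rpki_client("geofeed.csv") and pass time.time() as `now`.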