{"id":32210126,"url":"https://github.com/bgp/stayrtr","last_synced_at":"2026-02-18T21:03:22.870Z","repository":{"id":39902666,"uuid":"365253689","full_name":"bgp/stayrtr","owner":"bgp","description":"RPKI-To-Router server implementation in Go","archived":false,"fork":false,"pushed_at":"2026-02-09T10:20:40.000Z","size":9037,"stargazers_count":140,"open_issues_count":17,"forks_count":27,"subscribers_count":11,"default_branch":"master","last_synced_at":"2026-02-09T15:27:12.720Z","etag":null,"topics":["bgp","go","rpki","rtr"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bgp.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING","funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2021-05-07T14:07:17.000Z","updated_at":"2026-02-09T10:20:51.000Z","dependencies_parsed_at":"2023-12-18T16:51:15.323Z","dependency_job_id":"0e3c60da-dd8b-4dee-9d41-7cf9a638cd36","html_url":"https://github.com/bgp/stayrtr","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"purl":"pkg:github/bgp/stayrtr","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bgp%2Fstayrtr","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bgp%2Fstayrtr/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bgp%2Fstayrtr/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bgp%2Fstayrtr/manifests","owner_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bgp","download_url":"https://codeload.github.com/bgp/stayrtr/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bgp%2Fstayrtr/sbom","scorecard":{"id":236134,"data":{"date":"2025-08-11","repo":{"name":"github.com/bgp/stayrtr","commit":"98a592f3cc53e842a2af29b3180b035966c14bc6"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.9,"checks":[{"name":"Code-Review","score":7,"reason":"Found 13/18 approved changesets -- score normalized to 7","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":3,"reason":"4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: 
no topLevel permission defined: .github/workflows/codeql.yml:1","Warn: no topLevel permission defined: .github/workflows/docker-tag.yml:1","Warn: no topLevel permission defined: .github/workflows/docker.yml:1","Warn: no topLevel permission defined: .github/workflows/go-tag.yml:1","Warn: no topLevel permission defined: .github/workflows/go.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.txt:0","Info: FSF or OSI recognized license: BSD 3-Clause \"New\" or \"Revised\" License: LICENSE.txt:0"],"documentation":{"short":"Determines if the project has defined 
a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.6.2 not signed: https://api.github.com/repos/bgp/stayrtr/releases/203855595","Warn: release artifact v0.5.1 not signed: https://api.github.com/repos/bgp/stayrtr/releases/94096981","Warn: release artifact v0.5.0 not signed: https://api.github.com/repos/bgp/stayrtr/releases/93503041","Warn: release artifact v0.4.0 not signed: https://api.github.com/repos/bgp/stayrtr/releases/90247324","Warn: release artifact v0.6.2 does not have provenance: https://api.github.com/repos/bgp/stayrtr/releases/203855595","Warn: release artifact v0.5.1 does not have provenance: https://api.github.com/repos/bgp/stayrtr/releases/94096981","Warn: release artifact v0.5.0 does not have provenance: https://api.github.com/repos/bgp/stayrtr/releases/93503041","Warn: release artifact v0.4.0 does not have provenance: https://api.github.com/repos/bgp/stayrtr/releases/90247324"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/docker-tag.yml:10"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/codeql.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/codeql.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/codeql.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/codeql.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/codeql.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/codeql.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker-tag.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/docker-tag.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-tag.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/docker-tag.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-tag.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/docker-tag.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-tag.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/docker-tag.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-tag.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/docker-tag.yml/master?enable=pin","Warn: third-party GitHubAction not 
pinned by hash: .github/workflows/docker-tag.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/docker-tag.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/docker.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/docker.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/docker.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/docker.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/docker.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/docker.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go-tag.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/go-tag.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/go-tag.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/go-tag.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/go.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/go.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/go.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/go.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/go.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/go.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/bgp/stayrtr/go.yml/master?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:6","Warn: containerImage not pinned by hash: Dockerfile:20","Warn: containerImage not pinned by hash: Dockerfile:28","Warn: containerImage not pinned by hash: Dockerfile:40","Warn: containerImage not pinned by hash: Dockerfile:51","Warn: containerImage not pinned by hash: package/Dockerfile:1: pin your Docker image by updating ruby to ruby@sha256:c4a4b497157a1e61ea26d26eea6d5b02d378fc8d1a9e76a2866c5c40c8f057b6","Warn: containerImage not pinned by hash: package/Dockerfile.release:1: pin your Docker image by updating alpine to alpine@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","Info:   0 out of  11 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  12 third-party GitHubAction dependencies pinned","Info:   0 out of   7 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection 
settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (25) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-17T05:48:18.915Z","repository_id":39902666,"created_at":"2025-08-17T05:48:18.915Z","updated_at":"2025-08-17T05:48:18.915Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29596127,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-18T20:59:56.587Z","status":"ssl_error","status_checked_at":"2026-02-18T20:58:41.434Z","response_time":162,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bgp","go","rpki","rtr"],"created_at":"2025-10-22T06:25:47.930Z","updated_at":"2026-02-18T21:03:22.852Z","avatar_url":"https://github.com/bgp.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# StayRTR\n\n![animated stayrtr logo](stayrtr.gif)\n\n[![Docker Pulls](https://img.shields.io/docker/pulls/rpki/stayrtr.svg)](https://hub.docker.com/r/rpki/stayrtr)\n\n\u003ca href=\"https://repology.org/project/stayrtr/versions\"\u003e\n    \u003cimg src=\"https://repology.org/badge/vertical-allrepos/stayrtr.svg\" alt=\"Packaging status\" align=\"right\"\u003e\n\u003c/a\u003e\n\nStayRTR is an open-source implementation of the RPKI-to-Router protocol (RFC 6810, RFC 8210), based on GoRTR, using [the Go Programming Language](http://golang.org/).\n\n* `/lib` contains a library to create your own server and client.\n* `/prefixfile` contains the structure of a JSON export file and signing capabilities.\n* `/cmd/stayrtr/stayrtr.go` is a simple implementation that fetches a list and offers it to a router.\n* `/cmd/rtrdump/rtrdump.go` allows copying the PDUs sent by an RTR server as a JSON file.\n* `/cmd/rtrmon/rtrmon.go` compares and monitors two RTR servers (using RTR and/or JSON), and outputs a diff and Prometheus metrics.\n\n## Disclaimer\n\n_This software comes with no warranty._\n\n## Sponsors\n\nThe StayRTR project was built on contributions of money and time.\nSpecial thanks for support to the Route Server Support Foundation [RSSF](https://www.rssf.nl), [Internet 
Society](https://www.internetsociety.org/) and [PCCW Global](https://www.pccwglobal.com/).\n\n## Features of the server\n\n* Dissemination of validated ROA and BGPsec payloads\n* Refreshes a JSON list of prefixes\n* Automatic expiration of outdated information (when using JSON produced by [rpki-client](https://www.rpki-client.org))\n* Prometheus metrics\n* TLS\n* SSH\n\n## Features of the extractor\n\n* Generate a list of prefixes received via RTR into a JSON file\n* Lightweight\n* TLS\n* SSH\n\n## Features of the API\n\n* Protocol v0 of [RFC6810](https://tools.ietf.org/html/rfc6810)\n* Protocol v1 of [RFC8210](https://tools.ietf.org/html/rfc8210)\n* Event-driven API\n* TLS\n* SSH\n\n## To start developing\n\nYou need a working [Go environment](https://golang.org/doc/install) (1.24 or newer).\nThis project also uses [Go Modules](https://github.com/golang/go/wiki/Modules).\n\n```bash\n$ git clone git@github.com:bgp/stayrtr.git \u0026\u0026 cd stayrtr\n$ go build cmd/stayrtr/stayrtr.go\n```\n\n## With Docker\n\nIf you do not want to use Docker, please go to the next section.\n\nIf you have **Docker**, you can start StayRTR with `docker run -ti -p 8082:8082 rpki/stayrtr` someday when it has been built.\n\nYou can now use any CLI attributes as long as they are after the image name:\n\n```bash\n$ docker run -ti -p 8083:8083 rpki/stayrtr -bind :8083\n```\n\nIf you want to build your own image of StayRTR:\n\n```bash\n$ docker build -t mystayrtr -f Dockerfile.stayrtr.prod .\n$ docker run -ti mystayrtr -h\n```\n\nIt will download the code from GitHub and compile it with Go and also generate an ECDSA key for SSH.\n\nPlease note: if you plan to use SSH with the default container (`rpki/stayrtr`),\nreplace the key `private.pem` since it is a testing key that has been published.\nAn example is given below:\n\n```bash\n$ docker run -ti -v $PWD/mynewkey.pem:/private.pem rpki/stayrtr -ssh.bind :8083\n```\n\n## Install it\n\nThere are a few solutions to install it.\n\nGo can 
directly fetch it from the source\n\n```bash\n$ go install github.com/bgp/stayrtr/cmd/stayrtr@latest\n```\n\nYou can use the Makefile (by default it will be compiled for Linux, add `GOOS=darwin` for Mac)\n\n```bash\n$ make build-stayrtr\n```\n\nThe compiled file will be in `/dist`.\n\nOr you can use a tarball file from the [Releases page](https://github.com/bgp/stayrtr/releases).\n\n## Run it\n\nOnce you have a binary:\n\n```bash\n$ ./stayrtr -tls.bind 127.0.0.1:8282\n```\n\n## Package it\n\nIf you want to package it (deb/rpm), you can use the pre-built docker-compose file.\n\n```bash\n$ docker-compose -f docker-compose-pkg.yml up\n```\n\nYou can find both files in the `dist/` directory.\n\n### Usage with a proxy\n\nThis was tested with a basic Squid proxy. The `User-Agent` header is passed\nin the CONNECT.\n\nYou have to export the following two variables in order for StayRTR to use the proxy.\n\n```\nexport HTTP_PROXY=schema://host:port\nexport HTTPS_PROXY=schema://host:port\n```\n\n### With SSL\n\nYou can run StayRTR and listen for TLS connections only (just pass `-bind \"\"`).\n\nFirst, you will have to create an SSL certificate.\n\n```bash\n$ openssl ecparam -genkey -name prime256v1 -noout -outform pem \u003e private.pem\n$ openssl req -new -x509 -key private.pem -out server.pem\n```\n\nThen, you have to run:\n\n```bash\n$ ./stayrtr -tls.bind :8282 -tls.key private.pem -tls.cert server.pem\n```\n\n### With SSH\n\nYou can run StayRTR and listen for SSH connections only (just pass `-bind \"\"`).\n\nYou will have to create an ECDSA key. 
You can use the following command:\n\n```bash\n$ openssl ecparam -genkey -name prime256v1 -noout -outform pem \u003e private.pem\n```\n\nThen you can start:\n\n```bash\n$ ./stayrtr -ssh.bind :8282 -ssh.key private.pem -bind \"\"\n```\n\nBy default, there is no authentication.\n\nYou can use password and key authentication:\n\nFor example, to configure user **rpki** and password **rpki**:\n\n```bash\n$ ./stayrtr -ssh.bind :8282 -ssh.key private.pem -ssh.method.password=true -ssh.auth.user rpki -ssh.auth.password rpki -bind \"\"\n```\n\nAnd to configure a bypass for every SSH key:\n\n```bash\n$ ./stayrtr -ssh.bind :8282 -ssh.key private.pem -ssh.method.key=true -ssh.auth.key.bypass=true -bind \"\"\n```\n\n## Configure filters and overrides (SLURM)\n\nStayRTR supports SLURM configuration files ([RFC8416](https://tools.ietf.org/html/rfc8416)).\n\nCreate a JSON file (`slurm.json`):\n\n```\n{\n    \"slurmVersion\": 1,\n    \"validationOutputFilters\": {\n     \"prefixFilters\": [\n       {\n        \"prefix\": \"10.0.0.0/8\",\n        \"comment\": \"Everything inside will be removed\"\n       },\n       {\n        \"asn\": 65001\n       },\n       {\n        \"asn\": 65002,\n        \"prefix\": \"192.168.0.0/24\"\n       }\n     ],\n     \"bgpsecFilters\": []\n    },\n    \"locallyAddedAssertions\": {\n     \"prefixAssertions\": [\n       {\n        \"asn\": 65001,\n        \"prefix\": \"2001:db8::/32\",\n        \"maxPrefixLength\": 48,\n        \"comment\": \"Manual add\"\n       }\n     ],\n     \"bgpsecAssertions\": [\n     ]\n    }\n  }\n```\n\nWhen starting StayRTR, add the `-slurm ./slurm.json` argument.\n\nThe log should display something similar to the following:\n\n```\nINFO[0001] Slurm filtering: 112214 kept, 159 removed, 1 asserted\nINFO[0002] New update (112215 uniques, 112215 total prefixes).\n```\n\nFor instance, if the original JSON fetched contains the VRP: `10.0.0.0/24-24 AS65001`,\nit will be removed.\n\nThe JSON exported by StayRTR will contain the 
overrides and the file can be signed again.\nOther StayRTR instances can be configured to fetch the VRPs from the filtering StayRTR:\nthe operator manages one SLURM file on a leader StayRTR.\n\n## Debug the content\n\nYou can check the content provided over RTR with the rtrdump tool:\n\n```bash\n$ ./rtrdump -connect 127.0.0.1:8282 -file debug.json\n```\n\nYou can also fetch the re-generated JSON from the `-export.path` endpoint (default: `http://localhost:9847/rpki.json`).\n\n## Monitoring rtr and JSON endpoints\n\nWith `rtrmon` you can monitor the difference between rtr and/or JSON endpoints.\nYou can use this to, for example, track that your StayRTR instance is still in\nsync with your RP instance. Or to track that multiple RP instances are in sync.\n\nIf your CA software has an endpoint that exposes objects in the standard JSON\nformat, you can even make sure that the objects that your CA software should\ngenerate actually are visible to RPs, to monitor the full cycle.\n\n```\n$ ./rtrmon \\\n  -primary.host tcp://rtr.rpki.cloudflare.com:8282 \\\n  -secondary.host https://console.rpki-client.org/rpki.json \\\n  -secondary.refresh 30s \\\n  -primary.refresh 30s\n```\n\nrtrmon has two endpoints:\n  * `/metrics`: for prometheus metrics\n  * `/diff.json` (default, can be overridden by the `-file` flag): for a JSON file containing the difference between sources\n\n### diff\n\nThe `diff.json` endpoint contains four keys.\n\n  * `metadata-primary`: configuration of the primary source\n  * `metadata-secondary`: configuration of the secondary source\n  * `only-primary`: objects in the primary source but not in the secondary source.\n  * `only-secondary`: objects in the secondary source but not in the primary source.\n\n### Metrics\nBy default the Prometheus endpoint is on `http://[host]:9866/metrics`.\nAmong others, this endpoint contains the following metrics:\n\n  * `rpki_vrps`: Current number of VRPs and current difference between the primary and secondary.\n  * `rtr_serial`: Serial 
of the rtr session (when applicable).\n  * `rtr_session`: Session ID of the RTR session.\n  * `rtr_state`: State of the rtr session (up/down).\n  * `update`: Timestamp of the last update.\n  * `vrp_diff`: The number of VRPs which were seen in `lhs` at least `visibility_seconds` ago not in `rhs`.\n\nUsing these metrics you can visualise or alert on, for example:\n\n  * Unexpected behaviour\n    * Did the number of VRPs drop more than 10% compared to the 24h average?\n  * Liveliness\n    * Is the RTR serial increasing?\n    * Is rtrmon still getting updates?\n  * Convergence\n    * Do both my RP instances see the same objects eventually?\n    * Are objects first visible in the JSON `difference` (e.g. 1706) seconds ago visible in RTR?\n\nWhen the objects are not converging, the `diff.json` endpoint may help while investigating the issues.\n\n### Data sources\n\nUse your own validator, as long as the JSON source follows the following schema:\n\n```\n{\n  \"roas\": [\n    {\n      \"prefix\": \"10.0.0.0/24\",\n      \"maxLength\": 24,\n      \"asn\": 65001\n    },\n    ...\n  ]\n}\n```\n\n* **Third-party JSON formatted VRP exports:**\n  * [console.rpki-client.org](https://console.rpki-client.org/rpki.json) (default, based on OpenBSD's `rpki-client`)\n  * [NTT](https://rpki.gin.ntt.net/api/export.json) (based on OpenBSD's `rpki-client`)\n\nBy default, the session ID will be randomly generated. 
The serial will start at zero.\n\nMake sure the refresh rate of StayRTR is more frequent than the refresh rate of the JSON.\n\n## Configurations\n\n### Compatibility matrix\n\nA simple comparison between software and devices.\nImplementations on versions may vary.\n\n| Device/software | Plaintext | TLS | SSH | Notes             |\n| --------------- | --------- | --- | --- | ----------------- |\n| RTRdump         | Yes       | Yes | Yes |                   |\n| RTRlib          | Yes       | No  | Yes | Only SSH key      |\n| Juniper         | Yes       | No  | No  |                   |\n| Cisco           | Yes       | No  | Yes | Only SSH password |\n| Nokia           | Yes       | No  | No  |                   |\n| Arista          | Yes       | No  | No  |                   |\n| FRRouting       | Yes       | No  | Yes | Only SSH key      |\n| Bird2           | Yes       | No  | Yes | Only SSH key      |\n| Quagga          | Yes       | No  | No  |                   |\n| OpenBGPD        | Yes       | No  | No  |                   |\n\n### Configure on Juniper\n\nConfigure a session to the RTR server (assuming it runs on `192.168.1.100:8282`)\n\n```\nlouis@router\u003e show configuration routing-options validation\ngroup TEST-RPKI {\n    session 192.168.1.100 {\n        port 8282;\n    }\n}\n```\n\nAdd policies to validate or invalidate prefixes\n\n```\nlouis@router\u003e show configuration policy-options policy-statement STATEMENT-EXAMPLE\nterm RPKI-TEST-VAL {\n    from {\n        protocol bgp;\n        validation-database valid;\n    }\n    then {\n        validation-state valid;\n        next term;\n    }\n}\nterm RPKI-TEST-INV {\n    from {\n        protocol bgp;\n        validation-database invalid;\n    }\n    then {\n        validation-state invalid;\n        reject;\n    }\n}\n```\n\nDisplay status of the session to the RTR server.\n\n```\nlouis@router\u003e show validation session 192.168.1.100 detail\nSession 192.168.1.100, State: up, Session index: 1\n  
Group: TEST-RPKI, Preference: 100\n  Port: 8282\n  Refresh time: 300s\n  Hold time: 600s\n  Record Life time: 3600s\n  Serial (Full Update): 1\n  Serial (Incremental Update): 1\n    Session flaps: 2\n    Session uptime: 00:25:07\n    Last PDU received: 00:04:50\n    IPv4 prefix count: 46478\n    IPv6 prefix count: 8216\n```\n\nShow content of the database (list the PDUs)\n\n```\nlouis@router\u003e show validation database brief\nRV database for instance master\n\nPrefix                 Origin-AS Session                                 State   Mismatch\n1.0.0.0/24-24              13335 192.168.1.100                           valid\n1.1.1.0/24-24              13335 192.168.1.100                           valid\n```\n\n### Configure on Cisco\n\nYou may want to use the option to do SSH-based connection.\n\nOn Cisco, you can have only one RTR server per IP.\n\nTo configure a session for `192.168.1.100:8282`:\nReplace `65001` by the configured ASN:\n\n```\nrouter bgp 65001\n rpki server 192.168.1.100\n  transport tcp port 8282\n !\n!\n```\n\nFor an SSH session, you will also have to configure\n`router bgp 65001 rpki server 192.168.1.100 password xxx`\nwhere `xxx` is the password.\nSome experimentations showed you have to configure\nthe username/password first, otherwise it will not accept the port.\n\n```\nrouter bgp 65001\n rpki server 192.168.1.100\n  username rpki\n  transport ssh port 8282\n !\n!\nssh client tcp-window-scale 14\nssh timeout 120\n```\n\nThe last two SSH statements solved an issue causing the\nconnection to break before receiving all the PDUs (TCP window full problem).\n\nTo visualize the state of the session:\n\n```\nRP/0/RP0/CPU0:ios#sh bgp rpki server 192.168.1.100\n\nRPKI Cache-Server 192.168.1.100\n  Transport: SSH port 8282\n  Connect state: ESTAB\n  Conn attempts: 1\n  Total byte RX: 1726892\n  Total byte TX: 452\n  Last reset\n    Timest: Apr 05 01:19:32 (04:26:58 ago)\n    Reason: protocol error\nSSH information\n  Username: rpki\n  Password: 
*****\n  SSH PID: 18576\nRPKI-RTR protocol information\n  Serial number: 15\n  Cache nonce: 0x0\n  Protocol state: DATA_END\n  Refresh  time: 600 seconds\n  Response time: 30 seconds\n  Purge time: 60 seconds\n  Protocol exchange\n    VRPs announced:  67358 IPv4   11754 IPv6\n    VRPs withdrawn:     80 IPv4      34 IPv6\n    Error Reports :      0 sent       0 rcvd\n  Last protocol error\n    Reason: response timeout\n    Detail: response timeout while in DATA_START state\n```\n\nTo visualize the accepted PDUs:\n\n```\nRP/0/RP0/CPU0:ios#sh bgp rpki table\n\n  Network               Maxlen          Origin-AS         Server\n  1.0.0.0/24            24              13335             192.168.1.100\n  1.1.1.0/24            24              13335             192.168.1.100\n```\n\n### Configure on Arista\n```\nrouter bgp \u003casn\u003e\n   rpki cache \u003cname\u003e\n      host \u003cipv4|ipv6|hostname\u003e [vrf \u003cvrfname\u003e] [port \u003c1-65535\u003e] # default port is 323\n      local-interface \u003cinterface\u003e\n      preference \u003c1-10\u003e                    # the lower the value, the more preferred\n                                           # default is 5\n      refresh-interval \u003c1-86400 seconds\u003e   # default is 3600\n      expire-interval \u003c600-172800 seconds\u003e # default is 7200\n      retry-interval \u003c1-7200 seconds\u003e      # default is 600\n```\nIf multiple caches are configured, the preference controls the priority.  \nCaches which are more preferred will be connected to first, if they are not reachable then connections will be attempted to less preferred caches.  
\nIf caches have the same preference value, they will all be connected to and the VRPs that are synced from them will be merged together.\n\nTo visualize the state of the session:\n\n```\nshow bgp rpki cache [\u003cname\u003e]\nshow bgp rpki cache counters [errors]\nshow bgp rpki roa summary\n```\n\nTo visualize the accepted PDUs:\n\n```\nshow bgp rpki roa (ipv4|ipv6) [prefix]\n```\n\n### Configure on Nokia SR OS\n\nConfigure a session to the RTR server (assuming it runs on `192.168.1.100:8282`):\n\n```\n[ex:/configure router \"Base\" origin-validation]\nA:grhankin@br1-nyc# info\n    rpki-session 192.168.1.100 {\n        admin-state enable\n        port 8282\n    }\n```\n\nAdd policies to validate or invalidate prefixes with an optional step of adding communities:\n\n```\n[ex:/configure policy-options]\nA:grhankin@er2-nyc# info\n    community \"VRP_INVALID_COMM\" {\n        member \"ext:4300:2\" { }\n    }\n    community \"VRP_NOT_FOUND_COMM\" {\n        member \"ext:4300:1\" { }\n    }\n    community \"VRP_VALID_COMM\" {\n        member \"ext:4300:0\" { }\n    }\n    policy-statement \"ORIGIN_POLICY\" {\n        entry 10 {\n            from {\n                origin-validation-state invalid\n            }\n            action {\n                action-type reject\n                community {\n                    add [\"VRP_INVALID_COMM\"]\n                }\n            }\n        }\n        entry 20 {\n            from {\n                origin-validation-state not-found\n            }\n            action {\n                action-type accept\n                local-preference 100\n                community {\n                   add [\"VRP_NOT_FOUND_COMM\"]\n                }\n            }\n        }\n        entry 30 {\n            from {\n                origin-validation-state valid\n            }\n            action {\n                action-type accept\n                local-preference 110\n                community {\n                    add 
[\"VRP_VALID_COMM\"]\n                }\n            }\n        }\n    }\n```\nDisplay status of the session to the RTR server:\n\n```\n[/]\nA:grhankin@br1-nyc# show router origin-validation rpki-session detail\n\n===============================================================================\nRPKI Session Information\n===============================================================================\nIP Address         : 192.168.1.100\n-------------------------------------------------------------------------------\nPort               : 8282               Oper State         : established\nUptime             : 0d 15:27:54        Flaps              : 38\nActive IPv4 Records: 324319             Active IPv6 Records: 67880\nAdmin State        : Up                 Local Address      : n/a\nHold Time          : 600                Refresh Time       : 300\nStale Route Time   : 3600               Connect Retry      : 120\nSerial ID          : 411                Session ID         : 15502\n===============================================================================\nNo. 
of Sessions    : 1\n===============================================================================\n```\n\nShow content of the database:\n\n```\n[/]\nA:grhankin@br1-nyc# show router origin-validation database summary\n===============================================================================\nStatic and Dynamic VRP Database Summary\n===============================================================================\nSource                                      IPv4 Entries      IPv6 Entries\nDescription\n-------------------------------------------------------------------------------\n192.168.1.100 [B]                           324319            67880\nStatic                                      0                 0\n===============================================================================\n```\n\n```\n[/]\nA:grhankin@br1-nyc# show router origin-validation database origin-as 38016\n===============================================================================\nStatic and Dynamic VRP Database Entries\n===============================================================================\nPrefix Range [Flags]                                            Origin AS\n   Session IP [Flags]\n-------------------------------------------------------------------------------\n124.252.0.0/16-16 [Dynamic]                                     38016\n    192.168.1.100 [B]\n124.252.255.0/24-24 [Dynamic]                                   38016\n    192.168.1.100 [B]\n135.92.55.0/24-24 [Dynamic]                                     38016\n    192.168.1.100 [B]\n2406:c800::/32-32 [Dynamic]                                     38016\n    192.168.1.100 [B]\n2406:c800:a1ca::/48-48 [Dynamic]                                38016\n    192.168.1.100 [B]\n2406:c800:e000::/48-48 [Dynamic]                                38016\n    192.168.1.100 [B]\n-------------------------------------------------------------------------------\nNo. 
of VRP Database Entries: 6\n-------------------------------------------------------------------------------\nFlags: B = Base instance session\n       M = Management instance session\n       Static-V = Static-Valid; Static-I = Static-Invalid\n===============================================================================\n```\n\n## License\n\nLicensed under the BSD 3-Clause License.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbgp%2Fstayrtr","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbgp%2Fstayrtr","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbgp%2Fstayrtr/lists"}