"""
$Id$
Pull RFC 3779 resources from a cert, attempt to mine routeviews (via
DNS, using the dnspython toolkit) for what the ROAs might look like
for the addresses found in the cert.
This doesn't handle IPv6, because neither, apparently, does the
routeviews DNS interface. Oh well.
NB: this is wild-assed guessing at best. Even if the routeviews data
were signed, which it is not, you have no particular reason to believe
it. Do not use output of this script in production. Sanity check.
Beware of dog. If you issue ROAs using this script and your wallpaper
peels, your cat explodes, or your children turn blue, it's your own
fault for using this script. You have been warned.
Copyright (C) 2009 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
"""
import sys, dns.resolver, rpki.x509
from rpki.ipaddrs import v4addr
from rpki.resource_set import roa_prefix_ipv4, resource_set_ipv4, resource_range_ipv4
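# Candidate ROA lines ("prefix<TAB>asn<TAB>filename"), de-duplicated across
# every certificate named on the command line.
roas = []

for filename in sys.argv[1:]:
    # IPv4 resources taken from the certificate's RFC 3779 extension.
    resources = rpki.x509.X509(Auto_file = filename).get_3779resources().v4

    # Look up the lowest address not yet accounted for, subtract whatever the
    # lookup covered, and repeat until the set is empty.
    while resources:
        start = resources[0].min

        # The routeviews zone is queried with the address labels reversed.
        labels = str(start).split(".")
        labels.reverse()

        try:
            for answer in dns.resolver.query(".".join(labels) + ".asn.routeviews.org", "txt"):
                # The TXT data is unauthenticated, so check its shape before
                # unpacking; a record without exactly three strings is
                # reported and skipped instead of raising ValueError and
                # discarding every result collected so far.
                if len(answer.strings) != 3:
                    sys.stderr.write("Skipping malformed routeviews TXT record for %s (%s)\n" % (start, filename))
                    continue
                asn, prefix, prefixlen = answer.strings
                roa_prefix = roa_prefix_ipv4(v4addr(prefix), long(prefixlen))
                roa = "%s\t%s\t%s" % (roa_prefix, long(asn), filename)
                if roa not in roas:
                    roas.append(roa)
                resources = resources.difference(resource_set_ipv4([roa_prefix.to_resource_range()]))

        except dns.resolver.NXDOMAIN:
            # No routeviews entry for this address: step past it and carry on.
            # Only NXDOMAIN is caught; any other resolver error (a timeout,
            # for example) still aborts the run.
            resources = resources.difference(resource_set_ipv4([resource_range_ipv4(resources[0].min, v4addr(resources[0].min + 256))]))

        # Progress guard. If the answers did not cover the address that was
        # queried (no usable record, or a returned prefix that lies elsewhere),
        # the set is unchanged and the same query would be repeated forever.
        # Step past the address exactly as the NXDOMAIN branch does.
        # NOTE(review): start + 256 is not bounds-checked near the top of the
        # IPv4 space; the original NXDOMAIN branch has the same property.
        if resources and resources[0].min == start:
            resources = resources.difference(resource_set_ipv4([resource_range_ipv4(start, v4addr(start + 256))]))

roas.sort()

# One tab-separated candidate per line. These are guesses derived from
# unsigned DNS data and need manual review before any ROA is issued.
for roa in roas:
    print(roa)  # single-argument form; same output under the Python 2 print statement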