rov-check

What is rov-check?

rov-check is a simple tool to check whether your network is protected by RPKI Route Origin Validation (ROV). It is currently under development and will be expanded with additional features in the future.

rov-check is developed by the Japan Network Information Center (JPNIC) and provided for the project commissioned by the Ministry of Internal Affairs and Communications of Japan (FY2024 Survey on the Introduction and Promotion of Network Security Technologies in ISPs). This project is carried out by JPNIC in collaboration with NTT Communications and Mitsubishi Research Institute.

Please check our Terms of Use before using rov-check.

Start rov-check test

By pressing the button below, you can start the rov-check test and it will automatically show you if your network is protected by ROV and send the results and other information to our server. The automated test may take up to 30 seconds.

How to use rov-check

You can just press the button above to use rov-check. You also can use your local terminal or BGP router to perform the rov-check test.

Prefix Name	Prefix	IP Address/URL
Valid Prefix	202.1.212.0/24 2407:9900::/36	202.1.212.1 https://v4.valid.rov-check.nic.ad.jp/ 2407:9900::1 https://v6.valid.rov-check.nic.ad.jp/
Invalid Prefix	202.1.213.0/24 2407:9900:1000::/36	202.1.213.1 https://v4.invalid.rov-check.nic.ad.jp/ 2407:9900:1000::1 https://v6.invalid.rov-check.nic.ad.jp/
NotFound Prefix	202.1.214.0/24 2407:9900:2000::/36	202.1.214.1 https://v4.notfound.rov-check.nic.ad.jp/ 2407:9900:2000::1 https://v6.notfound.rov-check.nic.ad.jp/

Prefix Name

Prefix

IP Address/URL

Valid Prefix

202.1.212.0/24

2407:9900::/36

202.1.212.1
https://v4.valid.rov-check.nic.ad.jp/

2407:9900::1
https://v6.valid.rov-check.nic.ad.jp/

Invalid Prefix

202.1.213.0/24

2407:9900:1000::/36

202.1.213.1
https://v4.invalid.rov-check.nic.ad.jp/

2407:9900:1000::1
https://v6.invalid.rov-check.nic.ad.jp/

NotFound Prefix

202.1.214.0/24

2407:9900:2000::/36

202.1.214.1
https://v4.notfound.rov-check.nic.ad.jp/

2407:9900:2000::1
https://v6.notfound.rov-check.nic.ad.jp/

Method 1 - Web HTTPS

Send GET requests to the "URL" in the table above using your Web browser or cURL command (e.g., curl https://v4.valid.rov-check.nic.ad.jp/). If only the Invalid Prefix does not respond, your network is protected by RPKI ROV (*1). If all three prefixes respond, your network is not protected by RPKI ROV (*2). Other results indicate a judgement error.

Method 2 - ICMP

Send ICMP Echo Requests to the "IP Address" in the table above (e.g., ping 202.1.212.1). If only the Invalid Prefix does not respond, your network is protected by RPKI ROV (*1). If all three prefixes respond, your network is not protected by RPKI ROV (*2). Other results indicate a judgment error.

Method 3 - Routing Table (For AS Operators)

Check your BGP router's FIB for the "Prefix" in the table above (e.g., show ip bgp 202.1.212.0/24). If only the Invalid Prefix is missing from the routing table, your network is protected by RPKI ROV (*1). If all three prefixes are present, your network is not protected by RPKI ROV (*2). Other results indicate a judgment error.

(*1): rov-check result can be affected by ROV implementation statuses or route filters by on-path peer/transit AS. rov-check result is based on the reachability from JPNIC AS. Even if you get "Protected by ROV" result, you are not protected when ROV is not implemented for a specific peer/transit route.

(*2): rov-check result can be affected by ROV implementation statuses or route filters by on-path peer/transit AS. rov-check result is based on the reachability from JPNIC AS. Even if you get "Not Protected by ROV" result, you can be protected when ROV is implemented for a specific peer/transit route.

Glossary

See the following links for details: BGP / RPKI / ROA / ROV.

Invalid Routes

In rov-check, the combination of Prefix and Origin AS recorded in the RPKI ROA is considered valid routing information. Any different combinations advertised in BGP are referred to as "invalid routes."

This definition includes not only intentionally hijacked routes but also cases where an unintended ROA was mistakenly created, resulting the route being advertised in BGP to be invalid.

Technical Details

JPNIC operates rov-check using AS131971. This AS advertises multiple routes, including the prefixes listed in "How to use rov-check." A ROA is created for the Valid Prefix, designating AS131971 as the Origin AS, making it Valid under ROV. A ROA for the Invalid Prefix designates AS2515 as the Origin AS, making it Invalid under ROV. No ROA is created for the NotFound Prefix, making it NotFound under ROV.

When you hit "Start rov-check", your browser sends requests to 6 Web servers in each prefixes over IPv4/IPv6. Based on if each requests could receive a response, the rov-check shows you the results like "proteted" or "not protected".

Upon this logic, even if your AS is implementing ROV but not dropping Invalid routes, the rov-check shows you "not protected". Likewise, even if your AS is not implementing ROV at all but all the transits and peers are dropping Invalid routes, the rov-check shows you "protected".

We focus on if you are truly "protected" from Invalid routes, not just if your AS is implementing ROV or not.

The neighboring peers of AS131971 has notified about this research and our intention to advertise invalid routes and asked to advertise these routes on prior consultation and agreement.

You can learn about our connectivity from the Websites like:

PeeringDB

bgp.tools

Hurricane Electric BGP Toolkit

Contact Information

For inquiries, feedback, or comments about rov-check, please contact pj.da.cin@ofni-hcra (JPNIC R&D).