anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(rpki): ripestat validator + sqlite cache

Browse Source 
RipeStatValidator makes two RIPE STAT calls per uncached IP:
network-info -> announced prefix, rpki-validation -> ROA state.
2-second timeout; any network failure returns status='unknown'.

SQLite cache keyed by IP, 12-hour TTL, pruned on validator init.
Cache avoids per-event HTTP for the high-churn attacker pool —
steady-state cost approaches zero for repeat offenders.
This commit is contained in:
anti
2026-05-21 16:13:01 -04:00
parent 1a11287f76
commit b799ade816
4 changed files with 336 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
decnet/rpki/cache.py Normal file
View File

@@ -0,0 +1,73 @@
"""SQLite-backed RPKI result cache.
Schema: ``(ip, asn) -> (rpki_status, rpki_prefix, fetched_at)``.
Key is ``ip`` only — for a given IP the announcing ASN is stable
within the cache TTL, and ASN-change events are rare enough that
letting the entry expire naturally is sufficient.
TTL: 12 hours. On :func:`open_db` the caller should call
:func:`prune` once to evict stale rows.
"""
from __future__ import annotations
import sqlite3
import time
from pathlib import Path
from typing import Optional, Tuple
TTL_S = 43_200 # 12 hours
_CREATE = """
CREATE TABLE IF NOT EXISTS rpki_cache (
ip TEXT NOT NULL PRIMARY KEY,
asn INTEGER NOT NULL,
rpki_status TEXT NOT NULL,
rpki_prefix TEXT,
fetched_at REAL NOT NULL
)
"""
def open_db(path: Path) -> sqlite3.Connection:
"""Open (or create) the cache database at *path* and return the connection."""
con = sqlite3.connect(str(path), check_same_thread=False, timeout=5)
con.execute(_CREATE)
con.commit()
return con
def get(con: sqlite3.Connection, ip: str) -> Optional[Tuple[str, Optional[str]]]:
"""Return ``(rpki_status, rpki_prefix)`` if a fresh entry exists, else ``None``."""
row = con.execute(
"SELECT rpki_status, rpki_prefix, fetched_at FROM rpki_cache WHERE ip = ?",
(ip,),
).fetchone()
if row is None:
return None
if time.time() - row[2] > TTL_S:
return None
return (row[0], row[1])
def put(
con: sqlite3.Connection,
ip: str,
asn: int,
status: str,
prefix: Optional[str],
) -> None:
"""Insert or replace a cache entry."""
con.execute(
"INSERT OR REPLACE INTO rpki_cache "
"(ip, asn, rpki_status, rpki_prefix, fetched_at) VALUES (?, ?, ?, ?, ?)",
(ip, asn, status, prefix, time.time()),
)
con.commit()
def prune(con: sqlite3.Connection) -> int:
"""Delete all entries older than :data:`TTL_S`. Returns the count deleted."""
cutoff = time.time() - TTL_S
cur = con.execute("DELETE FROM rpki_cache WHERE fetched_at < ?", (cutoff,))
con.commit()
return cur.rowcount

79
decnet/rpki/ripestat/validator.py
View File

@@ -3,18 +3,87 @@
Resolves the most-specific announced prefix covering ``ip`` via the
RIPE STAT ``network-info`` endpoint, then validates ``(asn, prefix)``
via ``rpki-validation``. Results are cached in a SQLite database under
:data:`~decnet.rpki.paths.RPKI_ROOT` to avoid per-event network calls.
:data:`~decnet.rpki.paths.RPKI_ROOT`.
HTTP is wired in the next commit; this skeleton returns ``unknown``
unconditionally so the rest of the pipeline compiles and tests pass.
Two HTTP calls per uncached IP (``network-info`` + ``rpki-validation``),
each with a 2-second timeout. Any network failure collapses to
``status="unknown"`` — the caller upserts the attacker row regardless.
"""
from __future__ import annotations
from decnet.rpki.base import RpkiResult, Validator
import json
import logging
import sqlite3
import urllib.request
from datetime import datetime, timezone
from typing import Optional
from decnet.rpki import cache as _cache
from decnet.rpki.base import RpkiResult, RpkiStatus, Validator
from decnet.rpki.paths import ensure_root
logger = logging.getLogger("decnet.rpki.ripestat")
_TIMEOUT_S = 2
_STAT_BASE = "https://stat.ripe.net/data"
_UA = "Mozilla/5.0 (compatible; fetch/1.0)"
class RipeStatValidator(Validator):
name = "ripestat"
def __init__(self) -> None:
db_path = ensure_root() / "cache.db"
self._con: sqlite3.Connection = _cache.open_db(db_path)
_cache.prune(self._con)
def validate(self, ip: str, asn: int) -> RpkiResult:
return RpkiResult(status="unknown")
cached = _cache.get(self._con, ip)
if cached is not None:
status, prefix = cached
return RpkiResult(status=status, prefix=prefix) # type: ignore[arg-type]
try:
prefix = self._network_info(ip)
if prefix is None:
return self._store(ip, asn, "not-found", None)
status = self._rpki_validation(asn, prefix)
return self._store(ip, asn, status, prefix)
except Exception as exc:
logger.debug("rpki.ripestat: lookup failed for %s / AS%s: %s", ip, asn, exc)
return RpkiResult(status="unknown")
# ---------- internal ----------
def _network_info(self, ip: str) -> Optional[str]:
"""Return the most-specific announced prefix containing *ip*, or None."""
data = self._fetch(f"{_STAT_BASE}/network-info/data.json?resource={ip}")
return data.get("data", {}).get("prefix") or None
def _rpki_validation(self, asn: int, prefix: str) -> RpkiStatus:
"""Return RPKI state for (asn, prefix)."""
data = self._fetch(
f"{_STAT_BASE}/rpki-validation/data.json?resource={asn}&prefix={prefix}"
)
raw = data.get("data", {}).get("status", "unknown")
if raw in ("valid", "invalid", "not-found"):
return raw
return "unknown"
def _fetch(self, url: str) -> dict:
req = urllib.request.Request(url, headers={"User-Agent": _UA})
with urllib.request.urlopen(req, timeout=_TIMEOUT_S) as resp: # nosec B310 — HTTPS RIPE STAT base URL only; IP/ASN components are validated upstream
return json.loads(resp.read())
def _store(
self, ip: str, asn: int, status: str, prefix: Optional[str]
) -> RpkiResult:
try:
_cache.put(self._con, ip, asn, status, prefix)
except Exception as exc:
logger.debug("rpki.ripestat: cache write failed: %s", exc)
return RpkiResult(
status=status, # type: ignore[arg-type]
prefix=prefix,
validated_at=datetime.now(timezone.utc),
)