Automated monitoring and recovery system for RPKI sessions between Huawei routers and Routinator validators
HuaweiRPKICheck is a production-grade monitoring solution that ensures the reliability of RPKI (Resource Public Key Infrastructure) sessions between Huawei routers and Routinator validators. It provides automatic detection and recovery of problematic sessions, comprehensive logging, and real-time alerting capabilities.
- 🚀 Zero Downtime - Automatic recovery keeps RPKI validation running 24/7
- 🔒 Enterprise Security - Fernet symmetric encryption for credentials
- 📊 Real-time Monitoring - Instant detection of session issues
- 🤖 Self-Healing - Automatic recovery from common failures
- 📈 Comprehensive Logging - Full audit trail for compliance
```bash
# Clone the repository
cd /opt
git clone https://github.com/paolokappa/HuaweiRPKICheck.git
cd HuaweiRPKICheck
# Install dependencies
pip3 install -r requirements.txt
# Configure your settings
cp HuaweiRPKICheck.conf.example HuaweiRPKICheck.conf
nano HuaweiRPKICheck.conf
# Encrypt credentials
python3 HuaweiRPKI_credgen.py
# Set up automated monitoring
crontab -e
# Add: */5 * * * * /usr/bin/python3 /opt/HuaweiRPKICheck/HuaweiRPKICheck.py
```

```bash
# Test connectivity
python3 HuaweiRPKICheck.py --test
# Run with verbose output
python3 HuaweiRPKICheck.py --test --verbose
# Start continuous monitoring
python3 scripts/monitor_routinator_complete.py
```

```mermaid
graph TB
    A[Huawei Router] -->|SSH| B[HuaweiRPKICheck]
    B -->|RTR Protocol| C[Routinator]
    B -->|SMTP| D[Alert System]
    B -->|Logs| E[Monitoring Dashboard]
    style A fill:#ff6b6b
    style B fill:#4ecdc4
    style C fill:#45b7d1
    style D fill:#f7dc6f
    style E fill:#bb8fce
```
```
HuaweiRPKICheck/
│
├── 📂 src/ # Core application
│ └── HuaweiRPKICheck.py # Main monitoring engine
│
├── 📂 scripts/ # Utility scripts
│ ├── monitor_routinator_complete.py
│ ├── test_rtr_connection.py
│ └── analyze_routinator_tuning.sh
│
├── 📂 config/ # Configuration
│ ├── HuaweiRPKICheck.conf # Encrypted config
│ └── *.example # Templates
│
├── 📂 docs/ # Documentation
│ ├── TROUBLESHOOTING.md # Problem solving
│ ├── CLAUDE.md # AI instructions
│ └── SECURITY.md # Security guide
│
└── 📂 tests/ # Test suite
```

| Feature | Description | Status |
|---|---|---|
| 🔐 Credential Encryption | Fernet symmetric encryption for all secrets | ✅ Active |
| 🔑 Key Management | Secure key generation and storage | ✅ Active |
| 🚫 No Plaintext | Zero plaintext credentials in code or config | ✅ Enforced |
| 📝 Audit Logging | Complete audit trail of all operations | ✅ Active |
| 🛡️ Access Control | File permission enforcement (600) | ✅ Active |
| Metric | Value | Target |
|---|---|---|
| 🎯 Detection Time | < 30 seconds | ✅ 1 minute |
| ⚡ Recovery Time | < 3 minutes | ✅ 5 minutes |
| 📊 Uptime | 99.9% | ✅ 99% |
| 🔄 Check Frequency | 5 minutes | ✅ 10 minutes |
| 💾 Memory Usage | < 50MB | ✅ 100MB |
We identified and fixed a critical issue with the RTR protocol packet format that was causing session disconnections:
```python
import struct

# ❌ OLD (Incorrect) - Caused "invalid length" errors
struct.pack('!BBHHI', 1, 2, 0, 0, 8)  # 10 bytes, extra 16-bit field shifts the length - WRONG!
# ✅ NEW (Correct) - Proper RTR format
struct.pack('!BBHI', 1, 2, 0, 8)      # 8 bytes - CORRECT!
```

Impact: This fix resolved sessions getting stuck in "Negotiation" state with Routinator validators.
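An added example (not the project's code) that builds both packings from the snippet above and checks them the way a strict RTR receiver might. The function names are hypothetical; the extra 16-bit field makes the old packet 10 bytes long and shifts the length field, so the receiver reads a declared length of 0.

```python
import struct

RTR_HEADER = struct.Struct("!BBHI")  # version, PDU type, session ID/zero, length
RESET_QUERY = 2                      # PDU type used in the snippet above


def build_reset_query(version=1):
    """Header-only PDU, so the length field equals the header size (8)."""
    return RTR_HEADER.pack(version, RESET_QUERY, 0, RTR_HEADER.size)


def build_legacy_query():
    """The pre-fix packing, kept only to show what a receiver sees."""
    return struct.pack("!BBHHI", 1, RESET_QUERY, 0, 0, 8)


def check_pdu(data):
    """Validate one PDU header as a strict receiver would.

    Returns (ok, reason, declared_length).
    """
    if len(data) < RTR_HEADER.size:
        return False, "short header", None
    _version, pdu_type, _zero, length = RTR_HEADER.unpack_from(data)
    if length < RTR_HEADER.size:
        return False, "invalid length", length
    if pdu_type == RESET_QUERY and length != RTR_HEADER.size:
        return False, "invalid length", length
    if len(data) < length:
        return False, "truncated PDU", length
    return True, "ok", length


if __name__ == "__main__":
    for name, pkt in (("fixed", build_reset_query()),
                      ("legacy", build_legacy_query())):
        print(name, len(pkt), pkt.hex(), check_pdu(pkt))
```

A check like this fits in a unit test so that a change to the format string cannot silently alter the bytes sent to the validator.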

```mermaid
stateDiagram-v2
    [*] --> Idle
    Idle --> Negotiation: Connection Init
    Negotiation --> Established: Handshake OK
    Negotiation --> Idle: Timeout (3min)
    Established --> Syn: Resync
    Syn --> Established: Sync Complete
    Established --> Idle: Connection Lost
    Idle --> [*]: Reset
```

```bash
export RPKI_CHECK_INTERVAL=300 # Check interval in seconds
export RPKI_LOG_LEVEL=INFO # Logging verbosity
export [email protected]
export RPKI_MAX_RETRIES=3
```

```python
# Timeouts (in minutes)
NEGOTIATION_TIMEOUT = 3 # Max time in negotiation state
ESTABLISHED_STUCK = 30 # Max time without records
SYN_TIMEOUT = 2 # Max time in sync state
# Retry Configuration
MAX_RETRIES = 3 # Connection attempts
BACKOFF_MULTIPLIER = 5 # Exponential backoff
```

```
╔════════════════════════════════════════════════════════════╗
║ RPKI Session Monitor ║
╠════════════════════════════════════════════════════════════╣
║ Total Sessions : 2 ║
║ Established : 2 ✅ ║
║ Idle : 0 ║
║ Negotiating : 0 ║
║ Need Reset : 0 ║
╠════════════════════════════════════════════════════════════╣
║ Health Status : HEALTHY ✅ ║
╚════════════════════════════════════════════════════════════╝
Session Details:
┌─────────────────────┬──────────────┬─────────────┬──────────┐
│ Validator │ State │ IPv4 Records│ Age │
├─────────────────────┼──────────────┼─────────────┼──────────┤
│ routinator1.example │ Established │ 588,576 │ 1h 23m │
│ routinator2.example │ Established │ 588,552 │ 2d 14h │
└─────────────────────┴──────────────┴─────────────┴──────────┘
```
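
How the state diagram and the timeout values above can turn into a reset decision, as an added example that is not the project's own code. The `Session` record, the function names, the use of `>=` for the thresholds and the reading of `ESTABLISHED_STUCK` as "Established with zero records" are assumptions; the sample sessions are constructed.

```python
from dataclasses import dataclass

# Thresholds in minutes, taken from the configuration shown above.
NEGOTIATION_TIMEOUT = 3
ESTABLISHED_STUCK = 30
SYN_TIMEOUT = 2


@dataclass
class Session:  # hypothetical record type, not the project's own
    validator: str
    state: str  # "Idle", "Negotiation", "Established" or "Syn"
    minutes_in_state: int
    ipv4_records: int = 0


def reset_reason(s):
    """Return why a session should be reset, or None if it looks healthy."""
    if s.state == "Negotiation" and s.minutes_in_state >= NEGOTIATION_TIMEOUT:
        return "stuck in negotiation"
    if s.state == "Syn" and s.minutes_in_state >= SYN_TIMEOUT:
        return "stuck in sync"
    if (s.state == "Established" and s.ipv4_records == 0
            and s.minutes_in_state >= ESTABLISHED_STUCK):
        return "established without records"
    return None


def summarize(sessions):
    """Build the counters shown in the dashboard plus the reset list."""
    resets = {s.validator: r for s in sessions if (r := reset_reason(s))}
    return {
        "total": len(sessions),
        "established": sum(s.state == "Established" for s in sessions),
        "idle": sum(s.state == "Idle" for s in sessions),
        "negotiating": sum(s.state == "Negotiation" for s in sessions),
        "need_reset": resets,
    }


# Constructed sample data; validator names follow the dashboard above.
SAMPLE = [
    Session("routinator1.example", "Established", 83, 588576),
    Session("routinator2.example", "Negotiation", 4),
    Session("routinator3.example", "Established", 45, 0),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An Established session that holds no records is flagged separately from a negotiation failure because the router reports the session as up while it has no ROA data to validate against.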

```bash
# Test RTR connectivity
python3 scripts/test_rtr_connection.py
# Debug authentication
python3 scripts/debug_auth.py
# Analyze parsing
python3 scripts/debug_parsing.py
# Check Routinator tuning
./scripts/analyze_routinator_tuning.sh
```

| Issue | Cause | Solution |
|---|---|---|
| 🔴 Stuck in Negotiation | RTR packet format error | Update to v3.1.0 |
| 🟡 No Sessions Retrieved | SSH connection issue | Check credentials |
| 🟠 RTR Connection Failed | Firewall/Port issue | Verify port 3323 |
| 🔵 High Memory Usage | Too many retries | Adjust timeout values |
| Document | Description |
|---|---|
| 📘 Installation Guide | Complete setup instructions |
| 📙 Troubleshooting | Problem resolution guide |
| 📗 API Reference | Developer documentation |
| 📕 Security Guide | Security best practices |
| 📓 Change Log | Version history |
We welcome contributions! Please see our Contributing Guidelines.
```bash
# Fork and clone
git clone https://github.com/YOUR_USERNAME/HuaweiRPKICheck.git
# Create feature branch
git checkout -b feature/amazing-feature
# Make changes and test
python3 -m pytest tests/
# Commit with conventional commits
git commit -m "feat: add amazing feature"
# Push and create PR
git push origin feature/amazing-feature
```

This project is licensed under the MIT License - see the LICENSE file for details.
Paolo Caparrelli
GOLINE SA
Via Croce Campagna, 2 - 6855 Stabio - Switzerland
| Organization | Contribution |
|---|---|
| GOLINE SA | Development and maintenance |
| Huawei | Router platform and RPKI implementation |
| NLnet Labs | Routinator RPKI validator |
| Python Community | Paramiko and Cryptography libraries |
| Open Source Community | Testing and feedback |
If this project helps you, please consider giving it a ⭐️
Made with ❤️ by GOLINE SA for Network Engineers
© 2024-2025 GOLINE SA - Switzerland
- ✨ Outlook-compatible HTML email templates
- 🎨 Professional corporate-friendly design
- 📱 Mobile responsive email layout
- 🔒 Enhanced security with inline styles
- 📊 Improved status reporting tables
- 🔧 Combined v2.0 email functionality with v3.1 improvements
- ⚡ Fixed cron exit codes
- 🚀 Reduced negotiation timeout to 3 minutes
- 📧 Working email system to [email protected]
- 🐛 Fixed RTR protocol packet format
- ⏱️ Enhanced timeout management
- 🔄 Improved session recovery logic
- 📧 Added email notification system
- 🛡️ Improved error handling
- 📊 Enhanced logging capabilities