
RPKI boefje doesn't return the expected "KAT-INVALID-RPKI" finding

Open · dekkers opened this issue 1 year ago · 1 comment

We have a bug in the RPKI boefje. Is it possible to use the deliberate known 'bad' IP space in our unit tests? The following subnet is marked as 'invalid': 209.24.0.0/24 as shown on: https://bgp.he.net/net/209.24.0.0/24.

Other IPs that can be used are shown on this site: https://nlnog.net/tools/rpki-mapper/. The prefixes listed are:

  • 209.24.0.0/24: ROA Signed and Invalid; IRR Match - Parent entry found
  • 209.24.1.0/24: ROA Signed and Valid; IRR Match - Parent Entry Found
  • 194.32.71.0/24: ROA Signed and Invalid; IRR Valid

When checking against a known 'invalid' IP address OpenKAT doesn't return the expected "KAT-INVALID-RPKI" finding. Below are the snippets from the raw file for this IP.

{"vrps_records": [{"prefix": "209.24.0.0/24", "expires": "2024-02-20T21:00", "ta": "arin"}], "notexpired": true, "exists": true}
{"id": "5eef5d00-435f-4d95-9822-17507c6444a3", "boefje_meta": {"id": "fc6c0804-8466-4115-822c-1c18d9d85b85", "started_at": "2024-02-19T10:44:26.334369Z", "ended_at": "2024-02-19T10:44:28.350640Z", "boefje": {"id": "rpki", "version": null}, "input_ooi": "IPAddressV4|internet|209.24.0.0", "arguments": {"input": {"object_type": "IPAddressV4", "scan_profile": "scan_profile_type='declared' reference=Reference('IPAddressV4|internet|209.24.0.0') level=<ScanLevel.L1: 1>", "primary_key": "IPAddressV4|internet|209.24.0.0", "address": "209.24.0.0", "network": {"name": "internet"}, "netblock": "None"}}, "organization": "ee", "runnable_hash": "1a03da7f91ba020c7ae223e8991fd3d444769ce2ff6ea9ec2590b3cc027fd584", "environment": {}}, "mime_types": [{"value": "boefje/rpki"}], "secure_hash": "sha512:37317ffb3b7f5917e8cbecfa9a97cc871f7c4098837c8d9d2f5c6bb66d3807b92afafd2ab9db7ae18c129786a2889817f8142e9c7c42a15427708906f461242e", "signing_provider_url": null, "hash_retrieval_link": "bd895b44-29a1-4e0a-92ee-4a1f6cfacb5e"}
{"id": "7632550f-9c0c-492c-978f-3446450dfeb6", "boefje_meta": {"id": "fc6c0804-8466-4115-822c-1c18d9d85b85", "started_at": "2024-02-19T10:44:26.334369Z", "ended_at": "2024-02-19T10:44:28.350640Z", "boefje": {"id": "rpki", "version": null}, "input_ooi": "IPAddressV4|internet|209.24.0.0", "arguments": {"input": {"object_type": "IPAddressV4", "scan_profile": "scan_profile_type='declared' reference=Reference('IPAddressV4|internet|209.24.0.0') level=<ScanLevel.L1: 1>", "primary_key": "IPAddressV4|internet|209.24.0.0", "address": "209.24.0.0", "network": {"name": "internet"}, "netblock": "None"}}, "organization": "ee", "runnable_hash": "1a03da7f91ba020c7ae223e8991fd3d444769ce2ff6ea9ec2590b3cc027fd584", "environment": {}}, "mime_types": [{"value": "p"}, {"value": "e"}, {"value": "/"}, {"value": "c"}, {"value": "m"}, {"value": "h"}, {"value": "t"}, {"value": "i"}, {"value": "boefje/rpki"}, {"value": "a"}, {"value": "-"}, {"value": "r"}, {"value": "k"}], "secure_hash": "sha512:b4fb721835aad5a5ba111e03e035e844c83ad56d5a6104f577dd04d1eb8d9f385a11f847212d744ef7734397d0da4064081bbe3d9c7480b914328cc39280a831", "signing_provider_url": null, "hash_retrieval_link": "6ef7eef4-64de-4f21-9a0b-e9d1d09dc753"}

Originally posted by @stephanie0x00 in https://github.com/minvws/nl-kat-coordination/issues/2511#issuecomment-1952201274

dekkers · Feb 20 '24 10:02

First things first. Our current RPKI Boefje only checks if there is an RPKI record and if it has not expired. This test does not check if there are any announced routes available that are unsigned or are signed using invalid keys.

There is another required Boefje to see if (from your vantage point) you are seeing routes to the target host being hijacked. This Boefje could check a few things:

  • A, are my upstream connections blocking traffic if a signing key is invalid? https://rpkitest.nlnetlabs.net/ A simple ping to 77.162.48.82 and 2a02:a445:fb2f:1:222d:342d:9ffe:9d7f should tell you if this is the case.
  • B, for my own assets, given enough vantage points (e.g., remote boefjes), are we seeing any upstream providers signal invalid RPKI records? E.g., is someone else trying to announce our netblocks?

underdarknl · Feb 20 '24 11:02
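The two comments above describe a gap between what the current boefje does (does a VRP for the address exist, and has it expired?) and what route origin validation actually decides (does the announced route's origin AS match a covering, unexpired VRP within its max length?). The following is an added example, not OpenKAT's own code: it puts both checks side by side over a constructed VRP list so it is clear why the "exists and not expired" check can never produce an "invalid" state. The prefixes are the ones named in the issue, but the origin ASNs (64496, 64511) are documentation ASNs from RFC 5398 and are not the real holders of those prefixes; the `max_length`/`asn` fields, the route tuples and the `boefje_style_check` function are assumptions used for illustration.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample VRPs. The shape mirrors the boefje's raw output in the
# issue (prefix / expires / ta) plus the two fields ROV needs: asn and
# max_length. ASNs are RFC 5398 documentation ASNs, not the real holders.
SAMPLE_VRPS = [
    {"prefix": "209.24.0.0/24", "asn": 64496, "max_length": 24,
     "expires": "2024-02-20T21:00", "ta": "arin"},
    {"prefix": "194.32.71.0/24", "asn": 64496, "max_length": 24,
     "expires": "2024-02-20T21:00", "ta": "ripe"},
]

# Fixed reference time so results are reproducible; matches started_at in the issue.
NOW = "2024-02-19T10:44"


def _as_datetime(value):
    """Accept either a datetime or an ISO 8601 string like the boefje output uses."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def _unexpired(vrps, now):
    now = _as_datetime(now)
    return [v for v in vrps if datetime.fromisoformat(v["expires"]) > now]


def boefje_style_check(vrps, address, now=NOW):
    """Approximation of what the issue says the current boefje does: report
    whether any VRP covers the address and whether those VRPs have not expired.
    No origin AS is consulted, so this can only ever say exists / not expired."""
    ip = ip_address(address)
    covering = [v for v in vrps if ip in ip_network(v["prefix"])]
    return {
        "vrps_records": covering,
        "exists": bool(covering),
        "notexpired": bool(covering) and len(_unexpired(covering, now)) == len(covering),
    }


def route_origin_validation(vrps, route_prefix, origin_as, now=NOW):
    """RFC 6811 route origin validation for one announced route.

    Returns 'not-found' when no unexpired VRP covers the route, 'valid' when a
    covering VRP has the same origin AS and the route is no more specific than
    its max_length, and 'invalid' otherwise (wrong AS or too-specific prefix)."""
    route = ip_network(route_prefix)
    covering = []
    for v in _unexpired(vrps, now):
        net = ip_network(v["prefix"])
        if net.version == route.version and route.subnet_of(net):
            covering.append(v)
    if not covering:
        return "not-found"
    for v in covering:
        if v["asn"] == origin_as and route.prefixlen <= v["max_length"]:
            return "valid"
    return "invalid"


def rpki_finding(vrps, route_prefix, origin_as, now=NOW):
    """Map the ROV state to the finding type the issue expects (None if no finding)."""
    state = route_origin_validation(vrps, route_prefix, origin_as, now)
    return "KAT-INVALID-RPKI" if state == "invalid" else None


if __name__ == "__main__":
    # Constructed announcements as a vantage point might see them: the first is
    # the legitimate origin, the second is a different AS announcing the prefix,
    # the third is a more-specific announcement beyond the ROA's max length.
    sample_routes = [("209.24.0.0/24", 64496), ("209.24.0.0/24", 64511),
                     ("209.24.0.0/25", 64496), ("209.24.1.0/24", 64496)]
    print("boefje-style:", boefje_style_check(SAMPLE_VRPS, "209.24.0.0"))
    for prefix, asn in sample_routes:
        print(prefix, asn, route_origin_validation(SAMPLE_VRPS, prefix, asn),
              rpki_finding(SAMPLE_VRPS, prefix, asn))
```

The point the example makes concrete: for 209.24.0.0 the boefje-style check reports `exists: True, notexpired: True`, exactly as in the raw output in the issue, while ROV over the same VRP list returns "invalid" for an announcement from a different origin AS or a more-specific prefix. A finding of type KAT-INVALID-RPKI therefore needs announced routes (prefix plus origin AS, from some vantage point) as input, not just the VRP lookup. Expired VRPs are treated as absent, so an expired ROA degrades to "not-found" rather than "invalid", which is a second case a test for this boefje should cover.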