The RPKI-to-Router server used at Cloudflare
Latest commit 0999908 Nov 13, 2018


GoRTR is an open-source implementation of the RPKI to Router protocol (RFC 6810) using the Go programming language.

  • /lib contains a library to create your own server and client.
  • /file contains the structure of a JSON export file and signing capabilities.
  • /cmd/gortr/gortr.go is a simple implementation that fetches a list and offers it to a router.


This software comes with no warranty.

Features of the server

  • Refreshes a JSON list of prefixes (from either Cloudflare or a RIPE Validator)
  • Prometheus metrics
  • Lightweight
  • TLS
  • Signature verification and expiration control

Features of the API

To start developing

You need a working Go environment (1.10 or newer).

$ git clone && cd gortr
$ go build cmd/gortr/gortr.go

Install it

$ go get

Copy to your local directory if you want to use Cloudflare's signed JSON file.

Create TLS certificates if you want to use the TLS feature:

$ openssl ecparam -genkey -name prime256v1 -noout -outform pem > private.pem
$ openssl req -new -x509 -key private.pem -out server.pem

If you want to sign your list of prefixes, generate an ECDSA key (similar to the first command above). Then generate the public key.

$ openssl ec -in private.pem -pubout -outform pem > public.pem

Run it

$ ./gortr -bind

Make sure is in the current directory. Or pass -verify.key=path/to/

Data sources

Use your own validator, as long as the JSON source follows the following schema:

  {
    "roas": [
      {
        "prefix": "",
        "maxLength": 24,
        "asn": "AS65001"
      }
    ]
  }

  • Cloudflare (list curated, signed, compressed and cached in +150 PoPs)
  • Third-party RIPE Validators:

To use a data source that does not contain signatures or validity information, pass: -verify=false -checktime=false
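
What a router does with a list in this schema, as an added example that is not part of GoRTR's code: it computes the RFC 6811 origin-validation state (valid, invalid, not-found) of a route against the ROA entries. `Validate` and `sample` are hypothetical names, and the prefixes and ASNs are constructed sample values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// Constructed sample list: documentation prefixes and private-use ASNs.
const sample = `{"roas":[{"prefix":"192.0.2.0/24","maxLength":24,"asn":"AS65001"},
  {"prefix":"2001:db8::/32","maxLength":48,"asn":"AS65002"}]}`

// Validate (hypothetical helper) returns the RFC 6811 state of route for a list in the schema above.
func Validate(list []byte, route, origin string) (string, error) {
	var in struct {
		ROAs []struct {
			Prefix    string `json:"prefix"`
			MaxLength int    `json:"maxLength"`
			ASN       string `json:"asn"`
		} `json:"roas"`
	}
	if err := json.Unmarshal(list, &in); err != nil {
		return "", err
	}
	ip, rn, err := net.ParseCIDR(route)
	if err != nil {
		return "", err
	}
	rlen, rbits := rn.Mask.Size()
	state := "not-found"
	for _, r := range in.ROAs {
		_, n, err := net.ParseCIDR(r.Prefix)
		if err != nil {
			return "", fmt.Errorf("bad ROA prefix %q", r.Prefix)
		}
		ones, bits := n.Mask.Size()
		if bits != rbits || rlen < ones || !n.Contains(ip) {
			continue // different family, less specific, or outside: not covered
		}
		if r.ASN == origin && rlen <= r.MaxLength { // assumes origin is spelled "AS65001"
			return "valid", nil
		}
		state = "invalid" // covered, but wrong origin or longer than maxLength
	}
	return state, nil
}

func main() {
	fmt.Println(Validate([]byte(sample), "192.0.2.0/25", "AS65001"))
}
```

The /25 announcement in `main` comes from the authorized AS but is more specific than `maxLength` allows, so it is invalid: this is the check that stops more-specific hijacks of a covered prefix.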

Configure on Juniper

Configure a session to the RTR server

louis@router> show configuration routing-options validation
group TEST-RPKI {
    session {
        port 8282;
    }
}

Add policies to validate or invalidate prefixes

louis@router> show configuration policy-options policy-statement STATEMENT-EXAMPLE
    from {
        protocol bgp;
        validation-database valid;
    }
    then {
        validation-state valid;
        next term;
    }
    from {
        protocol bgp;
        validation-database invalid;
    }
    then {
        validation-state invalid;
    }

Display status of the session to the RTR server.

louis@router> show validation session detail
Session, State: up, Session index: 1
  Group: TEST-RPKI, Preference: 100
  Port: 8282
  Refresh time: 300s
  Hold time: 600s
  Record Life time: 3600s
  Serial (Full Update): 1
  Serial (Incremental Update): 1
    Session flaps: 2
    Session uptime: 00:25:07
    Last PDU received: 00:04:50
    IPv4 prefix count: 46478
    IPv6 prefix count: 8216

Show content of the database

louis@router> show validation database brief
RV database for instance master

Prefix                 Origin-AS Session                                 State   Mismatch
                           13335                                         valid
                           13335                                         valid


Licensed under the BSD 3 License.