Re: [Sidrops] Bug Fix Validator 3

Tim Bruijnzeels <tim@nlnetlabs.nl> Mon, 16 December 2019 15:58 UTC

From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <A123A6B4-D07E-44A8-B997-CDE3964E52B7@ripe.net>
Date: Mon, 16 Dec 2019 16:58:32 +0100
Cc: SIDR Operations WG <sidrops@ietf.org>
Message-Id: <78AB7069-A4CB-4371-B63D-BB48CC5C5F7A@nlnetlabs.nl>
References: <A123A6B4-D07E-44A8-B997-CDE3964E52B7@ripe.net>
To: Nathalie Trenaman <nathalie@ripe.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/JKFmdCdepKHdoYQWO0NvxzV78Vk>

Hi all,

> On 16 Dec 2019, at 16:49, Nathalie Trenaman <nathalie@ripe.net> wrote:
> 
> Hi all, 
> 
> We have just released a bug fix version of our Validator 3.
> 
> You can find them here: 
> 
> Centos7 - https://ftp.ripe.net/tools/rpki/validator3/prod/centos7/repo/rpki-validator-3.1-2019.12.16.15.18.18.noarch.rpm
> Debian - https://ftp.ripe.net/tools/rpki/validator3/prod/deb/rpki-validator-3.1-2019.12.16.15.18.18.deb
> Generic build - https://ftp.ripe.net/tools/rpki/validator3/prod/generic/rpki-validator-3.1-2019.12.16.15.18.18-dist.tar.gz
> 
> If you have the yum repository configured, "yum install rpki-validator" will do the job.
> 
> This was an interesting bug. We always relied on the idea that serial numbers of manifest objects increase; apparently all the Trust Anchors so far (except for some of the sub-repositories under APNIC) generated increasing serial numbers, and it always worked. It looks like Krill doesn't do it; that's why Validator 3 doesn't always pick up the latest manifest and can use stale data. According to the RFC, serial numbers don't have to increase, they just need to be different (the Krill implementation follows that RFC), so it was a bug on our side that is now fixed.

To be precise: the 'manifestNumber' (section 4.2.1 of RFC 6486) increases by '1' with every new publication, but the embedded EE certificate's Serial Number (4.2.2.2 of RFC 5280) is a random number. I remember reading advice that this certificate Serial Number should not be predictable, but I can't find where right now.

Thanks,

Tim
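As an added illustration, not code from Validator 3, Krill, or anyone on this thread: the two selection rules discussed above, the one the bug relied on (EE certificate serial) beside the one RFC 6486 defines (manifestNumber), run over constructed manifest sets with random and with increasing EE serials. Field names and sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Manifest:
    """The fields a validator compares when it sees several manifests for one CA."""
    manifest_number: int  # RFC 6486 s4.2.1 manifestNumber: incremented per publication
    ee_serial: int        # serialNumber of the embedded EE certificate (RFC 5280)
    this_update: str      # thisUpdate timestamp, kept only for display


def latest_by_ee_serial(manifests: Iterable[Manifest]) -> Manifest:
    """The buggy rule: assumes the EE serial grows with each publication."""
    return max(manifests, key=lambda m: m.ee_serial)


def latest_by_manifest_number(manifests: Iterable[Manifest]) -> Manifest:
    """The corrected rule: manifestNumber is the field defined to increase."""
    return max(manifests, key=lambda m: m.manifest_number)


def should_replace(cached: Optional[Manifest], incoming: Manifest) -> bool:
    """Accept an incoming manifest only if it advances manifestNumber;
    anything else would roll the cache back onto stale data."""
    return cached is None or incoming.manifest_number > cached.manifest_number


# Constructed sample: three successive publications from a CA whose EE
# serials are random (Krill-style). Ordering by serial wrongly picks 41.
KRILL_STYLE = [
    Manifest(41, 0xD4A2_91F7_3C06_8B1E, "2019-12-14T10:00:00Z"),
    Manifest(42, 0x2B7E_0C55_9A13_F0D8, "2019-12-15T10:00:00Z"),
    Manifest(43, 0x7F19_E3AA_4D02_6C41, "2019-12-16T10:00:00Z"),
]

# Constructed sample: a CA that happens to issue increasing serials, so
# both rules agree and the bug stays hidden, as it did for most TAs.
MONOTONIC = [
    Manifest(n, 1000 + n, f"2019-12-{n - 27:02d}T10:00:00Z") for n in (41, 42, 43)
]

if __name__ == "__main__":
    for name, sample in (("random serials", KRILL_STYLE), ("increasing serials", MONOTONIC)):
        print(name, "by EE serial ->", latest_by_ee_serial(sample).manifest_number,
              "| by manifestNumber ->", latest_by_manifest_number(sample).manifest_number)
```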