[Sidrops] New validator implementation: OpenBSD's rpki-client(8)

Job Snijders <job@ntt.net> Mon, 17 June 2019 17:28 UTC

Return-Path: <job@instituut.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACB26120077 for <sidrops@ietfa.amsl.com>; Mon, 17 Jun 2019 10:28:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tp6tq1MdsUx3 for <sidrops@ietfa.amsl.com>; Mon, 17 Jun 2019 10:28:04 -0700 (PDT)
Received: from mail-ed1-f54.google.com (mail-ed1-f54.google.com [209.85.208.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DB1E120159 for <sidrops@ietf.org>; Mon, 17 Jun 2019 10:28:04 -0700 (PDT)
Received: by mail-ed1-f54.google.com with SMTP id s49so17311892edb.1 for <sidrops@ietf.org>; Mon, 17 Jun 2019 10:28:04 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:subject:message-id:mime-version :content-disposition:user-agent; bh=8/DEFmLUtm/YSUW5bZrvU+GKWNjUmjETDk2ux9TDWDM=; b=tVeivustKVQA2d1mUDZrzeUM2Zcb7B0f44vvoEIL2NQK0JoWlGb/kk/TRfirG0aHLK 4PGU19W00eKIL7EFFIQa/J2DVTqYqV1RQFmR1Uvp4d5Q8A3EiEMSUJk+NDxI8lypubUl fKc9dMNsyti2oW9uLH2Cw6v/5S/Qi5MB+j4PeMUYVaglg9qFqr11gqP4kk6qEVNWyvxO 0aqEHQhWD5Rvw8qq6npt0QhY5ayqx8TodTJl8ZMlZmXCWyZx5KFx9bV4iDpBQZ4SNPGL trUCNeS9jnAPDa7WPJPon8IaVGWfZp0h3V8LDExLVC2X56ba6WtaLE2pM8YZ6lQIHN60 pc7g==
X-Gm-Message-State: APjAAAW/Ceth8OuwCiCKGFrURhpc+GPrziOeBuLWDfDGz3+xTv87P4Iv e2iX5IQsJyBQD3c/O4YGl3tQmfEtsePh/g==
X-Google-Smtp-Source: APXvYqx/sVvqha7ukmUVgChNoQcjaU4kmqA58EbPcILciDLS1Fd+aWJZk/67xt00naFT306oSwPlnw==
X-Received: by 2002:a50:a4ad:: with SMTP id w42mr36562356edb.230.1560792479998; Mon, 17 Jun 2019 10:27:59 -0700 (PDT)
Received: from localhost ([2001:67c:208c:10:89c7:dffa:76e7:5cf0]) by smtp.gmail.com with ESMTPSA id 15sm2276962ejz.24.2019.06.17.10.27.58 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 17 Jun 2019 10:27:58 -0700 (PDT)
Date: Mon, 17 Jun 2019 19:27:57 +0200
From: Job Snijders <job@ntt.net>
To: sidrops@ietf.org
Message-ID: <20190617172757.GI92329@hanna.meerval.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Clacks-Overhead: GNU Terry Pratchett
User-Agent: Mutt/1.11.4 (2019-03-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/yiH1PCLXZmqQalW5d1BWJAZXJfI>
Subject: [Sidrops] New validator implementation: OpenBSD's rpki-client(8)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jun 2019 17:28:07 -0000

Dear working group,

I'm pleased to announce the publication of the liberally licensed
rpki-client! The software is usable and produces useful output, but is
still in volatile state.

The portable version (which can run on Linux and FreeBSD) is now
available via github: https://github.com/kristapsdz/rpki-client
The OpenBSD project has imported a copy of the source code into its main
development tree. It is expected to simmer there for a bit, there will
be some back and forth between the openbsd specific and -portable
version (like with other projects such as ssh and bgpd).

My hope is that we can now bring the code to sufficient high quality
level so that it can be a standard tool in the 6.6 release of the
OpenBSD operating system (November 2019)! At that point we hopefully can
point at the first Network Operating System that has a built-in BGP
daemon *and* RPKI validator. I hope is that the likes of Arrcus, Cisco,
and Juniper will take note and copy! :-)

What the software can do so far:

    - download all RPKI repositories (with openrsync)
    - validate the RPKI tree
    - output RPKI VRPs in OpenBGPD format

This may not sound like much, but getting to this stage was quite some
work. Rpki-client is a CLI tool meant to be run from something like
cron, it is not a daemon and does not support RTR. You'd probably end up
using rpki-client in combinatino with Cloudflare's GoRTR if you need
RTR.

What the future holds
=====================

1/ rpki-client depends on OpenSSL. This is fine for all non-OpenBSD
   systems, but not acceptable for an OpenBSD release. People are
   working to extend LibreSSL in such a way that it supports the CMS
   functions that rpki-client requires. Having multiple commonly used
   cryptographic libraries that can be used in context RPKI would a huge
   win for the Internet community.

2/ Adherance to coding convention & style clean up. Rpki-client has been
   handed over from its principal author Kristaps Dzonsons to the wider
   OpenBSD community. An inaugural step in this process always is to
   make the code pretty and shiny.

3/ More outputs, currently the code only supports OpenBGPD format, we
   want to add JSON (for easier integration with GoRTR) and perhaps some
   other useful formats.

4/ Porting to other operating systems. The code has been released, we
   now have to wait for package maintainers and porters to pick up the
   code and package for CentOS, Debian, FreeBSD, etc!

5/ Add support for RRDP. Rpki-client currently only supports the rsync
   protocol. In order to support the lowest common denominator across all
   RIRs, a new tool was developed as part of the rpki-client project,
   namely openrsync https://github.com/kristapsdz/openrsync/
   developing a full GNU rsync alternative took away from the time
   available to develop RRDP support, so we'll have to add that in
   later.

Let me know if you have any questions!

Kind regards,

Job