[Sidrops] New validator implementation: OpenBSD's rpki-client(8)
Job Snijders <job@ntt.net> Mon, 17 June 2019 17:28 UTC
Date: Mon, 17 Jun 2019 19:27:57 +0200
From: Job Snijders <job@ntt.net>
To: sidrops@ietf.org
Message-ID: <20190617172757.GI92329@hanna.meerval.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/yiH1PCLXZmqQalW5d1BWJAZXJfI>
Dear working group,

I'm pleased to announce the publication of the liberally licensed rpki-client! The software is usable and produces useful output, but is still in a volatile state.

The portable version (which can run on Linux and FreeBSD) is now available via GitHub: https://github.com/kristapsdz/rpki-client

The OpenBSD project has imported a copy of the source code into its main development tree. It is expected to simmer there for a bit; there will be some back and forth between the OpenBSD-specific and -portable versions (as with other projects such as ssh and bgpd). My hope is that we can now bring the code to a sufficiently high quality level that it can be a standard tool in the 6.6 release of the OpenBSD operating system (November 2019)! At that point we can hopefully point at the first Network Operating System that has a built-in BGP daemon *and* RPKI validator. My hope is that the likes of Arrcus, Cisco, and Juniper will take note and copy! :-)

What the software can do so far:

- download all RPKI repositories (with openrsync)
- validate the RPKI tree
- output RPKI VRPs in OpenBGPD format

This may not sound like much, but getting to this stage was quite some work.

Rpki-client is a CLI tool meant to be run from something like cron; it is not a daemon and does not support RTR. You'd probably end up using rpki-client in combination with Cloudflare's GoRTR if you need RTR.

What the future holds
=====================

1/ rpki-client depends on OpenSSL. This is fine for all non-OpenBSD systems, but not acceptable for an OpenBSD release. People are working to extend LibreSSL in such a way that it supports the CMS functions that rpki-client requires. Having multiple commonly used cryptographic libraries that can be used in the RPKI context would be a huge win for the Internet community.

2/ Adherence to coding conventions & style clean-up. Rpki-client has been handed over from its principal author Kristaps Dzonsons to the wider OpenBSD community. An inaugural step in this process is always to make the code pretty and shiny.

3/ More outputs. Currently the code only supports the OpenBGPD format; we want to add JSON (for easier integration with GoRTR) and perhaps some other useful formats.

4/ Porting to other operating systems. The code has been released; we now have to wait for package maintainers and porters to pick up the code and package it for CentOS, Debian, FreeBSD, etc.!

5/ Add support for RRDP. Rpki-client currently only supports the rsync protocol. In order to support the lowest common denominator across all RIRs, a new tool was developed as part of the rpki-client project, namely openrsync: https://github.com/kristapsdz/openrsync/ Developing a full GNU rsync alternative took away from the time available to develop RRDP support, so we'll have to add that later.

Let me know if you have any questions!

Kind regards,

Job
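The third capability listed above is emitting VRPs as an OpenBGPD `roa-set`. The following is an added illustration, not code from rpki-client or the OpenBSD project: it takes a constructed list of VRPs, applies the sanity checks a validator's output stage should enforce (maxlen within the prefix length and the address family's maximum, a 32-bit source AS, no duplicate entries) and renders the `roa-set { ... }` block as OpenBGPD's configuration syntax expresses it; the exact whitespace and the omission of `maxlen` when it equals the prefix length are assumptions about the layout, not a transcription of rpki-client's own output routine.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """One Validated ROA Payload: covered prefix, max length, origin AS."""
    prefix: str
    maxlen: int
    asn: int


def check_vrp(v):
    """Reject VRPs a validator must never hand to a router: host bits set in
    the prefix, maxlen shorter than the prefix or longer than the address
    family allows, or a source AS outside the 32-bit range."""
    net = ipaddress.ip_network(v.prefix, strict=True)  # raises if host bits set
    if not net.prefixlen <= v.maxlen <= net.max_prefixlen:
        raise ValueError(f"{v.prefix}: maxlen {v.maxlen} out of range")
    if not 0 <= v.asn <= 0xFFFFFFFF:
        raise ValueError(f"{v.prefix}: bad source-as {v.asn}")
    return net


def to_openbgpd(vrps):
    """Render checked, de-duplicated VRPs as an OpenBGPD roa-set block
    (assumed layout: 'maxlen' is written only when it exceeds the prefix length)."""
    lines = ["roa-set {"]
    seen = set()
    for v in vrps:
        net = check_vrp(v)
        key = (net.with_prefixlen, v.maxlen, v.asn)
        if key in seen:          # identical VRP from another ROA: emit once
            continue
        seen.add(key)
        if v.maxlen == net.prefixlen:
            lines.append(f"\t{net.with_prefixlen} source-as {v.asn}")
        else:
            lines.append(f"\t{net.with_prefixlen} maxlen {v.maxlen} source-as {v.asn}")
    lines.append("}")
    return "\n".join(lines) + "\n"


# Constructed sample: documentation prefixes and private-use ASNs only.
SAMPLE_VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("2001:db8::/32", 48, 64497),
    VRP("192.0.2.0/24", 24, 64496),   # duplicate, dropped on output
]

if __name__ == "__main__":
    print(to_openbgpd(SAMPLE_VRPS), end="")
```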