| Age | Commit message (Collapse) | Author |
|---|
|
It is helpful for network operators, publication point operators, and CA
operators to have more insight into whether the RP noticed an issuance
gap between two versions of a given manifest.
* high number of gaps all the time might be an indication the RP is not
refreshing often enough
* the CA is trying to issue manifests more than once a second
* the RFC 8181 publication server's ingress API endpoint has issues
* the RFC 8181 publication client has trouble reaching the server
* the CA's private keys (RPKI + BPKI) are used on a second (cloned) system
* the CA's issuance database is broken
Correlation opportunity: detection of a gap means some of the CA's
intermediate states were occluded from the RP; the RP operator might
want to correlate this to traffic shifts in BGP or publication point
reachability issues.
Going forward, emit a warning per manifest, adds metrics to the
openmetrics output, and displays a summary at the end of the run about
issuance gaps.
OK tb@
|
|
are used to store file descriptors.
OK tb@
|
|
ok claudio
|
|
OK tb@ claudio@
|
|
This changes the JSON output, without -x some keys are missing from 'metadata'
OK tb@
|
|
OK tb@
|
|
repo_abort() called by repo_check_timeout() will add messages to
be sent out.
OK tb@
|
|
Only trigger a duplicate error if a valid filepath is revisted. It is
possible that a bad CA references somebody else's files and if that
happens first it would block the valid access.
To make this work, pass the ok flag to filepath_add() and only set the
talmask bit if the file was ok. Since we need to do the duplicate check
before processing the entity introduce filepath_valid() which checks
if the path is in the tree and has its talmask bit set.
In repo_move_valid() handle conflicts more gracefully. When both a valid
and temporary file are present assume that one of the files was never ok
(talmask == 0) and silently remove that file from the filepath tree.
OK tb@
|
|
We need to pass this to filepath_add so lets use a better name.
OK tb@
|
|
Instead of only differentiating between CA and BGPsec Router certs,
make it recognize TA and EE certs as well. TAs and CAs have the cA
boolean in the basic constraints, while EE and BGPsec router certs
do not.
TAs are self-signed, CAs not self-issued, all other certs with the
cA boolean are invalid. EE certs do not have an extended key usage
and BGPsec certs contain the id-kp-bgpsec-router OID.
Handle the new purposes where needed.
ok job
|
|
can decide which of the two files to use.
With and OK tb@
|
|
The certificate SKI is not strictly unique so using it as a unique id is
problematic. It is also not really needed to do that since in theory we
already know the path (but this got lost in the privsep communication).
So add a cert id and pass this id back and forth between main process and
the parser. With this id we can lookup the authentication chain in the
parser and this even works with multiple paths to the same resource.
Since we no longer lookup by SKI the valid_aki_ski function is replaced
by find_issuer() which does the lookup by certid.
The loop protection is now extended to allow each TAL to reach each file
once but still triggers if a file is reaccessed by the tree of a TAL.
In filemode the lookup now uses an AIA uri based lookup tree. Again this
replaces the SKI based lookups from before.
Done together with tb@
OK tb@ job@
|
|
The previous approach introduced a cap, but it might not always be hit as
intended (I missed this on review). Fix this to check the cap after merging
an ASPA into an already existing VAP. Also free the list of providers since
nothing should be looking at it anymore.
Count VAPs that hit the limit with a new overflowed counter. There are
still a few aspects of the accounting that probably aren't entirely right.
This will be fixed at another point. It's just statistics after all.
with/ok claudio, ok job
|
|
The number of providers in a single ASPA object already was limited to
MAX_ASPA_PROVIDERS, now also impose a limit on the total number of providers
across multiple ASPA objects. If the MAX_ASPA_PROVIDERS limit is hit, omit
the Customer ASID's entry from OpenBGPD and JSON output.
OK tb@
|
|
OK tb@ claudio@
|
|
OK tb@ claudio@
|
|
Instead of burning one letter for each new file format (sidrops is known
to crank out new things faster than a normal person can read), use -x to
opt into parsing and processing file formats that aren't yet considered
stable. This is currently only the Signed Prefix List. While a repetition
of the ASPA debacle, this code hasn't yet seen enough stress testing to be
enabled by default.
ok claudio job
|
|
The OpenMetrics output shows per-repository counters for new files
added, the main process and JSON output emit the sum of all new files.
OK claudio@
|
|
Signed Prefix List are a CMS protected content type for use with the
RPKI to carry the complete list of prefixes which an Autonomous System
may originate to all or any of its routing peers. The validation of a
Signed Prefix List confirms that the holder of the listed ASN produced
the object, and that this list is a current, accurate and complete
description of address prefixes that may be announced into the routing
system originated by this AS.
https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist
with and OK claudio@ tb@
|
|
Fix their indent in extern.h, move the X509_TIME_* macros to main.c since
they aren't (and can't really be) used elsewhere, document the meaning of
the magic numbers. Also move get_current_time() out of the middle of entity
handlers.
ok claudio job
|
|
|
|
No need to hoist a staleness indicator through the whole process and
count it explicitly.
OK tb@
|
|
The ability to constrain a RPKI Trust Anchor's effective signing
authority to a limited set of Internet Number Resources allows
Relying Parties to enjoy the potential benefits of assuming trust,
within a bounded scope.
Some examples: ARIN does not support inter-RIR IPv6 transfers, so
it wouldn't make any sense to see a ROA subordinate to ARIN's trust
anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't
make sense to observe a ROA covering ARIN-managed IPv6 space under
APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust
arc (a cryptographically valid certificate path) existed. Along these
same lines, AFRINIC doesn't support inter-RIR transfers of any kind,
and none of the RIRs have authority over private resources like
10.0.0.0/8 and 2001:db8::/32.
For more background see:
https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/
https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html
With and OK tb@, OK claudio@
|
|
OK tb@
|
|
OK tb@
|
|
A small mistake in a diff broke the counters. Make them AFI agnostic and
adjust ometric output.
guidance & ok claudio
|
|
According to RFC 8182, a given session_id and serial number represent an
immutable record of the state of the Repository Server at a certain
point in time.
Add a check to the RRDP notification file processing to compare whether
the delta hashes associated to previously seen serials are different in
newly fetched notification files. Fall back to a snapshot if a difference
is detected, because such a mutation is a strong desynchronization
indicator.
Idea from Ties de Kock (RIPE NCC).
Based on a diff by job@
With and OK job@ tb@
|
|
Use ibuf_fd_get/set/avail in the file descriptor passing code.
Switch some ibuf_seek() calls to ibuf_set() and use ibuf_add_zero() instead
of ibuf_reserve().
OK tb@ job@
|
|
In the RSYNC protocol a file's last modification time and its size are
used to determine whether sending a (partial) copy over the wire is needed.
Previously, when RRDP data structures are serialized to disk, the mtime of
files in DIR_VALID ended up being UTIME_NOW.
Thus, the mtimes of files obtained through RRDP will never match the mtimes
of the same files available through RSYNC - causing each and every file to
be added to the file transfer list.
Instead, use the internal timestamps of RPKI files as the last modified
timestamp. Specifically, for Signed Objects (ROAs, MFTs, GBRs, TAKs, ASPAs)
the CMS signing-time, for .cer files the X.509 notBefore, and for .crl files
the CRL lastUpdate. This results in a surprising optimization for the number
files which have to be transfered.
OK claudio@
|
|
Make rpki-client choose the verification time of the time it is invoked
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.
Using the time of invocation does not work well with fast publishing CAs. It
can take a few minutes to reach a repo and that CA may have issued certificates
that are not yet valid if that startup time of rpki-client is used to validate.
This still keeps the -P option to specify a fixed validation time.
OK beck@ job@ tb@
|
|
are kept / removed in the repository temporary storage.
After a discussion with tb@ and job@
|
|
OK tb@ (from a larger diff)
|
|
|
|
rather than always getting the current system time for every certificate
verification. This will result in output that is not variable on run-time.
ok tb@ claudio@
|
|
This is intended to be able to test rpki-client in a reproducable
way without worrying about the system time changing the results
ok claudio@
|
|
This fixes some wrong accounting for repositories that are referenced
from more than one TAL. It changes the ometric lable output a little bit
since there are repository metrics that no longer include the 'name' label.
OK tb@
|
|
authority as the manifest itself
OK tb@
|
|
the same time. So in case of a valid crl pass the CRL filename as entity
message to the parent process together with the MFT. This way the MFT and
CRL end up both in the valid cache even if some files in the MFT are missing.
On severe errors (like X.509 verify errors) the CRL is not moved since it
is not considered valid.
With and OK job@, tb@
|
|
Change the way the validated ASPA tree is built since OpenBGPD config
follows more the ASPA profile and puts the optional AFI to each provider
ASnum instead of duplicated everything into an IPv4 and IPv6 tree.
The JSON output of ASPA is still the same.
The inclusion of the aspa-set can currently be disabled by the -A flag.
OK tb@
|
|
Swap repo_id and filename to simplify the code in parser.c. In filemode
both repo_id and filename are ignored.
Additionally do not errx() in case of unknown file types. Instead send back
enough info that the code can move on.
OK tb@
|
|
Many statistic values are now accounted by repository via repo_stat_inc()
At end of the run sum_stats() accumulates these stats per TAL and globally.
The new output file metrics is written when the -m output flag is specified.
The metrics file is written in OpenMetrics format (with a few tweaks to
allow node_exporter to parse the file as well). The ometric code is a copy
from bgpctl(8) and should be kept in sync.
OK tb@
|
|
clock_gettime(CLOCK_MONOTONIC) for runtime calculation.
OK tb@
|
|
OK tb@
|
|
OK tb@
|
|
|
|
With/ok job
|
|
|
|
OK tb@
|
|
If the operator specifies the '-H' option once (or more) followed by a FQDN,
the utility will *only* connect to those hosts and skip all others.
OK claudio@ tb@
|
|
Add support validation of Signed Objects containing Trust Anchor Keys
(TAKs - aka 'Signed TALs'). Signed TALs provide a mechanism for RIRs
to distribute and sign the next Trust Anchor with the current Trust
Anchor. This might be an improvement over visiting RIR websites and
copy+pasting TAL data by hand.
OK tb@
|
