OpenBSD Journal

rpki-client 9.0 released

Contributed by Peter N. M. Hansteen on from the key my route dept.

In what can only be called a great stride forward in routing security, Sebastian Benoit (benno@) announced the availability of rpki-client version 9.0.

The announcement reads,

Subject:    rpki-client 9.0 released
From:       Sebastian Benoit <benno () openbsd ! org>
Date:       2024-03-03 17:24:06

rpki-client 9.0 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users update to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of BGP announcements. The program queries the
global RPKI repository system and validates untrusted network inputs.
The program outputs validated ROA payloads, BGPsec Router keys, and
ASPA payloads in configuration formats suitable for OpenBGPD and BIRD,
and supports emitting CSV and JSON for consumption by other routing
stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- Added support for RPKI Signed Prefix Lists

  Signed Prefix Lists carry the complete list of prefixes which an
  Autonomous System may originate its routing peers. The validation of a
  Signed Prefix List confirms that the holder of the listed ASN produced
  the object. This list is a current, accurate and complete description
  of address prefixes that may be announced into the routing system
  originated by this AS.

  https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist

  Signed prefix lists are only parsed in filemode or if rpki-client is run
  with the new -x flag.

- Added an -x flag to opt into parsing and evaluation of file types that are
  still considered experimental. At this point in time this covers the signed
  prefix lists.

- Added a metric to track the number of new files that were moved to the
  validated cache. In the OpenMetrics output, per-repository counters are
  shown. The main process and the JSON output only show the total.

- Per the announcement in the last release, the stale manifest counters were
  removed from the OpenMetrics and the JSON output.

- Ensure that the FileAndHashes list in a Manifest contains no duplicate
  file names and no duplicate hashes.

- Various refactoring work, notably to reduce the warning spam generated by
  OpenSSL 3's deprecations and to remove unergonomic internal structs.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible
with LibreSSL 3.6 or later, and zlib.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client can be found are on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===============

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at
https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Assistance to coordinate security issues is available via
security@openbsd.org.

Lots more goodness to be found in the upcoming OpenBSD 7.5!

(Comments are closed)


Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]