Contributed by Peter N. M. Hansteen on from the key my route dept.
In what can only be called a great stride forward in routing security, Sebastian Benoit (benno@)
announced
the availability of rpki-client
version 9.0.
The announcement reads,
Subject: rpki-client 9.0 released From: Sebastian Benoit <benno () openbsd ! org> Date: 2024-03-03 17:24:06 rpki-client 9.0 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon. It is recommended that all users update to this version for improved reliability. rpki-client is a FREE, easy-to-use implementation of the Resource Public Key Infrastructure (RPKI) for Relying Parties (RP) to facilitate validation of BGP announcements. The program queries the global RPKI repository system and validates untrusted network inputs. The program outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads in configuration formats suitable for OpenBGPD and BIRD, and supports emitting CSV and JSON for consumption by other routing stacks.
See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix Origin Validation help secure the global Internet routing system. rpki-client was primarily developed by Kristaps Dzonsons, Claudio Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit as part of the OpenBSD Project. This release includes the following changes to the previous release: - Added support for RPKI Signed Prefix Lists Signed Prefix Lists carry the complete list of prefixes which an Autonomous System may originate its routing peers. The validation of a Signed Prefix List confirms that the holder of the listed ASN produced the object. This list is a current, accurate and complete description of address prefixes that may be announced into the routing system originated by this AS. https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-prefixlist Signed prefix lists are only parsed in filemode or if rpki-client is run with the new -x flag. - Added an -x flag to opt into parsing and evaluation of file types that are still considered experimental. At this point in time this covers the signed prefix lists. - Added a metric to track the number of new files that were moved to the validated cache. In the OpenMetrics output, per-repository counters are shown. The main process and the JSON output only show the total. - Per the announcement in the last release, the stale manifest counters were removed from the OpenMetrics and the JSON output. - Ensure that the FileAndHashes list in a Manifest contains no duplicate file names and no duplicate hashes. - Various refactoring work, notably to reduce the warning spam generated by OpenSSL 3's deprecations and to remove unergonomic internal structs. rpki-client works on all operating systems with a libcrypto library based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible with LibreSSL 3.6 or later, and zlib. rpki-client is known to compile and run on at least the following operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat, Rocky, Ubuntu, macOS, and of course OpenBSD! It is our hope that packagers take interest and help adapt rpki-client-portable to more distributions. The mirrors where rpki-client can be found are on https://www.rpki-client.org/portable.html Reporting Bugs: =============== General bugs may be reported to tech@openbsd.org Portable bugs may be filed at https://github.com/rpki-client/rpki-client-portable We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible. Assistance to coordinate security issues is available via security@openbsd.org.
Lots more goodness to be found in the upcoming OpenBSD 7.5!
(Comments are closed)