Router keys may cause CAs to be rejected. #398

Closed
partim opened this issue Oct 1, 2020 · 0 comments · Fixed by #399
partim commented Oct 1, 2020

Currently, Routinator treats all .cer objects encountered as certificates following the RPKI profile. However, BGP router certificates are also stored in the repository as .cer objects yet follow a revised profile described in RFC 8209. The current certificate decoding and validation code will reject these certificates. That was fine under the old rules but now this will cause the entire issuing CA to be rejected even though it is actually perfectly fine.

Fixing this will require some significant changes to the certificate decoding mechanisms and will delay the release. Sadly, there is no way around it.

@partim partim added this to the 0.8 milestone Oct 1, 2020
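
The failure mode described in this issue, as an added example: a simplified Rust model, not Routinator's code, in which one valid router certificate gets the whole CA rejected when every `.cer` object is checked against the CA profile. The names `Cer`, `Profile`, `check_ca`, `check_router`, `validate_ca_objects` and the sample objects are hypothetical, and each profile is reduced to a few of its RFC 6487 / RFC 8209 requirements.

```rust
// Added example: simplified model, not Routinator's code. Only the fields that
// decide the profile are kept (assumption; a real validator parses the DER).
#[derive(Clone, Copy, Debug, PartialEq)]
enum Profile { Ca, Router }

struct Cer {
    name: &'static str,
    is_ca: bool,             // basicConstraints cA flag
    bgpsec_router_eku: bool, // EKU id-kp-bgpsec-router (RFC 8209)
    has_sia: bool,           // Subject Information Access extension
    has_ip_resources: bool,
    has_as_resources: bool,
}

// RPKI CA profile: cA set, SIA present, at least one resource extension.
fn check_ca(c: &Cer) -> bool {
    c.is_ca && c.has_sia && (c.has_ip_resources || c.has_as_resources)
}
// RFC 8209 router profile: EE cert, router EKU, no SIA, AS resources only.
fn check_router(c: &Cer) -> bool {
    !c.is_ca && c.bgpsec_router_eku && !c.has_sia
        && !c.has_ip_resources && c.has_as_resources
}

// Ok(profiles) if every .cer passes; Err(name) means the whole CA is rejected.
// dispatch = false models "treat every .cer as a CA certificate".
fn validate_ca_objects(objs: &[Cer], dispatch: bool) -> Result<Vec<Profile>, &'static str> {
    let mut accepted = Vec::new();
    for c in objs {
        let profile = if dispatch && !c.is_ca { Profile::Router } else { Profile::Ca };
        let ok = if profile == Profile::Ca { check_ca(c) } else { check_router(c) };
        if !ok { return Err(c.name); } // strict rule: one bad object rejects the CA
        accepted.push(profile);
    }
    Ok(accepted)
}

// Constructed sample: one child CA certificate and one router certificate.
fn sample() -> Vec<Cer> {
    vec![
        Cer { name: "child-ca.cer", is_ca: true, bgpsec_router_eku: false, has_sia: true, has_ip_resources: true, has_as_resources: true },
        Cer { name: "router-key.cer", is_ca: false, bgpsec_router_eku: true, has_sia: false, has_ip_resources: false, has_as_resources: true },
    ]
}

fn main() {
    println!("all .cer as CA: {:?}", validate_ca_objects(&sample(), false));
    println!("dispatch by cA: {:?}", validate_ca_objects(&sample(), true));
}
```
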
wip-sync pushed a commit to NetBSD/pkgsrc-wip that referenced this issue Oct 19, 2020
Pkgsrc changes:
 * Re-compute cargo dependencies

Upstream changes:

Bug Fixes

* Apply unsafe filter (if requested) also on subsequent validation
  runs in server mode. ([#407])
* Update all metrics on all validation runs. ([#407])
* Show the status code instead of -1 in RRDP status metrics. ([#408])

Other Changes

* Improve log message when listing resources being added to the unsafe
  filter list. ([#406])

[#406]: NLnetLabs/routinator#406
[#407]: NLnetLabs/routinator#407
[#408]: NLnetLabs/routinator#408

Breaking Changes

* Validation now follows the rules suggested by
  [draft-ietf-sidrops-6486bis]\: Any invalid object mentioned on the
  manifest will lead to the issuing CA and all its objects being rejected.
  However, unlike suggested by the draft, Routinator currently will not fall
  back to cached older versions of the CA's objects that may still be valid.
  In addition, unknown RPKI object types are currently accepted with a
  warning logged. This behaviour can be changed via the `unknown-types`
  policy option. ([#371], [#401])
* Similarly, CRL handling has been tightened significantly. Each CA must
  now have exactly one CRL which must be the one stated in the manifest's
  EE certificate. Any violation will lead to the whole CA being rejected
  with the same consequences as above. ([#397])
* The default for dealing with stale objects has been changed to `reject`
  in accordance with the same draft. ([#387])
* Parsing of local exception files is now more strict in accordance with
  [RFC 8416]. Any additional member in the JSON objects will lead to an
  error. However, error reporting has been greatly improved and now the
  line and column of an error will be indicated. ([#372])
* The alias `--allow-dubios-hosts` for the correctly spelled option has
  been removed. ([#384])
* The minimal supported Rust version is now 1.42.0.

New

* All VRPs overlapping with resources from rejected CAs, dubbed `unsafe
  VRPs', can be filtered via the new `unsafe-vrps` option. Doing so will
  avoid situations where routes become RPKI invalid if their VRPs are split
  over multiple CAs or there are less specific ROAs. By default, unsafe VRPs
  are only warned about. ([#377], [#400])
* New metrics for the VRPs produced and filtered on the various TALs.
  ([#377])
* The logging output of the latest validation run is now available via the
  HTTP service's `/log` endpoint. ([#396])
* TCP keep-alive is now supported and enabled by default on RTR
  connections as suggested by [RFC 8210]. It can be disabled and its idle
  time changed from the default 60 seconds via the new `rtr-tcp-keepalive`
  command line and config file option. ([#390])
* The `pid-file`, `working-dir`, `chroot`, `user`, and `group` config file
  and server command options now also work without the `--detach` command
  line option. ([#392])
* The `init` command will now change ownership of the cache directory if
  the `user` and `group` options are set via config file or command line
  options. ([#392])
* Irrelevant log messages from libraries are now also filtered when using
  syslog logging. ([#385])
* Release builds will now abort on panic, i.e., when an unexpected
  internal condition is detected. This ensures that there won't be a
  Routinator in a coma. ([#394])
* The feature `rta` enables the new command `rta` for validating Resource
  Tagged Assertions as described in [draft-michaelson-rpki-rta]. This
  feature is not enabled by default and needs to be activated by adding
  the option `--features rta` to the Cargo build command.

Bug Fixes

* Update start and end times will not change between consecutive metrics
  reports any more. ([#389])
* Local exceptions will now be loaded before starting a validation run
  both in vrps and server mode instead of discarding the run after it
  finished when loading fails. In server mode, we now wait 10 seconds
  after loading local exceptions fails and try again instead of repeatedly
  starting validation runs and discarding them. ([594186c])
* EE certificates encountered in the repository are now validated as
  router certificates rather than regular RPKI EE certificates. ([#398])

Other Changes

* Logging has been cleaned up. The meaning of the four log levels is now
  better defined (see the man page) and all log output has been
  reassigned accordingly. ([#396])

[#357]: NLnetLabs/routinator#357
[#371]: NLnetLabs/routinator#371
[#372]: NLnetLabs/routinator#372
[#377]: NLnetLabs/routinator#377
[#384]: NLnetLabs/routinator#384
[#385]: NLnetLabs/routinator#385
[#387]: NLnetLabs/routinator#387
[#389]: NLnetLabs/routinator#389
[#390]: NLnetLabs/routinator#390
[#392]: NLnetLabs/routinator#392
[#394]: NLnetLabs/routinator#394
[#396]: NLnetLabs/routinator#396
[#397]: NLnetLabs/routinator#397
[#398]: NLnetLabs/routinator#398
[#400]: NLnetLabs/routinator#400
[#401]: NLnetLabs/routinator#401
[594186c]: NLnetLabs/routinator@594186c
[RFC 8210]: https://tools.ietf.org/html/rfc8210
[RFC 8416]: https://tools.ietf.org/html/rfc8416
[draft-ietf-sidrops-6486bis]: https://datatracker.ietf.org/doc/draft-ietf-sidrops-6486bis/
[draft-michaelson-rpki-rta]: https://datatracker.ietf.org/doc/html/draft-michaelson-rpki-rta