• rpki-client 9.1 released

    From Sebastian Benoit@21:1/5 to All on Mon Jun 24 06:05:50 2024
    rpki-client 9.1 has just been released and will be available in the
    rpki-client directory of any OpenBSD mirror soon. It is recommended
    that all users update to this version for improved reliability.

    rpki-client is a FREE, easy-to-use implementation of the Resource
    Public Key Infrastructure (RPKI) for Relying Parties (RP) to
    facilitate validation of BGP announcements. The program queries the
    global RPKI repository system and validates untrusted network inputs.
    The program outputs validated ROA payloads, BGPsec Router keys, and
    ASPA payloads in configuration formats suitable for OpenBGPD and BIRD,
    and supports emitting CSV and JSON for consumption by other routing
    stacks.

    See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
    Origin Validation help secure the global Internet routing system.

    rpki-client was primarily developed by Kristaps Dzonsons, Claudio
    Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
    as part of the OpenBSD Project.

    This release includes the following changes to the previous release:

    - Impose same-origin policy for RRDP

    This addresses an oversight in the original RRDP specification
    (RFC 8182) which allowed any publication server to cause load on
    another server by tricking RPs into making cross-origin requests.
    Imposing a same-origin policy in RRDP client/server communication
    isolates resources such as Delta and Snapshot files from different
    Repository Servers, reducing possible attack vectors.
    https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rrdp-same-origin
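    The same-origin rule described above, as an added example (not rpki-client code): the origin of every Snapshot and Delta URI listed in a Notification File is compared with the origin of the Notification File itself, so a publication server cannot direct the RP at another server. Hostnames in the sample data are placeholders.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443}  # RRDP (RFC 8182) is https only


def origin(uri):
    """Return (scheme, host, port) for an https URI, or None if the URI is
    not usable for RRDP at all (wrong scheme, no host, malformed port)."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port            # raises ValueError on a non-numeric port
    except ValueError:
        return None
    # urlsplit() already lower-cases hostname; fill in the default port so
    # "https://h/" and "https://h:443/" compare equal.
    return (scheme, parts.hostname, DEFAULT_PORTS[scheme] if port is None else port)


def same_origin(notification_uri, linked_uri):
    """True only if linked_uri shares scheme, host and port with the
    Notification File it was listed in."""
    a, b = origin(notification_uri), origin(linked_uri)
    return a is not None and a == b


def filter_cross_origin(notification_uri, linked_uris):
    """Split the Snapshot/Delta URIs of a Notification File into the ones an
    RP may fetch and the ones it must ignore."""
    accepted, rejected = [], []
    for uri in linked_uris:
        (accepted if same_origin(notification_uri, uri) else rejected).append(uri)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample data: one Notification File and the URIs it lists.
    notification = "https://rrdp.example.net/notification.xml"
    linked = [
        "https://rrdp.example.net/snapshot/abc.xml",          # same origin
        "https://RRDP.example.net:443/delta/1.xml",           # same origin
        "https://rrdp.example.net:8443/delta/2.xml",          # other port
        "https://other-publisher.example.org/snapshot.xml",   # other host
        "http://rrdp.example.net/delta/3.xml",                # not https
    ]
    accepted, rejected = filter_cross_origin(notification, linked)
    print("fetch:", accepted)
    print("ignore (cross-origin):", rejected)
```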

    - Introduce tiebreaking for trust anchors

    Instead of always using newly-retrieved trust anchors, compare a
    fetched TA with one stored in the cache. Later notBefore and earlier
    notAfter are used to identify a trust anchor certificate as newer.
    This prevents certain forms of replay attack.
    https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-ta-tiebreaker
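    The tiebreak as summarised above, as an added example (not rpki-client code): a fetched TA replaces the cached one only if it is newer, where a later notBefore wins and, with equal notBefore, an earlier notAfter wins. The sample certificates are constructed and carry only the two validity dates; the example assumes both copies have already been checked against the TAL's public key.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class TrustAnchor:
    label: str            # constructed name for the sample data only
    not_before: datetime  # certificate validity notBefore
    not_after: datetime   # certificate validity notAfter


def is_newer(candidate, cached):
    """A later notBefore marks the candidate as newer; with equal notBefore,
    an earlier notAfter does. Identical validity periods are not newer."""
    if candidate.not_before != cached.not_before:
        return candidate.not_before > cached.not_before
    return candidate.not_after < cached.not_after


def select_trust_anchor(fetched, cached):
    """Pick the TA to validate with. The cached copy is kept unless the
    fetched one is newer, so serving an older TA again changes nothing."""
    if cached is None:
        return fetched            # first run: nothing to compare against
    return fetched if is_newer(fetched, cached) else cached


def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample: the TA stored by an earlier run.
CACHED = TrustAnchor("cached", _ts("2024-01-01T00:00:00"), _ts("2025-01-01T00:00:00"))
# A stale copy of a previous TA certificate, served again (replay).
REPLAYED = TrustAnchor("replayed", _ts("2023-01-01T00:00:00"), _ts("2024-07-01T00:00:00"))
# A re-issue with the same notBefore but a shortened validity period.
SHORTENED = TrustAnchor("shortened", _ts("2024-01-01T00:00:00"), _ts("2024-10-01T00:00:00"))
# A genuinely new TA certificate.
ROLLED = TrustAnchor("rolled", _ts("2024-06-01T00:00:00"), _ts("2025-06-01T00:00:00"))

if __name__ == "__main__":
    for cand in (REPLAYED, SHORTENED, ROLLED):
        print(cand.label, "->", select_trust_anchor(cand, CACHED).label)
```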

    - Fix internal identification of CA resource certificates

    The rpki-client utility tracks CA certificates across privilege
    separation boundaries. The original design was to use the subject key
    identifier, which is problematic because the SKI is not guaranteed to
    be globally unique. On the one hand, operators could choose to reuse
    their keys for multiple CAs and on the other hand, publishing a CA
    cert in the RPKI requires no proof of possession: anyone can publish
    CA certificates with any public key they please.

    - Verify self-signage for trust anchors

    In other PKIs, trust anchors come from a trusted source and contain
    little to no important information apart from the public key. Therefore,
    libcrypto's chain verifier does not check their signatures by default
    because this "doesn't add any security and just wastes time". None of
    this is true in the RPKI and therefore trust anchors need an extra
    verification step.

    - Introduce a check for filenames as presented by publication points

    Filenames presented by publication points are unsigned data; they must
    match the location in the signed object's EE certificate SIA extension,
    which is signed data. This prevents some forms of replay attack.
    https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-manifest-numbers
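    The filename check described above, as an added example (not rpki-client code): the unsigned name under which an object was presented, joined with the CA's caRepository, must equal the signed SIA signedObject URI from the EE certificate. The repository and object names are constructed placeholders.

```python
from urllib.parse import urlsplit


def _normalize_rsync(uri):
    """Return (host, absolute path) for an rsync:// URI, or None if it is
    not a plain rsync URI (other scheme, missing host, relative path)."""
    p = urlsplit(uri)
    if p.scheme.lower() != "rsync" or not p.hostname or not p.path.startswith("/"):
        return None
    return (p.netloc.lower(), p.path)


def filename_matches_sia(ca_repository, presented_name, sia_signed_object):
    """presented_name is the unsigned filename the publication point used
    for the object; sia_signed_object is the signed location in the EE
    certificate. Accept only a plain filename whose expected location under
    the CA's caRepository is exactly the SIA location."""
    # A filename is a single path component: no separators, no "." or "..",
    # no surrounding whitespace.
    if (not presented_name or "/" in presented_name
            or presented_name in (".", "..")
            or presented_name != presented_name.strip()):
        return False
    repo = _normalize_rsync(ca_repository)
    sia = _normalize_rsync(sia_signed_object)
    if repo is None or sia is None or repo[0] != sia[0]:
        return False
    expected_path = repo[1].rstrip("/") + "/" + presented_name
    return expected_path == sia[1]


if __name__ == "__main__":
    # Constructed sample: a CA publication point and several presented names.
    ca_repo = "rsync://repo.example.net/rpki/ca1/"
    cases = [
        ("abc123.roa", "rsync://repo.example.net/rpki/ca1/abc123.roa"),   # match
        ("abc123.roa", "rsync://repo.example.net/rpki/ca1/old.roa"),      # renamed object
        ("../ca2/abc.roa", "rsync://repo.example.net/rpki/ca2/abc.roa"),  # not a filename
        ("abc123.roa", "rsync://repo.example.net/rpki/ca2/abc123.roa"),   # other CA's repo
    ]
    for name, sia in cases:
        print(name, "->", "accept" if filename_matches_sia(ca_repo, name, sia) else "reject")
```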

    - Improved compliance with RFCs 6487 and 8209 for certificates and CRLs

    The issuer field of certificates and CRLs is checked to comply with
    section 4.4 of RFC 6487. Various aspects of URIs provided in SIA, AIA
    and CRL distribution points were improved. Criticality of key usage is
    now enforced and the extension is inspected for all certificate types.

    - Presence of CMS signing-time is now enforced and presence of
    CMS binary-signing-time is disallowed, per RFC 9589.
    https://www.rfc-editor.org/rfc/rfc9589.html

    - Lowered the maximum acceptable manifest number to 2^159 - 1, per
    https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-manifest-numbers

    - Limit number of validated ASPAs per customer ASID, per
    https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-profile

    - Ignore the CRL Number extension in CRLs, per
    https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-crl-numbers

    - Various minor bug fixes and improvements in logging and error reporting

    rpki-client works on all operating systems with a libcrypto library
    based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible
    with LibreSSL 3.6 or later, and zlib.

    rpki-client is known to compile and run on at least the following
    operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
    Rocky, Ubuntu, macOS, and of course OpenBSD!

    It is our hope that packagers take interest and help adapt
    rpki-client-portable to more distributions.

    The mirrors where rpki-client is available can be found on https://www.rpki-client.org/portable.html

    Reporting Bugs:
    ===============

    General bugs may be reported to [email protected]

    Portable bugs may be filed at https://github.com/rpki-client/rpki-client-portable

    We welcome feedback and improvements from the broader community.
    Thanks to all of the contributors who helped make this release
    possible.

    Assistance to coordinate security issues is available via
    [email protected].
