nlnetlabs / routinator Goto Github PK

View Code? Open in Web Editor NEW

452.0 37.0 69.0 13.15 MB

An RPKI Validator and RTR server written in Rust

Home Page: https://nlnetlabs.nl/projects/routing/routinator/

License: BSD 3-Clause "New" or "Revised" License

Rust 98.74% Dockerfile 0.81% Shell 0.38% HTML 0.08%

rpki rust validator routing-security bgp rtr rsync tal cryptography ripe

routinator's Introduction

Routinator

Routinator 3000 is free, open-source RPKI Relying Party software. The project is written in Rust, a programming language designed for performance and memory safety.

Lightweight and portable

Routinator has minimal system requirements and it can run on almost any hardware and platform, with packages available for most. You can also easily run with Docker or Cargo, the Rust package manager.

Full-featured and secure

Routinator runs as a service that periodically downloads and verifies RPKI data. The built-in HTTPS server offers a user interface, API endpoints for various file formats, as well as logging, status and Prometheus metrics.

Flexible RPKI-to-Router (RTR) support

Routinator has a built-in RTR server to let routers fetch verified RPKI data. You can also run RTR as a separate daemon using our RPKI data proxy RTRTR, letting you centralise validation and securely distribute processed data to various locations.

Open-source with professional support services

NLnet Labs offers professional support and consultancy services with a service-level agreement. Community support is available on Discord, and our mailing list. Routinator is liberally licensed under the BSD 3-Clause license.

Launch Smoothly

Getting started with Routinator is really easy by installing a binary package for either Debian and Ubuntu or for Red Hat Enterprise Linux (RHEL) and compatible systems such as Rocky Linux. Alternatively, you can run with Docker or build from the source code using Cargo, Rust’s build system and package manager.

Please refer to the comprehensive documentation to learn what works best for you.

routinator's People

Contributors

Stargazers

Watchers

routinator's Issues

Minor things for the next releases

This issue collects small things that should be done in upcoming releases.

drop privileges in daemon mode; bind to RTR sockets before,
extended logging config,
config files.

Feature-request: Allow the -n switch to have a argument to update if last update is more than X seconds ago

I have a script that runs routinator and then creates config based on the json output. It currently updates everything, including rsync. I can check the age of the current data in the script, but it might be useful for other users as well if the '-n' switch has an optional argument. If the age of the data is mode than 'argument' seconds old, update it, otherwise, use the current data.

RTR session crashed

Nov  7 11:07:41 noc2 routinator[93742]: The RIPE NCC Certification Repository is subject to Terms and Conditions
Nov  7 11:07:41 noc2 routinator[93742]: See http://www.ripe.net/lir-services/ncc/legal/certification/repository-tc
Nov  7 11:07:41 noc2 routinator[93742]: The RIPE NCC Certification Repository is subject to Terms and Conditions
Nov  7 11:07:41 noc2 routinator[93742]: See http://www.ripe.net/lir-services/ncc/legal/certification/repository-tc
Nov  7 11:07:57 noc2 routinator[93742]: rsync://rpki.ripe.net/repository/DEFAULT/ce/2991fc-2a43-4aac-8725-03ddfcca7cdc/1/1-PLmqwITyHkp7BlKU0rsqAUtjEw.mft: failed to load.
Nov  7 11:07:58 noc2 routinator[93742]: rsync://rpki.ripe.net/repository/DEFAULT/a6/fe114b-acb2-40c4-a856-edffb3939db7/1/4vgr8a5QpQSRpLgMNtk90WLuxug.mft: failed to load.
Nov  7 11:08:02 noc2 routinator[93742]: skipping unknown file rsync://ca.rg.net/rpki/RGnet/kk7leA2QyWB46-RxM5KVfKhI7nk.gbr
Nov  7 11:08:06 noc2 routinator[93742]: thread 'tokio-runtime-worker-1' panicked at 'index out of bounds: the len is 0 but the index is 1', /opt/rpki-validator/.cargo/registry/src/github.com-1ecc6299db9ec823/routinator-0.1.1/src/rtr/send.rs:223:28
Nov  7 11:08:06 noc2 routinator[93742]: note: Run with `RUST_BACKTRACE=1` for a backtrace.
Nov  7 11:08:06 noc2 routinator[93742]: thread 'tokio-runtime-worker-1' panicked at 'index out of bounds: the len is 0 but the index is 1', /opt/rpki-validator/.cargo/registry/src/github.com-1ecc6299db9ec823/routinator-0.1.1/src/rtr/send.rs:223:28
Nov  7 11:08:06 noc2 routinator[93742]: thread 'tokio-runtime-worker-1' panicked at 'index out of bounds: the len is 0 but the index is 1', /opt/rpki-validator/.cargo/registry/src/github.com-1ecc6299db9ec823/routinator-0.1.1/src/rtr/send.rs:223:28
Nov  7 11:08:06 noc2 routinator[93742]: thread 'tokio-runtime-worker-1' panicked at 'index out of bounds: the len is 0 but the index is 1', /opt/rpki-validator/.cargo/registry/src/github.com-1ecc6299db9ec823/routinator-0.1.1/src/rtr/send.rs:223:28
Nov  7 11:08:06 noc2 routinator[93742]: thread 'tokio-runtime-worker-1' panicked at 'index out of bounds: the len is 0 but the index is 1', /opt/rpki-validator/.cargo/registry/src/github.com-1ecc6299db9ec823/routinator-0.1.1/src/rtr/send.rs:223:28
Nov  7 11:08:06 noc2 routinator[93742]: thread 'tokio-runtime-worker-1' panicked at 'index out of bounds: the len is 0 but the index is 1', /opt/rpki-validator/.cargo/registry/src/github.com-1ecc6299db9ec823/routinator-0.1.1/src/rtr/send.rs:223:28
Nov  7 11:08:06 noc2 routinator[93742]: thread 'tokio-runtime-worker-1' panicked at 'index out of bounds: the len is 0 but the index is 1', /opt/rpki-validator/.cargo/registry/src/github.com-1ecc6299db9ec823/routinator-0.1.1/src/rtr/send.rs:223:28
Nov  7 11:08:06 noc2 routinator[93742]: thread 'tokio-runtime-worker-1' panicked at 'index out of bounds: the len is 0 but the index is 1', /opt/rpki-validator/.cargo/registry/src/github.com-1ecc6299db9ec823/routinator-0.1.1/src/rtr/send.rs:223:28

Divert rsync output to log.

Routinator in closed environment - switch|flag to avoid installing TALs

Would it be possible to implement a switch|flag (e.g. --no-install-tals) at install time. To tell Routinator to not install them.

Case: This can be useful in the context of running Routinator in a closed environment not connected to the internet. E.g. Freifunk, DN42, ICVPN, Closed Lab Environment (Where you do not need route certificates for the whole Internet.) So as to avoid Routinator refusing to start. Because 4 out of 5 TALs are present. Currently removing all TALs manually after install is finished has the same effect. But I would like to be able to do this upon install time. (Currently I myself run Routinator for an ASN in DN42. Where this caused me a bit of head egg at the beginning. Before I figured it out.)

NB: Without the public TALs. I currently for my DN42 network use an exception file with Routinator. Works great for the experience. Where I do not need all ~70k signed certificates for routes on the public Internet / DFZ.

Improve SLURM error reporting

Dec 17 17:09:40 maggie routinator[23890]: Failed to load exceptions file /path/to/export_rfc8416_dn42.json: expected u32 for 'locallyAddedAssertions.prefixFilters.[].asn'

Am I wrong (doing incorrect formatting of file) or is the above a bug? (I am not sure. As I am unsure of the restrictions or lack thereof concerning the u32 type)

The expections file I am trying to load with the -x option is this export_rfc8416_dn42.json.

What troubles me in particular. Is the error message (above) from /var/etc/syslog is incomprehensible. In the sense I am sorely missing a more in-depth explanation behind the error message. E.g. on what line first number number the error message concerns. (hence this issue)

make JSON output form compatible with RIPE Validator

Arouteserver (and other software) relies on having the TAL name per entry in the JSON format, this is used for granular filtering on what ROAs to use and which not to use.

ARouteServer 2018-11-04 03:41:43,420 WARNING Invalid ROA: {u'prefix': u'91.231.153.0/24', u'asn': u'AS21485', u'maxLength': 24}, missing trust anchor

If the intention is that Routinator can be used as a drop-in replacement for RIPE NCC's validator, please make the JSON format compatible:

{
  "roas" : [ {
    "asn" : "AS0",
    "prefix" : "202.13.72.0/24",
    "maxLength" : 24,
    "ta" : "APNIC RPKI Root"
  }, {
    "asn" : "AS0",
    "prefix" : "203.147.108.0/31",
    "maxLength" : 31,
    "ta" : "APNIC RPKI Root"
  }, 
   ....

routinator config should output the TOML formatted config

Determine the signed object type from the object itself, not its name.

Currently, we use the file ending to decide what kind of object we are dealing with. The more robust way would be to use the eContentType field of the signed object.

Issue building on FreeBSD

Hi,

I just tried building the project on FreeBSD after installing rust from packages.

This is the output I get:

Compiling ber v0.1.0 (https://github.com/NLnetLabs/ber-rs.git#18a0b990)
Compiling rpki v0.1.0 (https://github.com/NLnetLabs/rpki-rs.git#8cd80010)
error[E0658]: use of unstable library feature 'slice_rsplit' (see issue #41020)
  --> /root/.cargo/git/checkouts/rpki-rs-a43ad3b5562cba05/8cd8001/src/rsync.rs:85:30
   |
85 |         let tail = self.path.rsplit(|ch| *ch == b'/').next().unwrap().len();
   |                              ^^^^^^

error: aborting due to previous error

For more information about this error, try `rustc --explain E0658`.
error: Could not compile `rpki`.

To learn more, run the command again with --verbose.
#

I'm running everything as root. It's a test vm I created just for this, so nothing else is running and is installed there.

Correctly process RTR serial number wrap-arounds.

RTR serial numbers are 32 bit values that wrap around. The maths for this case are defined in RFC 1982. We haven’t implemented that yet. Currently, after 2^32 versions, the client will be given a reset. Unless someone sets a history size of 2^32 (and has enough memory and time to follow through), in which case things will go horribly wrong.

Wrong port (3323/tcp instead of 323/tcp) in README

According to RFC6810:

https://tools.ietf.org/html/rfc6810#section-12

IANA has assigned 'well-known' TCP Port Numbers to the RPKI-Router
Protocol for the following, see Section 7:

	rpki-rtr
	rpki-rtr-tls

https://tools.ietf.org/html/rfc6810#section-7

Caches and routers MUST implement unprotected transport over TCP
using a port, rpki-rtr (323)

Caches and routers MAY use TLS transport [RFC5246] using a port,
rpki-rtr-tls (324);

Please follow the standards, thanks.

Guess the update time and put that into V1 End-of-Data PDU

Currently, we simply put the refresh interval into the refresh value of the V1 End-of-Data PDU.

Instead we should remember when we are going to do the next validation run, guess how long it takes, and publish the time until then.

Comments in JSON exception files generates error

I recently tried to include comments at the top of a JSON exception file I load into routinator.
Routinator complains about the comments line prefixed with //.
Throws and error message.
Refuses to start.

Q: Is valid JSON single line comments not acceptable in an exception file? (or have I misunderstood an RFC somewhere? Read the RFC for the format of the exception file. But did not stumble over any obvious lines detailing if JSON comments is acceptable or not to include)

Allow RTR and HTTP to be turned off selectively in `rtrd` mode

Currently, RTR is always on and HTTP needs to be enabled. Instead, we can enable both by default on their default ports and localhost and provide means to turn them off selectively.

For the command line, this could be something like --listen-tcp=none and for the config file, listen-tcp: [].

Improve daemon mode for system service

Daemon mode currently only detaches from the terminal. It needs to do all the things that daemon mode should do.

Hint: this basically includes all the options provided by daemonize crate we are already using. All of it needs to be configurable, of course.

Protect against loops in the repository.

Default prometheus exporter port for routinator

Prometheus maintains a list of allocations of default ports for exporters, and routinator has been added to the list as port 9556.

This could be reflected as a recommendation or a default in config.rs, or in documentation (README.md, doc/routinator.1) as a value for listen-http.

Add markdownlint to Travis builds.

We keep messing up the Markdown documentation files. To avoid that, we should add markdownlint to the Travis build script.

Install fails on debian

cargo install routinator fails

root@rpki0:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 9.8 (stretch)
Release:	9.8
Codename:	stretch

is my Rust too old?

root@rpki0:~# dpkg -l | egrep "rust|cargo"
ii  cargo                           0.25.0-3~deb9u1                amd64        Rust package manager
ii  libstd-rust-1.24:amd64          1.24.1+dfsg1-1~deb9u4          amd64        Rust standard libraries
ii  libstd-rust-dev:amd64           1.24.1+dfsg1-1~deb9u4          amd64        Rust standard libraries - development files
ii  rust-gdb                        1.24.1+dfsg1-1~deb9u4          all          Rust debugger (gdb)
ii  rustc                           1.24.1+dfsg1-1~deb9u4          amd64        Rust systems programming language

root@rpki0:~# cargo install routinator
    Updating registry `https://github.com/rust-lang/crates.io-index`
 Downloading routinator v0.3.1
  Installing routinator v0.3.1
 Downloading slab v0.4.2
 Downloading futures v0.1.25
 Downloading futures-cpupool v0.1.8
 Downloading log v0.4.6
 Downloading chrono v0.4.6
 Downloading toml v0.4.10
 Downloading tokio v0.1.17
 Downloading tokio-process v0.2.3
 Downloading num_cpus v1.10.0
 Downloading clap v2.32.0
 Downloading tempfile v3.0.7
 Downloading derive_more v0.14.0
 Downloading rpki v0.3.1
 Downloading json v0.11.13
 Downloading dirs v1.0.5
 Downloading fern v0.5.7
 Downloading httparse v1.3.3
 Downloading bytes v0.4.12
 Downloading libc v0.2.50
 Downloading cfg-if v0.1.7
 Downloading num-integer v0.1.39
 Downloading num-traits v0.2.6
 Downloading time v0.1.42
 Downloading serde v1.0.89
 Downloading tokio-timer v0.2.10
 Downloading tokio-executor v0.1.6
 Downloading tokio-fs v0.1.6
 Downloading tokio-udp v0.1.3
 Downloading tokio-reactor v0.1.9
 Downloading tokio-tcp v0.1.3
 Downloading tokio-sync v0.1.4
 Downloading tokio-codec v0.1.1
 Downloading tokio-trace-core v0.1.0
 Downloading tokio-io v0.1.12
 Downloading tokio-current-thread v0.1.5
 Downloading tokio-threadpool v0.1.12
 Downloading mio v0.6.16
 Downloading crossbeam-utils v0.6.5
 Downloading lazy_static v1.3.0
 Downloading iovec v0.1.2
 Downloading byteorder v1.3.1
 Downloading crossbeam-queue v0.1.2
 Downloading crossbeam-deque v0.7.1
 Downloading rand v0.6.5
 Downloading crossbeam-epoch v0.7.1
 Downloading memoffset v0.2.1
 Downloading scopeguard v0.3.3
 Downloading arrayvec v0.4.10
 Downloading nodrop v0.1.13
 Downloading rand_chacha v0.1.1
 Downloading rand_core v0.4.0
 Downloading rand_xorshift v0.1.1
 Downloading rand_jitter v0.1.3
 Downloading rand_os v0.1.3
 Downloading rand_pcg v0.1.2
 Downloading rand_hc v0.1.0
 Downloading rand_isaac v0.1.1
 Downloading rand_core v0.3.1
 Downloading autocfg v0.1.2
 Downloading lazycell v1.2.1
 Downloading net2 v0.2.33
 Downloading parking_lot v0.7.1
 Downloading lock_api v0.1.5
 Downloading parking_lot_core v0.4.0
 Downloading owning_ref v0.4.0
 Downloading stable_deref_trait v1.1.1
 Downloading smallvec v0.6.9
 Downloading rustc_version v0.2.3
 Downloading semver v0.9.0
 Downloading semver-parser v0.7.0
 Downloading fnv v1.0.6
 Downloading atty v0.2.11
 Downloading bitflags v1.0.4
 Downloading unicode-width v0.1.5
 Downloading vec_map v0.8.1
 Downloading textwrap v0.10.0
 Downloading strsim v0.7.0
 Downloading remove_dir_all v0.5.1
 Downloading quote v0.6.11
 Downloading proc-macro2 v0.4.27
 Downloading syn v0.15.29
 Downloading unicode-xid v0.1.0
 Downloading hex v0.3.2
 Downloading ring v0.13.5
 Downloading base64 v0.9.3
 Downloading untrusted v0.6.2
 Downloading bcder v0.2.1
 Downloading cc v1.0.31
 Downloading safemem v0.3.0
 Downloading syslog v4.0.1
 Downloading daemonize v0.3.0
 Downloading tokio-uds v0.2.5
 Downloading mio-uds v0.6.7
 Downloading error-chain v0.11.0
 Downloading backtrace v0.3.14
 Downloading backtrace-sys v0.1.28
 Downloading rustc-demangle v0.1.13
 Downloading tokio-signal v0.2.7
 Downloading signal-hook v0.1.8
 Downloading arc-swap v0.3.7
 Downloading ansi_term v0.11.0
   Compiling json v0.11.13
   Compiling httparse v1.3.3
   Compiling num-traits v0.2.6
   Compiling remove_dir_all v0.5.1
   Compiling lazycell v1.2.1
   Compiling hex v0.3.2
   Compiling autocfg v0.1.2
   Compiling arc-swap v0.3.7
error: the struct `#[repr(align(u16))]` attribute is experimental (see issue #33626)
  --> /root/.cargo/registry/src/github.com-1ecc6299db9ec823/arc-swap-0.3.7/src/debt.rs:19:1
   |
19 | #[repr(align(64))]
   | ^^^^^^^^^^^^^^^^^^

error: non-string literals in attributes, or string literals in top-level positions, are experimental (see issue #34981)
  --> /root/.cargo/registry/src/github.com-1ecc6299db9ec823/arc-swap-0.3.7/src/debt.rs:19:1
   |
19 | #[repr(align(64))]
   | ^^^^^^^^^^^^^^^^^^

error: the struct `#[repr(align(u16))]` attribute is experimental (see issue #33626)
  --> /root/.cargo/registry/src/github.com-1ecc6299db9ec823/arc-swap-0.3.7/src/gen_lock.rs:47:1
   |
47 | #[repr(align(64))]
   | ^^^^^^^^^^^^^^^^^^

error: non-string literals in attributes, or string literals in top-level positions, are experimental (see issue #34981)
  --> /root/.cargo/registry/src/github.com-1ecc6299db9ec823/arc-swap-0.3.7/src/gen_lock.rs:47:1
   |
47 | #[repr(align(64))]
   | ^^^^^^^^^^^^^^^^^^

error: slice pattern syntax is experimental (see issue #23121)
    --> /root/.cargo/registry/src/github.com-1ecc6299db9ec823/arc-swap-0.3.7/src/lib.rs:1030:32
     |
1030 |                 .fold([0, 0], |[a1, a2], s| {
     |                                ^^^^^^^^

error: slice pattern syntax is experimental (see issue #23121)
    --> /root/.cargo/registry/src/github.com-1ecc6299db9ec823/arc-swap-0.3.7/src/lib.rs:1031:25
     |
1031 |                     let [v1, v2] = s.snapshot();
     |                         ^^^^^^^^

error: aborting due to 6 previous errors

error: Could not compile `arc-swap`.
warning: build failed, waiting for other jobs to finish...
error: failed to compile `routinator v0.3.1`, intermediate artifacts can be found at `/tmp/cargo-install.jd7HnFHHy3Qf`

Caused by:
  build failed
root@rpki0:~#

Missing TAL Behaviour Clarification

The manpage states:

Unfortunately, the terms and conditions of
the North American registry ARIN do not allow us to include their TAL
with the Routinator. We instead include a crippled version that will
cause Routinator to refuse to work and print instructions on how to get
the TAL instead.

The observed behaviour is consistent with the above. However, we currently plan to enable SOV without relying on the ARIN TAL (because of issues with the RPA), and the docs are silent on how to do this correctly.

It appears that routinator will start correctly if the placeholder arin.tal file is removed beforehand.
Please clarify:

Is this the expected behaviour?
Is this the correct/supported way to run without one of the RIR TALs?
Is this behaviour to remain consistent in future releases?

If yes to all, then a documentation update is in order.

Document how to run RTR over SSH.

RTR can be run over SSH by proxying the RTR port provided by Routinator through sshd. Research and document the best method to do this.

Brainstorming of monitoring metrics

Now that we have Prometheus monitoring instrumentation, we need to come up with useful metrics to collect and expose.

This is issue is here to collect ideas for such metrics that users will find useful.

Add an option for the rsync command

Provide an option, both command line and config file, to set the command to run as rsync.

Objects may expire before re-validation

In order to remove expired VRPs from the output, the repository needs to be updated and re-validated before the first object expires.

Detach from terminal after checking validity of TALs.

In daemon mode, only detach from the terminal and switch to syslog logging after having checked that all the TALs are okay. This is to avoid missing the no-real message upon first start.

routinator currently broken?

$ cargo install --force --git https://github.com/NLnetLabs/routinator.git

results in tons of errors:

   Compiling mio v0.6.16
   Compiling clap v2.32.0
error[E0658]: `crate` in paths is experimental (see issue #45477)
  --> /home/job/.cargo/registry/src/github.com-1ecc6299db9ec823/ring-0.13.5/src/bssl.rs:15:5
   |
15 | use crate::{c, error};
   |     ^^^^^

error[E0658]: `crate` in paths is experimental (see issue #45477)
  --> /home/job/.cargo/registry/src/github.com-1ecc6299db9ec823/ring-0.13.5/src/aead/mod.rs:28:5
   |
28 | use crate::{constant_time, error, init, poly1305, polyfill};
   |     ^^^^^

error[E0658]: `crate` in paths is experimental (see issue #45477)
   --> /home/job/.cargo/registry/src/github.com-1ecc6299db9ec823/ring-0.13.5/src/polyfill.rs:128:13
    |
128 |         use crate::error;
    |             ^^^^^
    |
   ::: /home/job/.cargo/registry/src/github.com-1ecc6299db9ec823/ring-0.13.5/src/aead/mod.rs:120:17
    |
120 |     let nonce = slice_as_array_ref!(nonce, NONCE_LEN)?;
    |                 ------------------------------------- in this macro invocation

Config file listen-tcp entry is not documented.

Needs to be added to the man page. It appears in the sample config, though.

Monitoring integration

This is an issue to explore which monitoring products and platforms we might want to offer out-of-the-box integration for.

So far we have (in no particular order):

Prometheus
Icinga
Metronome
Zabbix
Nagios
Influxdb
SNMP, SMUX, AgentX

Feel free to add whatever it is you are using if it isn’t in the list already!

To elaborate a bit: we are planning to produce a set of metrics regarding both the Routinator’s health and the content of the RPKI cache it has and also provide some active service monitoring, probably based on an RTR client.

Validate certificate policy.

We currently don’t check the policy of RPKI certificates. Since that is actually very simple – there must be exactly one policy with a specific OID – we might as well.

Delete repository directories that disappeared

Currently, we only ever add new rsync modules to the repository tree. If such a module is not used anymore (i.e., it is never reference in any of the objects encountered) it should be removed.

RRDP support.

Release 0.1

This is a list of things that need to be done before a release.

properly add --listen option
notifications in RTR
implement daemon mode
include TALs in executable for binary executable distribution
add default working directories
update man page

Add systemd unit file for rtrd to Debian packaging.

The Debian packaging currently doesn't include a init script or systemd unit file for starting Routinator in rtrd mode. We need to explore how these files differ on various Debian-based distributions and whether we can add mechanism to include appropriate ones, at least for a subset of common distributions.

Verbose logging should be more noisy

Currently the verbose log doesn't seem to be verbose, so it's hard to judge what's actually happening.

$ .cargo/bin/routinator -r -v -l 127.0.0.1:3323
The RIPE NCC Certification Repository is subject to Terms and Conditions
See http://www.ripe.net/lir-services/ncc/legal/certification/repository-tc

The RIPE NCC Certification Repository is subject to Terms and Conditions
See http://www.ripe.net/lir-services/ncc/legal/certification/repository-tc

skipping unknown file rsync://ca.rg.net/rpki/RGnet/kk7leA2QyWB46-RxM5KVfKhI7nk.gbr
Starting RTR listener...

RFC6810 is only partally supported, answering End of Data PDU in rfc8210 format

Routinator is partally supporting rfc6810 (PDU, versjon 0) since it is answering End of Data PDU according to rfc8210 (Version 1).

Tested on Juniper router with Junos 17.3R3.10.
Junos does not support rfc8210, but when changing EndOfData reply, the session to the Juniper router
came up.

Routinator 3000 needs to reply End of Data according to version.

POC code diff:
(I'm no rust programmer, so its a hack)

diff --git a/src/rtr/pdu.rs b/src/rtr/pdu.rs
index e8e2c23..7218072 100644
--- a/src/rtr/pdu.rs
+++ b/src/rtr/pdu.rs
@@ -397,9 +397,9 @@ impl AsMut<[u8]> for Prefix {
 pub struct EndOfData {
     header: Header,
     serial: u32,
-    refresh: u32,
-    retry: u32,
-    expire: u32,
+//    refresh: u32,
+//    retry: u32,
+//    expire: u32,
 }
 
 #[allow(dead_code)] 
@@ -413,11 +413,11 @@ impl EndOfData {
         expire: u32
     ) -> Self {
         EndOfData {
-            header: Header::new(version, 7, session, 24),
+            header: Header::new(version, 7, session, 12),
             serial: serial.to_be(),
-            refresh: refresh.to_be(),
-            retry: retry.to_be(),
-            expire: expire.to_be(),
+//            refresh: refresh.to_be(),
+//            retry: retry.to_be(),
+//            expire: expire.to_be(),
         }
     }
 
@@ -433,17 +433,17 @@ impl EndOfData {
         u32::from_be(self.serial)
     }
 
-    pub fn refresh(&self) -> u32 {
-        u32::from_be(self.refresh)
-    }
-
-    pub fn retry(&self) -> u32 {
-        u32::from_be(self.retry)
-    }
-
-    pub fn expire(&self) -> u32 {
-        u32::from_be(self.expire)
-    }
+//    pub fn refresh(&self) -> u32 {
+//        u32::from_be(self.refresh)
+//    }
+//
+//    pub fn retry(&self) -> u32 {
+//        u32::from_be(self.retry)
+//    }
+//
+//    pub fn expire(&self) -> u32 {
+//        u32::from_be(self.expire)
+//    }
 }

.cer files can be router keys

Currently, Routinator assumes that all .cer files are CA certificates. That isn’t true and we need to at least gracefully ignore router key certificates. Check that we do.

Actually implementing router key support is for later.

Routinator won't compile on 32 bits machine

If ones tries one will get the following error:

Compiling rpki v0.2.0
Compiling routinator v0.2.0
error[E0425]: cannot find value res in this scope
--> /root/.cargo/registry/src/github.com-1ecc6299db9ec823/routinator-0.2.0/src/config.rs:1325:5
|
1325 | res > ::std::usize::MAX as i64
| ^^^ not found in this scope
error: aborting due to previous error

As far as I understand at the code, it seems that the routinator cpmares a 32 bit counter (for elapsed seconds> to a 64 bit value.

TAL's are not being placed if arin.tal is already existing

I deploy Routinator with ansible and thus place the arin.tal using get_url in Ansible. If you start routinator afterwards, it does not check if it has tals for all five RIRs but instead only runs with output of Arin.

Removing the tals directory creates all the tals and the fake Arin one.

Missing listen-tcp in config file crashes Routinator.

Log when a TAL cannot be parsed

We found an issue where an invalid TAL file causes routinator to exit silently. To reproduce just include some garbage .tal file. Routinator should give a more helpful error message to the user, e.g. "cannot parse wrong.tal"

Improve logging configuration.

Allow better configuration of where to log to and what. Complete list of configurable things:

targets
- syslog
- file
- stderr
identity for syslog
format for file (or just: start with time?)

Extend outform with openbgpd format

It would be cool if routinator's -f option allows openbgpd format so that users of the software can immediately plug the output into the openbgpd daemon.

The openbgpd format is as following:

roa-set {
    57.0.0.0/8 source-as 2647
    100.128.0.0/9 maxlen 24 source-as 21928
    35.0.0.0/10 source-as 237
    78.192.0.0/10 maxlen 11 source-as 12322
    79.192.0.0/10 source-as 3320
    8.128.0.0/10 source-as 37963
    ... etc ...
}

What is of note is that the maxlen argument is optional if the prefixlen and the MaxLength are the same value.

Only read TALs once.

Currently, Routinator in RTR server mode reads the TAL files for each validation run. Instead, it should read the TALs only once upon start to be more resistant against accidental or malicious changes.

Add config file

All configuration should be possible through a config file. Command line options should override file options.

Add `--roa-export` output format

Add output in the format provided by RIPE NCC’s Validator V1’s --roa-export … whatever that may be.

routinator needs a minimal man page and some improved error codes

The man page need some description of the "cache" structure so one doesn't run into thongs as below.
script.txt

Ignore unreachable repositories?

I'm not sure routinator should bomb out when one of the repositories is unreachable for some reason, thoughts?

$ routinator -f json -o /var/www/htdocs/export.json.tmp
The RIPE NCC Certification Repository is subject to Terms and Conditions
See http://www.ripe.net/lir-services/ncc/legal/certification/repository-tc

The RIPE NCC Certification Repository is subject to Terms and Conditions
See http://www.ripe.net/lir-services/ncc/legal/certification/repository-tc

rsync: getaddrinfo: ca.rg.net 873: no address associated with name
rsync error: error in socket IO (code 10) at clientserver.c(127) [Receiver=3.1.3]
IO error: Permission denied (os error 13)
Aborted.

route6:

When generating a rpsl output (routinator vrps --format rpsl --output /tmp/20190320-0804.rpsl) I get:

[...]
route: 2001:67c:16d0::/47
origin: AS44574
descr: RPKI attestation
mnt-by: NA
created: 2019-03-20T07:25:28.285693328+00:00
last-modified: 2019-03-20T07:25:28.285693328+00:00
source: ROA-RIPE-RPKI-ROOT
[...]

I have tools that expect the label to be route6: för IPv6 prefixes
Is that possible to make?

/mm

Use exitcode other than 0 when a (rsync)source can not be used

When one of the rsync sources failes, routinator exits with exitcode 0, which should be something else because we are missing data. Imho, it would be better to complain about the missing data and not update any filters than it is to silently ignore the error and move prefixes to 'unknown'.