On 9/9/22 1:58 PM, Vincent Bernat wrote:
> On 2022-09-09 19:36, Matt Corallo wrote:
>>> The attacker is still limited to the target directory. The attacker can send files that were
>>> excluded or not requested, but they still end up in the target directory. RPKI validators
>>> download stuff in a dedicated download directory
>>
>> Ah, okay, thanks, it's a shame that wasn't included in any of the disclosure posts I managed to
>> find :(
>
> It's explained in the manual page:
> https://manpages.debian.org/unstable/rsync/rsync.1.en.html#MULTI-HOST_SECURITY

Heh, right, so not in any of the disclosure posts :p

>>> (but it may be shared with several peers)
>>
>> I assume I'm mis-reading this - RPKI servers aren't able to overwrite output from other RPKI
>> servers, so it shouldn't be shared, no?
>
> Yes, it shouldn't, but maybe RPKI servers are still downloading all of them in a single directory.
> Looking at cfrpki, it looks like it works this way (didn't test).

Hmm, ouch, is there a corresponding security disclosure from cfrpki? I guess cfrpki sees pretty
limited use these days.

Thanks,
Matt
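
An added example, not part of the thread and not code from rsync or any RPKI validator: a check for the layout discussed above, where several rsync peers write into one destination directory, next to a per-host layout that keeps each peer inside its own tree. The base path, host names and function names are assumptions made up for the illustration.

```python
import posixpath
import re
from itertools import combinations
from urllib.parse import urlsplit

# Conservative host pattern (an assumption of this example): DNS labels only.
HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")

def host_of(uri):
    """Return the lower-cased host of an rsync:// URI, rejecting anything unusual."""
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    if parts.scheme != "rsync" or not HOST_RE.match(host):
        raise ValueError(f"not a usable rsync URI: {uri!r}")
    return host

def dest_for(base, uri):
    """Per-host layout: <base>/<host>/<module>/<path...>, one tree per peer."""
    segments = [s for s in urlsplit(uri).path.split("/") if s]
    if not segments or any(s in (".", "..") for s in segments):
        raise ValueError(f"unsafe path in {uri!r}")
    return posixpath.join(base, host_of(uri), *segments)

def _overlaps(a, b):
    """True when two directories are the same or one contains the other."""
    a, b = posixpath.normpath(a), posixpath.normpath(b)
    return a == b or a.startswith(b.rstrip("/") + "/") or b.startswith(a.rstrip("/") + "/")

def shared_destinations(jobs):
    """jobs: (uri, dest_dir) pairs. Return sorted (host_a, host_b) pairs of
    different hosts whose destination trees are equal or nested, i.e. where
    one peer could place files inside the tree used for another."""
    found = set()
    for (u1, d1), (u2, d2) in combinations(list(jobs), 2):
        h1, h2 = host_of(u1), host_of(u2)
        if h1 != h2 and _overlaps(d1, d2):
            found.add(tuple(sorted((h1, h2))))
    return sorted(found)

# Constructed sample input: two repositories on different hosts.
URIS = ["rsync://rpki.example.net/repo/", "rsync://rpki.example.org/repository/ta/"]
FLAT = [(u, "/var/cache/rpki") for u in URIS]                     # one shared directory
SPLIT = [(u, dest_for("/var/cache/rpki", u)) for u in URIS]       # one directory per host

if __name__ == "__main__":
    print("shared layout:", shared_destinations(FLAT))
    print("per-host layout:", shared_destinations(SPLIT))
```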