Re: rsync and RPKI Validation

2022-09-09 Thread Geoff Huston
> On 9 Sep 2022, at 4:36 pm, Vincent Bernat  wrote:
> 
> On 2022-09-09 04:56, Matt Corallo wrote:
>> Has anyone done an analysis of the rsync CVE-2022-29154 (which "allows 
>> malicious remote servers to write arbitrary files inside the directories of 
>> connecting peers") and its potential impact on RPKI validators? It looks 
>> like both Debian [1] and Ubuntu [2] opted *not* to patch rsync in their 
>> release/security package streams.
>> Are rsync-based (or rsync-fallback, which I believe is still required for 
>> all RPKI validators?) RPKI validators all vulnerable to takeover from this, 
>> or is there some reason why this doesn't apply to RPKI validation?
> 
> The attacker is still limited to the target directory. The attacker can send 
> files that were excluded or not requested, but they still end up in the 
> target directory. RPKI validators download stuff in a dedicated download 
> directory (but it may be shared with several peers), so they should be safe.

If the topic is whether rsync is fit for purpose for the RPKI I’d like to 
reference a still relevant presentation from IETF 89: 
https://www.ietf.org/proceedings/89/slides/slides-89-sidr-6.pdf As far as I am 
aware the issues raised in this presentation remain current.

My takeaway from that presentation is that there is some simple advice about 
using rsync in the context of the RPKI cache sync operation: don’t.

thanks,

 Geoff

Re: ROA Will Expire Soon - ARIN

2022-09-09 Thread Paul Emmons
In our experience, I think, we do a 24 month rpki cert tied to the key shared
with ARIN. You simply create a new rpki cert in the ARIN hosted service.
Due to operational reasons we will delete an old cert a month after publishing
the new cert just to keep things clean.  We don't have a lot of space
turnover so we will typically do a new cert 2 or 3 times a year.

If your underlying resources are pretty much static, just make your cert
good for as long as you can.

On Fri, Sep 9, 2022, 9:08 AM Ca By  wrote:

>
>
> On Fri, Sep 9, 2022 at 9:04 AM Brad Gorman  wrote:
>
>> A message is sent to points of contact of an Org one month before
>> expiration of a ROA in the ARIN repository.  At any time prior to the ROA
>> expiry, a new (duplicate) ROA can be created for the same resources with a
>> new expiry date in the future. The soon to expire ROA can be deleted once
>> the new ROA has been published to the repository or you can simply wait for
>> it to expire.
>>
>>
>>
>>
>>
>> Brad
>>
>>
> Any chance arin can post a step by step guide on the arin website?
>
> Seems like a big deal to have an roa expire, and a well documented process
> will create a lot of confidence.
>
> As where an expired roa outage will cause a company to never use rpki
> again.
>
>>
>>
>> *From: *NANOG  on behalf of Ca
>> By 
>> *Date: *Friday, September 9, 2022 at 10:12 AM
>> *To: *John Sweeting 
>> *Cc: *North American Network Operators' Group 
>> *Subject: *Re: ROA Will Expire Soon - ARIN
>>
>>
>>
>>
>>
>>
>>
>> On Fri, Sep 9, 2022 at 5:21 AM John Sweeting  wrote:
>>
>> You can contact the ARIN Helpdesk at +1-703-227-0660. Someone will also
>> be sending you an email off list.
>>
>>
>>
>> John
>>
>>
>>
>> Where is ARIN’s documented procedure for how hosted ROAs handle renewal
>> prior to expiration ?
>>
>>
>>
>>
>>
>>
>> Sent from my iPhone
>>
>> > On Sep 9, 2022, at 8:01 AM, Terrance Devor  wrote:
>> >
>> >
>> > Can someone from ARIN please reach out to me. We don't want the ROA to
>> expire...
>> >
>> > Kind Regards,
>> > Terrance
>>
>>


Re: rsync CVE-2022-29154 and RPKI Validation

2022-09-09 Thread Matt Corallo




On 9/9/22 1:58 PM, Vincent Bernat wrote:
> On 2022-09-09 19:36, Matt Corallo wrote:
>>> The attacker is still limited to the target directory. The attacker can send files that were
>>> excluded or not requested, but they still end up in the target directory. RPKI validators
>>> download stuff in a dedicated download directory
>>
>> Ah, okay, thanks, it's a shame that wasn't included in any of the disclosure posts I managed to
>> find :(
>
> It's explained in the manual page:
> https://manpages.debian.org/unstable/rsync/rsync.1.en.html#MULTI-HOST_SECURITY

Heh, right, so not in any of the disclosure posts :p

>>> (but it may be shared with several peers)
>>
>> I assume I'm mis-reading this - RPKI servers aren't able to overwrite output from other RPKI
>> servers, so it shouldn't be shared, no?
>
> Yes, it shouldn't, but maybe RPKI servers are still downloading all of them in a single directory.
> Looking at cfrpki, it looks like it works this way (didn't test).

Hmm, ouch, is there a corresponding security disclosure from cfrpki? I guess cfrpki sees pretty
limited use these days.


Thanks,
Matt
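
The layout question raised in this thread (a download directory dedicated to one repository versus one shared by several peers), as an added example that is not part of the original posts and is not taken from cfrpki or any other validator. The function names, the cache layout, the example URIs and the file-suffix allow-list are assumptions made for illustration.

```python
import os
import tempfile
from urllib.parse import urlsplit

# Object types an RPKI repository is expected to publish (assumed allow-list).
RPKI_SUFFIXES = {".cer", ".roa", ".mft", ".crl", ".gbr"}


def repo_dest(cache_root, rsync_uri):
    """Destination used for exactly one rsync host, port and module."""
    parts = urlsplit(rsync_uri)
    if parts.scheme != "rsync" or not parts.hostname:
        raise ValueError(f"not an rsync URI: {rsync_uri!r}")
    segments = [s for s in parts.path.split("/") if s]
    if not segments or segments[0] in (".", ".."):
        raise ValueError(f"no usable rsync module in {rsync_uri!r}")
    host_dir = f"{parts.hostname}_{parts.port or 873}"
    return os.path.join(os.path.abspath(cache_root), host_dir, segments[0])


def overlaps(dest_by_uri):
    """Pairs of URIs on different hosts whose destinations are equal or nested."""
    items = sorted(dest_by_uri.items())
    found = []
    for i, (uri_a, dir_a) in enumerate(items):
        for uri_b, dir_b in items[i + 1:]:
            if urlsplit(uri_a).hostname == urlsplit(uri_b).hostname:
                continue
            a, b = os.path.abspath(dir_a), os.path.abspath(dir_b)
            if os.path.commonpath([a, b]) in (a, b):
                found.append((uri_a, uri_b))
    return found


def audit_tree(dest):
    """After a sync, list symlinks that leave dest and files of unexpected type."""
    root = os.path.realpath(dest)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    findings.append((rel, "symlink leaves destination"))
            elif os.path.isfile(path):
                if os.path.splitext(name)[1].lower() not in RPKI_SUFFIXES:
                    findings.append((rel, "unexpected file type"))
    return sorted(findings)


def demo():
    """Compare a shared layout with a per-repository one on constructed input."""
    uris = ["rsync://rpki.example.net/repo/", "rsync://rpki.example.org/repo/ca1/"]
    with tempfile.TemporaryDirectory() as cache:
        shared = {u: cache for u in uris}                    # one directory for all peers
        isolated = {u: repo_dest(cache, u) for u in uris}    # one directory per repository
        dest = isolated[uris[0]]
        os.makedirs(dest)
        # Constructed stand-ins for what a sync left behind in this destination.
        open(os.path.join(dest, "ca.cer"), "wb").close()
        open(os.path.join(dest, "unrequested.bin"), "wb").close()
        os.symlink(os.path.dirname(cache), os.path.join(dest, "escape"))
        return overlaps(shared), overlaps(isolated), audit_tree(dest)


if __name__ == "__main__":
    for result in demo():
        print(result)
```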


Weekly Global IPv4 Routing Table Report

2022-09-09 Thread Routing Table Analysis Role Account
This is an automated weekly mailing describing the state of the Global
IPv4 Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, SANOG, PacNOG, SAFNOG
TZNOG, MENOG, BJNOG, SDNOG, CMNOG, LACNOG and the RIPE Routing WG.

Daily listings are sent to bgp-st...@lists.apnic.net.

For historical data, please see https://thyme.apnic.net.

If you have any comments please contact Philip Smith .

IPv4 Routing Table Report   04:00 +10GMT Sat 10 Sep, 2022

  BGP Table (Global) as seen in Japan.

Report Website: https://thyme.apnic.net
Detailed Analysis:  https://thyme.apnic.net/current/

Analysis Summary


BGP routing table entries examined: 909260
Prefixes after maximum aggregation (per Origin AS): 342376
Deaggregation factor: 2.66
Unique aggregates announced (without unneeded subnets): 439339
Total ASes present in the Internet Routing Table: 73642
Prefixes per ASN: 12.35
Origin-only ASes present in the Internet Routing Table: 63244
Origin ASes announcing only one prefix: 26032
Transit ASes present in the Internet Routing Table: 10398
Transit-only ASes present in the Internet Routing Table: 399
Average AS path length visible in the Internet Routing Table: 4.3
Max AS path length visible: 55
Max AS path prepend of ASN (265020): 50
Prefixes from unregistered ASNs in the Routing Table: 974
Number of instances of unregistered ASNs: 974
Number of 32-bit ASNs allocated by the RIRs: 40143
Number of 32-bit ASNs visible in the Routing Table: 1
Prefixes from 32-bit ASNs in the Routing Table: 160214
Number of bogon 32-bit ASNs visible in the Routing Table: 7
Special use prefixes present in the Routing Table: 1
Prefixes being announced from unallocated address space: 510
Number of addresses announced to Internet: 3069022080
Equivalent to 182 /8s, 237 /16s and 143 /24s
Percentage of available address space announced: 82.9
Percentage of allocated address space announced: 82.9
Percentage of available address space allocated: 100.0
Percentage of address space in use by end-sites: 99.6
Total number of prefixes smaller than registry allocations: 308637

APNIC Region Analysis Summary

Prefixes being announced by APNIC Region ASes: 237518
Total APNIC prefixes after maximum aggregation: 67545
APNIC Deaggregation factor: 3.52
Prefixes being announced from the APNIC address blocks: 232440
Unique aggregates announced from the APNIC address blocks: 96417
APNIC Region origin ASes present in the Internet Routing Table: 12948
APNIC Prefixes per ASN: 17.95
APNIC Region origin ASes announcing only one prefix: 3752
APNIC Region transit ASes present in the Internet Routing Table: 1752
Average APNIC Region AS path length visible: 4.6
Max APNIC Region AS path length visible: 34
Number of APNIC region 32-bit ASNs visible in the Routing Table: 8184
Number of APNIC addresses announced to Internet: 773537536
Equivalent to 46 /8s, 27 /16s and 63 /24s
APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079, 55296-56319,
                       58368-59391, 63488-64098, 64297-64395, 131072-151865
APNIC Address Blocks     1/8,  14/8,  27/8,  36/8,  39/8,  42/8,  43/8,
                        49/8,  58/8,  59/8,  60/8,  61/8, 101/8, 103/8,
                       106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8,
                       116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8,
                       123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8,
                       163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8,
                       203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8,
                       222/8, 223/8,

ARIN Region Analysis Summary


Prefixes being announced by ARIN Region ASes: 264936
Total ARIN prefixes after maximum aggregation: 120942
ARIN Deaggregation factor: 2.19
Prefixes being announced from the ARIN address blocks: 265432
Unique aggregates announced from the ARIN address blocks: 128088
ARIN Region origin ASes present in the Internet Routing Table: 19052
ARIN Prefixes per ASN:   

Re: rsync CVE-2022-29154 and RPKI Validation

2022-09-09 Thread Vincent Bernat

On 2022-09-09 19:36, Matt Corallo wrote:
>> The attacker is still limited to the target directory. The attacker
>> can send files that were excluded or not requested, but they still end
>> up in the target directory. RPKI validators download stuff in a
>> dedicated download directory
>
> Ah, okay, thanks, it's a shame that wasn't included in any of the
> disclosure posts I managed to find :(

It's explained in the manual page:
https://manpages.debian.org/unstable/rsync/rsync.1.en.html#MULTI-HOST_SECURITY

>> (but it may be shared with several peers)
>
> I assume I'm mis-reading this - RPKI servers aren't able to overwrite
> output from other RPKI servers, so it shouldn't be shared, no?

Yes, it shouldn't, but maybe RPKI servers are still downloading all of
them in a single directory. Looking at cfrpki, it looks like it works
this way (didn't test).


Re: rsync CVE-2022-29154 and RPKI Validation

2022-09-09 Thread Matt Corallo




On 9/9/22 2:36 AM, Vincent Bernat wrote:
> The attacker is still limited to the target directory. The attacker can send files that were
> excluded or not requested, but they still end up in the target directory. RPKI validators download
> stuff in a dedicated download directory

Ah, okay, thanks, it's a shame that wasn't included in any of the disclosure
posts I managed to find :(

> (but it may be shared with several peers)

I assume I'm mis-reading this - RPKI servers aren't able to overwrite output from other RPKI
servers, so it shouldn't be shared, no?


Thanks,
Matt


Re: ROA Will Expire Soon - ARIN

2022-09-09 Thread Ca By
On Fri, Sep 9, 2022 at 9:04 AM Brad Gorman  wrote:

> A message is sent to points of contact of an Org one month before
> expiration of a ROA in the ARIN repository.  At any time prior to the ROA
> expiry, a new (duplicate) ROA can be created for the same resources with a
> new expiry date in the future. The soon to expire ROA can be deleted once
> the new ROA has been published to the repository or you can simply wait for
> it to expire.
>
>
>
>
>
> Brad
>
>
Any chance arin can post a step by step guide on the arin website?

Seems like a big deal to have an roa expire, and a well documented process
will create a lot of confidence.

As where an expired roa outage will cause a company to never use rpki
again.

>
>
> *From: *NANOG  on behalf of Ca
> By 
> *Date: *Friday, September 9, 2022 at 10:12 AM
> *To: *John Sweeting 
> *Cc: *North American Network Operators' Group 
> *Subject: *Re: ROA Will Expire Soon - ARIN
>
>
>
>
>
>
>
> On Fri, Sep 9, 2022 at 5:21 AM John Sweeting  wrote:
>
> You can contact the ARIN Helpdesk at +1-703-227-0660. Someone will also be
> sending you an email off list.
>
>
>
> John
>
>
>
> Where is ARIN’s documented procedure for how hosted ROAs handle renewal
> prior to expiration ?
>
>
>
>
>
>
> Sent from my iPhone
>
> > On Sep 9, 2022, at 8:01 AM, Terrance Devor  wrote:
> >
> >
> > Can someone from ARIN please reach out to me. We don't want the ROA to
> expire...
> >
> > Kind Regards,
> > Terrance
>
>


Re: ROA Will Expire Soon - ARIN

2022-09-09 Thread Brad Gorman
Peter,

ROAs created using ARIN’s Hosted RPKI service do not auto-renew.  A point of 
contact (admin,tech,routing) linked to the organization can create and delete 
ROAs.  This does not require contacting the ARIN Help Desk.

Best regards,

Brad Gorman
Sr Product Owner, Routing Security
American Registry for  Internet Numbers


From: NANOG  on behalf of Peter 
Potvin via NANOG 
Reply-To: Peter Potvin 
Date: Friday, September 9, 2022 at 10:19 AM
To: Ca By 
Cc: North American Network Operators' Group 
Subject: Re: ROA Will Expire Soon - ARIN

I have been wondering the same thing when it comes to how ARIN's hosted RPKI 
ROAs handle renewal. Do they automatically renew by default, do we need to 
delete and re-create the ROA or do we have to reach out to the helpdesk every 
time one is due to expire?

~ Peter

On Fri., Sep. 9, 2022, 10:12 a.m. Ca By wrote:


On Fri, Sep 9, 2022 at 5:21 AM John Sweeting wrote:
You can contact the ARIN Helpdesk at +1-703-227-0660. Someone will also be 
sending you an email off list.

John

Where is ARIN’s documented procedure for how hosted ROAs handle renewal prior 
to expiration ?



Sent from my iPhone

> On Sep 9, 2022, at 8:01 AM, Terrance Devor wrote:
>
>
> Can someone from ARIN please reach out to me. We don't want the ROA to 
> expire...
>
> Kind Regards,
> Terrance

The information contained in this message may be privileged, confidential and 
protected from disclosure. This message is intended only for the designated 
recipient(s). It is subject to access, review and disclosure by the sender's 
Email System Administrator. If you have received this message in error, please 
advise by return e-mail so that our address records can be corrected and please 
delete immediately without reading, copying or forwarding to others. Any 
unauthorized review, use, disclosure or distribution is prohibited.
Copyright © 2022 Accuris Technologies Ltd. All Rights Reserved.



Re: ROA Will Expire Soon - ARIN

2022-09-09 Thread Brad Gorman
A message is sent to points of contact of an Org one month before expiration of 
a ROA in the ARIN repository.  At any time prior to the ROA expiry, a new 
(duplicate) ROA can be created for the same resources with a new expiry date in 
the future. The soon to expire ROA can be deleted once the new ROA has been 
published to the repository or you can simply wait for it to expire.


Brad

From: NANOG  on behalf of Ca By 

Date: Friday, September 9, 2022 at 10:12 AM
To: John Sweeting 
Cc: North American Network Operators' Group 
Subject: Re: ROA Will Expire Soon - ARIN



On Fri, Sep 9, 2022 at 5:21 AM John Sweeting wrote:
You can contact the ARIN Helpdesk at +1-703-227-0660. Someone will also be 
sending you an email off list.

John

Where is ARIN’s documented procedure for how hosted ROAs handle renewal prior 
to expiration ?



Sent from my iPhone

> On Sep 9, 2022, at 8:01 AM, Terrance Devor wrote:
>
>
> Can someone from ARIN please reach out to me. We don't want the ROA to 
> expire...
>
> Kind Regards,
> Terrance
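
The renewal sequence described in this message (create a duplicate ROA with a later expiry, then delete the old one or let it expire), as an added example that is not ARIN tooling and not part of the original post. The inventory records, their field names, the AS numbers and the 30-day window standing in for "one month" are assumptions.

```python
from collections import defaultdict
from datetime import date
from ipaddress import ip_network

# Constructed inventory; the field names are hypothetical, not an ARIN export format.
ROAS = [
    {"name": "net1-2021", "prefix": "192.0.2.0/24", "max_len": 24,
     "asn": 64500, "not_after": date(2022, 10, 1)},
    {"name": "net1-2022", "prefix": "192.0.2.0/24", "max_len": 24,
     "asn": 64500, "not_after": date(2024, 9, 9)},
    {"name": "net2-2021", "prefix": "198.51.100.0/24", "max_len": 24,
     "asn": 64501, "not_after": date(2022, 9, 25)},
    {"name": "net3-2022", "prefix": "203.0.113.0/24", "max_len": 24,
     "asn": 64502, "not_after": date(2023, 6, 1)},
]


def roa_key(roa):
    """Two ROAs are duplicates when prefix, max length and origin AS all match."""
    return (ip_network(roa["prefix"]), roa["max_len"], roa["asn"])


def renewal_plan(roas, today, warn_days=30):
    """Split ROAs inside the warning window into 'create a duplicate' and 'old can go'."""
    groups = defaultdict(list)
    for roa in roas:
        groups[roa_key(roa)].append(roa)

    plan = {"create_new": [], "old_can_go": []}
    for group in groups.values():
        newest = max(group, key=lambda r: r["not_after"])
        newest_left = (newest["not_after"] - today).days
        for roa in group:
            days_left = (roa["not_after"] - today).days
            if days_left > warn_days:
                continue  # not close to expiry, nothing to do yet
            if roa is newest:
                # No duplicate with a later expiry exists: one must be created.
                plan["create_new"].append((roa["name"], days_left))
            elif newest_left > warn_days:
                # A duplicate already outlives the window: delete or let it expire.
                plan["old_can_go"].append((roa["name"], newest["name"]))
    plan["create_new"].sort()
    plan["old_can_go"].sort()
    return plan


if __name__ == "__main__":
    print(renewal_plan(ROAS, today=date(2022, 9, 9)))
```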


Re: ROA Will Expire Soon - ARIN

2022-09-09 Thread TJ Trout
And create the new roa for ten or whatever the max time is

On Fri, Sep 9, 2022, 7:28 AM TJ Trout  wrote:

> Just make a new roa for the same prefixes, you don't even need to delete
> the old one.
>
> On Fri, Sep 9, 2022, 7:18 AM Peter Potvin via NANOG 
> wrote:
>
>> I have been wondering the same thing when it comes to how ARIN's hosted
>> RPKI ROAs handle renewal. Do they automatically renew by default, do we
>> need to delete and re-create the ROA or do we have to reach out to the
>> helpdesk every time one is due to expire?
>>
>> ~ Peter
>>
>> On Fri., Sep. 9, 2022, 10:12 a.m. Ca By,  wrote:
>>
>>>
>>>
>>> On Fri, Sep 9, 2022 at 5:21 AM John Sweeting  wrote:
>>>
>>>> You can contact the ARIN Helpdesk at +1-703-227-0660. Someone will also
>>>> be sending you an email off list.
>>>>
>>>
>>> John
>>>
>>> Where is ARIN’s documented procedure for how hosted ROAs handle renewal
>>> prior to expiration ?
>>>
>>>
>>>
>>>> Sent from my iPhone
>>>>
>>>> > On Sep 9, 2022, at 8:01 AM, Terrance Devor
>>>> wrote:
>>>> >
>>>> >
>>>> > Can someone from ARIN please reach out to me. We don't want the ROA
>>>> to expire...
>>>> >
>>>> > Kind Regards,
>>>> > Terrance
>>>>
>>>
>>
>


Re: ROA Will Expire Soon - ARIN

2022-09-09 Thread TJ Trout
Just make a new roa for the same prefixes, you don't even need to delete
the old one.

On Fri, Sep 9, 2022, 7:18 AM Peter Potvin via NANOG  wrote:

> I have been wondering the same thing when it comes to how ARIN's hosted
> RPKI ROAs handle renewal. Do they automatically renew by default, do we
> need to delete and re-create the ROA or do we have to reach out to the
> helpdesk every time one is due to expire?
>
> ~ Peter
>
> On Fri., Sep. 9, 2022, 10:12 a.m. Ca By,  wrote:
>
>>
>>
>> On Fri, Sep 9, 2022 at 5:21 AM John Sweeting  wrote:
>>
>>> You can contact the ARIN Helpdesk at +1-703-227-0660. Someone will also
>>> be sending you an email off list.
>>>
>>
>> John
>>
>> Where is ARIN’s documented procedure for how hosted ROAs handle renewal
>> prior to expiration ?
>>
>>
>>
>>> Sent from my iPhone
>>>
>>> > On Sep 9, 2022, at 8:01 AM, Terrance Devor 
>>> wrote:
>>> >
>>> > 
>>> > Can someone from ARIN please reach out to me. We don't want the ROA to
>>> expire...
>>> >
>>> > Kind Regards,
>>> > Terrance
>>>
>>
>


Re: ROA Will Expire Soon - ARIN

2022-09-09 Thread Peter Potvin via NANOG
I have been wondering the same thing when it comes to how ARIN's hosted
RPKI ROAs handle renewal. Do they automatically renew by default, do we
need to delete and re-create the ROA or do we have to reach out to the
helpdesk every time one is due to expire?

~ Peter

On Fri., Sep. 9, 2022, 10:12 a.m. Ca By,  wrote:

>
>
> On Fri, Sep 9, 2022 at 5:21 AM John Sweeting  wrote:
>
>> You can contact the ARIN Helpdesk at +1-703-227-0660. Someone will also
>> be sending you an email off list.
>>
>
> John
>
> Where is ARIN’s documented procedure for how hosted ROAs handle renewal
> prior to expiration ?
>
>
>
>> Sent from my iPhone
>>
>> > On Sep 9, 2022, at 8:01 AM, Terrance Devor  wrote:
>> >
>> > 
>> > Can someone from ARIN please reach out to me. We don't want the ROA to
>> expire...
>> >
>> > Kind Regards,
>> > Terrance
>>
>



Re: ROA Will Expire Soon - ARIN

2022-09-09 Thread Ca By
On Fri, Sep 9, 2022 at 5:21 AM John Sweeting  wrote:

> You can contact the ARIN Helpdesk at +1-703-227-0660. Someone will also be
> sending you an email off list.
>

John

Where is ARIN’s documented procedure for how hosted ROAs handle renewal
prior to expiration ?



> Sent from my iPhone
>
> > On Sep 9, 2022, at 8:01 AM, Terrance Devor  wrote:
> >
> > 
> > Can someone from ARIN please reach out to me. We don't want the ROA to
> expire...
> >
> > Kind Regards,
> > Terrance
>


Re: ROA Will Expire Soon - ARIN

2022-09-09 Thread John Sweeting
You can contact the ARIN Helpdesk at +1-703-227-0660. Someone will also be 
sending you an email off list. 

Sent from my iPhone

> On Sep 9, 2022, at 8:01 AM, Terrance Devor  wrote:
> 
> 
> Can someone from ARIN please reach out to me. We don't want the ROA to 
> expire...
> 
> Kind Regards,
> Terrance


ROA Will Expire Soon - ARIN

2022-09-09 Thread Terrance Devor
Can someone from ARIN please reach out to me. We don't want the ROA to
expire...

Kind Regards,
Terrance


Re: Router ID on IPv6-Only

2022-09-09 Thread Saku Ytti
On Fri, 9 Sept 2022 at 09:31, Crist Clark  wrote:

> As I said in the original email, I realize router IDs just need to be
> unique in an AS. We could have done random ones with IPv4, but using a
> well chosen
In some far future this will be true. We meet eBGP speakers across the
world, and not everyone supports route refresh, _TODAY_, I suspect
mostly because internally developed eBGP implementations and
developers were not very familiar with how real life BGP works.
RFC6286 is not supported by all common implementations, much less
uncommon. And even for common implementations it requires a very new
image (20.4 for Junos, many are even in 17.4 still).

So while we can consider BGP router-id to be only locally significant
when RFC6286 is implemented, in practice you want to be defensive in
your router-id strategy, i.e. avoid at least scheme of 1,2,3,4,5,6...
on thesis that will be common scheme and liable to increase support
costs down the line due to collision probability being higher. While
it might also add commercial advantage for transit providers, to have
low router-id to win billable traffic.

> And to get even a little more specific about our particular use case and
> the suggestion here to build the device location into the ID, we're
> generally not
I would strongly advise against any information-to-ID mapping schemes.
This adds complexity and reduces flexibility and requires you to know
the complete problem ahead of time, which is difficult, only have
rules you absolutely must have. I am sure most people here have
experience having too cutesy addressing schemes some time in their
past, where forming an IP address had unnecessary rules in them, which
just created complexity and cost in future.
If you can add an arbitrary 32b ID to your database, this problem
becomes very easy. If not, it's tricky.

-- 
  ++ytti