From job at ntt.net Mon Jun 3 14:06:17 2019
From: job at ntt.net (Job Snijders)
Date: Mon, 3 Jun 2019 16:06:17 +0200
Subject: [RPKI] missing file in RG repo?
Message-ID: <20190603140617.GD1645@hanna.meerval.net>

Hi all,

Does anyone know what is wrong with the RG repository? What is this reference
to RGnet/WWz_C2qLO_yVk8-8glRCLHuz7Fw.mft?

$ rpki-client -v /home/job/source/rpki-client/tals/ripe.tal > /etc/bgpd/rpki.conf
rpki-client: rpki.ripe.net/ta: loading
The RIPE NCC Certification Repository is subject to Terms and Conditions
See http://www.ripe.net/lir-services/ncc/legal/certification/repository-tc
rpki-client: /var/cache/rpki-client/rpki.ripe.net/ta: loaded
rpki-client: rpki.ripe.net/repository: loading
The RIPE NCC Certification Repository is subject to Terms and Conditions
See http://www.ripe.net/lir-services/ncc/legal/certification/repository-tc
rpki-client: period stats: 1 pending repos
rpki-client: period stats: 1 pending entries
rpki-client: period stats: 1 pending repos
rpki-client: period stats: 1 pending entries
rpki-client: period stats: 1 pending repos
rpki-client: period stats: 1 pending entries
rpki-client: period stats: 1 pending repos
rpki-client: period stats: 1 pending entries
rpki-client: period stats: 1 pending repos
rpki-client: period stats: 1 pending entries
rpki-client: period stats: 1 pending repos
rpki-client: period stats: 1 pending entries
rpki-client: period stats: 1 pending repos
rpki-client: period stats: 1 pending entries
rpki-client: /var/cache/rpki-client/rpki.ripe.net/repository: loaded
rpki-client: read: short read: 14 remain
rpki-client: read: short read: 14 remain
rpki-client: read: short read: 4 remain
rpki-client: read: short read: 14 remain
rpki-client: read: short read: 1 remain
rpki-client: ca.rg.net/rpki: loading
rpki-client: /var/cache/rpki-client/ca.rg.net/rpki: loaded
rpki-client: ...trace: error:02001002:system library:fopen:No such file or directory
rpki-client: ...trace: error:2006D080:BIO routines:BIO_new_file:no such file
rpki-client: /var/cache/rpki-client/ca.rg.net/rpki/RGnet/WWz_C2qLO_yVk8-8glRCLHuz7Fw.mft: BIO_new_file
$

Of course rpki-client(1) should handle this more gracefully and not bomb
out, but I'm curious whether anyone knows what's up with RG? Is this a
bug on their side or is a feature missing on our side?

Kind regards,

Job

From nathalie at ripe.net Mon Jun 3 14:10:39 2019
From: nathalie at ripe.net (Nathalie Trenaman)
Date: Mon, 3 Jun 2019 16:10:39 +0200
Subject: [RPKI] missing file in RG repo?
In-Reply-To: <20190603140617.GD1645@hanna.meerval.net>
References: <20190603140617.GD1645@hanna.meerval.net>
Message-ID:

Hi there,

> On 3 Jun 2019, at 16:06, Job Snijders wrote:
>
> Hi all,
>
> Does anyone know what is wrong with the RG repository? What is this reference
> to RGnet/WWz_C2qLO_yVk8-8glRCLHuz7Fw.mft?
>
> $ rpki-client -v /home/job/source/rpki-client/tals/ripe.tal > /etc/bgpd/rpki.conf
> rpki-client: rpki.ripe.net/ta: loading
> The RIPE NCC Certification Repository is subject to Terms and Conditions
> See http://www.ripe.net/lir-services/ncc/legal/certification/repository-tc
> rpki-client: /var/cache/rpki-client/rpki.ripe.net/ta: loaded
> rpki-client: rpki.ripe.net/repository: loading
> The RIPE NCC Certification Repository is subject to Terms and Conditions
> See http://www.ripe.net/lir-services/ncc/legal/certification/repository-tc
> rpki-client: period stats: 1 pending repos
> rpki-client: period stats: 1 pending entries
> rpki-client: period stats: 1 pending repos
> rpki-client: period stats: 1 pending entries
> rpki-client: period stats: 1 pending repos
> rpki-client: period stats: 1 pending entries
> rpki-client: period stats: 1 pending repos
> rpki-client: period stats: 1 pending entries
> rpki-client: period stats: 1 pending repos
> rpki-client: period stats: 1 pending entries
> rpki-client: period stats: 1 pending repos
> rpki-client: period stats: 1 pending entries
> rpki-client: period stats: 1 pending repos
> rpki-client: period stats: 1 pending entries
> rpki-client: /var/cache/rpki-client/rpki.ripe.net/repository: loaded
> rpki-client: read: short read: 14 remain
> rpki-client: read: short read: 14 remain
> rpki-client: read: short read: 4 remain
> rpki-client: read: short read: 14 remain
> rpki-client: read: short read: 1 remain
> rpki-client: ca.rg.net/rpki: loading
> rpki-client: /var/cache/rpki-client/ca.rg.net/rpki: loaded
> rpki-client: ...trace: error:02001002:system library:fopen:No such file or directory
> rpki-client: ...trace: error:2006D080:BIO routines:BIO_new_file:no such file
> rpki-client: /var/cache/rpki-client/ca.rg.net/rpki/RGnet/WWz_C2qLO_yVk8-8glRCLHuz7Fw.mft: BIO_new_file
> $
>
> Of course rpki-client(1) should handle this more gracefully and not bomb
> out, but I'm curious whether anyone knows what's up with RG? Is this a
> bug on their side or is a feature missing on our side?
>
> Kind regards,
>

It’s a problem on their side with their CA, we’re working with Randy to
solve it.

Cheers,
Nathalie Trenaman
RIPE NCC

From tim at nlnetlabs.nl Mon Jun 3 14:13:13 2019
From: tim at nlnetlabs.nl (Tim Bruijnzeels)
Date: Mon, 3 Jun 2019 16:13:13 +0200
Subject: [RPKI] missing file in RG repo?
In-Reply-To: <20190603140617.GD1645@hanna.meerval.net>
References: <20190603140617.GD1645@hanna.meerval.net>
Message-ID: <8D759029-E47D-4C0F-8B30-17459529CB6C@nlnetlabs.nl>

Hi Job,

It seems that there is a certificate (under RIPE NCC?) that refers for its
manifest to:

rsync://ca.rg.net/rpki/RGnet/WWz_C2qLO_yVk8-8glRCLHuz7Fw.mft

But there is no such file..
Yoda:~ tim$ rsync --list-only rsync://ca.rg.net/rpki/RGnet/WWz_C2qLO_yVk8-8glRCLHuz7Fw.mft
rsync: change_dir "/RGnet" (in rpki) failed: No such file or directory (2)
rsync error: some files could not be transferred (code 23) at /BuildRoot/Library/Caches/com.apple.xbs/Sources/rsync/rsync-52.200.1/rsync/main.c(1404) [receiver=2.6.9]

It seems the repo is empty except for an id.xml file used in the dance
between CAs when setting up a secure communication channel:

Yoda:~ tim$ rsync --list-only rsync://ca.rg.net/rpki
drwxr-xr-x        4096 2019/05/24 13:34:48 .
-rw-r--r--        1175 2016/05/14 16:08:26 RGnet.identity.xml

In short I think that the rpkid died somehow, or its publication server.

> On 3 Jun 2019, at 16:06, Job Snijders wrote:
>
> ca.rg.net/rpki/RGnet/WWz_C2qLO_yVk8-8glRCLHuz7Fw.mft

From martin at nlnetlabs.nl Mon Jun 3 14:58:59 2019
From: martin at nlnetlabs.nl (Martin Hoffmann)
Date: Mon, 3 Jun 2019 16:58:59 +0200
Subject: [RPKI] Routinator 0.4.0 ‘Bumpy Road to Love’ released
Message-ID: <20190603165859.1b8203c6@glaurung.nlnetlabs.nl>

Dear Mailing List,

we are euphoric to finally announce the latest release of Routinator,
version 0.4.0 ‘The Bumpy Road to Love.’

This release fundamentally changes the command line options for running
the server and introduces a new way to initialize the local RPKI
repository used by Routinator. If you have been using previous releases,
you will likely have to adjust your tooling. We apologize for this, but
we also feel that the new commands are more intuitive and logical.

Server Mode
-----------

The command for running the server (previously ‘rtrd’) is now called
‘server’. It will not detach from the terminal anymore unless explicitly
instructed via the -d option.

When we added HTTP support, we intended it to be for monitoring only.
But it turned out that using HTTP is very useful for integrating
Routinator into existing work flows, so we now make HTTP a first class
protocol. Since this means that users may want to use the server mode
without RTR, Routinator will not listen on any ports by default any
more. Instead, you will have to explicitly choose the protocols,
addresses, and ports to listen on. The options for listening are now
more intuitive, too: --rtr for RTR and --http for HTTP.

Initialization
--------------

Previously, Routinator automatically installed the TALs if the TAL
directory wasn’t present and then stopped because of the missing ARIN
TAL. This made it difficult to automatically install TALs in
deployments.

This release replaces the automatic mechanism with a manual procedure
that is invoked by the new ‘init’ command. In addition, we have received
permission by ARIN to include their TAL. If you agree with the ARIN
Relying Party Agreement, you can now instruct Routinator to install all
TALs without having to download anything.

Filtering of VRPs
-----------------

To make up for all these breaking changes, we added filtering of VRPs in
output both via the ‘vrps’ command and in the HTTP output. Command line
options or HTTP query fields allow limiting the output to those VRPs
that cover a set of address prefixes or are related to a set of ASNs.

As ever, you can read about all the changes in the complete release
notes at
https://github.com/NLnetLabs/routinator/releases/tag/v0.4.0

The Routinator section in the RPKI Documentation has been updated to
reflect all the changes. You can find it at
https://rpki.readthedocs.io/en/latest/routinator/index.html

Happy Routinating!

On behalf of the NLnet Labs RPKI Team,
Martin
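
The VRP filtering described in the announcement above, sketched as an added example that is not Routinator code: `VRP`, `covers`, `filter_vrps` and the sample data are hypothetical names and constructed values. It assumes "cover" is meant in the RFC 6811 sense and that prefix and ASN filters combine as a union.

```python
import ipaddress
from typing import Iterable, List, NamedTuple


class VRP(NamedTuple):
    asn: int
    prefix: str
    max_len: int


# Constructed sample VRPs (documentation prefixes and ASNs, not real data).
SAMPLE_VRPS = [
    VRP(64496, "192.0.2.0/24", 24),
    VRP(64497, "198.51.100.0/24", 24),
    VRP(64498, "2001:db8::/32", 48),
    VRP(64496, "203.0.113.0/24", 24),
]


def covers(vrp: VRP, query: str) -> bool:
    """True if the VRP prefix covers `query` (RFC 6811 sense).

    Covering looks only at the VRP prefix; max_len matters later, when
    deciding Valid vs. Invalid, so it is deliberately ignored here.
    """
    vrp_net = ipaddress.ip_network(vrp.prefix)
    query_net = ipaddress.ip_network(query)
    # subnet_of() raises TypeError across address families, so check first.
    return vrp_net.version == query_net.version and query_net.subnet_of(vrp_net)


def filter_vrps(vrps: Iterable[VRP], prefixes: Iterable[str] = (),
                asns: Iterable[int] = ()) -> List[VRP]:
    """Keep VRPs that cover any given prefix OR belong to any given ASN.

    Assumption: the two filter kinds are combined as a union. With no
    filters at all, every VRP is returned.
    """
    prefixes, asns = list(prefixes), set(asns)
    if not prefixes and not asns:
        return list(vrps)
    return [v for v in vrps
            if v.asn in asns or any(covers(v, p) for p in prefixes)]
```

A query for a less specific prefix than the VRP's own (for example a /16 against a /24 VRP) returns nothing, because the VRP does not cover it.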
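
The rpki-client run at the top of this thread redirects stdout straight into /etc/bgpd/rpki.conf, so the shell truncates that file before the validator starts, and an abort like the BIO_new_file one leaves it empty or partial. An added example (not rpki-client code and not from any poster; `refresh_config` and `min_bytes` are hypothetical names) that swaps the file in only after a clean exit:

```python
import os
import shutil
import subprocess
import tempfile


def refresh_config(cmd, dest, min_bytes=1):
    """Run `cmd`, capture stdout, and replace `dest` only on success.

    Returns True if `dest` was replaced. On a non-zero exit or output
    shorter than `min_bytes`, the previous `dest` is left untouched.
    """
    dest = os.path.abspath(dest)
    # Temp file in the same directory so os.replace() is an atomic rename.
    fd, tmp = tempfile.mkstemp(prefix=".rpki-", dir=os.path.dirname(dest))
    try:
        with os.fdopen(fd, "wb") as out:
            rc = subprocess.run(cmd, stdout=out).returncode
            os.fsync(out.fileno())
        if rc != 0 or os.path.getsize(tmp) < min_bytes:
            return False
        if os.path.exists(dest):
            shutil.copymode(dest, tmp)   # mkstemp creates mode 0600
        os.replace(tmp, dest)
        tmp = None
        return True
    finally:
        # Remove the temp file unless it was renamed into place.
        if tmp is not None:
            os.unlink(tmp)
```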