mirror of https://gitlab.nic.cz/labs/bird.git synced 2024-12-23 02:01:55 +00:00
Commit Graph

13 Commits

Author SHA1 Message Date
Ondrej Zajicek
89d548accb RPKI: Increase max PDU length to 64k
ASPA records can be arbitrarily large, let's use 64k as
a reasonable limit.
2024-12-02 07:06:34 +01:00
Maria Matejka
3ca6e03db7 RPKI: refactored pdu to host byte order conversion
We shouldn't convert bytes 2 and 3 of the PDU blindly, there are several
cases where these are used by bytes. Instead, the conversion is done
only where needed.

This fixes a misinterpretation bug of ASPA PDU flags on little endian
architectures.
2024-11-28 14:19:47 +01:00
Ondrej Zajicek
fb919ac2a2 RPKI: Fix PDU length check
The END_OF_DATA PDU was extended in version 1, so it has different length
in different versions. We should do the PDU length check according to its
version.
2024-11-26 17:52:51 +01:00
Maria Matejka
e330fb1614 RPKI: added documentation and RTR version config options 2024-11-26 04:47:33 +01:00
Katerina Kubecova
fa65e06372 RPKI: protocol version 2, loading ASPA
Implemented draft-ietf-sidrops-8210bis-16, interoperable with StayRTR
development branches.
2024-11-26 04:14:36 +01:00
Job Snijders
b9f38727a7 RPKI: Add contextual out-of-bound checks in RTR Prefix PDU handler
RFC 6810 and RFC 8210 specify that the "Max Length" value MUST NOT be
less than the Prefix Length element (underflow). On the other side,
overflow of the Max Length element is also possible: being an 8-bit
unsigned integer, it allows for values larger than 32 or 128. This also
implicitly ensures there is no overflow of the "Length" value.

When a PDU is received where the Max Length field is corrupted, the RTR
client (BIRD) should immediately terminate the session, flush all data
learned from that cache, and log an error for the operator.

Minor changes done by committer.
2021-12-18 16:35:28 +01:00
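The contextual checks described in this commit, as an added C example that is not BIRD's code: it validates the Prefix Length and Max Length fields of an RTR Prefix PDU against the address-family width and against each other, as RFC 6810 / RFC 8210 require. The result-code names and the helper that builds a constructed IPv4 Prefix PDU are this example's own.

```c
#include <stdint.h>
#include <stddef.h>

/* Result codes; the names are this example's own, not BIRD's. */
enum prefix_pdu_check {
  PDU_OK = 0,
  PDU_ERR_TYPE,          /* not an IPv4/IPv6 Prefix PDU */
  PDU_ERR_SHORT,         /* fewer bytes available than the PDU needs */
  PDU_ERR_LENGTH_FIELD,  /* header Length differs from the fixed PDU size */
  PDU_ERR_PREFIX_LEN,    /* Prefix Length wider than the address family */
  PDU_ERR_MAX_LEN_OVER,  /* Max Length above 32 (IPv4) or 128 (IPv6) */
  PDU_ERR_MAX_LEN_UNDER  /* Max Length below Prefix Length */
};
static uint32_t get_u32_be(const uint8_t *p)
{
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Check the length-related fields of an RTR Prefix PDU (RFC 6810 layout: 8-byte
 * header, then Flags, Prefix Length, Max Length, Zero, Prefix, ASN). Any non-OK
 * result means: terminate the session, flush the cache's data, log an error. */
enum prefix_pdu_check check_prefix_pdu(const uint8_t *pdu, size_t avail)
{
  uint32_t fixed_len, max_bits;
  if (avail < 8) return PDU_ERR_SHORT;
  if (pdu[1] == 4) { fixed_len = 20; max_bits = 32; }        /* IPv4 Prefix PDU */
  else if (pdu[1] == 6) { fixed_len = 32; max_bits = 128; }  /* IPv6 Prefix PDU */
  else return PDU_ERR_TYPE;
  if (get_u32_be(pdu + 4) != fixed_len) return PDU_ERR_LENGTH_FIELD;
  if (avail < fixed_len) return PDU_ERR_SHORT;
  if (pdu[9] > max_bits) return PDU_ERR_PREFIX_LEN;
  if (pdu[10] > max_bits) return PDU_ERR_MAX_LEN_OVER;   /* 8-bit field can exceed width */
  if (pdu[10] < pdu[9]) return PDU_ERR_MAX_LEN_UNDER;    /* RFC 6810/8210: MUST NOT */
  return PDU_OK;
}

/* Build a constructed version-0 IPv4 Prefix PDU (192.0.2.0, AS64496) with the
 * given Prefix/Max Length and header Length, then check its first `avail` bytes. */
enum prefix_pdu_check check_constructed_ipv4(uint8_t prefix_len, uint8_t max_len,
                                             uint8_t length_field, size_t avail)
{
  uint8_t buf[20] = {0};
  buf[1] = 4;                       /* PDU Type: IPv4 Prefix */
  buf[7] = length_field;            /* header Length, big-endian, < 256 here */
  buf[8] = 1;                       /* Flags: announcement */
  buf[9] = prefix_len; buf[10] = max_len;
  buf[12] = 192; buf[13] = 0; buf[14] = 2;   /* prefix 192.0.2.0 */
  buf[18] = 0xFB; buf[19] = 0xF0;            /* AS 64496 */
  return check_prefix_pdu(buf, avail > sizeof buf ? sizeof buf : avail);
}
```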
Ondrej Zajicek (work)
fc1e3211b1 RPKI: Add 'ignore max length' option
Add 'ignore max length' option to RPKI protocol, which ignores received
max length in ROA records and instead uses max value (32 or 128). This
may be useful for implementing loose RPKI check for blackholes.
2020-10-11 01:00:54 +02:00
Maria Matejka
5f60d14ede RPKI: fixed rare va_list leak 2020-05-01 15:19:12 +02:00
Ondrej Zajicek (work)
d59c1a2958 RPKI: Update to new timers 2017-12-07 13:52:21 +01:00
Ondrej Zajicek (work)
eeba61ccd5 Minor cleanups 2016-12-13 20:18:11 +01:00
Jan Moskyto Matejka
b94e5e58db RPKI: fixed some of the extended warnings 2016-12-07 15:35:35 +01:00
Jan Moskyto Matejka
af62c0f9f1 LibSSH may be switched off together with RPKI 2016-12-07 14:15:35 +01:00
Pavel Tvrdík
65d2a88dd2 RPKI protocol with one cache server per protocol
The RPKI protocol (RFC 6810) using the RTRLib
(http://rpki.realmv6.org/) that is integrated inside
BIRD's code.

Implemented transports are:
 - unprotected transport over TCP
 - secure transport over SSHv2

Example configuration of bird.conf:
  ...
  roa4 table r4;
  roa6 table r6;

  protocol rpki {
    debug all;

    # Import both IPv4 and IPv6 ROAs
    roa4 { table r4; };
    roa6 { table r6; };

    # Set cache server (validator) address,
    # overwrite default port 323
    remote "rpki-validator.realmv6.org" port 8282;

    # Overwrite default time intervals
    retry   10;         # Default 600 seconds
    refresh 60;         # Default 3600 seconds
    expire 600;         # Default 7200 seconds
  }

  protocol rpki {
    debug all;

    # Import only IPv4 routes
    roa4 { table r4; };

    # Set cache server address to localhost,
    # use default ports tcp => 323 or ssh => 22
    remote 127.0.0.1;

    # Use SSH transport instead of unprotected transport over TCP
    ssh encryption {
      bird private key "/home/birdgeek/.ssh/id_rsa";
      remote public key "/home/birdgeek/.ssh/known_hosts";
      user "birdgeek";
    };
  }
  ...
2016-12-07 09:35:24 +01:00