ARIN no longer requires the explicit RPA agreement.
docs/_site
docs/.jekyll-metadata
-# Files we're sorta contractually obligated to exclude.
-# Can't include ARIN's TAL because of their Relying Party Agreement
-# (https://www.arin.net/resources/manage/rpki/tal/)
-examples/tal/arin.tal
-examples/tal/arin-rfc7730.tal
-
# Unwanted manure shat by imbecile OSs
.DS_Store*
ehthumbs.db
4. [Option 3: Compiling and installing the git repository](#option-3-compiling-and-installing-the-git-repository)
5. [Option 4: Running from a Docker container](#option-4-running-from-a-docker-container)
6. [Fetching the TALs](#fetching-the-tals)
- 1. [`--init-tals` argument](#--init-tals-argument)
- 2. [Setup script](#setup-script)
## Dependencies
Layman will be utilized, so it must be installed in order to add the GURU repository:
-{% highlight bash %}
+```bash
root# emerge --ask app-portage/layman
root# layman -a guru
-{% endhighlight %}
+```
Now, allow to install the unstable FORT validator package (use according to your architecture). The following lines can be used for **amd64** arch:
-{% highlight bash %}
+```bash
root# nano /etc/portage/package.accept_keywords
## Add the following line and save
net-misc/FORT-validator ~amd64
-{% endhighlight %}
+```
-FORT validator can now be installed. Don't forget to add ARIN's TAL and restart the validator:
+FORT validator can now be installed. Don't forget to update the TALs and restart the validator:
-{% highlight bash %}
+```bash
root# emerge --ask net-misc/FORT-validator
-root# su -s /bin/sh -c '/usr/libexec/fort/fort_setup.sh /usr/share/fort/tal/' fort
+root# su -s /bin/sh -c '/usr/bin/fort --init-tals --tal /usr/share/fort/tal/' fort"
root# rc-service fort restart
-{% endhighlight %}
+```
The configuration file utilized by the service can be found at `/etc/fort/config.json` (see more about [configuration file](usage.html#--configuration-file)).
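Review bot: the new `su` line ends with a stray `"` after `fort`, which leaves the shell waiting for a closing quote; drop it so the line reads `root# su -s /bin/sh -c '/usr/bin/fort --init-tals --tal /usr/share/fort/tal/' fort`. Since the command now runs `--init-tals` as the `fort` user, `/usr/share/fort/tal/` has to be writable by that user (the old setup script ran the same way, so confirm the package still arranges that), and the `tal` member in `/etc/fort/config.json` mentioned just below should point at the same directory.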
## Fetching the TALs
-Once FORT validator is installed and ready to run, you should have the TAL files from the 5 RIRs. You can obtain them one by one from each RIR, or also you can use the following options.
-
-### `--init-tals` argument
-
-Probably this is a more straight forward approach, since you only need to run Fort binary using the [`--init-tals`](usage.html#--init-tals) argument:
-
-{% highlight bash %}
+```bash
fort --init-tals --tal /etc/fort/tal
-{% endhighlight %}
-
-See more about this argument at [Program Arguments - `--init-tals`](usage.html#--init-tals).
-
-### Setup script
-
->  This script exists merely to ease the ARIN TAL download (and some other additional stuff), it isn't a prerequisite to compile or run FORT validator, although we strongly advise to fetch ARIN TAL (using this script or by other means) in order to get the whole RPKI validated by FORT validator.
-
-The script can be found [here](https://github.com/NICMx/FORT-validator/blob/{{ site.fort-latest-version }}/fort_setup.sh). It only expects one argument: an _existent directory path_ where the 5 RIRs TALS will be downloaded.
+```
-Basically, it does the following:
-1. Display message to agree ARIN RPA.
-2. If agreed, download ARIN TAL to the received arg (named `TALS_PATH` from now on).
-3. Download the rest of the TALs to `TALS_PATH`.
-4. Try to create directory `/var/cache/fort/repository`, on error create `/tmp/fort/repository`.
-5. Create configuration file with [`tal`](https://nicmx.github.io/FORT-validator/usage.html#--tal) and [`local-repository`](https://nicmx.github.io/FORT-validator/usage.html#--local-repository) members, with a value of `TALS_PATH` (absolute path) and the directory path created at the previous step.
-6. Display FORT validator execution examples:
- - Using the created configuration file (uses the arg [`-f`](https://nicmx.github.io/FORT-validator/usage.html#--configuration-file)).
- - Using the values of the configuration file (uses the args [`--tal`](https://nicmx.github.io/FORT-validator/usage.html#--tal) and [`--local-repository`](https://nicmx.github.io/FORT-validator/usage.html#--local-repository)).
-
-Preferably, run this script with the same user what will run FORT validator. It's recommended that the user has write permission in `/var/cache`, since the script will try to create a directory there ([see more](https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s05.html)). Here's an execution example:
-
-{% highlight bash %}
-# Get the script
-wget https://raw.githubusercontent.com/NICMx/FORT-validator/{{ site.fort-latest-version }}/fort_setup.sh
-mkdir ~/tal
-./fort_setup.sh ~/tal
-{% endhighlight %}
+More details [here](usage.html#--init-tals).
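Review bot: after removing the intro paragraph and both sub-headings, `## Fetching the TALs` is followed directly by a code fence and the only prose left is `More details [here](...)`. Suggest one lead-in sentence before the fence (for example "Once Fort is installed, download the TALs of the five RIRs with:") and a descriptive link text such as `See [`--init-tals`](usage.html#--init-tals)` instead of "here". The deleted setup-script text was also the only place in the install docs that mentioned creating the local repository directory (`/var/cache/fort/repository`) and a minimal configuration file; if a fresh install still needs those steps, that guidance should survive somewhere rather than disappear with the script.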
The reason why you provide locators instead of anchors is to allow the latter to be officially updated without the need to awkwardly redistribute them. (TALs rarely need to change.)
-Registries which own TAs are responsible for providing you with their TALs. For convenience, you can use [`--init-tals`](#--init-tals) and [`--init-as0-tals`](#--init-as0-tals) to speed up and mostly automate this process. Alternatively, you can download the TALs manually. As of 2021-05-26, they can be found by following these links:
+Registries which own TAs are responsible for providing you with their TALs. For convenience, you can use [`--init-tals`](#--init-tals) and [`--init-as0-tals`](#--init-as0-tals) to speed up and automate this process. Alternatively, by following these links, you can download them manually:
- [AFRINIC](https://afrinic.net/resource-certification/tal)
- [APNIC](https://www.apnic.net/community/security/resource-certification/tal-archive/)
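Review bot: dropping "As of 2021-05-26" removes the one hint that this URL list goes stale; the RIRs do move these pages, and the examples README carried a similar date for the same reason. Keep a date (or add a remark to check the RIR's own site if a link is dead) rather than presenting the list as permanent.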
Downloads the currently known core TALs into the [`--tal`](#--tal) directory, then exits. It's a convenience option, meant for quick TAL retrieval, in case you don't have a more formal means to do it.
-ARIN's TAL requires that you accept their _Relying Party Agreement_ before the file can be downloaded. This is done through the standard streams.
-
-{% highlight bash %}
+```bash
$ {{ page.command }} --init-tals --tal /etc/fort/tal
Jul 30 12:00:55 DBG: HTTP GET: https://rpki.afrinic.net/tal/afrinic.tal
Successfully fetched '/etc/fort/tal/afrinic.tal'!
Jul 30 12:00:57 DBG: HTTP GET: https://tal.apnic.net/apnic.tal
Successfully fetched '/etc/fort/tal/apnic.tal'!
-Attention: ARIN requires you to agree to their Relying Party Agreement (RPA) before you can download and use their TAL.
-Please download and read https://www.arin.net/resources/manage/rpki/rpa.pdf
-If you agree to the terms, type 'yes' and hit Enter: yes
Jul 30 12:01:04 DBG: HTTP GET: https://www.arin.net/resources/manage/rpki/arin.tal
Successfully fetched '/etc/fort/tal/arin.tal'!
Jul 30 12:01:06 DBG: HTTP GET: https://tal.rpki.ripe.net/ripe-ncc.tal
Successfully fetched '/etc/fort/tal/ripe-ncc.tal'!
-{% endhighlight %}
+```
This flag can be used in conjunction with `--init-as0-tals`.
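Review bot: the sample transcript goes from apnic.tal straight to arin.tal and then ripe-ncc.tal, so the LACNIC fetch that the code performs between ARIN and RIPE NCC is missing from the example output. While the RPA prompt lines are being removed anyway, add the `HTTP GET: https://www.lacnic.net/innovaportal/file/4983/1/lacnic.tal` / `Successfully fetched '/etc/fort/tal/lacnic.tal'!` pair so the output shows all five TALs and matches what the binary actually does.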
>  This argument **is DEPRECATED**. Use [`--http.retry.interval`](#--httpretryinterval) instead.
-### `init-locations`
-
-- **Type:** JSON Object array
-- **Availability:** JSON only
-
->  This argument is deprecated. I don't know why it exists; just do normal wgets or curls instead. As of Fort 1.5.1, it does nothing. The documentation below applies to 1.5.0 and below.
-
-List of URLs from where the TALs will be fetched when [`--init-tals`](#--init-tals) is utilized. Each URL can have an optional `accept-message` that will be displayed at the terminal. When this message is displayed, the word **"yes"** is expected by FORT to download the corresponding TAL file; this way an explicit acceptance is obtained to comply with the printed message.
-
-By default it has 4 URLs from each TAL that doesn't require and explicit politics acceptance by the user, and 1 URL that does have an acceptance message so that FORT can proceed with its download.
-
-This is a JSON array of objects, where each object has a mandatory `url` member, and an optional `accept-message` member. The default value is:
-
-```
-"init-locations": [
- {
- "url": "https://www.arin.net/resources/manage/rpki/arin.tal",
- "accept-message": "Please download and read ARIN Relying Party Agreement (RPA) from https://www.arin.net/resources/manage/rpki/rpa.pdf. Once you've read it and if you agree ARIN RPA, type 'yes' to proceed with ARIN's TAL download:"
- },
- {
- "url": "https://raw.githubusercontent.com/NICMx/FORT-validator/main/examples/tal/lacnic.tal"
- },
- {
- "url": "https://raw.githubusercontent.com/NICMx/FORT-validator/main/examples/tal/ripe-ncc.tal"
- },
- {
- "url": "https://raw.githubusercontent.com/NICMx/FORT-validator/main/examples/tal/afrinic.tal"
- },
- {
- "url": "https://raw.githubusercontent.com/NICMx/FORT-validator/main/examples/tal/apnic.tal"
- }
-]
-```
-
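Review bot: deleting the `init-locations` entry outright is inconsistent with how the deprecated argument just above is handled (kept, with a bold DEPRECATED notice pointing at its replacement). A user who still has `"init-locations"` in config.json now finds no explanation of it in the docs. Suggest keeping a short stub: the heading plus a note that the member is ignored since 1.5.1 and can be removed from the configuration file.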
### `--http.idle-timeout`
- **Type:** Integer
-Please ignore this folder. If you need to download the current TALs, run `fort --init-tals --tal <TAL directory>` instead.
+These TALs might be outdated. To download the latest versions, run
-Alternatively, you can just download them manually. To the best of my knowledge, as of 2021-12-03, they are officially hosted at
+```bash
+fort --init-tals --tal .
+```
+
+or download them manually:
- AFRINIC: https://afrinic.net/resource-certification/tal
- APNIC: https://www.apnic.net/community/security/resource-certification/tal-archive/
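Review bot: `fort --init-tals --tal .` as the suggested command overwrites the tracked example files in this directory and leaves the checkout dirty. If the intent is that users refresh their own TALs, point at the real TAL directory as the other docs do (`fort --init-tals --tal /etc/fort/tal`); if the intent is to refresh the examples for a commit, say so. Dropping "as of 2021-12-03" also removes the only hint that the manual-download links can go stale; keep a date.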
--- /dev/null
+rsync://rpki.arin.net/repository/arin-rpki-ta.cer
+https://rrdp.arin.net/arin-rpki-ta.cer
+
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3lZPjbHvMRV5sDDqfLc/685th5FnreHMJjg8
+pEZUbG8Y8TQxSBsDebbsDpl3Ov3Cj1WtdrJ3CIfQODCPrrJdOBSrMATeUbPC+JlNf2SRP3UB+VJFgtTj
+0RN8cEYIuhBW5t6AxQbHhdNQH+A1F/OJdw0q9da2U29Lx85nfFxvnC1EpK9CbLJS4m37+RlpNbT1cba+
+b+loXpx0Qcb1C4UpJCGDy7uNf5w6/+l7RpATAHqqsX4qCtwwDYlbHzp2xk9owF3mkCxzl0HwncO+sEHH
+eaL3OjtwdIGrRGeHi2Mpt+mvWHhtQqVG+51MHTyg+nIjWFKKGx1Q9+KDx4wJStwveQIDAQAB
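Review bot: this file is now the ARIN trust anchor that Fort ships, so the checked-in copy must be byte-identical to the one published at https://www.arin.net/resources/manage/rpki/arin.tal (the URL the code fetches from); a changed key or URI in a TAL silently changes which CA the validator trusts, with no error to show for it. Suggest recording in the commit message or the examples README the date and source this copy was taken from, so a later diff against the published TAL can be interpreted.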
https://www.lacnic.net/innovaportal/file/4983/1/lacnic.tal
.br
https://tal.rpki.ripe.net/ripe-ncc.tal
-.P
-Please note that ARIN requires that you accept a Relying Party Agreement before you can download their TAL: https://www.arin.net/resources/manage/rpki/rpa.pdf
.RE
.B \-\-init-as0-tals
.SH EXAMPLES
.B fort \-\-init-tals \-\-tal=/tmp/tal
.RS 4
-Download the 5 RIR TALs into the specified directory. ARIN TAL will be
-downloaded only if the user accepts ARIN's RPA.
+Download the 5 RIR TALs into the /tmp/tal directory.
.RE
.P
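Review bot: the EXAMPLES entry now hardcodes `/tmp/tal` as the TAL directory. /tmp is shared with every local account, so trust anchors written there are exposed to tampering (a pre-existing /tmp/tal owned by someone else, for instance); the other docs in this change use `/etc/fort/tal`, and the man page example should use the same path both for consistency and so it does not model keeping trust anchors under /tmp.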
#include "log.h"
#include "http/http.h"
-static bool
-download_arin_tal(void)
-{
- char c;
-
- printf("Attention: ARIN requires you to agree to their Relying Party Agreement (RPA) before you can download and use their TAL.\n"
- "Please download and read https://www.arin.net/resources/manage/rpki/rpa.pdf\n"
- "If you agree to the terms, type 'yes' and hit Enter: ");
-
- c = getchar();
- if (c != 'y' && c != 'Y')
- goto cancel;
-
- c = getchar();
- if (c != 'e' && c != 'E')
- goto cancel;
-
- c = getchar();
- if (c != 's' && c != 'S')
- goto cancel;
-
- if (feof(stdin) || (c = getchar()) == '\n')
- return true;
-
- /* Fall through */
-cancel:
- printf("Skipping ARIN's TAL.\n\n");
- return false;
-}
-
static int
fetch_url(char const *url)
{
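Review bot: with `download_arin_tal()` gone, `--init-tals` no longer reads from stdin at all, so it can now run unattended (cron, a systemd unit, a container entrypoint); that is a user-visible change and belongs in the changelog alongside the commit message. Also check whether any `<stdio.h>` include in this file was only there for the removed printf/getchar calls.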
error = fetch_url("https://rpki.afrinic.net/tal/afrinic.tal");
if (error)
return error;
+ /*
+ * APNIC is a bit weird. Some thoughts:
+ *
+ * 1. The 6490 and ripe-validator TALs are obsolete, and Fort has never
+ * been compatible with them.
+ * 2. apnic.tal is identical to apnic-rfc7730.tal, and neither of them
+ * contain HTTP URLs.
+ * 3. apnic-rfc7730-https.tal is not actually compliant with RFC 7730;
+ * it's an RFC 8630 TAL. However, I'm wondering if there's a reason
+ * why they haven't upgraded it to their default TAL.
+ *
+ * I'll stick to the rsync-only one until I've tested it more.
+ */
error = fetch_url("https://tal.apnic.net/apnic.tal");
if (error)
return error;
- if (download_arin_tal())
- error = fetch_url("https://www.arin.net/resources/manage/rpki/arin.tal");
- error = fetch_url("https://www.lacnic.net/innovaportal/file/4983/1/lacnic.tal");
+ error = fetch_url("https://www.arin.net/resources/manage/rpki/arin.tal");
if (error)
return error;
- error = fetch_url("https://tal.rpki.ripe.net/ripe-ncc.tal");
+ error = fetch_url("https://www.lacnic.net/innovaportal/file/4983/1/lacnic.tal");
if (error)
return error;
-
- return error;
+ /* I wish they stated why they don't recommend the 8630 TAL. */
+ return fetch_url("https://tal.rpki.ripe.net/ripe-ncc.tal");
}
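Review bot: the new sequence returns on the first failed fetch, so if one RIR's server is unreachable every TAL after it in the list is never downloaded (an ARIN failure now skips LACNIC and RIPE NCC). The old code tolerated an ARIN failure only by accident: `if (download_arin_tal()) error = fetch_url(arin);` was overwritten by `error = fetch_url(lacnic);` with no check in between, which this change correctly removes. Decide the intended behaviour explicitly: either keep attempting every TAL and return the first error at the end (the user gets a partial set plus a clear message), or document that `--init-tals` is all-or-nothing. Separately, the APNIC comment reads as a personal note ("I'm wondering", "I'll stick to"); reword it as a factual statement of why the rsync-only TAL is used, and likewise the `I wish they stated why...` line before the RIPE NCC fetch.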
int
error = fetch_url("https://tal.apnic.net/apnic-as0.tal");
if (error)
return error;
-
return fetch_url("https://www.lacnic.net/innovaportal/file/4983/1/lacnic-as0.tal");
}