| [7730](https://tools.ietf.org/html/rfc7730) (TALs) | 100% |
| [7935](https://tools.ietf.org/html/rfc7935) (RPKI algorithms) | 100% |
| [8182](https://tools.ietf.org/html/rfc8182) (RRDP) | 0% |
-| [8209](https://tools.ietf.org/html/rfc8209) (BGPSec Certificates) | 0% |
+| [8209](https://tools.ietf.org/html/rfc8209) (BGPSec Certificates) | 100% |
| [8360](https://tools.ietf.org/html/rfc8360) (Validation Reconsidered) | 100% |
### RFC 6350 (vCard)
"validationOutputFilters": {
"prefixFilters": [ <Removed ROAs> ],
- "bgpsecFilters": []
+ "bgpsecFilters": [ <Removed Router Keys> ]
},
"locallyAddedAssertions": {
"prefixAssertions": [ <Added ROAs> ],
- "bgpsecAssertions": []
+ "bgpsecAssertions": [ <Added Router Keys> ]
}
}
```
-The root object contains a `slurmVersion` field (which, for now, must be set to 1), a listing of filters called `validationOutputFilters`, and a listing of additions called `locallyAddedAssertions`. Fort does not yet support BGPsec, so `bgpsecFilters` and `bgpsecAssertions` must be empty.
+The root object contains a `slurmVersion` field (which, for now, must be set to 1), a listing of filters called `validationOutputFilters`, and a listing of additions called `locallyAddedAssertions`.
### `prefixFilters`
`comment` is always optional.
+### `bgpsecFilters`
+
+`<Removed Router Keys>` expands to a sequence of (zero or more) JSON objects, each of which follows this pattern:
+
+```
+{
+ "asn": <AS number>,
+ "SKI": <Base64 of some SKI>,
+ "comment": <Explanatory comment; ignored by Fort for now>
+}
+```
+
+Any Router Keys that match `asn` and `SKI` will be invalidated. A Router Key matches `asn` by having the same AS number and `SKI` by having the same decoded Subject Key Identifier.
+
+One of `asn` and `SKI` can be absent. On absence, any AS number matches `asn`, and any Subject Key Identifier matches `SKI`.
+
+`comment` is always optional.
+
### `prefixAssertions`
`<Added ROAs>` expands to a sequence of (zero or more) JSON objects, each of which follows this pattern:
`prefix` and `asn` are mandatory, `maxPrefixLength` and `comment` are not. `maxPrefixLength` defaults to `prefix`'s length.
+### `bgpsecAssertions`
+
+`<Added Router Keys>` expands to a sequence of (zero or more) JSON objects, each of which follows this pattern:
+
+```
+{
+ "asn": <AS number>,
+ "SKI": <Base64 of some SKI>,
+ "routerPublicKey": <Base64 of some public key>,
+ "comment": <Explanatory comment; ignored by Fort for now>
+}
+```
+
+Will force Fort into believing that the [`asn`, `SKI`, `routerPublicKey`] Router Key validated successfully.
+
+Only `comment` isn't mandatory, the rest [`asn`, `SKI`, `routerPublicKey`] are mandatory.
+
## SLURM File Example
```
"comment": "All VRPs encompassed by prefix, matching ASN"
}
],
- "bgpsecFilters": []
+ "bgpsecFilters": [
+ {
+ "asn": 64496,
+ "comment": "All keys for ASN"
+ }, {
+ "SKI": "Q8KMeBsCto1PJ6EuhowleIGNL7A",
+ "comment": "Key matching Router SKI"
+ }, {
+ "asn": 64497,
+ "SKI": "g5RQYCnkMpDqEbt9WazTeB19nZs",
+ "comment": "Key for ASN 64497 matching Router SKI"
+ }
+ ]
},
"locallyAddedAssertions": {
"comment": "My important de-aggregated routes"
}
],
- "bgpsecAssertions": []
- }
+ "bgpsecAssertions": [
+ {
+ "asn": 64496,
+ "SKI", "Dulqji-sUM5sX5M-3mqngKaFDjE",
+ "routerPublicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE-rkSLXlPpL_m-L7CfCfKrv1FHrM55FsIc8fMlnjHE6Y5nTuCn3UgWfCV6sYuGUZzPZ0Ey6AvezmfcELUB87eBA",
+ "comment": "My known key for my important ASN"
+ }
+ ]
}
+}
```
10. [`--server.address`](#--serveraddress)
11. [`--server.port`](#--serverport)
12. [`--server.backlog`](#--serverbacklog)
- 13. [`--server.validation-interval`](#--servervalidation-interval)
- 14. [`--slurm`](#--slurm)
- 15. [`--log.color-output`](#--logcolor-output)
- 16. [`--log.file-name-format`](#--logfile-name-format)
- 17. [`--output.roa`](#--outputroa)
- 18. [`--configuration-file`](#--configuration-file)
- 19. [`rsync.program`](#rsyncprogram)
- 20. [`rsync.arguments-recursive`](#rsyncarguments-recursive)
- 21. [`rsync.arguments-flat`](#rsyncarguments-flat)
- 22. [`incidences`](#incidences)
+ 13. [`--server.interval.validation`](#--serverintervalvalidation)
+ 14. [`--server.interval.refresh`](#--serverintervalrefresh)
+ 15. [`--server.interval.retry`](#--serverintervalretry)
+ 16. [`--server.interval.expire`](#--serverintervalexpire)
+ 17. [`--slurm`](#--slurm)
+ 18. [`--log.color-output`](#--logcolor-output)
+ 19. [`--log.file-name-format`](#--logfile-name-format)
+ 20. [`--output.roa`](#--outputroa)
+ 21. [`--output.bgpsec`](#--outputbgpsec)
+ 22. [`--configuration-file`](#--configuration-file)
+ 23. [`rsync.program`](#rsyncprogram)
+ 24. [`rsync.arguments-recursive`](#rsyncarguments-recursive)
+ 25. [`rsync.arguments-flat`](#rsyncarguments-flat)
+ 26. [`incidences`](#incidences)
## Syntax
[--server.address=<string>]
[--server.port=<string>]
[--server.backlog=<unsigned integer>]
- [--server.validation-interval=<unsigned integer>]
+ [--server.interval.validation=<unsigned integer>]
+ [--server.interval.refresh=<unsigned integer>]
+ [--server.interval.retry=<unsigned integer>]
+ [--server.interval.expire=<unsigned integer>]
[--slurm=<file>|<directory>]
[--log.color-output]
[--log.file-name-format=global-url|local-path|file-name]
[--output.roa=<file>]
+ [--output.bgpsec=<file>]
```
If an argument is declared more than once, the last one takes precedence:
[--log.file-name-format=global-url|local-path|file-name]
(File name variant to print during debug/error messages)
[--output.roa=<file>]
- (File where the valid ROAs will be dumped.)
+ (File where ROAs will be stored in CSV format, use '-' to print at console.)
+ [--output.bgpsec=<file>]
+ (File where BGPsec Router Keys will be stored in CSV format, use '-' to print at console.)
{% endhighlight %}
The slightly larger usage message is `man {{ page.command }}` and the large usage message is this documentation.
...
[--log.file-name-format=global-url|local-path|file-name]
[--output.roa=<file>]
+ [--output.bgpsec=<file>]
{% endhighlight %}
### `--version`
- **Default:** `server`
Run mode, commands the way Fort executes the validation. The two possible values and its behavior are:
-- `server`: Enables the RTR server using the `server.*` arguments ([`server.address`](#--serveraddress), [`server.port`](#--serverport), [`server.backlog`](#--serverbacklog), [`server.validation-interval`](#--servervalidation-interval)).
+- `server`: Enables the RTR server using the `server.*` arguments ([`server.address`](#--serveraddress), [`server.port`](#--serverport), [`server.backlog`](#--serverbacklog), [`server.interval.validation`](#--serverintervalvalidation), [`server.interval.refresh`](#--serverintervalrefresh), [`server.interval.retry`](#--serverintervalretry), [`server.interval.expire`](#--serverintervalexpire)).
- `standalone`: Disables the RTR server, the `server.*` arguments are ignored, and Fort performs an in-place standalone RPKI validation.
### `--server.address`
See the corresponding manual page from your operating system (likely `man 2 listen`) for specific implementation details.
-### `--server.validation-interval`
+### `--server.interval.validation`
- **Type:** Integer
- **Availability:** `argv` and JSON
"Validation cycle" includes the rsync update along with the validation operation. Because you are taxing the global repositories every time the validator performs an rsync, it is recommended not to reduce the validation interval to the point you might be contributing to DoS'ing the global repository. The minimum value (60) was taken from the [RRDP RFC](https://tools.ietf.org/html/rfc8182#section-3.1), which means it's not necessarily a good value for heavy rsyncs.
+### `--server.interval.refresh`
+
+- **Type:** Integer
+- **Availability:** `argv` and JSON
+- **Default:** 3600
+- **Range:** 1--86400
+
+Number of seconds that a router should wait before the next attempt to poll FORT using either a Serial Query PDU or Reset Query PDU.
+
+Countdown for this timer starts upon receipt of an End Of Data PDU (this should be administered by the client).
+
+This value is utilized only on RTR version 1 sessions (more information at [RFC 8210 section 6](https://tools.ietf.org/html/rfc8210#section-6)).
+
+### `--server.interval.retry`
+
+- **Type:** Integer
+- **Availability:** `argv` and JSON
+- **Default:** 600
+- **Range:** 1--7200
+
+Number of seconds that a router should wait before retrying a failed Serial Query PDU or Reset Query PDU.
+
+Countdown for this timer starts upon failure of the query and restarts after each subsequent failure until a query succeeds (this should be administered by the client).
+
+This value is utilized only on RTR version 1 sessions (more information at [RFC 8210 section 6](https://tools.ietf.org/html/rfc8210#section-6)).
+
+### `--server.interval.expire`
+
+- **Type:** Integer
+- **Availability:** `argv` and JSON
+- **Default:** 7200
+- **Range:** 600--172800
+
+Number of seconds that a router can retain the current version of data while unable to perform a successful subsequent query.
+
+Countdown for this timer starts upon receipt of an End Of Data PDU (this should be administered by the client).
+
+This value is utilized only on RTR version 1 sessions (more information at [RFC 8210 section 6](https://tools.ietf.org/html/rfc8210#section-6)).
+
### `--slurm`
- **Type:** String (path to file or directory)
File where the ROAs will be stored in CSV format.
-When the file is specified, its content will be removed to store the ROAs; if the file doesn't exists, it will be created. To print at console, use a hyphen `"-"`. If RTR server is enabled, then the ROAs will be printed every [`--server.validation-interval`](#--servervalidation-interval) secs.
+When the file is specified, its content will be removed to store the ROAs; if the file doesn't exists, it will be created. To print at console, use a hyphen `"-"`. If RTR server is enabled, then the ROAs will be printed every [`--server.interval.validation`](#--serverintervalvalidation) secs.
+
+Each line of the result is printed in the following order: _AS, Prefix, Max prefix length_; the first line contains those column descriptors.
If a value isn't specified, then the ROAs aren't printed.
+### `--output.bgpsec`
+
+- **Type:** String (Path to file)
+- **Availability:** `argv` and JSON
+
+File where the BGPsec Router Keys will be stored in CSV format.
+
+Since most of the data is binary (Subject Key Identifier and Subject Public Key Info), such data is base64url encoded without trailing pads.
+
+When the file is specified, its content will be removed to store the Router Keys; if the file doesn't exists, it will be created. To print at console, use a hyphen `"-"`. If RTR server is enabled, then the BGPsec Router Keys will be printed every [`--server.interval.validation`](#--serverintervalvalidation) secs.
+
+Each line of the result is printed in the following order: _AS, Subject Key Identifier, Subject Public Key Info_; the first line contains those column descriptors.
+
+If a value isn't specified, then the BGPsec Router Keys aren't printed.
+
### `--configuration-file`
- **Type:** String (Path to file)
"<a href="#--serveraddress">address</a>": "192.0.2.1",
"<a href="#--serverport">port</a>": "8323",
"<a href="#--serverbacklog">backlog</a>": 16,
- "<a href="#--servervalidation-interval">validation-interval</a>": 120
+ "interval": {
+ "<a href="#--serverintervalvalidation">validation</a>": 3600,
+ "<a href="#--serverintervalrefresh">refresh</a>": 3600,
+ "<a href="#--serverintervalretry">retry</a>": 600,
+ "<a href="#--serverintervalexpire">expire</a>": 7200
+ }
},
"log": {
],
"output": {
- "<a href="#--outputroa">roa</a>": "/tmp/fort_roas.csv"
+ "<a href="#--outputroa">roa</a>": "/tmp/fort_roas.csv",
+ "<a href="#--outputbgpsec">bgpsec</a>": "/tmp/fort_bgpsec.csv"
}
}
</code></pre>
.SH DESCRIPTION
-FORT is an RPKI validator and a RTR server (currently only RTR version 0
-is supported).
+FORT is an RPKI validator and a RTR server (RTR versions 0 and 1 are
+supported).
In the RPKI context, FORT is also known as an RP (Relying Party).
A simple resume of the actions performed by an RP can be read at RFC 6480
section 6
.P
The RTR (RPKI to Router Protocol) is basically "a protocol to deliver validated
prefix origin data to routers", see RFC 6810
-.RI "(" https://tools.ietf.org/html/rfc6810 ")."
+.RI "(" https://tools.ietf.org/html/rfc6810 ")"
+and RFC 8210
+.RI "(" https://tools.ietf.org/html/rfc8210 ")."
.P
So, FORT performs RPKI validations starting from a single or set of TALs (Trust
Anchor Locators), either in a recurrent or single (standalone) way.
-Additionally, it can talk to routers using the RTR protocol (currently version
-0) to provide them the VRPs (Validated ROA Payloads) resultant of the
+Additionally, it can talk to routers using the RTR protocol (version will
+depend on the client, both 0 and 1 are supported) to provide them the VRPs
+(Validated ROA Payloads) and the BGPsec Router Keys resultant of the
validation.
.SH OPTIONS
.RE
.P
-.B \-\-server.validation-interval=\fIUNSIGNED_INTEGER\fR
+.B \-\-server.interval.validation=\fIUNSIGNED_INTEGER\fR
.RS 4
Number of seconds that FORT will sleep between validation cycles. The timer
starts counting every time a validation is finished, not every time it begins.
.RE
.P
+.B \-\-server.interval.refresh=\fIUNSIGNED_INTEGER\fR
+.RS 4
+Number of seconds that a router should wait before the next attempt to poll
+FORT using either a Serial Query PDU or Reset Query PDU. Countdown for this
+timer starts upon receipt of an End Of Data PDU (this should be administered by
+the client).
+.P
+This value is utilized only on RTR version 1 sessions (more information at RFC
+8210 section 6).
+.P
+By default, it has a value of \fI3600\fR. Minimum allowed value: \fI1\fR,
+maximum allowed value \fI86400\fR.
+.RE
+.P
+
+.B \-\-server.interval.retry=\fIUNSIGNED_INTEGER\fR
+.RS 4
+Number of seconds that a router should wait before retrying a failed Serial
+Query PDU or Reset Query PDU. Countdown for this timer starts upon failure of
+the query and restarts after each subsequent failure until a query succeeds
+(this should be administered by the client).
+.P
+This value is utilized only on RTR version 1 sessions (more information at RFC
+8210 section 6).
+.P
+By default, it has a value of \fI600\fR. Minimum allowed value: \fI1\fR,
+maximum allowed value \fI7200\fR.
+.RE
+.P
+
+.B \-\-server.interval.expire=\fIUNSIGNED_INTEGER\fR
+.RS 4
+Number of seconds that a router can retain the current version of data while
+unable to perform a successful subsequent query. Countdown for this timer starts
+upon receipt of an End Of Data PDU (this should be administered by the client).
+.P
+This value is utilized only on RTR version 1 sessions (more information at RFC
+8210 section 6).
+.P
+By default, it has a value of \fI7200\fR. Minimum allowed value: \fI600\fR,
+maximum allowed value \fI172800\fR. It must be larger than
+\fIserver.interval.refresh\fR and \fIserver.interval.retry\fR.
+.RE
+.P
+
.BR \-c ", " \-\-log.color-output
.RS 4
If enabled, the logging output will contain ANSI color codes. Meant for human
When the \fIFILE\fR is specified, its content will be overwritten by the
resulting ROAs of the validation (if FILE doesn't exists, it'll be created).
.P
+Each line of the result is printed in the following order: AS, Prefix, Max
+prefix length; the first line contains those column descriptors.
+.P
In order to print the ROAs at console, use a hyphen as the \fIFILE\fR value, eg.
.B \-\-output.roa=-
.RE
+.B \-\-output.bgpsec=\fIFILE\fR
+.RS 4
+File where the BGPsec Router Keys will be printed in CSV format. Since most of
+the data is binary (Subject Key Identifier and Subject Public Key Info), such
+data is base64url encoded without trailing pads.
+.P
+When the \fIFILE\fR is specified, its content will be overwritten by the
+resulting Router Keys of the validation (if FILE doesn't exists, it'll be
+created).
+.P
+Each line of the result is printed in the following order: AS, Subject Key
+Identifier, Subject Public Key Info; the first line contains those column
+descriptors.
+.P
+In order to print the Router Keys at console, use a hyphen as the \fIFILE\fR
+value, eg.
+.B \-\-output.bgpsec=-
+.RE
+
.SH EXAMPLES
.B fort \-t /tmp/tal \-r /tmp/repository \-\-server.port 9323
.RS 4
.nf
\fBfort \-t /tmp/tal \-r /tmp/repository \\
\-\-server.address ::1 \-\-server.port 9323 \\
- \-\-server.validation-interval 1800 \\
+ \-\-server.interval.validation 1800 \\
\-\-output.roa /tmp/roas.csv\fR
.fi
.RS 4
"address": "192.0.2.1",
"port": "8323",
"backlog": 64,
- "validation-interval": 3600
+ "interval": {
+ "validation": 3600,
+ "refresh": 3600,
+ "retry": 600,
+ "expire": 7200
+ }
},
"log": {
"color-output": true,
}
],
"output": {
- "roa": "/tmp/roas.csv"
+ "roa": "/tmp/fort_roas.csv",
+ "bgpsec": "/tmp/fort_bgpsec.csv"
}
}
.fi
.B Dummy SLURM file
.RS 4
-This is an example of a SLURM file with some prefix filters and
-assertions:
+This is an example of a SLURM file with some prefix filters and assertions, as
+well as some dummy Router Keys (BGPsec) info:
.nf
{
"comment": "All VRPs encompassed by prefix, matching ASN"
}
],
- "bgpsecFilters": []
+ "bgpsecFilters": [
+ {
+ "asn": 64496,
+ "comment": "All keys for ASN"
+ },
+ {
+ "SKI": "Q8KMeBsCto1PJ6EuhowleIGNL7A",
+ "comment": "Key matching Router SKI"
+ },
+ {
+ "asn": 64497,
+ "SKI": "g5RQYCnkMpDqEbt9WazTeB19nZs",
+ "comment": "Key for ASN 64497 matching Router SKI"
+ }
+ ]
},
"locallyAddedAssertions": {
"prefixAssertions": [
"comment": "My other important de-aggregated routes"
}
],
- "bgpsecAssertions": []
- }
+ "bgpsecAssertions": [
+ {
+ "asn": 64496,
+ "SKI": "Dulqji-sUM5sX5M-3mqngKaFDjE",
+ "routerPublicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE-rkSLXlPpL_m-L\
+7CfCfKrv1FHrM55FsIc8fMlnjHE6Y5nTuCn3UgWfCV6sYuGUZzPZ0Ey6AvezmfcELUB87eBA"
+ }
+ ]
+ }
}
.fi
.RE
.type = >_uint,
.offset = offsetof(struct rpki_config,
server.interval.refresh),
- .doc = "Interval between normal cache polls", // TODO
+ .doc = "Interval between normal cache polls",
/*
- * RFC 6810 and 8210:
- * "The cache MUST rate-limit Serial Notifies to no more
- * frequently than one per minute."
- * We do this by not getting new information more than once per
- * minute.
+ * RFC 8210: "Interval between normal cache polls".
+ * Min, max, and default values taken from RFC 8210 section 6.
+ *
+ * RFC mentions "router SHOULD NOT poll the cache sooner than
+ * indicated by this parameter", but what if this is ignored by
+ * the router? There's no proper error message to notice the
+ * client about its error without dropping the connection (I
+ * don't think that 'No Data Available' is the right option).
+ *
+ * So, let the operator configure this option hoping that
+ * clients honor the interval.
*/
.min = 1,
.max = 86400,
.type = >_uint,
.offset = offsetof(struct rpki_config,
server.interval.retry),
- .doc = "Interval between cache poll retries after a failed cache poll", // TODO
+ .doc = "Interval between cache poll retries after a failed cache poll",
/*
- * RFC 6810 and 8210:
- * "The cache MUST rate-limit Serial Notifies to no more
- * frequently than one per minute."
- * We do this by not getting new information more than once per
- * minute.
+ * RFC 8210: "Interval between cache poll retries after a
+ * failed cache poll"
+ * Min, max, and default values taken from RFC 8210 section 6.
*/
.min = 1,
.max = 7200,
.type = >_uint,
.offset = offsetof(struct rpki_config,
server.interval.expire),
- .doc = "Interval during which data fetched from a cache remains valid in the absence of a successful subsequent cache poll", // TODO
+ .doc = "Interval during which data fetched from a cache remains valid in the absence of a successful subsequent cache poll",
/*
- * RFC 6810 and 8210:
- * "The cache MUST rate-limit Serial Notifies to no more
- * frequently than one per minute."
- * We do this by not getting new information more than once per
- * minute.
+ * RFC 8210: "Interval during which data fetched from a cache
+ * remains valid in the absence of a successful subsequent
+ * cache poll"
+ * Min, max, and default values taken from RFC 8210 section 6.
*/
.min = 600,
.max = 172800,
.name = "output.bgpsec",
.type = >_string,
.offset = offsetof(struct rpki_config, output.bgpsec),
- .doc = "File where BGPsec certificates will be stored in CSV format, use '-' to print at console",
+ .doc = "File where BGPsec Router Keys will be stored in CSV format, use '-' to print at console",
.arg_doc = "<file>",
},
projects / thirdparty / FORT-validator.git / commitdiff
