rpki-client: detect & reject "AS0 TALs"
On 2024/11/29 15:21, Job Snijders wrote:
> Following the above advice, the below diff makes it so that, by default,
> rpki-client will omit AS0 TAL information from its validated ROA payload
> outputs. Operators who believe they truly need AS0 TAL output will have
> to use the '-x' (experimental) option.
>
> OK?
Broadly OK, but I think this behaviour on -x should be mentioned in the
manual.
> Kind regards,
>
> Job
>
> Index: output.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/output.c,v
> diff -u -p -r1.33 output.c
> --- output.c 22 Feb 2024 12:49:42 -0000 1.33
> +++ output.c 29 Nov 2024 14:57:07 -0000
> @@ -82,6 +82,46 @@ static int output_finish(FILE *);
> static void sig_handler(int);
> static void set_signal_handler(void);
>
> +/*
> + * Detect & reject so-called "AS0 TALs".
> + * AS0 TALs are TALs where for each and every subordinate ROA the asID field
> + * set to 0. Such TALs introduce operational risk, as they change the fail-safe
> + * from 'fail-open' to 'fail-closed'. Some context:
> + * https://lists.afrinic.net/pipermail/rpd/2021/013312.html
> + * https://lists.afrinic.net/pipermail/rpd/2021/013314.html
> + */
> +static void
> +prune_as0_tals(struct vrp_tree *vrps)
> +{
> + struct vrp *v, *tv;
> + int talid;
> + int is_as0_tal[TALSZ_MAX] = { 0 };
> +
> + for (talid = 0; talid < talsz; talid++)
> + is_as0_tal[talid] = 1;
> +
> + RB_FOREACH(v, vrp_tree, vrps) {
> + if (v->asid != 0)
> + is_as0_tal[v->talid] = 0;
> + }
> +
> + for (talid = 0; talid < talsz; talid++) {
> + if (is_as0_tal[talid]) {
> + warnx("%s: Detected AS0 TAL, pruning associated VRPs",
> + taldescs[talid]);
> + }
> + }
> +
> + RB_FOREACH_SAFE(v, vrp_tree, vrps, tv) {
> + if (is_as0_tal[v->talid]) {
> + RB_REMOVE(vrp_tree, vrps, v);
> + free(v);
> + }
> + }
> +
> + /* XXX: update talstats? */
> +}
> +
> int
> outputfiles(struct vrp_tree *v, struct brk_tree *b, struct vap_tree *a,
> struct vsp_tree *p, struct stats *st)
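Review bot: the detection in prune_as0_tals() misfires for a TAL that contributed no VRPs at all: is_as0_tal[talid] starts at 1 and is only cleared when a VRP with a non-zero asid is seen, so a TAL whose repository failed to fetch (or that simply publishes no ROAs this run) is reported as "Detected AS0 TAL" even though nothing is pruned. Track whether each TAL was seen at all (e.g. a second per-TAL counter bumped in the first RB_FOREACH) and only warn when the TAL had VRPs and every one of them was asid 0. The "/* XXX: update talstats? */" left at the end of the function is a real gap rather than a nit: the struct stats passed into outputfiles() is computed before this pruning runs, so the VRP counts written to the output files and reported to the operator will include the entries this function has just freed; passing st into prune_as0_tals() and decrementing the relevant counters for each removed entry keeps the totals honest. Minor: the comment "for each and every subordinate ROA the asID field set to 0" is missing "is".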
> @@ -90,6 +130,12 @@ outputfiles(struct vrp_tree *v, struct b
>
> atexit(output_cleantmp);
> set_signal_handler();
> +
> + /*
> + * By default prune AS0 TALs
> + */
> + if (!experimental)
> + prune_as0_tals(v);
>
> for (i = 0; outputs[i].name; i++) {
> FILE *fout;
>
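Review bot: gating the pruning on the global experimental flag with only a three-line comment leaves the behaviour undocumented; the -x description in rpki-client.8 should state that AS0 TALs are pruned from the VRP output unless -x is given, since an operator who deploys an AS0 TAL will otherwise see its ROAs silently vanish from the output with only the warnx() line in the log to explain it. Consider also running the detection (the warnx) regardless of -x and gating only the RB_REMOVE/free pass on it, so that experimental-mode users still get told which TALs were classified as AS0.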