info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
RPKI validation with FORT Validator
4 views
Skip to first unread message
Marco d'Itri
Oct 25, 2020, 11:46:04 PM10/25/20
to
This article documents how to install FORT Validator[0] (an RPKI
relying party software which also implements the RPKI to Router
protocol in a single daemon) on Debian 10 to provide RPKI validation to
routers. If you are using testing or unstable then you can just skip
the part about apt pinnings.
The packages in bullseye (Debian testing) can be installed as is on
Debian stable with no need to rebuild them, by configuring an
appropriate pinning for apt[1]:
cat <<END > /etc/apt/sources.list.d/bullseye.list
deb http://deb.debian.org/debian/ bullseye main
END
cat <<END > /etc/apt/preferences.d/pin-rpki
# by default do not install anything from bullseye
Package: *
Pin: release bullseye
Pin-Priority: 100
Package: fort-validator rpki-trust-anchors
Pin: release bullseye
Pin-Priority: 990
END
apt update
Before starting, make sure that curl (or wget) and the web PKI
certificates are installed:
apt install curl ca-certificates
If you already know about the legal issues related to the ARIN TAL[2]
then you may instruct the package to automatically install it. If you
skip this step then you will be asked at installation time about it,
either way is fine.
echo 'rpki-trust-anchors rpki-trust-anchors/get_arin_tal boolean true'
\
| debconf-set-selections
Install the package as usual:
apt install fort-validator
You may also install rpki-client and gortr on Debian 10[3], or maybe
cfrpki and gortr. I have also tried packaging Routinator 3000 for
Debian[4], but this effort is currently on hold because the Rust
ecosystem is broken and hostile to the good packaging practices of
Linux distributions.
[0] https://nicmx.github.io/FORT-validator/
[1] https://manpages.debian.org/buster/apt/apt_preferences.5
[2] https://www.youtube.com/watch?v=oBwAQep7Q7o
[3] https://blog.bofh.it/debian/id_459
[4] https://salsa.debian.org/md/routinator/
Permalink: https://blog.bofh.it/debian/id_460
relying party software which also implements the RPKI to Router
protocol in a single daemon) on Debian 10 to provide RPKI validation to
routers. If you are using testing or unstable then you can just skip
the part about apt pinnings.
The packages in bullseye (Debian testing) can be installed as is on
Debian stable with no need to rebuild them, by configuring an
appropriate pinning for apt[1]:
cat <<END > /etc/apt/sources.list.d/bullseye.list
deb http://deb.debian.org/debian/ bullseye main
END
cat <<END > /etc/apt/preferences.d/pin-rpki
# by default do not install anything from bullseye
Package: *
Pin: release bullseye
Pin-Priority: 100
Package: fort-validator rpki-trust-anchors
Pin: release bullseye
Pin-Priority: 990
END
apt update
Before starting, make sure that curl (or wget) and the web PKI
certificates are installed:
apt install curl ca-certificates
If you already know about the legal issues related to the ARIN TAL[2]
then you may instruct the package to automatically install it. If you
skip this step then you will be asked at installation time about it,
either way is fine.
echo 'rpki-trust-anchors rpki-trust-anchors/get_arin_tal boolean true'
\
| debconf-set-selections
Install the package as usual:
apt install fort-validator
You may also install rpki-client and gortr on Debian 10[3], or maybe
cfrpki and gortr. I have also tried packaging Routinator 3000 for
Debian[4], but this effort is currently on hold because the Rust
ecosystem is broken and hostile to the good packaging practices of
Linux distributions.
[0] https://nicmx.github.io/FORT-validator/
[1] https://manpages.debian.org/buster/apt/apt_preferences.5
[2] https://www.youtube.com/watch?v=oBwAQep7Q7o
[3] https://blog.bofh.it/debian/id_459
[4] https://salsa.debian.org/md/routinator/
Permalink: https://blog.bofh.it/debian/id_460
0 new messages