
RPKI validation with OpenBSD's rpki-client and Cloudflare's gortr


Marco d'Itri
Oct 25, 2020, 11:46:04 PM
This article documents how to install rpki-client[0] (an RPKI relying
party software, the actual validator) and gortr[1] (which implements
the RPKI to Router protocol) on Debian 10 to provide RPKI validation to
routers. If you are using testing or unstable then you can skip the
part about apt pinning.

The packages in bullseye (Debian testing) can be installed as is on
Debian stable with no need to rebuild them, by configuring an
appropriate pinning for apt[2]:

cat <<END > /etc/apt/sources.list.d/bullseye.list
deb http://deb.debian.org/debian/ bullseye main
END

cat <<END > /etc/apt/preferences.d/pin-rpki
# by default do not install anything from bullseye
Package: *
Pin: release bullseye
Pin-Priority: 100

Package: gortr rpki-client rpki-trust-anchors
Pin: release bullseye
Pin-Priority: 990
END

apt update


Before starting, make sure that curl (or wget) and the web PKI
certificates are installed:

apt install curl ca-certificates


If you already know about the legal issues related to the ARIN TAL[3]
then you may instruct the package to install it automatically. If you
skip this step you will be asked about it at installation time; either
way is fine.

echo 'rpki-trust-anchors rpki-trust-anchors/get_arin_tal boolean true' \
| debconf-set-selections


Install the packages as usual:

apt install rpki-client gortr


And then configure rpki-client to generate its output in the JSON
format needed by gortr:

echo 'OPTIONS=-j' > /etc/default/rpki-client


You may manually start the service unit to immediately generate the
data instead of waiting for the next timer run:

systemctl start rpki-client &


gortr too needs to be configured to use the JSON data generated by
rpki-client:

echo 'GORTR_ARGS=-bind :323 -verify=false -checktime=false -cache /var/lib/rpki-client/json' > /etc/default/gortr


And then it needs to be restarted to use the new configuration:

systemctl restart gortr
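
The JSON cache that rpki-client writes with OPTIONS=-j and that gortr serves from /var/lib/rpki-client/json is exactly what your routers will act on, so it is worth sanity-checking a run before gortr hands it out. The script below is an added example, not code from this article or from either project: a POSIX shell check that assumes rpki-client's -j layout (a "metadata" block containing "buildtime", then one ROA object per line with "asn", "prefix", "maxLength" and "ta" keys) and rejects a cache whose entries have a maxLength shorter than the prefix length or longer than the address family allows, or an ASN that does not parse. The sample cache is constructed from documentation prefixes and ASNs; point check_vrp_cache at the real file on a validator host.

```shell
#!/bin/sh
# Added example (not from the article, rpki-client or gortr): validate the
# VRP cache that rpki-client -j writes before gortr serves it to routers.
# Assumption: one ROA object per line, keys asn/prefix/maxLength/ta, and a
# metadata block with a "buildtime" key marking a completed run.

# Print "valid=N invalid=M" for the cache FILE; return 1 if any entry is
# malformed or the file has no metadata (an unfinished or truncated run).
check_vrp_cache() {
    file=$1
    grep -q '"buildtime"' "$file" || {
        echo "no metadata in $file: incomplete cache" >&2
        return 1
    }
    awk '
        # Return the (quoted or bare) value of JSON key k on the current line.
        function field(k,   s) {
            s = $0
            if (!match(s, "\"" k "\": *")) return ""
            s = substr(s, RSTART + RLENGTH)
            if (substr(s, 1, 1) == "\"") { s = substr(s, 2); sub(/".*/, "", s) }
            else sub(/[,} ].*/, "", s)
            return s
        }
        /"prefix"/ {
            asn = field("asn"); pfx = field("prefix"); maxlen = field("maxLength")
            sub(/^AS/, "", asn)                 # rpki-client writes "AS64496"
            n = split(pfx, p, "/")
            bits = (pfx ~ /:/) ? 128 : 32       # address family decides the bound
            if (n != 2 || asn !~ /^[0-9]+$/ || maxlen !~ /^[0-9]+$/ ||
                p[2] + 0 > bits || maxlen + 0 < p[2] + 0 || maxlen + 0 > bits) {
                bad++
                printf "invalid VRP: %s\n", $0 > "/dev/stderr"
            } else {
                good++
            }
        }
        END { printf "valid=%d invalid=%d\n", good, bad; exit (bad > 0) }
    ' "$file"
}

# Constructed sample cache (documentation prefixes and ASNs only). The third
# entry is deliberately broken: maxLength 22 is shorter than the /24 prefix.
SAMPLE_JSON=$(mktemp)
trap 'rm -f "$SAMPLE_JSON"' EXIT
cat > "$SAMPLE_JSON" <<'END'
{
	"metadata": {
		"buildmachine": "validator.example",
		"buildtime": "2020-10-25T21:00:00Z",
		"roas": 3
	},

	"roas": [
		{ "asn": "AS64496", "prefix": "192.0.2.0/24", "maxLength": 24, "ta": "ta-a" },
		{ "asn": "AS65536", "prefix": "2001:db8::/32", "maxLength": 48, "ta": "ta-b" },
		{ "asn": "AS64497", "prefix": "203.0.113.0/24", "maxLength": 22, "ta": "ta-a" }
	]
}
END

# Usage: on a real host run  check_vrp_cache /var/lib/rpki-client/json
check_vrp_cache "$SAMPLE_JSON" || echo "cache rejected, do not serve it"
```

A non-zero exit from check_vrp_cache is the signal to look at the failed entries on stderr (and at the rpki-client log) rather than restart gortr on a bad cache; a missing "buildtime" usually means the timer run was interrupted before the file was written out completely.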


You may also install FORT Validator on Debian 10[4], or maybe cfrpki
with gortr. I have also tried packaging Routinator 3000 for Debian[5],
but this effort is currently on hold because the Rust ecosystem is
broken and hostile to the packaging practices of Linux distributions.


[0] https://www.rpki-client.org/
[1] https://github.com/cloudflare/gortr
[2] https://manpages.debian.org/buster/apt/apt_preferences.5
[3] https://www.youtube.com/watch?v=oBwAQep7Q7o
[4] https://blog.bofh.it/debian/id_460
[5] https://salsa.debian.org/md/routinator/

Permalink: https://blog.bofh.it/debian/id_459