NICMx / FORT-validator

RPKI cache validator
MIT License

Ship/support HTTPS URIs in TALs #34

Closed AlexanderBand closed 4 years ago

AlexanderBand commented 4 years ago

As per RFC 8630, 4/5 RIRs have now published their TALs with an HTTPS URI in addition to rsync. This allows relying party software that supports RRDP to fetch data without relying on rsync at all, bringing us closer to deprecating rsync.

The URIs are:

Does FORT support fetching the root certificate over HTTPS and will it prefer that if the TAL contains both URIs?

It would be great if you could support this and ship the included TALs with the new URIs added. Routinator 0.7.1 and the upcoming RIPE NCC Validator have support as well.

pcarana commented 4 years ago

Hi Alexander.

Does FORT support fetching the root certificate over HTTPS {...}

Yes, this is currently supported.

{...} and will it prefer that if the TAL contains both URIs?

No. Currently, to achieve this, the HTTPS URI must be the first URI listed in the TAL, since by default FORT validator processes the TAL URIs in the same order in which they are written in the TAL (unless you use --shuffle-uris).

It would be great if you could support this and ship the included TALs with the new URIs added.

There's only one doubt that we (as a team) have. As of today, do the RIRs have a public location where they offer their "updated TALs"? By "updated TALs" I mean the TALs with their corresponding HTTPS URI. The only one that I've found so far is from ARIN (https://www.arin.net/resources/manage/rpki/tal/).
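To make the ordering behaviour described above concrete, here is an added example (not FORT's code, and not part of the original thread) of a small RFC 8630 TAL parser that returns the URIs and the trust anchor's subjectPublicKeyInfo, lets the caller order the fetch attempts (as written, shuffled, or HTTPS-first, the preference asked about above), and performs the check RFC 8630 requires once the certificate is retrieved: that the certificate's public key matches the one in the TAL. The TAL text, example.net URIs and key bytes are constructed for the example and are not a real trust anchor.

```python
import base64
import random
from urllib.parse import urlsplit

# Constructed key material: NOT a real subjectPublicKeyInfo, just bytes that
# stand in for the DER blob so the parse/compare round trip can be exercised.
SAMPLE_SPKI = b"constructed-spki-bytes-not-a-real-key"

# Constructed TAL in RFC 8630 layout: optional '#' comment lines, one or more
# rsync/https URIs, a blank line, then the Base64 of the DER subjectPublicKeyInfo.
SAMPLE_TAL = (
    "# constructed example TAL, not published by any RIR\n"
    "rsync://rpki.example.net/repository/root.cer\n"
    "https://rpki.example.net/ta/root.cer\n"
    "\n"
    + base64.b64encode(SAMPLE_SPKI).decode("ascii")
    + "\n"
)

ALLOWED_SCHEMES = ("rsync", "https")


def parse_tal(text):
    """Parse a TAL into (uris, spki_der). Raises ValueError on malformed input."""
    lines = text.splitlines()
    i = 0
    # Optional comment section: leading lines starting with '#'.
    while i < len(lines) and lines[i].startswith("#"):
        i += 1
    # URI section: one or more URIs, terminated by a blank line.
    uris = []
    while i < len(lines) and lines[i].strip() != "":
        uri = lines[i].strip()
        if urlsplit(uri).scheme.lower() not in ALLOWED_SCHEMES:
            raise ValueError(f"unsupported TAL URI scheme: {uri}")
        uris.append(uri)
        i += 1
    if not uris:
        raise ValueError("TAL has no URIs")
    if i >= len(lines):
        raise ValueError("TAL is missing the blank line before the key")
    # Key section: Base64 possibly wrapped over several lines; strict decode.
    b64 = "".join(line.strip() for line in lines[i + 1:])
    if not b64:
        raise ValueError("TAL has no subjectPublicKeyInfo")
    spki = base64.b64decode(b64, validate=True)
    return uris, spki


def fetch_order(uris, prefer_https=False, shuffle=False, seed=None):
    """Return the order in which the TAL URIs should be tried.

    Default mirrors 'as written in the TAL'; shuffle randomises (seeded for
    reproducibility); prefer_https moves https URIs ahead of rsync ones while
    keeping the relative order within each scheme.
    """
    order = list(uris)
    if shuffle:
        random.Random(seed).shuffle(order)
    if prefer_https:
        order.sort(key=lambda u: 0 if urlsplit(u).scheme.lower() == "https" else 1)
    return order


def key_matches(tal_spki, cert_spki):
    """RFC 8630 check: the retrieved certificate's subjectPublicKeyInfo must be
    byte-identical to the one carried in the TAL, whatever URI it came from."""
    return tal_spki == cert_spki


if __name__ == "__main__":
    uris, spki = parse_tal(SAMPLE_TAL)
    for uri in fetch_order(uris, prefer_https=True):
        print("would fetch", uri)
    print("key matches TAL:", key_matches(spki, SAMPLE_SPKI))
```

The transport (rsync or HTTPS) only decides where the self-signed trust anchor certificate is fetched from; the comparison in key_matches is what actually anchors trust, so a certificate whose key does not match the TAL must be rejected no matter which URI delivered it.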

AlexanderBand commented 4 years ago

There's only one doubt that we (as a team) have. As of today, do the RIRs have a public location where they offer their "updated TALs"?

Perhaps @dacruz (RIPE NCC), @geeohgeegeeoh (APNIC) and @amreesh (AFRINIC) can weigh in?

geeohgeegeeoh commented 4 years ago

At this time, we haven't unified on a single place to get the TAL.

Worse, we don't catalog them "the same" on the NRO website, so the URLs on the NRO site include a mix of direct downloads of the .tal file, web pages with indirect references, and textual cut-and-paste forms.

https://www.nro.net/technical-coordination/security/certification/

We're discussing this; Carlos will know about this too, btw. I am seeking to get this remediated, and we will probably standardise on indirect URL paths because of ARIN needing consent. That said, ARIN also publishes a tal-archive/ path.

pcarana commented 4 years ago

Thanks @AlexanderBand for redirecting my doubt, and thanks @geeohgeegeeoh for your clarification.

The main reason for our "concern" is that we would like to have something backing up our decision to update the TALs (something that's "official"). For now, it is enough to know that other RPs offer the updated TALs, so we'll update them as well.

This will be added to the upcoming version 1.4.0.