NLnetLabs / routinator

An RPKI Validator and RTR server written in Rust
https://nlnetlabs.nl/projects/routing/routinator/
BSD 3-Clause "New" or "Revised" License
465 stars, 70 forks

--strict broken? #301

Closed (job closed this 4 years ago)

job commented 4 years ago
[root@rpkiv-test job]# /usr/bin/routinator --strict -b /var/cache/routinator -v vrps -n -f json -o /var/www/html/export-routinator.json.tmp
Found valid trust anchor rsync://rpki.arin.net/repository/arin-rpki-ta.cer. Processing.
rsync://rpki.arin.net/repository/arin-rpki-ta/arin-rpki-ta.mft: failed to decode
Found valid trust anchor rsync://repository.lacnic.net/rpki/lacnic/rta-lacnic-rpki.cer. Processing.
Found valid trust anchor rsync://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer. Processing.
rsync://repository.lacnic.net/rpki/lacnic/rta-lacnic-rpki.mft: failed to decode
Found valid trust anchor rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer. Processing.
rsync://rpki.ripe.net/repository/ripe-ncc-ta.mft: failed to decode
Found valid trust anchor rsync://rpki.afrinic.net/repository/AfriNIC.cer. Processing.
rsync://rpki.afrinic.net/repository/04E8B0D80F4D11E0B657D8931367AE7D/62gPOPXWxxu0sQa4vQZYUBLaMbY.mft: failed to validate
rsync://rpki.apnic.net/repository/B527EF581D6611E2BB468F7C72FD1FF2/DmWk9f02tb1o6zySNAiXjJB6p58.mft: failed to validate
rsync://rpki.apnic.net/repository/B3A24F201D6611E28AC8837C72FD1FF2/dAFlqA0QcZcKvAnAK3HBrHwdbg4.mft: failed to validate
rsync://rpki.apnic.net/repository/B41FE6101D6611E2A62F877C72FD1FF2/NI-bm5KnLM_Tbzxw81Z1czzI6iI.mft: failed to validate
rsync://rpki.apnic.net/repository/B322A5F41D6611E2A3F27F7C72FD1FF2/DPzneFf88B852ZpitKpi5hWedvg.mft: failed to validate
rsync://rpki.apnic.net/repository/B4A1BEA61D6611E2B2CD8B7C72FD1FF2/lqhe9LjK9dTDWhV_ThJe5JS6-Tk.mft: failed to validate

this is on 0.7.0-pre @ d89f088d541b46df7a522f043b18548316754530

partim commented 4 years ago

Unless I am missing something, I think that’s correct? The --strict option is for object parsing following the rules as closely as possible and shouldn’t really be used in practice.

If you are looking for the new option to reject stale objects, that would be --stale reject.

job commented 4 years ago

Perhaps I am misunderstanding what --strict is supposed to do. What is it failing on in this example run?

AlexanderBand commented 4 years ago

See https://rpki.readthedocs.io/en/latest/routinator/manual-page.html#cmdoption-strict and https://rpki.readthedocs.io/en/latest/routinator/manual-page.html#relaxed-validation

partim commented 4 years ago

There are a few limitations on how objects are to be encoded in the RPKI specs that are not followed by some of the RPKI CAs out there. Since these are not security-relevant – they just make it harder to implement a parser –, we decided to normally do something we call ‘relaxed validation’ where we accept these violations. Out of interest, we also have ‘strict validation’ where all these rules are enforced. That’s what --strict selects.

For details, see https://github.com/NLnetLabs/rpki-rs/blob/master/doc/relaxed-validation.md – or, incidentally, the routinator.1 manpage.

The option has been there since the very first version.
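To make the strict/relaxed distinction concrete, here is an added illustration written for this thread; it is not Routinator or rpki-rs code and does not claim to show which rules rpki-rs actually relaxes (see the linked relaxed-validation document for that). It uses one generic example of an encoding rule that is not security-relevant: DER requires a TLV length to be encoded in the minimal number of octets, while BER also permits the long form for small values (0x81 0x03 instead of 0x03). A relaxed decoder accepts both; a strict decoder reports a decode failure, which is the class of error behind the "failed to decode" lines above. The byte strings in the test are constructed for the example.

```rust
// Added illustration, not Routinator/rpki-rs code: a TLV header decoder with a
// strict mode (DER minimal-length rule enforced) and a relaxed mode (BER long
// form for small lengths tolerated). The rule shown is a generic DER rule
// chosen for illustration, not a statement about what rpki-rs relaxes.

#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Mode {
    Strict,
    Relaxed,
}

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated,
    Indefinite,        // 0x80 length octet: indefinite form, never valid in DER
    NonMinimalLength,  // long form used where the short form was required
    Unsupported,       // more than 8 length octets; not needed for this example
}

/// Decode one TLV header. Returns (tag, content length, header length in bytes).
pub fn decode_header(data: &[u8], mode: Mode) -> Result<(u8, usize, usize), DecodeError> {
    if data.len() < 2 {
        return Err(DecodeError::Truncated);
    }
    let tag = data[0];
    let first = data[1];
    if first & 0x80 == 0 {
        // Short form: the single octet is the length (0..=127).
        return Ok((tag, first as usize, 2));
    }
    let n = (first & 0x7f) as usize;
    if n == 0 {
        return Err(DecodeError::Indefinite);
    }
    if n > 8 {
        return Err(DecodeError::Unsupported);
    }
    if data.len() < 2 + n {
        return Err(DecodeError::Truncated);
    }
    let bytes = &data[2..2 + n];
    // Strict mode: a leading zero octet, or a one-octet long form for a value
    // below 128, is a non-minimal encoding and is rejected. Relaxed mode
    // accepts it because the decoded length is unambiguous either way.
    if mode == Mode::Strict && (bytes[0] == 0 || (n == 1 && bytes[0] < 0x80)) {
        return Err(DecodeError::NonMinimalLength);
    }
    let mut len = 0usize;
    for &b in bytes {
        len = (len << 8) | b as usize;
    }
    Ok((tag, len, 2 + n))
}

/// Decode a whole TLV and return (tag, content bytes).
pub fn decode_value(data: &[u8], mode: Mode) -> Result<(u8, Vec<u8>), DecodeError> {
    let (tag, len, hdr) = decode_header(data, mode)?;
    let end = hdr.checked_add(len).ok_or(DecodeError::Truncated)?;
    if data.len() < end {
        return Err(DecodeError::Truncated);
    }
    Ok((tag, data[hdr..end].to_vec()))
}

fn main() {
    // Constructed sample objects: an OCTET STRING "abc" with a minimal length
    // octet, and the same object with a non-minimal (BER long form) length.
    let minimal = [0x04u8, 0x03, b'a', b'b', b'c'];
    let long_form = [0x04u8, 0x81, 0x03, b'a', b'b', b'c'];
    for (name, obj) in [("minimal", &minimal[..]), ("long form", &long_form[..])] {
        for mode in [Mode::Relaxed, Mode::Strict] {
            match decode_value(obj, mode) {
                Ok((tag, content)) => println!("{name} {mode:?}: tag 0x{tag:02x}, {} bytes", content.len()),
                Err(e) => println!("{name} {mode:?}: failed to decode ({e:?})"),
            }
        }
    }
}
```

The point of the example is the asymmetry: both decoders recover the identical content from the long-form object, so accepting it in relaxed mode costs nothing in terms of what is validated, while strict mode turns the same bytes into a decode failure for an entire manifest.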

job commented 4 years ago

thanks