NLnetLabs / routinator

An RPKI Validator and RTR server written in Rust
https://nlnetlabs.nl/projects/routing/routinator/
BSD 3-Clause "New" or "Revised" License

TCP-AO #630

Open sarasalingam opened 3 years ago

sarasalingam commented 3 years ago

Is routinator planning to support TCP-AO for RTR connections?

partim commented 3 years ago

TCP-AO needs to be implemented by the TCP stack, so this is not something that Routinator can implement on its own. If the underlying socket library supports TCP-AO, then we are not opposed to supporting it as well. However, I am a bit wary that each OS uses a different mechanism to enable and configure it and this will become a bit of a portability nightmare.

That all said, I am not entirely convinced that TCP-AO is the right choice for RTR connections. These connections should only exist within the management network which should be secured against the kind of interference TCP-AO protects against. Inter-site connections, meanwhile, need to be properly secured which would require the use of TLS or SSH. Am I missing something?

maelmans commented 3 years ago

I'm happy to report an initiative has started to (finally) get this work done. The scope of work has been defined (BSD and Linux implementation) and the next step is to secure funding, including applying with the RIPE NCC Community Projects Fund. The team behind this initiative includes Max Stucchi (ISOC), Greg Hankins (Nokia), Stefan Wahl (Megaport), Philip Paeps (Alternative Enterprises), Ron Bonica (Juniper Networks) and Melchior Aelmans (Juniper Networks).

ppaeps commented 3 years ago

@partim As part of the work I'm proposing together with @maelmans et al, I intend to keep the socket layer as common as possible between platforms (Linux, BSD). My proposal specifically includes support for BSD and Linux precisely to avoid portability nightmares.

Having said that, if our proposal is accepted, you can expect a patch from me to add support to routinator. :)

AlexanderBand commented 3 years ago

This is great news @maelmans, I hope the RIPE NCC Community Projects Fund request works out. Once this work is done we look forward to reviewing and including the patch by @ppaeps. Open source community work at its finest!