dragonresearch / rpki.net

Dragon Research Labs rpki.net RPKI toolkit

doc simplification and rootd #612

Closed sraustein closed 8 years ago

sraustein commented 11 years ago

this user from the br nic seems to have been trapped by doc complexity into doing things such as rebuilding openssl. and then he hit a lack of simple docco for rootd. i fear many folk will be doing root installs.

From: Pablo Martins Figueiredo da Costa pablo@nic.br Subject: [rpki] Help on configuring my RPKI Certificate Authority To: rpki@rpki.net Date: Fri, 16 Aug 2013 21:09:13 -0300 (BRT)

Hello,

I'm trying to configure a testbed environment for RPKI, but I got stuck on the configuration of rpki-ca.

I already played with cisco ASR1001 (XE3.9S), GNS3 ( IOS 15.2S3), quagga-rtrlib, rcynic and RIPE-NCC Validator and I'm confident with this part of the rpki infrastructure.

My goal is to create my own CA and be able to create certificates and ROAs for private ASes (RFC6996) and IP addresses (RFC1918), and use them in the lab.

I got a little bit confused, because I installed rpki-ca using the Ubuntu binary packages, and most of the configuration steps described in the docs were already done after "apt-get install".

I had to compile openssl with rfc3779, then I rebuilt the ubuntu package for openssl with enable-rfc3779.

I'm able to access the web gui, but can't figure out how to create the ROAs as I would like.

I read the following documentation: https://trac.rpki.net/wiki/doc/RPKI/CA/Configuration/CreatingRoot https://trac.rpki.net/wiki/doc/RPKI/CA/Configuration/rootd

I really appreciate any help you can provide.

Thanks, Pablo

Trac ticket #599 component doc priority major, owner sra, created by randy on 2013-08-17T01:18:09Z, last modified 2016-08-05T15:43:27Z

sraustein commented 11 years ago

> this user from the br nic seems to have been trapped by doc complexity into doing things such as rebuilding openssl.

You may be reading things into his message that he did not put there.

He is correct that the documented way of constructing an RPKI root certificate requires an RFC-3779-enabled version of the OpenSSL command line tool, which we do not install, nor, given the horrors of shared libraries, are we ever likely to do so. So he did what he had to do to construct a root certificate.

The configuration snippet you sent him does not do what you think it does, in fact it does not do anything anymore, it's a historical artifact in your rpkid.conf that's not present in current versions.

We might want to consider adding some dumb little Python tool which constructs a root certificate using the rpki.POW module, since that, unlike an RFC-3779-enabled version of OpenSSL command line tool, is something we can rely on being available.

> and then he hit a lack of simple docco for rootd. i fear many folk will be doing root installs.

There is no simple documentation for rootd because rootd is not simple. Or, rather, rootd is too stoopid to be simple.

Note, however, that it looks like he got past all the rootd stuff on his own, he just hasn't figured out the GUI. Which doc was it that you said was the problem here? :)

As far as rootd's awfulness and the likelihood of users needing to deal with it goes: We could declare that merging rootd's functionality into rpkid has now risen to the top of the priority list. Not a trivial piece of work, but as it would require SQL changes it would be an opportunity to work on several other things as well.

Trac comment by sra on 2013-08-17T20:38:02Z
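What an RFC-3779-enabled OpenSSL actually has to put into a root certificate for the resources above, as an added example (this is not rpki.net code, and not the rpki.POW-based tool suggested in the comment): a minimal DER encoder for the two RFC 3779 extensions, id-pe-ipAddrBlocks (1.3.6.1.5.5.7.1.7) and id-pe-autonomousSysIds (1.3.6.1.5.5.7.1.8). It handles addressPrefix entries and the asnum choice only; IPAddressRange and rdi are left out. 10.0.8.0/24 and AS64512 are the values Pablo tests with later in the thread; the IPv6 prefix in the usage is an assumed extra. Function names are this example's own.

```python
"""Hand-rolled DER for the RFC 3779 resource extensions (added example,
not rpki.net code). Shows the encoding a root certificate needs for
'10.0.8.0/24' and 'AS64512' style resources."""
import ipaddress

AFI_IPV4 = b"\x00\x01"
AFI_IPV6 = b"\x00\x02"


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(value):
    """Non-negative INTEGER; a leading 0x00 keeps the top bit from
    reading as a sign bit (AS64512 = 0xFC00 needs it)."""
    if value < 0:
        raise ValueError("RFC 3779 integers are non-negative")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der(0x02, body)


def der_bitstring(bits):
    """BIT STRING from a '0'/'1' string; the first content octet is the
    number of unused padding bits in the last octet."""
    unused = (8 - len(bits) % 8) % 8
    padded = bits + "0" * unused
    body = bytes(int(padded[i:i + 8], 2) for i in range(0, len(padded), 8))
    return der(0x03, bytes([unused]) + body)


def ip_prefix(prefix):
    """RFC 3779 s2.1.1 addressPrefix: exactly prefixlen bits of the
    network address, so 10.0.8.0/24 becomes BIT STRING 00 0A 00 08.
    strict=True rejects prefixes with host bits set."""
    net = ipaddress.ip_network(prefix, strict=True)
    all_bits = format(int(net.network_address), "0%db" % net.max_prefixlen)
    return der_bitstring(all_bits[:net.prefixlen])


def ip_addr_blocks(prefixes):
    """IPAddrBlocks ::= SEQUENCE OF IPAddressFamily, IPv4 family first.
    Within a family the entries must be sorted and must not overlap
    (RFC 3779 s2.2.3.6); an overlap raises instead of emitting bad DER."""
    families = {}
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        families.setdefault(net.version, []).append(net)
    out = b""
    for version, afi in ((4, AFI_IPV4), (6, AFI_IPV6)):
        nets = sorted(families.get(version, []))
        for a, b in zip(nets, nets[1:]):
            if a.overlaps(b):
                raise ValueError("overlapping prefixes %s and %s" % (a, b))
        if not nets:
            continue
        entries = der(0x30, b"".join(ip_prefix(str(n)) for n in nets))
        out += der(0x30, der(0x04, afi) + entries)
    return der(0x30, out)


def as_identifiers(asns):
    """ASIdentifiers with only the asnum [0] choice. Entries are ints
    (ASId) or (lo, hi) tuples (ASRange); sorted, overlap raises."""
    items = sorted((a, a) if isinstance(a, int) else tuple(a) for a in asns)
    for (_, hi), (lo, _) in zip(items, items[1:]):
        if lo <= hi:
            raise ValueError("overlapping AS entries")
    body = b""
    for lo, hi in items:
        body += der_integer(lo) if lo == hi else der(0x30, der_integer(lo) + der_integer(hi))
    return der(0x30, der(0xA0, der(0x30, body)))


if __name__ == "__main__":
    print(ip_addr_blocks(["10.0.8.0/24", "2001:db8::/32"]).hex())
    print(as_identifiers([64512]).hex())
```

In an RPKI certificate these two values go in as extensions marked critical; the point of the example is that the encoding is not something the stock OpenSSL command line can be coaxed into producing from a config file, which is exactly why the root-building instructions need an RFC 3779 build.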

sraustein commented 11 years ago

[ adding pablo to ticket ]

He is correct that the documented way of constructing an RPKI root certificate requires an RFC-3779-enabled version of the OpenSSL command line tool, which we do not install, nor, given the horrors of shared libraries, are we ever likely to do so. So he did what he had to do to construct a root certificate.

> The configuration snippet you sent him does not do what you think it
> does, in fact it does not do anything anymore, it's a historical
> artifact in your rpkid.conf that's not present in current versions.

yechh. that was from ca0.rpki.net!

> Note, however, that it looks like he got past all the rootd stuff on
> his own, he just hasn't figured out the GUI. Which doc was it that
> you said was the problem here? :)

not from what i see. he sees no resources, i.e. the rootd cert may have no resources.

> We could declare that merging rootd's functionality into rpkid has
> now risen to the top of the priority list. Not a trivial piece of
> work, but as it would require SQL changes it would be an opportunity
> to work on several other things as well.

may be. 1918 is one driver. another is folk testing, common at this stage of deployment.

randy

Trac comment by randy on 2013-08-18T00:08:24Z

sraustein commented 11 years ago

procedures.txt (Installation steps)

Trac attachment by pablo on 2016-08-05T15:43:27Z

sraustein commented 11 years ago

Hello,

I attached a file with the installation procedures that I followed

Trac comment by pablo on 2013-08-20T21:01:25Z

sraustein commented 11 years ago

I suspect that part of the problem may be the format of the RSA private key file root.key. See ticket #603 for details.

If this theory is correct, the following conversion commands may help:

```sh
# Rewrite root.key through openssl rsa; keep the old file if that fails.
if openssl rsa -in root.key -out root.key.new
then
    echo success
    mv root.key.new root.key
else
    echo failure
    rm root.key.new
fi
```

Trac comment by sra on 2013-08-23T02:58:17Z
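What that conversion changes, as an added illustration rather than anything taken from ticket #603 (which this page does not reproduce): the assumption made here is that root.key is in PKCS#8 "BEGIN PRIVATE KEY" form and the consumer expects the traditional PKCS#1 "BEGIN RSA PRIVATE KEY" form, which is what `openssl rsa -in ... -out ...` emitted with the OpenSSL of the day. The script below classifies a PEM file by its label and DER shape and says whether the conversion is needed. It is not rpki.net code; the function names are its own, and the two sample PEMs are constructed DER with tiny integers, not usable keys.

```python
"""Classify a PEM private key and decide whether the `openssl rsa`
normalisation is needed (added example, not rpki.net code)."""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1


def read_tlv(buf, pos=0):
    """One DER TLV with a definite length. Returns (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: low bits = octet count
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def children(seq_body):
    """Split the body of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(seq_body):
        tag, value, pos = read_tlv(seq_body, pos)
        out.append((tag, value))
    return out


def classify_private_key(pem_text):
    """'pkcs1-rsa', 'pkcs8-rsa', 'pkcs8-other', 'pkcs8-encrypted',
    'unknown-label', 'malformed' or 'not-pem'."""
    m = PEM_BLOCK.search(pem_text)
    if not m:
        return "not-pem"
    label = m.group(1)
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    try:
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
        tag, body, end = read_tlv(der)
        if tag != 0x30 or end != len(der):
            return "malformed"
        kids = children(body)
        tags = [t for t, _ in kids]
        if label == "RSA PRIVATE KEY":
            # RSAPrivateKey ::= SEQUENCE { version 0, n, e, d, p, q, dP, dQ, qInv }
            ok = len(kids) >= 9 and tags[:9] == [0x02] * 9 and kids[0][1] == b"\x00"
            return "pkcs1-rsa" if ok else "malformed"
        if label == "PRIVATE KEY":
            # PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, OCTET STRING }
            if tags[:3] != [0x02, 0x30, 0x04]:
                return "malformed"
            alg = children(kids[1][1])
            if not alg or alg[0][0] != 0x06:
                return "malformed"
            return "pkcs8-rsa" if alg[0][1] == OID_RSA_ENCRYPTION else "pkcs8-other"
    except (ValueError, IndexError):
        return "malformed"
    return "unknown-label"


def needs_conversion(pem_text):
    """True when the file is an RSA key but not in the traditional form."""
    return classify_private_key(pem_text) in ("pkcs8-rsa", "pkcs8-encrypted")


def conversion_command(openssl_major, src="root.key", dst="root.key.new"):
    """argv for the conversion. OpenSSL 3 writes PKCS#8 from `rsa -out`
    unless -traditional is given, so the 1.x-era command is a no-op there."""
    cmd = ["openssl", "rsa", "-in", src, "-out", dst]
    if openssl_major >= 3:
        cmd.insert(2, "-traditional")
    return cmd


# Constructed samples: correct DER shape, tiny integers, not usable keys.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


_FAKE_PKCS1 = _tlv(0x30, b"".join(_tlv(0x02, bytes([v])) for v in (0, 11, 3, 3, 5, 7, 1, 1, 1)))
_FAKE_PKCS8 = _tlv(0x30, _tlv(0x02, b"\x00")
                   + _tlv(0x30, _tlv(0x06, OID_RSA_ENCRYPTION) + _tlv(0x05, b""))
                   + _tlv(0x04, _FAKE_PKCS1))
SAMPLE_PKCS1_PEM = _pem("RSA PRIVATE KEY", _FAKE_PKCS1)
SAMPLE_PKCS8_PEM = _pem("PRIVATE KEY", _FAKE_PKCS8)
```

One caveat for anyone following this ticket today: with OpenSSL 3.x the commands above leave a PKCS#8 key as PKCS#8, since `openssl rsa -out` now writes that form by default; `-traditional` is the flag that restores the "RSA PRIVATE KEY" output.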

sraustein commented 11 years ago

pablo, please report if this helps or not -- randy

Trac comment by randy on 2013-08-23T03:02:14Z

sraustein commented 11 years ago

Randy and Rob,

Yessss, It worked quite well !!!

Now I can see the resources and the entire infrastructure is running.

I did a test creating the following ROA "A64512,10.0.8.0/24,24". Then I made a TAL file, which successfully worked with rpki-validator and rcynic.

The only warning I received was from the rpki validator saying:

```
WARNING: root.mft Manifest validity differs from EE certificate validity
WARNING: Uukm_I6aWcHX8ean57oBA6x0isI.mft Manifest validity differs from EE certificate validity
```

But it didn't cause any trouble.

I'm very grateful for your help in solving this problem.

Congratulations, Pablo

See some tests I did:

rtr-origin x rpki-rtr (from rpki-rp)

```
rtr-origin --client tcp localhost 43779
2013-08-23 07:58:26 rtr-origin/client[27039]: [Startup]
2013-08-23 07:58:26 rtr-origin/client[27039]: [Starting raw TCP connection to localhost:43779]
2013-08-23 07:58:26 rtr-origin/client[27039]: [Trying addr 127.0.0.1 port 43779]
2013-08-23 07:58:26 rtr-origin/client[27039]: [reset_query]
2013-08-23 07:58:26 rtr-origin/client[27039]: [cache_response, nonce 64050]
2013-08-23 07:58:26 rtr-origin/client[27039]: + 64512 10.0.8.0/24-24 00:04:00:00:00:00:00:14:01:18:18:00:0A:00:08:00:00:00:FC:00
2013-08-23 07:58:26 rtr-origin/client[27039]: [end_of_data, serial #1377243588 nonce 64050]
```

rtr-origin x rpki-validator (from ripe)

```
rtr-origin --client tcp localhost 8282
2013-08-23 08:11:40 rtr-origin/client[27667]: [Startup]
2013-08-23 08:11:40 rtr-origin/client[27667]: [Starting raw TCP connection to localhost:8282]
2013-08-23 08:11:40 rtr-origin/client[27667]: [Trying addr 127.0.0.1 port 8282]
2013-08-23 08:11:40 rtr-origin/client[27667]: [reset_query]
2013-08-23 08:11:40 rtr-origin/client[27667]: [cache_response, nonce 20416]
2013-08-23 08:11:40 rtr-origin/client[27667]: + 64512 10.0.8.0/24-24 00:04:00:00:00:00:00:14:01:18:18:00:0A:00:08:00:00:00:FC:00
2013-08-23 08:11:40 rtr-origin/client[27667]: [end_of_data, serial #12 nonce 20416]
```

Testing with rtrclient from rpkirealmv6.org x rpki-rtr (from rpki-rp)

```
rtrclient tcp localhost 43779
Prefix  Prefix Length  ASN
```

Testing with rtrclient from rpkirealmv6.org x rpki-validator

```
rtrclient tcp localhost 8282
Prefix  Prefix Length  ASN
```

API - RPKI VALIDATOR

```
lynx --dump http://127.0.0.1:8080/export.csv
ASN,IP Prefix,Max Length
AS64512,10.0.8.0/24,24
```

```
lynx --dump http://127.0.0.1:8080/api/v1/validity/AS64512/10.0.8.0/24
```

```json
{
  "validated_route": {
    "route": {
      "origin_asn": "AS64512",
      "prefix": "10.0.8.0/24"
    },
    "validity": {
      "state": "Valid",
      "description": "At least one VRP Matches the Route Prefix",
      "VRPs": {
        "matched": [
          {
            "asn": "AS64512",
            "prefix": "10.0.8.0/24",
            "max_length": 24
          }
        ],
        "unmatched_as": [],
        "unmatched_length": []
      }
    }
  }
}
```

Trac comment by pablo on 2013-08-23T11:41:56Z
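The 20 bytes rtr-origin printed next to the "+ 64512 10.0.8.0/24-24" line are the raw RFC 6810 IPv4 Prefix PDU the cache sent. As an added example, not code from rpki.net, rtr-origin or the RIPE validator: decode that PDU into a VRP with every length and ordering check a client should apply, re-encode it the way a cache would, and run the RFC 6811 route origin validation that produced the "Valid" answer from the validator API above, with the same matched / unmatched_as / unmatched_length buckets. Function names are this example's own; how a covering VRP that fails both the ASN and the length check is bucketed is a choice made here, not the validator's documented rule.

```python
"""RFC 6810 (RPKI-RTR v0) prefix PDU decode/encode plus RFC 6811 route
origin validation. Added example; not rpki.net, rtr-origin or RIPE
validator code."""
import ipaddress
import struct

PDU_IPV4_PREFIX = 4
PDU_IPV6_PREFIX = 6
FLAG_ANNOUNCE = 0x01          # bit 0 set: announce, clear: withdraw

# Captured from the rtr-origin log above: the 20-byte PDU for the ROA
# AS64512 / 10.0.8.0/24 with maxLength 24.
SAMPLE_PDU = bytes.fromhex(
    "00:04:00:00:00:00:00:14:01:18:18:00:0A:00:08:00:00:00:FC:00".replace(":", ""))


def parse_prefix_pdu(data):
    """Decode an IPv4/IPv6 Prefix PDU into (flags, (asn, network, max_length)).

    Wire layout (RFC 6810 s5.6/5.7, big-endian):
      version(1) type(1) zero(2) length(4)
      flags(1) prefixlen(1) maxlen(1) zero(1) prefix(4|16) asn(4)
    Every invariant is checked so a malformed PDU from a cache is rejected
    instead of being turned into a bogus VRP."""
    if len(data) < 8:
        raise ValueError("truncated PDU header")
    version, pdu_type, _, length = struct.unpack("!BBHI", data[:8])
    if version != 0:
        raise ValueError("unsupported protocol version %d" % version)
    if pdu_type == PDU_IPV4_PREFIX:
        addr_len, net_cls = 4, ipaddress.IPv4Network
    elif pdu_type == PDU_IPV6_PREFIX:
        addr_len, net_cls = 16, ipaddress.IPv6Network
    else:
        raise ValueError("PDU type %d is not a prefix PDU" % pdu_type)
    expected = 12 + addr_len + 4
    if length != expected or len(data) != expected:
        raise ValueError("bad length: header says %d, got %d bytes, expected %d"
                         % (length, len(data), expected))
    flags, plen, maxlen, _ = struct.unpack("!BBBB", data[8:12])
    if not plen <= maxlen <= addr_len * 8:
        raise ValueError("need prefixlen <= maxlen <= %d, got %d/%d"
                         % (addr_len * 8, plen, maxlen))
    # strict=True: bits beyond prefixlen must be zero on the wire.
    net = net_cls((data[12:12 + addr_len], plen), strict=True)
    (asn,) = struct.unpack("!I", data[12 + addr_len:expected])
    return flags, (asn, net, maxlen)


def encode_prefix_pdu(flags, asn, net, maxlen):
    """Inverse of parse_prefix_pdu: what a cache puts in a Cache Response."""
    addr_len = 4 if net.version == 4 else 16
    pdu_type = PDU_IPV4_PREFIX if net.version == 4 else PDU_IPV6_PREFIX
    return (struct.pack("!BBHI", 0, pdu_type, 0, 12 + addr_len + 4)
            + struct.pack("!BBBB", flags, net.prefixlen, maxlen, 0)
            + net.network_address.packed
            + struct.pack("!I", asn))


def validate_route(origin_asn, prefix, vrps):
    """RFC 6811 s2 origin validation of one route against a list of VRPs.

    A VRP covers the route when the route prefix lies inside the VRP
    prefix. Valid: a covering VRP matches the origin ASN and its
    maxLength allows the route length. Invalid: covering VRPs exist but
    none match. NotFound: nothing covers the route. The buckets mirror
    the validator API output; a covering VRP failing both checks lands in
    unmatched_as here (this example's choice)."""
    route = ipaddress.ip_network(prefix, strict=True)
    result = {"matched": [], "unmatched_as": [], "unmatched_length": []}
    for asn, net, maxlen in vrps:
        if net.version != route.version:
            continue
        if route.prefixlen < net.prefixlen or route.network_address not in net:
            continue
        entry = ("AS%d" % asn, str(net), maxlen)
        if asn != origin_asn:
            result["unmatched_as"].append(entry)
        elif route.prefixlen > maxlen:
            result["unmatched_length"].append(entry)
        else:
            result["matched"].append(entry)
    if result["matched"]:
        result["state"] = "Valid"
    elif result["unmatched_as"] or result["unmatched_length"]:
        result["state"] = "Invalid"
    else:
        result["state"] = "NotFound"
    return result


if __name__ == "__main__":
    flags, vrp = parse_prefix_pdu(SAMPLE_PDU)
    print("announce" if flags & FLAG_ANNOUNCE else "withdraw", vrp)
    print(validate_route(64512, "10.0.8.0/24", [vrp]))
```

Run as a script it prints the decoded VRP and the same Valid verdict with a single matched entry; feeding it AS64513 or 10.0.8.0/25 flips the answer to Invalid, and 10.0.9.0/24 to NotFound, which is the behaviour to expect from the router side once the ROA is in the cache.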

sraustein commented 8 years ago

Issue resolved years ago, ticket never closed.

Trac comment by sra on 2016-08-05T15:43:27Z

sraustein commented 8 years ago

Closed with resolution fixed