OpenWrt Routing Packages
[routing / bird2] RPKI does not work due to compile flag #589

Closed ghost closed 4 years ago

ghost commented 4 years ago

@tohojo @BKPepe

facing the same issue as mentioned here https://bird.network.cz/pipermail/bird-users/2019-November/013959.html

caused by --disable-libssh in https://github.com/openwrt-routing/packages/blob/master/bird2/Makefile#L99

tohojo commented 4 years ago

Hmm, not sure we want to pull in libssh unconditionally, though. So either it'll have to be a separate package variant, or we will need to patch bird to allow a different library or runtime detection or something...

ghost commented 4 years ago

Hmm, not sure we want to pull in libssh unconditionally, though

You consider it a security risk?

tohojo commented 4 years ago

Was mostly thinking of the size impact; don't think libssh is widely used(?), so it'll be a whole 'nother library just for that one feature (rpki) that not everyone may want...

ghost commented 4 years ago

Never mind, if RPKI is not wanted on a router distro I will just fall back to compile self.

tohojo commented 4 years ago

Never said it would never be wanted, just said it shouldn't be unconditional. For instance, on most of the nodes I deploy Bird on, I do so to run Babel. So no need for rpki there.

If you do compile a package yourself, could you please post the size difference? Both to bird itself, and the size of the library it pulls in. If the size difference is minuscule, I won't object to just enabling it unconditionally. But if it's not (as I suspect), I'd prefer to make it a separate package variant (similar to how we have dnsmasq-full, for instance).

ghost commented 4 years ago

If you do compile a package yourself, could you please post the size difference?

Sure, if I decide to stay with bird, currently testing other daemons as potential replacements, e.g. gobgp


I'd prefer to make it a separate package variant (similar to how we have dnsmasq-full, for instance).

Probably not worth the effort since the RPKI / SLURM deployment requires certain capable hardware (mostly RAM demand > 1 GiB) that is not available for the majority of the distro's targets anyway and thus the potential user base is more of a fringe case, notwithstanding that it requires a (caching) RPKI validator that is not available in the distro.


or we will need to patch bird to allow a different library or runtime detection or something...

looking through the source code it probably would suffice to patch

https://gitlab.nic.cz/labs/bird/-/blob/v2.0.7/proto/rpki/config.Y#L34

-- CF_KEYWORDS(RPKI, REMOTE, BIRD, PRIVATE, PUBLIC, KEY, TCP, SSH, TRANSPORT, USER,
-+ CF_KEYWORDS(RPKI, REMOTE, BIRD, PRIVATE, PUBLIC, KEY, TCP, TRANSPORT, USER,
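Review bot: removing SSH from CF_KEYWORDS unconditionally turns `transport ssh` into a generic syntax error in every build, including ones that are compiled with libssh; since the breakage is tied to `--disable-libssh`, the keyword (and the ssh alternative below) should be guarded by the same configure-time switch rather than deleted, so one config.Y serves both package variants. Note also that this hunk only works together with the removal of the `| SSH ...` alternative: applied on its own, the grammar still uses SSH as a terminal and bison rejects it as an undeclared symbol.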

and

https://gitlab.nic.cz/labs/bird/-/blob/v2.0.7/proto/rpki/config.Y#L108

-- | SSH rpki_transport_ssh_init '{' rpki_transport_ssh_opts '}' rpki_transport_ssh_check
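Review bot: dropping only this alternative leaves `rpki_transport_ssh_init`, `rpki_transport_ssh_opts` and `rpki_transport_ssh_check` defined but unreferenced (their definitions are not touched here), which bison flags as useless nonterminals and which keeps dead SSH grammar in a build that is meant to have none; either remove those rules together with the alternative, or wrap the alternative in the libssh build conditional so the ssh branch survives for builds that link libssh. A user who still writes `transport ssh` would also get an unhelpful syntax error instead of a clear "built without SSH support" message, which is worth a `cf_error` in the guarded branch.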

leaving TCP as communication channel with the RPKI validator.
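For reference, the following BIRD 2 configuration is an added example and not code from the issue thread or the bird2 package: it shows the plain-TCP RTR transport that the proposed grammar change keeps, the `transport ssh` variant that depends on libssh (commented out), and, going a step beyond the thread, a BGP import filter that actually consumes the ROA tables. The validator hostname, ports, ROA table names and key paths are assumptions.

```conf
# Added example, not from the original issue. Hostnames, ports, table
# names and key paths are assumptions.

roa4 table r4;
roa6 table r6;

# RTR session over plain TCP (RFC 8210, port 323 is the unencrypted RTR
# port). This works in a bird2 build configured with --disable-libssh.
protocol rpki rtr1 {
  roa4 { table r4; };
  roa6 { table r6; };

  remote "rtr.example.net" port 323;   # assumed validator
  transport tcp;                       # the default; needs no libssh

  retry keep 90;
  refresh keep 900;
  expire keep 172800;
}

# The same session over SSH. This is the part that needs libssh and is
# exactly what a --disable-libssh build cannot provide; keep it commented
# out on such a build.
# protocol rpki rtr1_ssh {
#   roa4 { table r4; };
#   roa6 { table r6; };
#   remote "rtr.example.net" port 22;
#   transport ssh {
#     bird private key "/etc/bird/id_rsa";
#     bird public key "/etc/bird/id_rsa.pub";
#     remote public key "/etc/bird/known_hosts";
#     user "rpki";
#   };
# }

# Consume the ROA tables from a BGP import filter: drop RPKI-invalid
# routes, let valid and unknown ones through.
filter rpki_import {
  if net.type = NET_IP4 then {
    if roa_check(r4, net, bgp_path.last) = ROA_INVALID then reject "RPKI invalid";
  }
  if net.type = NET_IP6 then {
    if roa_check(r6, net, bgp_path.last) = ROA_INVALID then reject "RPKI invalid";
  }
  accept;
}
```

`bird -p -c <file>` parses a configuration and exits non-zero on errors, so uncommenting the `transport ssh` block and running that parse check is a quick way to tell whether the installed bird2 package accepts the SSH transport at all, without having to inspect the package's build flags.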