BSDSec

deadsimple BSD Security Advisories and Announcements

rpki-client 7.0 released

rpki-client 7.0 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of the Route Origin of a BGP announcement. The
program queries the RPKI repository system and outputs Validated ROA
Payloads in the configuration format of OpenBGPD, BIRD, and also as
CSV or JSON objects for consumption by other routing stacks.

See RFC 6811 for a description of how BGP Prefix Origin Validation
secures the Internet's global routing system.
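
The origin validation procedure of RFC 6811, applied to a list of
Validated ROA Payloads, as an added example (not part of the original
announcement and not rpki-client code). The VRP tuples and the
validate() function are constructed for illustration and use
documentation prefixes and ASNs.

```python
import ipaddress

# Constructed sample VRPs as (origin ASN, prefix, maxLength).
# Documentation prefixes and private-use ASNs, not real RPKI data.
VRPS = [
    (64496, "192.0.2.0/24", 24),
    (64497, "198.51.100.0/24", 25),
    (64498, "2001:db8::/32", 48),
    (0, "203.0.113.0/24", 24),  # AS 0 VRP: this prefix should not be routed
]


def validate(prefix, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for a BGP route (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for asn, vrp_prefix, max_len in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        if vrp.version != route.version:
            continue
        # Covered: the VRP prefix is equal to or less specific than the route.
        if not route.subnet_of(vrp):
            continue
        covered = True
        # Matched: route length within maxLength and same origin ASN.
        # A VRP with ASN 0 never matches any route.
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one VRP but matched by none is invalid;
    # no covering VRP at all is not-found.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("198.51.100.0/26", 64497),
                     ("203.0.113.0/24", 64499), ("10.0.0.0/8", 64496)]:
        print(pfx, asn, validate(pfx, asn))
```

A more-specific announcement than maxLength allows is invalid even from
the authorized origin, which is what limits sub-prefix hijacks.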

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, and Sebastian Benoit as part of the OpenBSD
Project and gets released as a base component of OpenBSD every six
months, and follows the OpenBSD release numbering scheme.

This release includes the following changes to the previous release:

 * Added RRDP (The RPKI Repository Delta Protocol, RFC 8182) support
   as a 'technology preview'. To use it, the "-r" flag needs to be used.
 * Support the use of more than one URI in the TAL file, sorting with a
   preference for https.
 * Validation of Ghostbusters records (RFC 6493).
 * Fixed checks of the manifest validity interval.
 * The rsync connection is now killed when the rsync server stalls.
 * Limited the URL embedded in .cer files to alphanumeric characters
   and punctuation.
 * Added a "-V" option to show version.
 * Included the default cert.pem file path in tls_load_file error
   messages.
 * Use of the ibuf (imsg) API for data exchange between the
   rpki-client processes.

In the portable version,

 * Emit all output formats, no need to choose with options.
 * Changes for using GitHub Actions for automatic testing.
 * The RRDP support requires HTTPS connections, necessitating a
   dependency for libtls from LibreSSL.
 * Support for building rpki-client on MacOSX.
 * Added expat as an extra dependency, needed for RRDP support.

Finally, with this release, we will change the way in which we release
rpki-client updates:

Instead of tracking OpenBSD releases every 6 months and providing
patches for bugfixes in the intervening time, we will produce full
releases more often.

We hope that this will give users on other operating systems earlier
access to new features. If security bugs necessitate an update, a full
release will be provided that may also include new features that were
developed up to that point.

rpki-client is known to compile and run on at least the following
operating systems: Alpine 3.12, Debian 9, 10, Fedora 31, 32, 33, macOS
Catalina, RHEL/CentOS 7, 8, Windows Subsystem for Linux 2.

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client can be found are on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===============

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.