mirror of https://github.com/openbsd/src.git synced 2025-01-02 06:15:37 -08:00
Commit Graph

29927 Commits

Author SHA1 Message Date
job
a3ccbae723 Remove BIRD v1 output, add BIRD v3 output (which includes static ASPA entries)
OK tb@
2025-01-02 12:29:30 +00:00
anton
018a085a0a More daemons need the same treatment as ospfd recently got in order to
prevent NULL dereference in interface departure logic when the arrival
of the same interface has not been observed.

Prodded by and ok claudio@
2025-01-02 06:35:57 +00:00
dlg
a7b8518d79 improve the lldp printing a bit, in particular the mgmt address printer. 2025-01-02 01:21:35 +00:00
anton
95d3cd23b2 Prevent NULL dereference in ospfd interface departure logic when the
arrival of the same interface has not been observed.

ok claudio@
2025-01-01 13:44:52 +00:00
denis
560116d97c Use correct function name in fatalx() 2024-12-30 17:14:02 +00:00
florian
4905b49233 Adjust rDNS lifetime to RFC 8106 default (minimum) value.
It doesn't make sense to have the rDNS lifetime lower than the router
lifetime, this information travels together.

Pointed out by & OK jrick
2024-12-28 08:58:13 +00:00
tb
bb0e26feb6 Check that the manifest fileList has at least one entry
We already check that the fileList isn't excessively large. A bit later we
also check that the list contains a CRL, as required by RFC 9286. However,
between these two checks a zero-sized allocation may happen, which is now
avoided. sk_num() is one of those gifts that keep on giving, but it seems
that this is the only occurrence in rpki-client that can be problematic.

ok job
2024-12-24 10:03:59 +00:00
florian
b0c10c99a4 Set correct request timeout once we have found the correct server block.
On accept(2), httpd(8) sets the timeout based on ip:port. Once we have
parsed the http headers we can find the name-based server block and
apply its request timeout.

Problem identified and fix from Nick Owens, thanks!

OK tb
2024-12-22 13:51:42 +00:00
job
05a19cc6f2 Improve cleanup process
In some cases, following a fallback from RRDP to RSYNC, files are
moved to the wrong place. With this change, only rsync repositories
are considered when looking up where to move DIR_TEMP files.

repo.c requires more study, this fix might be a bandaid for a problem
not fully understood.

"put it in" claudio@ OK tb@
2024-12-19 13:23:38 +00:00
tb
a56972eb38 tweak previous: typo in comment and some cosmetics 2024-12-18 21:12:26 +00:00
job
e489b84834 Schedule future rejection of ultra long-lived TA certificates
The RPKI ecosystem suffers from a partially unmitigated risk related to
long-lived Trust Anchor certificate issuances.

Issues could arise when an on-path attacker (or an operational error such
as restoring a super old backup of a webserver) brings back into
circulation an old (but still valid) TA certificate. Older certificates
remain valid for the duration of their validity period, because TA
certificates - being top of the chain - cannot be revoked.

Real world examples of old, potentially replayable certificates that today
still would pass validation are here:
https://mailarchive.ietf.org/arch/msg/sidrops/NxzvSFH0sPXEmyfOS99cLApFKqM/

The trouble with these replayable TA certificates is that when an
on-path entity ends up presenting such an outdated-but-still-valid
certificate to the RP, accepting such a cert will damage the RP's local
validated cache. Parts of the validated output will disappear, in an
unpredictable manner.

Periodic reissuance of TA certs is important because TA certificates are
not entirely static, which of course is why replay might even be an issue
in the first place! There are 3 'dynamic' fields in TA certificates:

  - the validity period (notBefore, notAfter)
  - the SubjectInfoAccess (where can the RP find the first repository?)
  - the extensions for IP addresses & AS identifiers (RFC 3779 INRs)
    (the RFC 3779 extensions are of critical importance to the
    RPKI's chain validation algorithm)

RIRs will want RPs to validate using the 'latest' issuance of the TA
certificate, because a TA cert from 10 years ago obviously will be 10
years behind on operational decisions, potential SIA migrations,
resource transfers, new IANA assignments, or any other updates to the
RIR's current holdings.

How to repair this situation?

The plan to overcome this risk has three steps:

step 1) RPs to prefer shorter-lived Trust Anchor certificates over
        longer-lived ones. (rpki-client already implemented this)
        https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rpki-ta-tiebreaker

step 2) RPs ship with scheduled future refusal of ultra long-lived Trust
        Anchor certificates (that's the below diff).

step 3) Consequently, RIRs have to reissue shorter-lived TA certificates
        to avoid being rejected by RPs.

The end result is that after anno 2026 / 2027, if 100 year or 10 year
certs are somehow brought back into circulation, RPs will simply refuse
such long-lived certs, despite them technically being 'valid'.

Why this works:

The ta-tiebreaker mechanism provides an incentive for TA operators to
reissue with reasonable (1 or 2 year) validity periods, as those certs
will be preferred. In turn, RPs scheduling refusal of long-lived certs
at a predetermined future point in time relieves TA operators from
worrying about previously issued certs with ultra long lifetimes. It is
a win-win for everyone in the ecosystem.

Scheduling details:

- February 2nd 2026 for phase 1, because 02-02-2026 is an unambiguous
  date both in the US and elsewhere.
- March 3rd 2027 for phase 2, because 03-03-2027 also is unambiguous and
  visually is very distinct from the phase 1 date.

The hope is that with this schedule global coordination will be less
error-prone, and everyone should get adequate preparation time.

Discussed with various RIRs

with & OK tb@
2024-12-18 16:38:40 +00:00
tb
76232002e5 tcpdump: switch this gross macro to using c99 initializers
This should really be a function with a switch, but I have enough
dumpster fires to deal with, so I'm not going to add tcpdump.

ok denis
2024-12-18 06:36:48 +00:00
tb
7598353d73 tcpdump: fix an off-by-one so that this can also print gwid
ok denis
2024-12-18 06:33:25 +00:00
claudio
86da87d93e Bump version 2024-12-16 16:14:46 +00:00
claudio
b3b12989e0 Adjust enum msg_type since they are now prefixed.
OK tb@ millert@ deraadt@
2024-12-16 16:10:46 +00:00
claudio
0d4ceb4100 Prefix enum msg_type with MSG_ to prevent a duplicate symbol warning
for NOTIFICATION (which is also used in parse.y as token).
OK tb@ millert@ deraadt@
2024-12-16 16:10:10 +00:00
tb
39b34cbdda Determine the expiration date also for TA certs
Avoids an incorrect "Signature path expired" for such certs.

noticed by and ok job
2024-12-16 13:53:37 +00:00
denis
f4b7e39cf3 Add a missing AF description.
Previously the wrong description was returned if the address family number was greater than 16.

OK tb
2024-12-15 21:37:11 +00:00
tb
1f50142272 Fix copy-paste error 2024-12-15 19:42:33 +00:00
tb
851f546489 Only warn about pruning VRPs if there's anything to prune
ok job
2024-12-15 19:40:07 +00:00
denis
5bfef6125a Fix wrong token name
OK claudio@
2024-12-14 21:24:31 +00:00
claudio
2364114a54 bgpctl bits for RFC 8358 (Graceful notification) support
OK tb@
2024-12-13 19:22:01 +00:00
claudio
6c15f94398 Implement RFC 8538: Notification Message Support for BGP Graceful Restart
This is an extension to graceful restart and requires graceful restart to
be enabled to work. The NOTIFICATION bits are implemented as specified but
a much more strict stand was taken as to when to send a graceful reset.

bgpd only sends graceful notifications for a few cease cases (same as in
the RFC) and for the holdtimer and sendholdtimer errors. Everything else
is a hard error because the other side is not trustworthy.

OK tb@
2024-12-13 19:21:03 +00:00
claudio
442a03204b Cache the Adj-RIB-Out for sessions that have not been down for more than
INTERVAL_SESSION_DOWN (3600) seconds.

Rebuilding the Adj-RIB-Out is a lot of work while keeping the RIB in sync
is reasonably trivial. So avoid the work for the case that a session
was just quickly reset. This only works if the same peer settings are
used in the old and new session.

For this introduce an IMSG_SESSION_DELETE that tells the RDE to remove the
peer and split peer_down into a part that takes the session down (and
clears the Adj-RIB-In) and a part that frees the peer (peer_delete).
The SE now sends an IMSG_SESSION_ADD command on first connect and skips
that imsg on later connects unless IMSG_SESSION_DELETE was called before.
During config reload the IMSG_SESSION_ADD calls only need to happen when
the RDE actually has that information.

OK tb@
2024-12-12 20:19:03 +00:00
pascal
7c9b6f9dcf Do not hardcode the CRL lifetime for "ikectl revoke" to 365 days. This value
is supposed to be configurable via ikeca.cnf.

ok tobhe@, "probably ok" sthen@
2024-12-12 17:29:33 +00:00
claudio
f666252400 Introduce a peer_reaper() which asynchronously removes the Adj-RIB-Out
of a peer.

Once the peer is kind of done enqueue it onto the zombie list and then
the reaper will take care of the Adj-RIB-Out.
OK tb@
2024-12-11 09:19:44 +00:00
dlg
0c21bd8129 init snapend when handling DLT_PFSYNC interfaces.
this helps avoid segfaults when using tcpdump -X and similar.
2024-12-11 04:05:53 +00:00
claudio
6df2f81829 In prefix_adjout_update() and prefix_adjout_withdraw() only link
prefixes to the update / withdraw queue if the peer is up.

For updates the Adj-RIB-Out is already updated and nothing more needs to happen.
For withdraws the prefix is unlinked and needs to be destroyed if the peer is
not up. For this to work correctly mark the prefix as dead.

Right now this is a no-op since the functions are only called if the peer
is up.
OK tb@
2024-12-10 20:06:11 +00:00
claudio
6d701af4d6 A lot of space fixing and other minor consistency fixes that have no
effect on the code but reduce eyestrain.
OK tb@
2024-12-10 16:29:07 +00:00
claudio
1d44387dec Introduce a SessionDownTimer that is started when a session goes down
and is stopped when the session comes up (ESTABLISHED state).
Right now it is used to remove cloned sessions. For that the SessionDownTimer
is also started when a clone is created.
OK tb@
2024-12-10 14:34:51 +00:00
claudio
d31a879178 For ROUTE_REFRESH_REQUEST use peer_blast() since the Adj-RIB-Out is
already calculated. Saves a fair bit of work by skipping peer_dump().
OK tb@
2024-12-10 13:40:02 +00:00
claudio
fcf73b57ed Make the unknown AID case in pt_writebuf() a fatal error.
The pointer passed to pt_writebuf() is bad and there is no reason to limp
further. Someone else will trip over this at a later stage so better to
do it now.
OK tb@
2024-12-10 13:29:47 +00:00
claudio
c8208cf126 Refactor code around peer_dump.
Rename the upcall and done callbacks:
 - rde_up_adjout_force_upcall() to peer_blast_upcall() and same for done
 - rde_up_dump_upcall() to peer_dump_upcall() and same for done
Introduce peer_blast() which blasts out the Adj-RIB-Out including all
the route refresh messages (BEGIN_RR, EOR and END_RR) needed.
peer_dump() now always throttles the peer before starting the table walk to
fill the Adj-RIB-Out and calls peer_blast() in all cases (either directly or
via the peer_dump_done() call).
OK tb@
2024-12-10 12:23:42 +00:00
jmc
49f9fe9c73 increaded -> increased 2024-12-09 11:38:38 +00:00
claudio
82293aeb2b Bits for the new extended message capability (RFC8654).
OK tb@
2024-12-09 10:52:27 +00:00
claudio
25cbba3a33 Add support for extended messages (RFC8654)
This extends the maximum message size of BGP from 4096 to 65535.

This mostly follows rfc8654 with the following differences:
- NOTIFICATIONS are always truncated to fit in 4096 bytes.
- There is no message reduction using "attribute discard" in case of overflow.
- Large messages are only sent if both sides announced extended message support.
OK tb@
2024-12-09 10:51:46 +00:00
job
b5d1cb3f60 Update references for recent RPKI specifications 2024-12-04 16:17:31 +00:00
mpi
ffce2a5431 Disallows registering multiple probes of the same type.
If a bt(5) script uses the same probe multiple times (like interval:hz),
btrace(8) has currently no knowledge of which rule to execute when it
parses events read from the kernel.

Disable the functionality until someone in need of such a feature comes
up with a nice implementation.

From Christian Ludwig.
2024-12-04 09:33:41 +00:00
tb
ddff58c964 Fix debug output for http headers
from Kenjiro Nakayama
2024-12-04 07:58:51 +00:00
job
dab7a176b1 Add more checks for router keys
OK tb@
2024-12-03 14:51:09 +00:00
claudio
3a99c822f7 Only set the SO_RCVBUF and SO_SNDBUF on the socketpair to what we want.
Do not retry if that fails hoping for a different result.
OK tb@ kn@
2024-12-03 13:46:53 +00:00
claudio
5ffbcedbb1 Add /rib/in and /rib/out as endpoints to query the Adj-RIB-In and Adj-RIB-Out
respectively.

Also fix the rib query parameter to properly work. bgpctl calls this table.
OK sthen@
2024-12-03 10:38:06 +00:00
sthen
d11b04b269 Have pkg_add run ldconfig after each updateset if the list of shared
libraries was changed. Before @tag we used to execute programs directly
as part of many updates (rebuilding desktop databases, icon cache, etc)
but those are now usually deferred until the end of the run, leaving
some executables not able to be run until pkg_add finishes.

From espie.
2024-12-02 22:32:57 +00:00
claudio
ba04a0e746 Check in bgpctl show rib commands if the table / rib passed is
Adj-RIB-Out and in that case set F_CTL_ADJ_OUT on the request.
With this 'bgpctl show rib out' and 'bgpctl show rib table Adj-RIB-Out'
return the same results.
OK tb@
2024-12-02 16:31:51 +00:00
claudio
aaaf7e1f15 Remove the ASPA imsg size workaround now that imsg are large enough to
handle MAX_ASPA_SPAS_COUNT (10k) entries.
OK tb@
2024-12-02 15:13:57 +00:00
claudio
5bf6f54305 Bump imsg size like bgpd just did.
OK tb@
2024-12-02 15:03:46 +00:00
claudio
04e124822c Bump imsg size up to MAX_BGPD_IMSGSIZE (128k) to support extended messages
and more.
OK tb@
2024-12-02 15:03:17 +00:00
job
bf5a499ba8 If AS0 TALs are provided, by default omit VRPs derived from such AS0 TALs
AS0 TALs represent unmitigated operational risks: what if the RIR by
accident marks some IP space as 'unassigned'?

APNIC notes in their limitation of liability statement:

    """
    Depending on router configuration, errors in the AS0 ROA could
    cause unintended interruption to routing with other networks.
    For this reason, it is strongly recommended that the AS0 ROA is
    used for advisory and/ or alerting purposes only, and not for
    automatic filtering of BGP routes.
    """
    https://www.apnic.net/community/security/resource-certification/apnic-limitations-of-liability-for-rpki-2/

Guard usage of AS0 TALs behind new '-0' option

OK deraadt@ tb@
2024-12-02 14:55:02 +00:00
claudio
3417aeaedd Remove global queue_buf which is no longer used.
OK compiler
2024-12-02 13:46:11 +00:00
kn
347b73737b -o[arg] must not have spaces between option and argument; OK jmc
getopt(3) says so and, e.g. 'mrouted -d 1' must be 'mrouted -d1' to work.
dhcpd(8) and sed(1) got this right, our multicast programs did not.
2024-12-01 09:58:15 +00:00