top of page
Search

Rpki-client 9.7 released

  • hello931573
  • 2 days ago
  • 2 min read

Copied from the OpenBSD announce mailing list: https://marc.info/?l=openbsd-announce&m=176834126417093&w=2


rpki-client 9.7 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon. It is recommended
that all users upgrade to this version for improved reliability.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties to facilitate
validation of BGP announcements. The program queries the global RPKI repository system and validates untrusted network inputs. The program outputs validated ROA payloads, BGPsec Router keys, and ASPA payloads in configuration formats suitable for OpenBGPD and BIRD, and supports emitting CSV and JSON for consumption by other routing stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio Jeker, Job Snijders, Theo Buehler, Theo de Raadt, and Sebastian Benoit as part of the OpenBSD Project.

* The Canonical Cache Representation underwent a breaking change after the adoption of https://datatracker.ietf.org/doc/draft-ietf-sidrops-rpki-ccr/ as a SIDROPS working group item. Apart from several CMS-related cosmetics, it now uses a IANA-assigned content type. As a result, rpki-client 9.7 cannot parse rpki-client 9.6's .ccr files and vice versa.

* Support for Ghostbusters Record objects (RFC 6493) has been removed. Nobody showed interest in deploying this and there are other, widely supported ways of exchanging operational contact information such as RDAP. RFC 6493 is undergoing a status review to be marked as historic: https://datatracker.ietf.org/doc/status-change-rpki-ghostbusters-record-to-historic/

* Prepare the code base for the opaque ASN1_STRING structure in OpenSSL 4.

* Fixed two reliability issues: one where a malicious RPKI Certification Authority can trigger a crash, one where malicious Trust Anchor can provoke memory exhaustion. Thanks to Xie Yifan for reporting.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.6, a libtls library compatible with LibreSSL 3.6 or later, expat and zlib.

rpki-client is known to compile and run on at least the following operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat, Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt rpki-client-portable to more distributions.

The mirrors where rpki-client is available can be found on https://www.rpki-client.org/portable.html

Reporting Bugs:
===============

General bugs may be reported to tech@openbsd.org.

Portable bugs may be filed at https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.

Assistance to coordinate security issues is available via security@openbsd.org.

 
 
 

Recent Posts

See All
OpenBGPD 9.0 & bgp-perf release!

OpenBGPD 9.0 has been released, which will be arriving in the OpenBGPD directory of your local OpenBSD mirror soon. Additionally, a new software package named " bgp-perf " has been made available. T

 
 
 
OpenBGPD 8.9 released

OpenBGPD 8.9 has been released and will soon be arriving in the OpenBGPD directory of your local OpenBSD mirror. This release includes the following changes to the previous release: In verbose mode lo

 
 
 
rpki-client 9.6 released

rpki-client 9.6 has just been released and will be available in the rpki-client directory of any OpenBSD mirror soon. It is recommended...

 
 
 

Comments

bottom of page