
Subject: Internet2 Network Security SIG


Re: [Security-WG] RIPE RPKI v3 Docker Containers


  • From: "Garrett, Seth B" <>
  • To: "" <>
  • Subject: Re: [Security-WG] RIPE RPKI v3 Docker Containers
  • Date: Tue, 7 Aug 2018 14:31:35 +0000
  • Accept-language: en-US

Appreciate the feedback, Dale.


I've modified the default states of both containers to operate on localhost only.  I set an optional environment variable that can be passed to change this behavior without having to rebuild the docker image.  Along with some warnings about security & proxy for the validator.  This way any movement to something not localhost is intentional.


I also modified the ARIN TAL download to be its own environment variable.  This also includes a note about reading their Relying Party Agreement.  


Thanks,


Seth Garrett
Principal Network Systems Engineer
Indiana University


From: Garrett, Seth B
Sent: Monday, August 6, 2018 5:44 PM
To:
Subject: Re: [Security-WG] RIPE RPKI v3 Docker Containers
 
That's correct.  Some discussion on it here:

https://github.com/RIPE-NCC/rpki-validator-3/issues/33

I'll update the public build and just note the need to be aware of that depending on the deployment scenario.  


Sent from my Samsung device

-------- Original message --------
From: "Dale W. Carder" <>
Date: 8/6/18 5:29 PM (GMT-05:00)
To:
Subject: Re: [Security-WG] RIPE RPKI v3 Docker Containers


Hi Seth,

RIPE specifically ships the software reachable only to localhost and
recommends using a reverse proxy to manage access.  Based on that, my
read is that it may not be a good idea to distribute a build of this
software that is accessible to the public by default.

Dale

Thus spake Garrett, Seth B () on Mon, Aug 06, 2018 at 09:23:04PM +0000:
> Here are Docker containers I made for the RIPE RPKI version 3 validation server.  I first started with a Centos container that was 600MB.  These are built on the openjdk:8-alpine container which gets them down to 165MB.  I've been running them successfully in AWS using a t2.medium EC2 Docker host running the AWS Linux OS.
>
> RPKI is pretty easy to get started with.  Information shared from Andrew Gallo and others is a very good place to start.
>
> Docker Hub:
> https://hub.docker.com/r/toomscj7/rpki3-rtr-server-alpine/
> https://hub.docker.com/r/toomscj7/rpki3-validator-alpine/
>
> GitHub:
> https://github.com/sethgarrett/rpki-rtr-server-alpine
> https://github.com/sethgarrett/rpki-validator-alpine
>
>
> Note: They will start listening on all interfaces.  Keep that in mind with regards to your Docker host's orientation to the public.  You can modify the application.properties files and rebuild to adjust that.
>
> https://github.com/RIPE-NCC/rpki-validator-3/
>
> ===========================================
> Juniper Config
>
> BGP Import Policy (chained before our existing import)
> policy-options policy-statement RPKI-VALIDATE-NEXT-POLICY
> term VALID {
>     from {
>         protocol bgp;
>         validation-database valid;
>     }
>     then {
>         validation-state valid;
>         next policy;
>     }
> }
> term INVALID {
>     from {
>         protocol bgp;
>         validation-database invalid;
>     }
>     then {
>         validation-state invalid;
>         next policy;
>     }
> }
> term UNKNOWN {
>     from {
>         protocol bgp;
>         validation-database unknown;
>     }
>     then {
>         validation-state unknown;
>         next policy;
>     }
> }
> term DEFAULT {
>     then next policy;
> }
>
> Validation Server Router Config (under routing-options)
> validation {
>     group RPKI-VALIDATOR {
>         session xxx.xxx.xxx.xxx {   (IP of your validation server)
>             refresh-time 120;
>             hold-time 240;
>             port 8323;
>             local-address xxx.xxx.xxx.xxx;  (source IP of your router)
>         }
>     }
> }
>
> Keep in mind if you use your loopback IP that you will need to be mindful of any loopback filters too.
>
> Seth Garrett
> Principal Network Systems Engineer
> Indiana University
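The Juniper policy quoted above only acts on the three states valid, invalid and unknown that the router learns from the validator over RTR. The following is an added example, not code from this thread or from the RIPE validator project, that implements the RFC 6811 origin validation rule those states come from, so you can check by hand why a given announcement lands in a given term. The VRP store, the documentation prefixes and the ASNs are constructed for the example; a real router receives its VRPs from the RTR server on port 8323.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


# Hypothetical in-memory VRP (Validated ROA Payload) store. In production the
# router gets these from the RTR server; here they are built by hand.
@dataclass(frozen=True)
class VRP:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    """Build a VRP from a textual prefix; strict=True rejects host bits set."""
    return VRP(ipaddress.ip_network(prefix, strict=True), max_length, asn)


def validate_origin(vrps, prefix: str, origin_asn: int) -> str:
    """RFC 6811 route origin validation.

    Returns "valid", "invalid" or "unknown", the same three states the Juniper
    policy matches with validation-database valid|invalid|unknown.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    # Covering VRPs: same address family and the route lies inside the VRP prefix.
    covering = [v for v in vrps
                if v.prefix.version == route.version and route.subnet_of(v.prefix)]
    if not covering:
        # No ROA says anything about this address space: NotFound / unknown.
        return "unknown"
    for v in covering:
        # A match needs the announced origin AS and a length within maxLength.
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    # Covered but unmatched: too specific, wrong origin, or an AS0 VRP
    # (AS 0 is never a real origin, so an AS0 ROA invalidates every announcement).
    return "invalid"


# Constructed sample VRP set using documentation prefixes and ASNs (not real ROAs).
SAMPLE_VRPS = [
    vrp("192.0.2.0/24", 24, 64496),
    vrp("2001:db8::/32", 48, 64496),
    vrp("198.51.100.0/24", 24, 0),   # AS0 ROA: nobody may originate this space
]


def validate_table(vrps, routes):
    """Classify several (prefix, origin_asn) pairs at once."""
    return {(p, a): validate_origin(vrps, p, a) for p, a in routes}


if __name__ == "__main__":
    sample_routes = [
        ("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
        ("192.0.2.0/24", 64511), ("203.0.113.0/24", 64496),
        ("2001:db8:1::/48", 64496), ("198.51.100.0/24", 64496),
    ]
    for (p, a), state in validate_table(SAMPLE_VRPS, sample_routes).items():
        print(f"{p:18} AS{a:<6} {state}")
```

The "unknown" case matters operationally: with the policy above every term just tags the route and falls through to the existing import policy, so nothing is dropped until you decide what to do with invalid routes, and prefixes with no ROA at all keep working unchanged.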
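Dale's point, and the change Seth made in response, is that a validator image should bind to localhost unless someone deliberately opens it. The check below is an added example, not part of this thread or of either project, that audits a Docker host for listeners on the validator ports that are reachable beyond loopback. It parses `ss -ltn` style output; the sample output is constructed, port 8323 is the RTR port from the router config above, and port 8080 for the validator UI/API is an assumption to adjust for your image.

```python
import ipaddress

# Ports to audit. 8323 is the RTR port used in the router config in the thread;
# 8080 for the validator UI/API is an assumption, change it to match your image.
WATCHED_PORTS = {8323: "rpki-rtr-server", 8080: "rpki-validator UI/API"}

# Constructed sample of `ss -ltn` output on a Docker host (not real output).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8323        0.0.0.0:*
LISTEN 0      128    [::]:8323           [::]:*
LISTEN 0      128    [::1]:8080          [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""


def parse_listeners(ss_text):
    """Yield (host, port) for every LISTEN row; host is '*' or a bare address."""
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        host, _, port = parts[3].rpartition(":")
        host = host.strip("[]")   # ss prints IPv6 sockets as [addr]:port
        if not port.isdigit():
            continue
        yield host, int(port)


def is_loopback_only(host):
    """True only when the socket is bound to a loopback address."""
    if host in ("*", ""):
        return False            # wildcard bind: reachable on every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False            # unparsable: treat as exposed and let a human look


def exposed_listeners(ss_text, watched=WATCHED_PORTS):
    """Return sorted (port, host, service) for watched ports not bound to loopback."""
    found = []
    for host, port in parse_listeners(ss_text):
        if port in watched and not is_loopback_only(host):
            found.append((port, host, watched[port]))
    return sorted(found)


if __name__ == "__main__":
    for port, host, service in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{service} on {host}:{port} is reachable beyond localhost")
```

A hit is not automatically wrong: the RTR port has to be reachable from the router's source address, as the session config above shows, and the validator UI is what you put behind the reverse proxy RIPE recommends. The point of the check is that every non-loopback listener on these ports is one you chose, which is exactly what making the wider bind an explicit environment variable achieves. Note that publishing a container port with `-p 8323:8323` binds the host side to all interfaces; `-p 127.0.0.1:8323:8323` keeps it on loopback.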


