
netsec-sig - Re: [Security-WG] RIPE RPKI v3 Docker Containers

Subject: Internet2 Network Security SIG


Re: [Security-WG] RIPE RPKI v3 Docker Containers


  • From: "Dale W. Carder" <>
  • To:
  • Subject: Re: [Security-WG] RIPE RPKI v3 Docker Containers
  • Date: Tue, 7 Aug 2018 16:36:29 -0500

Cool!

I've been using the prebuilt RPM on some test VMs mostly,
but this is a nice option for the community.

Oh, ARIN. <sigh>

Dale


Thus spake Garrett, Seth B
()
on Tue, Aug 07, 2018 at 02:31:35PM +0000:
> Appreciate the feedback Dale.
>
>
> I've modified the default states of both containers to operate on localhost
> only. I set an optional environment variable that can be passed to change
> this behavior without having to rebuild the docker image. Along with some
> warnings about security & proxy for the validator. This way any movement
> to something not localhost is intentional.
>
>
> I also modified the ARIN TAL download to be its own environment variable.
> This also includes a note about reading their Relying Party Agreement.
>
>
> Thanks,
>
> Seth Garrett
> Principal Network Systems Engineer
> Indiana University
> ________________________________
> From: Garrett, Seth B
> Sent: Monday, August 6, 2018 5:44 PM
> To:
>
> Subject: Re: [Security-WG] RIPE RPKI v3 Docker Containers
>
> That's correct. Some discussion on it here:
>
> https://github.com/RIPE-NCC/rpki-validator-3/issues/33
>
> I'll update the public build and just note the need to be aware of that
> depending on the deployment scenario.
>
>
> Sent from my Samsung device
>
> -------- Original message --------
> From: "Dale W. Carder"
> <>
> Date: 8/6/18 5:29 PM (GMT-05:00)
> To:
>
> Subject: Re: [Security-WG] RIPE RPKI v3 Docker Containers
>
>
> Hi Seth,
>
> RIPE specifically ships the software reachable only to localhost and
> recommends using a reverse proxy to manage access. Based on that, my
> read is that it may not be a good idea to distribute a build of this
> software that is accessible to the public by default.
>
> Dale
>
> Thus spake Garrett, Seth B
> ()
> on Mon, Aug 06, 2018 at 09:23:04PM +0000:
> > Here are Docker containers I made for the RIPE RPKI version 3 validation
> > server. I first started with a CentOS container that was 600MB. These
> > are built on the openjdk:8-alpine container which gets them down to
> > 165MB. I've been running them successfully in AWS using a t2.medium EC2
> > Docker host running the AWS Linux OS.
> >
> > RPKI is pretty easy to get started with. Information shared from Andrew
> > Gallo and others is a very good place to start.
> >
> > Docker Hub:
> > https://hub.docker.com/r/toomscj7/rpki3-rtr-server-alpine/
> > https://hub.docker.com/r/toomscj7/rpki3-validator-alpine/
> >
> > GitHub:
> > https://github.com/sethgarrett/rpki-rtr-server-alpine
> > https://github.com/sethgarrett/rpki-validator-alpine
> >
> >
> > Note: They will start listening on all interfaces. Keep that in mind
> > with regards to your Docker host's orientation to the public. You can
> > modify the application.properties files and rebuild to adjust that.
> >
> > https://github.com/RIPE-NCC/rpki-validator-3/
> >
> > ===========================================
> > Juniper Config
> >
> > BGP Import Policy (chained before our existing import)
> > policy-options policy-statement RPKI-VALIDATE-NEXT-POLICY
> > term VALID {
> >     from {
> >         protocol bgp;
> >         validation-database valid;
> >     }
> >     then {
> >         validation-state valid;
> >         next policy;
> >     }
> > }
> > term INVALID {
> >     from {
> >         protocol bgp;
> >         validation-database invalid;
> >     }
> >     then {
> >         validation-state invalid;
> >         next policy;
> >     }
> > }
> > term UNKNOWN {
> >     from {
> >         protocol bgp;
> >         validation-database unknown;
> >     }
> >     then {
> >         validation-state unknown;
> >         next policy;
> >     }
> > }
> > term DEFAULT {
> >     then next policy;
> > }
> >
> > Validation Server Router Config (under routing-options)
> > validation {
> >     group RPKI-VALIDATOR {
> >         session xxx.xxx.xxx.xxx { (IP of your validation server)
> >             refresh-time 120;
> >             hold-time 240;
> >             port 8323;
> >             local-address xxx.xxx.xxx.xxx; (source IP of your router)
> >         }
> >     }
> > }
> >
> > Keep in mind if you use your loopback IP that you will need to be mindful
> > of any loopback filters too.
> >
> >
> >
> >
> >
> > Seth Garrett
> > Principal Network Systems Engineer
> > Indiana University
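Seth's follow-up describes defaulting both containers to localhost, with an optional environment variable to change the bind address so that any move away from loopback is intentional. The following is an added example, not the code in Seth's repositories or the RIPE validator: a small renderer for the RTR server's application.properties that keeps loopback as the default, accepts only a literal IP address, and refuses a non-loopback bind address unless a second, explicit opt-in variable is set. The environment variable names RPKI_BIND_ADDRESS and RPKI_ALLOW_NON_LOOPBACK are hypothetical, and the property keys (rtr.server.address, rtr.server.port, rpki.validator.url) are assumed to follow the rtr-server's application.properties rather than taken from the thread.

```python
"""Render an RTR server's application.properties from the environment,
defaulting to loopback and requiring an explicit opt-in to bind elsewhere.

Added example; env var names and property keys are assumptions, not the
containers' own code.
"""
import ipaddress
import os

# Hypothetical variable names used by this example.
BIND_VAR = "RPKI_BIND_ADDRESS"          # bind address, defaults to loopback
OPT_IN_VAR = "RPKI_ALLOW_NON_LOOPBACK"  # must be "yes" to leave loopback
LOOPBACK_DEFAULT = "127.0.0.1"


def resolve_bind_address(env):
    """Return the bind address as a string, or raise if it is unsafe.

    - Missing variable: loopback default.
    - Not a literal IP (e.g. "localhost" or a shell fragment): ValueError.
    - Non-loopback without the opt-in flag: PermissionError.
    """
    raw = env.get(BIND_VAR, LOOPBACK_DEFAULT)
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        raise ValueError(f"{BIND_VAR} must be a literal IP address, got {raw!r}")
    if not addr.is_loopback and env.get(OPT_IN_VAR) != "yes":
        raise PermissionError(
            f"{raw} is not a loopback address; set {OPT_IN_VAR}=yes "
            "to expose the service beyond this host on purpose"
        )
    return str(addr)


def render_rtr_properties(env, validator_url="http://127.0.0.1:8080"):
    """Produce the properties file text for the RTR server.

    Property keys are assumed to match the rtr-server's application.properties
    (rtr.server.address / rtr.server.port / rpki.validator.url); port 8323 is
    the RTR port used in the Junos session config earlier in the thread.
    """
    addr = resolve_bind_address(env)
    lines = [
        f"rtr.server.address={addr}",
        "rtr.server.port=8323",
        f"rpki.validator.url={validator_url}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Typical container entrypoint use: write the file, then exec the server.
    print(render_rtr_properties(os.environ), end="")
```

Rejecting anything that is not a literal IP keeps a stray value from being written into the properties file unchecked, and splitting the address from the opt-in flag means a single typo in RPKI_BIND_ADDRESS cannot silently expose the service.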
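The Junos import policy above keys off three validation states (valid, invalid, unknown) that the router derives by comparing each BGP route against the VRPs fed to it over RTR. The following is an added example, not code from the RIPE validator, the containers or anyone on the list: an implementation of the RFC 6811 origin-validation comparison that produces those states from a VRP set, plus a grouping of routes by the policy term that would fire. The VRP class, function names and term mapping are this example's own, and the VRPs and routes are constructed sample data using documentation prefixes and private ASNs.

```python
"""RFC 6811 route origin validation: derive valid / invalid / unknown for a
(prefix, origin AS) pair from a set of VRPs, as a router does with RTR data.

Added example; not code from the RIPE validator or the containers.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: prefix, maximum length, authorised origin AS."""
    prefix: object  # ipaddress.IPv4Network or IPv6Network
    max_length: int
    asn: int


def vrp(prefix, max_length, asn):
    return VRP(ipaddress.ip_network(prefix), max_length, asn)


# Constructed sample VRPs (documentation prefixes, private ASNs).
SAMPLE_VRPS = [
    vrp("192.0.2.0/24", 24, 64496),
    vrp("2001:db8::/32", 48, 64496),
    vrp("203.0.113.0/24", 24, 0),  # AS0 ROA: no AS may originate this prefix
]


def origin_validation(route_prefix, origin_asn, vrps):
    """Return "valid", "invalid" or "unknown" per RFC 6811 section 2.

    covered: the VRP prefix contains the route prefix.
    matched: covered, same origin AS, and route length <= VRP maxLength.
    valid if any VRP matches; invalid if covered but none match; else unknown.
    """
    route = ipaddress.ip_network(route_prefix, strict=False)
    covered = False
    for v in vrps:
        if v.prefix.version != route.version:
            continue  # subnet_of() refuses mixed address families
        if not route.subnet_of(v.prefix):
            continue
        covered = True
        # An AS0 VRP never matches: no legitimate route originates from AS 0.
        if v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid" if covered else "unknown"


# Validation state -> the term in RPKI-VALIDATE-NEXT-POLICY that matches it.
JUNOS_TERM = {"valid": "VALID", "invalid": "INVALID", "unknown": "UNKNOWN"}


def classify_routes(routes, vrps):
    """Group (prefix, origin_asn) pairs by the policy term that would fire."""
    result = {"VALID": [], "INVALID": [], "UNKNOWN": []}
    for prefix, asn in routes:
        state = origin_validation(prefix, asn, vrps)
        result[JUNOS_TERM[state]].append((prefix, asn))
    return result


if __name__ == "__main__":
    # Constructed sample routes as a router might receive them from a peer.
    sample_routes = [
        ("192.0.2.0/24", 64496),      # matches the ROA
        ("192.0.2.128/25", 64496),    # too specific for maxLength 24
        ("192.0.2.0/24", 64497),      # wrong origin AS
        ("198.51.100.0/24", 64496),   # no covering ROA at all
        ("203.0.113.0/24", 64496),    # covered only by an AS0 ROA
    ]
    for term, routes in classify_routes(sample_routes, SAMPLE_VRPS).items():
        print(term, routes)
```

Note the two distinct ways a route ends up in the INVALID term: a longer-than-maxLength announcement and a wrong origin AS both count as covered-but-unmatched, while a prefix with no covering ROA at all falls through to UNKNOWN; a policy that only rejected "wrong AS" would miss the more-specific hijack case.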



Archive powered by MHonArc 2.6.19.
