OpenBSD CVS

CVS log for src/usr.sbin/rpki-client/constraints.c




Default branch: MAIN


Revision 1.4, Fri Mar 15 05:14:16 2024 UTC (2 months, 2 weeks ago) by tb
Branch: MAIN
CVS Tags: HEAD
Changes since 1.3: +2 -2 lines

whitespace

Revision 1.3, Fri Mar 15 03:38:59 2024 UTC (2 months, 2 weeks ago) by job
Branch: MAIN
Changes since 1.2: +17 -7 lines

Log which of the constraints files triggered a violation

Requested by Ties de Kock (RIPE NCC)

OK tb@

Revision 1.2, Wed Dec 27 07:15:55 2023 UTC (5 months ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5
Changes since 1.1: +4 -3 lines

Rework the warnings on internet resources

Unify the printing of warnings about AS numbers and IP address blocks to
use a call to as_warn() and ip_warn(). Fix a bug in the latter where the
upper bound of an IP range didn't take the RFC 3779 encoding into account
and passed the address directly to inet_pton() rather than filling the
missing bits with 1. Switch the argument order to match the warnings and
tweak some warning messages.

ok claudio job
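
The RFC 3779 rule behind the range upper-bound fix in the revision 1.2 log message, as an added example that is not taken from rpki-client or from the commit: a range minimum is encoded with its trailing 0 bits stripped and a range maximum with its trailing 1 bits stripped, so the decoder has to fill the missing bits with 0 or 1 respectively. The function names and the sample range 192.0.2.0 - 192.0.2.191 are constructed for illustration.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample: 192.0.2.0 - 192.0.2.191 as RFC 3779 BIT STRING octets. */
static const uint8_t sample_min[] = { 0xc0, 0x00, 0x02 };       /* 1 unused bit */
static const uint8_t sample_max[] = { 0xc0, 0x00, 0x02, 0x80 }; /* 6 unused bits */

/* Expand len octets with `unused` spare bits in the last one to a full address.
 * fill: 0x00 for a prefix or range minimum, 0xff for a range maximum. */
int
expand_addr(const uint8_t *data, size_t len, unsigned unused, size_t addrlen,
    uint8_t fill, uint8_t *out)
{
	uint8_t mask;
	if (len > addrlen || unused > 7 || (len == 0 && unused != 0))
		return -1;	/* malformed encoding */
	mask = (uint8_t)((1u << unused) - 1);
	memset(out, fill, addrlen);	/* octets absent from the encoding */
	if (len > 0) {
		memcpy(out, data, len);
		out[len - 1] = (out[len - 1] & (uint8_t)~mask) | (fill & mask);
	}
	return 0;
}

/* Hypothetical helper: expand one bound and format it; NULL on error. */
const char *
bound_str(int af, const uint8_t *data, size_t len, unsigned unused,
    uint8_t fill, char *buf, size_t buflen)
{
	uint8_t addr[16];
	if (expand_addr(data, len, unused, af == AF_INET ? 4 : 16, fill, addr))
		return NULL;
	return inet_ntop(af, addr, buf, (socklen_t)buflen);
}

int
main(void)
{
	char lo[INET6_ADDRSTRLEN], hi[INET6_ADDRSTRLEN], bad[INET6_ADDRSTRLEN];
	bound_str(AF_INET, sample_min, 3, 1, 0x00, lo, sizeof(lo));
	bound_str(AF_INET, sample_max, 4, 6, 0xff, hi, sizeof(hi));
	bound_str(AF_INET, sample_max, 4, 6, 0x00, bad, sizeof(bad)); /* the mistake */
	printf("range %s - %s (zero-filled max: %s)\n", lo, hi, bad);
	return 0;
}
```

With zero fill the printed upper bound stops at 192.0.2.128, so a warning built from it would understate the range by 63 addresses.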

Revision 1.1, Fri Oct 13 12:06:49 2023 UTC (7 months, 2 weeks ago) by job
Branch: MAIN

Allow imposing constraints on RPKI trust anchors

The ability to constrain a RPKI Trust Anchor's effective signing
authority to a limited set of Internet Number Resources allows
Relying Parties to enjoy the potential benefits of assuming trust,
within a bounded scope.

Some examples: ARIN does not support inter-RIR IPv6 transfers, so
it wouldn't make any sense to see a ROA subordinate to ARIN's trust
anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't
make sense to observe a ROA covering ARIN-managed IPv6 space under
APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust
arc (a cryptographically valid certificate path) existed. Along these
same lines, AFRINIC doesn't support inter-RIR transfers of any kind,
and none of the RIRs have authority over private resources like
10.0.0.0/8 and 2001:db8::/32.

For more background see:
https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/
https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html

With and OK tb@, OK claudio@
