
Fix RPKI single IPv46 #1596

Merged

Conversation

bwbroersma
Collaborator

@bwbroersma bwbroersma commented Dec 12, 2024

Current state:

  • Webserver > Route Origin Authorisation existence

    | Webserver | IP address | RPKI Route Origin Authorization |
    | --- | --- | --- |
    | rijksoverheid.nl | 178.22.85.8 | yes |
    | ... | 178.22.85.9 | yes |
    | ... | 178.22.85.10 | yes |
    | ... | 178.22.85.11 | yes |
    | ... | 2a00:d00:3:2::5 | yes |
    | ... | 2a00:d00:3:2::4 | yes |
    | ... | 2a00:d00:3:2::6 | yes |
    | ... | 2a00:d00:3:2::3 | yes |

  • Webserver > Route announcement validity

    Initial pre de-duplication version:

    | Web server | BGP Route Prefix | BGP Route Origin ASN | RPKI Origin Validation state |
    | --- | --- | --- | --- |
    | rijksoverheid.nl | 178.22.80.0/21 | AS41887 | valid |
    | ... | 178.22.84.0/22 | AS41887 | valid |
    | ... | 178.22.80.0/21 | AS41887 | valid |
    | ... | 178.22.84.0/22 | AS41887 | valid |
    | ... | 178.22.80.0/21 | AS41887 | valid |
    | ... | 178.22.84.0/22 | AS41887 | valid |
    | ... | 178.22.80.0/21 | AS41887 | valid |
    | ... | 178.22.84.0/22 | AS41887 | valid |
    | ... | 2a00:d00::/32 | AS41887 | valid |
    | ... | 2a00:d00::/29 | AS41887 | valid |
    | ... | 2a00:d00::/32 | AS41887 | valid |
    | ... | 2a00:d00::/29 | AS41887 | valid |
    | ... | 2a00:d00::/32 | AS41887 | valid |
    | ... | 2a00:d00::/29 | AS41887 | valid |
    | ... | 2a00:d00::/32 | AS41887 | valid |
    | ... | 2a00:d00::/29 | AS41887 | valid |

  • de-duplicate routes in Webserver > Route announcement validity tech table

    | Web server | BGP Route Prefix | BGP Route Origin ASN | RPKI Origin Validation state |
    | --- | --- | --- | --- |
    | rijksoverheid.nl | 178.22.84.0/22 | AS41887 | valid |
    | ... | 178.22.80.0/21 | AS41887 | valid |
    | ... | 2a00:d00::/29 | AS41887 | valid |
    | ... | 2a00:d00::/32 | AS41887 | valid |

  • test: Name servers of domain > Route Origin Authorisation existence

    | Name server | IP address | RPKI Route Origin Authorization |
    | --- | --- | --- |
    | ns3.cloudflare.com. | 162.159.7.226 | yes |
    | ... | 162.159.0.33 | yes |
    | ... | 2400:cb00:2049:1::a29f:7e2 | yes |
    | ... | 2400:cb00:2049:1::a29f:21 | yes |
    | ns4.cloudflare.com. | 162.159.8.55 | yes |
    | ... | 162.159.1.33 | yes |
    | ... | 2400:cb00:2049:1::a29f:837 | yes |
    | ... | 2400:cb00:2049:1::a29f:121 | yes |
    | ns5.cloudflare.com. | 162.159.2.9 | yes |
    | ... | 162.159.9.55 | yes |
    | ... | 2400:cb00:2049:1::a29f:937 | yes |
    | ... | 2400:cb00:2049:1::a29f:209 | yes |
    | ns6.cloudflare.com. | 162.159.5.6 | yes |
    | ... | 162.159.3.11 | yes |
    | ... | 2400:cb00:2049:1::a29f:506 | yes |
    | ... | 2400:cb00:2049:1::a29f:30b | yes |
    | ns7.cloudflare.com. | 162.159.6.6 | yes |
    | ... | 162.159.4.8 | yes |
    | ... | 2400:cb00:2049:1::a29f:606 | yes |
    | ... | 2400:cb00:2049:1::a29f:408 | yes |

  • test: Name servers of domain > Route announcement validity

    | Name server | BGP Route Prefix | BGP Route Origin ASN | RPKI Origin Validation state |
    | --- | --- | --- | --- |
    | ns3.cloudflare.com. | 162.159.0.0/20 | AS13335 | valid |
    | ... | 162.159.7.0/24 | AS13335 | valid |
    | ... | 162.159.0.0/24 | AS13335 | valid |
    | ... | 2400:cb00:2049::/48 | AS13335 | valid |
    | ns4.cloudflare.com. | 162.159.8.0/24 | AS13335 | valid |
    | ... | 162.159.0.0/20 | AS13335 | valid |
    | ... | 162.159.1.0/24 | AS13335 | valid |
    | ... | 2400:cb00:2049::/48 | AS13335 | valid |
    | ns5.cloudflare.com. | 162.159.0.0/20 | AS13335 | valid |
    | ... | 162.159.2.0/24 | AS13335 | valid |
    | ... | 162.159.9.0/24 | AS13335 | valid |
    | ... | 2400:cb00:2049::/48 | AS13335 | valid |
    | ns6.cloudflare.com. | 162.159.5.0/24 | AS13335 | valid |
    | ... | 162.159.0.0/20 | AS13335 | valid |
    | ... | 162.159.3.0/24 | AS13335 | valid |
    | ... | 2400:cb00:2049::/48 | AS13335 | valid |
    | ns7.cloudflare.com. | 162.159.6.0/24 | AS13335 | valid |
    | ... | 162.159.0.0/20 | AS13335 | valid |
    | ... | 162.159.4.0/24 | AS13335 | valid |
    | ... | 2400:cb00:2049::/48 | AS13335 | valid |

  • de-duplicate routes in Mail server(s) > Route announcement validity tech table

    Before (see fastmail.com test report):

    | Mail server | BGP Route Prefix | BGP Route Origin ASN | RPKI Origin Validation state |
    | --- | --- | --- | --- |
    | in1-smtp.messagingengine.com. | 103.168.172.0/24 | AS151847 | valid |
    | ... | 103.168.172.0/24 | AS151847 | valid |
    | ... | 103.168.172.0/24 | AS151847 | valid |
    | ... | 103.168.172.0/24 | AS151847 | valid |
    | ... | 103.168.172.0/24 | AS151847 | valid |
    | ... | 103.168.172.0/24 | AS151847 | valid |
    | ... | 103.168.172.0/24 | AS151847 | valid |
    | ... | 103.168.172.0/24 | AS151847 | valid |
    | in2-smtp.messagingengine.com. | 202.12.124.0/24 | AS151847 | valid |
    | ... | 202.12.124.0/24 | AS151847 | valid |

    After:

    | Mail server | BGP Route Prefix | BGP Route Origin ASN | RPKI Origin Validation state |
    | --- | --- | --- | --- |
    | in1-smtp.messagingengine.com. | 103.168.172.0/24 | AS151847 | valid |
    | in2-smtp.messagingengine.com. | 202.12.124.0/24 | AS151847 | valid |
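
The two checks the task list describes (per-address ROA existence, and per-route origin validation with de-duplicated table rows) as an added example; this is not Internet.nl project code. It applies RFC 6811 origin validation to every resolved A/AAAA of a server and collapses repeated rows the way the "After" table does. All ROAs, routes, prefixes, ASNs and addresses are constructed sample data.

```python
# Added example (not Internet.nl project code). ROAs, routes and addresses
# are constructed sample data using documentation prefixes and private ASNs.
import ipaddress

# Constructed validated ROA payload: (prefix, maxLength, origin ASN)
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("2001:db8::/32", 48, 64496),
]

# Constructed BGP routes covering each resolved address: address -> [(prefix, origin ASN)]
ROUTES = {
    "192.0.2.10": [("192.0.2.0/24", 64496)],
    "192.0.2.11": [("192.0.2.0/24", 64496)],
    "2001:db8:1::5": [("2001:db8:1::/48", 64496), ("2001:db8::/32", 64496)],
    "2001:db8:1::6": [("2001:db8:1::/48", 64496), ("2001:db8::/32", 64496)],
    "2001:db8:2::1": [("2001:db8:2::/64", 64496)],  # longer than maxLength -> invalid
    "203.0.113.7": [("203.0.113.0/24", 64497)],      # no covering ROA -> not found
}


def origin_validation(prefix: str, origin_asn: int) -> str:
    """RFC 6811 state: 'valid' if a covering ROA matches ASN and maxLength,
    'invalid' if covering ROAs exist but none match, otherwise 'not found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in ROAS:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa_asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not found"


def has_roa(address: str) -> bool:
    """'Route Origin Authorisation existence' column: is the address covered by any ROA?"""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(p) for p, _, _ in ROAS)


def route_validity_rows(server: str, addresses: list) -> list:
    """Rows of the 'Route announcement validity' tech table: every resolved address
    is checked (not just the first), and identical rows are kept once, in order."""
    rows = []
    for address in addresses:
        for prefix, asn in ROUTES[address]:
            row = (server, prefix, f"AS{asn}", origin_validation(prefix, asn))
            if row not in rows:
                rows.append(row)
    return rows
```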

@bwbroersma bwbroersma requested a review from mxsasha December 12, 2024 00:10
@bwbroersma bwbroersma marked this pull request as draft December 12, 2024 00:23
@mxsasha mxsasha force-pushed the gh1596-fix-rpki-single-ip46 branch from ccd0714 to 771e02a January 7, 2025 17:02
@mxsasha
Collaborator

mxsasha commented Jan 7, 2025

I think this already worked for NS with multiple A's? Do you have an example where it did not?

@bwbroersma
Collaborator Author

bwbroersma commented Jan 7, 2025

Note my simple 'fix' to patch do_resolve_ns_ips with do_resolve_a_aaaa => do_resolve_all_a_aaaa seems to break things.

@mxsasha
Collaborator

mxsasha commented Jan 7, 2025

Ah right, I overlooked your patch to do_resolve_ns_ips in this branch, so I thought that was unchanged behaviour.

@mxsasha
Collaborator

mxsasha commented Jan 8, 2025

I think this is now good? I fixed do_resolve_mx_ips just now, tests pass.

@bwbroersma
Collaborator Author

Looks good, thanks for the 🐛 fixing. Note it also fixed the de-duplication of routes in the Mail server(s) > Route announcement validity tech table, which we had not noticed before, e.g. see the fastmail.com test report.

@bwbroersma bwbroersma changed the title [WIP] Fix RPKI single IPv46 Fix RPKI single IPv46 Jan 8, 2025
@bwbroersma bwbroersma marked this pull request as ready for review January 8, 2025 19:31
@bwbroersma bwbroersma added this to the v1.9 milestone Jan 8, 2025
@mxsasha mxsasha merged commit edf12d3 into internetstandards:main Jan 8, 2025
13 checks passed
@bwbroersma bwbroersma deleted the gh1596-fix-rpki-single-ip46 branch January 10, 2025 14:16
Successfully merging this pull request may close these issues.

RPKI not *all* IPs are checked for ROA?
2 participants