Recommendation to update RPKI validators
Hi all, About eight months ago I discovered a number of issues in the validation procedure of most RPKI validator softwares (including the RIPE NCC Validator, Routinator, and OctoRPKI). The impact of improper verification of Manifests (and associated aspects of the X.509 system) in the RPKI can have rather dramatic effects in today's Internet routing landscape. When handling a manifest, make sure everything is accounted for! The mitigation guidance is at present is very simple: just make sure all deployed RPKI validators are updated to the latest version. Going forward I hope our industry as a whole will be able to respond faster to issues of this type. A write-up with examples and details is available here: http://sobornost.net/~job/manifest_handling_issue.txt Thank you to all involved who helped fix & progress this issue. Kind regards, Job
participants (1)
-
Job Snijders