RPKI/BGP subject matter expert, Internet routing security hacker-for-hire, OpenBSD developer
I authored a new Policy Proposal: "Revocation of Persistently Non-functional Delegated RPKI CAs"
Policy proposal itself: https://www.ripe.net/community/policies/proposals/2025-02/
Discussion: https://mailman.ripe.net/archives/list/routing-wg@ripe.net/thread/SW7HSAGK57X4WFCMF4YMU2SN6ABQTY5A/
Consider chiming in!
@pesco @canadianbryan @prahou about 10 bucks/euros
@canadianbryan @prahou made the art
@OpenBSDAms @biglinter I didn't make one, but you can!
Ooh a cat drawn out by making IP addresses ping!
https://bgp.tools/prefix/185.87.56.0/22
#RPKI's 2024 Year in Review by @job https://mailarchive.ietf.org/arch/msg/sidrops/wI_PqEMsScRh1-jYl8XYPDI-3qE/
For more background on the ultra long-lived root certificates, see https://mailarchive.ietf.org/arch/msg/sidrops/-Y5NfXnGfDbeGOCAFj5xHgU90Zo/
rpki-client 9.4 has been released! This release imposes restrictions on Trust Anchor certificate validity periods, includes ASPA support for BIRD2, protection against AS0 TALs, and various reliability improvements. Read the release notes here: https://cdn.openbsd.org/pub/OpenBSD/rpki-client/rpki-client-9.4.txt
The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED BUT REPULSIVE", "WRONG BUT WROMANTIC", "FREQUENTLY MISUNDERSTOOD", "NOBODY BOTHERS WITH THIS BIT", "SHOULDN'T REALLY BUT WE WON'T JUDGE", "REQUIRED IN ORDER TO WORK AROUND EVERYONE ELSE'S BUGS", "YOU DO YOU", and "OBVIOUSLY ABSURD BUT VERY COMMON FOR SOME REASON" in this document are to be interpreted as described in RFC 2119.
New (short) RFC: Detecting RPKI Repository Delta Protocol (RRDP) Session Desynchronization https://www.rfc-editor.org/rfc/rfc9697.html Rpki-client was the first to implement Tiesβs clever concept
Juicht, allen, juicht! Dankzij de hemelmechanica gaat de zon *vanaf morgen* al iets later onder. Geniet ervan! π
(De nachten worden korter vanaf 21/12; 's ochtends is het nog wachten tot 31/12 eer de zon weer vroeger opkomt.)
RFC 9674: Same-Origin Policy for the RPKI Repository Delta Protocol (RRDP), J. Snijders, https://www.rfc-editor.org/info/rfc9674 #RFC This document describes a Same-Origin Policy (SOP) requirement for Resource Public Key Infrastructure (RPKI) Repository Delta Protocol (RRDP) servers and clients. Application of a SOP in RRDP client/server communication isolates resources such as Delta and 1/2
RFC 9687: Border Gateway Protocol 4 (BGP-4) Send Hold Timer, J. Snijders, et al., https://www.rfc-editor.org/info/rfc9687 #RFC This document defines the SendHoldTimer, along with the SendHoldTimer_Expires event, for the Border Gateway Protocol (BGP) Finite State Machine (FSM). Implementation of the SendHoldTimer helps overcome situations where a BGP connection is not terminated after the 1/2
Our favorite Internet routing protocol - BGP - just got an update!
The mechanism in this RFC should help a bit against zombie routes and other problems https://rfc-editor.org/rfc/rfc9687.html
hat tip to @benjojo and Yingzhen Qu for sticking it out with me
rpki-client 9.2 has just now been released! \o/ This is a bugfix release, it is recommended that all users upgrade to this version for improved reliability. Release notes are here https://marc.info/?l=openbsd-announce&m=172449237716591&w=2
OpenBSD rpki-client 9.1 has been released. This release contains novel replay attack & DoS countermeasures, bug fixes, and more. Read the full announcement here: https://marc.info/?l=openbsd-announce&m=171917608831201&w=2
Proudly made without AI π
The year is 2030.
Computers boot directly into the browser. IDEs are just a web app now, running in the GPU. No one knows why. Or how.
All programs run in 4 nested containers on top of a hypervisor abstracting over the 5 major computational clouds. The last time a branch was predicted correctly, in any CPU anywhere, was 4 years ago.
Cloud costs are withdrawn directly from your retirement fund.
Ext7 just came out, it's written in Javascript and uses AI to guess what the file may contain.
Expiration of ROAs - what is it and how does it work? What to monitor for @dougmadory
and I teamed up to analyze and visualize what's happening under the hood of the RPKI. https://www.fastly.com/blog/times-up-how-rpki-roas-perpetually-are-about-to-expire/
