1.5.2

Improvements since 1.5.1:

1. #51: Fix crash when --server.address is not defined in the configuration.
2. 673c679: Change autogen.sh's interpreter to /bin/sh. (Allows straightforward compilation on default *BSDs.)
3. #53: Add RPM packages to the release.
4. #55: Fix situational crash due to bad code cleanup.
5. eb68ebb, 274dc14: Performance optimizations.
6. #57: Fix practically inevitable crash in server mode's second iteration.
7. #58: Remove BGPsec certificate code. (Was crashing easily; needs more testing.)

Please note that version numbers no longer include "v".
(ie. "1.5.2", not "v1.5.2".)
I did this to streamline RPM package generation.
You might need to adjust scripts.

v1.5.1

Changes:

Add ROA export in JSON format

Fort can now output ROAs (as well as Router Keys) in JSON format. (In addition to the old CSV format.) This is controlled by the --output.format flag.

#47

Patch NID retrieval/registration

Fort was quitting (during initialization) when the libcrypto implementation already declared some of its NIDs. Fort now handles existing NIDs properly.

#48

Ignore SIGPIPE in standalone mode

When the RPKI repository hangs in the middle of a file transfer, Fort sometimes receives a "Broken Pipe" signal (SIGPIPE). For dumb historical reasons, the default response to SIGPIPE is sudden program termination.

Previous versions of Fort actually did register a proper SIGPIPE handler, but only when in server mode. The handler now applies globally.

#49

Near complete rewrite of the RTR server

Previous model:

When the RTR server opens a connection, it borrows a thread from the thread pool, and tasks it with the whole connection.

Needless to say, one thread per router didn't scale well. The new model is

When the RTR server receives a request, it borrows a thread from the thread pool, and tasks it with the request.

So --thread-pool.server.max was a hard limit for simultaneous RTR clients (routers), but now it's just a limit to simultaneous RTR requests. (Surplus requests will queue.) This is much less taxing to the CPU when there are hundreds of clients.

--thread-pool.server.max's maximum value also changed: From 500 to UINT_MAX.

Fix --work-offline

This flag stopped working in version 1.4.1. It's back now.

Changed the delta expiration conditional

Was "keep track of the clients, expire deltas when all clients outgrow them." I see two problems with that:

1. It'll lead to bad performance if a client misbehaves by not maintaining the connection. (ie. the server will have to fall back to too many cache resets.)
2. It might keep the deltas forever if a client bugs out without killing the connection.

New conditional is "keep deltas for server.deltas.lifetime iterations." --server.deltas.lifetime is a new configuration argument.

Improve --init-tals

1. Update the TAL URLs. (The old ones were very obsolete.)
2. Add --init-as0-tals. (Used to download the ASN0 TALs.)
3. Deprecate and zero-op --init-locations. (Didn't make sense. If the user needs a different URL, they can do curl or wget instead.)
4. Deprecate fort_setup.sh. (Seems to be redundant. --init-tals already takes care of downloading TALs.)

Lots of small bugfixes

This list is probably not exhaustive:

• Libcurl: Catch lots of status codes properly. (They were being ignored.)
• Libcurl: Send proper data types to curl_easy_setopt(). (Argument types were not matching documented requirements.)
• Libcurl: Eliminate the custom writefunction. (It was buggy, and there was no reason to override the default implementation.)
• Remove redundant fopen() and fclose() during valid_file_or_dir(). (If stat() is used instead of fstat(), there's no need to open and close the file.)
• Segmentation Fault handler: Remove illegal operations. (This was unlikely to be affecting anyone.)
• main: Add result code sanitizer. (Forces Fort's exit status code to be in the range 0-125.)
• Deltas: Do not discard meaningful validation results when the deltas array cannot be built for miscellaneous errors. (Deltas are optional; as long as Fort has the snapshot of the latest validation results, it can keep serving routers. At a lower performance, but functional nonetheless.)
• Deltas: The database was always keeping one serial's worth of obsolete deltas. (Cleaned up, saves a potentially large amount of memory.)
• Deltas: The code computed deltas even whene there were no routers listening. (Connected routers are the only delta consumers, so there was no need to waste all that time.)
• Deltas: Start from serial 1. (I found an RTR client implementation [Cloudflare's rpki-rtr-client] that hangs when the first serial is zero. Zero is technically a valid serial, but whatever.)
• sockaddr2str() was returning a pointer to invalid memory on success. (This was only used to print addresses.)
• Deltas: Serials weren't being compared according to RFC 1982 serial arithmetic. This was going to cause mayhem when the integer wrapped. (Though Fort always started at 0, and serials are 32-bit unsigned integers, so this wasn't going to be a problem for a very long time.)
• Thread pool: Hard to explain termination bug. (See problem 4.)

Tweaked lots of logging messages

Please review if you're parsing them.

One significant change is that logs are now semaphore'd, so they shouldn't mix anymore.

v1.5.0

The main updates of this release are:

• Add argument to daemonize the process (--daemon arg).
• Integrate TALs download to the binary (--init-tals arg).
• Implement a thread pool for incoming RTR clients and TALs validation.

Special thanks to Ivaylo Josifov from VarnaIX/Varteh Ltd! For his contribution regarding the implementation of the thread pool.

The public key to verify the tarball is here (it isn't certified yet).

Changes since v1.4.2:

• Updates

  • Add a warning message to the operation logs when the first validation cycle begins and ends. This is only to notify the RTR server availability to receive clients (router connections).
  • Add --daemon argument to daemonize FORT validator; fixes #25.
  • Integrate the TALs download to FORT binary, by using --init-tals argument.
  • Terminate execution when there's no more memory available, since a full recovery after this isn't assured; related to #40. The RPM and DEB packages will restart the service if FORT validator ends this way, this is achieved using RestartForceExitStatus service setting.
  • Implement a thread pool that's utilized to attend incoming RTR clients (see --thread-pool.server.max) and to process TALs during each validation cycle (see --thread-pool.validation.max).

• Docs

  • Add links for router OS configurations (Mikrotik, Nokia, Arista, and Huawei) at Routers - Router configuration.
  • Add "Quick Start" section at Home and README.

v1.4.2

The main updates of this release are:

• Use a local workspace to store all files fetched via HTTP (includes RRDP, see #39).
• Fix bug that could lead to keep stale data when the local cache directory was removed.
• Create an official RPM package.

The public key to verify the tarball is here (it isn't certified yet).

Changes since v1.4.1:

• Bug fixes

  • If the --local-repository was deleted in between validation cycles, stale data could be kept a long time. Now this doesn't happens, since the files are sync'd again via RRDP if they aren't found (if RRDP is supported and --http.priority is on top).

• Updates

  • Create and use local workspaces for all the files fetched via HTTP, including RRDP resultant files; related to #39.

• Docs

  • Add installation steps for the recently created RPM package.

v1.4.1

This release fixes a couple of bugs found at v1.4.0:

• Memory leak due to a bad structure release.
• Bad lock usage when storing an error'd repository URI.

The issue #41 was a consequence of one of these bugs.

The public key to verify the tarball is here (it isn't certified yet).

Changes since v1.3.0:

• Bug fixes

  • Use the adequate function to release a temporary URI structure (this bug was causing a memory leak).
  • Request write lock whenever a new error'd URI is stored, the lock is used from the start to the end of the transaction.

• Docs

  • Add missing parenthesis at Logging section.

v1.4.0

The main updates of this release are:

• Upload Dockerfile so that the docker image can be built (located at the docker directory) (fixes issue #17).
• Prefer HTTP repositories over RSYNC repositories by default (fixes issue #34).
• RTR server can be bound to multiple IPs (server.address can be a list of addresses).
• New incidences for stale manifests (incid-mft-stale) and stale CRLs (incid-crl-stale).

The public key to verify the tarball is here (it isn't certified yet).

Changes since v1.3.0:

• Bug fixes

  • Some XML parsing and validation errors where printed straight to stderr, now they're printed to the configured validation-log.output.
  • The protocol part of an URI only was only valid in lowercase, now the case is ignored.

• Updates

  • Upload Dockerfile in order to build a docker image, fixes issue #17.
  • RTR server can be bound to multiple IPs by using a list of addresses in server.address; each address must have the format <address>#<port> (the #port is optional, if none is indicated then server.port is utilized as the default port).
  • Deprecate all rrdp.* arguments, renaming them to http.*. The new arguments are http.enabled, http.priority, http.retry.count and http.retry.interval. They apply for each outgoing HTTP request.
  • 3 of the 4 TALs now include an HTTPs URI (one of them still hasn't the TA on an HTTPS URI), fixes issue #34.
  • HTTPS requests are now preferred by default over RSYNC requests, this applies only when both of the options are present, related to #34.
  • New incidences for stale manifests (incid-mft-stale) and stale CRLs (incid-crl-stale).

• Docs

  • Add steps to install Debian package created by Marco D'Itri
  • Add build steps for Gentoo and Alpine.
  • Add docs to build and run the docker image.
  • Update docs to include new arguments http.*, behavior of server.address, and new incidences.
  • Add a section for deprecated arguments.

v1.3.0

The main updates of this release are:

• Separate validation logs from operation logs, the validation logs are disabled by default.
• Allow to work with local files if a repository can't be synced.

The public key to verify the tarball is here (it isn't certified yet).

Changes since v1.2.1:

• Bug fixes

  • Minimize function calls and processing once a fork is made to execute rsync, related to issue #35.

• Updates

  • Separate the validation messages from the operation messages, each log type has its own configuration arguments.
  • Include a configurable syslog facility for each log type, useful when syslog is utilized.
  • Add new argument stale-repository-period. When a repository URI can't be reached, the validator will log the error messages at the operation log after stale-repository-period seconds had elapsed since the first error fetching the repository URI.
  • Allow to work with local files if a repository can't be synced.

• Docs

  • Add installation steps for Gentoo, based on an ebuild from issue #23.
  • Update all logging docs, since now there are two types of logs: operation and validation.
  • Update docs to include new argument stale-repository-period.

v1.2.1

The main updates at this release are:

• Wait for RTR client connections once the first validation cycle is done.
• Improve SLURM file(s) processing.
• New incidences related to manifests validation.

The public key to verify the tarball is here (it isn't certified yet).

Changes since v1.2.0:

• Bug fixes

  • Add broken pipe (SIGPIPE) signal handler, this avoids a sudden death when the socket is still alive at the server but closed at the client side.
  • Don't hold the DB lock when the SLURM is being loaded.
  • Specific for CentOS7 libcurl: check for time condition met/unmet (whenever the HTTP header "If-Modified-Since" is sent) when requesting RRDP update notification files.
  • Stop sending PDUs on reset exchange error.
  • Fix GCC 10 compiling error and warnings, this fixes #32.

• Updates

  • Wait for client connections at --server.port until the first validation cycle is done.
  • Update internal PDU logs.
  • SLURM upgrades:
    • Improve loading process, use an internal cache when a SLURM file is being loaded.
    • Don't discard the loaded SLURM if there's an error applying it.
    • Calculate SLURM file(s) checksum and compare it with its previous one to avoid loading each SLURM at every validation cycle if there aren't updates.
    • Stop doing unnecessary validations, since they aren't part of the RFC 8416: duplicated elements at the same file, covered prefixes at the same file.
  • Add new incidences related to manifests processing, fixes issue #28. The new incidences are:
    • incid-file-at_mft-not-found (default value: error).
    • incid-file-at-mft-hash-not-match (default value: error).
  • Internal improvements resultant from a code review (thanks to @ydahhrk).

• Docs

  • Add new incidences documentation: incid-file-at_mft-not-found and incid-file-at-mft-hash-not-match.
  • Add CAP_NET_BIND_SERVICE capability usage (thanks to @rfc1036 for the comment at #22 (comment)).
  • Fix Debian dependencies.
  • Add MALLOC_ARENA_MAX memory tuning quirk, specific for Linux and glibc.

v1.2.0

The main updates at this release are:

• RFC 8182 "The RPKI Repository Delta Protocol (RRDP)" support.
• RFC 8630 "Resource Public Key Infrastructure (RPKI) Trust Anchor Locator" support.
• New incidence incid-obj-not-der-encoded to validate DER encoding of a signed object (see RFC 6488 section 3 bullet 1.l).
• Remember last valid SLURM in case of syntax error with newer SLURMs(s).
• Setup script to ease ARINs TAL download (see more).
• sync-strategy will be deprecated, log a warning and invite to use rsync.strategy instead.

The public key to verify the tarball is here (it isn't certified yet).

Changes since v1.1.3:

• Bug fixes

  • Solve issue #9 "Use previous valid SLURM configuration on SLURM error": whenever there's an error, apply the last valid SLURM version.
  • If an empty value was sent to arguments that expect paths (eg. fort --tal=), this was treated as valid; now this isn't allowed.
  • rsync execution logs didn't logged to syslog, now they do.
  • Allow reuse server address/port on restart.
  • Try to fetch the trust anchor certificate from another URI whenever the previous TAL URI wasn't fetched due to an error.
  • Standard output wasn't flushed when the console logs where piped, now it is flushed.

• Updates

  • Support RRDP (solves issue #20).
  • Support HTTPS URIs in TALs (solves issue #19).
  • Add new incidence incid-obj-not-der-encoded to validate signed objects DER encoding.
  • Log additional information on start/end of a validation cycle, the information is printed at log level info:
    • When a client starts/ends a connection, or when the connection is killed (print its address and an internal ID).
    • When a new validation cycle is started and finished (includes number of valid Prefixes and Router Keys, current/new serial number, and real execution time).
  • Add setup script to ease ARINs TAL download, explicitly accepting their RPA. The script does the following:
    • Invites to agree ARIN RPA and downloads ARIN's TAL.
    • Downloads the rest of the TALS from github repository.
    • Creates a local repository directory, and an example configuration file.
  • Create examples directory:
    • Move tal directory to this new directory.
    • Add a valid configuration file.
    • Add a valid SLURM file.
  • New configuration arguments added:
    • work-offline: Disables outgoing requests to work only with local files from local-repository.
    • http.user-agent: User-Agent header set at HTTP requests.
    • http.connect-timeout: Timeout in seconds for the connect phase at HTTP requests.
    • http.transfer-timeout: Maximum allowed time that an HTTP request can take.
    • http.idle-timeout: Maximum idle time during an HTTP request.
    • http.ca-path: Directory where CA certs to verify peers are found.
    • rrdp.enabled: Enables RRDP files processing.
    • rrdp.priority: Priority to use this protocol whenever a CA has another option to access the repository files.
    • rrdp.retry.count: Maximum number of retries on requests error.
    • rrdp.retry.interval: Interval (in seconds) between each retry.
    • rsync.enabled: Enables RSYNC execution.
    • rsync.priority: Priority to use this protocol whenever a CA has another option to access the repository files.
    • rsync.strategy: Synchronization download strategy (replaces sync-strategy).
    • rsync.retry.count: Maximum number of retries whenever there's an execution error.
    • rsync.retry.interval: Interval (in seconds) between each retry.
    • asn1-decode-max-stack: indicates the max stack size that can be utilized when decoding ASN1 objects (mainly to avoid a stack overflow).
  • Update unit tests.

• Docs

  • Indicate full RFC 8182 and RFC 8630 compliance.
  • Add docs for new configuration parameters (at web docs module 'Program arguments' and user man).
  • Add the usage of the setup script at Installation module, as well as the new dependencies of libcurl and libxml2.
  • Add new section 'Routers', contains a basic explanation of data exchange with routers.
  • Update 'Incidences' module to include DER encoding validation (incid-obj-not-der-encoded).
  • Update RFC compliance of RFC 6488 to 100%.
  • Update READMEs to use relative paths instead of always use master URLs.
  • Replace '2019' year refs to '2020'.

v1.1.3

This release includes a bug fix: don't update valid prefixes and router keys database if one of the root certificates had a communication error (rsync) or a processing error.

The public key to verify the tarball is here (it isn't certified yet).

Changes since v1.1.2:

• Bug fixes
  • Prefixes and router keys database isn't altered whenever there's a communication error with a root certificate.