rpki-client: make maximum number of publication points to sync operator configurable

2021-11-25 Thread Job Snijders
It might be advantageous to permit operators to optionally specify the maximum number of publication points with which rpki-client will synchronize. For example: "doas rpki-client -m 1 -t /etc/rpki/ripe.tal" has as effect that only RIPE NCC's repository is contacted, but none of the delegated

rpki-client: set repo_timeout to be 1/4th of timeout

2021-11-25 Thread Job Snijders
Replace MAX_REPO_TIMEOUT with repo_timeout, which is set to 1/4th of timeout, or if timeout is disabled set it to 24 hours. OK? Index: extern.h === RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v retrieving revision 1.97 diff -u

Re: rpki-client code shuffle

2021-11-24 Thread Job Snijders
On Wed, Nov 24, 2021 at 03:09:02PM +0100, Claudio Jeker wrote: > For a RRDP regress test I would like to move some functions to better > places. hex_decode() belongs into encoding.c and the publish XML code > is now in rrdp_util.c. OK job@

Re: Typo in ASN1_NULL_new.3

2021-11-22 Thread Job Snijders
On Mon, Nov 22, 2021 at 07:46:23PM +0100, Matthias Schmidt wrote: > a typo snuck in Thanks

libcrypto: add OID for RPKI ASPA objects

2021-11-09 Thread Job Snijders
IANA made a permanent registration in the SMI Security for S/MIME CMS Content Type registry at https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1 for signed objects conforming to draft-ietf-sidrops-aspa-profile OK? Kind regards, Job Index: obj_mac.num

Re: rpki-client: increase MAX_FILE_SIZE to accommodate key rollovers

2021-11-09 Thread Job Snijders
On Tue, Nov 09, 2021 at 12:12:42PM +0100, Theo Buehler wrote: > I'm ok with that. Maybe we should bump even higher, say 8M? Isn't the > main point to have a limit at all? I don't think it needs to be very > tight. I think it is best to bump the limits to accommodate real world observations. 8 MB

rpki-client: increase MAX_FILE_SIZE to accommodate key rollovers

2021-11-09 Thread Job Snijders
Hi all, Ties de Kock reported that the RIPE NCC Production CA's manifest is likely to double in size during RFC 6489 key rollover events. Both old and new entries will be listed. KpSo3VVK5wEHIJnHC2QHVV3d5mk.mft currently is 1.1 MB. OK? Kind regards, Job Index: extern.h

Re: speedup io marshal in rpki-client

2021-11-05 Thread Job Snijders
On Fri, Nov 05, 2021 at 09:18:15AM +0100, Claudio Jeker wrote: > Noticed the other day. The ip addr arrays and as number array are > marshalled element by element which is not very efficient. > All the data is in one big blob of memory so just use the basic io > operations for a memory blob and

Re: rpki-client adjust tal parse to the BIO free world

2021-10-26 Thread Job Snijders
OK job@ On Tue, Oct 26, 2021 at 05:43:32PM +0200, Claudio Jeker wrote: > This is part 3 of the BIO removal. Switch tal_parse to pass a file buffer > like all other callers. The parent process can now just use load_file() > and pass that buffer to the parser. From there on the magic just happens.

Re: rpki-client RRDP delta vs snapshot sync

2021-09-14 Thread Job Snijders
On Tue, Sep 14, 2021 at 12:22:41PM +0200, Claudio Jeker wrote: > I'm tired waiting 30min and more for apnic and idnic to finish their delta > syncs with 1000+ deltas to fetch from a server on the other side of the > planet. If a repo is more than 300 deltas behind just grab the snapshot, > it is

Re: timeout: Prettify man page and usage

2021-09-02 Thread Job Snijders
On Thu, Sep 02, 2021 at 07:23:26AM +0100, Jason McIntyre wrote: > > .Ar time > > -can be integer or decimal numbers. > > +are positive integer or real (decimal) numbers, with an optional > > can you have a negative timeout? Negative values are not permitted $ timeout -- -1 /bin/ls timeout:

Import timeout(1) from NetBSD

2021-09-01 Thread Job Snijders
Hi, FreeBSD/NetBSD/DragonFly and GNU 'coreutils' have a utility called timeout(1) which allows you to kill a process after X time. Importing timeout would remove the only reason I have coreutils installed :-) I retrieved timeout.{c,1} from

Re: rpki-client exclude files from rsync fetch

2021-09-01 Thread Job Snijders
On Wed, Sep 01, 2021 at 11:14:15AM +0200, Claudio Jeker wrote: > On Tue, Aug 31, 2021 at 02:23:57PM +0200, Claudio Jeker wrote: > > RPKI repository can only include a few specific files, everything else is > > just ignored and deleted after every fetch. Since openrsync supports > > --exclude-file

Re: rpki-client add http_proxy support

2021-09-01 Thread Job Snijders
On Tue, Aug 31, 2021 at 09:58:54AM +0200, Claudio Jeker wrote: > This diff improves the http code by a) adding an IO timeout and b) > implementing http_proxy support. > > Works for me using tinyproxy as proxy server. OK? Index: http.c

Re: rpki-client exclude files from rsync fetch

2021-08-31 Thread Job Snijders
Hi, I don't think this should be user configurable. If folks remove entries like "+ *.crl" it breaks things. If folks add entries like "+ *.mp3" it wastes network bandwidth. :-) Let's use "--include" and "--exclude" instead. kind regards, Job On Tue, Aug 31, 2021 at 02:23:57PM +0200, Claudio

rpki-client: adjust HTTP/1.1 request string

2021-07-23 Thread Job Snijders
Hi all, Based on suggestions from Julian Reschke. * "Connection: keep-alive" isn't needed, as the HTTP 1.1 default is to use persistent connections (RFC 7230, section 6.3). * "Host" is recommended to be in the front. * "Accept-Encoding: identity" makes it clear to the server compression

Re: cron(8): add '@' interval time specifier

2021-07-10 Thread Job Snijders
On Sat, Jul 10, 2021 at 09:05:15AM -0600, Theo de Raadt wrote: > Job Snijders wrote: > > A use case could be running rpki-client more frequently than once an > > hour: Perhaps I choose a poor example, because of $work *I* run rpki-client very often, but do not recommend o

cron(8): add '@' interval time specifier

2021-07-10 Thread Job Snijders
Hi all, The below patch adds a new kind of time specifier: an interval (in minutes). When used, cron(8) will schedule the next instance of a job after the previous job has completed and a full interval has passed. A crontab(5) configured as following: $ crontab -l @3 sleep 100 Will

Re: bgpd support for enhanced route refresh

2021-06-17 Thread Job Snijders
Disabled by default is a good start. OK job@

Re: bgpd support for enhanced route refresh

2021-06-17 Thread Job Snijders
On Thu, Jun 17, 2021 at 03:29:38PM +0200, Claudio Jeker wrote: > On Thu, Jun 17, 2021 at 01:25:07PM +0000, Job Snijders wrote: > > On Thu, Jun 17, 2021 at 12:24:16PM +0200, Claudio Jeker wrote: > > > On Mon, Jun 14, 2021 at 05:10:07PM +0200, Claudio Jeker wrote: > > > &

Re: bgpd support for enhanced route refresh

2021-06-17 Thread Job Snijders
On Thu, Jun 17, 2021 at 12:24:16PM +0200, Claudio Jeker wrote: > On Mon, Jun 14, 2021 at 05:10:07PM +0200, Claudio Jeker wrote: > > On Thu, May 27, 2021 at 06:24:06PM +0200, Claudio Jeker wrote: > > > Implement RFC 7313 enhanced route refresh. > > > > > > While there also change when graceful

rpki-client: change "asn" from string to integer in JSON output

2021-05-05 Thread Job Snijders
I'd like to modify our JSON format, many people in the community have voiced complaints that transforming the string to an integer is annoying. This won't break existing deployments coupled with GoRTR. OK? Index: output-json.c ===

Re: rpki-client: add per VRP 'until' column to CSV+JSON output

2021-05-03 Thread Job Snijders
On Mon, May 03, 2021 at 10:40:53AM -0600, Theo de Raadt wrote: > This needs a cast from time_t to long long, otherwise the code won't compile > or operate correctly on laggard legacy 32-bit time_t systems. thanks, fixed! OK? Index: usr.sbin/rpki-client/extern.h

Re: rpki-client: add per VRP 'until' column to CSV+JSON output

2021-05-03 Thread Job Snijders
On Mon, May 03, 2021 at 08:37:52AM -0600, Theo de Raadt wrote: > Job Snijders wrote: > > > AS38971,178.57.71.0/24,24,ripe,2021-05-04T05:39:30Z > > This time format is human readable, but these files are largely part > of the machinery. And now they need expens

rpki-client: add per VRP 'until' column to CSV+JSON output

2021-05-03 Thread Job Snijders
Hi all, The below changeset adds a column containing the soonest expiration moment to rpki-client(8)'s CSV and JSON output. This can be useful to CA operators to monitor progression/stalling of the signer pipeline, but also to relying parties who wish to avoid routing based on stale RPKI data. A

Re: rpki-client http keep-alive support

2021-04-20 Thread Job Snijders
On Tue, Apr 20, 2021 at 10:27:51AM +0200, Claudio Jeker wrote: > On Fri, Apr 16, 2021 at 12:21:56PM +0200, Claudio Jeker wrote: > > This diff changes the http module to support keep-alive. > > It splits requests (for a resource) from connections (to a server). > > When a request is received the

rpki-client: emit number of deleted files/dirs in JSON output

2021-04-08 Thread Job Snijders
Hi all, The below patch exposes two metrics via JSON. This will remove the need for some rpki-client aficionados to screen scrape rpki-client's STDOUT. OK? Kind regards, Job Index: output-json.c === RCS file:

Re: Teach rpki-client some https

2021-03-03 Thread Job Snijders
On Tue, Mar 02, 2021 at 05:04:12PM +0100, Theo Buehler wrote: > > I think this is now ready to go in. > > Go for it! > > ok tb OK job@

Re: rpki-client: get Authority Information Access (AIA) from CA & EE certs

2021-02-15 Thread Job Snijders
Hi, Thank you for the review On Mon, Feb 15, 2021 at 01:42:57PM +0100, Claudio Jeker wrote: > Please do not define variables in the middle of functions. now fixed > > + AUTHORITY_INFO_ACCESS_free(info); > > + > > + return aia; > > +} > > I really don't like the way x509_get_aia() is

rpki-client: get Authority Information Access (AIA) from CA & EE certs

2021-02-14 Thread Job Snijders
Make the AIA more easily available for debugging purposes & future changesets In the context of the RPKI, the AIA extension identifies the publication point of the certificate of the issuer of the certificate in which the extension appears. A single reference to the publication point of the

Re: rpki-client check IP and ASnum coverage only on ROAs

2021-01-08 Thread Job Snijders
On Fri, Jan 08, 2021 at 03:43:18PM +0100, Claudio Jeker wrote: > rpki-client is currently very strict about the ip ranges and as ranges in > certificates. If a child certificate has a uncovered range in its list it > is considered invalid and is removed from the pool (with it all the ROA > entries

Re: bgpd send side hold timer

2020-12-16 Thread Job Snijders
On Tue, Dec 15, 2020 at 05:02:19PM +0100, Claudio Jeker wrote: > On Mon, Dec 14, 2020 at 06:22:09PM +0000, Job Snijders wrote: > > This patch appears to be a very elegant solution to a thorny subtle > > problem: what to do when a peer is not accepting new routing > > informati

Re: bgpd send side hold timer

2020-12-14 Thread Job Snijders
Hi all, This patch appears to be a very elegant solution to a thorny subtle problem: what to do when a peer is not accepting new routing information from you? I've seen in the wild that some crashed BGP implementations continue to be able to generate KEEPALIVE messages, and are able to TCP ACK

Re: rpki-client, validate all files in mft even unknown ones

2020-12-07 Thread Job Snijders
On Mon, Dec 07, 2020 at 10:03:57PM +0100, Claudio Jeker wrote: > So ghostbuster records (rfc6493) are showing up in RPKI datasets and > instead of silently ignoring them rpki-client should first of all validate > the file hash in the manifest and later on also validate the CMS data. > > This

[PATCH] usr.sbin/rpki-client: remove -f (force) option

2020-06-30 Thread Job Snijders
Remove rpki-client's -f command line option I haven't come across a use case that requires tricking the software into accepting out-of-date manifests. Anyone using -f? I think this is a leftover from the initial debugging era. OK? Index: extern.h

Re: suggest to run rpki-client hourly

2020-04-16 Thread Job Snijders
Now that cron(8) was put on a quick steroids programme, we have new options available! Awesome work Todd, Theo. On Mon, Apr 13, 2020 at 02:43:27PM +, Job Snijders wrote: > I'm reviewing some of the timers associated with the workings of the > end-to-end propagation from ROA to VRP. I

Re: suggest to run rpki-client hourly

2020-04-13 Thread Job Snijders
On Mon, Apr 13, 2020 at 02:43:27PM +, Job Snijders wrote: > I'm reviewing some of the timers associated with the workings of the > end-to-end propagation from ROA to VRP. I think suggesting to run > rpki-client only once a day can make for needless brittleness. > > Running r

suggest to run rpki-client hourly

2020-04-13 Thread Job Snijders
Hi, I'm reviewing some of the timers associated with the workings of the end-to-end propagation from ROA to VRP. I think suggesting to run rpki-client only once a day can make for needless brittleness. Running rpki-client just once a day also results in only making a rsync fetch attempt once a

Re: BIRD 1.x/2.x support at rpki-client

2020-03-06 Thread Job Snijders
On Fri, Mar 06, 2020 at 07:11:56PM +0100, Robert Scheck wrote: > On Fri, 06 Mar 2020, Sebastian Benoit wrote: > > Note that I haven't tried this with bird 1 or 2 yet ;) > > comments, oks? > > I did not try it yet, but I think BIRD 1 also needs something like "define > force_roa_table_update =

Re: BIRD 1.x/2.x support at rpki-client

2020-03-06 Thread Job Snijders
I have a small suggestion, in some deployments I saw the convention to name it as following so it is clear the data came from user provided data rather than internal bird structures I tested Benno's patch against BIRD 1.6.6 - wfm. Index: main.c

Re: BIRD 1.x/2.x support at rpki-client

2020-03-06 Thread Job Snijders
On Fri, Mar 06, 2020 at 12:24:18PM +0100, Sebastian Benoit wrote: > Robert Scheck(rob...@fedoraproject.org) on 2020.03.03 01:20:24 +0100: > > job@ suggested to move this from GitHub to tech@ list (as upstream): > > > > 1. Currently, BIRD 1.x support in rpki-client seems to be broken: As per > >

Re: BIRD 1.x/2.x support at rpki-client

2020-03-04 Thread Job Snijders
We are still at the early stages of RPKI deployment, so making it easier to plug things into BIRD1 is beneficial given the wide deployment scale. Only /very/ recently was rpki-client packaged for some of the Linux distros, so if we add support for all formats now - it’ll improve the

Re: BIRD 1.x/2.x support at rpki-client

2020-03-04 Thread Job Snijders
I think we still need to support BIRD 1 for the foreseeable future, NIC.CZ hasn’t communicated plans to deprecate BIRD1 and still supports it; and BIRD1 still is widely deployed. I’m somewhat preferential to just generate all 3 BIRD flavors if -B is given as command line option. Kind regards,

Re: BIRD 1.x/2.x support at rpki-client

2020-03-04 Thread Job Snijders
On Wed, Mar 4, 2020, at 00:55, Robert Scheck wrote: > > The idea is you can specify many outputs. That will make the commandline > > very long, especially for the way we run it in cron. > > Oh! I'm sorry, I didn't see the idea of specifying many outputs. Yeah, it's nice to do things in one batch

Re: IPv6 Support for umb(4)

2020-01-29 Thread Job Snijders
On Tue, Jan 28, 2020 at 03:03:47PM +0100, Gerhard Roth wrote: > this patch adds IPv6 support to umb(4). OK job@ Tested with 'telnet -6 towel.blinkenlights.nl' on Fibocom L831-EAU on IIJ MIO's network (Japan), with 'inet6 autoconf' in /etc/hostname.umb0 :-) job@vurt ~$ doas ifconfig umb0 umb0:

Re: Add #define for RFC8622 IPTOS_DSCP_LE codepoint

2020-01-25 Thread Job Snijders
On Sat, Jan 25, 2020 at 11:36:53PM +1100, Damien Miller wrote: > This adds a #define for the "lower effort" DSCP code point specified > by https://tools.ietf.org/html/rfc8622 > > People have asked to be able to use this OpenSSH for "don't care" > traffic. > > ok? OK job@

Re: bgpd max-prefix out limit

2020-01-22 Thread Job Snijders
On Wed, Jan 22, 2020 at 05:02:32AM +0100, Claudio Jeker wrote: > This diff implements 'max-prefix NUM out' which is a simple way to > avoid leaking full tables to upstream or peers. If the limit is > triggered the session will be closed with a NOTIFICATION (kind of > suicide for the good of the

[PATCH] nc(1): print IP address in verbose mode (-v)

2019-10-23 Thread Job Snijders
Dear all, Scratching a small itch: telnet(1) nicely prints what IP addresses it is attempting to connect to, I'd like 'nc -v' to do the same, see below: $ nc -v localhost 23 nc: connect to localhost (127.0.0.1) port 23 (tcp) failed: Connection refused nc: connect to localhost (::1) port 23 (tcp)

Re: OpenBSD crossed 400,000 commits

2019-10-08 Thread Job Snijders
On Tue, Oct 08, 2019 at 09:57:42PM -0600, Theo de Raadt wrote: > Sometime in the last week OpenBSD crossed 400,000 commits (*) upon all > our repositories since starting at 1995/10/18 08:37:01 > Canada/Mountain. That's a lot of commits by a lot of amazing people. Great achievement! Time to pop a

Re: bgpd fail before daemonizing on config errors

2019-08-08 Thread Job Snijders
On Thu, Aug 08, 2019 at 11:48:08AM +0200, Claudio Jeker wrote: > With the introduction of re-exec of the children the config parsing happened > after bgpd daemonized. This is super annoying and therefore this diff > changes that. It will make bgpd fail on startup if there is an issue with > the config

Re: bgpd adj-rib-out rewrite

2019-07-16 Thread Job Snijders
On Wed, Jul 10, 2019 at 10:08:38PM +0200, Claudio Jeker wrote: > This diff is a bit of a monster. It changes the Adj-RIB-Out to be a > peer specific set of RB trees instead of using a rib in the original > sense. The reason for this is that the more peers a system has the > more elements end up

Re: Remove irrfilter from bgpctl

2019-06-24 Thread Job Snijders
Hi, On Mon, Jun 24, 2019 at 12:41:08PM +0200, Claudio Jeker wrote: > I think it is time to remove the bgpctl irrfilter code. It is not > useful and it is better to use tools like bgpq3 to build as-sets and > prefix-sets for bgpd filtering. Agreed. I'd love to have a replacement in base some day,

Re: bgpd set nexthop 198.51.100.42 clarifications

2019-05-28 Thread Job Snijders
On Tue, May 28, 2019 at 05:17:08PM +0200, Claudio Jeker wrote: > On Tue, May 28, 2019 at 01:28:32PM +0200, Job Snijders wrote: > > On Mon, May 13, 2019 at 09:03:41PM +0200, Claudio Jeker wrote: > > > When using a rule forcing the nexthop to a specific address bgpd > > &

Re: bgpd set nexthop 198.51.100.42 clarifications

2019-05-28 Thread Job Snijders
Hi, On Mon, May 13, 2019 at 09:03:41PM +0200, Claudio Jeker wrote: > When using a rule forcing the nexthop to a specific address bgpd > currently does not mark that nexthop as no-modify. In other words > the default rules for nexthop propagation applies. This means that > for ebgp it only sends

Re: bgpd set nexthop 198.51.100.42 clarifications

2019-05-27 Thread Job Snijders
On Mon, May 13, 2019 at 21:11 Claudio Jeker wrote: > When using a rule forcing the nexthop to a specific address bgpd > currently does not mark that nexthop as no-modify. In other words > the default rules for nexthop propagation applies. This means that > for ebgp it only sends out the set

Re: Stream Control Transmission Protocol SCTP RFC4960

2019-05-23 Thread Job Snijders
On Thu, May 23, 2019 at 19:50 Denis wrote: > > SCTP(4) present in FreeBSD 12.0 > > OpenBSD implementation planned? Nothing planned as far as I know. Out of curiosity - what is your use case? Do you really use it? It doesn’t seem to be a widely used protocol. Kind regards, Job

Re: NSD & Unbound refusing to bind to IPv6 when anycast flag set ?

2019-05-17 Thread Job Snijders
On Fri, May 17, 2019 at 2:13 PM Stuart Henderson wrote: > On 2019/05/16 23:37, Rachel Roch wrote: > > > RFC3513 says this: > > > > > > o An anycast address must not be used as the source address of > > > an IPv6 packet. > > > > > > o An anycast address must not be assigned to an IPv6 host,

Re: tcpdump support extended bgp shutdown communication

2019-05-11 Thread Job Snijders
OK job@ On Sat, May 11, 2019 at 14:37 Claudio Jeker wrote: > bgpd already got support for extended shutdown communication messages. > This adds the same support to tcpdump. > > OK? > -- > :wq Claudio > > Index: print-bgp.c > === >

[PATCH] bgpctl(8): improve user interface for RPKI Origin Validation

2019-04-01 Thread Job Snijders
Dear all, I've consulted with numerous user interface experts, their consistent advice was to facilitate internalization by provoking simpler, stronger emotions through the text based interface. bgpctl(8) will now provide simplified 'SAD' or 'HAPPY' ascii ideograms to help network operators

Re: bgpd optimize filter rules

2018-12-03 Thread Job Snijders
On Mon, Dec 03, 2018 at 12:14:13PM +0100, Claudio Jeker wrote: > There is a trivial optimization that bgpd can do when loading the filter > ruleset. If the rule is the same as the previous rule than the filterset > can be merged. e.g. > > match from ebgp set community delete $myAS:* >

Re: bgpd refactor aspath_match a bit

2018-11-27 Thread Job Snijders
On Tue, Nov 27, 2018 at 06:23:53PM +0100, Claudio Jeker wrote: > On Tue, Nov 27, 2018 at 04:21:53PM +0100, Job Snijders wrote: > > On Fri, Nov 23, 2018 at 03:55:18PM +0100, Claudio Jeker wrote: > > > For origin validation I checked the source_as in struct rde_aspath > &

Re: bgpd refactor aspath_match a bit

2018-11-27 Thread Job Snijders
Hi Claudio, On Fri, Nov 23, 2018 at 03:55:18PM +0100, Claudio Jeker wrote: > For origin validation I checked the source_as in struct rde_aspath > this is not really the right place. It should be in struct aspath > since that holds all the ASPATH related stuff. Change this, move > aspath_match out

Re: bgpd refactor community code

2018-11-27 Thread Job Snijders
On Thu, Nov 22, 2018 at 05:56:20PM +0100, Claudio Jeker wrote: > On Tue, Nov 13, 2018 at 06:53:55PM +0100, Claudio Jeker wrote: > > This is a large diff that changes the way communities are stored in > > filters and filter_sets. Both standard communities and large communities > > now share the

Re: prevent bgpd from starting when control socket already used

2018-11-11 Thread Job Snijders
Shouldn't we already bomb out at the following? cannot bind to 0.0.0.0:179: Address already in use cannot bind to [::]:179: Address already in use In any regard, I agree with the functionality proposed. No strong opinion on the diff itself. Kind regards, Job On Sun, Nov 11, 2018 at 22:35 Remi

Re: ifconfig(8) to deny non-contiguous netmask / take 2

2018-09-30 Thread Job Snijders
OK job@

[PATCH] bgpd: expose ROA origin validation state in show rib

2018-09-29 Thread Job Snijders
Dear all, This small patch exposes the origin validation state in 'bgpctl show rib' and 'bgpctl show rib detail'. This will help debugging, and draw attention to routing problems. I know we're wary of spending horizontal space, but I think spending 3 chars to show the OV state (and as such make

Re: bgpd ROA validation

2018-09-25 Thread Job Snijders
On Tue, Sep 25, 2018 at 12:23:48PM +0200, Claudio Jeker wrote: > On Sat, Sep 22, 2018 at 09:48:24PM +0000, Job Snijders wrote: > > Seems we are getting very close. Some suggestions to simplify the > > experience for the end user. > > > > Let's start with supporting jus

Re: bgpd ROA validation

2018-09-22 Thread Job Snijders
Hi Claudio, Seems we are getting very close. Some suggestions to simplify the experience for the end user. Let's start with supporting just one (unnamed) roa-set, so far I've really not come across a use case where multiple ROA tables are useful. I say this having implemented origin validation

Re: bgpd ROA validation

2018-09-22 Thread Job Snijders
On Fri, Sep 21, 2018 at 05:29:24PM +0200, Claudio Jeker wrote: > I currently use the RIPE RPKI validator to grab a JSON file (e.g. > http://localcert.ripe.net:8088/export.json) and feed that to this perl > script to convert it into bgpd syntax: For now I recommend using

Re: bgpd roa-set backend

2018-09-14 Thread Job Snijders
Dear Claudio, On Fri, Sep 14, 2018 at 04:59:51PM +0200, Claudio Jeker wrote: > This diff extends the existing trie code for prefix-set to also work with > roa-set. Unlike prefix-set there is no need for a prefixlen mask during > lookup, instead the source-as needs to be checked and also if the >

Re: bgpd: refine source-as matching

2018-08-09 Thread Job Snijders
On Thu, Aug 09, 2018 at 03:10:11PM +0200, Claudio Jeker wrote: > Per rfc6472 AS_SET should no longer be used but some AS still do. > Until now source-as would take the rightmost AS number of an AS_PATH > no matter if it was an AS_SEQUENCE or an AS_SET. This is not correct. Indeed, good find! >

[PATCH] column(1): -r to right justify

2018-07-04 Thread Job Snijders
Dear all, Following some back and forth on how disklabel output should be formatted, I proposed to Kenneth to extend the column(1) utility. All that was missing is the ability to right justify. I've longed for this feature for a while: I often use 'column -t' to prettify data coming from an awk

Re: BGPD - refactor nexthop handling

2018-06-24 Thread Job Snijders
On Thu, Jun 21, 2018 at 08:59:45PM +0200, Claudio Jeker wrote: > This is the first step of some larger reshuffling of how the RDE is > working. One of the things needed is proper reference counting for > nexthops since I want to kill nexthop_link and nexthop_unlink in the > long run. > > Even

Add 6to4 anycast prefixes to examples/bgpd.conf

2018-06-21 Thread Job Snijders
Hi, Globally anycasted 6to4 has outlived its usefulness. Operational discussion: http://seclists.org/nanog/2018/Jun/268 Kind regards, Job diff --git etc/examples/bgpd.conf etc/examples/bgpd.conf index a5fa7234a3c..77f610b9a06 100644 --- etc/examples/bgpd.conf +++ etc/examples/bgpd.conf @@

Re: Should whois(1) and IPv6 default to ANICHOST?

2018-06-17 Thread Job Snijders
OK job@ On Sun, 17 Jun 2018 at 17:00, Florian Obser wrote: > I like it, I think the heuristic is good enough. > > OK florian@ or I take OKs to commit it myself ;) > > On Sun, May 20, 2018 at 07:48:34PM +0100, Mikolaj Kucharski wrote: > > Hi, > > > > This is very naive patch for whois(1) which

Re: [patch] crontab(5) add -n option to suppress mail when the run was successful

2018-06-12 Thread Job Snijders
on/do_command.c index 6a4022fcc9a..4fbca61d170 100644 --- usr.sbin/cron/do_command.c +++ usr.sbin/cron/do_command.c @@ -3,6 +3,7 @@ /* Copyright 1988,1990,1993,1994 by Paul Vixie * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC") * Copyright (c) 1997,2000 by Internet Softwar

[patch] crontab(5) add -n option to suppress mail when the run was successful

2018-06-11 Thread Job Snijders
ISC") * Copyright (c) 1997,2000 by Internet Software Consortium, Inc. + * Copyright (c) 2018 Job Snijders * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -80,7 +81,6 @@ child

Re: bgpd: stop with the announce confusion

2018-06-07 Thread Job Snijders
On Thu, Jun 07, 2018 at 12:14:07PM +0200, Claudio Jeker wrote: > > It would be helpful during upgrades if it's possible to write some > > configurations that work the same on both the old and new versions. > > That way the configuration can be changed to a version which will > > still work before

Re: bgpd: stop with the announce confusion

2018-06-07 Thread Job Snijders
On Wed, Jun 06, 2018 at 11:04:56PM +0200, Claudio Jeker wrote: > The following diff does a few things. > a) it removes the `announce (all|none|self|default-route)` version > b) `announce none` is now `export none` > c) `announce default-route` is now `export default-route` > d) the examples file

Re: bgpd ignore aspath with too large attributes

2018-05-31 Thread Job Snijders
On Wed, May 30, 2018 at 03:18:45PM +0200, Claudio Jeker wrote: > This adds a protection to handle aspaths with overly large attributes in > bgpd. The main idea is to protect other bgp routes downstream from > hitting the limit, which is often not well caught. I am not sure this is sound logic. The BGP

Re: Eliminate trailing whitespace & typo in chmod

2018-04-13 Thread Job Snijders
https://en.wikipedia.org/wiki/If_and_only_if As a non-native speaker, it took some years before I realized the use of “iff” is not a typo. Kind regards, Job

Re: Stop ping telling world its pid

2018-04-11 Thread Job Snijders
When things arrive out of sequence, that usually is of special interest to network operator people. Not sure the sequence field can easily be overloaded to increase “validity”. I’m not great at math, with a 16 bit random value, wouldn’t we start running into ID collisions around 256 concurrent

Re: high sofnet load with gif(4) and icmp

2018-04-05 Thread Job Snijders
Hi, I'm optimistic about this patch: where previously running traffic through this router over gif tunnels would result in memory exhaustion, the problem now seems gone. memory graph: http://instituut.net/~job/screenshots/ee7f0fa5304032a2.png Should perhaps an errata / syspatch blob be prepared

Re: [PATCH] Update default QoS markers for ssh

2018-04-01 Thread Job Snijders
On Sun, Apr 01, 2018 at 11:29:55AM +0100, Stuart Henderson wrote: > On 2018/03/31 16:10, Job Snijders wrote: > > TL;DR: I propose to update the defaults to use DSCP "AF21" (Low > > Latency Data) for interactive session traffic, and CS1 ("Lower > > Effort")

[PATCH] Update default QoS markers for ssh

2018-03-31 Thread Job Snijders
Dear all, There may be opportunity for improvement of ssh(1) and sshd(8)'s default QoS markers for better integration in environments that can offer either layer-2 or layer-3 prioritisation profiles. Currently ssh(1) and sshd(8) set obsoleted values 'lowdelay' for interactive sessions and

Re: handle updates via Adj-RIB-Out

2018-03-05 Thread Job Snijders
Claudio, How best to test this change proposal? Should this maybe be tested on one of the yycix route servers? I'll let it run on my home router, if that doesn't cause issues in a week or so; we can consider rs2.yycix.ca Kind regards, Job On Fri, Mar 02, 2018 at 04:55:23PM +0100, Claudio

Re: [PATCH] bgplg error message fix

2018-02-02 Thread Job Snijders
On Fri, Feb 02, 2018 at 02:38:54PM +0100, Pierre Emeriaud wrote: > While playing with bgplg I noticed that 'show ip bgp detail as' error > message is wrong: expects an AS number but asks for a prefix. Thanks! Committed. Kind regards, Job

Re: /etc/rc: fsck -y

2018-01-18 Thread Job Snijders
On Thu, Jan 18, 2018 at 12:22:21PM +, Stuart Henderson wrote: > A flag (fsck_flags) would be a better idea than a file, and more > flexible (users with many disks and low RAM could use the same > mechanism to force "-l 1" for example). fsck_flags would be an idea. I prefer not to bring local

Re: [patch] faq5.html, added missing branch to update -stable trees.

2018-01-06 Thread Job Snijders
Hi, On Sat, Jan 6, 2018 at 9:53 AM, Christoph R. Murauer wrote: > Here is a diff for the missing -rOPENBSD_6_2 branch to update the > -stable CVS trees as described in https://www.openbsd.org/anoncvs.html > at Updating an existing tree. I don't think this is needed in this context

Re: pckbd: go back to using table 2 by default

2018-01-02 Thread Job Snijders
Hi all, I often observed on my Thinkpad x270 that after an upgrade via bsd.rd, the first reboot resulted in keystrokes being garbage (and at second reboot everything was fine again). The below patch seems to be an improvement. Kind regards, Job On Tue, Jan 02, 2018 at 09:36:49AM -0600, joshua

Re: Add "-c command" option to script(1)

2017-12-16 Thread Job Snijders
On Sat, Dec 16, 2017 at 09:45:02AM +0100, Paul de Weerd wrote: > On Fri, Dec 15, 2017 at 12:24:45PM +0100, Paul de Weerd wrote: > | I've updated the diff to add this example as per jmc's suggestion. It > | now has: > | > | - add the `-c command` feature > | - updates usage > | -

Re: Add "-c command" option to script(1)

2017-12-15 Thread Job Snijders
On Thu, Dec 14, 2017 at 09:23:29AM +0100, Paul de Weerd wrote: > Another use I personally find very convenient is this: > > [weerd@pom] $ script -c "vmctl start test -c" > > Hope others see value here too :) That is a great use case. Kind regards, Job

Re: Include hostname in shell prompts by default

2017-12-09 Thread Job Snijders
On Sat, Dec 09, 2017 at 06:44:44PM +0100, Theo Buehler wrote: > Theo asked me to make sure that all our shells print a prompt > including the hostname by default. Thank you. This is a significant improvement. I keep finding myself updating /etc/profile everywhere to ensure I don't lose my

Re: pf neighbor discovery hop limit

2017-12-04 Thread Job Snijders
On Mon, Dec 04, 2017 at 02:55:16PM +0100, Alexander Bluhm wrote: > RFC 4861 requires that all neighbor discovery packets have 255 in > their IPv6 header hop limit field. Let pf drop neighbor solicitation, > neighbor advertisement, router solicitation, router advertisement, > and redirect ICMP6

Re: [PATCH] amd64/bsd.rd: add growfs(8)

2017-11-07 Thread Job Snijders
On Mon, Nov 06, 2017 at 04:14:48PM -0700, Theo de Raadt wrote: > I agree on that. So please put it into the correct lists files for > all the unlimited ramdisks. > > Job, the situation is a little nit-picky but try to do it for all the > architectures and I'll give you fast feedback. This is

Re: [PATCH] amd64/bsd.rd: add growfs(8)

2017-11-06 Thread Job Snijders
Thanks for the feedback. I'll get to work on a MI patch and test on amd64 + i386, then pass it on to you.

[PATCH] amd64/bsd.rd: add growfs(8)

2017-11-05 Thread Job Snijders
Good morning everyone, While quite some resizing scenarios can be done from within single user mode, resizing the root partition requires you to bring your own growfs(8) binary into the ramdisk environment. The below patch adds growfs(8) to the amd64 ramdisk to simplify such operations. I tested

Re: Remove TCP_FACK

2017-10-25 Thread Job Snijders
This has been committed. Since the patch changed the userland ABI, don't forget to rebuild (at least) fstat, netstat & tcpbench. Kind regards, Job

Re: Refactor TCP partial ACK handling

2017-10-24 Thread Job Snijders
On Tue, Oct 24, 2017 at 03:21:08PM +0200, Mike Belopuhov wrote: > I didn't do it because tcp_var.h is where tcp keeps all of its prototypes > but I don't mind moving them into tcp_input.c. Any objections? Otherwise > I'll check in the diff below. ok job@

Remove TCP_FACK

2017-10-24 Thread Job Snijders
Dear all, This patch builds upon the work shared in the following email. Mike's patch is a prerequisite to apply this patch. Date: Tue, 24 Oct 2017 15:21:08 +0200 From: Mike Belopuhov Subject: Re: Refactor TCP partial ACK handling TCP_FACK was
