-- $Id$ -- Copyright (C) 2007-2008 American Registry for Internet Numbers ("ARIN") -- -- Permission to use, copy, modify, and distribute this software for any -- purpose with or without fee is hereby granted, provided that the above -- copyright notice and this permission notice appear in all copies. -- -- THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH -- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -- AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, -- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -- PERFORMANCE OF THIS SOFTWARE. -- Signed manifests for RPKI repositories. Relying parties use object -- (as opposed to channel) security for everything in this design -- repository, which is the right thing to do for various reasons but -- leaves us open to attacks which intercept the rsync connection and -- drop valid objects out of an SIA collection. At present this is -- not detectable, so we need a mechanism. -- -- Manifests as described here are modeled on CRLs, because the issues -- involved in detecting stale manifests, manifest replays, etc are -- similar to those for CRLs. So we want many of the fields that a -- CRL has. Syntax differs, though, since RPKI repositories can -- contain objects not covered by CRLs (eg, ROAs), and reuse CMS as -- the manifest signature format rather than inventing another one. -- -- See RFC 3280 section 5 for CRL layout and extensions. -- -- We're only trying to cover objects in the same SIA collection -- (directory) as the manifest. We will probably want to name the -- manifest itself with a name derived from the g(ski) of the cert of -- which this is the SIA collection. 
-- We'll need an EE cert to sign
-- the manifest; the EE cert should probably just use RFC 3779
-- inheritance to cover all the resources that its issuer holds.  If we
-- use CMS, we might just want to include the EE cert in the CMS
-- bag of certs.
--
-- Lisp pseudo-code version of my original proposal for what goes
-- inside the CMS wrapper:
--
-- (manifest :version 1
--           :collection-uri "rsync://foo.example/wombat/"
--           :this-update timestamp
--           :next-update timestamp
--           :manifest-serial 17
--           :hash-algorithm :sha256
--           (:name foo.cer :hash aabbccdd...)
--           (:name bar.cer :hash bbccddee...)
--           (:name foo.roa :hash ccddeeff...)
--           (:name baz.crl :hash ddeeff00...)
--           ...)
--
-- Steve Kent came up with something very similar in ASN.1.  At this
-- point I think that Steve and I have converged, so here is Steve's
-- ASN.1, which, absent new issues, I expect to implement with
-- OpenSSL's ASN.1 engine.

Manifest ::= SEQUENCE {
  version         [0] INTEGER DEFAULT 0,   -- first version is 0
  manifestNumber  INTEGER,                 -- to identify unscheduled manifest issuance
  thisUpdate      GeneralizedTime,         -- this manifest issuance time
  nextUpdate      GeneralizedTime,         -- next scheduled manifest issuance time
  fileHashAlg     OBJECT IDENTIFIER,       -- algorithm used to generate file content hash values
  fileList        SEQUENCE OF FileAndHash  -- list of file name and content hash pairs
  }

FileAndHash ::= SEQUENCE {
  file  IA5String,   -- file name
  hash  BIT STRING   -- hash of file content
  }
# $Id$
# 
# Copyright (C) 2009-2012  Internet Systems Consortium ("ISC")
# 
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
# 
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.

"""
Parse a WHOIS research dump and write out (just) the RPKI-relevant
fields in myrpki-format CSV syntax.

Unfortunately, unlike the ARIN and APNIC databases, the RIPE database
doesn't really have any useful concept of an organizational handle.
More precisely, while it has handles out the wazoo, none of them are
useful as a reliable grouping mechanism for tracking which set of
resources are held by a particular organization.  So, instead of being
able to track all of an organization's resources with a single handle
as we can in the ARIN and APNIC databases, the best we can do with the
RIPE database is to track individual resources, each with its own
resource handle.  Well, for prefixes -- ASN entries behave more like
in the ARIN and APNIC databases.

Feh.

NB: The input data for this script is publicly available via FTP, but
you'll have to fetch the data from RIPE yourself, and be sure to see
the terms and conditions referenced by the data file header comments.
"""

import gzip
from rpki.csv_utils import csv_writer

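class Handle(dict):
  """
  One parsed WHOIS object, held as a dict of just the tags we care about.

  A subclass lists the tags it needs in want_tags; set() drops every
  other tag, so an instance never carries more keys than want_tags.
  Stored values have all spaces removed, which is why a dump status of
  "ASSIGNED PA" is matched against want_status as "ASSIGNEDPA".
  """

  # Tags a subclass extracts from the dump.  Empty in the base class, so
  # a bare Handle discards everything handed to set().
  want_tags = ()

  # Space-stripped status values for which a prefix row is written.
  want_status = ("ASSIGNED", "ASSIGNEDPA", "ASSIGNEDPI")

  # When true, check() prints every complete handle to stdout.
  debug = False

  def set(self, tag, val):
    """
    Store val under tag if tag is wanted, with every space removed.
    """
    if tag in self.want_tags:
      self[tag] = val.replace(" ", "")

  def check(self):
    """
    Return True if every wanted tag has been seen, else False.

    Logs the handle as a side effect when debug is set.
    """
    for tag in self.want_tags:
      if tag not in self:
        return False
    if self.debug:
      self.log()
    return True

  def __repr__(self):
    return "<%s %s>" % (self.__class__.__name__,
                        " ".join("%s:%s" % (tag, self.get(tag, "?"))
                                 for tag in self.want_tags))

  def log(self):
    """
    Print this handle.  Written in the parenthesised form so the module
    loads under Python 3 as well as Python 2 (the statement form was a
    Python-2-only syntax error elsewhere).
    """
    print(repr(self))

  def finish(self, ctx):
    """
    Hook invoked when the object's last line has been read.

    The base class only runs the completeness check and discards the
    result; subclasses override this to write a CSV row via ctx.
    """
    self.check()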
class aut_num(Handle):
  """
  An aut-num object.  Once complete, emits one (maintainer, ASN) row
  to the asns CSV writer on the driver context.
  """

  want_tags = ("aut-num", "mnt-by") # "as-name" not collected

  def set(self, tag, val):
    # The ASN is stored as a bare number, without its "AS" prefix.
    number = val[2:] if (tag == "aut-num" and val.startswith("AS")) else val
    super(aut_num, self).set(tag, number)

  def finish(self, ctx):
    if not self.check():
      return
    ctx.asns.writerow((self["mnt-by"], self["aut-num"]))

class inetnum(Handle):
  """
  An IPv4 inetnum object.  Emits a (netname, range) row to the prefixes
  CSV writer, but only for the statuses listed in want_status.
  """

  want_tags = ("inetnum", "netname", "status") # "mnt-by" not collected

  def finish(self, ctx):
    if not self.check():
      return
    if self["status"] not in self.want_status:
      return
    ctx.prefixes.writerow((self["netname"], self["inetnum"]))

class inet6num(Handle):
  """
  An IPv6 inet6num object.  Emits a (netname, prefix) row to the
  prefixes CSV writer when the object is complete and its status is
  one of want_status.
  """

  want_tags = ("inet6num", "netname", "status") # "mnt-by" not collected

  def finish(self, ctx):
    complete = self.check()
    wanted = complete and self["status"] in self.want_status
    if wanted:
      row = (self["netname"], self["inet6num"])
      ctx.prefixes.writerow(row)

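class main(object):
  """
  Driver: stream the RIPE dump files, feed each complete WHOIS object to
  the Handle subclass for its type, and write asns.csv and prefixes.csv.

  All the work happens in __init__, so instantiating the class runs the
  whole conversion.
  """

  # Maps the object-defining (first) tag of a WHOIS object to the class
  # that handles it.
  types = dict((x.want_tags[0], x) for x in (aut_num, inetnum, inet6num))

  def finish_statement(self, done):
    """
    Flush the buffered "tag: value" statement, if any, into the current
    handle; when done is true, also finish the current object.

    Raises ValueError for a statement with no ":" separator.  This was an
    assert originally, which is stripped under -O and would have let a
    malformed dump line through as a bogus tag.
    """
    if self.statement:
      tag, sep, val = self.statement.partition(":")
      if not sep:
        raise ValueError("Couldn't find separator in %r" % self.statement)
      tag = tag.strip().lower()
      val = val.strip().upper()
      # The first statement of an object decides its type.  Unknown types
      # are marked False so the rest of that object is skipped.
      if self.cur is None:
        self.cur = self.types[tag]() if tag in self.types else False
      if self.cur is not False:
        self.cur.set(tag, val)
    if done:
      if self.cur:
        self.cur.finish(self)
      # Always clear, including the False (unknown type) marker: the
      # original only reset a live handle, so one unrecognised object
      # caused every later object in the same file to be dropped.
      self.cur = None

  filenames = ("ripe.db.aut-num.gz", "ripe.db.inet6num.gz", "ripe.db.inetnum.gz")

  def __init__(self):
    self.asns     = csv_writer("asns.csv")
    self.prefixes = csv_writer("prefixes.csv")
    try:
      for fn in self.filenames:
        f = gzip.open(fn)
        try:
          self.statement = ""
          self.cur = None
          for line in f:
            # Drop "#" comments and the trailing newline.  Lines starting
            # with "+" or whitespace continue the pending statement; note
            # that a run of continuation lines is accumulated without any
            # bound, which is fine for RIPE's dumps but worth knowing if
            # this is ever pointed at a file from a less trusted source.
            line = line.expandtabs().partition("#")[0].rstrip("\n")
            if line and not line[0].isalpha():
              self.statement += line[1:] if line[0] == "+" else line
            else:
              # A blank line ends the object; a tag line ends only the
              # current statement.
              self.finish_statement(not line)
              self.statement = line
          self.finish_statement(True)
        finally:
          f.close()
    finally:
      self.asns.close()
      self.prefixes.close()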

# Runs the conversion at import time as well as when executed directly.
main()