<!doctype html>
<html lang=en>
<meta charset=utf-8>
<title>rpki-client: Features</title>
<meta name="description" content="rpki-client Features">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.rpki-client.org/features.html">
<h2 id=OpenBSD>
<a href="index.html">
<strong>rpki-client</strong></a>
Features
</h2>
<hr>
<p>
The global routing system of the internet consists of a number of
functionally independent actors (Autonomous Systems) which use BGP
(Border Gateway Protocol) to exchange routing information. The system is
very dynamic and flexible by design. Connectivity and routing topologies
are subject to change. Changes easily propagate globally within a few
minutes. One weakness of this system is that these changes cannot be
validated against information existing outside of the BGP protocol
itself.
RPKI is a way to define data in an out-of-band system such that the
information that is exchanged by BGP can be validated to be correct.
RPKI allows holders of internet number resources to make verifiable
statements about how they intend to use their resources. To achieve
this, it uses a public key infrastructure that creates a chain of
resource certificates that follows the same structure as the way IP
addresses and AS numbers are handed down.
<p>
In order to satisfy those requirements, rpki-client has:
<ul>
<li>A simple and easily understandable codebase.
<li>Privilege separation combined with
<a href="https://man.openbsd.org/pledge.2">pledge(2)</a>
to restrict the kernel APIs available to its processes.
<li>Integration of the latest secure API advances from OpenBSD such as
<a href="https://man.openbsd.org/reallocarray.3">reallocarray(3)</a>
(an integer overflow-checking malloc/calloc/realloc replacement) and
<a href="https://man.openbsd.org/explicit_bzero.3">explicit_bzero(3)</a>
(a memory clear that will not be removed by a compiler's dead store
optimization).
</ul>
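<p>
The overflow check that the reallocarray(3) item describes, shown as an added example that is not rpki-client's or OpenBSD's own code. The names checked_reallocarray, grow_table, naive_size and struct prefix_entry are hypothetical, and the record layout is constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* If both operands are below sqrt(SIZE_MAX + 1), the product cannot wrap. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* Hypothetical helper following the reallocarray(3) contract:
 * refuse the request instead of letting nmemb * size wrap around. */
void *
checked_reallocarray(void *ptr, size_t nmemb, size_t size)
{
	if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
	    nmemb > 0 && SIZE_MAX / nmemb < size) {
		errno = ENOMEM;
		return NULL;	/* the old allocation is left untouched */
	}
	return realloc(ptr, nmemb * size);
}

/* Hypothetical record type, constructed for this example. */
struct prefix_entry {
	uint32_t asid;
	uint8_t  addr[16];
	uint8_t  prefixlen;
	uint8_t  maxlen;
};

/* Resize the table to `want` entries. Returns 0 on success, -1 on failure;
 * on failure *tab and *cap still describe the old, valid table. */
int
grow_table(struct prefix_entry **tab, size_t *cap, size_t want)
{
	struct prefix_entry *n;

	n = checked_reallocarray(*tab, want, sizeof(**tab));
	if (n == NULL)
		return -1;
	*tab = n;
	*cap = want;
	return 0;
}

/* What an unchecked malloc(nmemb * size) would be asked for: the product
 * silently wraps, so a huge element count can yield a tiny buffer. */
size_t
naive_size(size_t nmemb, size_t size)
{
	return nmemb * size;
}
```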