Network Policies Towards Software Supply Chain Compromise

• Previous message (by thread): CC: s to Non List Members (Was Re: Making Use of 240/4 NetBlock) Re: 2022031711315.AYC
• Next message (by thread): Ukraine electric grid now synced with Europe grid (year ahead of schedule)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi network operators,

As RPKI validation continues to become increasingly broadly deployed (yay!), I wanted to highlight 
and ask what deployment policies are towards dependency validation and pinning of RPKI validation 
software. For example, routinator's dependency graph is somewhat large, and includes at least one or 
two single-maintainer projects[1] which could inject arbitrary results into the RPKI-based filters.

Certainly routinator is not the only project to fall prey to modern development practices which tend 
to have an exponentially expanding TCB, which makes it a concern that has landed in the laps of 
sysadmins instead of developers.

I assume the large players are considering these issues and taking them into account when deploying, 
eg by writing tools to compare the feeds of multiple RPKI validators and rejecting any differences, 
am I correct in that assumption, and are there any open source projects to do so that smaller 
operators should be looking at using as well?

Matt

[1] eg https://github.com/vorner/log-reroute could edit your RPKI feed if, vorner wanted to.

• Previous message (by thread): CC: s to Non List Members (Was Re: Making Use of 240/4 NetBlock) Re: 2022031711315.AYC
• Next message (by thread): Ukraine electric grid now synced with Europe grid (year ahead of schedule)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]