pmacct / pmacct

pmacct is a small set of multi-purpose passive network monitoring tools [NetFlow IPFIX sFlow libpcap BGP BMP RPKI IGP Streaming Telemetry].

Home Page: http://www.pmacct.net

[RPKI] RPKI version mismatch when TLS for RTR

SanderDelden opened this issue · comments

Description
We are implementing insight into RPKI using PMACCT. When connecting to our Routinator instance (which uses TLS for secure transport), we get an error referring to a version mismatch.

Example nfacctd configuration:

plugins: print[roa]

bgp_daemon: true
nfacctd_port: 5008
rpki_rtr_cache: 172.20.0.20:3323
rpki_rtr_cache_version: 0

aggregate[roa]: dst_roa
print_output_file[roa]: /tmp/pmacct/1m_roa.json
print_output[roa]: json
print_history[roa]: 1m
print_history_roundoff[roa]: m
print_refresh_time[roa]: 60
print_output_file_append[roa]: true

Example docker-compose.yml:

%YAML 1.1
---
version: '3.8'
services:
  nfacctd:
    image: pmacct/nfacctd:bleeding-edge
    volumes:
    - $PWD/pmacct.conf:/etc/pmacct/nfacctd.conf:ro
    networks:
      pmacct_network:
        ipv4_address: 172.20.0.10

  routinator:
    image: nlnetlabs/routinator:v0.13.2
    command: [
    "server",
    "--rtr-tls", "0.0.0.0:3323",
    "--rtr-tls-cert", "/home/routinator/ssl/rtr/routinator-rtr.crt",
    "--rtr-tls-key", "/home/routinator/ssl/rtr/routinator-rtr.key",
    "--http-tls", "0.0.0.0:8323",
    "--http-tls-cert", "/home/routinator/ssl/http/routinator-http.crt",
    "--http-tls-key", "/home/routinator/ssl/http/routinator-http.key"
    ]
    volumes:
    - $PWD/ssl:/home/routinator/ssl:ro
    networks:
      pmacct_network:
        ipv4_address: 172.20.0.20

networks:
  pmacct_network:
    ipam:
      config:
      - subnet: 172.20.0.0/24

When starting the containers the following log entries are observed:

INFO ( default/core/RPKI ): Connected to RTR Cache: 172.20.0.20:3323
WARN ( default/core/RPKI ): rpki_rtr_parse_msg(): RPKI version mismatch (me=0 cache=21)

If we disable the TLS for RTR the error is no longer observed.

Version
We are running 1.7.8, but I've also tested this against the latest bleeding-edge (nfacctd 1.7.10-git (20240308-0 (2901919))) with the same results.

Appreciation
Please consider starring this project to boost our reach on github!

If any additional information is required, please let me know.

pmacct does not support RTR-over-TLS, only plain RTR. As an alternative, you could consider using scp to securely copy a JSON representation of the VRPs to the pmacct box.
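An added diagnostic (not pmacct or Routinator code) showing how the log line above comes about: a plaintext RTR client reads the first byte of whatever the cache sends as the RTR version field, and 21 (0x15) is the TLS record content type for an alert. It assumes the TLS-only listener answered the plaintext Reset Query with a TLS alert record; the byte samples are constructed, not captured.

```python
"""Classify the first bytes a cache sends back as an RTR PDU or a TLS record.

Constructed diagnostic for the "RPKI version mismatch (me=0 cache=21)" symptom:
a plaintext RTR parser takes byte 0 as the protocol version, so a TLS alert
record (content type 0x15 = 21) is reported as "cache=21".
"""
import struct

# RTR PDU header, RFC 6810 (v0) / RFC 8210 (v1): version, type, session id or zero, length
RTR_HEADER = struct.Struct("!BBHI")
RTR_VERSIONS = {0, 1}
RTR_PDU_TYPES = {0: "Serial Notify", 1: "Serial Query", 2: "Reset Query",
                 3: "Cache Response", 4: "IPv4 Prefix", 6: "IPv6 Prefix",
                 7: "End of Data", 8: "Cache Reset", 9: "Router Key",
                 10: "Error Report"}

# TLS record header, RFC 5246 / RFC 8446: content type, legacy version, length
TLS_HEADER = struct.Struct("!BHH")
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def classify_cache_reply(buf: bytes, my_version: int = 0) -> dict:
    """Return the version byte an RTR parser would see plus a verdict on the bytes."""
    if not buf:
        return {"verdict": "empty"}
    seen_version = buf[0]  # the value an RTR parser would compare against my_version
    result = {"seen_version": seen_version, "my_version": my_version}
    if len(buf) >= RTR_HEADER.size and seen_version in RTR_VERSIONS:
        version, pdu_type, _session, length = RTR_HEADER.unpack_from(buf)
        result.update(verdict="rtr", pdu_type=RTR_PDU_TYPES.get(pdu_type, "unknown"),
                      length=length, version_ok=(version == my_version))
        return result
    if len(buf) >= TLS_HEADER.size and seen_version in TLS_CONTENT_TYPES:
        ctype, tls_version, length = TLS_HEADER.unpack_from(buf)
        if 0x0300 <= tls_version <= 0x0304:  # SSL 3.0 .. TLS 1.3 legacy version field
            result.update(verdict="tls", record_type=TLS_CONTENT_TYPES[ctype],
                          tls_version=hex(tls_version), length=length)
            return result
    result["verdict"] = "unknown"
    return result


# Constructed samples: a Cache Reset PDU from a plain RTR v0 cache, and a TLS
# alert record (fatal, unexpected_message) from a TLS-only listener.
RTR_CACHE_RESET = bytes([0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08])
TLS_ALERT = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x0A])

if __name__ == "__main__":
    for name, buf in (("plain RTR cache", RTR_CACHE_RESET), ("TLS-only listener", TLS_ALERT)):
        print(name, classify_cache_reply(buf))
```

Run against a packet capture of the first bytes from the cache; a "tls" verdict with seen_version 21 means the listener is TLS-only and the client is speaking plain RTR, which is a transport mismatch, not a supported-version problem.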

Hi @job

Thanks for the quick reply and clarification. I've created PR #767 to add some information in the documentation regarding this.