This repository has been archived by the owner on Jul 15, 2021. It is now read-only.

Incorrect RTR default port #37

Closed
waehlisch opened this issue Jun 1, 2018 · 2 comments

@waehlisch

The current RTR default port is 8282 but should be 323 (see https://tools.ietf.org/html/rfc6810#section-7)

@timbru

timbru commented Jun 3, 2018

I know, but...

This should have been more clearly documented but we made a choice to use a high port, because using 323 would mean you have to run the process as root and I think that is not best practice.

As far as I know a lot of the router implementations will let you choose a different port.

If you want to use 323 you have a number of options, also highlighted here:
https://blogs.oracle.com/sduloutr/binding-a-server-to-privileged-port-on-linux-wo-running-as-root

  1. Change "rtr.port" to 323 and run as root (not advised)
  2. I read about updating the Linux config to no longer mark 323 as privileged (but I would not recommend it)
  3. Use "setcap" and allow java to bind to port 323 (the validator does not have its own process).
  4. Use "iptables"

Method 4 seems easiest to me as it is explicit and does not involve changing default security settings. You can use the following commands to make this work on Linux:

# Redirect inbound tcp/323 (arriving on eth0) to the port the validator listens on
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 323 -j REDIRECT --to-ports 8282
# Persist the rule; the redirect needs root too, and the path is the RHEL/CentOS location
sudo sh -c 'iptables-save > /etc/sysconfig/iptables'
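To make the three non-root options comparable from a defender's side, here is an added example (not code from the issue thread or from the validator project) of small POSIX shell audit helpers. They check whether a port is privileged on the current kernel (option 2 works by moving the net.ipv4.ip_unprivileged_port_start threshold), whether a getcap listing shows cap_net_bind_service on the Java binary (option 3), and whether an iptables-save dump contains the PREROUTING REDIRECT from 323 to 8282 (option 4). The port numbers follow the thread; the iptables-save and getcap samples are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the issue or the validator project.
# Audit helpers for how tcp/323 (rpki-rtr, RFC 6810 section 7) is reached
# when the validator itself listens on an unprivileged port (8282 here).

RTR_STD_PORT=323
RTR_LISTEN_PORT=8282

# is_privileged PORT [START]: succeeds when PORT is below the privileged
# threshold. START defaults to net.ipv4.ip_unprivileged_port_start when the
# sysctl is readable (option 2 in the thread raises/lowers it), else 1024.
is_privileged() {
    port=$1
    start=${2:-}
    if [ -z "$start" ]; then
        start=1024
        if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
            start=$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start)
        fi
    fi
    [ "$port" -lt "$start" ]
}

# redirect_rule_present SAVE_TEXT FROM TO: succeeds when an iptables-save dump
# contains a nat PREROUTING REDIRECT of tcp/FROM to TO (option 4).
redirect_rule_present() {
    printf '%s\n' "$1" |
        grep -Eq -- "^-A PREROUTING .*-p tcp .*--dport $2 .*-j REDIRECT --to-ports $3\$"
}

# bind_cap_present GETCAP_TEXT: succeeds when getcap output lists
# cap_net_bind_service (both the "= cap_...+ep" and "cap_...=ep" forms match).
bind_cap_present() {
    printf '%s\n' "$1" | grep -q 'cap_net_bind_service'
}

# rtr_access_path SAVE_TEXT GETCAP_TEXT: prints which mechanism exposes
# tcp/323 for the validator, or "none" if neither is configured.
rtr_access_path() {
    if redirect_rule_present "$1" "$RTR_STD_PORT" "$RTR_LISTEN_PORT"; then
        echo "iptables-redirect"
    elif bind_cap_present "$2"; then
        echo "setcap"
    else
        echo "none"
    fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 323 -j REDIRECT --to-ports 8282
COMMIT'
SAMPLE_GETCAP='/usr/lib/jvm/java/bin/java = cap_net_bind_service+ep'

main() {
    echo "tcp/$RTR_STD_PORT privileged (threshold 1024): $(is_privileged "$RTR_STD_PORT" 1024 && echo yes || echo no)"
    echo "access path with sample iptables dump: $(rtr_access_path "$SAMPLE_SAVE" "")"
    echo "access path with sample getcap only:   $(rtr_access_path "" "$SAMPLE_GETCAP")"
}
main
```

On a live host you would feed `rtr_access_path "$(sudo iptables-save)" "$(getcap /path/to/java)"` instead of the samples. The REDIRECT check only proves the rule exists in the PREROUTING chain, which covers traffic arriving from other hosts; a router on the same box would need a matching OUTPUT rule, which is why the setcap route is worth checking as well.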

@waehlisch (Author)

Thanks @timbru.

I understand that you cannot easily use common approaches such as chroot because of Java.

Another Java program that has similar problems is Tomcat, for example. Maybe you can investigate their solution: http://commons.apache.org/proper/commons-daemon/jsvc.html.

In any case, the standard rpki-rtr port is tcp/323. It would be good to have an out-of-the-box-ready setup that does not require NAT or setcap.
