[AFRINIC-announce] Report on the RPKI Incident
For and on Behalf of CEO <ceo at afrinic.net>
Fri Mar 6 12:23:41 UTC 2015
Dear Members,
Please find attached a post-mortem report on the RPKI validation
incident which occurred on the 2nd of March 2015.
*Overview of AFRINIC RPKI System*
AFRINIC's RPKI system, launched on 1st January 2011, is composed of an
offline root CA and a production CA. Both CAs publish objects in the
RPKI repository available at
http://rpki.afrinic.net/ and rsync://rpki.afrinic.net
Like every CA in the RPKI, the offline root CA maintains a CRL and a
manifest for the certificates it manages and the objects in its
repository:
http://rpki.afrinic.net/repository/04E8B0D80F4D11E0B657D8931367AE7D/
As per CA practices, the CRL and manifest are valid for 30 days
(next update time is set to 30 days). Processes and mechanisms have been
put in place to refresh these objects weeks before expiration.
*Description of the incident*
The CRL and manifest of the root CA were refreshed on 01/28/2015
and the next update was set to 03/02/2015, as shown below:
Manifest -------------
Object Type: RPKI Manifest
Signing time: 2015-01-28T08:01:29.000Z
Version: 0
Number: 59
This update time: 2015-01-28T08:01:28.000Z
Next update time: 2015-03-02T08:01:28.000Z
CRL ---------
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=AfriNIC-Root-Certificate
Last Update: Jan 28 08:01:28 2015 GMT
Next Update: Mar 2 08:01:28 2015 GMT
Due to some issues with the internal monitoring system, the refresh task
was missed, and as of 08:01 AM UTC on 03/02/2015 the CRL and manifest
were invalid and therefore the whole AFRINIC RPKI repository became
invalid.
This was the first time this incident occurred since January 2011.
*Actions taken*
The incident was reported by a ticket opened on our support system on
03/02/2014 at 10:30 PM UTC. Investigations confirmed the issue and
immediate corrective measures were taken. At 5:55 AM on 03/03/2015, the
repository was restored to normal mode.
The internal systems and processes have been reviewed and appropriate
measures taken, such as more stringent monitoring, regular system audits,
redundancy, etc., to avoid this in the future.
Questions or comments to rpki-help at afrinic.net
__________
Patrisse Deesse
Interim Chief Executive Officer
AFRINIC Ltd
t: +230 403 5122 | f: +230 466 6758 | tt: @afrinic | w: www.afrinic.net
facebook.com/afrinic | flickr.com/afrinic | youtube.com/afrinicmedia
___________________________
Join us for AIS'15 in Tunisia
24 May to 5 June, 2015
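
A freshness check of the kind the monitoring described in the report needs, written as an added example (not AFRINIC's own tooling): it parses the two dump formats shown in the report and classifies each object by the time left before its next update. The 14-day warning threshold and all function names are assumptions.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Dumps trimmed from the report above (manifest and CRL of the root CA).
MANIFEST_DUMP = """Object Type: RPKI Manifest
This update time: 2015-01-28T08:01:28.000Z
Next update time: 2015-03-02T08:01:28.000Z"""
CRL_DUMP = """Issuer: /CN=AfriNIC-Root-Certificate
Last Update: Jan 28 08:01:28 2015 GMT
Next Update: Mar 2 08:01:28 2015 GMT"""

WARN_BEFORE = timedelta(days=14)  # assumed policy, not from the report
LEVELS = ["OK", "WARNING", "CRITICAL"]  # index doubles as the exit code


def next_update(dump):
    """Return the next-update instant from either dump format, as UTC."""
    m = re.search(r"^\s*Next update time:\s*(\S+)\s*$", dump, re.M)
    if m:  # manifest format: ISO 8601 with milliseconds
        dt = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ")
        return dt.replace(tzinfo=timezone.utc)
    m = re.search(r"^\s*Next Update:\s*(.+?)\s+GMT\s*$", dump, re.M)
    if m:  # CRL text format: "Mar 2 08:01:28 2015 GMT"
        dt = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
        return dt.replace(tzinfo=timezone.utc)
    # A dump without the field must fail loudly, never pass as fresh.
    raise ValueError("no next-update field found")


def check(dump, now, warn_before=WARN_BEFORE):
    """Return (state, time remaining) for one object at instant `now`."""
    remaining = next_update(dump) - now
    if remaining <= timedelta(0):
        return "CRITICAL", remaining  # past next update: the incident state
    if remaining <= warn_before:
        return "WARNING", remaining  # refresh is due, page the operator
    return "OK", remaining


def worst(states):
    """Most severe state in a list, for a single monitoring exit code."""
    return max(states, key=LEVELS.index)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    results = {n: check(d, now) for n, d in
               (("manifest", MANIFEST_DUMP), ("crl", CRL_DUMP))}
    for name, (state, remaining) in results.items():
        print(f"{state} {name}: next update in {remaining}")
    sys.exit(LEVELS.index(worst([s for s, _ in results.values()])))
```

Because the exit code follows the usual 0/1/2 monitoring convention, a check like this can be scheduled from a second, independent system so that a failure of the primary monitoring does not silence it.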