<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Apr 10, 2019, at 7:00 AM, Ben Maddison <<a href="mailto:benm@workonline.africa" class="">benm@workonline.africa</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252" class="">
<div style="font-family: 'Segoe UI',Frutiger,'Frutiger Linotype','Dejavu Sans','Helvetica Neue',Arial,sans-serif; font-size: 14px;" class="">
<div class="hiri-body-wrapper" applecontenteditable="true">
<div class="">Hi Owen,</div>
</div>
<div class="hiri-extra-edited" applecontenteditable="true"><p class="">On 2019-04-10 15:00:28+02:00 Owen DeLong wrote:</p>
<blockquote style="padding-left:10px; border-left:1px solid #ccc; margin:0" class="">
<div class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Apr 10, 2019, at 3:57 AM, Ben Maddison via Community-Discuss <<a href="mailto:community-discuss@afrinic.net" class="">community-discuss@afrinic.net</a>> wrote:</div>
<div class="">
<div style="font-family: 'Segoe UI',Frutiger,'Frutiger Linotype','Dejavu Sans','Helvetica Neue',Arial,sans-serif; font-size: 14px;" class="">
<div class="hiri-body-wrapper" applecontenteditable="true">
<div class="">Hi all,</div>
</div>
<div class="hiri-extra-edited" applecontenteditable="true"><p class="">On 2019-04-10 12:10:22+02:00 Noah wrote:</p>
<blockquote style="padding-left:10px; border-left:1px solid #ccc; margin:0" class="">
<div class="">
<div dir="auto" class="">+1 and Ack @saul</div>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, 10 Apr 2019, 12:57 Saul Stein, <<a href="mailto:saul@enetworks.co.za" class="">saul@enetworks.co.za</a>> wrote:</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="white" lang="EN-ZA" link="blue" vlink="purple" class="">
<div class="m_-4592790368224664121WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d" class="">Agreed.</span></p>
<div class=""><span style="font-size:11.0pt;color:#1f497d" class=""> </span></div><p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d" class="">There is a bigger issue at stake here: I have yet to see any evidence that AFRINIC takes RPKI seriously.</span></p>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br class="">
Until relatively recently, this attitude may have been understandable, since the RPKI was largely a curiosity with almost no impact on operations.<br class="">
This is no longer the case, and all of the RIRs have serious work to do to improve operations in this area. This is clearly the case in this region.</div>
</div>
</div>
</blockquote>
<div class=""></div>
Absent a badly flawed implementation, there’s no serious consequence to an RPKI outage… It merely reverts routing back to it’s previous unauthenticated state.</div>
<div class=""></div>
</div>
</blockquote>
<br class="">
That's not entirely true. A partial outage (where for example a single TAL becomes unverifiable, as in this case) may lead to a missing ROA for a prefix that remains covered by other ROAs issued under other TALs.<br class="">
<br class="">
Consider ROAs:<br class="">
{prefix: 2001:db8::/32, maxLength: 48, asn: 65000, tal: AFRINIC}<br class="">
{prefix: 2001:db8:f00::/48, maxLength: 48, asn: 65001, tal: RIPE}<br class="">
<br class="">
With the above, a route 2001:db8:f00::/48 via 65000_65001 will have a status Valid.<br class="">
If the RIPE TAL fails verification, it will become Invalid.<br class=""></div></div></div></blockquote><div><br class=""></div>If I understand it correctly, however, ALL of the RIRs mirror all of the other RIRs data, so you should be able to get a complete set of data from any RIR. The TAL is very long term cacheable (at least 30 days).</div><div><br class=""></div><div>What happened in this instance wasn’t an issue of the TAL becoming unavailable, but the TAL (and related certificates) going past their expiration date without being renewed.</div><div><br class=""></div><div>Further, absent inter-RIR IPv6 transfers (which to the best of my knowledge are only permitted from RIPE to RIPE), that circumstance cannot occur.</div><div><br class=""><blockquote type="cite" class=""><div class=""><div style="font-family: 'Segoe UI',Frutiger,'Frutiger Linotype','Dejavu Sans','Helvetica Neue',Arial,sans-serif; font-size: 14px;" class=""><div class="hiri-extra-edited" applecontenteditable="true">
This is most certainly a corner case, but is at least theoretically possible given that all RIRs claim 0/0 in their root certs.<br class=""></div></div></div></blockquote><div><br class=""></div>Only if Inter-RIR IPv6 transfers are permitted. So, this is, in fact, a valid argument against a current ARIN proposal to allow such transfers, but in the current instance, it’s not actually a concern.</div><div><br class=""></div><div><blockquote type="cite" class=""><div class=""><div style="font-family: 'Segoe UI',Frutiger,'Frutiger Linotype','Dejavu Sans','Helvetica Neue',Arial,sans-serif; font-size: 14px;" class=""><div class="hiri-extra-edited" applecontenteditable="true">
A more likely scenario is that an existing mis-origination that is being dropped as Invalid suddenly becomes Not Found, and wins path selection, thereby misdirecting traffic.<br class=""></div></div></div></blockquote><div><br class=""></div>I did mention that as a possible consequence below.</div><div><br class=""><blockquote type="cite" class=""><div class=""><div style="font-family: 'Segoe UI',Frutiger,'Frutiger Linotype','Dejavu Sans','Helvetica Neue',Arial,sans-serif; font-size: 14px;" class=""><div class="hiri-extra-edited" applecontenteditable="true">
I'm not aware of any such cases on our network from this last outage, but it's possible that they went undetected. The likelihood of this case increases substantially as more operators begin to drop Invalids.<br class=""></div></div></div></blockquote><div><br class=""></div>My point earlier was that it actually shouldn’t. If there is growth in the number of rejected routes from RPKI, that indicates that</div><div>operators aren’t doing their due diligence when that happens. A route should only be dropped by RPKI for a very short period</div><div>of time while the originating ASN and/or upstreams of the originating ASN are contacted to cease and desist the announcement</div><div>of this route.</div><div><span style="font-family: "Segoe UI", Frutiger, "Frutiger Linotype", "Dejavu Sans", "Helvetica Neue", Arial, sans-serif; font-size: 14px;" class=""> </span><br class=""><blockquote type="cite" class=""><div style="font-family: 'Segoe UI',Frutiger,'Frutiger Linotype','Dejavu Sans','Helvetica Neue',Arial,sans-serif; font-size: 14px;" class=""><div class="hiri-extra-edited" applecontenteditable="true"><blockquote style="padding-left:10px; border-left:1px solid #ccc; margin:0" class="">
<div class="">
<div class=""></div>
<div class="">I’m not convinced that all of the RIRs have serious work to do here. I think some of the RIRs have stable, reliable operations in this regard. I’m not yet convinced that the level of stability in AfriNIC operations here is impactful, let alone seriously
impactful to operations.</div>
</div>
</blockquote>
<blockquote style="padding-left:10px; border-left:1px solid #ccc; margin:0" class="">
<div class="">
<div class=""><span style="font-family: "Segoe UI", Frutiger, "Frutiger Linotype", "Dejavu Sans", "Helvetica Neue", Arial, sans-serif; font-size: 14px;" class=""> </span>
<blockquote type="cite" class="">
<div style="font-family: 'Segoe UI',Frutiger,'Frutiger Linotype','Dejavu Sans','Helvetica Neue',Arial,sans-serif; font-size: 14px;" class="">
<div class="hiri-extra-edited" applecontenteditable="true">
<blockquote style="padding-left:10px; border-left:1px solid #ccc; margin:0" class="">
<div class="">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="white" lang="EN-ZA" link="blue" vlink="purple" class="">
<div class="m_-4592790368224664121WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d" class="">The last issue I had, when no ROAs could be added, deleted etc, it was admitted that the issue was known about for over two weeks without anything on the announce list or being fixed! After escalation
to the CEO and others it was fixed in a couple of hours!</span></p>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br class="">
As an operator community, we need to have a serious conversation about what we expect from afrinic (and the other RIRs). 24x7 availability comes with a price tag, as everyone on this list should be all too aware.</div>
</div>
</blockquote>
<div class=""></div>
Any availability comes with a price tag. The higher the level of availability, the higher the price tag.</div>
<div class="">
<blockquote type="cite" class="">
<div style="font-family: 'Segoe UI',Frutiger,'Frutiger Linotype','Dejavu Sans','Helvetica Neue',Arial,sans-serif; font-size: 14px;" class="">
<div class="hiri-extra-edited" applecontenteditable="true">
It is quite clear however, both from recent experience and from the postmortem below, that the current system is unfit for purpose.</div>
</div>
</blockquote>
<div class=""></div>
Is it? I’m unconvinced at this time…</div>
</div>
</blockquote>
<br class="">
A system, whether human or computerised, that fails to mitigate an impending and predictable failure, and then takes several hours to correct it is, in my book the very definition of unfit for purpose.<br class=""></div></div></blockquote><div><br class=""></div>Not necessarily. It is certainly the definition of a system which can be improved and which has flaws in its inherent design.</div><div><br class=""></div><div><blockquote type="cite" class=""><div style="font-family: 'Segoe UI',Frutiger,'Frutiger Linotype','Dejavu Sans','Helvetica Neue',Arial,sans-serif; font-size: 14px;" class=""><div class="hiri-extra-edited" applecontenteditable="true"><blockquote style="padding-left:10px; border-left:1px solid #ccc; margin:0" class=""><div class=""><div class=""><blockquote type="cite" class=""><div style="font-family: 'Segoe UI',Frutiger,'Frutiger Linotype','Dejavu Sans','Helvetica Neue',Arial,sans-serif; font-size: 14px;" class=""><div class="hiri-extra-edited" applecontenteditable="true"><blockquote style="padding-left:10px; border-left:1px solid #ccc; margin:0" class=""><div class=""><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="white" lang="EN-ZA" link="blue" vlink="purple" class=""><div class="m_-4592790368224664121WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d" class="">RPKI is serious and needs to be taken seriously. We can’t continuously be having issues with it. It is like customs at immigration being offline!</span></p>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
RPKI is operational. I’m not sure how serious it is, as I have trouble taking seriously a system which, at best, tells you what you need to prepend. It’s a nice protection from fat fingers, but, in its current state, it provides little to no protection beyond
that for anyone but the largest operators.</div>
</div>
</blockquote>
<br class="">
Becoming bestpath in a densely-interconnected network using a forged-origin hijack in the face of a ROA that has all it's covered prefixes in the DFZ is actually not trivial, and often not possible, because you loose on path-length.<br class=""></div></div></blockquote><div><br class=""></div>If you’re forging a major provider’s origin AS, sure. If you’re forging a remote single-homed customer of a small rural ISP that buys from a reseller of a reseller of a transit backbone, it gets fairly trivial if you can find a cooperative (or inattentive) network close to a major IX (not so hard currently).</div><div><br class=""></div><div><blockquote type="cite" class=""><div style="font-family: 'Segoe UI',Frutiger,'Frutiger Linotype','Dejavu Sans','Helvetica Neue',Arial,sans-serif; font-size: 14px;" class=""><div class="hiri-extra-edited" applecontenteditable="true">
This is even more true in networks that filter peers and customers by prefix, as you have less chance of exploiting a higher local-pref to overcome path-length.<br class="">
As a result, the protection that OV offers is not meaningless.<br class=""></div></div></blockquote><div><br class=""></div>Yes, but you only need to tie the path length, and you don’t necessarily need to hijack 100% of traffic to achieve a useful result, depending on the goal of your particular hijack.</div><div><br class=""><blockquote type="cite" class=""><div style="font-family: 'Segoe UI',Frutiger,'Frutiger Linotype','Dejavu Sans','Helvetica Neue',Arial,sans-serif; font-size: 14px;" class=""><div class="hiri-extra-edited" applecontenteditable="true">
OV is also a prerequisite for validating the entire path against stated policy, various mechanisms for which are currently WIP in SIDROPS and GROW.<br class=""></div></div></blockquote><div><br class=""></div>Yes, but none of those has much promise of producing a useful result in the foreseeable future. Once they do, then I might consider this serious vs. merely operational.</div><div><span style="font-family: "Segoe UI", Frutiger, "Frutiger Linotype", "Dejavu Sans", "Helvetica Neue", Arial, sans-serif; font-size: 14px;" class=""> </span></div><div><blockquote type="cite" class=""><div style="font-family: 'Segoe UI',Frutiger,'Frutiger Linotype','Dejavu Sans','Helvetica Neue',Arial,sans-serif; font-size: 14px;" class=""><div class="hiri-extra-edited" applecontenteditable="true"><blockquote style="padding-left:10px; border-left:1px solid #ccc; margin:0" class="">
<div class="">
<div class=""></div>
<div class=""></div>
<div class="">Nonetheless, even if one wants to take RPKI seriously, a quick review of the RFCs and IETF guidance on the matter shows that the worst case scenario for an RIR outage on ROA publication should be that routing reverts to its pre-RPKI unauthenticated state.
It should not cause any sort of outage (except to the extent you might start accepting routes you previously rejected).</div>
<div class=""></div>
<div class="">If you’re rejecting routes for RPKI validation failure, you should be tracking down the advertisers and getting those situations corrected. If you’re doing that, then any such outages should be somewhere between minimal and non-existent.</div>
<div class=""></div>
</div>
</blockquote>
If issuing party tools are unavailable to resource holders, they will be unable to effect the correction.<br class=""></div></div></blockquote><div><br class=""></div>True. But it’s going to take longer to get to the point of being ready to make the correction than my understanding of the duration of this outage.</div><div><span style="font-family: "Segoe UI", Frutiger, "Frutiger Linotype", "Dejavu Sans", "Helvetica Neue", Arial, sans-serif; font-size: 14px;" class=""> </span><br class=""><blockquote type="cite" class=""><div style="font-family: 'Segoe UI',Frutiger,'Frutiger Linotype','Dejavu Sans','Helvetica Neue',Arial,sans-serif; font-size: 14px;" class=""><div class="hiri-extra-edited" applecontenteditable="true"><blockquote style="padding-left:10px; border-left:1px solid #ccc; margin:0" class="">
<div class="">
<div class=""></div>
<div class="">Did any packets go the wrong way due to the AfriNIC outage? Was there any actual operational impact?</div>
<div class=""></div>
<div class="">I suspect not. I suspect that this is a lot of handwaving about a non-issue.</div>
<div class=""></div>
</div>
</blockquote>
<br class="">
I suspect some, though certainly few. The same incident at a time when more networks are performing OV could look very different, and I'm simply suggesting that we look closely at the options before that happens.<br class=""></div></div></blockquote><div><br class=""></div>As I understand it, AfriNIC has already modified their human procedures to address exactly this. What am I missing?</div><div><br class=""></div><div>I suspect no actual packets were harmed in the making of this email thread.</div><div><span style="font-family: "Segoe UI", Frutiger, "Frutiger Linotype", "Dejavu Sans", "Helvetica Neue", Arial, sans-serif; font-size: 14px;" class=""> </span><br class=""><blockquote type="cite" class=""><div style="font-family: 'Segoe UI',Frutiger,'Frutiger Linotype','Dejavu Sans','Helvetica Neue',Arial,sans-serif; font-size: 14px;" class=""><div class="hiri-extra-edited" applecontenteditable="true"><blockquote style="padding-left:10px; border-left:1px solid #ccc; margin:0" class="">
<div class="">
<div class=""></div>
<div class="">Don’t get me wrong, I’m all for making AfriNIC’s systems more resilient and more available, but, I think we also need to consider the actual impact of failures and not over-react to failures without impact.</div>
<div class=""></div>
<div class="">Based on the information in the post mortem, it does not look like a systems failure, but purely human error. Taking the humans out of the loop on that monthly maintenance would involve compromising the integrity of the private key and thus reduce the
validity of the RPKI data. As such, I’m not convinced that there is a problem here to solve beyond the procedural changes that AfriNIC says they have already implemented.</div>
<div class=""></div>
</div>
</blockquote>
<br class="">
I'm not arguing for any specific change. I would point out that when there are humans in the system, then a human failure *is* a system failure, and we should be clear on what failure modes can and cannot be tolerated.<br class=""></div></div></blockquote><div><br class=""></div>Yep… And the design specs of RPKI call for this kind of failure to be tolerable. If that’s not acceptable, then go address the RFCs and redesign RPKI to be more resilient.</div><div><br class=""></div><div>Owen</div><div><br class=""></div><br class=""></body></html>