<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Apr 10, 2019, at 3:57 AM, Ben Maddison via Community-Discuss <<a href="mailto:community-discuss@afrinic.net" class="">community-discuss@afrinic.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<div style="font-family: 'Segoe UI',Frutiger,'Frutiger Linotype','Dejavu Sans','Helvetica Neue',Arial,sans-serif; font-size: 14px;" class="">
<div class="hiri-body-wrapper" applecontenteditable="true">
<div class="">Hi all,</div>
</div>
<div class="hiri-extra-edited" applecontenteditable="true"><p class="">On 2019-04-10 12:10:22+02:00 Noah wrote:</p>
<blockquote style="padding-left:10px; border-left:1px solid #ccc; margin:0" class="">
<div class="">
<div dir="auto" class="">+1 and Ack @saul</div>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, 10 Apr 2019, 12:57 Saul Stein, <<a href="mailto:saul@enetworks.co.za" class="">saul@enetworks.co.za</a>> wrote:</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="white" lang="EN-ZA" link="blue" vlink="purple" class="">
<div class="m_-4592790368224664121WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d" class="">Agreed.</span></p><div class=""><span style="font-size:11.0pt;color:#1f497d" class=""> </span><br class="webkit-block-placeholder"></div><p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d" class="">There is a bigger issue at stake here: I have yet to see any evidence that AFRINIC takes RPKI seriously.</span></p>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br class="">
Until relatively recently, this attitude may have been understandable, since the RPKI was largely a curiosity with almost no impact on operations.<br class="">
This is no longer the case, and all of the RIRs have serious work to do to improve operations in this area. This is clearly the case in this region.<br class=""></div></div></div></blockquote><div><br class=""></div>Absent a badly flawed implementation, there’s no serious consequence to an RPKI outage… It merely reverts routing back to its previous unauthenticated state.</div><div><br class=""></div><div>I’m not convinced that all of the RIRs have serious work to do here. I think some of the RIRs have stable, reliable operations in this regard. I’m not yet convinced that the level of stability in AfriNIC operations here is impactful, let alone seriously impactful to operations.</div><div><span style="font-family: 'Segoe UI', Frutiger, 'Frutiger Linotype', 'Dejavu Sans', 'Helvetica Neue', Arial, sans-serif; font-size: 14px;" class=""> </span><br class=""><blockquote type="cite" class=""><div style="font-family: 'Segoe UI',Frutiger,'Frutiger Linotype','Dejavu Sans','Helvetica Neue',Arial,sans-serif; font-size: 14px;" class=""><div class="hiri-extra-edited" applecontenteditable="true"><blockquote style="padding-left:10px; border-left:1px solid #ccc; margin:0" class="">
<div class="">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="white" lang="EN-ZA" link="blue" vlink="purple" class="">
<div class="m_-4592790368224664121WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d" class="">The last issue I had, when no ROAs could be added, deleted, etc., it was admitted that the issue was known about for over two weeks without anything on the announce list or being fixed! After escalation
to the CEO and others it was fixed in a couple of hours!</span></p>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br class="">
As an operator community, we need to have a serious conversation about what we expect from afrinic (and the other RIRs). 24x7 availability comes with a price tag, as everyone on this list should be all too aware.<br class=""></div></div></blockquote><div><br class=""></div>Any availability comes with a price tag. The higher the level of availability, the higher the price tag.</div><div><br class=""><blockquote type="cite" class=""><div style="font-family: 'Segoe UI',Frutiger,'Frutiger Linotype','Dejavu Sans','Helvetica Neue',Arial,sans-serif; font-size: 14px;" class=""><div class="hiri-extra-edited" applecontenteditable="true">
It is quite clear however, both from recent experience and from the postmortem below, that the current system is unfit for purpose.<br class=""></div></div></blockquote><div><br class=""></div>Is it? I’m unconvinced at this time…</div><div><br class=""><blockquote type="cite" class=""><div style="font-family: 'Segoe UI',Frutiger,'Frutiger Linotype','Dejavu Sans','Helvetica Neue',Arial,sans-serif; font-size: 14px;" class=""><div class="hiri-extra-edited" applecontenteditable="true"><blockquote style="padding-left:10px; border-left:1px solid #ccc; margin:0" class=""><div class=""><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="white" lang="EN-ZA" link="blue" vlink="purple" class=""><div class="m_-4592790368224664121WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;color:#1f497d" class="">RPKI is serious and needs to be taken seriously. We can’t continuously be having issues with it. It is like customs at immigration being offline!</span></p></div></div></blockquote></div></div></blockquote></div></div></blockquote>RPKI is operational. I’m not sure how serious it is, as I have trouble taking seriously a system which, at best, tells you what you need to prepend. It’s a nice protection from fat fingers, but, in its current state, it provides little to no protection beyond that for anyone but the largest operators.</div><div><br class=""></div><div>Nonetheless, even if one wants to take RPKI seriously, a quick review of the RFCs and IETF guidance on the matter shows that the worst case scenario for an RIR outage on ROA publication should be that routing reverts to its pre-RPKI unauthenticated state. 
It should not cause any sort of outage (except to the extent you might start accepting routes you previously rejected).</div><div><br class=""></div><div>If you’re rejecting routes for RPKI validation failure, you should be tracking down the advertisers and getting those situations corrected. If you’re doing that, then any such outages should be somewhere between minimal and non-existent.</div><div><br class=""></div><div>Did any packets go the wrong way due to the AfriNIC outage? Was there any actual operational impact?</div><div><br class=""></div><div>I suspect not. I suspect that this is a lot of handwaving about a non-issue.</div><div><br class=""></div><div>Don’t get me wrong, I’m all for making AfriNIC’s systems more resilient and more available, but, I think we also need to consider the actual impact of failures and not over-react to failures without impact.</div><div><br class=""></div><div>Based on the information in the post mortem, it does not look like a systems failure, but purely human error. Taking the humans out of the loop on that monthly maintenance would involve compromising the integrity of the private key and thus reduce the validity of the RPKI data. 
As such, I’m not convinced that there is a problem here to solve beyond the procedural changes that AfriNIC says they have already implemented.</div><div><br class=""></div><div>Owen</div><div><br class=""></div><div><br class=""></div><div><blockquote type="cite" class=""><div style="font-family: 'Segoe UI',Frutiger,'Frutiger Linotype','Dejavu Sans','Helvetica Neue',Arial,sans-serif; font-size: 14px;" class=""><div class="hiri-extra-edited" applecontenteditable="true"><blockquote style="padding-left:10px; border-left:1px solid #ccc; margin:0" class=""><div class=""><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="white" lang="EN-ZA" link="blue" vlink="purple" class=""><div class="m_-4592790368224664121WordSection1"><div class=""><div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm" class=""><p class="MsoNormal"><b class=""><span lang="EN-US" style="font-size:11.0pt;color:windowtext" class="">From:</span></b><span lang="EN-US" style="font-size:11.0pt;color:windowtext" class=""> Mark Tinka [mailto:<a target="_blank" rel="noreferrer" href="mailto:mark.tinka@seacom.mu" class="">mark.tinka@seacom.mu</a>]<br class="">
<b class="">Sent:</b> 10 April 2019 08:32 AM<br class="">
<b class="">To:</b> <a target="_blank" rel="noreferrer" href="mailto:community-discuss@afrinic.net" class="">
community-discuss@afrinic.net</a><br class="">
<b class="">Subject:</b> Re: [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report</span></p>
</div>
</div><div class=""><span lang="EN-GB" class=""> </span><br class="webkit-block-placeholder"></div><p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-GB" style="font-family:'Tahoma',sans-serif" class="">Thanks, Cedrick.<br class="">
<br class="">
A question that is, perhaps, obvious... are you able to take the human component out of this? If 2 reminders were not enough to get the humans to act, I'm not sure the current methodology is sustainable.<br class="">
<br class="">
Mark.</span></p>
<div class=""><p class="MsoNormal"><span lang="EN-GB" class="">On 8/Apr/19 17:46, Cedrick Adrien Mbeyet wrote:</span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" class=""><p class="MsoNormal"><span lang="EN-US" class="">Dear AFRINIC community,</span></p><div class=""><span lang="EN-GB" class=""> </span><br class="webkit-block-placeholder"></div><p class="MsoNormal"><span lang="EN-US" class="">Find below the postmortem report on the incident that happened on 06 April 2019.
</span></p><div class=""><span lang="EN-US" class=""> </span><br class="webkit-block-placeholder"></div><p class="MsoNormal"><span lang="EN-US" class="">The AFRINIC RPKI engine has an offline part that has to be renewed on a monthly basis. The process is known and documented, and automated reminders are set. The system is set to send 2 reminders each month, one 15 days prior
to the expiry date and the second 7 days before expiry. In the 2nd half of March, the monitoring system sent a reminder to perform the offline refresh, but this was not acted upon.
</span></p><div class=""><span lang="EN-US" class=""> </span><br class="webkit-block-placeholder"></div><div class=""><span lang="EN-US" class=""> </span><br class="webkit-block-placeholder"></div><p class="MsoNormal"><span lang="EN-US" class="">On Saturday 06 April 2019, the Certificate Revocation List (CRL) and the manifest file of the AFRINIC RPKI repository expired (around 07:24 AM UTC). Our monitoring system picked this up. The immediate action was to generate new
certificates and a manifest file and upload them onto the RPKI engine system.</span></p><div class=""><span lang="EN-US" class=""> </span><br class="webkit-block-placeholder"></div><p class="MsoNormal"><span lang="EN-US" class="">The failure was a result of human error; no changes were made on the system, but we have added steps to the existing process to ensure that this does not happen again. We do acknowledge that it is unacceptable
to have such a failure with critical infrastructure, and the necessary has been done in this regard.
</span></p><div class=""><span lang="EN-US" class=""> </span><br class="webkit-block-placeholder"></div><div class=""><span lang="EN-US" class=""> </span><br class="webkit-block-placeholder"></div><p class="MsoNormal"><span lang="EN-US" class="">We do apologize for the inconvenience caused and thank you for your patience in this regard.</span><span lang="EN-US" class="">
</span></p>
<pre class="">-- </pre>
<pre class="">_______________________________________________________________</pre>
<pre class="">Cedrick Adrien Mbeyet </pre>
<pre class="">Infrastructure Unit Manager, AFRINIC Ltd.</pre>
<pre class="">t: +230 403 5100 / 403 5115 | f: +230 466 6758 | tt: @afrinic | w: <a target="_blank" rel="noreferrer" href="http://www.afrinic.net/" class="">www.afrinic.net</a></pre>
<pre class=""><a target="_blank" rel="noreferrer" href="http://facebook.com/afrinic" class="">facebook.com/afrinic</a> | <a target="_blank" rel="noreferrer" href="http://flickr.com/afrinic" class="">flickr.com/afrinic</a> | <a target="_blank" rel="noreferrer" href="http://youtube.com/afrinicmedia" class="">youtube.com/afrinicmedia</a></pre>
<pre class="">______________________________________________________</pre>
<pre class=""></pre>
</blockquote><div class=""><span style="font-family:'Times New Roman',serif" class=""> </span><br class="webkit-block-placeholder"></div>
</div>
</div>
_______________________________________________<br class="">
Community-Discuss mailing list<br class="">
<a target="_blank" rel="noreferrer" href="mailto:Community-Discuss@afrinic.net" class="">Community-Discuss@afrinic.net</a><br class="">
<a rel="noreferrer noreferrer" target="_blank" href="https://lists.afrinic.net/mailman/listinfo/community-discuss" class="">https://lists.afrinic.net/mailman/listinfo/community-discuss</a></blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote></div><br class=""></body></html>