[rpd] RPKI ROAs for Unallocated and Unassigned AFRINIC Address Space AFPUB-2019-GEN-006-DRAFT02

Amreesh Phokeer amreesh at afrinic.net
Fri Sep 18 09:38:54 UTC 2020


hi Nishal ;-)


> On 18 Sep 2020, at 02:26, rpd-request at afrinic.net wrote:
>
> fwiw, i *have* tested revocation propagation times earlier this year.
> we even found a bug with the RPKI system, for ROAs that had expiry dates
> set after 2050 (hi amreesh! :-)). my measurement time, between
> revocation of the offensive ROA, (funnily enough, it was an AS0 ROA) and
> the time that my nine relying party caches spread across south africa,
> mauritius, zimbabwe and tanzania updated, was well less than twenty
> minutes at worst. in fact, 8/9 of them, refreshed accurately within 600
> seconds (10 minutes) which is the rfc8210 default. i could probably have
> made that shorter, but i am too lazy to change default settings.


The propagation time is affected by the following:
1. The time it takes for a change to appear in the AFRINIC RPKI repository
2. The time it takes for the validator software to update the VRP list
3. The time it takes for the relying party (your router) to fetch the VRP list from the validator

For 1:
The AFRINIC RPKI repository is refreshed every 1 minute.

For 2:
- Routinator, the most used validator, has a default value of 600s (10 mins)
- OctoRPKI has a default of 20 mins
- rpki-client, OpenBSD recommends every hour using a cronjob
- RIPE RPKI has a default of 10 mins for rsync and 2 mins for RRDP

For 3:
rfc8210 recommends a minimum of 1s to a maximum of 84600s (1 day) with a recommended refresh rate at 3600s (10 mins)
- On Juniper: default 300s
- On Cisco: typically 600s

2 and 3 are configurable. So best case it can be less than 5 minutes and worst case it would be 1 day.


Amreesh
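
The three stages listed in the message can be modelled as a chain of independent periodic pollers, where each stage only sees a change at its next poll after the previous stage has it. The sketch below is an added example, not part of the original message or of any validator's code; it assumes pure polling with no push notification between stages, ignores fetch and validation time, and uses the 60 s, 600 s and 300 s intervals quoted above. All function names are hypothetical.

```python
import itertools

def next_poll(t, interval, phase):
    """First poll time >= t for a poller firing at phase + k*interval (integer seconds)."""
    k = -((phase - t) // interval)  # integer ceil((t - phase) / interval)
    return phase + k * interval

def propagation_delay(t_change, stages):
    """Seconds until the last stage has seen a change made at t_change.
    stages: (interval_s, phase_s) pairs in pipeline order
    (repository publish, validator refresh, router fetch)."""
    t = t_change
    for interval, phase in stages:
        t = next_poll(t, interval, phase)
    return t - t_change

def sweep(intervals, steps=20):
    """Try `steps` evenly spaced phase offsets per stage and
    return the (min, mean, max) end-to-end delay in seconds."""
    grids = [range(0, T, T // steps) for T in intervals]
    delays = [propagation_delay(0, list(zip(intervals, phases)))
              for phases in itertools.product(*grids)]
    return min(delays), sum(delays) / len(delays), max(delays)

# Intervals quoted in the message: repository 60 s, Routinator 600 s, Juniper 300 s.
DEFAULTS = (60, 600, 300)

if __name__ == "__main__":
    lo, mean, hi = sweep(DEFAULTS)
    print(f"min={lo}s mean={mean:.0f}s max={hi}s bound={sum(DEFAULTS)}s")
```

Under this model the delay depends on how the three timers happen to be aligned: it can be zero when every poll lines up, and it stays below the sum of the three intervals.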