[RPKI-Discuss] [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

[Mark Tinka]

On 10/Apr/19 14:59, Owen DeLong wrote:

>
> RPKI is operational. I’m not sure how serious it is, as I have trouble
> taking seriously a system which, at best, tells you what you need to
> prepend. It’s a nice protection from fat fingers, but, in its current
> state, it provides little to no protection beyond that for anyone but
> the largest operators.
>
> Nonetheless, even if one wants to take RPKI seriously, a quick review
> of the RFCs and IETF guidance on the matter shows that the worst case
> scenario for an RIR outage on ROA publication should be that routing
> reverts to its pre-RPKI unauthenticated state. It should not cause any
> sort of outage (except to the extent you might start accepting routes
> you previously rejected).
>
> If you’re rejecting routes for RPKI validation failure, you should be
> tracking down the advertisers and getting those situations corrected.
> If you’re doing that, then any such outages should be somewhere
> between minimal and non-existent.
>
> Did any packets go the wrong way due to the AfriNIC outage? Was there
> any actual operational impact?
>
> I suspect not. I suspect that this is a lot of handwaving about a
> non-issue.
>
> Don’t get me wrong, I’m all for making AfriNIC’s systems more
> resilient and more available, but, I think we also need to consider
> the actual impact of failures and not over-react to failures without
> impact.

I, for one, need to gain operational experience about RPKI, and start to
form some BCP's that will be helpful in the coming months/years.

RPKI is here (like IPv6 and DNSSEC), so the time to argue its merits is
long gone. One is welcome not to use it if they so wish, but for those
that want to, we can only gain experience when the base system is stable
and free of simple, reasonably avoidable errors.

Mark.