[RPKI-Discuss] AFRINIC now supports RFC 8182 (RPKI Repository Delta Protocol)

Ben Maddison benm at workonline.africa
Wed Apr 1 11:35:18 UTC 2020


Hi Amreesh,

On Tue, 2020-03-31 at 21:22 +0400, Amreesh Phokeer wrote:
> Hi Ben,
>
> > On 31 Mar 2020, at 16:36, Ben Maddison <benm at workonline.africa> wrote:
> >
> > Thanks for the post-mortem, that certainly makes sense.
> > Reading https://github.com/RIPE-NCC/rpki-validator-3/issues/161, it
> > appears that the same manifest URI was accidentally placed into the SIA
> > extension of multiple resource certs. Is that correct?
>
> Yes that’s correct, the same URI was placed on different master
> certificates. Each master certificate must have its own manifest URI.
> This meant that the whole tree below the master certificates couldn’t be
> retrieved, hence the outage.
>

Ack. Thanks.

> >
> > As I noted on yesterday's thread, our RIPE validators were blissfully
> > unaware that anything was amiss! If the above is correct, then it's
> > kinda bizarre that it didn't break.
>
> Yes that’s right, we also did not see any errors coming from the RIPE
> validators but rcynic and routinator complained. I suspect RIPE caches the
> last “consistent” state and keeps it so until the manifest/crl expire? not
> quite sure...
>

Maybe. I don't get how it doesn't at least warn in that scenario.
Anyhoo...

> >
> > > We will ensure that extra precautionary measures are taken to ensure
> > > seamless RPKI deployment in the future, knowing the criticality of
> > > the system. Please note that deployment was done under special
> > > circumstances where access to our offline system was limited to one
> > > staff due to the ongoing curfew in Mauritius. The rest of the
> > > deployment team was remote.
> > >
> >
> > What kind of precautions do you have in mind?
>
> We are planning to add an intermediary repository that would be hidden to
> the public. The hidden repo will be synced to the public one but the
> synchronisation can be stopped during a deployment process. We can then
> validate the hidden repo before pushing to the public one.
>

That's an interesting choice. Why not something more atomic, like
writing to a staging directory, testing, and then flipping a symlink?
The additional sync seems to me to be another opportunity to introduce
inconsistency.


> > I'd like to know what this type of activity *should* look like going
> > forward, so that we can distinguish intentional operational actions
> > from outages.
>
> Any similar future activity will be communicated to the members
> beforehand.
>

Thanks, that's appreciated by everyone, I'm sure.
But my question was more about understanding what externally observable
state (or lack of state) should be expected during a maintenance like
this, so that we can all ensure our RPs behave sensibly in that state.

Cheers,

Ben
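
Added example, not part of the thread and not AFRINIC's tooling: a sketch of the staging-directory-then-symlink-flip publish suggested in the message above, gated on a check for the fault discussed earlier in the thread (one manifest URI shared by several CA certificates). The certificate names, example.net URIs, directory layout and function names are assumptions, and the check takes an already extracted certificate-to-manifest-URI mapping rather than parsing certificates.

```python
import os
import tempfile
from collections import defaultdict


def duplicate_manifest_uris(sia_manifests):
    """Return {manifest_uri: [cert names]} for each URI claimed by more than one cert."""
    owners = defaultdict(list)
    for cert, uri in sia_manifests.items():
        owners[uri].append(cert)
    return {uri: sorted(certs) for uri, certs in owners.items() if len(certs) > 1}


def publish(root, staged, sia_manifests, link_name="current"):
    """Point root/link_name at the staged tree, but only if the check passes.

    The switch is a rename of a freshly created symlink over the old one, so
    anything resolving the link gets the old tree or the new one, never neither.
    """
    clashes = duplicate_manifest_uris(sia_manifests)
    if clashes:
        raise ValueError(f"refusing to publish, shared manifest URIs: {clashes}")
    link = os.path.join(root, link_name)
    tmp = os.path.join(root, f".{link_name}.tmp.{os.getpid()}")
    os.symlink(staged, tmp)   # relative target, resolved against root
    os.replace(tmp, link)     # rename(2): replaces the link itself, atomically
    return os.readlink(link)


def demo():
    # Constructed sample data: hypothetical cert names and example.net URIs.
    good = {"ca-a.cer": "rsync://rpki.example.net/repo/a/a.mft",
            "ca-b.cer": "rsync://rpki.example.net/repo/b/b.mft"}
    bad = {**good, "ca-b.cer": good["ca-a.cer"]}  # both certs name a.mft
    with tempfile.TemporaryDirectory() as root:
        for name in ("release-1", "release-2", "release-3"):
            os.mkdir(os.path.join(root, name))
        first = publish(root, "release-1", good)
        try:
            publish(root, "release-2", bad)
            rejected = False
        except ValueError:
            rejected = True
        after_reject = os.readlink(os.path.join(root, "current"))
        final = publish(root, "release-3", good)
    return first, rejected, after_reject, final


if __name__ == "__main__":
    print(demo())
```

A rejected release leaves the public link pointing at the previous tree, so the published state only ever moves between trees that passed the check.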


