[RPKI-Discuss] AFRINIC now supports RFC 8182 (RPKI Repository Delta Protocol)
benm at workonline.africa
Wed Apr 1 11:35:18 UTC 2020
On Tue, 2020-03-31 at 21:22 +0400, Amreesh Phokeer wrote:
> Hi Ben,
> > On 31 Mar 2020, at 16:36, Ben Maddison <benm at workonline.africa> wrote:
> > Thanks for the post-mortem, that certainly makes sense.
> > Reading https://github.com/RIPE-NCC/rpki-validator-3/issues/161, it
> > appears that the same manifest URI was accidentally placed into the SIA
> > extension of multiple resource certs. Is that correct?
> Yes that’s correct, the same URI was placed on different master certificates.
> Each master certificate must have their own manifest URI. This meant that the
> whole tree below the master certificates couldn’t be retrieved, hence the outage.
> > As I noted on yesterday's thread, our RIPE validators were blissfully
> > unaware that anything was amiss! If the above is correct, then it's
> > kinda bizarre that it didn't break.
> Yes that’s right, we also did not see any errors coming from the RIPE validators but
> rcynic and routinator complained. I suspect RIPE caches the last “consistent” state
> and keeps it so until the manifest/CRL expire? Not quite sure...
Maybe. I don't get how it doesn't at least warn in that scenario.
> > > We will ensure that extra precautionary measures are taken to ensure
> > > seamless RPKI deployment in the future, knowing the criticality of
> > > the system. Please note that deployment was done under special
> > > circumstances where access to our offline system was limited to one
> > > staff due to the ongoing curfew in Mauritius. The rest of the
> > > deployment team was remote.
> > >
> > What kind of precautions do you have in mind?
> We are planning to add an intermediary repository that would be hidden to the public.
> The hidden repo will be synced to the public one but the synchronisation can be stopped
> during a deployment process. We can then validate the hidden repo before pushing to the
> public one.
That's an interesting choice. Why not something more atomic, like
writing to a staging directory, testing, and then flipping a symlink?
The additional sync seems to me to be another opportunity to introduce
> > I'd like to know what this type of activity *should* look like going
> > forward, so that we can distinguish intentional operational actions
> > from outages.
> Any similar future activity will be communicated to the members
Thanks, that's appreciated by everyone, I'm sure.
But my question was more about understanding what externally observable
state (or lack of state) should be expected during a maintenance like
this, so that we can all ensure our RPs behave sensibly in that state.