[RPKI-Discuss] AFRINIC now supports RFC 8182 (RPKI Repository Delta Protocol)

Amreesh Phokeer amreesh at afrinic.net
Tue Mar 31 17:22:52 UTC 2020


Hi Ben,


> On 31 Mar 2020, at 16:36, Ben Maddison <benm at workonline.africa> wrote:
>
> Thanks for the post-mortem, that certainly makes sense.
> Reading https://github.com/RIPE-NCC/rpki-validator-3/issues/161, it
> appears that the same manifest URI was accidentally placed into the SIA
> extension of multiple resource certs. Is that correct?


Yes, that’s correct: the same URI was placed on different master certificates. Each master
certificate must have its own manifest URI. This meant that the whole tree below the
master certificates couldn’t be retrieved, hence the outage.


>
> As I noted on yesterday's thread, our RIPE validators were blissfully
> unaware that anything was amiss! If the above is correct, then it's
> kinda bizarre that it didn't break.


Yes, that’s right; we also did not see any errors coming from the RIPE validators, but
rcynic and routinator complained. I suspect RIPE caches the last “consistent” state
and keeps it so until the manifest/CRL expire? Not quite sure...


>
>> We will ensure that extra precautionary measures are taken to ensure
>> seamless RPKI deployment in the future, knowing the criticality of
>> the system. Please note that deployment was done under special
>> circumstances where access to our offline system was limited to one
>> staff due to the ongoing curfew in Mauritius. The rest of the
>> deployment team was remote.
>>
> What kind of precautions do you have in mind?


We are planning to add an intermediary repository that would be hidden from the public.
The hidden repo will be synced to the public one, but the synchronisation can be stopped during a
deployment process. We can then validate the hidden repo before pushing to the public one.


> I'd like to know what this type of activity *should* look like going
> forward, so that we can distinguish intentional operational actions
> from outages.


Any similar future activity will be communicated to the members beforehand.

Regards,
Amreesh
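The failure described in this thread (one manifest URI placed in the SIA extension of several CA certificates) is cheap to catch before publication, and is the kind of check a staging ("hidden") repository step can run. The script below is an added example and is not AFRINIC's code nor part of any RPKI tool; it assumes the raw DER value of each certificate's SubjectInformationAccess extension has already been extracted by some other means, parses the AccessDescription entries with a minimal DER reader, and reports any id-ad-rpkiManifest URI shared by more than one certificate. The sample certificates, repository hostname and URIs are constructed for the example; `encode_sia` exists only to build that sample input.

```python
"""Check that every CA certificate in a publication set has a unique id-ad-rpkiManifest SIA URI.

Added example: minimal DER handling for the SIA extension (RFC 5280 AccessDescription,
RFC 6487 access methods). All sample data below is constructed.
"""
from collections import defaultdict

ID_AD_CA_REPOSITORY = "1.3.6.1.5.5.7.48.5"   # RFC 6487 id-ad-caRepository
ID_AD_RPKI_MANIFEST = "1.3.6.1.5.5.7.48.10"  # RFC 6487 id-ad-rpkiManifest


# --- DER encoding helpers (used only to construct sample input) -----------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _der_tlv(0x06, bytes(body))


def encode_sia(descs):
    """descs: list of (access-method OID, rsync URI) -> DER SubjectInformationAccess value."""
    entries = b"".join(
        _der_tlv(0x30, _encode_oid(oid) + _der_tlv(0x86, uri.encode("ascii")))  # [6] IA5String
        for oid, uri in descs
    )
    return _der_tlv(0x30, entries)


# --- DER decoding -----------------------------------------------------------------
def _read_tlv(buf: bytes, pos: int):
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                    # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_sia(der: bytes):
    """Parse a DER SubjectInformationAccess value into [(oid, uri), ...]."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SIA is not a single SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        t, desc, pos = _read_tlv(body, pos)
        if t != 0x30:
            raise ValueError("AccessDescription is not a SEQUENCE")
        otag, oid_body, p = _read_tlv(desc, 0)
        ltag, loc, _ = _read_tlv(desc, p)
        if otag != 0x06 or ltag != 0x86:   # only uniformResourceIdentifier locations are valid here
            raise ValueError("unexpected AccessDescription encoding")
        out.append((_decode_oid(oid_body), loc.decode("ascii")))
    return out


def manifest_uris(sia_der: bytes):
    return [uri for oid, uri in decode_sia(sia_der) if oid == ID_AD_RPKI_MANIFEST]


def find_shared_manifest_uris(certs):
    """certs: {cert name: SIA DER}. Returns {manifest URI: [names]} for URIs used by >1 cert."""
    owners = defaultdict(list)
    for name, der in certs.items():
        for uri in manifest_uris(der):
            owners[uri].append(name)
    return {uri: names for uri, names in owners.items() if len(names) > 1}


# Constructed sample: ca-b accidentally carries ca-a's manifest URI (the copy/paste error
# discussed in the thread); the hostname is a placeholder.
SAMPLE_CERTS = {
    "ca-a": encode_sia([(ID_AD_CA_REPOSITORY, "rsync://rpki.example.net/repo/ca-a/"),
                        (ID_AD_RPKI_MANIFEST, "rsync://rpki.example.net/repo/ca-a/ca-a.mft")]),
    "ca-b": encode_sia([(ID_AD_CA_REPOSITORY, "rsync://rpki.example.net/repo/ca-b/"),
                        (ID_AD_RPKI_MANIFEST, "rsync://rpki.example.net/repo/ca-a/ca-a.mft")]),
    "ca-c": encode_sia([(ID_AD_CA_REPOSITORY, "rsync://rpki.example.net/repo/ca-c/"),
                        (ID_AD_RPKI_MANIFEST, "rsync://rpki.example.net/repo/ca-c/ca-c.mft")]),
}

if __name__ == "__main__":
    for uri, names in find_shared_manifest_uris(SAMPLE_CERTS).items():
        print(f"REJECT publication: manifest {uri} referenced by {', '.join(names)}")
```

Run as a gate between the staging repository and the public one: a non-empty result means the set of certificates about to be published would make every validator that honours the manifest (rcynic, routinator) drop the subtree, and the push should be stopped.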



