Re: [Sidrops] nlnet rp and rsync

Martin Hoffmann <> Tue, 12 May 2020 09:53 UTC

Date: Tue, 12 May 2020 11:53:06 +0200
From: Martin Hoffmann <>
To: Randy Bush <>
Cc: Russ Housley <>, SIDR Operations WG <>
Organization: Open Netlabs

Randy Bush wrote:
> rrdp is more fragile.  e.g. the nlnet labs client (rightly, imiho)
> checks the full certificate chain.  if any piece of the chain expires,
> is CRLed, ... the client does not go to rsync.  bam!

I would argue that operating an rsync server is much more fragile in
practice, simply because operators have much less experience with it,
as opposed to keeping an HTTPS server up and running, which is
absolutely essential to each and every Internet operation now.

If a certificate appears on a CRL, there is probably a good reason for
it and perhaps the service shouldn’t be trusted anymore.

> falling back to rsync is not a 'downgrade' in that the rpki uses an
> object, not transport, security model.

It has been demonstrated that by maliciously withholding RPKI objects
you can cause damage to the routing system, so we should perhaps
revisit the choice of not relying on transport security.

> the goal in rrdp was to make the rpki more, not less reliable.  we
> found the nlnet labs misfeature in the wild when CA data were no
> longer fetched.  imiho not good.

Was that a permanent issue or did the CA in question fix their RRDP
service in due time? From what I am seeing, the current shift to reject
stale manifests and CRLs will cause many more issues.

Kind regards,
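The two relying-party behaviours argued about in this thread (whether a failed RRDP fetch falls back to rsync, and whether a repository whose manifest or CRL is past its nextUpdate is still used) can be made concrete with a small policy model. The following is an added example written for this archive page; it is not code from the thread, from NLnet Labs or from any real RPKI validator. The repository names, the `TlsState` enum, the `fetch` and `compare_policies` functions and the reference time are all constructed for illustration, and "RRDP unusable" is modelled only as the server's TLS chain failing validation, which is how this reader understands the quoted description.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class TlsState(Enum):
    """Outcome of validating the RRDP (HTTPS) server's certificate chain. Constructed."""
    OK = "chain valid"
    EXPIRED = "a chain certificate has expired"
    REVOKED = "a chain certificate is on a CRL"
    UNREACHABLE = "no TLS connection"


@dataclass
class Repository:
    name: str
    rrdp_tls: TlsState              # result of checking the RRDP server's TLS chain
    rsync_available: bool           # does the publication point's rsync server answer?
    manifest_next_update: datetime  # nextUpdate of the repository's manifest
    crl_next_update: datetime       # nextUpdate of the repository's CRL


@dataclass
class FetchResult:
    transport: Optional[str]   # "rrdp", "rsync" or None when nothing could be fetched
    objects_usable: bool       # would the RP use the fetched objects for validation?
    reason: str


def fetch(repo: Repository, now: datetime,
          fallback_to_rsync: bool, reject_stale: bool) -> FetchResult:
    """Model one RP's decision for one repository under a given policy."""
    # Step 1: transport selection. RRDP is preferred; rsync only if policy allows.
    if repo.rrdp_tls is TlsState.OK:
        transport = "rrdp"
    elif fallback_to_rsync and repo.rsync_available:
        transport = "rsync"
    else:
        return FetchResult(None, False,
                           f"RRDP unusable ({repo.rrdp_tls.value}) and no rsync fallback")

    # Step 2: freshness of the signed objects, independent of how they were fetched.
    stale = [what for what, t in (("manifest", repo.manifest_next_update),
                                  ("CRL", repo.crl_next_update)) if t < now]
    if not stale:
        return FetchResult(transport, True, f"fetched over {transport}; manifest and CRL current")
    what = " and ".join(stale)
    if reject_stale:
        return FetchResult(transport, False, f"fetched over {transport} but stale {what} rejected")
    return FetchResult(transport, True, f"fetched over {transport}; stale {what} accepted with warning")


# Constructed reference time and repositories (not real CAs).
NOW = datetime(2020, 5, 12, 10, 0, tzinfo=timezone.utc)
EXPIRED_CHAIN = Repository("ca-a.example (constructed)", TlsState.EXPIRED, True,
                           NOW + timedelta(days=1), NOW + timedelta(days=1))
STALE_CRL = Repository("ca-b.example (constructed)", TlsState.OK, True,
                       NOW + timedelta(days=1), NOW - timedelta(hours=6))


def compare_policies(repo: Repository, now: datetime = NOW) -> dict:
    """Run the three policy combinations discussed in the thread against one repository."""
    return {
        "strict":   fetch(repo, now, fallback_to_rsync=False, reject_stale=True),
        "fallback": fetch(repo, now, fallback_to_rsync=True,  reject_stale=True),
        "lenient":  fetch(repo, now, fallback_to_rsync=True,  reject_stale=False),
    }


if __name__ == "__main__":
    for repo in (EXPIRED_CHAIN, STALE_CRL):
        for policy, r in compare_policies(repo).items():
            print(f"{repo.name:28} {policy:9} {str(r.transport):6} usable={r.objects_usable}  {r.reason}")
```

Running it shows the two failure modes side by side: for the repository whose RRDP TLS chain has expired, only the policies that fall back to rsync yield usable objects, while for the repository with a stale CRL the transport is fine and it is the freshness rule alone that decides whether its objects are used. An operator reading the output can see that the manifest/CRL freshness rule bites regardless of transport, which is the point of the last paragraph above.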