Re: [Sidrops] Reason for Outage report (was: Re: ARIN RPKI Service Impact - 12 August 2020 - manifest issue - resolved)

Martin Hoffmann <martin@opennetlabs.com> Wed, 26 August 2020 18:24 UTC

Date: Wed, 26 Aug 2020 20:24:42 +0200
From: Martin Hoffmann <martin@opennetlabs.com>
To: Job Snijders <job@ntt.net>
Cc: John Curran <jcurran@arin.net>, "sidrops@ietf.org" <sidrops@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/7JxOCNBvYbwDHL7hcPHsfvxto0Q>

Job Snijders wrote:
> 
> The current versions of routinator and ripe ncc's validator have weak
> (lacking) support for manifest handling, there are other issues in
> both softwares that don't yield errors where they should yield errors
> related to manifest handling. Neither implementation handles
> manifests correctly at the moment, so neither software currently can
> be used to confirm the correct publication of manifest related
> data. :-(

To the best of my knowledge, Routinator and the RIPE NCC RPKI Validator
handle manifests according to the specifications laid out in the
relevant standards track IETF documents. I assume that you are referring
to your assessment that all objects published by a CA should be
discarded if any inconsistencies are discovered. While such behaviour
is certainly acceptable under the current specification, not doing so
does not constitute incorrect handling of manifests.

Given that this topic is currently discussed in this very working
group and there wasn’t outright consensus on how software should behave
in these cases, it seems only prudent to delay modifications until
after such consensus has been achieved.

If you have information about other issues these software packages
have with regard to manifest handling -- as you seem to imply there
are multiple issues --, I am sure the maintainers would like to hear
about them.

Regards,
Martin