Re: [Sidrops] RPKI Outage Post-Mortem

Tony Tauber <ttauber@1-4-5.net> Fri, 08 January 2021 15:34 UTC

To: Nathalie Trenaman <nathalie@ripe.net>
Cc: SIDR Operations WG <sidrops@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Ale5sNvdBuUPfnOEv6km5f94dts>

On Fri, Jan 8, 2021 at 8:56 AM Nathalie Trenaman <nathalie@ripe.net> wrote:
<snip>

> Some older Relying Parties had applied a strict manifest handling
> interpretation in their validator software. This meant that they were
> configured to reject all certificates in the manifest if a single entry was
> invalid. As a consequence, all RPKI certificates covering RIPE resources
> were rejected by these validators during this period.
>
> Based on our access logs, we estimate that 327 instances of Relying Party
> software were impacted.
>

Hi Nathalie,

Thank you for the detailed write-up.

I'm curious how you arrived at this estimate of "...327 instances impacted"?

I'm guessing many more instances are out there querying RIPE's repository,
even w/in the outage window.
But maybe I'm mistaken?

Tony
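
The strict versus lenient manifest handling described in the quoted post-mortem, as an added example that is not part of the original message or of any Relying Party software. It is a simplified model: an "invalid entry" is a listed file that is missing or whose SHA-256 digest differs from the manifest's file list, signature and certificate checks are left out, and all file names and contents are constructed.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_manifest(manifest: dict, fetched: dict, strict: bool):
    """Return (accepted_names, problems) for one publication point.

    manifest: file name -> expected SHA-256 hex digest (the manifest's file list)
    fetched:  file name -> bytes actually retrieved from the repository
    """
    accepted, problems = [], []
    for name, expected in sorted(manifest.items()):
        data = fetched.get(name)
        if data is None:
            problems.append((name, "listed but missing"))
        elif sha256(data) != expected:
            problems.append((name, "hash mismatch"))
        else:
            accepted.append(name)
    if strict and problems:
        # Strict interpretation: one bad entry invalidates every entry,
        # so nothing from this publication point is used.
        accepted = []
    return accepted, problems


# Constructed sample data: three published objects, one of which the
# validator retrieves in a form that no longer matches the manifest.
PUBLISHED = {
    "child-a.cer": b"constructed certificate A",
    "child-b.cer": b"constructed certificate B",
    "roa-1.roa": b"constructed ROA 1",
}
MANIFEST = {name: sha256(data) for name, data in PUBLISHED.items()}
FETCHED = dict(PUBLISHED, **{"child-b.cer": b"object that does not match"})

if __name__ == "__main__":
    for strict in (False, True):
        accepted, problems = check_manifest(MANIFEST, FETCHED, strict)
        print("strict " if strict else "lenient", accepted, problems)
```

The `problems` list is the same in both modes, so a validator operator can alert on it even when the lenient mode keeps the remaining objects in use.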