Re: [Sidrops] weak validation is unfit for production (Was: Reason for Outage report)
Job Snijders <job@ntt.net> Fri, 28 August 2020 15:25 UTC
Return-Path: <job@ntt.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCBA33A0C8F for <sidrops@ietfa.amsl.com>; Fri, 28 Aug 2020 08:25:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tk0k4uZt6KIb for <sidrops@ietfa.amsl.com>; Fri, 28 Aug 2020 08:25:10 -0700 (PDT)
Received: from mail4.sttlwa01.us.to.gin.ntt.net (mail4.sttlwa01.us.to.gin.ntt.net [204.2.238.64]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F40403A0C37 for <sidrops@ietf.org>; Fri, 28 Aug 2020 08:25:09 -0700 (PDT)
Received: from bench.sobornost.net (129-vpn.londen03.uk.bb.gin.ntt.net [165.254.197.129]) by mail4.sttlwa01.us.to.gin.ntt.net (Postfix) with ESMTPSA id 6C0E5220136; Fri, 28 Aug 2020 15:25:07 +0000 (UTC)
Received: from localhost (bench.sobornost.net [local]) by bench.sobornost.net (OpenSMTPD) with ESMTPA id fda80495; Fri, 28 Aug 2020 15:25:05 +0000 (UTC)
Date: Fri, 28 Aug 2020 15:25:05 +0000
From: Job Snijders <job@ntt.net>
To: Stephen Kent <stkent=40verizon.net@dmarc.ietf.org>
Cc: sidrops@ietf.org
Message-ID: <20200828152505.GH88356@bench.sobornost.net>
References: <DE33EFAE-FBD2-478F-92A9-1FBD81CCC43F@arin.net> <727F6FBD-F73C-4F58-AE2D-0276B2A183A3@arin.net> <20200826160001.GF95612@bench.sobornost.net> <20200826202442.232829fc@grisu.home.partim.org> <20200827142827.GC88356@bench.sobornost.net> <DEBF83EC-B5B7-490B-9F30-19571991E273@nlnetlabs.nl> <045cb11f-5eea-1568-5260-d9794143dc7a@verizon.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <045cb11f-5eea-1568-5260-d9794143dc7a@verizon.net>
X-Clacks-Overhead: GNU Terry Pratchett
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/B9wWIOQr09Jz3s68jOkPyllYTIU>
Subject: Re: [Sidrops] weak validation is unfit for production (Was: Reason for Outage report)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Aug 2020 15:25:11 -0000
Dear Stephen, On Fri, Aug 28, 2020 at 10:00:14AM -0400, Stephen Kent wrote: > I am very bothered by the observation that, if were were to strictly > enforce the requirements imposed by the RPKI RFCs, then the number of > verified routes would substantially decrease. >From my observations, OpenBSD rpki-client produces 514 VRPs fewer than some of the other validators, but still totals at 171,643 VRPs related to the global routing system (currently 895,143 routing table entries, ipv4 and ipv6 combined). In the grand scheme of things those 500 VRPs to me are not 'substantial' but rather "just out of luck", knowing that any attempts to 'repair' or 'salvage' those 500 VRPs puts the remaining 171,643 route origin authorizations at risk. This is a good noise level, and if we come up with additional ideas to improve strictness that krank it from 500 to the low thousands, we are still in great shape. Also knowing that whatever triggers further decreases can probably easily be remedied by the relevant TA or CA. Kind regards, Job
- [Sidrops] Reason for Outage report (was: Re: ARIN… John Curran
- [Sidrops] ARIN RPKI Service Impact - 12 August 20… John Curran
- Re: [Sidrops] ARIN RPKI Service Impact - 12 Augus… Christopher Morrow
- Re: [Sidrops] ARIN RPKI Service Impact - 12 Augus… John Curran
- Re: [Sidrops] ARIN RPKI Service Impact - 12 Augus… Randy Bush
- Re: [Sidrops] ARIN RPKI Service Impact - 12 Augus… Job Snijders
- Re: [Sidrops] ARIN RPKI Service Impact - 12 Augus… John Curran
- Re: [Sidrops] Reason for Outage report (was: Re: … Job Snijders
- Re: [Sidrops] Reason for Outage report (was: Re: … Martin Hoffmann
- Re: [Sidrops] Reason for Outage report (was: Re: … Mikael Abrahamsson
- Re: [Sidrops] Reason for Outage report (was: Re: … John Curran
- Re: [Sidrops] Reason for Outage report Martin Hoffmann
- Re: [Sidrops] Reason for Outage report (was: Re: … Mikael Abrahamsson
- Re: [Sidrops] Reason for Outage report Mikael Abrahamsson
- [Sidrops] weak validation is unfit for production… Job Snijders
- Re: [Sidrops] Reason for Outage report (was: Re: … Tim Bruijnzeels
- Re: [Sidrops] Reason for Outage report (was: Re: … Jakob Heitz (jheitz)
- Re: [Sidrops] Reason for Outage report (was: Re: … Randy Bush
- Re: [Sidrops] weak validation is unfit for produc… Benno Overeinder
- Re: [Sidrops] weak validation is unfit for produc… Tim Bruijnzeels
- Re: [Sidrops] Reason for Outage report (was: Re: … Tim Bruijnzeels
- Re: [Sidrops] Reason for Outage report (was: Re: … Randy Bush
- Re: [Sidrops] Reason for Outage report (was: Re: … Tim Bruijnzeels
- Re: [Sidrops] Reason for Outage report (was: Re: … Tim Bruijnzeels
- Re: [Sidrops] weak validation is unfit for produc… Stephen Kent
- Re: [Sidrops] weak validation is unfit for produc… Stephen Kent
- Re: [Sidrops] Reason for Outage report (was: Re: … Job Snijders
- Re: [Sidrops] weak validation is unfit for produc… Tim Bruijnzeels
- Re: [Sidrops] Reason for Outage report (was: Re: … Randy Bush
- Re: [Sidrops] weak validation is unfit for produc… Job Snijders
- Re: [Sidrops] weak validation is unfit for produc… Lukas Tribus
- Re: [Sidrops] weak validation is unfit for produc… Nathalie Trenaman
- Re: [Sidrops] weak validation is unfit for produc… Job Snijders
- Re: [Sidrops] weak validation is unfit for produc… Stephen Kent
- Re: [Sidrops] weak validation is unfit for produc… Tim Bruijnzeels