Re: [Sidrops] Reason for Outage report (was: Re: ARIN RPKI Service Impact - 12 August 2020 - manifest issue - resolved)
Mikael Abrahamsson <swmike@swm.pp.se> Thu, 27 August 2020 12:30 UTC
Return-Path: <swmike@swm.pp.se>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85FBF3A0C8E for <sidrops@ietfa.amsl.com>; Thu, 27 Aug 2020 05:30:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=swm.pp.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PAZ_iTjtfNeF for <sidrops@ietfa.amsl.com>; Thu, 27 Aug 2020 05:30:18 -0700 (PDT)
Received: from uplift.swm.pp.se (swm.pp.se [212.247.200.143]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58CFF3A0C90 for <sidrops@ietf.org>; Thu, 27 Aug 2020 05:30:17 -0700 (PDT)
Received: by uplift.swm.pp.se (Postfix, from userid 501) id E75EAB1; Thu, 27 Aug 2020 14:30:13 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=swm.pp.se; s=mail; t=1598531413; bh=7CDR93SmCAUx6MZBS5WVXFAYahMCkbvSttO/gz6z39Y=; h=Date:From:To:cc:Subject:In-Reply-To:References:From; b=0AKimR1tvA8RHPAYTkIEg0721aNIfJVk64+3zxEfuNty0IzGeIVFx4fwS/vipnGaT ra52IxqMPkOCIXEBzfEgfpRzwwUCCHXol1+N9JM76GRDJQxfQ8dOKLbiu6KPu6QcaX 33NI33FtN/qsKd+7McoOIoib8T12LRwbGzmkPpM0=
Received: from localhost (localhost [127.0.0.1]) by uplift.swm.pp.se (Postfix) with ESMTP id E3625B0; Thu, 27 Aug 2020 14:30:13 +0200 (CEST)
Date: Thu, 27 Aug 2020 14:30:13 +0200
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: Martin Hoffmann <martin@opennetlabs.com>
cc: Job Snijders <job@ntt.net>, John Curran <jcurran@arin.net>, "sidrops@ietf.org" <sidrops@ietf.org>
In-Reply-To: <20200826202442.232829fc@grisu.home.partim.org>
Message-ID: <alpine.DEB.2.20.2008271422560.11025@uplift.swm.pp.se>
References: <DE33EFAE-FBD2-478F-92A9-1FBD81CCC43F@arin.net> <727F6FBD-F73C-4F58-AE2D-0276B2A183A3@arin.net> <20200826160001.GF95612@bench.sobornost.net> <20200826202442.232829fc@grisu.home.partim.org>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
Organization: People's Front Against WWW
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/CLPb7xihblBDFuW04f63SC76lr4>
Subject: Re: [Sidrops] Reason for Outage report (was: Re: ARIN RPKI Service Impact - 12 August 2020 - manifest issue - resolved)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2020 12:30:21 -0000
On Wed, 26 Aug 2020, Martin Hoffmann wrote: > To the best of my knowledge, Routinator and the RIPE NCC RPKI Validator > handle manifests according to the specifications laid out in the > relevant standards track IETF documents. I assume that you are referring > to your assessment that all objects published by a CA should be > discarded if any inconsistencies are discovered. While such behaviour is > certainly acceptable under the current specification, not doing so does > not constitute incorrect handling of manifests. At this point in time, everybody I am aware of who are implementing RPKI in the routing system are doing invalid=drop, and nothing else. The overall goal right now is to make sure the ROA is correctly validated, all the way. If a ROA is gone, it doesn't cause an outage. It causes lack of protection. It's not a competition which validator can validate the most ROAs, the competition should be to get things *right*. If something doesn't validate correctly, drop it. Drop all it depends on. If all ROAs from a RIR are gone for an hour or a day, it's not the end of the world. It's not an outage. We need to make sure the entire ecosystem gets things right, correct, and have procedures in place to do things right, all the time. Other parts of the Internet ecosystem had teething problems in the beginning, but they worked it out. RPKI ecosystem needs to do the same. The goal of the validator should be to validate. It should be picky. It should throw things away that doesn't look right. You're advocating for something else, and I don't understand why. -- Mikael Abrahamsson email: swmike@swm.pp.se
- [Sidrops] Reason for Outage report (was: Re: ARIN… John Curran
- [Sidrops] ARIN RPKI Service Impact - 12 August 20… John Curran
- Re: [Sidrops] ARIN RPKI Service Impact - 12 Augus… Christopher Morrow
- Re: [Sidrops] ARIN RPKI Service Impact - 12 Augus… John Curran
- Re: [Sidrops] ARIN RPKI Service Impact - 12 Augus… Randy Bush
- Re: [Sidrops] ARIN RPKI Service Impact - 12 Augus… Job Snijders
- Re: [Sidrops] ARIN RPKI Service Impact - 12 Augus… John Curran
- Re: [Sidrops] Reason for Outage report (was: Re: … Job Snijders
- Re: [Sidrops] Reason for Outage report (was: Re: … Martin Hoffmann
- Re: [Sidrops] Reason for Outage report (was: Re: … Mikael Abrahamsson
- Re: [Sidrops] Reason for Outage report (was: Re: … John Curran
- Re: [Sidrops] Reason for Outage report Martin Hoffmann
- Re: [Sidrops] Reason for Outage report (was: Re: … Mikael Abrahamsson
- Re: [Sidrops] Reason for Outage report Mikael Abrahamsson
- [Sidrops] weak validation is unfit for production… Job Snijders
- Re: [Sidrops] Reason for Outage report (was: Re: … Tim Bruijnzeels
- Re: [Sidrops] Reason for Outage report (was: Re: … Jakob Heitz (jheitz)
- Re: [Sidrops] Reason for Outage report (was: Re: … Randy Bush
- Re: [Sidrops] weak validation is unfit for produc… Benno Overeinder
- Re: [Sidrops] weak validation is unfit for produc… Tim Bruijnzeels
- Re: [Sidrops] Reason for Outage report (was: Re: … Tim Bruijnzeels
- Re: [Sidrops] Reason for Outage report (was: Re: … Randy Bush
- Re: [Sidrops] Reason for Outage report (was: Re: … Tim Bruijnzeels
- Re: [Sidrops] Reason for Outage report (was: Re: … Tim Bruijnzeels
- Re: [Sidrops] weak validation is unfit for produc… Stephen Kent
- Re: [Sidrops] weak validation is unfit for produc… Stephen Kent
- Re: [Sidrops] Reason for Outage report (was: Re: … Job Snijders
- Re: [Sidrops] weak validation is unfit for produc… Tim Bruijnzeels
- Re: [Sidrops] Reason for Outage report (was: Re: … Randy Bush
- Re: [Sidrops] weak validation is unfit for produc… Job Snijders
- Re: [Sidrops] weak validation is unfit for produc… Lukas Tribus
- Re: [Sidrops] weak validation is unfit for produc… Nathalie Trenaman
- Re: [Sidrops] weak validation is unfit for produc… Job Snijders
- Re: [Sidrops] weak validation is unfit for produc… Stephen Kent
- Re: [Sidrops] weak validation is unfit for produc… Tim Bruijnzeels