Re: [Sidrops] Reason for Outage report (was: Re: ARIN RPKI Service Impact - 12 August 2020 - manifest issue - resolved)

Tim Bruijnzeels <tim@nlnetlabs.nl> Thu, 27 August 2020 14:32 UTC

Return-Path: <tim@nlnetlabs.nl>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A7153A0C6C for <sidrops@ietfa.amsl.com>; Thu, 27 Aug 2020 07:32:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1foKB3oeD0jC for <sidrops@ietfa.amsl.com>; Thu, 27 Aug 2020 07:32:50 -0700 (PDT)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [185.49.140.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBE833A0D17 for <sidrops@ietf.org>; Thu, 27 Aug 2020 07:32:43 -0700 (PDT)
Received: from [172.20.10.4] (unknown [109.37.137.176]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id A5E041A706; Thu, 27 Aug 2020 16:32:41 +0200 (CEST)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=fail (p=none dis=none) header.from=nlnetlabs.nl
Authentication-Results: dicht.nlnetlabs.nl; spf=fail smtp.mailfrom=tim@nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1598538761; bh=jZJmrpygDAFXWP5jAmCKcC5JHnjCZSQok9fZzrYCiIg=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=lMFrNFm0HrwoRogIMz+KSd6pwT9TmoWOZIXrej4w/ZngOvV4bNFMZFQtpqa/O0jg5 DuFpmQ+K9XY78+hYmhJ9/ZzzlCTemIMppQzz1gnvU6M+pFSIN4XI+wYV8LDBPtprLm s7IJXhq4yOt4oaR32M31CwvNMqSKVVZW2eeXkMZw=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Tim Bruijnzeels <tim@nlnetlabs.nl>
In-Reply-To: <727F6FBD-F73C-4F58-AE2D-0276B2A183A3@arin.net>
Date: Thu, 27 Aug 2020 16:32:40 +0200
Cc: "sidrops@ietf.org" <sidrops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <AEEB145A-D458-420E-BD22-57C9CDAB6784@nlnetlabs.nl>
References: <DE33EFAE-FBD2-478F-92A9-1FBD81CCC43F@arin.net> <727F6FBD-F73C-4F58-AE2D-0276B2A183A3@arin.net>
To: John Curran <jcurran@arin.net>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/FI-wpJCNoFwLdBKcjaqTye8WyWA>
Subject: Re: [Sidrops] Reason for Outage report (was: Re: ARIN RPKI Service Impact - 12 August 2020 - manifest issue - resolved)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2020 14:32:52 -0000

Hi John, all,

> On 26 Aug 2020, at 16:54, John Curran <jcurran@arin.net> wrote:
> 
>> As a corrective action, ARIN will be broadening its testing strategy. In future releases, we will be validating not only LibreSSL-based validators (RIPE’s Validator and NLNetlab’s Routinator) but also OpenSSL-based validators such as rpki-client and Fort. The list of validators we do test against the ARIN repository will be noted within the RPKI section of ARIN’s website.

fwiw, we have automated tests for Krill where we set it up with an embedded TA and a CA which produces a bunch of ROAs. We then expect the same set of VRPs to come out on the other end of:

- fort 1.1.3
- octorpki v1.1.4
- rcynic buildbot-1.0.1544679302
- routinator 0.7.0-pre
- rpkiclient VERSION_0_3_0
- RIPE NCC RPKI Validator 3.1-2020.07.06.14.28

We try to use 'strict' modes where available.

The set up is based on GitHub actions, Terraform and docker. The details are probably not interesting to this mailing list, but if CA or RP implementors want to have more details please feel free to contact me directly.

Tim