Re: [Sidrops] weak validation is unfit for production (Was: Reason for Outage report)

Job Snijders <> Sat, 29 August 2020 18:52 UTC

Date: Sat, 29 Aug 2020 18:48:19 +0000
From: Job Snijders <>
To: Nathalie Trenaman <>

On Sat, Aug 29, 2020 at 12:22:54PM +0200, Nathalie Trenaman wrote:
> Last month, we released a “strict mode” for our validator. It takes
> into account 6486bis except the use of cached data, which I did not
> see consensus on yet (correct me if I’m wrong please).

I think you are wrong on the cached data consensus, but it doesn't
matter, it is a small implementation detail. If an implementer doesn't
want to take advantage of their local file cache, they don't need to.
RPs are expected to be able to function with empty caches as well.

> Where Job sees around 400 objects missing, we do see a lot more. 
> We have been monitoring the amount of missing objects and we see a
> difference of around 4500 objects. Mainly from the APNIC region.

The difference between rpki-client and ripe ncc validator
'insecure-mode=off / rsync-only' seems to be about 2,500 VRPs. However,
the ripe ncc validator logs only 5 errors:

One of the errors appears to be logged at "2020-08-29 18:08:48" and
indicates: "CRL next update was expected on or before 2020-08-29T22:46:19.000Z"
It is not clear why it errors on things still in the future. The 2,500
VRP difference might be caused by a software issue rather than a
specifications issue?

For example, I can't find a reason why a VRP for Prefix: Maxlength: 24, Origin: AS10085, TA: APNIC is not
emitted by the ripe ncc validator. It is also curious to see RRDP
fetches are performed while 'rpki.validator.rsync-only=true' is set.

Are you sure the current version implemented things correctly?

> This is why I believe Tim’s suggestion for a flag day sounds
> reasonable to me. We have to inform CAs about the impact changing the
> behaviour of RPs has on them. 

A flag day to release a security update? Flag days are generally used
for other types of events.
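The message above compares the VRP output of two relying-party validators and counts the difference per trust anchor. The following is an added example of that comparison, not code from this thread or from either validator project; it assumes both exports use the CSV header "ASN,IP Prefix,Max Length,Trust Anchor" and the sample rows are constructed.

```python
"""Compare VRP exports from two relying-party validators and report which
VRPs one emits but the other does not, grouped by trust anchor.

Added example, not the author's or either project's code. Assumes both
exports use the CSV header "ASN,IP Prefix,Max Length,Trust Anchor"
(extra columns such as an expiry field are ignored)."""
import csv
import io
from collections import Counter

# Constructed sample data: a reference export and a candidate export that
# lacks two APNIC-rooted VRPs. Values are made up for this example.
REFERENCE_CSV = """ASN,IP Prefix,Max Length,Trust Anchor
AS10085,203.0.113.0/24,24,APNIC
AS64496,192.0.2.0/24,24,ARIN
64497,198.51.100.0/24,24,RIPE
AS64500,2001:db8::/32,48,APNIC
"""

CANDIDATE_CSV = """ASN,IP Prefix,Max Length,Trust Anchor
AS64496,192.0.2.0/24,24,ARIN
AS64497,198.51.100.0/24,24,RIPE
"""

def _norm_asn(asn):
    """Accept both 'AS64496' and '64496' so exports from different tools compare equal."""
    asn = asn.strip().upper()
    return int(asn[2:] if asn.startswith("AS") else asn)

def parse_vrps(text):
    """Map (asn, prefix, maxlen) -> trust anchor label for one CSV export.

    The TA is kept out of the key on purpose: tools label the same anchor
    differently, which would otherwise show up as false differences."""
    vrps = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (_norm_asn(row["ASN"]), row["IP Prefix"].strip().lower(), int(row["Max Length"]))
        vrps[key] = row["Trust Anchor"].strip()
    return vrps

def missing_vrps(reference, candidate):
    """Return VRPs the reference emits but the candidate does not, plus a per-TA count."""
    missing = {k: ta for k, ta in reference.items() if k not in candidate}
    return missing, Counter(missing.values())

if __name__ == "__main__":
    missing, per_ta = missing_vrps(parse_vrps(REFERENCE_CSV), parse_vrps(CANDIDATE_CSV))
    for (asn, prefix, maxlen), ta in sorted(missing.items()):
        print(f"missing: AS{asn} {prefix} maxlen {maxlen} (TA {ta})")
    print("per trust anchor:", dict(per_ta))
```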