Re: [Sidrops] trying to limit RP processing variability

[Stephen Kent <stkent@verizon.net>]

Robert,
> Hi Steve,
>
>>> If, at the previous run, the RP fetched the relevant (now missing
>>> object, then I see no reason to not use it again. Think of the previous
>>> run as an object a cache if you will: if you're looking for an object
>>> mentioned in the manifest, and you have it already (hash / name / etc.
>>> matches) then you can reuse it.
>> I probably should have said that an RP views an object as "missing" if
>> the the object is not present in the RP's cache and cannot be retrieved
>> from the relevant PP. Because RPs retrieve objects only if the objects
>> have changed (newly added or updated), an RP would not be aware that an
>> object is not present at a PP if the object is present in the RP's
>> cache. I recall a famous quote about whether an object that has not been
>> updated makes any noise when it is deleted from a PP, or something like
>> that :-)
> rsync has a flag (--delete) where it literally syncs, ie. not only
> fetches new/updated objects but also removes the local ones that no
> longer exist remotely. (Either this, or some other processes have to do
> cleanup, otherwise the local copy accumulates objects eternally.)

I forgot about the --delete flag. But, if one chooses to make use of the 
flag, it requires caution. if an attacker deleted files and an RP 
removed instances of those files from the local cache, this is an easy 
DoS attack. One would have to see if there is a current manifest and if 
it lists files that have been deleted from the PP. Only if there is a 
current manifest, and the deleted files are also not present in the 
manifest, would it be safe to delete those files.

If one relies on examination of a current manifest to trigger deletion 
of cached files this problem would be avoided, and thus those files 
would not accumulate forever. maybe that's why I was not thinking about 
the flag.

>
> I believe the NLnetLabs routinator and the NCC's RPKI validator use
> --delete with rsync. Maybe this behaviour changes if/when not using
> rsync, I'm not sure.
>
>>> Of course it can be useful to check if it still exists in the PP, but it
>>> seems to me the only benefit is to detect that it is missing from there
>>> and perhaps warn the PP operator. Otherwise the RP has a hard time
>>> arguing "no idea what this is since it's not there!".
>> I think I agree about the utility of detecting an object that has gone
>> missing from a PP, when the RP has the object locally cached. But, in my
>> experience, RP software was not designed to detect this case.
> I believe the discussion here is about specifying how RP software should
> (or must) behave, so that their behaviour is consistent. IMO in order to
> achieve that, the behaviour around missing objects should be part of the
> specification.

Agreed.

Steve