IETF Logo Mail Archive

Re: [Sidrops] Publication Point -> RP synchronization in bandwidth constrained environments (note for RRDP v2)

Job Snijders <job@fastly.com> Mon, 12 June 2023 18:44 UTC

Return-Path: <job@fastly.com>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE09CC14F736 for <sidrops@ietfa.amsl.com>; Mon, 12 Jun 2023 11:44:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.093
X-Spam-Level:
X-Spam-Status: No, score=-2.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fastly.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EwViApuY-ael for <sidrops@ietfa.amsl.com>; Mon, 12 Jun 2023 11:44:10 -0700 (PDT)
Received: from mail-pl1-x633.google.com (mail-pl1-x633.google.com [IPv6:2607:f8b0:4864:20::633]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3709C14F6EC for <sidrops@ietf.org>; Mon, 12 Jun 2023 11:44:10 -0700 (PDT)
Received: by mail-pl1-x633.google.com with SMTP id d9443c01a7336-1b3c0c47675so15097405ad.1 for <sidrops@ietf.org>; Mon, 12 Jun 2023 11:44:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastly.com; s=google; t=1686595450; x=1689187450; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=x0Bv/ndUmSmaBbpY42KZAJVd/0r82PpZEHTCpnJ3jwQ=; b=agM7TFobZjUmZIaH+5r+Kq4EeirS2g9O9DB6TGKJqylcPq5JuGQm5RdVvVq7rxKUYT ITE5aJKU1DTOU6c/ZmsIco1g736VebHfObByDQr7jBvnQRs5P2OtzX1ViZWODZm4+Ehi NO0m++rrqXf85yRaTZLeurc/dJB6OUrW0UF5I=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686595450; x=1689187450; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=x0Bv/ndUmSmaBbpY42KZAJVd/0r82PpZEHTCpnJ3jwQ=; b=TBR77k9p4+eF/GHl0/Yx7zkbifU5RW1dG7icFwhW89iEEct+mtHx8oHH93owxSCGMW eVO2jINXoAIgdBDJZgucv0a028EpIKAObOvNMyaWg/bJX0lJz4ks/ZNhgU+JbEW2uI7n xKdYWDpJS3+tHkGqgI18+o7R+Hs/qXjW07bPYR3E+ql5O0UUoU5k84XDBlRu9e8pfOIv prjGWxJf0FWOdm8Or5NvMmTozuKgLuzhcXDmTemJv0Z9HZqYBz+Cuo51J3T79J1oA714 LX6CcJSciZrYADHt1UoJjBNgOZhVyyUP2qnT7xDEoaBc6bsQZPl6ZHzfZ2vO5qOQS9ev 6Zpw==
X-Gm-Message-State: AC+VfDzLpJLeUjZ5f1rYv2vxX/BrSkpeDPZNOVdnXcNCIAsZgmKgIxde 5IaoKgY/cW/cJUgPKS5opuJ1Pptjnnu9/8sdVho=
X-Google-Smtp-Source: ACHHUZ6VLkBw2ekXK4UqVh76Km6QE/JHPoSIm1jlqsof7fEFYjI7vCkpbteRC3EJZ5xDBcJ39Z85DQ==
X-Received: by 2002:a17:902:ec8c:b0:1b2:46b9:d42a with SMTP id x12-20020a170902ec8c00b001b246b9d42amr7149645plg.27.1686595450009; Mon, 12 Jun 2023 11:44:10 -0700 (PDT)
Received: from feather.sobornost.net ([50.237.87.214]) by smtp.gmail.com with ESMTPSA id jj14-20020a170903048e00b001b3df595582sm948486plb.124.2023.06.12.11.44.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 12 Jun 2023 11:44:09 -0700 (PDT)
Date: Mon, 12 Jun 2023 18:44:07 +0000
From: Job Snijders <job@fastly.com>
To: Mikhail Puzanov <mpuzanov@ripe.net>
Cc: sidrops@ietf.org
Message-ID: <ZIdndx6tgayGx17d@feather.sobornost.net>
References: <ZHYYt77xdtrkNV1a@snel> <955CFF67-8D19-4B38-8585-3754F3119EDF@ripe.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <955CFF67-8D19-4B38-8585-3754F3119EDF@ripe.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/Rm9Q1IIj0NWYWygXbWK5YTmCXIU>
Subject: Re: [Sidrops] Publication Point -> RP synchronization in bandwidth constrained environments (note for RRDP v2)
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jun 2023 18:44:14 -0000

Dear all,

On Thu, Jun 08, 2023 at 01:45:46PM +0200, Mikhail Puzanov wrote:
> I think compression is probably the quickest way of mitigating the
> size problem:

Yes. Support for gzip and deflate HTTP Content-Encoding has now been
added in OpenBSD rpki-client and will be available in a next release.

> Even the good ol’ gzip can shrink RIPE NCC’s snapshot more than
> twofold.  Also compression should take care of the repetitive parts,
> i.e.  XML tags, newlines, etc.

And as a nice bonus: compression (unsurprisingly) reduces the time spend
waiting for the network.

> Extra 2 cents as an RP implementer: rpki-prover fetches every
> repository in a separate OS process with constrained heap, constrained
> download size and a timeout, so it pretty much ignores all
> CVE-2021-43174-related considerations and compression was never
> disabled in it. If the fetching process crashes or runs out of some
> resource the impact is limited to the specific repository. So there is
> a way to have compression and tolerate crashes.

In the rpki-client implementation a similar approach is used:
establishing RRDP TLS connections, and HTTP decompression happens in a
dedicated subprocess [1] which runs in a restricted-service operating
mode using pledge() [2].

The fetches are timeboxed and size constrained (both in original and
inflated form). Inflation happens in a streaming fashion, so even if
HTTP Chunked transfer encoding is used, the size is checked on the fly
and to impose the constraint. Special attention needs to be taken to
stop the remote side from continuing to send data after Z_STREAM_END.

Kind regards,

Job

[1]: https://sha256.net/privsep.html
[2]: https://man.openbsd.org/pledge.2

v2.23.0 | Report a Bug | By Email