Re: [Sidrops] ARIN RPKI Service Impact - 12 August 2020 - manifest issue - resolved

Randy Bush <> Sat, 15 August 2020 21:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 597853A089F for <>; Sat, 15 Aug 2020 14:19:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hHPAQVjdFfdc for <>; Sat, 15 Aug 2020 14:19:40 -0700 (PDT)
Received: from ( [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DD3F73A081D for <>; Sat, 15 Aug 2020 14:19:39 -0700 (PDT)
Received: from localhost ([] by with esmtp (Exim 4.90_1) (envelope-from <>) id 1k73aS-0000Hw-Hz; Sat, 15 Aug 2020 21:19:37 +0000
Date: Sat, 15 Aug 2020 14:19:36 -0700
Message-ID: <>
From: Randy Bush <>
To: John Curran <>
In-Reply-To: <>
References: <> <> <>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/26.3 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <>
Subject: Re: [Sidrops] ARIN RPKI Service Impact - 12 August 2020 - manifest issue - resolved
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 15 Aug 2020 21:19:41 -0000

thanks for the preliminary post mortem

> 3) Additional stringency to specs for the more common validators would
>    help in some cases

fwiw, one dragon lab instance sra is running is so old it is rsync only,
and so did not see the problem.

the assorted dragon labs instances i watch did not report anything.
they quietly fell back from rrdp to rsync per spec.  this is both good
news, things worked as expected, and bad news, they knew something went
wrong and did not report it.

in general, the rpki infrastructure lacks alerts and lacks reporting
channels other than ghostbuster records.

this week our (john kristoff doing the heavy lifting) short paper was
accepted at imc.  will shout when there is camera ready.  from the

    In this short paper, we introduce a framework to observe RPKI
    relying parties (i.e., those that fetch RPKI data from the
    distributed repository) and present insights into this ecosystem
    for the first time. Our longitudinal study of data gathered from
    three RPKI certification authorities (AFRINIC, APNIC, and our own
    CA) identifies different deployment models of relying parties and
    (surprisingly) larger inconsistent fetching behavior, which might
    affect robustness in Internet routing. Our results reveal that some
    relying parties are not able to connect to specific publication
    points at all.