Re: [Sidrops] [WG ADOPTION] Adoption call: draft-timbru-sidrops-publication-server-bcp - ENDS 02/08/2024
Ties de Kock <tdekock@ripe.net> Wed, 07 February 2024 08:29 UTC
Return-Path: <tdekock@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 048F8C18DBAB for <sidrops@ietfa.amsl.com>; Wed, 7 Feb 2024 00:29:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e78FxiW7T_fA for <sidrops@ietfa.amsl.com>; Wed, 7 Feb 2024 00:28:59 -0800 (PST)
Received: from mail-mx-2.ripe.net (mail-mx-2.ripe.net [IPv6:2001:67c:2e8:11::c100:1312]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C8FCC18DBAC for <sidrops@ietf.org>; Wed, 7 Feb 2024 00:28:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ripe.net; s=s1-ripe-net; h=To:Cc:Date:Subject:Mime-Version:Content-Type:Message-Id:From ; bh=n0vKvjC02HXv02NtP9g/eHVXdziib+//iy1Vm0OzYEw=; b=Qxc18rFNZEkL0HeBPq2ZO3cG ieEbuttkELtTpQhVU+K4ws5AVEWxmUdUZ8UWVe9xXUncWjzUg2qD3yHNBL950+puNeEb+H2eMXNrT PqAQpjs/7M5gvsI7aYjv/l8EjtegtuejgTu/xvRuh5l0EJvt1yxHYAJ68pZ0K7v/riI3rz3CUmjNW wleOpdCVvF6PO6B4QVGztKJn8LK+nP0tr1l351bDO2adWlR1CBCHC2ueZgVcWFkBGTX1PwZFTjO8G Ogv+KiXbMZcAXwIazw1RWbnCDIrxuyBuDeDjuEi1fdvGc8OJO2B9//WLbjin//ufGHLdacmP8Bmvx aNd3zVLHUA==;
Received: from imap-01.ripe.net ([2001:67c:2e8:23::c100:170e]:52214) by mail-mx-2.ripe.net with esmtps (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.96.2) (envelope-from <tdekock@ripe.net>) id 1rXdIg-00B27Q-0Y; Wed, 07 Feb 2024 08:28:58 +0000
Received: from sslvpn.ripe.net ([193.0.20.230] helo=smtpclient.apple) by imap-01.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96.2) (envelope-from <tdekock@ripe.net>) id 1rXdIf-00C3ix-37; Wed, 07 Feb 2024 08:28:58 +0000
From: Ties de Kock <tdekock@ripe.net>
Message-Id: <90CF33A4-E38D-456A-B797-7708E683C218@ripe.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_1C3216D2-AFD0-4B24-8DB0-4625F95C234C"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.400.31\))
Date: Wed, 07 Feb 2024 09:28:47 +0100
In-Reply-To: <EFFA95AA-F07D-490B-BEC3-0446ED2D3AA2@ripe.net>
Cc: Job Snijders <job=40fastly.com@dmarc.ietf.org>, Tim Bruijnzeels <tbruijnzeels@ripe.net>
To: IETF SIDRops <sidrops@ietf.org>
References: <87h6j1kug1.wl-morrowc@ops-netman.net> <B60D7B39-FA81-45AF-BCBD-2784F91B43C3@vigilsec.com> <ZcFNNfrkMFxKf5hN@snel> <BBE2320C-4525-4713-B4AF-3F00ECD4228A@ripe.net> <ZcIuI7lS1OtOW_xT@snel> <EFFA95AA-F07D-490B-BEC3-0446ED2D3AA2@ripe.net>
X-Mailer: Apple Mail (2.3774.400.31)
X-RIPE-Signature: 059faafd1cc22ebb05e1592c815fe1e145272b091040e9f2e6772a87bb9a835b
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/ZnrS_gktIUTUySxyk90LYWAScVI>
Subject: Re: [Sidrops] [WG ADOPTION] Adoption call: draft-timbru-sidrops-publication-server-bcp - ENDS 02/08/2024
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2024 08:29:04 -0000
Hi Tim, > On 6 Feb 2024, at 17:19, Tim Bruijnzeels <tbruijnzeels@ripe.net> wrote: > > Hi, > >> On Feb 6, 2024, at 14:03, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote: >> >> On Tue, Feb 06, 2024 at 08:57:59AM +0100, Ties de Kock wrote: >>>> On 5 Feb 2024, at 22:03, Job Snijders <job=40fastly.com@dmarc.ietf.org> wrote: >>>> Some suggestions for draft-timbru-sidrops-publication-server-bcp-02: >>>> >>>> - Make a recommendation to Publishers to not regenerate RRDP content for >>>> every request, nor regenerate previous RRDP deltas when creating a new >>>> snapshot. This might help implementers of RRDP publication software >>>> perceive and treat older RRDP content as immutable. See >>>> https://datatracker.ietf.org/doc/draft-spaghetti-sidrops-rrdp-desynchronization/ >>>> for more details about mutations in previously published RRDP content. >>> >>> I think that it is clear to all that the content of a delta should not >>> change after being written for the first time. I think specifying the >>> "how" for that process is too prescriptive. For example, your proposed >>> method would rule out symlink pivoting for RRDP while you still need >>> an atomic mechanism to prevent partial reads of some files - e.g. >>> notification.xml. >> >> The notification file (by specification) indeed is mutable. >> >> I think it is helpful to point out that the RRDP deltas really only need >> to be generated once, as some implementers seem to have gotten this >> wrong in the past. > > To the best of my knowledge no RRDP implementation has intentionally > regenerated deltas. There have been issues where a server was restored > from backup to an earlier state and it was unaware of the state changes > since the backup. I know of two RRDP implementations that re-generate deltas. However they re-generate the deltas with identical content. If we add phrasing for this, let’s make sure that it means that the content needs to be identical. How to get there is up to implementers? > So, I would like to include text in this BCP that instructs the Publication > Server to perform a full RRDP session reset in case they restored from > backup. A session reset as a fallback mechanism is a idea that is generally safe I think. An operator _needs_ to have infrastructure that can survive the switch back from rsync to RRDP. This session reset would cause identical load and is much easier to handle if it's a prepared scenario. >>> In practice, RRDP distribution uses multiple layers of caching >>> (generating software -> origin servers -> CDN internal caching nodes >>> -> edge). Effectively all write a copy. All can corrupt it. I think >>> the hashes in RRDP are the perfect machanism for detecting corruption. >>> Personally, I have found a memory corruption issue due to those >>> hashes... >> >> Hah, memtest86+ implemented in RRDP ;-) >> >>>> - Perhaps a note could be added about temporarily disabling RRDP >>>> being a viable option to conserve bandwidth in (rare) scenarios >>>> where the Publication Point operator's network is congested. In >>>> low-bandwidth scenarios rsync performs far better than RRDP (a >>>> particular race condition in RRDP is avoided, rsync synchronization >>>> trivially is resumed). Notwithstanding that both PP and RP side of >>>> the house would do well to implement bandwidth conservation >>>> strategies such as implementation of HTTP content encoding >>>> compression. I do think it is helpful to remind interested readers >>>> that ultimately the objective is to /somehow/ serve RPKI data (be it >>>> via RRDP or RSYNC) in a timely fashion. >>> >>> That is a recommendation that comes with big caveats. While the >>> behaviour of RRDP degrades badly (we describe the negative feedback >>> loop in the document), in a steady-state situation, rsync uses >>> significantly more bandwidth (and IO). >> >> Right, which is why it might be counter-intuitive for Publication Point >> operators to realize that temporarily disabling RRDP can help when >> bandwidth is scarce, and as such perhaps worth documenting. >> >>> I wonder what the success rate of rsync clients is during fallback in >>> a bandwidth-limited scenario. More data on this would help make a >>> recommendation. The fixed cost of transferring file names is high >>> (e.g. 640KB for rpki.afrinic.net, 263KB+1.6MB for rpki.apnic.net, >>> 5.2MB for rpki.arin.net, 1.2MB for rpki.lacnic.net, 5.5MB for >>> rpki.ripe.net) Based on that I would expect many rsync clients to hit >>> timeouts as well. >> >> The situation I had in mind was an example from last year, when for one >> of the regional internet registries all my alerts cleared within 2 hours >> after RRDP was disabled. >> >> You are right to point out that the RRDP notification file usually is >> smaller than the rsync filename transfer list, but in turn, the rsync >> transfer list is way smaller than the RRDP snapshot. > > I am in two minds about this. > > I think the BCP should not recommend disabling rsync, it should > recommend that enough bandwidth is available and/or a CDN is > used. > > The problem happens when this cannot be done. In that case RRDP > degrades badly, as described in the document, because all RPs > fall back to full snapshots. This makes the bandwidth load worse. Another factor that would be good to know: How often do RPs fetch from rsync? If the routinator interval for RRDP is 10 minutes, but 60 minutes for rsync, that would make a material difference. Kind regards, Ties > > In the case of your example there were higher layer (non-technical) > reasons why the bandwidth capacity could not be increased and > a CDN could not be used at the time. > > In this specific case disabling RRDP helped because even though > there could still be bandwidth issues affecting RPs this allowed > enough of them to perform a sync so that subsequent data usage > was reduced. > > So, yes disabling RRDP helped here, but no, I don’t think it should > be recommended best practice. I want to think about wording that > captures this... > > Kind regards, > Tim > >> >> Kind regards, >> >> Job >> >> _______________________________________________ >> Sidrops mailing list >> Sidrops@ietf.org <mailto:Sidrops@ietf.org> >> https://www.ietf.org/mailman/listinfo/sidrops
- [Sidrops] [WG ADOPTION] Adoption call: draft-timb… Chris Morrow
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Tim Bruijnzeels
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Russ Housley
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Di Ma
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Job Snijders
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Ties de Kock
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Hollyman, Michael
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Job Snijders
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Job Snijders
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Tim Bruijnzeels
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Job Snijders
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Tim Bruijnzeels
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Job Snijders
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Lukas Tribus
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Ties de Kock
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Job Snijders
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Ties de Kock
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Claudio Jeker
- Re: [Sidrops] [WG ADOPTION] Adoption call: draft-… Tim Bruijnzeels
- [Sidrops] Re: [WG ADOPTION] Adoption call: draft-… Job Snijders
- [Sidrops] Re: [WG ADOPTION] Adoption call: draft-… Tim Bruijnzeels
- [Sidrops] Re: [WG ADOPTION] Adoption call: draft-… Christopher Morrow